[PM-35105] Add hazmat module and shared COSE symmetric encryption

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-35105

📔 Objective

Stacked PR 2/4 (on top of #1201).

Introduces a hazmat::symmetric_encryption module (moving XChaCha20-Poly1305 into it and adding AES-256-GCM), and a shared cose::symmetric layer that seals/unseals COSE Encrypt/Encrypt0 bodies with either cipher, declaring the content-encryption algorithm in the protected header. Migrates the data, symmetric-key, and password-protected key envelopes to the shared encrypt/decrypt helpers.

The password envelope's COSE byte layout shifts, so the pin corruption test now flips a byte at the envelope midpoint.

Base: km/high-entropy-secret (#1201).

[github-actions]

🔍 SDK Breaking Change Detection

SDK Version: km/hazmat-cose-symmetric (51d850a)

⚠️ If breaking changes are detected, a corresponding pull request addressing them must be ready for merge in the affected client repository.

Client	Status	Details
typescript	✅ No breaking changes detected	Compilation passed with new SDK version - View Details
android	✅ No breaking changes detected	Compilation passed with new SDK version - View Details

---

Breaking change detection uses the build of the SDK from this branch, including any incompatibities pre-existing on or merged into this branch. Check the workflow logs to confirm.
Results update as workflows complete.

[codecov]

Codecov Report

❌ Patch coverage is 97.92244% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.17%. Comparing base (53771bf) to head (61d6e36).

Files with missing lines	Patch %	Lines
crates/bitwarden-crypto/src/cose/symmetric.rs	96.80%	15 Missing ⚠️

Additional details and impacted files

@@                    Coverage Diff                     @@
##           km/high-entropy-secret    #1202      +/-   ##
==========================================================
+ Coverage                   85.09%   85.17%   +0.07%     
==========================================================
  Files                         465      467       +2     
  Lines                       63947    64291     +344     
==========================================================
+ Hits                        54415    54757     +342     
- Misses                       9532     9534       +2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the new hazmat::symmetric_encryption module (XChaCha20-Poly1305 + new AES-256-GCM), the shared cose::symmetric seal/unseal layer, and the migration of the data, symmetric-key, and password-protected key envelopes onto the shared encrypt/decrypt helpers. Focus was on backward compatibility of existing encrypted data, AEAD/AAD correctness, and the new dependency. No blocking issues found.

Code Review Details

No new findings.

Backward-compatibility verification:

• Data and symmetric-key envelopes always wrote the content-encryption algorithm into the protected header (confirmed against the base branch), so decrypt_cose0(.., None, ..) requiring a declared algorithm is correct for existing data.
• The password-protected key envelope historically omitted the algorithm from the protected header, and the migration correctly supplies XChaCha20Poly1305 as the decryption fallback for those legacy envelopes. The pin-corruption test was correctly retargeted to the ciphertext midpoint for the shifted COSE byte layout.
• The shared helpers recompute AAD from the stored protected header, so re-framing does not break previously sealed messages.

Notes (not findings):

• AES-256-GCM is implemented and dispatchable but not yet wired to any caller (all three envelopes pass XChaCha20-Poly1305); its short-nonce caveat is documented and applies to future per-message-key callers.
• aes-gcm is a pre-release (0.11.0-rc.4), consistent with the existing argon2 and chacha20poly1305 RC pins. AppSec dependency review is already tracked in VULN-650 (existing thread).
• The [patch.crates-io] pin of crypto-bigint to a git tag is a documented, temporary registry-propagation workaround.

Dependency Changes

Package	Change	Ecosystem
aes-gcm	New (0.11.0-rc.4)	Cargo
crypto-bigint	Patched to git v0.7.5	Cargo

[claude]

⚠️ IMPORTANT: New direct dependency aes-gcm added — confirm AppSec dependency review was completed.

Details

aes-gcm = "0.11.0-rc.4" is a net-new direct dependency for bitwarden-crypto. Bitwarden's Dependency Review and Approval process requires AppSec review (typically tracked via a VULN task) before introducing a new dependency, and the PR description references only PM-35105 with no approval signal.

Two specifics worth confirming with AppSec:

• This is a release-candidate version (0.11.0-rc.4), not a stable release. Pre-release crypto dependencies warrant extra scrutiny on maintenance/stability.
• It is published by the RustCrypto org (same as the existing aes and chacha20poly1305 deps), which should ease review.

If approval was already obtained out-of-band, linking the VULN task in the PR description resolves this.

Reference: Bitwarden Dependency Review and Approval process (Stage 1–4).

[quexten]

In-review https://bitwarden.atlassian.net/browse/VULN-650

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.3% Duplication on New Code

See analysis details on SonarQube Cloud