[PM-22845] Add account key rotation

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-22845

📔 Objective

The decrypted signing key is never available to Typescript, and we need key-rotation to re-encrypt the signing key. This PR implements a part of key-rotation in the crypto crate - specifically re-encrypting the private and signing key.

Long-term, the key-rotation could should be ported at higher levels to the crypto crate.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
  team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
  issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – bea393f0-d9c6-4b38-a4f4-0431bd07221c

Great job, no security vulnerabilities found in this Pull Request

[codecov]

Codecov Report

Attention: Patch coverage is 11.62791% with 38 lines in your changes missing coverage. Please review.

Project coverage is 71.61%. Comparing base (17866c0) to head (a766ab9).

Files with missing lines	Patch %	Lines
crates/bitwarden-crypto/src/key_rotation/mod.rs	0.00%	19 Missing ⚠️
crates/bitwarden-core/src/key_management/crypto.rs	0.00%	13 Missing ⚠️
...bitwarden-core/src/key_management/crypto_client.rs	0.00%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #313      +/-   ##
==========================================
- Coverage   71.75%   71.61%   -0.15%     
==========================================
  Files         224      225       +1     
  Lines       18385    18426      +41     
==========================================
+ Hits        13193    13196       +3     
- Misses       5192     5230      +38     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Hinton]

question: Key rotation feels very application bound and not like a low level cryptographic primitive? I think this is further enhanced by bitwarden-core just acting as a wrapper around this function.

I presume this was done to avoid making get_asymetric_key and `get_signing_key public?

[quexten]

Yes;

As far as I understand we do not want any further new uses that expose keys out of bitwarden-crypto, so this had to go into the crypto crate to achieve that. Is there another pattern we can use here? (Maybe we do allow (non-deprecated) getting wrapped(encrypted) keys out of a context?)