Skip to content

Commit

Permalink
feat!: expose 'ClientId' in e2ei methods for credential rotation sinc…
Browse files Browse the repository at this point in the history 
…e the e2ei client identifier differs from the one used in MLS
  • Loading branch information
@beltram
beltram committed Jul 25, 2023
1 parent 386f1de commit d687ae3
Show file tree
Hide file tree
Showing 6 changed files with 73 additions and 22 deletions.
14 changes: 7 additions & 7 deletions crypto-ffi/bindings/js/CoreCrypto.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1647,35 +1647,35 @@ export class CoreCrypto {

/**
* Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
* As a consequence, this method does not support changing the ClientId which should remain the same as the Basic one.
* Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
*
* @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:[email protected]`
* @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
* @param handle user handle e.g. `[email protected]`
* @param expiryDays generated x509 certificate expiry
* @param ciphersuite - for generating signing key material
* @returns The new {@link WireE2eIdentity} object
*/
async e2eiNewActivationEnrollment(displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity> {
const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_activation_enrollment(displayName, handle, expiryDays, ciphersuite));
async e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity> {
const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_activation_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
return new WireE2eIdentity(e2ei);
}

/**
* Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
* having to change/rotate their credential, either because the former one is expired or it
* has been revoked. As a consequence, this method does not support changing neither ClientId which
* should remain the same as the previous one. It lets you change the DisplayName or the handle
* has been revoked. It lets you change the DisplayName or the handle
* if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
*
* @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:[email protected]`
* @param expiryDays generated x509 certificate expiry
* @param ciphersuite - for generating signing key material
* @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
* @param handle user handle e.g. `[email protected]`
* @returns The new {@link WireE2eIdentity} object
*/
async e2eiNewRotateEnrollment(expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string,): Promise<WireE2eIdentity> {
const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_rotate_enrollment(displayName, handle, expiryDays, ciphersuite));
async e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string,): Promise<WireE2eIdentity> {
const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_rotate_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
return new WireE2eIdentity(e2ei);
}

Expand Down
20 changes: 20 additions & 0 deletions crypto-ffi/bindings/kt/main/com/wire/crypto/client/CoreCryptoCentral.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,26 @@ class CoreCryptoCentral private constructor(private val cc: CoreCrypto, private
return E2EIClientImpl(cc.e2eiNewEnrollment(clientId, displayName, handle, expiryDays, ciphersuite))
}

suspend fun e2eiNewActivationEnrollment(
clientId: String,
displayName: String,
handle: String,
expiryDays: UInt,
ciphersuite: Ciphersuite,
): E2EIClient {
return E2EIClientImpl(cc.e2eiNewActivationEnrollment(clientId, displayName, handle, expiryDays, ciphersuite))
}

suspend fun e2eiNewRotateEnrollment(
clientId: String,
expiryDays: UInt,
ciphersuite: Ciphersuite,
displayName: String? = null,
handle: String? = null,
): E2EIClient {
return E2EIClientImpl(cc.e2eiNewRotateEnrollment(clientId, displayName, handle, expiryDays, ciphersuite))
}

suspend fun e2eiMlsInitOnly(enrollment: E2EIClient, certificateChain: String): MLSClient {
cc.e2eiMlsInitOnly(enrollment.delegate, certificateChain)
return MLSClientImpl(cc)
Expand Down
14 changes: 7 additions & 7 deletions crypto-ffi/bindings/swift/Sources/CoreCrypto/CoreCrypto.swift
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1044,30 +1044,30 @@ public class CoreCryptoWrapper {
}

/// Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
/// As a consequence, this method does not support changing the ClientId which should remain the same as the Basic one.
/// Once the enrollment is finished, use the instance in ``CoreCrypto/e2eiRotateAll`` to do the rotation.
///
/// - parameter clientId: client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:[email protected]`
/// - parameter displayName: human readable name displayed in the application e.g. `Smith, Alice M (QA)`
/// - parameter handle: user handle e.g. `[email protected]`
/// - parameter expiryDays: generated x509 certificate expiry
/// - parameter ciphersuite: For generating signing key material.
/// - returns: The new ``CoreCryptoSwift.WireE2eIdentity`` object
public func e2eiNewActivationEnrollment(displayName: String, handle: String, expiryDays: UInt32, ciphersuite: UInt16) async throws -> CoreCryptoSwift.WireE2eIdentity {
return try await self.coreCrypto.e2eiNewActivationEnrollment(displayName: displayName, handle: handle, expiryDays: expiryDays, ciphersuite: ciphersuite)
public func e2eiNewActivationEnrollment(clientId: String, displayName: String, handle: String, expiryDays: UInt32, ciphersuite: UInt16) async throws -> CoreCryptoSwift.WireE2eIdentity {
return try await self.coreCrypto.e2eiNewActivationEnrollment(clientId: clientId, displayName: displayName, handle: handle, expiryDays: expiryDays, ciphersuite: ciphersuite)
}

/// Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)having to change/rotate
/// their credential, either because the former one is expired or it has been revoked. As a consequence, this method
/// does not support changing neither ClientId which should remain the same as the previous one. It lets you change
/// their credential, either because the former one is expired or it has been revoked. It lets you change
/// the DisplayName or the handle if you need to. Once the enrollment is finished, use the instance in ``CoreCrypto/e2eiRotateAll`` to do the rotation.
///
/// - parameter clientId: client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:[email protected]`
/// - parameter expiryDays: generated x509 certificate expiry
/// - parameter ciphersuite: For generating signing key material.
/// - parameter displayName: human readable name displayed in the application e.g. `Smith, Alice M (QA)`
/// - parameter handle: user handle e.g. `[email protected]`
/// - returns: The new ``CoreCryptoSwift.WireE2eIdentity`` object
public func e2eiNewRotateEnrollment(expiryDays: UInt32, ciphersuite: UInt16, displayName: String? = nil, handle: String? = nil) async throws -> CoreCryptoSwift.WireE2eIdentity {
return try await self.coreCrypto.e2eiNewRotateEnrollment(expiryDays: expiryDays, ciphersuite: ciphersuite, displayName: displayName, handle: handle)
public func e2eiNewRotateEnrollment(clientId: String, expiryDays: UInt32, ciphersuite: UInt16, displayName: String? = nil, handle: String? = nil) async throws -> CoreCryptoSwift.WireE2eIdentity {
return try await self.coreCrypto.e2eiNewRotateEnrollment(clientId: clientId, expiryDays: expiryDays, ciphersuite: ciphersuite, displayName: displayName, handle: handle)
}

/// Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
Expand Down
18 changes: 16 additions & 2 deletions crypto-ffi/src/generic.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -934,6 +934,7 @@ impl CoreCrypto {
/// See [core_crypto::mls::MlsCentral::e2ei_new_activation_enrollment]
pub async fn e2ei_new_activation_enrollment(
&self,
client_id: String,
display_name: String,
handle: String,
expiry_days: u32,
Expand All @@ -942,7 +943,13 @@ impl CoreCrypto {
self.central
.lock()
.await
.e2ei_new_activation_enrollment(display_name, handle, expiry_days, ciphersuite.into())
.e2ei_new_activation_enrollment(
client_id.into_bytes().into(),
display_name,
handle,
expiry_days,
ciphersuite.into(),
)
.map(async_lock::Mutex::new)
.map(std::sync::Arc::new)
.map(WireE2eIdentity)
Expand All @@ -953,6 +960,7 @@ impl CoreCrypto {
/// See [core_crypto::mls::MlsCentral::e2ei_new_rotate_enrollment]
pub async fn e2ei_new_rotate_enrollment(
&self,
client_id: String,
display_name: Option<String>,
handle: Option<String>,
expiry_days: u32,
Expand All @@ -961,7 +969,13 @@ impl CoreCrypto {
self.central
.lock()
.await
.e2ei_new_rotate_enrollment(display_name, handle, expiry_days, ciphersuite.into())
.e2ei_new_rotate_enrollment(
client_id.into_bytes().into(),
display_name,
handle,
expiry_days,
ciphersuite.into(),
)
.map(async_lock::Mutex::new)
.map(std::sync::Arc::new)
.map(WireE2eIdentity)
Expand Down
18 changes: 16 additions & 2 deletions crypto-ffi/src/wasm.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2337,6 +2337,7 @@ impl CoreCrypto {
/// see [core_crypto::mls::MlsCentral::e2ei_new_activation_enrollment]
pub fn e2ei_new_activation_enrollment(
&self,
client_id: String,
display_name: String,
handle: String,
expiry_days: u32,
Expand All @@ -2348,7 +2349,13 @@ impl CoreCrypto {
async move {
let this = this.read().await;
let enrollment = this
.e2ei_new_activation_enrollment(display_name, handle, expiry_days, ciphersuite.into())
.e2ei_new_activation_enrollment(
client_id.into_bytes().into(),
display_name,
handle,
expiry_days,
ciphersuite.into(),
)
.map(WireE2eIdentity)
.map_err(|_| CryptoError::ImplementationError)
.map_err(CoreCryptoError::from)?;
Expand All @@ -2364,6 +2371,7 @@ impl CoreCrypto {
/// see [core_crypto::mls::MlsCentral::e2ei_new_rotate_enrollment]
pub fn e2ei_new_rotate_enrollment(
&self,
client_id: String,
display_name: Option<String>,
handle: Option<String>,
expiry_days: u32,
Expand All @@ -2375,7 +2383,13 @@ impl CoreCrypto {
async move {
let this = this.read().await;
let enrollment = this
.e2ei_new_rotate_enrollment(display_name, handle, expiry_days, ciphersuite.into())
.e2ei_new_rotate_enrollment(
client_id.into_bytes().into(),
display_name,
handle,
expiry_days,
ciphersuite.into(),
)
.map(WireE2eIdentity)
.map_err(|_| CryptoError::ImplementationError)
.map_err(CoreCryptoError::from)?;
Expand Down
11 changes: 7 additions & 4 deletions crypto/src/e2e_identity/rotate.rs
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
use crate::prelude::ClientId;
use crate::{
mls::credential::{ext::CredentialExt, x509::CertificatePrivateKey, CredentialBundle},
prelude::{
Expand Down Expand Up @@ -53,21 +54,21 @@ impl MlsCentral {
/// the rotation.
pub fn e2ei_new_activation_enrollment(
&self,
client_id: ClientId,
display_name: String,
handle: String,
expiry_days: u32,
ciphersuite: MlsCiphersuite,
) -> E2eIdentityResult<E2eiEnrollment> {
let client = self.mls_client()?;
let client_id = client.id();

// look for existing credential of type basic. If there isn't, then this method has been misused
client
.find_most_recent_credential_bundle(ciphersuite.signature_algorithm(), MlsCredentialType::Basic)
.ok_or(E2eIdentityError::ImplementationError)?;

E2eiEnrollment::try_new(
client_id.clone(),
client_id,
display_name,
handle,
expiry_days,
Expand All @@ -83,13 +84,13 @@ impl MlsCentral {
/// if you need to. Once the enrollment is finished, use the instance in [MlsCentral::e2ei_rotate_all] to do the rotation.
pub fn e2ei_new_rotate_enrollment(
&self,
client_id: ClientId,
display_name: Option<String>,
handle: Option<String>,
expiry_days: u32,
ciphersuite: MlsCiphersuite,
) -> E2eIdentityResult<E2eiEnrollment> {
let client = self.mls_client()?;
let client_id = client.id();

// look for existing credential of type x509. If there isn't, then this method has been misused
let cb = client
Expand All @@ -104,7 +105,7 @@ impl MlsCentral {
let handle = handle.unwrap_or(existing_identity.handle);

E2eiEnrollment::try_new(
client_id.clone(),
client_id,
display_name,
handle,
expiry_days,
Expand Down Expand Up @@ -293,12 +294,14 @@ pub mod tests {

let init = |cc: &MlsCentral| match case.credential_type {
MlsCredentialType::Basic => cc.e2ei_new_activation_enrollment(
cc.get_client_id(),
new_display_name.to_string(),
new_handle.to_string(),
E2EI_EXPIRY,
case.ciphersuite(),
),
MlsCredentialType::X509 => cc.e2ei_new_rotate_enrollment(
cc.get_client_id(),
Some(new_display_name.to_string()),
Some(new_handle.to_string()),
E2EI_EXPIRY,
Expand Down

0 comments on commit d687ae3

Please sign in to comment.