feat: Include certificate roots and certificate policy in GroupContext - WPB-1188 #346
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #346 +/- ##
===========================================
- Coverage 72.98% 71.45% -1.53%
===========================================
Files 68 70 +2
Lines 11348 11608 +260
===========================================
+ Hits 8282 8295 +13
- Misses 3066 3313 +247
Continue to review full report in Codecov by Sentry.
|
augustocdias
force-pushed
the
feat/wpb-1188
branch
2 times, most recently
from
eacaf14
to
c2cf701
Compare
crypto-ffi/bindings/js/CoreCrypto.ts
Outdated
| @@ -953,6 +974,45 @@ export class CoreCrypto { | |||
| )); | |||
| } | |||
|
|
|||
| /** | |||
| * Updates the trust anchors for a conversation | |||
There was a problem hiding this comment.
Give a bit more context about the validation rules: e.g. fails if you try to remove/add the same anchor etc...
When should a client call this method ? => when a federation event occurs etc..
crypto-ffi/src/generic.rs
Outdated
| Ok(cfg) | ||
| } | ||
| } | ||
|
|
||
| impl From<PerDomainTrustAnchor> for core_crypto::prelude::PerDomainTrustAnchor { | ||
| fn from(wasm_cfg: PerDomainTrustAnchor) -> Self { |
|
|
||
| pub(crate) fn extract_domain_name(certificate: &Certificate) -> CryptoResult<String> { | ||
| for attr in certificate.tbs_certificate.subject.0.iter().flat_map(|n| n.0.iter()) { | ||
| // according to the RFC implementations must be prepared to receive the domain component |
There was a problem hiding this comment.
Which RFC ? This Object Identifier seems to be reserved for LDAPs.
I think you should remove this
There was a problem hiding this comment.
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
In addition, implementations of this specification MUST be prepared
to receive the domainComponent attribute, as defined in [RFC4519].
The Domain Name System (DNS) provides a hierarchical resource
labeling system.
| .unwrap_or_else(|| Ok(Vec::new()))?; | ||
|
|
||
| // check if all to remove exists | ||
| if remove_domain_names |
There was a problem hiding this comment.
You could simplify this by comparing anchors length before & after retain on L212
| // check if any new chain is already in the group's context | ||
| if anchors.iter().any(|a| { | ||
| add_trust_anchors | ||
| .iter() | ||
| .any(|n| n.intermediate_certificate_chain == a.intermediate_certificate_chain) | ||
| }) { | ||
| return Err(CryptoError::DuplicateCertificateChain); | ||
| } |
There was a problem hiding this comment.
You could factorize this check with this one a few lines below:
// check for duplicate anchors to be added
if anchors
.iter()
.any(|a| add_trust_anchors.iter().any(|n| a.domain_name == n.domain_name))
{
return Err(CryptoError::DuplicateDomainName);
}That way you only iterate once the lists. Use a try_for_each()
|
|
||
| /// see [MlsCentral::update_trust_anchors_from_conversation] | ||
| #[cfg_attr(test, crate::durable)] | ||
| pub(crate) async fn update_trust_anchors( |
There was a problem hiding this comment.
You should really extract the validation part of this method into a dedicated method. This way we can reuse it if/when we allow to do the same in a GCE proposal
crypto/src/test_utils/central.rs
Outdated
| @@ -432,6 +435,20 @@ impl MlsCentral { | |||
| pub async fn count_credentials_in_keystore(&self) -> usize { | |||
| self.mls_backend.key_store().count::<MlsCredential>().await.unwrap() | |||
| } | |||
|
|
|||
| pub async fn add_per_domain_trust_anchor_unwchecked( | |||
crypto/src/test_utils/central.rs
Outdated
| .collect() | ||
| } | ||
|
|
||
| pub async fn add_per_domain_trust_anchor_unwchecked( |
augustocdias
force-pushed
the
feat/wpb-1188
branch
from
1b6c431
to
0678a8f
Compare
crypto-ffi/bindings/kt/main/com/wire/crypto/client/MLSClient.kt
Outdated
Show resolved
Hide resolved
augustocdias
force-pushed
the
feat/wpb-1188
branch
2 times, most recently
from
0cdf8a1
to
a98f804
Compare
augustocdias
force-pushed
the
feat/wpb-1188
branch
2 times, most recently
from
add3cc9
to
9b87dce
Compare
crypto-ffi/src/CoreCrypto.udl
Outdated
| @@ -179,6 +185,14 @@ enum CryptoError { | |||
| "ClearingPendingCommitError", | |||
| "SelfCommitIgnored", | |||
| "UnmergedPendingGroup", | |||
| "X509CertDerError", | |||
There was a problem hiding this comment.
Nit: indenting is wrong here (3 spaces, should be 4)
augustocdias
force-pushed
the
feat/wpb-1188
branch
from
9b87dce
to
e81b4b9
Compare
…t - WPB-1188 Co-authored-by: Mathieu Amiot <[email protected]> Co-authored-by: beltram <[email protected]>
augustocdias
force-pushed
the
feat/wpb-1188
branch
from
e81b4b9
to
945d073
Compare
PR Submission Checklist for internal contributors
The PR Title
SQPIT-764The PR Description
What's new in this PR?
Include certificate roots and certificate policy in GroupContext and expose to API
References
feat(conversation-list): Sort conversations by most emojis in the title #SQPIT-764.