core_crypto::e2e_identity

Struct E2eiEnrollment

pub struct E2eiEnrollment { /* private fields */ }

Wire end-to-end identity solution for fetching an X.509 certificate that identifies a client.

Implementations

impl E2eiEnrollment

pub fn get_refresh_token(&self) -> E2eIdentityResult<&str>

Lets clients retrieve the OIDC refresh token so they can try to renew the user's authorization. If it has expired, the user needs to re-authenticate, and the client supplies the new refresh token in E2eiEnrollment::new_oidc_challenge_request.

impl E2eiEnrollment

pub fn try_new(client_id: ClientId, display_name: String, handle: String, team: Option<String>, expiry_sec: u32, backend: &MlsCryptoProvider, ciphersuite: MlsCiphersuite, sign_keypair: Option<E2eiSignatureKeypair>, refresh_token: Option<RefreshToken>) -> CryptoResult<Self>

Builds an instance holding private key material. This instance has to be used for the whole enrollment process and then dropped to clear the secret key material.

Parameters
  • client_id - client identifier, e.g. b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com
  • display_name - human-readable name displayed in the application, e.g. Smith, Alice M (QA)
  • handle - user handle, e.g. alice.smith.qa@example.com
  • expiry_sec - expiry of the generated X.509 certificate, in seconds
pub fn directory_response(&mut self, directory: Vec<u8>) -> E2eIdentityResult<E2eiAcmeDirectory>

Parses the response from GET /acme/{provisioner-name}/directory. Use the returned types::E2eiAcmeDirectory in the next step to fetch the first nonce from the ACME server, via HEAD on types::E2eiAcmeDirectory.new_nonce.

See RFC 8555 Section 7.1.1.

Parameters
  • directory - http response body
pub fn new_account_request(&self, previous_nonce: String) -> E2eIdentityResult<Vec<u8>>

For creating a new ACME account. Returns a signed JWS-like request body to send to POST /acme/{provisioner-name}/new-account.

See RFC 8555 Section 7.3.

Parameters
  • previous_nonce - replay-nonce response header you got from calling HEAD {directory.new_nonce}

pub fn new_account_response( &mut self, account: Vec<u8>, ) -> E2eIdentityResult<()>

Parses the response from POST /acme/{provisioner-name}/new-account.

See RFC 8555 Section 7.3.

§Parameters
  • account - http response body
pub fn new_order_request(&self, previous_nonce: String) -> E2eIdentityResult<Vec<u8>>

Creates a new ACME order for the handle (userId + display name) and the clientId.

See RFC 8555 Section 7.4.

Parameters
  • previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/new-account
pub fn new_order_response(&self, order: Vec<u8>) -> E2eIdentityResult<E2eiNewAcmeOrder>

Parses the response from POST /acme/{provisioner-name}/new-order.

See RFC 8555 Section 7.4.

Parameters
  • order - http response body
pub fn new_authz_request(&self, url: String, previous_nonce: String) -> E2eIdentityResult<Vec<u8>>

Creates a new authorization request.

See RFC 8555 Section 7.5.

Parameters
  • url - one of the URLs in the new order's authorizations (from Self::new_order_response)
  • account - you got from Self::new_account_response
  • previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/new-order (or from the previous call to this method if you are creating the second authorization)
pub fn new_authz_response(&mut self, authz: Vec<u8>) -> E2eIdentityResult<E2eiNewAcmeAuthz>

Parses the response from POST /acme/{provisioner-name}/authz/{authz-id}.

See RFC 8555 Section 7.5.

Parameters
  • authz - http response body
pub fn create_dpop_token(&self, expiry_secs: u32, backend_nonce: String) -> E2eIdentityResult<String>

Generates a new client DPoP JWT. It demonstrates proof of possession of the nonces (from wire-server and the ACME server) and will be verified by the ACME server when it verifies the challenge (in order to deliver a certificate).

Then send it to POST /clients/{id}/access-token on wire-server.

Parameters
  • expiry_secs - token expiry of the client DPoP JWT, in seconds. This should be equal to the grace period set in Team Management
  • backend_nonce - obtained by calling GET /clients/token/nonce on wire-server. See the endpoint definition
pub fn new_dpop_challenge_request(&self, access_token: String, previous_nonce: String) -> E2eIdentityResult<Vec<u8>>

Creates a new challenge request for the DPoP challenge.

See RFC 8555 Section 7.5.1.

Parameters
  • access_token - returned by wire-server from POST /clients/{id}/access-token
  • previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/authz/{authz-id}

pub fn new_dpop_challenge_response( &self, challenge: Vec<u8>, ) -> E2eIdentityResult<()>

Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id} for the DPoP challenge

See RFC 8555 Section 7.5.1.

§Parameters
  • challenge - http response body
pub fn new_oidc_challenge_request(&mut self, id_token: String, refresh_token: String, previous_nonce: String) -> E2eIdentityResult<Vec<u8>>

Creates a new challenge request for the OIDC challenge.

See RFC 8555 Section 7.5.1.

Parameters
  • id_token - returned by the Identity Provider
  • refresh_token - returned by the Identity Provider, used to renew the access token
  • oidc_challenge - you found after Self::new_authz_response
  • account - you got from Self::new_account_response
  • previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub async fn new_oidc_challenge_response(&mut self, backend: &MlsCryptoProvider, challenge: Vec<u8>) -> E2eIdentityResult<()>

Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id} for the OIDC challenge.

See RFC 8555 Section 7.5.1.

Parameters
  • challenge - http response body
pub fn check_order_request(&self, order_url: String, previous_nonce: String) -> E2eIdentityResult<Vec<u8>>

Verifies that the previous challenge has been completed.

See RFC 8555 Section 7.4.

Parameters
  • order_url - "location" header of the http response you got from Self::new_order_response
  • previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/challenge/{challenge-id}

pub fn check_order_response( &mut self, order: Vec<u8>, ) -> E2eIdentityResult<String>

Parses the response from POST /acme/{provisioner-name}/order/{order-id}.

See RFC 8555 Section 7.4.

§Parameters
  • order - http response body
§Returns

The finalize url to use with Self::finalize_request

source

pub fn finalize_request( &mut self, previous_nonce: String, ) -> E2eIdentityResult<Vec<u8>>

Final step before fetching the certificate.

See RFC 8555 Section 7.4.

§Parameters
  • domains - you want to generate a certificate for e.g. ["wire.com"]
  • order - you got from Self::check_order_response
  • account - you got from Self::new_account_response
  • previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/order/{order-id}
pub fn finalize_response(&mut self, finalize: Vec<u8>) -> E2eIdentityResult<String>

Parses the response from POST /acme/{provisioner-name}/order/{order-id}/finalize.

See RFC 8555 Section 7.4.

Parameters
  • finalize - http response body

Returns

The certificate URL to use with Self::certificate_request

pub fn certificate_request( &mut self, previous_nonce: String, ) -> E2eIdentityResult<Vec<u8>>

Creates a request for finally fetching the x509 certificate.

See RFC 8555 Section 7.4.2.

§Parameters
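Every `*_request` method above takes a `previous_nonce`: the `replay-nonce` header of the last ACME response, which the server accepts exactly once (RFC 8555 Section 6.5), so the requests form a strict chain in the call order listed. The following Rust program is an added example, not code from core_crypto or from Wire: it models that chain, the call order of the methods above (the RustyE2eIdentity methods listed below follow the same order), and the `try_new` contract that dropping the enrollment clears secret key material. `FakeAcmeServer`, `Enrollment`, `Step` and `AcmeError` are constructed stand-ins with no network and no real CA, and the signing key is a placeholder byte vector, not real key material.

```rust
// Added example, not part of core_crypto: models the ACME replay-nonce
// chaining behind every `previous_nonce` parameter, the step order of the
// E2eiEnrollment methods, and wiping key material on drop.
use std::collections::HashSet;
use std::sync::atomic::{compiler_fence, Ordering};

/// Enrollment steps in the order the E2eiEnrollment methods are called.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Step {
    Directory,     // GET  /acme/{provisioner-name}/directory
    NewNonce,      // HEAD {directory.new_nonce}
    NewAccount,    // POST new-account
    NewOrder,      // POST new-order
    NewAuthz,      // POST authz/{authz-id}
    DpopChallenge, // POST challenge/{challenge-id} (DPoP)
    OidcChallenge, // POST challenge/{challenge-id} (OIDC)
    CheckOrder,    // POST order/{order-id}
    Finalize,      // POST order/{order-id}/finalize
    Certificate,   // POST certificate/{certificate-id}
}

pub const ORDER: [Step; 10] = [
    Step::Directory, Step::NewNonce, Step::NewAccount, Step::NewOrder, Step::NewAuthz,
    Step::DpopChallenge, Step::OidcChallenge, Step::CheckOrder, Step::Finalize, Step::Certificate,
];

#[derive(Debug, PartialEq, Eq)]
pub enum AcmeError {
    BadNonce,                                  // never issued or already consumed
    OutOfOrder { expected: Step, got: Step },  // step attempted out of sequence
    AlreadyComplete,                           // flow already reached the certificate
}

/// Constructed stand-in for the ACME server's nonce bookkeeping.
pub struct FakeAcmeServer { counter: u64, unused: HashSet<String> }

impl FakeAcmeServer {
    pub fn new() -> Self { Self { counter: 0, unused: HashSet::new() } }

    /// Mint a fresh nonce, as the `replay-nonce` response header would carry.
    pub fn issue_nonce(&mut self) -> String {
        self.counter += 1;
        let nonce = format!("nonce-{}", self.counter);
        self.unused.insert(nonce.clone());
        nonce
    }

    /// Accept a POST whose JWS protected header carries `nonce`; each nonce is valid once.
    pub fn accept_post(&mut self, nonce: &str) -> Result<String, AcmeError> {
        if !self.unused.remove(nonce) { return Err(AcmeError::BadNonce); }
        Ok(self.issue_nonce())
    }
}

/// Client-side state: next expected step, nonce from the last response, placeholder key.
pub struct Enrollment { next: usize, nonce: Option<String>, signing_key: Vec<u8> }

impl Enrollment {
    pub fn new(signing_key: Vec<u8>) -> Self { Self { next: 0, nonce: None, signing_key } }

    /// Perform one step; POST steps consume the previous nonce and keep the new one.
    pub fn run_step(&mut self, step: Step, server: &mut FakeAcmeServer) -> Result<(), AcmeError> {
        let expected = match ORDER.get(self.next) {
            Some(expected) => *expected,
            None => return Err(AcmeError::AlreadyComplete),
        };
        if step != expected { return Err(AcmeError::OutOfOrder { expected, got: step }); }
        match step {
            Step::Directory => {}                                      // plain GET, no nonce
            Step::NewNonce => self.nonce = Some(server.issue_nonce()), // HEAD seeds the chain
            _ => {
                // A failed POST discards the stale nonce; a fresh one must be fetched.
                let previous = self.nonce.take().ok_or(AcmeError::BadNonce)?;
                self.nonce = Some(server.accept_post(&previous)?);
            }
        }
        self.next += 1;
        Ok(())
    }

    pub fn is_complete(&self) -> bool { self.next == ORDER.len() }
}

/// Mirror of the `try_new` contract: dropping the enrollment wipes the key bytes.
impl Drop for Enrollment {
    fn drop(&mut self) {
        for b in self.signing_key.iter_mut() {
            unsafe { std::ptr::write_volatile(b, 0) }; // volatile so the wipe is not elided
        }
        compiler_fence(Ordering::SeqCst);
    }
}

/// Walk the whole flow in order; Ok(()) only if every nonce chained correctly.
pub fn enroll(server: &mut FakeAcmeServer) -> Result<(), AcmeError> {
    let mut enrollment = Enrollment::new(vec![0x42; 32]); // constructed placeholder key
    for step in ORDER { enrollment.run_step(step, server)?; }
    debug_assert!(enrollment.is_complete());
    Ok(())
}

/// Resending a request with an already-consumed nonce must be refused.
pub fn replayed_nonce_is_rejected() -> Result<(), AcmeError> {
    let mut server = FakeAcmeServer::new();
    let first = server.issue_nonce();
    server.accept_post(&first)?; // first use succeeds
    match server.accept_post(&first) {
        Err(AcmeError::BadNonce) => Ok(()),
        other => panic!("replay was not rejected: {other:?}"),
    }
}

fn main() {
    let mut server = FakeAcmeServer::new();
    println!("full enrollment: {:?}", enroll(&mut server));
    println!("replay check: {:?}", replayed_nonce_is_rejected());
}
```

`enroll` succeeds only when all ten steps run in order and every POST presents an unconsumed nonce; `replayed_nonce_is_rejected` shows a resent request (a retried new-account POST, say) failing with `BadNonce`, which a real ACME server reports as `urn:ietf:params:acme:error:badNonce`, after which the client fetches a fresh nonce and retries rather than reusing the old one.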

Methods from Deref<Target = RustyE2eIdentity>

pub fn acme_directory_response(&self, directory: Value) -> Result<AcmeDirectory, E2eIdentityError>

Parses the response from GET /acme/{provisioner-name}/directory. Use the returned [AcmeDirectory] in the next step to fetch the first nonce from the ACME server, via [AcmeDirectory::new_nonce].

See RFC 8555 Section 7.1.1.

Parameters
  • directory - http response body

pub fn acme_new_account_request(&self, directory: &AcmeDirectory, previous_nonce: String) -> Result<Value, E2eIdentityError>

For creating a new ACME account. Returns a signed JWS-like request body to send to POST /acme/{provisioner-name}/new-account.

See RFC 8555 Section 7.3.

Parameters
  • directory - you got from [Self::acme_directory_response]
  • previous_nonce - you got from calling HEAD {directory.new_nonce}

pub fn acme_new_account_response(&self, account: Value) -> Result<E2eiAcmeAccount, E2eIdentityError>

Parses the response from POST /acme/{provisioner-name}/new-account.

See RFC 8555 Section 7.3.

Parameters
  • account - http response body

pub fn acme_new_order_request(&self, display_name: &str, client_id: &str, handle: &str, expiry: Duration, directory: &AcmeDirectory, account: &E2eiAcmeAccount, previous_nonce: String) -> Result<Value, E2eIdentityError>

Creates a new ACME order for the handle (userId + display name) and the clientId.

See RFC 8555 Section 7.4.

Parameters
  • display_name - human-readable name displayed in the application, e.g. Smith, Alice M (QA)
  • domain - DNS name of the owning backend, e.g. example.com
  • client_id - client identifier with user b64Url encoded & clientId hex encoded, e.g. NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ/6add501bacd1d90e@example.com
  • handle - user handle, e.g. alice.smith.qa@example.com
  • expiry - expiry of the generated X.509 certificate
  • directory - you got from [Self::acme_directory_response]
  • account - you got from [Self::acme_new_account_response]
  • previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/new-account

pub fn acme_new_order_response(&self, new_order: Value) -> Result<E2eiNewAcmeOrder, E2eIdentityError>

Parses the response from POST /acme/{provisioner-name}/new-order.

See RFC 8555 Section 7.4.

Parameters
  • new_order - http response body

pub fn acme_new_authz_request(&self, url: &Url, account: &E2eiAcmeAccount, previous_nonce: String) -> Result<Value, E2eIdentityError>

Creates a new authorization request.

See RFC 8555 Section 7.5.

Parameters
  • url - one of the URLs in the new order's authorizations (from [Self::acme_new_order_response])
  • account - you got from [Self::acme_new_account_response]
  • previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/new-order (or from the previous call to this method if you are creating the second authorization)

pub fn acme_new_authz_response(&self, new_authz: Value) -> Result<E2eiAcmeAuthorization, E2eIdentityError>

Parses the response from POST /acme/{provisioner-name}/authz/{authz-id}.

You then have to map the challenges from this authorization object: the client_id_challenge is the one whose identifier is the client_id_host you supplied to [Self::acme_new_order_request]; the other one is your handle_challenge.

See RFC 8555 Section 7.5.

Parameters
  • new_authz - http response body

pub fn new_dpop_token(&self, client_id: &str, display_name: &str, dpop_challenge: &E2eiAcmeChallenge, backend_nonce: String, handle: &str, team: Option<String>, expiry: Duration) -> Result<String, E2eIdentityError>

Generates a new client DPoP JWT. It demonstrates proof of possession of the nonces (from wire-server and the ACME server) and will be verified by the ACME server when it verifies the challenge (in order to deliver a certificate).

Then send it to POST /clients/{id}/access-token on wire-server.

Parameters
  • access_token_url - backend endpoint where this token will be sent (POST /clients/{id}/access-token on wire-server)
  • client_id - client identifier with user b64Url encoded & clientId hex encoded, e.g. NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com
  • dpop_challenge - you found after [Self::acme_new_authz_response]
  • backend_nonce - you get by calling GET /clients/token/nonce on wire-server. See the endpoint definition
  • handle - user handle, e.g. alice.smith.qa@example.com
  • expiry - token expiry

pub fn acme_dpop_challenge_request(&self, access_token: String, dpop_challenge: &E2eiAcmeChallenge, account: &E2eiAcmeAccount, previous_nonce: String) -> Result<Value, E2eIdentityError>

Creates a new challenge request for the DPoP challenge.

See RFC 8555 Section 7.5.1.

Parameters
  • access_token - returned by wire-server from POST /clients/{id}/access-token
  • dpop_challenge - you found after [Self::acme_new_authz_response]
  • account - you got from [Self::acme_new_account_response]
  • previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/authz/{authz-id}

pub fn acme_oidc_challenge_request(&self, id_token: String, oidc_challenge: &E2eiAcmeChallenge, account: &E2eiAcmeAccount, previous_nonce: String) -> Result<Value, E2eIdentityError>

Creates a new challenge request for the OIDC challenge.

See RFC 8555 Section 7.5.1.

Parameters
  • id_token - returned by the Identity Provider
  • oidc_challenge - you found after [Self::acme_new_authz_response]
  • account - you got from [Self::acme_new_account_response]
  • previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/authz/{authz-id}

pub fn acme_new_challenge_response(&self, challenge: Value) -> Result<(), E2eIdentityError>

Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id}.

See RFC 8555 Section 7.5.1.

Parameters
  • challenge - http response body

pub fn acme_check_order_request(&self, order_url: Url, account: &E2eiAcmeAccount, previous_nonce: String) -> Result<Value, E2eIdentityError>

Verifies that the previous challenge has been completed.

See RFC 8555 Section 7.4.

Parameters
  • order_url - "location" header of the http response you got from [Self::acme_new_order_response]
  • account - you got from [Self::acme_new_account_response]
  • previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/challenge/{challenge-id}

pub fn acme_check_order_response(&self, order: Value) -> Result<E2eiAcmeOrder, E2eIdentityError>

Parses the response from POST /acme/{provisioner-name}/order/{order-id}.

See RFC 8555 Section 7.4.

Parameters
  • order - http response body

pub fn acme_finalize_request(&self, order: &E2eiAcmeOrder, account: &E2eiAcmeAccount, previous_nonce: String) -> Result<Value, E2eIdentityError>

Final step before fetching the certificate.

See RFC 8555 Section 7.4.

Parameters
  • domains - domains you want to generate a certificate for, e.g. ["wire.com"]
  • order - you got from [Self::acme_check_order_response]
  • account - you got from [Self::acme_new_account_response]
  • previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/order/{order-id}

pub fn acme_finalize_response(&self, finalize: Value) -> Result<E2eiAcmeFinalize, E2eIdentityError>

Parses the response from POST /acme/{provisioner-name}/order/{order-id}/finalize.

See RFC 8555 Section 7.4.

Parameters
  • finalize - http response body

pub fn acme_x509_certificate_request(&self, finalize: E2eiAcmeFinalize, account: E2eiAcmeAccount, previous_nonce: String) -> Result<Value, E2eIdentityError>

Creates the request that finally fetches the X.509 certificate.

See RFC 8555 Section 7.4.2.

Parameters
  • domains - domains you want to generate a certificate for, e.g. ["wire.com"]
  • order - you got from [Self::acme_check_order_response]
  • account - you got from [Self::acme_new_account_response]
  • previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/order/{order-id}

pub fn acme_x509_certificate_response(&self, response: String, order: E2eiAcmeOrder, env: Option<&PkiEnvironment>) -> Result<Vec<Vec<u8>>, E2eIdentityError>

Parses the response from POST /acme/{provisioner-name}/certificate/{certificate-id}.

See RFC 8555 Section 7.4.2.

Parameters
  • response - http response body as a string

Trait Implementations

impl Debug for E2eiEnrollment

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Deref for E2eiEnrollment

type Target = RustyE2eIdentity

The resulting type after dereferencing.

fn deref(&self) -> &Self::Target

Dereferences the value.

impl<'de> Deserialize<'de> for E2eiEnrollment

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for E2eiEnrollment

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T where T: 'static + ?Sized
  • fn type_id(&self) -> TypeId: gets the TypeId of self.

impl<T> Borrow<T> for T where T: ?Sized
  • fn borrow(&self) -> &T: immutably borrows from an owned value.

impl<T> BorrowMut<T> for T where T: ?Sized
  • fn borrow_mut(&mut self) -> &mut T: mutably borrows from an owned value.

impl<T> From<T> for T
  • fn from(t: T) -> T: returns the argument unchanged.

impl<T, UT> HandleAlloc<UT> for T where T: Send + Sync
  • fn new_handle(value: Arc<T>) -> Handle: creates a new handle for an Arc value.
  • unsafe fn clone_handle(handle: Handle) -> Handle: clones a handle.
  • unsafe fn consume_handle(handle: Handle) -> Arc<T>: consumes a handle, getting back the initial Arc<>.
  • unsafe fn get_arc(handle: Handle) -> Arc<Self>: gets a clone of the Arc<> using a "borrowed" handle.

impl<T, U> Into<U> for T where U: From<T>
  • fn into(self) -> U: calls U::from(self). That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T
  • fn into_either(self, into_left: bool) -> Either<Self, Self>: converts self into a Left variant of Either<Self, Self> if into_left is true, otherwise into a Right variant.
  • fn into_either_with<F>(self, into_left: F) -> Either<Self, Self> where F: FnOnce(&Self) -> bool: converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true, otherwise into a Right variant.

impl<T> Same for T
  • type Output = T: should always be Self.

impl<T> Serialize for T where T: Serialize + ?Sized
  • fn erased_serialize(&self, serializer: &mut dyn Serializer) -> Result<(), Error>
  • fn do_erased_serialize(&self, serializer: &mut dyn Serializer) -> Result<(), ErrorImpl>

impl<T, U> TryFrom<U> for T where U: Into<T>
  • type Error = Infallible: the type returned in the event of a conversion error.
  • fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>: performs the conversion.

impl<T, U> TryInto<U> for T where U: TryFrom<T>
  • type Error = <U as TryFrom<T>>::Error: the type returned in the event of a conversion error.
  • fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>: performs the conversion.

impl<V, T> VZip<V> for T where V: MultiLane<T>
  • fn vzip(self) -> V

impl<T> DeserializeOwned for T where T: for<'de> Deserialize<'de>

impl<T> ErasedDestructor for T where T: 'static

impl<T> MaybeSendSync for T