Struct core_crypto::e2e_identity::E2eiEnrollment
pub struct E2eiEnrollment { /* private fields */ }
Wire end-to-end identity solution for fetching an X.509 certificate which identifies a client.
Implementations
impl E2eiEnrollment
pub fn get_refresh_token(&self) -> E2eIdentityResult<&str>
Lets clients retrieve the OIDC refresh token in order to try to renew the user's authorization. If it has expired, the user needs to re-authenticate, and the refresh token is updated in E2eiEnrollment::new_oidc_challenge_request.
impl E2eiEnrollment
pub fn try_new(
client_id: ClientId,
display_name: String,
handle: String,
team: Option<String>,
expiry_sec: u32,
backend: &MlsCryptoProvider,
ciphersuite: MlsCiphersuite,
sign_keypair: Option<E2eiSignatureKeypair>,
refresh_token: Option<RefreshToken>,
) -> CryptoResult<Self>
Builds an instance holding private key material. This instance has to be used for the whole enrollment process and then dropped to clear the secret key material.
Parameters
client_id
- client identifier e.g. b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com
display_name
- human readable name displayed in the application e.g. Smith, Alice M (QA)
handle
- user handle e.g. alice.smith.qa@example.com
expiry_sec
- generated x509 certificate expiry in seconds
pub fn directory_response(
&mut self,
directory: Vec<u8>,
) -> E2eIdentityResult<E2eiAcmeDirectory>
Parses the response from GET /acme/{provisioner-name}/directory.
Use the returned types::E2eiAcmeDirectory in the next step to fetch the first nonce from the ACME server: call HEAD on types::E2eiAcmeDirectory.new_nonce.
Parameters
directory
- http response body
pub fn new_account_request(
&self,
previous_nonce: String,
) -> E2eIdentityResult<Vec<u8>>
For creating a new ACME account. This returns a signed JWS-like request body to send to POST /acme/{provisioner-name}/new-account.
See RFC 8555 Section 7.3.
Parameters
previous_nonce
- you got from calling HEAD {directory.new_nonce}
pub fn new_account_response(
&mut self,
account: Vec<u8>,
) -> E2eIdentityResult<()>
Parses the response from POST /acme/{provisioner-name}/new-account.
See RFC 8555 Section 7.3.
Parameters
account
- http response body
pub fn new_order_request(
&self,
previous_nonce: String,
) -> E2eIdentityResult<Vec<u8>>
Creates a new ACME order for the handle (userId + display name) and the clientId.
See RFC 8555 Section 7.4.
Parameters
previous_nonce
- replay-nonce response header from POST /acme/{provisioner-name}/new-account
pub fn new_order_response(
&self,
order: Vec<u8>,
) -> E2eIdentityResult<E2eiNewAcmeOrder>
Parses the response from POST /acme/{provisioner-name}/new-order.
See RFC 8555 Section 7.4.
Parameters
order
- http response body
pub fn new_authz_request(
&self,
url: String,
previous_nonce: String,
) -> E2eIdentityResult<Vec<u8>>
Creates a new authorization request.
See RFC 8555 Section 7.5.
Parameters
url
- one of the URLs in the new order's authorizations (from Self::new_order_response)
previous_nonce
- replay-nonce response header from POST /acme/{provisioner-name}/new-order (or from the previous call to this method if you are creating the second authorization)
pub fn new_authz_response(
&mut self,
authz: Vec<u8>,
) -> E2eIdentityResult<E2eiNewAcmeAuthz>
Parses the response from POST /acme/{provisioner-name}/authz/{authz-id}.
See RFC 8555 Section 7.5.
Parameters
authz
- http response body
pub fn create_dpop_token(
&self,
expiry_secs: u32,
backend_nonce: String,
) -> E2eIdentityResult<String>
Generates a new client DPoP JWT. It demonstrates proof of possession of both nonces (the one from wire-server and the one from the ACME server) and is verified by the ACME server when it validates the challenge (in order to issue a certificate).
Then send it to POST /clients/{id}/access-token on wire-server.
Parameters
expiry_secs
- expiry of the client DPoP JWT. This should be equal to the grace period set in Team Management
backend_nonce
- you get by calling GET /clients/token/nonce on wire-server (see the endpoint definition)
pub fn new_dpop_challenge_request(
&self,
access_token: String,
previous_nonce: String,
) -> E2eIdentityResult<Vec<u8>>
Creates a new DPoP challenge request.
Parameters
access_token
- returned by wire-server from POST /clients/{id}/access-token
previous_nonce
- replay-nonce response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub fn new_dpop_challenge_response(
&self,
challenge: Vec<u8>,
) -> E2eIdentityResult<()>
Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id} for the DPoP challenge.
Parameters
challenge
- http response body
pub fn new_oidc_challenge_request(
&mut self,
id_token: String,
refresh_token: String,
previous_nonce: String,
) -> E2eIdentityResult<Vec<u8>>
Creates a new OIDC challenge request.
Parameters
id_token
- you get back from the Identity Provider
refresh_token
- you get back from the Identity Provider to renew the access token
previous_nonce
- replay-nonce response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub async fn new_oidc_challenge_response(
&mut self,
backend: &MlsCryptoProvider,
challenge: Vec<u8>,
) -> E2eIdentityResult<()>
Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id} for the OIDC challenge.
Parameters
challenge
- http response body
pub fn check_order_request(
&self,
order_url: String,
previous_nonce: String,
) -> E2eIdentityResult<Vec<u8>>
Verifies that the previous challenge has been completed.
See RFC 8555 Section 7.4.
Parameters
order_url
- location header from the HTTP response you parsed with Self::new_order_response
previous_nonce
- replay-nonce response header from POST /acme/{provisioner-name}/challenge/{challenge-id}
pub fn check_order_response(
&mut self,
order: Vec<u8>,
) -> E2eIdentityResult<String>
Parses the response from POST /acme/{provisioner-name}/order/{order-id}.
See RFC 8555 Section 7.4.
Parameters
order
- http response body
Returns
The finalize url to use with Self::finalize_request
pub fn finalize_request(
&mut self,
previous_nonce: String,
) -> E2eIdentityResult<Vec<u8>>
Final step before fetching the certificate.
See RFC 8555 Section 7.4.
Parameters
previous_nonce
- replay-nonce response header from POST /acme/{provisioner-name}/order/{order-id}
pub fn finalize_response(
&mut self,
finalize: Vec<u8>,
) -> E2eIdentityResult<String>
Parses the response from POST /acme/{provisioner-name}/order/{order-id}/finalize.
See RFC 8555 Section 7.4.
Parameters
finalize
- http response body
Returns
The certificate url to use with Self::certificate_request
pub fn certificate_request(
&mut self,
previous_nonce: String,
) -> E2eIdentityResult<Vec<u8>>
Creates the request for finally fetching the X.509 certificate.
Parameters
previous_nonce
- replay-nonce response header from POST /acme/{provisioner-name}/order/{order-id}/finalize
Methods from Deref<Target = RustyE2eIdentity>
pub fn acme_directory_response(
&self,
directory: Value,
) -> Result<AcmeDirectory, E2eIdentityError>
Parses the response from GET /acme/{provisioner-name}/directory.
Use the returned [AcmeDirectory] in the next step to fetch the first nonce from the ACME server: call HEAD on [AcmeDirectory::new_nonce].
Parameters
directory
- http response body
pub fn acme_new_account_request(
&self,
directory: &AcmeDirectory,
previous_nonce: String,
) -> Result<Value, E2eIdentityError>
For creating a new ACME account. This returns a signed JWS-like request body to send to POST /acme/{provisioner-name}/new-account.
See RFC 8555 Section 7.3.
Parameters
directory
- you got from [Self::acme_directory_response]
previous_nonce
- you got from calling HEAD {directory.new_nonce}
pub fn acme_new_account_response(
&self,
account: Value,
) -> Result<E2eiAcmeAccount, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/new-account.
See RFC 8555 Section 7.3.
Parameters
account
- http response body
pub fn acme_new_order_request(
&self,
display_name: &str,
client_id: &str,
handle: &str,
expiry: Duration,
directory: &AcmeDirectory,
account: &E2eiAcmeAccount,
previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a new ACME order for the handle (userId + display name) and the clientId.
See RFC 8555 Section 7.4.
Parameters
display_name
- human readable name displayed in the application e.g. Smith, Alice M (QA)
client_id
- client identifier with user b64Url encoded & clientId hex encoded e.g. NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ/6add501bacd1d90e@example.com
handle
- user handle e.g. alice.smith.qa@example.com
expiry
- x509 generated certificate expiry
directory
- you got from [Self::acme_directory_response]
account
- you got from [Self::acme_new_account_response]
previous_nonce
- "replay-nonce" response header from POST /acme/{provisioner-name}/new-account
pub fn acme_new_order_response(
&self,
new_order: Value,
) -> Result<E2eiNewAcmeOrder, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/new-order.
See RFC 8555 Section 7.4.
Parameters
new_order
- http response body
pub fn acme_new_authz_request(
&self,
url: &Url,
account: &E2eiAcmeAccount,
previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a new authorization request.
See RFC 8555 Section 7.5.
Parameters
url
- one of the URLs in the new order's authorizations (from [Self::acme_new_order_response])
account
- you got from [Self::acme_new_account_response]
previous_nonce
- "replay-nonce" response header from POST /acme/{provisioner-name}/new-order (or from the previous call to this method if you are creating the second authorization)
pub fn acme_new_authz_response(
&self,
new_authz: Value,
) -> Result<E2eiAcmeAuthorization, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/authz/{authz-id}.
You then have to map the challenges from this authorization object: the client_id_challenge is the one whose identifier is the client_id_host you supplied to [Self::acme_new_order_request]; the other one is your handle_challenge.
See RFC 8555 Section 7.5.
Parameters
new_authz
- http response body
pub fn new_dpop_token(
&self,
client_id: &str,
display_name: &str,
dpop_challenge: &E2eiAcmeChallenge,
backend_nonce: String,
handle: &str,
team: Option<String>,
expiry: Duration,
) -> Result<String, E2eIdentityError>
Generates a new client DPoP JWT. It demonstrates proof of possession of both nonces (the one from wire-server and the one from the ACME server) and is verified by the ACME server when it validates the challenge (in order to issue a certificate).
Then send it to POST /clients/{id}/access-token on wire-server.
Parameters
client_id
- client identifier with user b64Url encoded & clientId hex encoded e.g. NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com
display_name
- human readable name displayed in the application e.g. Smith, Alice M (QA)
dpop_challenge
- you found after [Self::acme_new_authz_response]
backend_nonce
- you get by calling GET /clients/token/nonce on wire-server (see the endpoint definition)
handle
- user handle e.g. alice.smith.qa@example.com
expiry
- token expiry
pub fn acme_dpop_challenge_request(
&self,
access_token: String,
dpop_challenge: &E2eiAcmeChallenge,
account: &E2eiAcmeAccount,
previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a new DPoP challenge request.
Parameters
access_token
- returned by wire-server from POST /clients/{id}/access-token
dpop_challenge
- you found after [Self::acme_new_authz_response]
account
- you got from [Self::acme_new_account_response]
previous_nonce
- "replay-nonce" response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub fn acme_oidc_challenge_request(
&self,
id_token: String,
oidc_challenge: &E2eiAcmeChallenge,
account: &E2eiAcmeAccount,
previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a new OIDC challenge request.
Parameters
id_token
- returned by the Identity Provider
oidc_challenge
- you found after [Self::acme_new_authz_response]
account
- you got from [Self::acme_new_account_response]
previous_nonce
- "replay-nonce" response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub fn acme_new_challenge_response(
&self,
challenge: Value,
) -> Result<(), E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id}.
Parameters
challenge
- http response body
pub fn acme_check_order_request(
&self,
order_url: Url,
account: &E2eiAcmeAccount,
previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Verifies that the previous challenge has been completed.
See RFC 8555 Section 7.4.
Parameters
order_url
- "location" header from the HTTP response you parsed with [Self::acme_new_order_response]
account
- you got from [Self::acme_new_account_response]
previous_nonce
- "replay-nonce" response header from POST /acme/{provisioner-name}/challenge/{challenge-id}
pub fn acme_check_order_response(
&self,
order: Value,
) -> Result<E2eiAcmeOrder, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/order/{order-id}.
See RFC 8555 Section 7.4.
Parameters
order
- http response body
pub fn acme_finalize_request(
&self,
order: &E2eiAcmeOrder,
account: &E2eiAcmeAccount,
previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Final step before fetching the certificate.
See RFC 8555 Section 7.4.
Parameters
order
- you got from [Self::acme_check_order_response]
account
- you got from [Self::acme_new_account_response]
previous_nonce
- "replay-nonce" response header from POST /acme/{provisioner-name}/order/{order-id}
pub fn acme_finalize_response(
&self,
finalize: Value,
) -> Result<E2eiAcmeFinalize, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/order/{order-id}/finalize.
See RFC 8555 Section 7.4.
Parameters
finalize
- http response body
pub fn acme_x509_certificate_request(
&self,
finalize: E2eiAcmeFinalize,
account: E2eiAcmeAccount,
previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates the request for finally fetching the X.509 certificate.
Parameters
finalize
- you got from [Self::acme_finalize_response]
account
- you got from [Self::acme_new_account_response]
previous_nonce
- "replay-nonce" response header from POST /acme/{provisioner-name}/order/{order-id}/finalize
Trait Implementations
impl Debug for E2eiEnrollment
impl Deref for E2eiEnrollment (Target = RustyE2eIdentity)
impl<'de> Deserialize<'de> for E2eiEnrollment
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error> where __D: Deserializer<'de>
Auto Trait Implementations
impl Freeze for E2eiEnrollment
impl RefUnwindSafe for E2eiEnrollment
impl Send for E2eiEnrollment
impl Sync for E2eiEnrollment
impl Unpin for E2eiEnrollment
impl UnwindSafe for E2eiEnrollment
Blanket Implementations
impl<T> BorrowMut<T> for T where T: ?Sized
fn borrow_mut(&mut self) -> &mut T
impl<T, UT> HandleAlloc<UT> for T
fn new_handle(value: Arc<T>) -> Handle
unsafe fn clone_handle(handle: Handle) -> Handle
unsafe fn consume_handle(handle: Handle) -> Arc<T>
impl<T> IntoEither for T
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.