pub struct E2eiEnrollment { /* private fields */ }
Wire end-to-end identity solution for fetching an x509 certificate which identifies a client.
Implementations
impl E2eiEnrollment
pub fn try_new(
    client_id: ClientId,
    display_name: String,
    handle: String,
    team: Option<String>,
    expiry_sec: u32,
    backend: &MlsCryptoProvider,
    ciphersuite: MlsCiphersuite,
    sign_keypair: Option<E2eiSignatureKeypair>,
    has_called_new_oidc_challenge_request: bool,
) -> Result<Self>
Builds an instance holding private key material. This instance has to be used for the whole enrollment process and then dropped to clear the secret key material.
Parameters
client_id - client identifier, e.g. b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com
display_name - human-readable name displayed in the application, e.g. Smith, Alice M (QA)
handle - user handle, e.g. alice.smith.qa@example.com
expiry_sec - expiry of the generated x509 certificate, in seconds
pub fn directory_response(
    &mut self,
    directory: Vec<u8>,
) -> Result<E2eiAcmeDirectory>
Parses the response from GET /acme/{provisioner-name}/directory.
Use this types::E2eiAcmeDirectory in the next step to fetch the first nonce from the acme server, via types::E2eiAcmeDirectory.new_nonce.
Parameters
directory - http response body
pub fn new_account_request(&self, previous_nonce: String) -> Result<Vec<u8>>
For creating a new acme account. This returns a signed JWS-alike request body to send to POST /acme/{provisioner-name}/new-account.
See RFC 8555 Section 7.3.
Parameters
directory - you got from Self::directory_response
previous_nonce - you got from calling HEAD {directory.new_nonce}
pub fn new_account_response(&mut self, account: Vec<u8>) -> Result<()>
Parses the response from POST /acme/{provisioner-name}/new-account.
See RFC 8555 Section 7.3.
Parameters
account - http response body
pub fn new_order_request(&self, previous_nonce: String) -> Result<Vec<u8>>
Creates a new acme order for the handle (userId + display name) and the clientId.
See RFC 8555 Section 7.4.
Parameters
previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/new-account
pub fn new_order_response(&self, order: Vec<u8>) -> Result<E2eiNewAcmeOrder>
Parses the response from POST /acme/{provisioner-name}/new-order.
See RFC 8555 Section 7.4.
Parameters
new_order - http response body
pub fn new_authz_request(
    &self,
    url: String,
    previous_nonce: String,
) -> Result<Vec<u8>>
Creates a new authorization request.
See RFC 8555 Section 7.5.
Parameters
url - one of the URLs in the new order's authorizations (from Self::new_order_response)
account - you got from Self::new_account_response
previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/new-order (or from the previous call to this method if you are creating the second authorization)
pub fn new_authz_response(&mut self, authz: Vec<u8>) -> Result<E2eiNewAcmeAuthz>
Parses the response from POST /acme/{provisioner-name}/authz/{authz-id}.
See RFC 8555 Section 7.5.
Parameters
new_authz - http response body
pub fn create_dpop_token(
    &self,
    expiry_secs: u32,
    backend_nonce: String,
) -> Result<String>
Generates a new client DPoP JWT token. It demonstrates proof of possession of the nonces (from wire-server and the acme server) and will be verified by the acme server when verifying the challenge (in order to deliver a certificate).
Then send it to POST /clients/{id}/access-token on wire-server.
Parameters
expiry_secs - expiry of the client DPoP JWT. This should be equal to the grace period set in Team Management
backend_nonce - you get it by calling GET /clients/token/nonce on wire-server. See the endpoint definition
expiry - token expiry
pub fn new_dpop_challenge_request(
    &self,
    access_token: String,
    previous_nonce: String,
) -> Result<Vec<u8>>
Creates a new challenge request.
Parameters
access_token - returned by wire-server from this endpoint
dpop_challenge - you found after Self::new_authz_response
account - you got from Self::new_account_response
previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub fn new_dpop_challenge_response(&self, challenge: Vec<u8>) -> Result<()>
Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id} for the DPoP challenge.
Parameters
challenge - http response body
pub fn new_oidc_challenge_request(
    &mut self,
    id_token: String,
    previous_nonce: String,
) -> Result<Vec<u8>>
Creates a new challenge request.
Parameters
id_token - you get back from the Identity Provider
oidc_challenge - you found after Self::new_authz_response
account - you got from Self::new_account_response
previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub async fn new_oidc_challenge_response(
    &mut self,
    challenge: Vec<u8>,
) -> Result<()>
Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id} for the OIDC challenge.
Parameters
challenge - http response body
pub fn check_order_request(
    &self,
    order_url: String,
    previous_nonce: String,
) -> Result<Vec<u8>>
Verifies that the previous challenge has been completed.
See RFC 8555 Section 7.4.
Parameters
order_url - location header from the http response you got from Self::new_order_response
account - you got from Self::new_account_response
previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/challenge/{challenge-id}
pub fn check_order_response(&mut self, order: Vec<u8>) -> Result<String>
Parses the response from POST /acme/{provisioner-name}/order/{order-id}.
See RFC 8555 Section 7.4.
Parameters
order - http response body
Returns
The finalize url to use with Self::finalize_request
pub fn finalize_request(&mut self, previous_nonce: String) -> Result<Vec<u8>>
Final step before fetching the certificate.
See RFC 8555 Section 7.4.
Parameters
domains - domains you want to generate a certificate for, e.g. ["wire.com"]
order - you got from Self::check_order_response
account - you got from Self::new_account_response
previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/order/{order-id}
pub fn finalize_response(&mut self, finalize: Vec<u8>) -> Result<String>
Parses the response from POST /acme/{provisioner-name}/order/{order-id}/finalize.
See RFC 8555 Section 7.4.
Parameters
finalize - http response body
Returns
The certificate url to use with Self::certificate_request
pub fn certificate_request(&mut self, previous_nonce: String) -> Result<Vec<u8>>
Creates a request for finally fetching the x509 certificate.
Parameters
finalize - you got from Self::finalize_response
account - you got from Self::new_account_response
previous_nonce - replay-nonce response header from POST /acme/{provisioner-name}/order/{order-id}/finalize
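Every request builder above takes a `previous_nonce`, and the steps only make sense in the order listed. The following is an added example, not core-crypto code: a small std-only model of that discipline, with a constructed stand-in for the acme server's nonce bookkeeping (`NonceServer`, `NonceChain` and `Step` are names assumed here) that accepts each replay-nonce exactly once, as RFC 8555's `badNonce` handling requires.

```rust
use std::collections::HashSet;

/// The acme-facing enrollment steps, in the order this page lists them.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Step { NewAccount, NewOrder, Authz, DpopChallenge, OidcChallenge, CheckOrder, Finalize, Certificate }

/// Constructed stand-in for the acme server's nonce bookkeeping (not the real server).
#[derive(Default)]
pub struct NonceServer { counter: u64, outstanding: HashSet<String> }

impl NonceServer {
    /// HEAD {directory.new_nonce}: mint a fresh replay-nonce.
    pub fn new_nonce(&mut self) -> String {
        self.counter += 1;
        let nonce = format!("nonce-{}", self.counter);
        self.outstanding.insert(nonce.clone());
        nonce
    }
    /// Any POST: the presented nonce is accepted once, then a new replay-nonce is returned.
    pub fn post(&mut self, nonce: &str) -> Result<String, &'static str> {
        if !self.outstanding.remove(nonce) {
            return Err("badNonce");
        }
        Ok(self.new_nonce())
    }
}

/// Client-side tracker for the `previous_nonce` that every request builder takes.
pub struct NonceChain { previous_nonce: Option<String>, next: Step }

impl NonceChain {
    /// Fetch the first nonce before new_account_request.
    pub fn start(server: &mut NonceServer) -> Self {
        Self { previous_nonce: Some(server.new_nonce()), next: Step::NewAccount }
    }
    /// Send one step. Steps must follow the page's order (a second Authz is allowed, one per
    /// identifier); the previous nonce is taken out, so a retry cannot silently replay it.
    pub fn send(&mut self, step: Step, server: &mut NonceServer) -> Result<(), String> {
        let second_authz = step == Step::Authz && self.next == Step::DpopChallenge;
        if step != self.next && !second_authz {
            return Err(format!("out of order: expected {:?}, got {:?}", self.next, step));
        }
        let nonce = self.previous_nonce.take().ok_or("no previous_nonce; call refresh first")?;
        self.previous_nonce = Some(server.post(&nonce)?);
        self.next = match step {
            Step::NewAccount => Step::NewOrder,
            Step::NewOrder => Step::Authz,
            Step::Authz => Step::DpopChallenge,
            Step::DpopChallenge => Step::OidcChallenge,
            Step::OidcChallenge => Step::CheckOrder,
            Step::CheckOrder => Step::Finalize,
            Step::Finalize | Step::Certificate => Step::Certificate,
        };
        Ok(())
    }
    /// After a badNonce, fetch a fresh nonce (HEAD new-nonce) instead of reusing an old one.
    pub fn refresh(&mut self, server: &mut NonceServer) {
        self.previous_nonce = Some(server.new_nonce());
    }
    pub fn previous_nonce(&self) -> Option<&str> { self.previous_nonce.as_deref() }
}
```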
Methods from Deref<Target = RustyE2eIdentity>
pub fn acme_directory_response(
    &self,
    directory: Value,
) -> Result<AcmeDirectory, E2eIdentityError>
Parses the response from GET /acme/{provisioner-name}/directory.
Use this AcmeDirectory in the next step to fetch the first nonce from the acme server, via AcmeDirectory::new_nonce.
Parameters
directory - http response body
pub fn acme_new_account_request(
    &self,
    directory: &AcmeDirectory,
    previous_nonce: String,
) -> Result<Value, E2eIdentityError>
For creating a new acme account. This returns a signed JWS-alike request body to send to POST /acme/{provisioner-name}/new-account.
See RFC 8555 Section 7.3.
Parameters
directory - you got from Self::acme_directory_response
previous_nonce - you got from calling HEAD {directory.new_nonce}
pub fn acme_new_account_response(
    &self,
    account: Value,
) -> Result<E2eiAcmeAccount, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/new-account.
See RFC 8555 Section 7.3.
Parameters
account - http response body
pub fn acme_new_order_request(
    &self,
    display_name: &str,
    client_id: &str,
    handle: &str,
    expiry: Duration,
    directory: &AcmeDirectory,
    account: &E2eiAcmeAccount,
    previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a new acme order for the handle (userId + display name) and the clientId.
See RFC 8555 Section 7.4.
Parameters
display_name - human-readable name displayed in the application, e.g. Smith, Alice M (QA)
domain - DNS name of the owning backend, e.g. example.com
client_id - client identifier with user b64Url encoded & clientId hex encoded, e.g. NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ/6add501bacd1d90e@example.com
handle - user handle, e.g. alice.smith.qa@example.com
expiry - x509 generated certificate expiry
directory - you got from Self::acme_directory_response
account - you got from Self::acme_new_account_response
previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/new-account
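The client identifier format described for acme_new_order_request and new_dpop_token ("user b64Url encoded & clientId hex encoded") is worth validating before it goes into an order or a DPoP token. This is an added example, not core-crypto code; decoding the page's own example yields a 32-hex-character UUID, so that is the shape this std-only parser assumes for the user part (`QualifiedClientId` and `parse_client_id` are names chosen here).

```rust
/// Parsed form of "{user}:{client}@{domain}" as described for acme_new_order_request.
#[derive(Debug, PartialEq, Eq)]
pub struct QualifiedClientId {
    pub user_id_hex: String, // 32 hex chars (UUID without dashes), decoded from the base64url part
    pub client_id: u64,      // hex-encoded client id
    pub domain: String,      // DNS name of the owning backend
}

/// Unpadded base64url decoder (std only); rejects padding, foreign bytes and stray bits.
fn b64url_decode(input: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for &c in input.as_bytes() {
        acc = (acc << 6) | ALPHABET.iter().position(|&a| a == c)? as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    // A valid unpadded length leaves 0, 2 or 4 leftover bits, all zero; 6 means a bad length.
    if bits == 6 || acc != 0 { None } else { Some(out) }
}

/// Validates every part of the identifier before it is used in an order or a DPoP token.
pub fn parse_client_id(raw: &str) -> Result<QualifiedClientId, String> {
    let (user_b64, rest) = raw.split_once(':').ok_or("missing ':' after the user id")?;
    let (client_hex, domain) = rest.rsplit_once('@').ok_or("missing '@' before the domain")?;
    let user_bytes = b64url_decode(user_b64).ok_or("user id is not unpadded base64url")?;
    let user_id_hex = String::from_utf8(user_bytes).map_err(|_| "decoded user id is not UTF-8")?;
    if user_id_hex.len() != 32 || !user_id_hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(format!("decoded user id is not 32 hex chars: {:?}", user_id_hex));
    }
    if client_hex.is_empty() || client_hex.len() > 16 {
        return Err("client id must be 1..=16 hex chars".into());
    }
    let client_id = u64::from_str_radix(client_hex, 16).map_err(|_| "client id is not hex")?;
    let domain_ok = !domain.is_empty()
        && domain.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'.' || b == b'-');
    if !domain_ok {
        return Err(format!("domain is not a plain DNS name: {:?}", domain));
    }
    Ok(QualifiedClientId {
        user_id_hex: user_id_hex.to_ascii_lowercase(),
        client_id,
        domain: domain.to_string(),
    })
}
```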
pub fn acme_new_order_response(
    &self,
    new_order: Value,
) -> Result<E2eiNewAcmeOrder, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/new-order.
See RFC 8555 Section 7.4.
Parameters
new_order - http response body
pub fn acme_new_authz_request(
    &self,
    url: &Url,
    account: &E2eiAcmeAccount,
    previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a new authorization request.
See RFC 8555 Section 7.5.
Parameters
url - one of the URLs in the new order's authorizations (from Self::acme_new_order_response)
account - you got from Self::acme_new_account_response
previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/new-order (or from the previous call to this method if you are creating the second authorization)
pub fn acme_new_authz_response(
    &self,
    new_authz: Value,
) -> Result<E2eiAcmeAuthorization, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/authz/{authz-id}.
You then have to map the challenge from this authorization object. The client_id_challenge will be the one with the client_id_host identifier (you supplied it to Self::acme_new_order_request); the other will be your handle_challenge.
See RFC 8555 Section 7.5.
Parameters
new_authz - http response body
pub fn new_dpop_token(
    &self,
    client_id: &str,
    display_name: &str,
    dpop_challenge: &E2eiAcmeChallenge,
    backend_nonce: String,
    handle: &str,
    team: Option<String>,
    expiry: Duration,
) -> Result<String, E2eIdentityError>
Generates a new client DPoP JWT token. It demonstrates proof of possession of the nonces (from wire-server and the acme server) and will be verified by the acme server when verifying the challenge (in order to deliver a certificate).
Then send it to POST /clients/{id}/access-token on wire-server.
Parameters
access_token_url - backend endpoint where this token will be sent. Should be this one
client_id - client identifier with user b64Url encoded & clientId hex encoded, e.g. NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com
dpop_challenge - you found after Self::acme_new_authz_response
backend_nonce - you get it by calling GET /clients/token/nonce on wire-server. See the endpoint definition
handle - user handle, e.g. alice.smith.qa@example.com
expiry - token expiry
pub fn acme_dpop_challenge_request(
    &self,
    access_token: String,
    dpop_challenge: &E2eiAcmeChallenge,
    account: &E2eiAcmeAccount,
    previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a new challenge request.
Parameters
access_token - returned by wire-server from this endpoint
dpop_challenge - you found after Self::acme_new_authz_response
account - you got from Self::acme_new_account_response
previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub fn acme_oidc_challenge_request(
    &self,
    id_token: String,
    oidc_challenge: &E2eiAcmeChallenge,
    account: &E2eiAcmeAccount,
    previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a new challenge request.
Parameters
id_token - returned by the Identity Provider
oidc_challenge - you found after Self::acme_new_authz_response
account - you got from Self::acme_new_account_response
previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/authz/{authz-id}
pub fn acme_new_challenge_response(
    &self,
    challenge: Value,
) -> Result<(), E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/challenge/{challenge-id}.
Parameters
challenge - http response body
pub fn acme_check_order_request(
    &self,
    order_url: Url,
    account: &E2eiAcmeAccount,
    previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Verifies that the previous challenge has been completed.
See RFC 8555 Section 7.4.
Parameters
order_url - "location" header from the http response you got from Self::acme_new_order_response
account - you got from Self::acme_new_account_response
previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/challenge/{challenge-id}
pub fn acme_check_order_response(
    &self,
    order: Value,
) -> Result<E2eiAcmeOrder, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/order/{order-id}.
See RFC 8555 Section 7.4.
Parameters
order - http response body
pub fn acme_finalize_request(
    &self,
    order: &E2eiAcmeOrder,
    account: &E2eiAcmeAccount,
    previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Final step before fetching the certificate.
See RFC 8555 Section 7.4.
Parameters
domains - domains you want to generate a certificate for, e.g. ["wire.com"]
order - you got from Self::acme_check_order_response
account - you got from Self::acme_new_account_response
previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/order/{order-id}
pub fn acme_finalize_response(
    &self,
    finalize: Value,
) -> Result<E2eiAcmeFinalize, E2eIdentityError>
Parses the response from POST /acme/{provisioner-name}/order/{order-id}/finalize.
See RFC 8555 Section 7.4.
Parameters
finalize - http response body
pub fn acme_x509_certificate_request(
    &self,
    finalize: E2eiAcmeFinalize,
    account: E2eiAcmeAccount,
    previous_nonce: String,
) -> Result<Value, E2eIdentityError>
Creates a request for finally fetching the x509 certificate.
Parameters
domains - domains you want to generate a certificate for, e.g. ["wire.com"]
order - you got from Self::acme_check_order_response
account - you got from Self::acme_new_account_response
previous_nonce - "replay-nonce" response header from POST /acme/{provisioner-name}/order/{order-id}
Trait Implementations
impl Debug for E2eiEnrollment
impl Deref for E2eiEnrollment
impl<'de> Deserialize<'de> for E2eiEnrollment
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where
    __D: Deserializer<'de>,
Auto Trait Implementations
impl Freeze for E2eiEnrollment
impl RefUnwindSafe for E2eiEnrollment
impl Send for E2eiEnrollment
impl Sync for E2eiEnrollment
impl Unpin for E2eiEnrollment
impl UnwindSafe for E2eiEnrollment
Blanket Implementations
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
impl<T> IntoEither for T
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.