core_crypto/
ephemeral.rs

1//! Utilities for ephemeral CoreCrypto instances.
2//!
3//! Ephemeral instances are intended to support history sharing. History sharing works like this:
4//! every history-enabled conversation has a passive "history client" as a member. This client
5//! is a member of the MLS group (and can therefore decrypt messages), but it is not actively running
6//! on any device or decrypting any messages.
7//!
8//! Approximately once daily, and whenever a member is removed from the group, a new history-sharing era
9//! begins. The client submitting the commit which instantiates the new history-sharing era is responsible
10//! for ensuring that the old history client is removed from the group, and new one is added. Additionally,
11//! one of the first application messages in the new history-sharing era contains the serialized history
12//! secret.
13//!
14//! When a new client joins the history-enabled conversation, they receive a list of history secrets
15//! and their associated history-sharing eras (identified by the epoch number at which they start).
16//! For each history-sharing era, they can instantiate an ephemeral client from the history secret,
17//! and use that client to decrypt all messages in this era.
18//!
19//! Though ephemeral clients are full instances of `CoreCrypto` and contain the same API, they cannot
20//! be used to generate messages for sending, as they don't posess a credential with a signature key:
21//! Any attempt to encrypt a message will fail because the client cannot retrieve the signature key from
22//! its keystore.
23
24use mls_crypto_provider::DatabaseKey;
25use openmls::prelude::KeyPackageSecretEncapsulation;
26
27use crate::{
28    CoreCrypto, Error, MlsError, RecursiveError, Result,
29    prelude::{ClientId, ClientIdentifier, MlsCiphersuite, MlsCredentialType, Session, SessionConfig},
30};
31
32/// We always instantiate history clients with this prefix in their client id, so
33/// we can use prefix testing to determine with some accuracy whether or not something is a history client.
34pub const HISTORY_CLIENT_ID_PREFIX: &str = "history-client";
35
36/// A `HistorySecret` encodes sufficient client state that it can be used to instantiate an
37/// ephemeral client.
38#[derive(serde::Serialize, serde::Deserialize)]
39pub struct HistorySecret {
40    /// Client id of the associated history client
41    pub client_id: ClientId,
42    pub(crate) key_package: KeyPackageSecretEncapsulation,
43}
44
45/// Create a new [`CoreCrypto`] with an **uninitialized** mls session.
46///
47/// You must initialize the session yourself before using this!
48async fn in_memory_cc_with_ciphersuite(ciphersuite: impl Into<MlsCiphersuite>) -> Result<CoreCrypto> {
49    let config = SessionConfig::builder()
50        .in_memory()
51        .ciphersuites([ciphersuite.into()])
52        .database_key(DatabaseKey::generate())
53        .nb_key_packages(Some(0)) // don't generate any keypackages; we will never add this client to another group
54        .build()
55        .validate()
56        .map_err(RecursiveError::mls("validating ephemeral session configuration"))?;
57
58    // Construct the MLS session, but don't initialize it. The implementation when `client_id` is `None` just
59    // does construction, which is what we need.
60    let session = Session::try_new(config)
61        .await
62        .map_err(RecursiveError::mls("creating ephemeral session"))?;
63
64    Ok(session.into())
65}
66
67/// Generate a new [`HistorySecret`].
68///
69/// This is useful when it's this client's turn to generate a new history client.
70///
71/// The generated secret is cryptographically unrelated to the current CoreCrypto client.
72///
73/// Note that this is a crate-private function; the public interface for this feature is
74/// [`Conversation::generate_history_secret`][core_crypto::mls::conversation::Conversation::generate_history_secret].
75/// This implementation lives here instead of there for organizational reasons.
76pub(crate) async fn generate_history_secret(ciphersuite: MlsCiphersuite) -> Result<HistorySecret> {
77    // generate a new completely arbitrary client id
78    let client_id = uuid::Uuid::new_v4();
79    let client_id = format!("{HISTORY_CLIENT_ID_PREFIX}-{client_id}");
80    let client_id = ClientId::from(client_id.into_bytes());
81    let identifier = ClientIdentifier::Basic(client_id.clone());
82
83    let cc = in_memory_cc_with_ciphersuite(ciphersuite).await?;
84    let tx = cc
85        .new_transaction()
86        .await
87        .map_err(RecursiveError::transaction("creating new transaction"))?;
88    cc.init(identifier, &[ciphersuite], &cc.crypto_provider, 0)
89        .await
90        .map_err(RecursiveError::mls_client("initializing ephemeral cc"))?;
91
92    // we can generate a key package from the ephemeral cc and ciphersutite
93    let [key_package] = tx
94        .get_or_create_client_keypackages(ciphersuite, MlsCredentialType::Basic, 1)
95        .await
96        .map_err(RecursiveError::transaction("generating keypackages"))?
97        .try_into()
98        .expect("generating 1 keypackage returns 1 keypackage");
99    let key_package = KeyPackageSecretEncapsulation::load(&cc.crypto_provider, key_package)
100        .await
101        .map_err(MlsError::wrap("encapsulating key package"))?;
102
103    // we don't need to finish the transaction here--the point of the ephemeral CC was that no mutations would be saved there
104
105    Ok(HistorySecret { client_id, key_package })
106}
107
108pub(crate) fn is_history_client(client_id: &ClientId) -> bool {
109    client_id.starts_with(HISTORY_CLIENT_ID_PREFIX.as_bytes())
110}
111
112impl CoreCrypto {
113    /// Instantiate a history client.
114    ///
115    /// This client exposes the full interface of `CoreCrypto`, but it should only be used to decrypt messages.
116    /// Other use is a logic error.
117    pub async fn history_client(history_secret: HistorySecret) -> Result<Self> {
118        if !history_secret
119            .client_id
120            .starts_with(HISTORY_CLIENT_ID_PREFIX.as_bytes())
121        {
122            return Err(Error::InvalidHistorySecret("client id has invalid format"));
123        }
124
125        let session = in_memory_cc_with_ciphersuite(history_secret.key_package.ciphersuite()).await?;
126        let tx = session
127            .new_transaction()
128            .await
129            .map_err(RecursiveError::transaction("creating new transaction"))?;
130
131        session
132            .restore_from_history_secret(history_secret)
133            .await
134            .map_err(RecursiveError::mls_client(
135                "restoring ephemeral session from history secret",
136            ))?;
137
138        tx.finish()
139            .await
140            .map_err(RecursiveError::transaction("finishing transaction"))?;
141
142        Ok(session)
143    }
144}
145
146#[cfg(test)]
147mod tests {
148    use rstest::rstest;
149    use rstest_reuse::apply;
150
151    use crate::test_utils::{TestContext, all_cred_cipher};
152
153    /// Create a history secret, and restore it into a CoreCrypto instance
154    #[apply(all_cred_cipher)]
155    async fn can_create_ephemeral_client(case: TestContext) {
156        let [alice] = case.sessions().await;
157        let conversation = case
158            .create_conversation([&alice])
159            .await
160            .enable_history_sharing_notify()
161            .await;
162
163        assert_eq!(
164            conversation.member_count().await,
165            2,
166            "the convesation should now magically have a second member"
167        );
168
169        let ephemeral_client = conversation.members().nth(1).unwrap();
170        assert!(
171            conversation.can_one_way_communicate(&alice, ephemeral_client).await,
172            "alice can send messages to the history client"
173        );
174        assert!(
175            !conversation.can_one_way_communicate(ephemeral_client, &alice).await,
176            "the history client cannot send messages"
177        );
178    }
179}