core_crypto/

lib.rs

//! Core Crypto is a wrapper on top of OpenMLS aimed to provide an ergonomic API for usage in web
//! through Web Assembly and in mobile devices through FFI.
//!
//! The goal is provide a easier and less verbose API to create, manage and interact with MLS
//! groups.
#![doc = include_str!(env!("STRIPPED_README_PATH"))]
#![cfg_attr(not(test), deny(missing_docs))]
#![allow(clippy::single_component_path_imports)]

#[cfg(test)]
#[macro_use]
pub mod test_utils;
// both imports above have to be defined at the beginning of the crate for rstest to work

mod build_metadata;
mod bytes_wrapper;
mod ephemeral;
mod error;
mod identity;
mod immutable_database;

/// MLS Abstraction
pub mod mls;
mod mls_provider;
/// Proteus Abstraction
#[cfg(feature = "proteus")]
pub mod proteus;
pub mod transaction_context;

use std::sync::Arc;

#[cfg(feature = "proteus")]
use async_lock::Mutex;
use async_lock::RwLock;
pub(crate) use bytes_wrapper::bytes_wrapper;
pub use core_crypto_keystore::{ConnectionType, Database, DatabaseKey};
use core_crypto_keystore::{entities::StoredCredential, traits::FetchFromDatabase};
#[cfg(test)]
pub use core_crypto_macros::{dispotent, durable, idempotent};
pub(crate) use immutable_database::ImmutableDatabase;
pub use openmls::{
    group::{MlsGroup, MlsGroupConfig},
    prelude::{
        Ciphersuite as MlsCiphersuite, GroupEpoch, KeyPackageIn, MlsMessageIn, MlsMessageInBody, Node, SignatureScheme,
        group_info::VerifiableGroupInfo,
    },
};
use wire_e2e_identity::{legacy::device_status::DeviceStatus, pki_env::PkiEnvironment};

pub use crate::{
    build_metadata::{BUILD_METADATA, BuildMetadata},
    ephemeral::{HISTORY_CLIENT_ID_PREFIX, HistorySecret},
    error::{
        Error, InnermostErrorMessage, KeystoreError, LeafError, OpenMlsError, OpenMlsErrorKind, ProteusError,
        ProteusErrorKind, RecursiveError, Result, ToRecursiveError,
    },
    identity::{WireIdentity, X509Identity},
    mls::{
        ExternalSender,
        cipher_suite::CipherSuite,
        conversation::{
            BufferedDecryptedMessage, CommitBundle, ConversationConfiguration, ConversationId, CustomConfiguration,
            DecryptedMessage, GroupInfoBundle, GroupInfoEncryptionType, GroupInfoPayload, RatchetTreeType, WirePolicy,
        },
        credential::{
            Credential, CredentialRef, CredentialType, FindFilters as CredentialFindFilters, x509::CertificateBundle,
        },
        key_package::{Keypackage, KeypackageRef},
        session::{
            EpochObserver, HistoryObserver, Session,
            id::{ClientId, ClientIdRef, QualifiedClientId},
            identifier::ClientIdentifier,
            user_id::UserId,
        },
    },
    mls_provider::{CryptoProvider, EntropySeed, RawEntropySeed, RustCrypto},
    transaction_context::{
        e2e_identity::conversation_state::E2eiConversationState, key_package::KEYPACKAGE_DEFAULT_LIFETIME,
    },
};

/// An entity / data which has been packaged by the application to be encrypted
/// and transmitted in an application message.
#[derive(Debug, derive_more::From, derive_more::Deref, serde::Serialize, serde::Deserialize)]
pub struct TransportData(pub Vec<u8>);

/// Client callbacks to allow communication with the delivery service.
/// There are two different endpoints, one for messages and one for commit bundles.
#[cfg_attr(target_os = "unknown", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_os = "unknown"), async_trait::async_trait)]
pub trait MlsTransport: std::fmt::Debug + Send + Sync {
    /// Send a commit bundle to the corresponding endpoint.
    async fn send_commit_bundle(&self, commit_bundle: CommitBundle) -> Result<()>;

    /// This function will be called before a history secret is sent to the mls transport to allow
    /// the application to package it in a suitable transport container (json, protobuf, ...).
    ///
    /// The `secret` parameter contain the history client's secrets which will be sent over the mls transport.
    ///
    /// Returns the history secret packaged for transport
    async fn prepare_for_transport(&self, secret: &HistorySecret) -> Result<TransportData>;
}

/// This provider is mainly used for the initialization of the history client session, the only case where transport
/// doesn't need to be implemented.
#[derive(Debug, Default)]
pub struct CoreCryptoTransportNotImplementedProvider();

#[cfg_attr(target_os = "unknown", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_os = "unknown"), async_trait::async_trait)]
impl MlsTransport for CoreCryptoTransportNotImplementedProvider {
    async fn send_commit_bundle(&self, _commit_bundle: CommitBundle) -> crate::Result<()> {
        Err(Error::MlsTransportNotProvided)
    }

    async fn prepare_for_transport(&self, _secret: &HistorySecret) -> crate::Result<TransportData> {
        Err(Error::MlsTransportNotProvided)
    }
}

/// Wrapper superstruct for both [mls::session::Session] and [proteus::ProteusCentral]
///
/// As [std::ops::Deref] is implemented, this struct is automatically dereferred to [mls::session::Session] apart from
/// `proteus_*` calls
#[derive(Debug)]
pub struct CoreCrypto {
    database: Database,
    pki_environment: RwLock<Option<Arc<PkiEnvironment>>>,
    mls: RwLock<Option<mls::session::Session>>,
    #[cfg(feature = "proteus")]
    proteus: Mutex<Option<proteus::ProteusCentral>>,
    #[cfg(not(feature = "proteus"))]
    #[allow(dead_code)]
    proteus: (),
}

impl CoreCrypto {
    /// Create an new CoreCrypto client without any initialized session.
    pub fn new(database: Database) -> Arc<Self> {
        Self {
            database,
            pki_environment: Default::default(),
            mls: Default::default(),
            proteus: Default::default(),
        }
        .into()
    }

    /// Set the session's PKI Environment
    pub async fn set_pki_environment(&self, pki_environment: Option<Arc<PkiEnvironment>>) {
        *self.pki_environment.write().await = pki_environment.clone();
        if let Some(mls_session) = self.mls.write().await.as_mut() {
            mls_session.crypto_provider.set_pki_environment(pki_environment).await;
        }
    }

    /// Get the session's PKI Environment
    pub async fn get_pki_environment(&self) -> Option<Arc<PkiEnvironment>> {
        self.pki_environment.read().await.clone()
    }

    /// Get the public key associated with this credential
    pub async fn public_key(&self, credential_ref: &CredentialRef) -> Result<Vec<u8>> {
        self.database
            .get::<StoredCredential>(&credential_ref.public_key_hash())
            .await
            .map_err(KeystoreError::wrap("finding credential"))?
            .ok_or(mls::credential::credential_ref::Error::CredentialNotFound)
            .map_err(RecursiveError::mls_credential_ref("retrieving public key"))
            .map(|stored_credential: StoredCredential| stored_credential.public_key.clone())
            .map_err(Into::into)
    }

    /// Find all credentials known by this session which match the specified conditions.
    ///
    /// If no filters are set, this is equivalent to [`Self::get_credentials`].
    pub async fn find_credentials(&self, find_filters: CredentialFindFilters<'_>) -> Result<Vec<CredentialRef>> {
        CredentialRef::find(&self.database(), find_filters)
            .await
            .map_err(RecursiveError::mls_credential_ref("finding credentials with filters"))
            .map_err(Into::into)
    }

    /// Get all credentials known by this session.
    pub async fn get_credentials(&self) -> Result<Vec<CredentialRef>> {
        self.find_credentials(Default::default()).await
    }

    /// Get the mls session if initialized
    pub async fn mls_session(&self) -> Result<Session> {
        if let Some(session) = self.mls.read().await.as_ref() {
            return Ok(session.clone());
        }
        let err = Err(mls::session::Error::MlsNotInitialized);
        err.map_err(RecursiveError::mls_client("Getting mls session"))?
    }

    /// Get the database
    pub fn database(&self) -> ImmutableDatabase {
        self.database.clone().into()
    }
}