core_crypto/mls/credential/
crl.rs

1use super::{Error, Result};
2use crate::{KeystoreError, RecursiveError, e2e_identity::NewCrlDistributionPoints};
3use core_crypto_keystore::{connection::FetchFromDatabase, entities::E2eiCrl};
4use mls_crypto_provider::MlsCryptoProvider;
5use openmls::{
6    group::MlsGroup,
7    prelude::{Certificate, MlsCredentialType, Proposal, StagedCommit},
8};
9use openmls_traits::OpenMlsCryptoProvider;
10use std::collections::HashSet;
11use wire_e2e_identity::prelude::x509::extract_crl_uris;
12
13pub(crate) fn extract_crl_uris_from_credentials<'a>(
14    mut credentials: impl Iterator<Item = &'a MlsCredentialType>,
15) -> Result<HashSet<String>> {
16    credentials.try_fold(HashSet::new(), |mut acc, cred| {
17        if let MlsCredentialType::X509(cert) = cred {
18            acc.extend(extract_dp(cert)?);
19        }
20
21        Ok(acc)
22    })
23}
24
25pub(crate) fn extract_crl_uris_from_proposals(proposals: &[Proposal]) -> Result<HashSet<String>> {
26    extract_crl_uris_from_credentials(
27        proposals
28            .iter()
29            .filter_map(|p| match p {
30                Proposal::Add(add) => Some(add.key_package().leaf_node()),
31                Proposal::Update(update) => Some(update.leaf_node()),
32                _ => None,
33            })
34            .map(|ln| ln.credential().mls_credential()),
35    )
36}
37
38pub(crate) fn extract_crl_uris_from_update_path(commit: &StagedCommit) -> Result<HashSet<String>> {
39    if let Some(update_path) = commit.get_update_path_leaf_node() {
40        if let MlsCredentialType::X509(cert) = update_path.credential().mls_credential() {
41            return extract_dp(cert);
42        }
43    }
44    Ok(HashSet::new())
45}
46
47pub(crate) fn extract_crl_uris_from_group(group: &MlsGroup) -> Result<HashSet<String>> {
48    extract_crl_uris_from_credentials(group.members_credentials().map(|c| c.mls_credential()))
49}
50
51pub(crate) fn extract_dp(cert: &Certificate) -> Result<HashSet<String>> {
52    cert.certificates
53        .iter()
54        .try_fold(HashSet::new(), |mut acc, cert| -> Result<HashSet<String>> {
55            use x509_cert::der::Decode as _;
56            let cert = x509_cert::Certificate::from_der(cert.as_slice()).map_err(Error::DecodeX509)?;
57            if let Some(crl_uris) =
58                extract_crl_uris(&cert).map_err(RecursiveError::e2e_identity("extracting crl urls"))?
59            {
60                acc.extend(crl_uris);
61            }
62            Ok(acc)
63        })
64}
65
66pub(crate) async fn get_new_crl_distribution_points(
67    backend: &MlsCryptoProvider,
68    mut crl_dps: HashSet<String>,
69) -> Result<NewCrlDistributionPoints> {
70    if crl_dps.is_empty() {
71        return Ok(None.into());
72    }
73
74    let stored_crls = backend
75        .key_store()
76        .find_all::<E2eiCrl>(Default::default())
77        .await
78        .map_err(KeystoreError::wrap("finding all e2e crl"))?;
79    let stored_crl_dps: HashSet<&str> = stored_crls.iter().map(|crl| crl.distribution_point.as_str()).collect();
80    crl_dps.retain(|dp| !stored_crl_dps.contains(&dp.as_str()));
81
82    Ok(Some(crl_dps).into())
83}