core_crypto/mls/credential/
crl.rs

1use crate::context::CentralContext;
2use crate::e2e_identity::init_certificates::NewCrlDistributionPoint;
3use crate::{CryptoError, CryptoResult};
4use core_crypto_keystore::{connection::FetchFromDatabase, entities::E2eiCrl};
5use mls_crypto_provider::MlsCryptoProvider;
6use openmls::{
7    group::MlsGroup,
8    prelude::{Certificate, MlsCredentialType, Proposal, StagedCommit},
9};
10use openmls_traits::OpenMlsCryptoProvider;
11use std::collections::HashSet;
12use wire_e2e_identity::prelude::x509::extract_crl_uris;
13
14pub(crate) fn extract_crl_uris_from_credentials<'a>(
15    mut credentials: impl Iterator<Item = &'a MlsCredentialType>,
16) -> CryptoResult<HashSet<String>> {
17    credentials.try_fold(HashSet::new(), |mut acc, cred| {
18        if let MlsCredentialType::X509(cert) = cred {
19            acc.extend(extract_dp(cert)?);
20        }
21
22        Ok(acc)
23    })
24}
25
26pub(crate) fn extract_crl_uris_from_proposals(proposals: &[Proposal]) -> CryptoResult<HashSet<String>> {
27    extract_crl_uris_from_credentials(
28        proposals
29            .iter()
30            .filter_map(|p| match p {
31                Proposal::Add(add) => Some(add.key_package().leaf_node()),
32                Proposal::Update(update) => Some(update.leaf_node()),
33                _ => None,
34            })
35            .map(|ln| ln.credential().mls_credential()),
36    )
37}
38
39pub(crate) fn extract_crl_uris_from_update_path(commit: &StagedCommit) -> CryptoResult<HashSet<String>> {
40    if let Some(update_path) = commit.get_update_path_leaf_node() {
41        if let MlsCredentialType::X509(cert) = update_path.credential().mls_credential() {
42            return extract_dp(cert);
43        }
44    }
45    Ok(HashSet::new())
46}
47
48pub(crate) fn extract_crl_uris_from_group(group: &MlsGroup) -> CryptoResult<HashSet<String>> {
49    extract_crl_uris_from_credentials(group.members_credentials().map(|c| c.mls_credential()))
50}
51
52pub(crate) fn extract_dp(cert: &Certificate) -> CryptoResult<HashSet<String>> {
53    Ok(cert
54        .certificates
55        .iter()
56        .try_fold(HashSet::new(), |mut acc, cert| {
57            use x509_cert::der::Decode as _;
58            let cert = x509_cert::Certificate::from_der(cert.as_slice())?;
59            if let Some(crl_uris) = extract_crl_uris(&cert).map_err(|e| CryptoError::E2eiError(e.into()))? {
60                acc.extend(crl_uris);
61            }
62            CryptoResult::Ok(acc)
63        })?
64        .into_iter()
65        .collect())
66}
67
68pub(crate) async fn get_new_crl_distribution_points(
69    backend: &MlsCryptoProvider,
70    mut crl_dps: HashSet<String>,
71) -> CryptoResult<NewCrlDistributionPoint> {
72    if crl_dps.is_empty() {
73        return Ok(None.into());
74    }
75
76    let stored_crls = backend.key_store().find_all::<E2eiCrl>(Default::default()).await?;
77    let stored_crl_dps: HashSet<&str> = stored_crls.iter().map(|crl| crl.distribution_point.as_str()).collect();
78    crl_dps.retain(|dp| !stored_crl_dps.contains(&dp.as_str()));
79
80    Ok(Some(crl_dps).into())
81}
82
83impl CentralContext {
84    /// When x509 new credentials are registered this extracts the new CRL Distribution Point from the end entity certificate
85    /// and all the intermediates
86    pub(crate) async fn extract_dp_on_init(
87        &self,
88        certificate_chain: &[Vec<u8>],
89    ) -> CryptoResult<NewCrlDistributionPoint> {
90        use x509_cert::der::Decode as _;
91
92        // Own intermediates are not provided by smallstep in the /federation endpoint so we got to intercept them here, at issuance
93        let size = certificate_chain.len();
94        let mut crl_new_distribution_points = HashSet::new();
95        if size > 1 {
96            for int in certificate_chain.iter().skip(1).rev() {
97                let mut crl_dp = self.e2ei_register_intermediate_ca_der(int).await?;
98                if let Some(crl_dp) = crl_dp.take() {
99                    crl_new_distribution_points.extend(crl_dp);
100                }
101            }
102        }
103
104        let ee = certificate_chain.first().ok_or(CryptoError::InvalidCertificateChain)?;
105
106        let ee = x509_cert::Certificate::from_der(ee)?;
107        let mut ee_crl_dp = extract_crl_uris(&ee).map_err(|e| CryptoError::E2eiError(e.into()))?;
108        if let Some(crl_dp) = ee_crl_dp.take() {
109            crl_new_distribution_points.extend(crl_dp);
110        }
111
112        get_new_crl_distribution_points(&self.mls_provider().await?, crl_new_distribution_points).await
113    }
114}