
1use super::{Error, Result};
2use crate::{
3    KeystoreError, RecursiveError, context::CentralContext, e2e_identity::init_certificates::NewCrlDistributionPoint,
4};
5use core_crypto_keystore::{connection::FetchFromDatabase, entities::E2eiCrl};
6use mls_crypto_provider::MlsCryptoProvider;
7use openmls::{
8    group::MlsGroup,
9    prelude::{Certificate, MlsCredentialType, Proposal, StagedCommit},
10};
11use openmls_traits::OpenMlsCryptoProvider;
12use std::collections::HashSet;
13use wire_e2e_identity::prelude::x509::extract_crl_uris;
14
/// Collects the CRL Distribution Point URIs found in every X.509 credential of `credentials`.
///
/// Credentials that are not [`MlsCredentialType::X509`] carry no certificate and are skipped.
/// The result is a set, so a distribution point shared by several certificates appears once.
///
/// # Errors
/// Propagates the first error returned by [`extract_dp`] (an undecodable certificate or a
/// failure while extracting its CRL URIs); nothing collected so far is returned in that case.
pub(crate) fn extract_crl_uris_from_credentials<'a>(
    credentials: impl Iterator<Item = &'a MlsCredentialType>,
) -> Result<HashSet<String>> {
    let mut distribution_points = HashSet::new();
    for credential in credentials {
        let MlsCredentialType::X509(certificate) = credential else {
            // Basic (non-x509) credentials have no certificate chain to inspect.
            continue;
        };
        distribution_points.extend(extract_dp(certificate)?);
    }
    Ok(distribution_points)
}
26
/// Collects the CRL Distribution Point URIs of the credentials introduced by `proposals`.
///
/// Only `Add` (via the key package leaf node) and `Update` proposals carry a leaf node with a
/// credential; every other proposal kind is ignored.
///
/// # Errors
/// See [`extract_crl_uris_from_credentials`].
pub(crate) fn extract_crl_uris_from_proposals(proposals: &[Proposal]) -> Result<HashSet<String>> {
    let leaf_nodes = proposals.iter().filter_map(|proposal| match proposal {
        Proposal::Add(add) => Some(add.key_package().leaf_node()),
        Proposal::Update(update) => Some(update.leaf_node()),
        _ => None,
    });
    let credentials = leaf_nodes.map(|leaf| leaf.credential().mls_credential());
    extract_crl_uris_from_credentials(credentials)
}
39
/// Collects the CRL Distribution Point URIs of the committer's new leaf node, if `commit` has an
/// update path and that leaf node carries an X.509 credential.
///
/// Returns an empty set when there is no update path or the credential is not x509.
///
/// # Errors
/// See [`extract_dp`].
pub(crate) fn extract_crl_uris_from_update_path(commit: &StagedCommit) -> Result<HashSet<String>> {
    let update_path_credential = commit
        .get_update_path_leaf_node()
        .map(|leaf| leaf.credential().mls_credential());

    match update_path_credential {
        Some(MlsCredentialType::X509(certificate)) => extract_dp(certificate),
        _ => Ok(HashSet::new()),
    }
}
48
/// Collects the CRL Distribution Point URIs of every current member credential of `group`.
///
/// # Errors
/// See [`extract_crl_uris_from_credentials`].
pub(crate) fn extract_crl_uris_from_group(group: &MlsGroup) -> Result<HashSet<String>> {
    let member_credentials = group
        .members_credentials()
        .map(|credential| credential.mls_credential());
    extract_crl_uris_from_credentials(member_credentials)
}
52
/// Collects the CRL Distribution Point URIs of every DER certificate in `cert.certificates`.
///
/// Each entry of the chain is decoded with `x509_cert` and its CRL URIs (if it declares any)
/// are merged into one set. No check is made here that the URIs are well-formed or belong to an
/// expected issuer; callers that act on them are responsible for that.
///
/// # Errors
/// - [`Error::DecodeX509`] when an entry of the chain is not a valid DER certificate
/// - an `e2e_identity` error when CRL URI extraction fails for an entry
pub(crate) fn extract_dp(cert: &Certificate) -> Result<HashSet<String>> {
    use x509_cert::der::Decode as _;

    let mut distribution_points = HashSet::new();
    for der in cert.certificates.iter() {
        let parsed = x509_cert::Certificate::from_der(der.as_slice()).map_err(Error::DecodeX509)?;
        let uris = extract_crl_uris(&parsed).map_err(RecursiveError::e2e_identity("extracting crl urls"))?;
        // `extract_crl_uris` yields `None` when the certificate declares no distribution point.
        distribution_points.extend(uris.into_iter().flatten());
    }
    Ok(distribution_points)
}
67
/// Filters `crl_dps` down to the distribution points that are not yet stored in the keystore.
///
/// Returns `None` (converted into [`NewCrlDistributionPoint`]) without touching the keystore
/// when `crl_dps` is empty. Otherwise every stored [`E2eiCrl`] is loaded and its
/// `distribution_point` is used to drop the already known entries; the remaining set is returned
/// as `Some`, which may be an empty set when nothing was new.
///
/// # Errors
/// A [`KeystoreError`] when the stored CRLs cannot be listed.
pub(crate) async fn get_new_crl_distribution_points(
    backend: &MlsCryptoProvider,
    crl_dps: HashSet<String>,
) -> Result<NewCrlDistributionPoint> {
    if crl_dps.is_empty() {
        return Ok(None.into());
    }

    let stored = backend
        .key_store()
        .find_all::<E2eiCrl>(Default::default())
        .await
        .map_err(KeystoreError::wrap("finding all e2e crl"))?;
    let known: HashSet<&str> = stored
        .iter()
        .map(|crl| crl.distribution_point.as_str())
        .collect();

    let unseen: HashSet<String> = crl_dps
        .into_iter()
        .filter(|dp| !known.contains(dp.as_str()))
        .collect();

    Ok(Some(unseen).into())
}
86
impl CentralContext {
    /// When new x509 credentials are registered, gathers the CRL Distribution Points of the
    /// end-entity certificate and of all the intermediates in `certificate_chain`, and returns
    /// the ones not already known to the keystore.
    ///
    /// `certificate_chain` is a list of DER certificates with the end-entity certificate at
    /// index 0 and the intermediates after it. Every intermediate is registered as a CA through
    /// `e2ei_register_intermediate_ca_der` (iterated last-to-first) and the distribution points
    /// that registration reports are collected as well.
    ///
    /// NOTE(review): the intermediates are registered before the end-entity certificate is
    /// decoded, so a chain whose leaf is malformed still has its intermediates registered before
    /// the error is returned — confirm this ordering is intended.
    ///
    /// # Errors
    /// - [`Error::InvalidCertificateChain`] when `certificate_chain` is empty
    /// - [`Error::DecodeX509`] when the end-entity certificate is not valid DER
    /// - `e2e_identity` errors from intermediate registration or CRL URI extraction
    /// - the errors of `mls_provider` and [`get_new_crl_distribution_points`]
    pub(crate) async fn extract_dp_on_init(&self, certificate_chain: &[Vec<u8>]) -> Result<NewCrlDistributionPoint> {
        use x509_cert::der::Decode as _;

        let mut new_distribution_points = HashSet::new();

        // Own intermediates are not provided by smallstep in the /federation endpoint so we got to intercept them here, at issuance
        for intermediate in certificate_chain.iter().skip(1).rev() {
            let mut registered = self
                .e2ei_register_intermediate_ca_der(intermediate)
                .await
                .map_err(RecursiveError::e2e_identity("registering intermediate ca der"))?;
            new_distribution_points.extend(registered.take().into_iter().flatten());
        }

        let end_entity_der = certificate_chain.first().ok_or(Error::InvalidCertificateChain)?;
        let end_entity = x509_cert::Certificate::from_der(end_entity_der).map_err(Error::DecodeX509)?;
        let end_entity_dps =
            extract_crl_uris(&end_entity).map_err(RecursiveError::e2e_identity("extracting crl urls"))?;
        new_distribution_points.extend(end_entity_dps.into_iter().flatten());

        let backend = self
            .mls_provider()
            .await
            .map_err(RecursiveError::root("getting mls provider"))?;
        get_new_crl_distribution_points(&backend, new_distribution_points).await
    }
}