wireapp · SimonThormeyer · Mar 4, 2025 · Mar 3, 2025 · Mar 3, 2025 · Mar 3, 2025
@@ -7,6 +7,7 @@ use crate::{
         E2eiEnrollment, MlsCredentialType, WireIdentity, context::CoreCryptoContext,
     },
 };
+use core_crypto::mls::conversation::Conversation as _;
 use core_crypto::{RecursiveError, prelude::VerifiableGroupInfo};
 use tls_codec::Deserialize;
 

@@ -4,6 +4,7 @@ use super::{
 };
 use crate::NewCrlDistributionPoints;
 use async_lock::{Mutex, OnceCell};
+use core_crypto::mls::conversation::Conversation as _;
 use core_crypto::{
     RecursiveError,
     context::CentralContext,

@@ -29,6 +29,7 @@ use tls_codec::Deserialize;
 
 use self::context::CoreCryptoContext;
 use crate::{UniffiCustomTypeConverter, proteus_impl};
+use core_crypto::mls::conversation::Conversation as _;
 pub use core_crypto::prelude::ConversationId;
 use core_crypto::{
     InnermostErrorMessage, RecursiveError,
@@ -1184,12 +1185,18 @@ impl CoreCrypto {
 
     /// See [core_crypto::mls::conversation::ImmutableConversation::epoch]
     pub async fn conversation_epoch(&self, conversation_id: Vec<u8>) -> CoreCryptoResult<u64> {
-        Ok(self.central.get_raw_conversation(&conversation_id).await?.epoch())
+        let conversation = self.central.get_raw_conversation(&conversation_id).await?;
+        Ok(conversation.epoch().await)
     }
 
     /// See [core_crypto::mls::conversation::ImmutableConversation::ciphersuite]
     pub async fn conversation_ciphersuite(&self, conversation_id: &ConversationId) -> CoreCryptoResult<Ciphersuite> {
-        let cs = self.central.get_raw_conversation(conversation_id).await?.ciphersuite();
+        let cs = self
+            .central
+            .get_raw_conversation(conversation_id)
+            .await?
+            .ciphersuite()
+            .await;
         Ok(Ciphersuite::from(core_crypto::prelude::CiphersuiteName::from(cs)))
     }
 

@@ -3,6 +3,12 @@ use std::{
     ops::{Deref, DerefMut},
 };
 
+use crate::{
+    Ciphersuite, CoreCryptoError, CredentialType, CrlRegistration, E2eiDumpedPkiEnv, E2eiEnrollment, InternalError,
+    WasmCryptoResult, WireIdentity,
+    wasm::{E2eiConversationState, context::CoreCryptoContext},
+};
+use core_crypto::mls::conversation::Conversation as _;
 use core_crypto::{
     RecursiveError,
     prelude::{CiphersuiteName, ClientId, ConversationId, MlsCiphersuite, VerifiableGroupInfo},
@@ -13,12 +19,6 @@ use tls_codec::Deserialize;
 use wasm_bindgen::{JsValue, prelude::wasm_bindgen};
 use wasm_bindgen_futures::future_to_promise;
 
-use crate::{
-    Ciphersuite, CoreCryptoError, CredentialType, CrlRegistration, E2eiDumpedPkiEnv, E2eiEnrollment, InternalError,
-    WasmCryptoResult, WireIdentity,
-    wasm::{E2eiConversationState, context::CoreCryptoContext},
-};
-
 #[wasm_bindgen]
 impl CoreCryptoContext {
     /// Returns: [`WasmCryptoResult<E2eiEnrollment>`]

@@ -3,6 +3,7 @@ use crate::{
     Ciphersuite, ConversationConfiguration, CoreCrypto, CoreCryptoError, CoreCryptoResult, CredentialType,
     CustomConfiguration, DecryptedMessage, FfiClientId, WasmCryptoResult, WelcomeBundle,
 };
+use core_crypto::mls::conversation::Conversation as _;
 use core_crypto::{
     RecursiveError,
     context::CentralContext,

@@ -24,6 +24,7 @@ use std::{
 };
 
 use crate::proteus_impl;
+use core_crypto::mls::conversation::Conversation as _;
 use core_crypto::{InnermostErrorMessage, MlsTransportResponse, prelude::*};
 use futures_util::future::TryFutureExt;
 use js_sys::{Promise, Uint8Array};
@@ -1582,8 +1583,16 @@ impl CoreCrypto {
     pub fn conversation_epoch(&self, conversation_id: ConversationId) -> Promise {
         let central = self.inner.clone();
         future_to_promise(
-            async move { WasmCryptoResult::Ok(central.get_raw_conversation(&conversation_id).await?.epoch().into()) }
-                .err_into(),
+            async move {
+                let epoch = central
+                    .get_raw_conversation(&conversation_id)
+                    .await?
+                    .epoch()
+                    .await
+                    .into();
+                WasmCryptoResult::Ok(epoch)
+            }
+            .err_into(),
         )
     }
 
@@ -1594,9 +1603,13 @@ impl CoreCrypto {
         let central = self.inner.clone();
         future_to_promise(
             async move {
-                WasmCryptoResult::Ok(
-                    Ciphersuite::from(central.get_raw_conversation(&conversation_id).await?.ciphersuite()).into(),
-                )
+                let ciphersuite: Ciphersuite = central
+                    .get_raw_conversation(&conversation_id)
+                    .await?
+                    .ciphersuite()
+                    .await
+                    .into();
+                WasmCryptoResult::Ok(ciphersuite.into())
             }
             .err_into(),
         )

@@ -1,15 +1,16 @@
 //! This module contains the primitives to enable transactional support on a higher level within the
 //! [MlsCentral]. All mutating operations need to be done through a [CentralContext].
 
+use crate::mls::HasClientAndProvider;
 #[cfg(feature = "proteus")]
 use crate::proteus::ProteusCentral;
 use crate::{
-    CoreCrypto, Error, KeystoreError, MlsError, MlsTransport, Result,
+    CoreCrypto, Error, KeystoreError, MlsError, MlsTransport, RecursiveError, Result,
     group_store::GroupStore,
     mls::MlsCentral,
     prelude::{Client, MlsConversation},
 };
 use async_lock::{Mutex, RwLock, RwLockReadGuardArc, RwLockWriteGuardArc};
 use core_crypto_keystore::{CryptoKeystoreError, connection::FetchFromDatabase, entities::ConsumerData};
 use mls_crypto_provider::{CryptoKeystore, MlsCryptoProvider};
 use std::{ops::Deref, sync::Arc};
@@ -55,6 +56,24 @@
     }
 }
 
+#[cfg_attr(target_family = "wasm", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_family = "wasm"), async_trait::async_trait)]
+impl HasClientAndProvider for CentralContext {
+    async fn client(&self) -> crate::mls::Result<Client> {
+        self.mls_client()
+            .await
+            .map_err(RecursiveError::root("getting mls client"))
+            .map_err(Into::into)
+    }
+
+    async fn mls_provider(&self) -> crate::mls::Result<MlsCryptoProvider> {
+        self.mls_provider()
+            .await
+            .map_err(RecursiveError::root("getting mls provider"))
+            .map_err(Into::into)
+    }
+}
+
 impl CentralContext {
     async fn new(
         mls_central: &MlsCentral,

@@ -214,13 +214,13 @@ mod tests {
     use crate::e2e_identity::rotate::tests::all::failsafe_ctx;
     use wasm_bindgen_test::*;
 
+    use super::*;
+    use crate::mls::conversation::Conversation as _;
     use crate::{
         prelude::{CertificateBundle, Client, MlsCredentialType},
         test_utils::*,
     };
 
-    use super::*;
-
     wasm_bindgen_test_configure!(run_in_browser);
 
     // testing the case where both Bob & Alice have the same Credential type

@@ -592,6 +592,7 @@ pub(crate) mod tests {
     use serde_json::json;
     use wasm_bindgen_test::*;
 
+    use crate::mls::conversation::Conversation as _;
     #[cfg(not(target_family = "wasm"))]
     use crate::{
         RecursiveError,

@@ -787,6 +787,7 @@ pub(crate) mod tests {
 
     mod one {
         use super::*;
+        use crate::mls::conversation::Conversation as _;
 
         #[apply(all_cred_cipher)]
         #[wasm_bindgen_test]

@@ -149,6 +149,7 @@ impl CentralContext {
 
 #[cfg(test)]
 mod tests {
+    use crate::mls::conversation::Conversation as _;
     use crate::prelude::MlsConversationDecryptMessage;
     use crate::test_utils::*;
     use wasm_bindgen_test::*;

@@ -147,6 +147,7 @@ impl MlsConversation {
 #[cfg(test)]
 mod tests {
     use super::super::error::Error;
+    use crate::mls::conversation::Conversation as _;
     use crate::prelude::MlsConversationDecryptMessage;
     use crate::test_utils::*;
     use wasm_bindgen_test::*;

@@ -2,8 +2,11 @@
 
 use openmls::prelude::KeyPackageIn;
 
+use crate::mls::conversation::ConversationWithMls as _;
+use crate::mls::credential::CredentialBundle;
+use crate::prelude::MlsCredentialType;
 use crate::{
-    MlsError, RecursiveError,
+    LeafError, MlsError, RecursiveError,
     e2e_identity::init_certificates::NewCrlDistributionPoint,
     mls::{
         conversation::{ConversationGuard, Result, commit::MlsCommitBundle},
@@ -108,7 +111,7 @@
    /// # Arguments
    /// * `conversation_id` - the group/conversation id
    ///
    /// see [MlsCentral::update_keying_material]
    pub async fn update_key_material(&mut self) -> Result<()> {
        let client = self.mls_client().await?;
        let backend = self.mls_provider().await?;
@@ -120,6 +123,43 @@
         self.send_and_merge_commit(commit).await
     }
 
+    /// Send a commit in a conversation for changing the credential. Requires first
+    /// having enrolled a new X509 certificate with either
+    /// [crate::context::CentralContext::e2ei_new_activation_enrollment] or
+    /// [crate::context::CentralContext::e2ei_new_rotate_enrollment] and having saved it with
+    /// [crate::context::CentralContext::save_x509_credential].
+    pub async fn e2ei_rotate(&mut self, cb: Option<&CredentialBundle>) -> Result<()> {
+        let client = &self.mls_client().await?;
+        let backend = &self.mls_provider().await?;
+        let mut conversation = self.inner.write().await;
+
+        let cb = match cb {
+            Some(cb) => cb,
+            None => &client
+                .find_most_recent_credential_bundle(
+                    conversation.ciphersuite().signature_algorithm(),
+                    MlsCredentialType::X509,
+                )
+                .await
+                .map_err(RecursiveError::mls_client("finding most recent x509 credential bundle"))?,
+        };
+
+        let mut leaf_node = conversation
+            .group
+            .own_leaf()
+            .ok_or(LeafError::InternalMlsError)?
+            .clone();
+        leaf_node.set_credential_with_key(cb.to_mls_credential_with_key());
+
+        let commit = conversation
+            .update_keying_material(client, backend, Some(cb), Some(leaf_node))
+            .await?;
+        // we don't need the conversation anymore, but we do need to mutably borrow `self` again
+        drop(conversation);
+
+        self.send_and_merge_commit(commit).await
+    }
+
     /// Commits all pending proposals of the group
     pub async fn commit_pending_proposals(&mut self) -> Result<()> {
         let client = self.mls_client().await?;

@@ -1,34 +0,0 @@
-//! This module provides the implementation of the `ConversationGuard` for the E2E identity
-//! conversation state.
-//!
-//! Even though this is just a single method now, we want it in its own module: after the upcoming
-//! internal refactoring, this is probably the place where almost all the logic from
-//! [crate::e2e_identity::conversation_state] will be moved to.
-
-use crate::prelude::MlsCredentialType;
-
-use openmls_traits::OpenMlsCryptoProvider;
-
-use super::ConversationGuard;
-use super::Result;
-use crate::e2e_identity::conversation_state::compute_state;
-use crate::prelude::E2eiConversationState;
-
-impl ConversationGuard {
-    /// Indicates when to mark a conversation as not verified i.e. when not all its members have a X509
-    /// Credential generated by Wire's end-to-end identity enrollment
-    pub async fn e2ei_conversation_state(&self) -> Result<E2eiConversationState> {
-        let backend = self.mls_provider().await?;
-        let authentication_service = backend.authentication_service();
-        authentication_service.refresh_time_of_interest().await;
-        let inner = self.conversation().await;
-        let state = compute_state(
-            inner.ciphersuite(),
-            inner.group.members_credentials(),
-            MlsCredentialType::X509,
-            authentication_service.borrow().await.as_ref(),
-        )
-        .await;
-        Ok(state)
-    }
-}