@unwanted/matrix-sdk-mini 34.12.0-1

package/src/crypto/index.ts

@@ -0,0 +1,4414 @@
+/*
+Copyright 2016 OpenMarket Ltd
+Copyright 2017 Vector Creations Ltd
+Copyright 2018-2019 New Vector Ltd
+Copyright 2019-2021 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import anotherjson from "another-json";
+import { v4 as uuidv4 } from "uuid";
+
+import type { IDeviceKeys, IEventDecryptionResult, IMegolmSessionData, IOneTimeKey } from "../@types/crypto.ts";
+import type { PkDecryption, PkSigning } from "@matrix-org/olm";
+import { EventType, ToDeviceMessageId } from "../@types/event.ts";
+import { TypedReEmitter } from "../ReEmitter.ts";
+import { logger } from "../logger.ts";
+import { IExportedDevice, OlmDevice } from "./OlmDevice.ts";
+import { IOlmDevice } from "./algorithms/megolm.ts";
+import * as olmlib from "./olmlib.ts";
+import { DeviceInfoMap, DeviceList } from "./DeviceList.ts";
+import { DeviceInfo, IDevice } from "./deviceinfo.ts";
+import type { DecryptionAlgorithm, EncryptionAlgorithm } from "./algorithms/index.ts";
+import * as algorithms from "./algorithms/index.ts";
+import { createCryptoStoreCacheCallbacks, CrossSigningInfo, DeviceTrustLevel, UserTrustLevel } from "./CrossSigning.ts";
+import { EncryptionSetupBuilder } from "./EncryptionSetup.ts";
+import { SecretStorage as LegacySecretStorage } from "./SecretStorage.ts";
+import { CrossSigningKey, ICreateSecretStorageOpts, IEncryptedEventInfo, IRecoveryKey } from "./api.ts";
+import { OutgoingRoomKeyRequestManager } from "./OutgoingRoomKeyRequestManager.ts";
+import { IndexedDBCryptoStore } from "./store/indexeddb-crypto-store.ts";
+import { VerificationBase } from "./verification/Base.ts";
+import { ReciprocateQRCode, SCAN_QR_CODE_METHOD, SHOW_QR_CODE_METHOD } from "./verification/QRCode.ts";
+import { SAS as SASVerification } from "./verification/SAS.ts";
+import { keyFromPassphrase } from "./key_passphrase.ts";
+import { VerificationRequest } from "./verification/request/VerificationRequest.ts";
+import { InRoomChannel, InRoomRequests } from "./verification/request/InRoomChannel.ts";
+import { Request, ToDeviceChannel, ToDeviceRequests } from "./verification/request/ToDeviceChannel.ts";
+import { IllegalMethod } from "./verification/IllegalMethod.ts";
+import { KeySignatureUploadError } from "../errors.ts";
+import { DehydrationManager } from "./dehydration.ts";
+import { BackupManager, LibOlmBackupDecryptor, backupTrustInfoFromLegacyTrustInfo } from "./backup.ts";
+import { IStore } from "../store/index.ts";
+import { Room, RoomEvent } from "../models/room.ts";
+import { RoomMember, RoomMemberEvent } from "../models/room-member.ts";
+import { EventStatus, IContent, IEvent, MatrixEvent, MatrixEventEvent } from "../models/event.ts";
+import { ToDeviceBatch, ToDevicePayload } from "../models/ToDeviceMessage.ts";
+import { ClientEvent, IKeysUploadResponse, ISignedKey, IUploadKeySignaturesResponse, MatrixClient } from "../client.ts";
+import { IRoomEncryption, RoomList } from "./RoomList.ts";
+import { IKeyBackupInfo } from "./keybackup.ts";
+import { ISyncStateData } from "../sync.ts";
+import { CryptoStore } from "./store/base.ts";
+import { IVerificationChannel } from "./verification/request/Channel.ts";
+import { TypedEventEmitter } from "../models/typed-event-emitter.ts";
+import { IDeviceLists, ISyncResponse, IToDeviceEvent } from "../sync-accumulator.ts";
+import { ISignatures } from "../@types/signed.ts";
+import { IMessage } from "./algorithms/olm.ts";
+import {
+    BackupDecryptor,
+    CryptoBackend,
+    DecryptionError,
+    OnSyncCompletedData,
+} from "../common-crypto/CryptoBackend.ts";
+import { RoomState, RoomStateEvent } from "../models/room-state.ts";
+import { MapWithDefault, recursiveMapToObject } from "../utils.ts";
+import {
+    AccountDataClient,
+    AddSecretStorageKeyOpts,
+    calculateKeyCheck,
+    SECRET_STORAGE_ALGORITHM_V1_AES,
+    SecretStorageKeyDescription,
+    SecretStorageKeyObject,
+    SecretStorageKeyTuple,
+    ServerSideSecretStorageImpl,
+} from "../secret-storage.ts";
+import { ISecretRequest } from "./SecretSharing.ts";
+import {
+    BackupTrustInfo,
+    BootstrapCrossSigningOpts,
+    CrossSigningKeyInfo,
+    CrossSigningStatus,
+    decodeRecoveryKey,
+    DecryptionFailureCode,
+    DeviceIsolationMode,
+    DeviceVerificationStatus,
+    encodeRecoveryKey,
+    EventEncryptionInfo,
+    EventShieldColour,
+    EventShieldReason,
+    ImportRoomKeysOpts,
+    KeyBackupCheck,
+    KeyBackupInfo,
+    OwnDeviceKeys,
+    CryptoEvent as CryptoApiCryptoEvent,
+    CryptoEventHandlerMap as CryptoApiCryptoEventHandlerMap,
+    KeyBackupRestoreResult,
+    KeyBackupRestoreOpts,
+} from "../crypto-api/index.ts";
+import { Device, DeviceMap } from "../models/device.ts";
+import { deviceInfoToDevice } from "./device-converter.ts";
+import { ClientPrefix, MatrixError, Method } from "../http-api/index.ts";
+import { decodeBase64, encodeBase64 } from "../base64.ts";
+import { KnownMembership } from "../@types/membership.ts";
+import decryptAESSecretStorageItem from "../utils/decryptAESSecretStorageItem.ts";
+import encryptAESSecretStorageItem from "../utils/encryptAESSecretStorageItem.ts";
+import { AESEncryptedSecretStoragePayload } from "../@types/AESEncryptedSecretStoragePayload.ts";
+
+/* re-exports for backwards compatibility */
+export type {
+    BootstrapCrossSigningOpts as IBootstrapCrossSigningOpts,
+    CryptoCallbacks as ICryptoCallbacks,
+} from "../crypto-api/index.ts";
+
+const DeviceVerification = DeviceInfo.DeviceVerification;
+
+const defaultVerificationMethods = {
+    [ReciprocateQRCode.NAME]: ReciprocateQRCode,
+    [SASVerification.NAME]: SASVerification,
+
+    // These two can't be used for actual verification, but we do
+    // need to be able to define them here for the verification flows
+    // to start.
+    [SHOW_QR_CODE_METHOD]: IllegalMethod,
+    [SCAN_QR_CODE_METHOD]: IllegalMethod,
+} as const;
+
+/**
+ * verification method names
+ */
+// legacy export identifier
+export const verificationMethods = {
+    RECIPROCATE_QR_CODE: ReciprocateQRCode.NAME,
+    SAS: SASVerification.NAME,
+} as const;
+
+export type VerificationMethod = keyof typeof verificationMethods | string;
+
+// minimum time between attempting to unwedge an Olm session, if we succeeded
+// in creating a new session
+const MIN_FORCE_SESSION_INTERVAL_MS = 60 * 60 * 1000; // 1 hour
+// minimum time between attempting to unwedge an Olm session, if we failed
+// to create a new session
+const FORCE_SESSION_RETRY_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes
+
+interface IInitOpts {
+    exportedOlmDevice?: IExportedDevice;
+    pickleKey?: string;
+}
+
+/* eslint-disable camelcase */
+interface IRoomKey {
+    room_id: string;
+    algorithm: string;
+}
+
+/**
+ * The parameters of a room key request. The details of the request may
+ * vary with the crypto algorithm, but the management and storage layers for
+ * outgoing requests expect it to have 'room_id' and 'session_id' properties.
+ */
+export interface IRoomKeyRequestBody extends IRoomKey {
+    session_id: string;
+    sender_key: string;
+}
+
+/* eslint-enable camelcase */
+
+interface IDeviceVerificationUpgrade {
+    devices: DeviceInfo[];
+    crossSigningInfo: CrossSigningInfo;
+}
+
+export interface ICheckOwnCrossSigningTrustOpts {
+    allowPrivateKeyRequests?: boolean;
+}
+
+interface IUserOlmSession {
+    deviceIdKey: string;
+    sessions: {
+        sessionId: string;
+        hasReceivedMessage: boolean;
+    }[];
+}
+
+export interface IRoomKeyRequestRecipient {
+    userId: string;
+    deviceId: string;
+}
+
+interface ISignableObject {
+    signatures?: ISignatures;
+    unsigned?: object;
+}
+
+export interface IRequestsMap {
+    getRequest(event: MatrixEvent): VerificationRequest | undefined;
+    getRequestByChannel(channel: IVerificationChannel): VerificationRequest | undefined;
+    setRequest(event: MatrixEvent, request: VerificationRequest): void;
+    setRequestByChannel(channel: IVerificationChannel, request: VerificationRequest): void;
+}
+
+/* eslint-disable camelcase */
+export interface IOlmEncryptedContent {
+    algorithm: typeof olmlib.OLM_ALGORITHM;
+    sender_key: string;
+    ciphertext: Record<string, IMessage>;
+    [ToDeviceMessageId]?: string;
+}
+
+export interface IMegolmEncryptedContent {
+    algorithm: typeof olmlib.MEGOLM_ALGORITHM;
+    sender_key: string;
+    session_id: string;
+    device_id: string;
+    ciphertext: string;
+    [ToDeviceMessageId]?: string;
+}
+/* eslint-enable camelcase */
+
+export type IEncryptedContent = IOlmEncryptedContent | IMegolmEncryptedContent;
+
+export enum CryptoEvent {
+    /** @deprecated Event not fired by the rust crypto */
+    DeviceVerificationChanged = "deviceVerificationChanged",
+    UserTrustStatusChanged = CryptoApiCryptoEvent.UserTrustStatusChanged,
+    /** @deprecated Event not fired by the rust crypto */
+    UserCrossSigningUpdated = "userCrossSigningUpdated",
+    /** @deprecated Event not fired by the rust crypto */
+    RoomKeyRequest = "crypto.roomKeyRequest",
+    /** @deprecated Event not fired by the rust crypto */
+    RoomKeyRequestCancellation = "crypto.roomKeyRequestCancellation",
+    KeyBackupStatus = CryptoApiCryptoEvent.KeyBackupStatus,
+    KeyBackupFailed = CryptoApiCryptoEvent.KeyBackupFailed,
+    KeyBackupSessionsRemaining = CryptoApiCryptoEvent.KeyBackupSessionsRemaining,
+
+    /**
+     * Fires when a new valid backup decryption key is in cache.
+     * This will happen when a secret is received from another session, from secret storage,
+     * or when a new backup is created from this session.
+     *
+     * The payload is the version of the backup for which we have the key for.
+     *
+     * This event is only fired by the rust crypto backend.
+     */
+    KeyBackupDecryptionKeyCached = CryptoApiCryptoEvent.KeyBackupDecryptionKeyCached,
+
+    /** @deprecated Event not fired by the rust crypto */
+    KeySignatureUploadFailure = "crypto.keySignatureUploadFailure",
+    /** @deprecated Use `VerificationRequestReceived`. */
+    VerificationRequest = "crypto.verification.request",
+
+    /**
+     * Fires when a key verification request is received.
+     *
+     * The payload is a {@link Crypto.VerificationRequest}.
+     */
+    VerificationRequestReceived = CryptoApiCryptoEvent.VerificationRequestReceived,
+
+    /** @deprecated Event not fired by the rust crypto */
+    Warning = "crypto.warning",
+    /** @deprecated Use {@link DevicesUpdated} instead when using rust crypto */
+    WillUpdateDevices = CryptoApiCryptoEvent.WillUpdateDevices,
+    DevicesUpdated = CryptoApiCryptoEvent.DevicesUpdated,
+    KeysChanged = CryptoApiCryptoEvent.KeysChanged,
+
+    /**
+     * Fires when data is being migrated from legacy crypto to rust crypto.
+     *
+     * The payload is a pair `(progress, total)`, where `progress` is the number of steps completed so far, and
+     * `total` is the total number of steps. When migration is complete, a final instance of the event is emitted, with
+     * `progress === total === -1`.
+     */
+    LegacyCryptoStoreMigrationProgress = CryptoApiCryptoEvent.LegacyCryptoStoreMigrationProgress,
+}
+
+export type CryptoEventHandlerMap = CryptoApiCryptoEventHandlerMap & {
+    /**
+     * Fires when a device is marked as verified/unverified/blocked/unblocked by
+     * {@link MatrixClient#setDeviceVerified | MatrixClient.setDeviceVerified} or
+     * {@link MatrixClient#setDeviceBlocked | MatrixClient.setDeviceBlocked}.
+     *
+     * @param userId - the owner of the verified device
+     * @param deviceId - the id of the verified device
+     * @param deviceInfo - updated device information
+     */
+    [CryptoEvent.DeviceVerificationChanged]: (userId: string, deviceId: string, deviceInfo: DeviceInfo) => void;
+    /**
+     * Fires when we receive a room key request
+     *
+     * @param request - request details
+     */
+    [CryptoEvent.RoomKeyRequest]: (request: IncomingRoomKeyRequest) => void;
+    /**
+     * Fires when we receive a room key request cancellation
+     */
+    [CryptoEvent.RoomKeyRequestCancellation]: (request: IncomingRoomKeyRequestCancellation) => void;
+    [CryptoEvent.KeySignatureUploadFailure]: (
+        failures: IUploadKeySignaturesResponse["failures"],
+        source: "checkOwnCrossSigningTrust" | "afterCrossSigningLocalKeyChange" | "setDeviceVerification",
+        upload: (opts: { shouldEmit: boolean }) => Promise<void>,
+    ) => void;
+    /**
+     * Fires when a key verification is requested.
+     *
+     * Deprecated: use `CryptoEvent.VerificationRequestReceived`.
+     */
+    [CryptoEvent.VerificationRequest]: (request: VerificationRequest<any>) => void;
+    /**
+     * Fires when the app may wish to warn the user about something related
+     * the end-to-end crypto.
+     *
+     * @param type - One of the strings listed above
+     */
+    [CryptoEvent.Warning]: (type: string) => void;
+    [CryptoEvent.UserCrossSigningUpdated]: (userId: string) => void;
+
+    [CryptoEvent.LegacyCryptoStoreMigrationProgress]: (progress: number, total: number) => void;
+};
+
+export class Crypto extends TypedEventEmitter<CryptoEvent, CryptoEventHandlerMap> implements CryptoBackend {
+    /**
+     * @returns The version of Olm.
+     */
+    public static getOlmVersion(): [number, number, number] {
+        return OlmDevice.getOlmVersion();
+    }
+
+    public readonly backupManager: BackupManager;
+    public readonly crossSigningInfo: CrossSigningInfo;
+    public readonly olmDevice: OlmDevice;
+    public readonly deviceList: DeviceList;
+    public readonly dehydrationManager: DehydrationManager;
+    public readonly secretStorage: LegacySecretStorage;
+
+    private readonly roomList: RoomList;
+    private readonly reEmitter: TypedReEmitter<CryptoEvent, CryptoEventHandlerMap>;
+    private readonly verificationMethods: Map<VerificationMethod, typeof VerificationBase>;
+    public readonly supportedAlgorithms: string[];
+    private readonly outgoingRoomKeyRequestManager: OutgoingRoomKeyRequestManager;
+    private readonly toDeviceVerificationRequests: ToDeviceRequests;
+    public readonly inRoomVerificationRequests: InRoomRequests;
+
+    private trustCrossSignedDevices = true;
+    // the last time we did a check for the number of one-time-keys on the server.
+    private lastOneTimeKeyCheck: number | null = null;
+    private oneTimeKeyCheckInProgress = false;
+
+    // EncryptionAlgorithm instance for each room
+    private roomEncryptors = new Map<string, EncryptionAlgorithm>();
+    // map from algorithm to DecryptionAlgorithm instance, for each room
+    private roomDecryptors = new Map<string, Map<string, DecryptionAlgorithm>>();
+
+    private deviceKeys: Record<string, string> = {}; // type: key
+
+    public globalBlacklistUnverifiedDevices = false;
+    public globalErrorOnUnknownDevices = true;
+
+    // list of IncomingRoomKeyRequests/IncomingRoomKeyRequestCancellations
+    // we received in the current sync.
+    private receivedRoomKeyRequests: IncomingRoomKeyRequest[] = [];
+    private receivedRoomKeyRequestCancellations: IncomingRoomKeyRequestCancellation[] = [];
+    // true if we are currently processing received room key requests
+    private processingRoomKeyRequests = false;
+    // controls whether device tracking is delayed
+    // until calling encryptEvent or trackRoomDevices,
+    // or done immediately upon enabling room encryption.
+    private lazyLoadMembers = false;
+    // in case lazyLoadMembers is true,
+    // track if an initial tracking of all the room members
+    // has happened for a given room. This is delayed
+    // to avoid loading room members as long as possible.
+    private roomDeviceTrackingState: { [roomId: string]: Promise<void> } = {};
+
+    // The timestamp of the minimum time at which we will retry forcing establishment
+    // of a new session for each device, in milliseconds.
+    // {
+    //     userId: {
+    //         deviceId: 1234567890000,
+    //     },
+    // }
+    // Map: user Id → device Id → timestamp
+    private forceNewSessionRetryTime: MapWithDefault<string, MapWithDefault<string, number>> = new MapWithDefault(
+        () => new MapWithDefault(() => 0),
+    );
+
+    // This flag will be unset whilst the client processes a sync response
+    // so that we don't start requesting keys until we've actually finished
+    // processing the response.
+    private sendKeyRequestsImmediately = false;
+
+    private oneTimeKeyCount?: number;
+    private needsNewFallback?: boolean;
+    private fallbackCleanup?: ReturnType<typeof setTimeout>;
+
+    /**
+     * Cryptography bits
+     *
+     * This module is internal to the js-sdk; the public API is via MatrixClient.
+     *
+     * @internal
+     *
+     * @param baseApis - base matrix api interface
+     *
+     * @param userId - The user ID for the local user
+     *
+     * @param deviceId - The identifier for this device.
+     *
+     * @param clientStore - the MatrixClient data store.
+     *
+     * @param cryptoStore - storage for the crypto layer.
+     *
+     * @param verificationMethods - Array of verification methods to use.
+     *    Each element can either be a string from MatrixClient.verificationMethods
+     *    or a class that implements a verification method.
+     */
+    public constructor(
+        public readonly baseApis: MatrixClient,
+        public readonly userId: string,
+        private readonly deviceId: string,
+        private readonly clientStore: IStore,
+        public readonly cryptoStore: CryptoStore,
+        verificationMethods: Array<VerificationMethod | (typeof VerificationBase & { NAME: string })>,
+    ) {
+        super();
+
+        logger.debug("Crypto: initialising roomlist...");
+        this.roomList = new RoomList(cryptoStore);
+
+        this.reEmitter = new TypedReEmitter(this);
+
+        if (verificationMethods) {
+            this.verificationMethods = new Map();
+            for (const method of verificationMethods) {
+                if (typeof method === "string") {
+                    if (defaultVerificationMethods[method]) {
+                        this.verificationMethods.set(
+                            method,
+                            <typeof VerificationBase>defaultVerificationMethods[method],
+                        );
+                    }
+                } else if (method["NAME"]) {
+                    this.verificationMethods.set(method["NAME"], method as typeof VerificationBase);
+                } else {
+                    logger.warn(`Excluding unknown verification method ${method}`);
+                }
+            }
+        } else {
+            this.verificationMethods = new Map(Object.entries(defaultVerificationMethods)) as Map<
+                VerificationMethod,
+                typeof VerificationBase
+            >;
+        }
+
+        this.backupManager = new BackupManager(baseApis, async () => {
+            // try to get key from cache
+            const cachedKey = await this.getSessionBackupPrivateKey();
+            if (cachedKey) {
+                return cachedKey;
+            }
+
+            // try to get key from secret storage
+            const storedKey = await this.secretStorage.get("m.megolm_backup.v1");
+
+            if (storedKey) {
+                // ensure that the key is in the right format.  If not, fix the key and
+                // store the fixed version
+                const fixedKey = fixBackupKey(storedKey);
+                if (fixedKey) {
+                    const keys = await this.secretStorage.getKey();
+                    await this.secretStorage.store("m.megolm_backup.v1", fixedKey, [keys![0]]);
+                }
+
+                return decodeBase64(fixedKey || storedKey);
+            }
+
+            // try to get key from app
+            if (this.baseApis.cryptoCallbacks && this.baseApis.cryptoCallbacks.getBackupKey) {
+                return this.baseApis.cryptoCallbacks.getBackupKey();
+            }
+
+            throw new Error("Unable to get private key");
+        });
+
+        this.olmDevice = new OlmDevice(cryptoStore);
+        this.deviceList = new DeviceList(baseApis, cryptoStore, this.olmDevice);
+
+        // XXX: This isn't removed at any point, but then none of the event listeners
+        // this class sets seem to be removed at any point... :/
+        this.deviceList.on(CryptoEvent.UserCrossSigningUpdated, this.onDeviceListUserCrossSigningUpdated);
+        this.reEmitter.reEmit(this.deviceList, [CryptoEvent.DevicesUpdated, CryptoEvent.WillUpdateDevices]);
+
+        this.supportedAlgorithms = Array.from(algorithms.DECRYPTION_CLASSES.keys());
+
+        this.outgoingRoomKeyRequestManager = new OutgoingRoomKeyRequestManager(
+            baseApis,
+            this.deviceId,
+            this.cryptoStore,
+        );
+
+        this.toDeviceVerificationRequests = new ToDeviceRequests();
+        this.inRoomVerificationRequests = new InRoomRequests();
+
+        const cryptoCallbacks = this.baseApis.cryptoCallbacks || {};
+        const cacheCallbacks = createCryptoStoreCacheCallbacks(cryptoStore, this.olmDevice);
+
+        this.crossSigningInfo = new CrossSigningInfo(userId, cryptoCallbacks, cacheCallbacks);
+        // Yes, we pass the client twice here: see SecretStorage
+        this.secretStorage = new LegacySecretStorage(baseApis as AccountDataClient, cryptoCallbacks, baseApis);
+        this.dehydrationManager = new DehydrationManager(this);
+
+        // Assuming no app-supplied callback, default to getting from SSSS.
+        if (!cryptoCallbacks.getCrossSigningKey && cryptoCallbacks.getSecretStorageKey) {
+            cryptoCallbacks.getCrossSigningKey = async (type): Promise<Uint8Array | null> => {
+                return CrossSigningInfo.getFromSecretStorage(type, this.secretStorage);
+            };
+        }
+    }
+
+    /**
+     * Initialise the crypto module so that it is ready for use
+     *
+     * Returns a promise which resolves once the crypto module is ready for use.
+     *
+     * @param exportedOlmDevice - (Optional) data from exported device
+     *     that must be re-created.
+     */
+    public async init({ exportedOlmDevice, pickleKey }: IInitOpts = {}): Promise<void> {
+        logger.log("Crypto: initialising Olm...");
+        await globalThis.Olm.init();
+        logger.log(
+            exportedOlmDevice
+                ? "Crypto: initialising Olm device from exported device..."
+                : "Crypto: initialising Olm device...",
+        );
+        await this.olmDevice.init({ fromExportedDevice: exportedOlmDevice, pickleKey });
+        logger.log("Crypto: loading device list...");
+        await this.deviceList.load();
+
+        // build our device keys: these will later be uploaded
+        this.deviceKeys["ed25519:" + this.deviceId] = this.olmDevice.deviceEd25519Key!;
+        this.deviceKeys["curve25519:" + this.deviceId] = this.olmDevice.deviceCurve25519Key!;
+
+        logger.log("Crypto: fetching own devices...");
+        let myDevices = this.deviceList.getRawStoredDevicesForUser(this.userId);
+
+        if (!myDevices) {
+            myDevices = {};
+        }
+
+        if (!myDevices[this.deviceId]) {
+            // add our own deviceinfo to the cryptoStore
+            logger.log("Crypto: adding this device to the store...");
+            const deviceInfo = {
+                keys: this.deviceKeys,
+                algorithms: this.supportedAlgorithms,
+                verified: DeviceVerification.VERIFIED,
+                known: true,
+            };
+
+            myDevices[this.deviceId] = deviceInfo;
+            this.deviceList.storeDevicesForUser(this.userId, myDevices);
+            this.deviceList.saveIfDirty();
+        }
+
+        await this.cryptoStore.doTxn("readonly", [IndexedDBCryptoStore.STORE_ACCOUNT], (txn) => {
+            this.cryptoStore.getCrossSigningKeys(txn, (keys) => {
+                // can be an empty object after resetting cross-signing keys, see storeTrustedSelfKeys
+                if (keys && Object.keys(keys).length !== 0) {
+                    logger.log("Loaded cross-signing public keys from crypto store");
+                    this.crossSigningInfo.setKeys(keys);
+                }
+            });
+        });
+        // make sure we are keeping track of our own devices
+        // (this is important for key backups & things)
+        this.deviceList.startTrackingDeviceList(this.userId);
+
+        logger.debug("Crypto: initialising roomlist...");
+        await this.roomList.init();
+
+        logger.log("Crypto: checking for key backup...");
+        this.backupManager.checkAndStart();
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi#setDeviceIsolationMode}.
+     */
+    public setDeviceIsolationMode(isolationMode: DeviceIsolationMode): void {
+        throw new Error("Not supported");
+    }
+    /**
+     * Implementation of {@link Crypto.CryptoApi#getVersion}.
+     */
+    public getVersion(): string {
+        const olmVersionTuple = Crypto.getOlmVersion();
+        return `Olm ${olmVersionTuple[0]}.${olmVersionTuple[1]}.${olmVersionTuple[2]}`;
+    }
+
+    /**
+     * Whether to trust a others users signatures of their devices.
+     * If false, devices will only be considered 'verified' if we have
+     * verified that device individually (effectively disabling cross-signing).
+     *
+     * Default: true
+     *
+     * @returns True if trusting cross-signed devices
+     */
+    public getTrustCrossSignedDevices(): boolean {
+        return this.trustCrossSignedDevices;
+    }
+
+    /**
+     * @deprecated Use {@link Crypto.CryptoApi#getTrustCrossSignedDevices}.
+     */
+    public getCryptoTrustCrossSignedDevices(): boolean {
+        return this.trustCrossSignedDevices;
+    }
+
+    /**
+     * See getCryptoTrustCrossSignedDevices
+     *
+     * @param val - True to trust cross-signed devices
+     */
+    public setTrustCrossSignedDevices(val: boolean): void {
+        this.trustCrossSignedDevices = val;
+
+        for (const userId of this.deviceList.getKnownUserIds()) {
+            const devices = this.deviceList.getRawStoredDevicesForUser(userId);
+            for (const deviceId of Object.keys(devices)) {
+                const deviceTrust = this.checkDeviceTrust(userId, deviceId);
+                // If the device is locally verified then isVerified() is always true,
+                // so this will only have caused the value to change if the device is
+                // cross-signing verified but not locally verified
+                if (!deviceTrust.isLocallyVerified() && deviceTrust.isCrossSigningVerified()) {
+                    const deviceObj = this.deviceList.getStoredDevice(userId, deviceId)!;
+                    this.emit(CryptoEvent.DeviceVerificationChanged, userId, deviceId, deviceObj);
+                }
+            }
+        }
+    }
+
+    /**
+     * @deprecated Use {@link Crypto.CryptoApi#setTrustCrossSignedDevices}.
+     */
+    public setCryptoTrustCrossSignedDevices(val: boolean): void {
+        this.setTrustCrossSignedDevices(val);
+    }
+
+    /**
+     * Create a recovery key from a user-supplied passphrase.
+     *
+     * @param password - Passphrase string that can be entered by the user
+     *     when restoring the backup as an alternative to entering the recovery key.
+     *     Optional.
+     * @returns Object with public key metadata, encoded private
+     *     recovery key which should be disposed of after displaying to the user,
+     *     and raw private key to avoid round tripping if needed.
+     */
+    public async createRecoveryKeyFromPassphrase(password?: string): Promise<IRecoveryKey> {
+        const decryption = new globalThis.Olm.PkDecryption();
+        try {
+            if (password) {
+                const derivation = await keyFromPassphrase(password);
+
+                decryption.init_with_private_key(derivation.key);
+                const privateKey = decryption.get_private_key();
+                return {
+                    keyInfo: {
+                        passphrase: {
+                            algorithm: "m.pbkdf2",
+                            iterations: derivation.iterations,
+                            salt: derivation.salt,
+                        },
+                    },
+                    privateKey: privateKey,
+                    encodedPrivateKey: encodeRecoveryKey(privateKey),
+                };
+            } else {
+                decryption.generate_key();
+                const privateKey = decryption.get_private_key();
+                return {
+                    privateKey: privateKey,
+                    encodedPrivateKey: encodeRecoveryKey(privateKey),
+                };
+            }
+        } finally {
+            decryption?.free();
+        }
+    }
+
+    /**
+     * Checks if the user has previously published cross-signing keys
+     *
+     * This means downloading the devicelist for the user and checking if the list includes
+     * the cross-signing pseudo-device.
+     *
+     * @internal
+     */
+    public async userHasCrossSigningKeys(userId = this.userId): Promise<boolean> {
+        await this.downloadKeys([userId]);
+        return this.deviceList.getStoredCrossSigningForUser(userId) !== null;
+    }
+
+    /**
+     * Checks whether cross signing:
+     * - is enabled on this account and trusted by this device
+     * - has private keys either cached locally or stored in secret storage
+     *
+     * If this function returns false, bootstrapCrossSigning() can be used
+     * to fix things such that it returns true. That is to say, after
+     * bootstrapCrossSigning() completes successfully, this function should
+     * return true.
+     *
+     * The cross-signing API is currently UNSTABLE and may change without notice.
+     *
+     * @returns True if cross-signing is ready to be used on this device
+     */
+    public async isCrossSigningReady(): Promise<boolean> {
+        const publicKeysOnDevice = this.crossSigningInfo.getId();
+        const privateKeysExistSomewhere =
+            (await this.crossSigningInfo.isStoredInKeyCache()) ||
+            (await this.crossSigningInfo.isStoredInSecretStorage(this.secretStorage));
+
+        return !!(publicKeysOnDevice && privateKeysExistSomewhere);
+    }
+
+    /**
+     * Checks whether secret storage:
+     * - is enabled on this account
+     * - is storing cross-signing private keys
+     * - is storing session backup key (if enabled)
+     *
+     * If this function returns false, bootstrapSecretStorage() can be used
+     * to fix things such that it returns true. That is to say, after
+     * bootstrapSecretStorage() completes successfully, this function should
+     * return true.
+     *
+     * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+     *
+     * @returns True if secret storage is ready to be used on this device
+     */
+    public async isSecretStorageReady(): Promise<boolean> {
+        const secretStorageKeyInAccount = await this.secretStorage.hasKey();
+        const privateKeysInStorage = await this.crossSigningInfo.isStoredInSecretStorage(this.secretStorage);
+        const sessionBackupInStorage =
+            !this.backupManager.getKeyBackupEnabled() || (await this.baseApis.isKeyBackupKeyStored());
+
+        return !!(secretStorageKeyInAccount && privateKeysInStorage && sessionBackupInStorage);
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi#getCrossSigningStatus}
+     */
+    public async getCrossSigningStatus(): Promise<CrossSigningStatus> {
+        const publicKeysOnDevice = Boolean(this.crossSigningInfo.getId());
+        const privateKeysInSecretStorage = Boolean(
+            await this.crossSigningInfo.isStoredInSecretStorage(this.secretStorage),
+        );
+        const cacheCallbacks = this.crossSigningInfo.getCacheCallbacks();
+        const masterKey = Boolean(await cacheCallbacks.getCrossSigningKeyCache?.("master"));
+        const selfSigningKey = Boolean(await cacheCallbacks.getCrossSigningKeyCache?.("self_signing"));
+        const userSigningKey = Boolean(await cacheCallbacks.getCrossSigningKeyCache?.("user_signing"));
+
+        return {
+            publicKeysOnDevice,
+            privateKeysInSecretStorage,
+            privateKeysCachedLocally: {
+                masterKey,
+                selfSigningKey,
+                userSigningKey,
+            },
+        };
+    }
+
+    /**
+     * Bootstrap cross-signing by creating keys if needed. If everything is already
+     * set up, then no changes are made, so this is safe to run to ensure
+     * cross-signing is ready for use.
+     *
+     * This function:
+     * - creates new cross-signing keys if they are not found locally cached nor in
+     *   secret storage (if it has been setup)
+     *
+     * The cross-signing API is currently UNSTABLE and may change without notice.
+     */
+    public async bootstrapCrossSigning({
+        authUploadDeviceSigningKeys,
+        setupNewCrossSigning,
+    }: BootstrapCrossSigningOpts = {}): Promise<void> {
+        logger.log("Bootstrapping cross-signing");
+
+        const delegateCryptoCallbacks = this.baseApis.cryptoCallbacks;
+        const builder = new EncryptionSetupBuilder(this.baseApis.store.accountData, delegateCryptoCallbacks);
+        const crossSigningInfo = new CrossSigningInfo(
+            this.userId,
+            builder.crossSigningCallbacks,
+            builder.crossSigningCallbacks,
+        );
+
+        // Reset the cross-signing keys
+        const resetCrossSigning = async (): Promise<void> => {
+            crossSigningInfo.resetKeys();
+            // Sign master key with device key
+            await this.signObject(crossSigningInfo.keys.master);
+
+            // Store auth flow helper function, as we need to call it when uploading
+            // to ensure we handle auth errors properly.
+            builder.addCrossSigningKeys(authUploadDeviceSigningKeys, crossSigningInfo.keys);
+
+            // Cross-sign own device
+            const device = this.deviceList.getStoredDevice(this.userId, this.deviceId)!;
+            const deviceSignature = await crossSigningInfo.signDevice(this.userId, device);
+            builder.addKeySignature(this.userId, this.deviceId, deviceSignature!);
+
+            // Sign message key backup with cross-signing master key
+            if (this.backupManager.backupInfo) {
+                await crossSigningInfo.signObject(this.backupManager.backupInfo.auth_data, "master");
+                builder.addSessionBackup(this.backupManager.backupInfo);
+            }
+        };
+
+        const publicKeysOnDevice = this.crossSigningInfo.getId();
+        const privateKeysInCache = await this.crossSigningInfo.isStoredInKeyCache();
+        const privateKeysInStorage = await this.crossSigningInfo.isStoredInSecretStorage(this.secretStorage);
+        const privateKeysExistSomewhere = privateKeysInCache || privateKeysInStorage;
+
+        // Log all relevant state for easier parsing of debug logs.
+        logger.log({
+            setupNewCrossSigning,
+            publicKeysOnDevice,
+            privateKeysInCache,
+            privateKeysInStorage,
+            privateKeysExistSomewhere,
+        });
+
+        if (!privateKeysExistSomewhere || setupNewCrossSigning) {
+            logger.log("Cross-signing private keys not found locally or in secret storage, " + "creating new keys");
+            // If a user has multiple devices, it important to only call bootstrap
+            // as part of some UI flow (and not silently during startup), as they
+            // may have setup cross-signing on a platform which has not saved keys
+            // to secret storage, and this would reset them. In such a case, you
+            // should prompt the user to verify any existing devices first (and
+            // request private keys from those devices) before calling bootstrap.
+            await resetCrossSigning();
+        } else if (publicKeysOnDevice && privateKeysInCache) {
+            logger.log("Cross-signing public keys trusted and private keys found locally");
+        } else if (privateKeysInStorage) {
+            logger.log(
+                "Cross-signing private keys not found locally, but they are available " +
+                    "in secret storage, reading storage and caching locally",
+            );
+            await this.checkOwnCrossSigningTrust({
+                allowPrivateKeyRequests: true,
+            });
+        }
+
+        // Assuming no app-supplied callback, default to storing new private keys in
+        // secret storage if it exists. If it does not, it is assumed this will be
+        // done as part of setting up secret storage later.
+        const crossSigningPrivateKeys = builder.crossSigningCallbacks.privateKeys;
+        if (crossSigningPrivateKeys.size && !this.baseApis.cryptoCallbacks.saveCrossSigningKeys) {
+            const secretStorage = new ServerSideSecretStorageImpl(
+                builder.accountDataClientAdapter,
+                builder.ssssCryptoCallbacks,
+            );
+            if (await secretStorage.hasKey()) {
+                logger.log("Storing new cross-signing private keys in secret storage");
+                // This is writing to in-memory account data in
+                // builder.accountDataClientAdapter so won't fail
+                await CrossSigningInfo.storeInSecretStorage(crossSigningPrivateKeys, secretStorage);
+            }
+        }
+
+        const operation = builder.buildOperation();
+        await operation.apply(this);
+        // This persists private keys and public keys as trusted,
+        // only do this if apply succeeded for now as retry isn't in place yet
+        await builder.persist(this);
+
+        logger.log("Cross-signing ready");
+    }
+
+    /**
+     * Bootstrap Secure Secret Storage if needed by creating a default key. If everything is
+     * already set up, then no changes are made, so this is safe to run to ensure secret
+     * storage is ready for use.
+     *
+     * This function
+     * - creates a new Secure Secret Storage key if no default key exists
+     *   - if a key backup exists, it is migrated to store the key in the Secret
+     *     Storage
+     * - creates a backup if none exists, and one is requested
+     * - migrates Secure Secret Storage to use the latest algorithm, if an outdated
+     *   algorithm is found
+     *
+     * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+     *
+     * Returns:
+     *     A promise which resolves to key creation data for
+     *     SecretStorage#addKey: an object with `passphrase` etc fields.
+     */
+    // TODO this does not resolve with what it says it does
+    public async bootstrapSecretStorage({
+        createSecretStorageKey = async (): Promise<IRecoveryKey> => ({}) as IRecoveryKey,
+        keyBackupInfo,
+        setupNewKeyBackup,
+        setupNewSecretStorage,
+        getKeyBackupPassphrase,
+    }: ICreateSecretStorageOpts = {}): Promise<void> {
+        logger.log("Bootstrapping Secure Secret Storage");
+        const delegateCryptoCallbacks = this.baseApis.cryptoCallbacks;
+        const builder = new EncryptionSetupBuilder(this.baseApis.store.accountData, delegateCryptoCallbacks);
+        const secretStorage = new ServerSideSecretStorageImpl(
+            builder.accountDataClientAdapter,
+            builder.ssssCryptoCallbacks,
+        );
+
+        // the ID of the new SSSS key, if we create one
+        let newKeyId: string | null = null;
+
+        // create a new SSSS key and set it as default
+        const createSSSS = async (opts: AddSecretStorageKeyOpts): Promise<string> => {
+            const { keyId, keyInfo } = await secretStorage.addKey(SECRET_STORAGE_ALGORITHM_V1_AES, opts);
+
+            // make the private key available to encrypt 4S secrets
+            builder.ssssCryptoCallbacks.addPrivateKey(keyId, keyInfo, opts.key);
+
+            await secretStorage.setDefaultKeyId(keyId);
+            return keyId;
+        };
+
+        const ensureCanCheckPassphrase = async (keyId: string, keyInfo: SecretStorageKeyDescription): Promise<void> => {
+            if (!keyInfo.mac) {
+                const key = await this.baseApis.cryptoCallbacks.getSecretStorageKey?.(
+                    { keys: { [keyId]: keyInfo } },
+                    "",
+                );
+                if (key) {
+                    const privateKey = key[1];
+                    builder.ssssCryptoCallbacks.addPrivateKey(keyId, keyInfo, privateKey);
+                    const { iv, mac } = await calculateKeyCheck(privateKey);
+                    keyInfo.iv = iv;
+                    keyInfo.mac = mac;
+
+                    await builder.setAccountData(`m.secret_storage.key.${keyId}`, keyInfo);
+                }
+            }
+        };
+
+        const signKeyBackupWithCrossSigning = async (keyBackupAuthData: IKeyBackupInfo["auth_data"]): Promise<void> => {
+            if (this.crossSigningInfo.getId() && (await this.crossSigningInfo.isStoredInKeyCache("master"))) {
+                try {
+                    logger.log("Adding cross-signing signature to key backup");
+                    await this.crossSigningInfo.signObject(keyBackupAuthData, "master");
+                } catch (e) {
+                    // This step is not critical (just helpful), so we catch here
+                    // and continue if it fails.
+                    logger.error("Signing key backup with cross-signing keys failed", e);
+                }
+            } else {
+                logger.warn("Cross-signing keys not available, skipping signature on key backup");
+            }
+        };
+
+        const oldSSSSKey = await this.secretStorage.getKey();
+        const [oldKeyId, oldKeyInfo] = oldSSSSKey || [null, null];
+        const storageExists =
+            !setupNewSecretStorage && oldKeyInfo && oldKeyInfo.algorithm === SECRET_STORAGE_ALGORITHM_V1_AES;
+
+        // Log all relevant state for easier parsing of debug logs.
+        logger.log({
+            keyBackupInfo,
+            setupNewKeyBackup,
+            setupNewSecretStorage,
+            storageExists,
+            oldKeyInfo,
+        });
+
+        if (!storageExists && !keyBackupInfo) {
+            // either we don't have anything, or we've been asked to restart
+            // from scratch
+            logger.log("Secret storage does not exist, creating new storage key");
+
+            // if we already have a usable default SSSS key and aren't resetting
+            // SSSS just use it. otherwise, create a new one
+            // Note: we leave the old SSSS key in place: there could be other
+            // secrets using it, in theory. We could move them to the new key but a)
+            // that would mean we'd need to prompt for the old passphrase, and b)
+            // it's not clear that would be the right thing to do anyway.
+            const { keyInfo, privateKey } = await createSecretStorageKey();
+            newKeyId = await createSSSS({ passphrase: keyInfo?.passphrase, key: privateKey, name: keyInfo?.name });
+        } else if (!storageExists && keyBackupInfo) {
+            // we have an existing backup, but no SSSS
+            logger.log("Secret storage does not exist, using key backup key");
+
+            // if we have the backup key already cached, use it; otherwise use the
+            // callback to prompt for the key
+            const backupKey = (await this.getSessionBackupPrivateKey()) || (await getKeyBackupPassphrase?.());
+
+            // create a new SSSS key and use the backup key as the new SSSS key
+            const opts = { key: backupKey } as AddSecretStorageKeyOpts;
+
+            if (keyBackupInfo.auth_data.private_key_salt && keyBackupInfo.auth_data.private_key_iterations) {
+                // FIXME: ???
+                opts.passphrase = {
+                    algorithm: "m.pbkdf2",
+                    iterations: keyBackupInfo.auth_data.private_key_iterations,
+                    salt: keyBackupInfo.auth_data.private_key_salt,
+                    bits: 256,
+                };
+            }
+
+            newKeyId = await createSSSS(opts);
+
+            // store the backup key in secret storage
+            await secretStorage.store("m.megolm_backup.v1", encodeBase64(backupKey!), [newKeyId]);
+
+            // The backup is trusted because the user provided the private key.
+            // Sign the backup with the cross-signing key so the key backup can
+            // be trusted via cross-signing.
+            await signKeyBackupWithCrossSigning(keyBackupInfo.auth_data);
+
+            builder.addSessionBackup(keyBackupInfo);
+        } else {
+            // 4S is already set up
+            logger.log("Secret storage exists");
+
+            if (oldKeyInfo && oldKeyInfo.algorithm === SECRET_STORAGE_ALGORITHM_V1_AES) {
+                // make sure that the default key has the information needed to
+                // check the passphrase
+                await ensureCanCheckPassphrase(oldKeyId, oldKeyInfo);
+            }
+        }
+
+        // If we have cross-signing private keys cached, store them in secret
+        // storage if they are not there already.
+        if (
+            !this.baseApis.cryptoCallbacks.saveCrossSigningKeys &&
+            (await this.isCrossSigningReady()) &&
+            (newKeyId || !(await this.crossSigningInfo.isStoredInSecretStorage(secretStorage)))
+        ) {
+            logger.log("Copying cross-signing private keys from cache to secret storage");
+            const crossSigningPrivateKeys = await this.crossSigningInfo.getCrossSigningKeysFromCache();
+            // This is writing to in-memory account data in
+            // builder.accountDataClientAdapter so won't fail
+            await CrossSigningInfo.storeInSecretStorage(crossSigningPrivateKeys, secretStorage);
+        }
+
+        if (setupNewKeyBackup && !keyBackupInfo) {
+            logger.log("Creating new message key backup version");
+            const info = await this.baseApis.prepareKeyBackupVersion(
+                null /* random key */,
+                // don't write to secret storage, as it will write to this.secretStorage.
+                // Here, we want to capture all the side-effects of bootstrapping,
+                // and want to write to the local secretStorage object
+                { secureSecretStorage: false },
+            );
+            // write the key to 4S
+            const privateKey = decodeRecoveryKey(info.recovery_key);
+            await secretStorage.store("m.megolm_backup.v1", encodeBase64(privateKey));
+
+            // create keyBackupInfo object to add to builder
+            const data: IKeyBackupInfo = {
+                algorithm: info.algorithm,
+                auth_data: info.auth_data,
+            };
+
+            // Sign with cross-signing master key
+            await signKeyBackupWithCrossSigning(data.auth_data);
+
+            // sign with the device fingerprint
+            await this.signObject(data.auth_data);
+
+            builder.addSessionBackup(data);
+        }
+
+        // Cache the session backup key
+        const sessionBackupKey = await secretStorage.get("m.megolm_backup.v1");
+        if (sessionBackupKey) {
+            logger.info("Got session backup key from secret storage: caching");
+            // fix up the backup key if it's in the wrong format, and replace
+            // in secret storage
+            const fixedBackupKey = fixBackupKey(sessionBackupKey);
+            if (fixedBackupKey) {
+                const keyId = newKeyId || oldKeyId;
+                await secretStorage.store("m.megolm_backup.v1", fixedBackupKey, keyId ? [keyId] : null);
+            }
+            const decodedBackupKey = new Uint8Array(decodeBase64(fixedBackupKey || sessionBackupKey));
+            builder.addSessionBackupPrivateKeyToCache(decodedBackupKey);
+        } else if (this.backupManager.getKeyBackupEnabled()) {
+            // key backup is enabled but we don't have a session backup key in SSSS: see if we have one in
+            // the cache or the user can provide one, and if so, write it to SSSS
+            const backupKey = (await this.getSessionBackupPrivateKey()) || (await getKeyBackupPassphrase?.());
+            if (!backupKey) {
+                // This will require user intervention to recover from since we don't have the key
+                // backup key anywhere. The user should probably just set up a new key backup and
+                // the key for the new backup will be stored. If we hit this scenario in the wild
+                // with any frequency, we should do more than just log an error.
+                logger.error("Key backup is enabled but couldn't get key backup key!");
+                return;
+            }
+            logger.info("Got session backup key from cache/user that wasn't in SSSS: saving to SSSS");
+            await secretStorage.store("m.megolm_backup.v1", encodeBase64(backupKey));
+        }
+
+        const operation = builder.buildOperation();
+        await operation.apply(this);
+        // this persists private keys and public keys as trusted,
+        // only do this if apply succeeded for now as retry isn't in place yet
+        await builder.persist(this);
+
+        logger.log("Secure Secret Storage ready");
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi#resetKeyBackup}.
+     */
+    public async resetKeyBackup(): Promise<void> {
+        // Delete existing ones
+        // There is no use case for having several key backup version live server side.
+        // Even if not deleted it would be lost as the key to restore is lost.
+        // There should be only one backup at a time.
+        await this.backupManager.deleteAllKeyBackupVersions();
+
+        const info = await this.backupManager.prepareKeyBackupVersion();
+
+        await this.signObject(info.auth_data);
+
+        // add new key backup
+        const { version } = await this.baseApis.http.authedRequest<{ version: string }>(
+            Method.Post,
+            "/room_keys/version",
+            undefined,
+            info,
+            {
+                prefix: ClientPrefix.V3,
+            },
+        );
+
+        logger.log(`Created backup version ${version}`);
+
+        // write the key to 4S
+        const privateKey = info.privateKey;
+        await this.secretStorage.store("m.megolm_backup.v1", encodeBase64(privateKey));
+        await this.storeSessionBackupPrivateKey(privateKey);
+
+        await this.backupManager.checkAndStart();
+        await this.backupManager.scheduleAllGroupSessionsForBackup();
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi#deleteKeyBackupVersion}.
+     */
+    public async deleteKeyBackupVersion(version: string): Promise<void> {
+        await this.backupManager.deleteKeyBackupVersion(version);
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#addKey}.
+     */
+    public addSecretStorageKey(
+        algorithm: string,
+        opts: AddSecretStorageKeyOpts,
+        keyID?: string,
+    ): Promise<SecretStorageKeyObject> {
+        return this.secretStorage.addKey(algorithm, opts, keyID);
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#hasKey}.
+     */
+    public hasSecretStorageKey(keyID?: string): Promise<boolean> {
+        return this.secretStorage.hasKey(keyID);
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#getKey}.
+     */
+    public getSecretStorageKey(keyID?: string): Promise<SecretStorageKeyTuple | null> {
+        return this.secretStorage.getKey(keyID);
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#store}.
+     */
+    public storeSecret(name: string, secret: string, keys?: string[]): Promise<void> {
+        return this.secretStorage.store(name, secret, keys);
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#get}.
+     */
+    public getSecret(name: string): Promise<string | undefined> {
+        return this.secretStorage.get(name);
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#isStored}.
+     */
+    public isSecretStored(name: string): Promise<Record<string, SecretStorageKeyDescription> | null> {
+        return this.secretStorage.isStored(name);
+    }
+
+    public requestSecret(name: string, devices: string[]): ISecretRequest {
+        if (!devices) {
+            devices = Object.keys(this.deviceList.getRawStoredDevicesForUser(this.userId));
+        }
+        return this.secretStorage.request(name, devices);
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#getDefaultKeyId}.
+     */
+    public getDefaultSecretStorageKeyId(): Promise<string | null> {
+        return this.secretStorage.getDefaultKeyId();
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#setDefaultKeyId}.
+     */
+    public setDefaultSecretStorageKeyId(k: string): Promise<void> {
+        return this.secretStorage.setDefaultKeyId(k);
+    }
+
+    /**
+     * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#checkKey}.
+     */
+    public checkSecretStorageKey(key: Uint8Array, info: SecretStorageKeyDescription): Promise<boolean> {
+        return this.secretStorage.checkKey(key, info);
+    }
+
+    /**
+     * Checks that a given secret storage private key matches a given public key.
+     * This can be used by the getSecretStorageKey callback to verify that the
+     * private key it is about to supply is the one that was requested.
+     *
+     * @param privateKey - The private key
+     * @param expectedPublicKey - The public key
+     * @returns true if the key matches, otherwise false
+     */
+    public checkSecretStoragePrivateKey(privateKey: Uint8Array, expectedPublicKey: string): boolean {
+        let decryption: PkDecryption | null = null;
+        try {
+            decryption = new globalThis.Olm.PkDecryption();
+            const gotPubkey = decryption.init_with_private_key(privateKey);
+            // make sure it agrees with the given pubkey
+            return gotPubkey === expectedPublicKey;
+        } finally {
+            decryption?.free();
+        }
+    }
+
+    /**
+     * Fetches the backup private key, if cached
+     * @returns the key, if any, or null
+     */
+    public async getSessionBackupPrivateKey(): Promise<Uint8Array | null> {
+        const encodedKey = await new Promise<Uint8Array | AESEncryptedSecretStoragePayload | string | null>(
+            (resolve) => {
+                this.cryptoStore.doTxn("readonly", [IndexedDBCryptoStore.STORE_ACCOUNT], (txn) => {
+                    this.cryptoStore.getSecretStorePrivateKey(txn, resolve, "m.megolm_backup.v1");
+                });
+            },
+        );
+
+        let key: Uint8Array | null = null;
+
+        // make sure we have a Uint8Array, rather than a string
+        if (typeof encodedKey === "string") {
+            key = new Uint8Array(decodeBase64(fixBackupKey(encodedKey) || encodedKey));
+            await this.storeSessionBackupPrivateKey(key);
+        }
+        if (encodedKey && typeof encodedKey === "object" && "ciphertext" in encodedKey) {
+            const pickleKey = Buffer.from(this.olmDevice.pickleKey);
+            const decrypted = await decryptAESSecretStorageItem(encodedKey, pickleKey, "m.megolm_backup.v1");
+            key = decodeBase64(decrypted);
+        }
+        return key;
+    }
+
+    /**
+     * Stores the session backup key to the cache
+     * @param key - the private key
+     * @returns a promise so you can catch failures
+     */
+    public async storeSessionBackupPrivateKey(key: ArrayLike<number>, version?: string): Promise<void> {
+        if (!(key instanceof Uint8Array)) {
+            // eslint-disable-next-line @typescript-eslint/no-base-to-string
+            throw new Error(`storeSessionBackupPrivateKey expects Uint8Array, got ${key}`);
+        }
+        const pickleKey = Buffer.from(this.olmDevice.pickleKey);
+        const encryptedKey = await encryptAESSecretStorageItem(encodeBase64(key), pickleKey, "m.megolm_backup.v1");
+        return this.cryptoStore.doTxn("readwrite", [IndexedDBCryptoStore.STORE_ACCOUNT], (txn) => {
+            this.cryptoStore.storeSecretStorePrivateKey(txn, "m.megolm_backup.v1", encryptedKey);
+        });
+    }
+
+    /**
+     * Implementation of {@link Crypto.loadSessionBackupPrivateKeyFromSecretStorage}.
+     */
+    public loadSessionBackupPrivateKeyFromSecretStorage(): Promise<void> {
+        throw new Error("Not implmeented");
+    }
+
+    /**
+     * Get the current status of key backup.
+     *
+     * Implementation of {@link Crypto.CryptoApi.getActiveSessionBackupVersion}.
+     */
+    public async getActiveSessionBackupVersion(): Promise<string | null> {
+        if (this.backupManager.getKeyBackupEnabled()) {
+            return this.backupManager.version ?? null;
+        }
+        return null;
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi#getKeyBackupInfo}.
+     */
+    public async getKeyBackupInfo(): Promise<KeyBackupInfo | null> {
+        throw new Error("Not implemented");
+    }
+
+    /**
+     * Determine if a key backup can be trusted.
+     *
+     * Implementation of {@link Crypto.CryptoApi.isKeyBackupTrusted}.
+     */
+    public async isKeyBackupTrusted(info: KeyBackupInfo): Promise<BackupTrustInfo> {
+        const trustInfo = await this.backupManager.isKeyBackupTrusted(info);
+        return backupTrustInfoFromLegacyTrustInfo(trustInfo);
+    }
+
+    /**
+     * Force a re-check of the key backup and enable/disable it as appropriate.
+     *
+     * Implementation of {@link Crypto.CryptoApi.checkKeyBackupAndEnable}.
+     */
+    public async checkKeyBackupAndEnable(): Promise<KeyBackupCheck | null> {
+        const checkResult = await this.backupManager.checkKeyBackup();
+        if (!checkResult || !checkResult.backupInfo) return null;
+        return {
+            backupInfo: checkResult.backupInfo,
+            trustInfo: backupTrustInfoFromLegacyTrustInfo(checkResult.trustInfo),
+        };
+    }
+
+    /**
+     * Checks that a given cross-signing private key matches a given public key.
+     * This can be used by the getCrossSigningKey callback to verify that the
+     * private key it is about to supply is the one that was requested.
+     *
+     * @param privateKey - The private key
+     * @param expectedPublicKey - The public key
+     * @returns true if the key matches, otherwise false
+     */
+    public checkCrossSigningPrivateKey(privateKey: Uint8Array, expectedPublicKey: string): boolean {
+        let signing: PkSigning | null = null;
+        try {
+            signing = new globalThis.Olm.PkSigning();
+            const gotPubkey = signing.init_with_seed(privateKey);
+            // make sure it agrees with the given pubkey
+            return gotPubkey === expectedPublicKey;
+        } finally {
+            signing?.free();
+        }
+    }
+
+    /**
+     * Run various follow-up actions after cross-signing keys have changed locally
+     * (either by resetting the keys for the account or by getting them from secret
+     * storage), such as signing the current device, upgrading device
+     * verifications, etc.
+     */
+    private async afterCrossSigningLocalKeyChange(): Promise<void> {
+        logger.info("Starting cross-signing key change post-processing");
+
+        // sign the current device with the new key, and upload to the server
+        const device = this.deviceList.getStoredDevice(this.userId, this.deviceId)!;
+        const signedDevice = await this.crossSigningInfo.signDevice(this.userId, device);
+        logger.info(`Starting background key sig upload for ${this.deviceId}`);
+
+        const upload = ({ shouldEmit = false }): Promise<void> => {
+            return this.baseApis
+                .uploadKeySignatures({
+                    [this.userId]: {
+                        [this.deviceId]: signedDevice!,
+                    },
+                })
+                .then((response) => {
+                    const { failures } = response || {};
+                    if (Object.keys(failures || []).length > 0) {
+                        if (shouldEmit) {
+                            this.baseApis.emit(
+                                CryptoEvent.KeySignatureUploadFailure,
+                                failures,
+                                "afterCrossSigningLocalKeyChange",
+                                upload, // continuation
+                            );
+                        }
+                        throw new KeySignatureUploadError("Key upload failed", { failures });
+                    }
+                    logger.info(`Finished background key sig upload for ${this.deviceId}`);
+                })
+                .catch((e) => {
+                    logger.error(`Error during background key sig upload for ${this.deviceId}`, e);
+                });
+        };
+        upload({ shouldEmit: true });
+
+        const shouldUpgradeCb = this.baseApis.cryptoCallbacks.shouldUpgradeDeviceVerifications;
+        if (shouldUpgradeCb) {
+            logger.info("Starting device verification upgrade");
+
+            // Check all users for signatures if upgrade callback present
+            // FIXME: do this in batches
+            const users: Record<string, IDeviceVerificationUpgrade> = {};
+            for (const [userId, crossSigningInfo] of Object.entries(this.deviceList.crossSigningInfo)) {
+                const upgradeInfo = await this.checkForDeviceVerificationUpgrade(
+                    userId,
+                    CrossSigningInfo.fromStorage(crossSigningInfo, userId),
+                );
+                if (upgradeInfo) {
+                    users[userId] = upgradeInfo;
+                }
+            }
+
+            if (Object.keys(users).length > 0) {
+                logger.info(`Found ${Object.keys(users).length} verif users to upgrade`);
+                try {
+                    const usersToUpgrade = await shouldUpgradeCb({ users: users });
+                    if (usersToUpgrade) {
+                        for (const userId of usersToUpgrade) {
+                            if (userId in users) {
+                                await this.baseApis.setDeviceVerified(userId, users[userId].crossSigningInfo.getId()!);
+                            }
+                        }
+                    }
+                } catch (e) {
+                    logger.log("shouldUpgradeDeviceVerifications threw an error: not upgrading", e);
+                }
+            }
+
+            logger.info("Finished device verification upgrade");
+        }
+
+        logger.info("Finished cross-signing key change post-processing");
+    }
+
+    /**
+     * Check if a user's cross-signing key is a candidate for upgrading from device
+     * verification.
+     *
+     * @param userId - the user whose cross-signing information is to be checked
+     * @param crossSigningInfo - the cross-signing information to check
+     */
+    private async checkForDeviceVerificationUpgrade(
+        userId: string,
+        crossSigningInfo: CrossSigningInfo,
+    ): Promise<IDeviceVerificationUpgrade | undefined> {
+        // only upgrade if this is the first cross-signing key that we've seen for
+        // them, and if their cross-signing key isn't already verified
+        const trustLevel = this.crossSigningInfo.checkUserTrust(crossSigningInfo);
+        if (crossSigningInfo.firstUse && !trustLevel.isVerified()) {
+            const devices = this.deviceList.getRawStoredDevicesForUser(userId);
+            const deviceIds = await this.checkForValidDeviceSignature(userId, crossSigningInfo.keys.master, devices);
+            if (deviceIds.length) {
+                return {
+                    devices: deviceIds.map((deviceId) => DeviceInfo.fromStorage(devices[deviceId], deviceId)),
+                    crossSigningInfo,
+                };
+            }
+        }
+    }
+
+    /**
+     * Check if the cross-signing key is signed by a verified device.
+     *
+     * @param userId - the user ID whose key is being checked
+     * @param key - the key that is being checked
+     * @param devices - the user's devices.  Should be a map from device ID
+     *     to device info
+     */
+    private async checkForValidDeviceSignature(
+        userId: string,
+        key: CrossSigningKeyInfo,
+        devices: Record<string, IDevice>,
+    ): Promise<string[]> {
+        const deviceIds: string[] = [];
+        if (devices && key.signatures && key.signatures[userId]) {
+            for (const signame of Object.keys(key.signatures[userId])) {
+                const [, deviceId] = signame.split(":", 2);
+                if (deviceId in devices && devices[deviceId].verified === DeviceVerification.VERIFIED) {
+                    try {
+                        await olmlib.verifySignature(
+                            this.olmDevice,
+                            key,
+                            userId,
+                            deviceId,
+                            devices[deviceId].keys[signame],
+                        );
+                        deviceIds.push(deviceId);
+                    } catch {}
+                }
+            }
+        }
+        return deviceIds;
+    }
+
+    /**
+     * Get the user's cross-signing key ID.
+     *
+     * @param type - The type of key to get the ID of.  One of
+     *     "master", "self_signing", or "user_signing".  Defaults to "master".
+     *
+     * @returns the key ID
+     */
+    public getCrossSigningKeyId(type: CrossSigningKey = CrossSigningKey.Master): Promise<string | null> {
+        return Promise.resolve(this.getCrossSigningId(type));
+    }
+
+    // old name, for backwards compatibility
+    public getCrossSigningId(type: string): string | null {
+        return this.crossSigningInfo.getId(type);
+    }
+
+    /**
+     * Get the cross signing information for a given user.
+     *
+     * @param userId - the user ID to get the cross-signing info for.
+     *
+     * @returns the cross signing information for the user.
+     */
+    public getStoredCrossSigningForUser(userId: string): CrossSigningInfo | null {
+        return this.deviceList.getStoredCrossSigningForUser(userId);
+    }
+
+    /**
+     * Check whether a given user is trusted.
+     *
+     * @param userId - The ID of the user to check.
+     *
+     * @returns
+     */
+    public checkUserTrust(userId: string): UserTrustLevel {
+        const userCrossSigning = this.deviceList.getStoredCrossSigningForUser(userId);
+        if (!userCrossSigning) {
+            return new UserTrustLevel(false, false, false);
+        }
+        return this.crossSigningInfo.checkUserTrust(userCrossSigning);
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi.getUserVerificationStatus}.
+     */
+    public async getUserVerificationStatus(userId: string): Promise<UserTrustLevel> {
+        return this.checkUserTrust(userId);
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi.pinCurrentUserIdentity}.
+     */
+    public async pinCurrentUserIdentity(userId: string): Promise<void> {
+        throw new Error("not implemented");
+    }
+
+    /**
+     * Check whether a given device is trusted.
+     *
+     * @param userId - The ID of the user whose device is to be checked.
+     * @param deviceId - The ID of the device to check
+     */
+    public async getDeviceVerificationStatus(
+        userId: string,
+        deviceId: string,
+    ): Promise<DeviceVerificationStatus | null> {
+        const device = this.deviceList.getStoredDevice(userId, deviceId);
+        if (!device) {
+            return null;
+        }
+        return this.checkDeviceInfoTrust(userId, device);
+    }
+
+    /**
+     * @deprecated Use {@link Crypto.CryptoApi.getDeviceVerificationStatus}.
+     */
+    public checkDeviceTrust(userId: string, deviceId: string): DeviceTrustLevel {
+        const device = this.deviceList.getStoredDevice(userId, deviceId);
+        return this.checkDeviceInfoTrust(userId, device);
+    }
+
+    /**
+     * Check whether a given deviceinfo is trusted.
+     *
+     * @param userId - The ID of the user whose devices is to be checked.
+     * @param device - The device info object to check
+     *
+     * @deprecated Use {@link Crypto.CryptoApi.getDeviceVerificationStatus}.
+     */
+    public checkDeviceInfoTrust(userId: string, device?: DeviceInfo): DeviceTrustLevel {
+        const trustedLocally = !!device?.isVerified();
+
+        const userCrossSigning = this.deviceList.getStoredCrossSigningForUser(userId);
+        if (device && userCrossSigning) {
+            // The trustCrossSignedDevices only affects trust of other people's cross-signing
+            // signatures
+            const trustCrossSig = this.trustCrossSignedDevices || userId === this.userId;
+            return this.crossSigningInfo.checkDeviceTrust(userCrossSigning, device, trustedLocally, trustCrossSig);
+        } else {
+            return new DeviceTrustLevel(false, false, trustedLocally, false);
+        }
+    }
+
+    /**
+     * Check whether one of our own devices is cross-signed by our
+     * user's stored keys, regardless of whether we trust those keys yet.
+     *
+     * @param deviceId - The ID of the device to check
+     *
+     * @returns true if the device is cross-signed
+     */
+    public checkIfOwnDeviceCrossSigned(deviceId: string): boolean {
+        const device = this.deviceList.getStoredDevice(this.userId, deviceId);
+        if (!device) return false;
+        const userCrossSigning = this.deviceList.getStoredCrossSigningForUser(this.userId);
+        return (
+            userCrossSigning?.checkDeviceTrust(userCrossSigning, device, false, true).isCrossSigningVerified() ?? false
+        );
+    }
+
+    /*
+     * Event handler for DeviceList's userNewDevices event
+     */
+    private onDeviceListUserCrossSigningUpdated = async (userId: string): Promise<void> => {
+        if (userId === this.userId) {
+            // An update to our own cross-signing key.
+            // Get the new key first:
+            const newCrossSigning = this.deviceList.getStoredCrossSigningForUser(userId);
+            const seenPubkey = newCrossSigning ? newCrossSigning.getId() : null;
+            const currentPubkey = this.crossSigningInfo.getId();
+            const changed = currentPubkey !== seenPubkey;
+
+            if (currentPubkey && seenPubkey && !changed) {
+                // If it's not changed, just make sure everything is up to date
+                await this.checkOwnCrossSigningTrust();
+            } else {
+                // We'll now be in a state where cross-signing on the account is not trusted
+                // because our locally stored cross-signing keys will not match the ones
+                // on the server for our account. So we clear our own stored cross-signing keys,
+                // effectively disabling cross-signing until the user gets verified by the device
+                // that reset the keys
+                this.storeTrustedSelfKeys(null);
+                // emit cross-signing has been disabled
+                this.emit(CryptoEvent.KeysChanged, {});
+                // as the trust for our own user has changed,
+                // also emit an event for this
+                this.emit(CryptoEvent.UserTrustStatusChanged, this.userId, this.checkUserTrust(userId));
+            }
+        } else {
+            await this.checkDeviceVerifications(userId);
+
+            // Update verified before latch using the current state and save the new
+            // latch value in the device list store.
+            const crossSigning = this.deviceList.getStoredCrossSigningForUser(userId);
+            if (crossSigning) {
+                crossSigning.updateCrossSigningVerifiedBefore(this.checkUserTrust(userId).isCrossSigningVerified());
+                this.deviceList.setRawStoredCrossSigningForUser(userId, crossSigning.toStorage());
+            }
+
+            this.emit(CryptoEvent.UserTrustStatusChanged, userId, this.checkUserTrust(userId));
+        }
+    };
+
+    /**
+     * Check the copy of our cross-signing key that we have in the device list and
+     * see if we can get the private key. If so, mark it as trusted.
+     */
+    public async checkOwnCrossSigningTrust({
+        allowPrivateKeyRequests = false,
+    }: ICheckOwnCrossSigningTrustOpts = {}): Promise<void> {
+        const userId = this.userId;
+
+        // Before proceeding, ensure our cross-signing public keys have been
+        // downloaded via the device list.
+        await this.downloadKeys([this.userId]);
+
+        // Also check which private keys are locally cached.
+        const crossSigningPrivateKeys = await this.crossSigningInfo.getCrossSigningKeysFromCache();
+
+        // If we see an update to our own master key, check it against the master
+        // key we have and, if it matches, mark it as verified
+
+        // First, get the new cross-signing info
+        const newCrossSigning = this.deviceList.getStoredCrossSigningForUser(userId);
+        if (!newCrossSigning) {
+            logger.error(
+                "Got cross-signing update event for user " + userId + " but no new cross-signing information found!",
+            );
+            return;
+        }
+
+        const seenPubkey = newCrossSigning.getId()!;
+        const masterChanged = this.crossSigningInfo.getId() !== seenPubkey;
+        const masterExistsNotLocallyCached = newCrossSigning.getId() && !crossSigningPrivateKeys.has("master");
+        if (masterChanged) {
+            logger.info("Got new master public key", seenPubkey);
+        }
+        if (allowPrivateKeyRequests && (masterChanged || masterExistsNotLocallyCached)) {
+            logger.info("Attempting to retrieve cross-signing master private key");
+            let signing: PkSigning | null = null;
+            // It's important for control flow that we leave any errors alone for
+            // higher levels to handle so that e.g. cancelling access properly
+            // aborts any larger operation as well.
+            try {
+                const ret = await this.crossSigningInfo.getCrossSigningKey("master", seenPubkey);
+                signing = ret[1];
+                logger.info("Got cross-signing master private key");
+            } finally {
+                signing?.free();
+            }
+        }
+
+        const oldSelfSigningId = this.crossSigningInfo.getId("self_signing");
+        const oldUserSigningId = this.crossSigningInfo.getId("user_signing");
+
+        // Update the version of our keys in our cross-signing object and the local store
+        this.storeTrustedSelfKeys(newCrossSigning.keys);
+
+        const selfSigningChanged = oldSelfSigningId !== newCrossSigning.getId("self_signing");
+        const userSigningChanged = oldUserSigningId !== newCrossSigning.getId("user_signing");
+
+        const selfSigningExistsNotLocallyCached =
+            newCrossSigning.getId("self_signing") && !crossSigningPrivateKeys.has("self_signing");
+        const userSigningExistsNotLocallyCached =
+            newCrossSigning.getId("user_signing") && !crossSigningPrivateKeys.has("user_signing");
+
+        const keySignatures: Record<string, ISignedKey> = {};
+
+        if (selfSigningChanged) {
+            logger.info("Got new self-signing key", newCrossSigning.getId("self_signing"));
+        }
+        if (allowPrivateKeyRequests && (selfSigningChanged || selfSigningExistsNotLocallyCached)) {
+            logger.info("Attempting to retrieve cross-signing self-signing private key");
+            let signing: PkSigning | null = null;
+            try {
+                const ret = await this.crossSigningInfo.getCrossSigningKey(
+                    "self_signing",
+                    newCrossSigning.getId("self_signing")!,
+                );
+                signing = ret[1];
+                logger.info("Got cross-signing self-signing private key");
+            } finally {
+                signing?.free();
+            }
+
+            const device = this.deviceList.getStoredDevice(this.userId, this.deviceId)!;
+            const signedDevice = await this.crossSigningInfo.signDevice(this.userId, device);
+            keySignatures[this.deviceId] = signedDevice!;
+        }
+        if (userSigningChanged) {
+            logger.info("Got new user-signing key", newCrossSigning.getId("user_signing"));
+        }
+        if (allowPrivateKeyRequests && (userSigningChanged || userSigningExistsNotLocallyCached)) {
+            logger.info("Attempting to retrieve cross-signing user-signing private key");
+            let signing: PkSigning | null = null;
+            try {
+                const ret = await this.crossSigningInfo.getCrossSigningKey(
+                    "user_signing",
+                    newCrossSigning.getId("user_signing")!,
+                );
+                signing = ret[1];
+                logger.info("Got cross-signing user-signing private key");
+            } finally {
+                signing?.free();
+            }
+        }
+
+        if (masterChanged) {
+            const masterKey = this.crossSigningInfo.keys.master;
+            await this.signObject(masterKey);
+            const deviceSig = masterKey.signatures![this.userId]["ed25519:" + this.deviceId];
+            // Include only the _new_ device signature in the upload.
+            // We may have existing signatures from deleted devices, which will cause
+            // the entire upload to fail.
+            keySignatures[this.crossSigningInfo.getId()!] = Object.assign({} as ISignedKey, masterKey, {
+                signatures: {
+                    [this.userId]: {
+                        ["ed25519:" + this.deviceId]: deviceSig,
+                    },
+                },
+            });
+        }
+
+        const keysToUpload = Object.keys(keySignatures);
+        if (keysToUpload.length) {
+            const upload = ({ shouldEmit = false }): Promise<void> => {
+                logger.info(`Starting background key sig upload for ${keysToUpload}`);
+                return this.baseApis
+                    .uploadKeySignatures({ [this.userId]: keySignatures })
+                    .then((response) => {
+                        const { failures } = response || {};
+                        logger.info(`Finished background key sig upload for ${keysToUpload}`);
+                        if (Object.keys(failures || []).length > 0) {
+                            if (shouldEmit) {
+                                this.baseApis.emit(
+                                    CryptoEvent.KeySignatureUploadFailure,
+                                    failures,
+                                    "checkOwnCrossSigningTrust",
+                                    upload,
+                                );
+                            }
+                            throw new KeySignatureUploadError("Key upload failed", { failures });
+                        }
+                    })
+                    .catch((e) => {
+                        logger.error(`Error during background key sig upload for ${keysToUpload}`, e);
+                    });
+            };
+            upload({ shouldEmit: true });
+        }
+
+        this.emit(CryptoEvent.UserTrustStatusChanged, userId, this.checkUserTrust(userId));
+
+        if (masterChanged) {
+            this.emit(CryptoEvent.KeysChanged, {});
+            await this.afterCrossSigningLocalKeyChange();
+        }
+
+        // Now we may be able to trust our key backup
+        await this.backupManager.checkKeyBackup();
+        // FIXME: if we previously trusted the backup, should we automatically sign
+        // the backup with the new key (if not already signed)?
+    }
+
+    /**
+     * Implementation of {@link CryptoBackend#getBackupDecryptor}.
+     */
+    public async getBackupDecryptor(backupInfo: KeyBackupInfo, privKey: ArrayLike<number>): Promise<BackupDecryptor> {
+        if (!(privKey instanceof Uint8Array)) {
+            throw new Error(`getBackupDecryptor expects Uint8Array`);
+        }
+
+        const algorithm = await BackupManager.makeAlgorithm(backupInfo, async () => {
+            return privKey;
+        });
+
+        // If the pubkey computed from the private data we've been given
+        // doesn't match the one in the auth_data, the user has entered
+        // a different recovery key / the wrong passphrase.
+        if (!(await algorithm.keyMatches(privKey))) {
+            return Promise.reject(new MatrixError({ errcode: MatrixClient.RESTORE_BACKUP_ERROR_BAD_KEY }));
+        }
+
+        return new LibOlmBackupDecryptor(algorithm);
+    }
+
+    /**
+     * Implementation of {@link CryptoBackend#importBackedUpRoomKeys}.
+     */
+    public importBackedUpRoomKeys(
+        keys: IMegolmSessionData[],
+        backupVersion: string,
+        opts: ImportRoomKeysOpts = {},
+    ): Promise<void> {
+        opts.source = "backup";
+        return this.importRoomKeys(keys, opts);
+    }
+
+    /**
+     * Store a set of keys as our own, trusted, cross-signing keys.
+     *
+     * @param keys - The new trusted set of keys
+     */
+    private async storeTrustedSelfKeys(keys: Record<string, CrossSigningKeyInfo> | null): Promise<void> {
+        if (keys) {
+            this.crossSigningInfo.setKeys(keys);
+        } else {
+            this.crossSigningInfo.clearKeys();
+        }
+        await this.cryptoStore.doTxn("readwrite", [IndexedDBCryptoStore.STORE_ACCOUNT], (txn) => {
+            this.cryptoStore.storeCrossSigningKeys(txn, this.crossSigningInfo.keys);
+        });
+    }
+
+    /**
+     * Check if the master key is signed by a verified device, and if so, prompt
+     * the application to mark it as verified.
+     *
+     * @param userId - the user ID whose key should be checked
+     */
+    private async checkDeviceVerifications(userId: string): Promise<void> {
+        const shouldUpgradeCb = this.baseApis.cryptoCallbacks.shouldUpgradeDeviceVerifications;
+        if (!shouldUpgradeCb) {
+            // Upgrading skipped when callback is not present.
+            return;
+        }
+        logger.info(`Starting device verification upgrade for ${userId}`);
+        if (this.crossSigningInfo.keys.user_signing) {
+            const crossSigningInfo = this.deviceList.getStoredCrossSigningForUser(userId);
+            if (crossSigningInfo) {
+                const upgradeInfo = await this.checkForDeviceVerificationUpgrade(userId, crossSigningInfo);
+                if (upgradeInfo) {
+                    const usersToUpgrade = await shouldUpgradeCb({
+                        users: {
+                            [userId]: upgradeInfo,
+                        },
+                    });
+                    if (usersToUpgrade.includes(userId)) {
+                        await this.baseApis.setDeviceVerified(userId, crossSigningInfo.getId()!);
+                    }
+                }
+            }
+        }
+        logger.info(`Finished device verification upgrade for ${userId}`);
+    }
+
+    /**
+     */
+    public enableLazyLoading(): void {
+        this.lazyLoadMembers = true;
+    }
+
+    /**
+     * Tell the crypto module to register for MatrixClient events which it needs to
+     * listen for
+     *
+     * @param eventEmitter - event source where we can register
+     *    for event notifications
+     */
+    public registerEventHandlers(
+        eventEmitter: TypedEventEmitter<
+            RoomMemberEvent.Membership | ClientEvent.ToDeviceEvent | RoomEvent.Timeline | MatrixEventEvent.Decrypted,
+            any
+        >,
+    ): void {
+        eventEmitter.on(RoomMemberEvent.Membership, this.onMembership);
+        eventEmitter.on(ClientEvent.ToDeviceEvent, this.onToDeviceEvent);
+        eventEmitter.on(RoomEvent.Timeline, this.onTimelineEvent);
+        eventEmitter.on(MatrixEventEvent.Decrypted, this.onTimelineEvent);
+    }
+
+    /**
+     * @deprecated this does nothing and will be removed in a future version
+     */
+    public start(): void {
+        logger.warn("MatrixClient.crypto.start() is deprecated");
+    }
+
+    /** Stop background processes related to crypto */
+    public stop(): void {
+        this.outgoingRoomKeyRequestManager.stop();
+        this.deviceList.stop();
+        this.dehydrationManager.stop();
+        this.backupManager.stop();
+    }
+
+    /**
+     * Get the Ed25519 key for this device
+     *
+     * @returns base64-encoded ed25519 key.
+     *
+     * @deprecated Use {@link Crypto.CryptoApi#getOwnDeviceKeys}.
+     */
+    public getDeviceEd25519Key(): string | null {
+        return this.olmDevice.deviceEd25519Key;
+    }
+
+    /**
+     * Get the Curve25519 key for this device
+     *
+     * @returns base64-encoded curve25519 key.
+     *
+     * @deprecated Use {@link Crypto.CryptoApi#getOwnDeviceKeys}
+     */
+    public getDeviceCurve25519Key(): string | null {
+        return this.olmDevice.deviceCurve25519Key;
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi#getOwnDeviceKeys}.
+     */
+    public async getOwnDeviceKeys(): Promise<OwnDeviceKeys> {
+        if (!this.olmDevice.deviceCurve25519Key) {
+            throw new Error("Curve25519 key not yet created");
+        }
+        if (!this.olmDevice.deviceEd25519Key) {
+            throw new Error("Ed25519 key not yet created");
+        }
+        return {
+            ed25519: this.olmDevice.deviceEd25519Key,
+            curve25519: this.olmDevice.deviceCurve25519Key,
+        };
+    }
+
+    /**
+     * Set the global override for whether the client should ever send encrypted
+     * messages to unverified devices.  This provides the default for rooms which
+     * do not specify a value.
+     *
+     * @param value - whether to blacklist all unverified devices by default
+     *
+     * @deprecated Set {@link Crypto.CryptoApi#globalBlacklistUnverifiedDevices | CryptoApi.globalBlacklistUnverifiedDevices} directly.
+     */
+    public setGlobalBlacklistUnverifiedDevices(value: boolean): void {
+        this.globalBlacklistUnverifiedDevices = value;
+    }
+
+    /**
+     * @returns whether to blacklist all unverified devices by default
+     *
+     * @deprecated Reference {@link Crypto.CryptoApi#globalBlacklistUnverifiedDevices | CryptoApi.globalBlacklistUnverifiedDevices} directly.
+     */
+    public getGlobalBlacklistUnverifiedDevices(): boolean {
+        return this.globalBlacklistUnverifiedDevices;
+    }
+
+    /**
+     * Upload the device keys to the homeserver.
+     * @returns A promise that will resolve when the keys are uploaded.
+     */
+    public uploadDeviceKeys(): Promise<IKeysUploadResponse> {
+        const deviceKeys = {
+            algorithms: this.supportedAlgorithms,
+            device_id: this.deviceId,
+            keys: this.deviceKeys,
+            user_id: this.userId,
+        };
+
+        return this.signObject(deviceKeys).then(() => {
+            return this.baseApis.uploadKeysRequest({
+                device_keys: deviceKeys as Required<IDeviceKeys>,
+            });
+        });
+    }
+
+    public getNeedsNewFallback(): boolean {
+        return !!this.needsNewFallback;
+    }
+
+    // check if it's time to upload one-time keys, and do so if so.
+    private maybeUploadOneTimeKeys(): void {
+        // frequency with which to check & upload one-time keys
+        const uploadPeriod = 1000 * 60; // one minute
+
+        // max number of keys to upload at once
+        // Creating keys can be an expensive operation so we limit the
+        // number we generate in one go to avoid blocking the application
+        // for too long.
+        const maxKeysPerCycle = 5;
+
+        if (this.oneTimeKeyCheckInProgress) {
+            return;
+        }
+
+        const now = Date.now();
+        if (this.lastOneTimeKeyCheck !== null && now - this.lastOneTimeKeyCheck < uploadPeriod) {
+            // we've done a key upload recently.
+            return;
+        }
+
+        this.lastOneTimeKeyCheck = now;
+
+        // We need to keep a pool of one time public keys on the server so that
+        // other devices can start conversations with us. But we can only store
+        // a finite number of private keys in the olm Account object.
+        // To complicate things further then can be a delay between a device
+        // claiming a public one time key from the server and it sending us a
+        // message. We need to keep the corresponding private key locally until
+        // we receive the message.
+        // But that message might never arrive leaving us stuck with duff
+        // private keys clogging up our local storage.
+        // So we need some kind of engineering compromise to balance all of
+        // these factors.
+
+        // Check how many keys we can store in the Account object.
+        const maxOneTimeKeys = this.olmDevice.maxNumberOfOneTimeKeys();
+        // Try to keep at most half that number on the server. This leaves the
+        // rest of the slots free to hold keys that have been claimed from the
+        // server but we haven't received a message for.
+        // If we run out of slots when generating new keys then olm will
+        // discard the oldest private keys first. This will eventually clean
+        // out stale private keys that won't receive a message.
+        const keyLimit = Math.floor(maxOneTimeKeys / 2);
+
+        const uploadLoop = async (keyCount: number): Promise<void> => {
+            while (keyLimit > keyCount || this.getNeedsNewFallback()) {
+                // Ask olm to generate new one time keys, then upload them to synapse.
+                if (keyLimit > keyCount) {
+                    logger.info("generating oneTimeKeys");
+                    const keysThisLoop = Math.min(keyLimit - keyCount, maxKeysPerCycle);
+                    await this.olmDevice.generateOneTimeKeys(keysThisLoop);
+                }
+
+                if (this.getNeedsNewFallback()) {
+                    const fallbackKeys = await this.olmDevice.getFallbackKey();
+                    // if fallbackKeys is non-empty, we've already generated a
+                    // fallback key, but it hasn't been published yet, so we
+                    // can use that instead of generating a new one
+                    if (!fallbackKeys.curve25519 || Object.keys(fallbackKeys.curve25519).length == 0) {
+                        logger.info("generating fallback key");
+                        if (this.fallbackCleanup) {
+                            // cancel any pending fallback cleanup because generating
+                            // a new fallback key will already drop the old fallback
+                            // that would have been dropped, and we don't want to kill
+                            // the current key
+                            clearTimeout(this.fallbackCleanup);
+                            delete this.fallbackCleanup;
+                        }
+                        await this.olmDevice.generateFallbackKey();
+                    }
+                }
+
+                logger.info("calling uploadOneTimeKeys");
+                const res = await this.uploadOneTimeKeys();
+                if (res.one_time_key_counts && res.one_time_key_counts.signed_curve25519) {
+                    // if the response contains a more up to date value use this
+                    // for the next loop
+                    keyCount = res.one_time_key_counts.signed_curve25519;
+                } else {
+                    throw new Error(
+                        "response for uploading keys does not contain " + "one_time_key_counts.signed_curve25519",
+                    );
+                }
+            }
+        };
+
+        this.oneTimeKeyCheckInProgress = true;
+        Promise.resolve()
+            .then(() => {
+                if (this.oneTimeKeyCount !== undefined) {
+                    // We already have the current one_time_key count from a /sync response.
+                    // Use this value instead of asking the server for the current key count.
+                    return Promise.resolve(this.oneTimeKeyCount);
+                }
+                // ask the server how many keys we have
+                return this.baseApis.uploadKeysRequest({}).then((res) => {
+                    return res.one_time_key_counts.signed_curve25519 || 0;
+                });
+            })
+            .then((keyCount) => {
+                // Start the uploadLoop with the current keyCount. The function checks if
+                // we need to upload new keys or not.
+                // If there are too many keys on the server then we don't need to
+                // create any more keys.
+                return uploadLoop(keyCount);
+            })
+            .catch((e) => {
+                logger.error("Error uploading one-time keys", e.stack || e);
+            })
+            .finally(() => {
+                // reset oneTimeKeyCount to prevent start uploading based on old data.
+                // it will be set again on the next /sync-response
+                this.oneTimeKeyCount = undefined;
+                this.oneTimeKeyCheckInProgress = false;
+            });
+    }
+
+    // returns a promise which resolves to the response
+    private async uploadOneTimeKeys(): Promise<IKeysUploadResponse> {
+        const promises: Promise<unknown>[] = [];
+
+        let fallbackJson: Record<string, IOneTimeKey> | undefined;
+        if (this.getNeedsNewFallback()) {
+            fallbackJson = {};
+            const fallbackKeys = await this.olmDevice.getFallbackKey();
+            for (const [keyId, key] of Object.entries(fallbackKeys.curve25519)) {
+                const k = { key, fallback: true };
+                fallbackJson["signed_curve25519:" + keyId] = k;
+                promises.push(this.signObject(k));
+            }
+            this.needsNewFallback = false;
+        }
+
+        const oneTimeKeys = await this.olmDevice.getOneTimeKeys();
+        const oneTimeJson: Record<string, { key: string }> = {};
+
+        for (const keyId in oneTimeKeys.curve25519) {
+            if (oneTimeKeys.curve25519.hasOwnProperty(keyId)) {
+                const k = {
+                    key: oneTimeKeys.curve25519[keyId],
+                };
+                oneTimeJson["signed_curve25519:" + keyId] = k;
+                promises.push(this.signObject(k));
+            }
+        }
+
+        await Promise.all(promises);
+
+        const requestBody: Record<string, any> = {
+            one_time_keys: oneTimeJson,
+        };
+
+        if (fallbackJson) {
+            requestBody["org.matrix.msc2732.fallback_keys"] = fallbackJson;
+            requestBody["fallback_keys"] = fallbackJson;
+        }
+
+        const res = await this.baseApis.uploadKeysRequest(requestBody);
+
+        if (fallbackJson) {
+            this.fallbackCleanup = setTimeout(
+                () => {
+                    delete this.fallbackCleanup;
+                    this.olmDevice.forgetOldFallbackKey();
+                },
+                60 * 60 * 1000,
+            );
+        }
+
+        await this.olmDevice.markKeysAsPublished();
+        return res;
+    }
+
+    /**
+     * Download the keys for a list of users and stores the keys in the session
+     * store.
+     * @param userIds - The users to fetch.
+     * @param forceDownload - Always download the keys even if cached.
+     *
+     * @returns A promise which resolves to a map `userId->deviceId->{@link DeviceInfo}`.
+     */
+    public downloadKeys(userIds: string[], forceDownload?: boolean): Promise<DeviceInfoMap> {
+        return this.deviceList.downloadKeys(userIds, !!forceDownload);
+    }
+
+    /**
+     * Get the stored device keys for a user id
+     *
+     * @param userId - the user to list keys for.
+     *
+     * @returns list of devices, or null if we haven't
+     * managed to get a list of devices for this user yet.
+     */
+    public getStoredDevicesForUser(userId: string): Array<DeviceInfo> | null {
+        return this.deviceList.getStoredDevicesForUser(userId);
+    }
+
+    /**
+     * Get the device information for the given list of users.
+     *
+     * @param userIds - The users to fetch.
+     * @param downloadUncached - If true, download the device list for users whose device list we are not
+     *    currently tracking. Defaults to false, in which case such users will not appear at all in the result map.
+     *
+     * @returns A map `{@link DeviceMap}`.
+     */
+    public async getUserDeviceInfo(userIds: string[], downloadUncached = false): Promise<DeviceMap> {
+        const deviceMapByUserId = new Map<string, Map<string, Device>>();
+        // Keep the users without device to download theirs keys
+        const usersWithoutDeviceInfo: string[] = [];
+
+        for (const userId of userIds) {
+            const deviceInfos = await this.getStoredDevicesForUser(userId);
+            // If there are device infos for a userId, we transform it into a map
+            // Else, the keys will be downloaded after
+            if (deviceInfos) {
+                const deviceMap = new Map(
+                    // Convert DeviceInfo to Device
+                    deviceInfos.map((deviceInfo) => [deviceInfo.deviceId, deviceInfoToDevice(deviceInfo, userId)]),
+                );
+                deviceMapByUserId.set(userId, deviceMap);
+            } else {
+                usersWithoutDeviceInfo.push(userId);
+            }
+        }
+
+        // Download device info for users without device infos
+        if (downloadUncached && usersWithoutDeviceInfo.length > 0) {
+            const newDeviceInfoMap = await this.downloadKeys(usersWithoutDeviceInfo);
+
+            newDeviceInfoMap.forEach((deviceInfoMap, userId) => {
+                const deviceMap = new Map<string, Device>();
+                // Convert DeviceInfo to Device
+                deviceInfoMap.forEach((deviceInfo, deviceId) =>
+                    deviceMap.set(deviceId, deviceInfoToDevice(deviceInfo, userId)),
+                );
+
+                // Put the new device infos into the returned map
+                deviceMapByUserId.set(userId, deviceMap);
+            });
+        }
+
+        return deviceMapByUserId;
+    }
+
+    /**
+     * Get the stored keys for a single device
+     *
+     *
+     * @returns device, or undefined
+     * if we don't know about this device
+     */
+    public getStoredDevice(userId: string, deviceId: string): DeviceInfo | undefined {
+        return this.deviceList.getStoredDevice(userId, deviceId);
+    }
+
+    /**
+     * Save the device list, if necessary
+     *
+     * @param delay - Time in ms before which the save actually happens.
+     *     By default, the save is delayed for a short period in order to batch
+     *     multiple writes, but this behaviour can be disabled by passing 0.
+     *
+     * @returns true if the data was saved, false if
+     *     it was not (eg. because no changes were pending). The promise
+     *     will only resolve once the data is saved, so may take some time
+     *     to resolve.
+     */
+    public saveDeviceList(delay: number): Promise<boolean> {
+        return this.deviceList.saveIfDirty(delay);
+    }
+
+    /**
+     * Mark the given device as locally verified.
+     *
+     * Implementation of {@link Crypto.CryptoApi#setDeviceVerified}.
+     */
+    public async setDeviceVerified(userId: string, deviceId: string, verified = true): Promise<void> {
+        await this.setDeviceVerification(userId, deviceId, verified);
+    }
+
+    /**
+     * Blindly cross-sign one of our other devices.
+     *
+     * Implementation of {@link Crypto.CryptoApi#crossSignDevice}.
+     */
+    public async crossSignDevice(deviceId: string): Promise<void> {
+        await this.setDeviceVerified(this.userId, deviceId, true);
+    }
+
+    /**
+     * Update the blocked/verified state of the given device
+     *
+     * @param userId - owner of the device
+     * @param deviceId - unique identifier for the device or user's
+     * cross-signing public key ID.
+     *
+     * @param verified - whether to mark the device as verified. Null to
+     *     leave unchanged.
+     *
+     * @param blocked - whether to mark the device as blocked. Null to
+     *      leave unchanged.
+     *
+     * @param known - whether to mark that the user has been made aware of
+     *      the existence of this device. Null to leave unchanged
+     *
+     * @param keys - The list of keys that was present
+     * during the device verification. This will be double checked with the list
+     * of keys the given device has currently.
+     *
+     * @returns updated DeviceInfo
+     */
+    public async setDeviceVerification(
+        userId: string,
+        deviceId: string,
+        verified: boolean | null = null,
+        blocked: boolean | null = null,
+        known: boolean | null = null,
+        keys?: Record<string, string>,
+    ): Promise<DeviceInfo | CrossSigningInfo | CrossSigningKeyInfo | undefined> {
+        // Check if the 'device' is actually a cross signing key
+        // The js-sdk's verification treats cross-signing keys as devices
+        // and so uses this method to mark them verified.
+        const xsk = this.deviceList.getStoredCrossSigningForUser(userId);
+        if (xsk?.getId() === deviceId) {
+            if (blocked !== null || known !== null) {
+                throw new Error("Cannot set blocked or known for a cross-signing key");
+            }
+            if (!verified) {
+                throw new Error("Cannot set a cross-signing key as unverified");
+            }
+            const gotKeyId = keys ? Object.values(keys)[0] : null;
+            if (keys && (Object.values(keys).length !== 1 || gotKeyId !== xsk.getId())) {
+                throw new Error(`Key did not match expected value: expected ${xsk.getId()}, got ${gotKeyId}`);
+            }
+
+            if (!this.crossSigningInfo.getId() && userId === this.crossSigningInfo.userId) {
+                this.storeTrustedSelfKeys(xsk.keys);
+                // This will cause our own user trust to change, so emit the event
+                this.emit(CryptoEvent.UserTrustStatusChanged, this.userId, this.checkUserTrust(userId));
+            }
+
+            // Now sign the master key with our user signing key (unless it's ourself)
+            if (userId !== this.userId) {
+                logger.info("Master key " + xsk.getId() + " for " + userId + " marked verified. Signing...");
+                const device = await this.crossSigningInfo.signUser(xsk);
+                if (device) {
+                    const upload = async ({ shouldEmit = false }): Promise<void> => {
+                        logger.info("Uploading signature for " + userId + "...");
+                        const response = await this.baseApis.uploadKeySignatures({
+                            [userId]: {
+                                [deviceId]: device,
+                            },
+                        });
+                        const { failures } = response || {};
+                        if (Object.keys(failures || []).length > 0) {
+                            if (shouldEmit) {
+                                this.baseApis.emit(
+                                    CryptoEvent.KeySignatureUploadFailure,
+                                    failures,
+                                    "setDeviceVerification",
+                                    upload,
+                                );
+                            }
+                            /* Throwing here causes the process to be cancelled and the other
+                             * user to be notified */
+                            throw new KeySignatureUploadError("Key upload failed", { failures });
+                        }
+                    };
+                    await upload({ shouldEmit: true });
+
+                    // This will emit events when it comes back down the sync
+                    // (we could do local echo to speed things up)
+                }
+                return device!;
+            } else {
+                return xsk;
+            }
+        }
+
+        const devices = this.deviceList.getRawStoredDevicesForUser(userId);
+        if (!devices || !devices[deviceId]) {
+            throw new Error("Unknown device " + userId + ":" + deviceId);
+        }
+
+        const dev = devices[deviceId];
+        let verificationStatus = dev.verified;
+
+        if (verified) {
+            if (keys) {
+                for (const [keyId, key] of Object.entries(keys)) {
+                    if (dev.keys[keyId] !== key) {
+                        throw new Error(`Key did not match expected value: expected ${key}, got ${dev.keys[keyId]}`);
+                    }
+                }
+            }
+            verificationStatus = DeviceVerification.VERIFIED;
+        } else if (verified !== null && verificationStatus == DeviceVerification.VERIFIED) {
+            verificationStatus = DeviceVerification.UNVERIFIED;
+        }
+
+        if (blocked) {
+            verificationStatus = DeviceVerification.BLOCKED;
+        } else if (blocked !== null && verificationStatus == DeviceVerification.BLOCKED) {
+            verificationStatus = DeviceVerification.UNVERIFIED;
+        }
+
+        let knownStatus = dev.known;
+        if (known !== null) {
+            knownStatus = known;
+        }
+
+        if (dev.verified !== verificationStatus || dev.known !== knownStatus) {
+            dev.verified = verificationStatus;
+            dev.known = knownStatus;
+            this.deviceList.storeDevicesForUser(userId, devices);
+            this.deviceList.saveIfDirty();
+        }
+
+        // do cross-signing
+        if (verified && userId === this.userId) {
+            logger.info("Own device " + deviceId + " marked verified: signing");
+
+            // Signing only needed if other device not already signed
+            let device: ISignedKey | undefined;
+            const deviceTrust = this.checkDeviceTrust(userId, deviceId);
+            if (deviceTrust.isCrossSigningVerified()) {
+                logger.log(`Own device ${deviceId} already cross-signing verified`);
+            } else {
+                device = (await this.crossSigningInfo.signDevice(userId, DeviceInfo.fromStorage(dev, deviceId)))!;
+            }
+
+            if (device) {
+                const upload = async ({ shouldEmit = false }): Promise<void> => {
+                    logger.info("Uploading signature for " + deviceId);
+                    const response = await this.baseApis.uploadKeySignatures({
+                        [userId]: {
+                            [deviceId]: device!,
+                        },
+                    });
+                    const { failures } = response || {};
+                    if (Object.keys(failures || []).length > 0) {
+                        if (shouldEmit) {
+                            this.baseApis.emit(
+                                CryptoEvent.KeySignatureUploadFailure,
+                                failures,
+                                "setDeviceVerification",
+                                upload, // continuation
+                            );
+                        }
+                        throw new KeySignatureUploadError("Key upload failed", { failures });
+                    }
+                };
+                await upload({ shouldEmit: true });
+                // XXX: we'll need to wait for the device list to be updated
+            }
+        }
+
+        const deviceObj = DeviceInfo.fromStorage(dev, deviceId);
+        this.emit(CryptoEvent.DeviceVerificationChanged, userId, deviceId, deviceObj);
+        return deviceObj;
+    }
+
+    public findVerificationRequestDMInProgress(roomId: string, userId?: string): VerificationRequest | undefined {
+        return this.inRoomVerificationRequests.findRequestInProgress(roomId, userId);
+    }
+
+    public getVerificationRequestsToDeviceInProgress(userId: string): VerificationRequest[] {
+        return this.toDeviceVerificationRequests.getRequestsInProgress(userId);
+    }
+
+    public requestVerificationDM(userId: string, roomId: string): Promise<VerificationRequest> {
+        const existingRequest = this.inRoomVerificationRequests.findRequestInProgress(roomId);
+        if (existingRequest) {
+            return Promise.resolve(existingRequest);
+        }
+        const channel = new InRoomChannel(this.baseApis, roomId, userId);
+        return this.requestVerificationWithChannel(userId, channel, this.inRoomVerificationRequests);
+    }
+
+    /** @deprecated Use `requestOwnUserVerificationToDevice` or `requestDeviceVerification` */
+    public requestVerification(userId: string, devices?: string[]): Promise<VerificationRequest> {
+        if (!devices) {
+            devices = Object.keys(this.deviceList.getRawStoredDevicesForUser(userId));
+        }
+        const existingRequest = this.toDeviceVerificationRequests.findRequestInProgress(userId, devices);
+        if (existingRequest) {
+            return Promise.resolve(existingRequest);
+        }
+        const channel = new ToDeviceChannel(this.baseApis, userId, devices, ToDeviceChannel.makeTransactionId());
+        return this.requestVerificationWithChannel(userId, channel, this.toDeviceVerificationRequests);
+    }
+
+    public requestOwnUserVerification(): Promise<VerificationRequest> {
+        return this.requestVerification(this.userId);
+    }
+
+    public requestDeviceVerification(userId: string, deviceId: string): Promise<VerificationRequest> {
+        return this.requestVerification(userId, [deviceId]);
+    }
+
+    private async requestVerificationWithChannel(
+        userId: string,
+        channel: IVerificationChannel,
+        requestsMap: IRequestsMap,
+    ): Promise<VerificationRequest> {
+        let request = new VerificationRequest(channel, this.verificationMethods, this.baseApis);
+        // if transaction id is already known, add request
+        if (channel.transactionId) {
+            requestsMap.setRequestByChannel(channel, request);
+        }
+        await request.sendRequest();
+        // don't replace the request created by a racing remote echo
+        const racingRequest = requestsMap.getRequestByChannel(channel);
+        if (racingRequest) {
+            request = racingRequest;
+        } else {
+            logger.log(
+                `Crypto: adding new request to ` + `requestsByTxnId with id ${channel.transactionId} ${channel.roomId}`,
+            );
+            requestsMap.setRequestByChannel(channel, request);
+        }
+        return request;
+    }
+
+    public beginKeyVerification(
+        method: string,
+        userId: string,
+        deviceId: string,
+        transactionId: string | null = null,
+    ): VerificationBase<any, any> {
+        let request: Request | undefined;
+        if (transactionId) {
+            request = this.toDeviceVerificationRequests.getRequestBySenderAndTxnId(userId, transactionId);
+            if (!request) {
+                throw new Error(`No request found for user ${userId} with ` + `transactionId ${transactionId}`);
+            }
+        } else {
+            transactionId = ToDeviceChannel.makeTransactionId();
+            const channel = new ToDeviceChannel(this.baseApis, userId, [deviceId], transactionId, deviceId);
+            request = new VerificationRequest(channel, this.verificationMethods, this.baseApis);
+            this.toDeviceVerificationRequests.setRequestBySenderAndTxnId(userId, transactionId, request);
+        }
+        return request.beginKeyVerification(method, { userId, deviceId });
+    }
+
+    public async legacyDeviceVerification(
+        userId: string,
+        deviceId: string,
+        method: VerificationMethod,
+    ): Promise<VerificationRequest> {
+        const transactionId = ToDeviceChannel.makeTransactionId();
+        const channel = new ToDeviceChannel(this.baseApis, userId, [deviceId], transactionId, deviceId);
+        const request = new VerificationRequest(channel, this.verificationMethods, this.baseApis);
+        this.toDeviceVerificationRequests.setRequestBySenderAndTxnId(userId, transactionId, request);
+        const verifier = request.beginKeyVerification(method, { userId, deviceId });
+        // either reject by an error from verify() while sending .start
+        // or resolve when the request receives the
+        // local (fake remote) echo for sending the .start event
+        await Promise.race([verifier.verify(), request.waitFor((r) => r.started)]);
+        return request;
+    }
+
+    /**
+     * Get information on the active olm sessions with a user
+     * <p>
+     * Returns a map from device id to an object with keys 'deviceIdKey' (the
+     * device's curve25519 identity key) and 'sessions' (an array of objects in the
+     * same format as that returned by
+     * {@link OlmDevice#getSessionInfoForDevice}).
+     * <p>
+     * This method is provided for debugging purposes.
+     *
+     * @param userId - id of user to inspect
+     */
+    public async getOlmSessionsForUser(userId: string): Promise<Record<string, IUserOlmSession>> {
+        const devices = this.getStoredDevicesForUser(userId) || [];
+        const result: { [deviceId: string]: IUserOlmSession } = {};
+        for (const device of devices) {
+            const deviceKey = device.getIdentityKey();
+            const sessions = await this.olmDevice.getSessionInfoForDevice(deviceKey);
+
+            result[device.deviceId] = {
+                deviceIdKey: deviceKey,
+                sessions: sessions,
+            };
+        }
+        return result;
+    }
+
+    /**
+     * Get the device which sent an event
+     *
+     * @param event - event to be checked
+     */
+    public getEventSenderDeviceInfo(event: MatrixEvent): DeviceInfo | null {
+        const senderKey = event.getSenderKey();
+        const algorithm = event.getWireContent().algorithm;
+
+        if (!senderKey || !algorithm) {
+            return null;
+        }
+
+        if (event.isKeySourceUntrusted()) {
+            // we got the key for this event from a source that we consider untrusted
+            return null;
+        }
+
+        // senderKey is the Curve25519 identity key of the device which the event
+        // was sent from. In the case of Megolm, it's actually the Curve25519
+        // identity key of the device which set up the Megolm session.
+
+        const device = this.deviceList.getDeviceByIdentityKey(algorithm, senderKey);
+
+        if (device === null) {
+            // we haven't downloaded the details of this device yet.
+            return null;
+        }
+
+        // so far so good, but now we need to check that the sender of this event
+        // hadn't advertised someone else's Curve25519 key as their own. We do that
+        // by checking the Ed25519 claimed by the event (or, in the case of megolm,
+        // the event which set up the megolm session), to check that it matches the
+        // fingerprint of the purported sending device.
+        //
+        // (see https://github.com/vector-im/vector-web/issues/2215)
+
+        const claimedKey = event.getClaimedEd25519Key();
+        if (!claimedKey) {
+            logger.warn("Event " + event.getId() + " claims no ed25519 key: " + "cannot verify sending device");
+            return null;
+        }
+
+        if (claimedKey !== device.getFingerprint()) {
+            logger.warn(
+                "Event " +
+                    event.getId() +
+                    " claims ed25519 key " +
+                    claimedKey +
+                    " but sender device has key " +
+                    device.getFingerprint(),
+            );
+            return null;
+        }
+
+        return device;
+    }
+
+    /**
+     * Get information about the encryption of an event
+     *
+     * @param event - event to be checked
+     *
+     * @returns An object with the fields:
+     *    - encrypted: whether the event is encrypted (if not encrypted, some of the
+     *      other properties may not be set)
+     *    - senderKey: the sender's key
+     *    - algorithm: the algorithm used to encrypt the event
+     *    - authenticated: whether we can be sure that the owner of the senderKey
+     *      sent the event
+     *    - sender: the sender's device information, if available
+     *    - mismatchedSender: if the event's ed25519 and curve25519 keys don't match
+     *      (only meaningful if `sender` is set)
+     */
+    public getEventEncryptionInfo(event: MatrixEvent): IEncryptedEventInfo {
+        const ret: Partial<IEncryptedEventInfo> = {};
+
+        ret.senderKey = event.getSenderKey() ?? undefined;
+        ret.algorithm = event.getWireContent().algorithm;
+
+        if (!ret.senderKey || !ret.algorithm) {
+            ret.encrypted = false;
+            return ret as IEncryptedEventInfo;
+        }
+        ret.encrypted = true;
+
+        if (event.isKeySourceUntrusted()) {
+            // we got the key this event from somewhere else
+            // TODO: check if we can trust the forwarders.
+            ret.authenticated = false;
+        } else {
+            ret.authenticated = true;
+        }
+
+        // senderKey is the Curve25519 identity key of the device which the event
+        // was sent from. In the case of Megolm, it's actually the Curve25519
+        // identity key of the device which set up the Megolm session.
+
+        ret.sender = this.deviceList.getDeviceByIdentityKey(ret.algorithm, ret.senderKey) ?? undefined;
+
+        // so far so good, but now we need to check that the sender of this event
+        // hadn't advertised someone else's Curve25519 key as their own. We do that
+        // by checking the Ed25519 claimed by the event (or, in the case of megolm,
+        // the event which set up the megolm session), to check that it matches the
+        // fingerprint of the purported sending device.
+        //
+        // (see https://github.com/vector-im/vector-web/issues/2215)
+
+        const claimedKey = event.getClaimedEd25519Key();
+        if (!claimedKey) {
+            logger.warn("Event " + event.getId() + " claims no ed25519 key: " + "cannot verify sending device");
+            ret.mismatchedSender = true;
+        }
+
+        if (ret.sender && claimedKey !== ret.sender.getFingerprint()) {
+            logger.warn(
+                "Event " +
+                    event.getId() +
+                    " claims ed25519 key " +
+                    claimedKey +
+                    "but sender device has key " +
+                    ret.sender.getFingerprint(),
+            );
+            ret.mismatchedSender = true;
+        }
+
+        return ret as IEncryptedEventInfo;
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi.getEncryptionInfoForEvent}.
+     */
+    public async getEncryptionInfoForEvent(event: MatrixEvent): Promise<EventEncryptionInfo | null> {
+        const encryptionInfo = this.getEventEncryptionInfo(event);
+        if (!encryptionInfo.encrypted) {
+            return null;
+        }
+
+        const senderId = event.getSender();
+        if (!senderId || encryptionInfo.mismatchedSender) {
+            // something definitely wrong is going on here
+
+            // previously: E2EState.Warning -> E2ePadlockUnverified -> Red/"Encrypted by an unverified session"
+            return {
+                shieldColour: EventShieldColour.RED,
+                shieldReason: EventShieldReason.MISMATCHED_SENDER_KEY,
+            };
+        }
+
+        const userTrust = this.checkUserTrust(senderId);
+        if (!userTrust.isCrossSigningVerified()) {
+            // If the message is unauthenticated, then display a grey
+            // shield, otherwise if the user isn't cross-signed then
+            // nothing's needed
+            if (!encryptionInfo.authenticated) {
+                // previously: E2EState.Unauthenticated -> E2ePadlockUnauthenticated -> Grey/"The authenticity of this encrypted message can't be guaranteed on this device."
+                return {
+                    shieldColour: EventShieldColour.GREY,
+                    shieldReason: EventShieldReason.AUTHENTICITY_NOT_GUARANTEED,
+                };
+            } else {
+                // previously: E2EState.Normal -> no icon
+                return { shieldColour: EventShieldColour.NONE, shieldReason: null };
+            }
+        }
+
+        const eventSenderTrust =
+            senderId &&
+            encryptionInfo.sender &&
+            (await this.getDeviceVerificationStatus(senderId, encryptionInfo.sender.deviceId));
+
+        if (!eventSenderTrust) {
+            // previously: E2EState.Unknown -> E2ePadlockUnknown -> Grey/"Encrypted by a deleted session"
+            return {
+                shieldColour: EventShieldColour.GREY,
+                shieldReason: EventShieldReason.UNKNOWN_DEVICE,
+            };
+        }
+
+        if (!eventSenderTrust.isVerified()) {
+            // previously: E2EState.Warning -> E2ePadlockUnverified -> Red/"Encrypted by an unverified session"
+            return {
+                shieldColour: EventShieldColour.RED,
+                shieldReason: EventShieldReason.UNSIGNED_DEVICE,
+            };
+        }
+
+        if (!encryptionInfo.authenticated) {
+            // previously: E2EState.Unauthenticated -> E2ePadlockUnauthenticated -> Grey/"The authenticity of this encrypted message can't be guaranteed on this device."
+            return {
+                shieldColour: EventShieldColour.GREY,
+                shieldReason: EventShieldReason.AUTHENTICITY_NOT_GUARANTEED,
+            };
+        }
+
+        // previously: E2EState.Verified -> no icon
+        return { shieldColour: EventShieldColour.NONE, shieldReason: null };
+    }
+
+    /**
+     * Forces the current outbound group session to be discarded such
+     * that another one will be created next time an event is sent.
+     *
+     * @param roomId - The ID of the room to discard the session for
+     *
+     * This should not normally be necessary.
+     */
+    public forceDiscardSession(roomId: string): Promise<void> {
+        const alg = this.roomEncryptors.get(roomId);
+        if (alg === undefined) throw new Error("Room not encrypted");
+        if (alg.forceDiscardSession === undefined) {
+            throw new Error("Room encryption algorithm doesn't support session discarding");
+        }
+        alg.forceDiscardSession();
+        return Promise.resolve();
+    }
+
+    /**
+     * Configure a room to use encryption (ie, save a flag in the cryptoStore).
+     *
+     * @param roomId - The room ID to enable encryption in.
+     *
+     * @param config - The encryption config for the room.
+     *
+     * @param inhibitDeviceQuery - true to suppress device list query for
+     *   users in the room (for now). In case lazy loading is enabled,
+     *   the device query is always inhibited as the members are not tracked.
+     *
+     * @deprecated It is normally incorrect to call this method directly. Encryption
+     *   is enabled by receiving an `m.room.encryption` event (which we may have sent
+     *   previously).
+     */
+    public async setRoomEncryption(
+        roomId: string,
+        config: IRoomEncryption,
+        inhibitDeviceQuery?: boolean,
+    ): Promise<void> {
+        const room = this.clientStore.getRoom(roomId);
+        if (!room) {
+            throw new Error(`Unable to enable encryption tracking devices in unknown room ${roomId}`);
+        }
+        await this.setRoomEncryptionImpl(room, config);
+        if (!this.lazyLoadMembers && !inhibitDeviceQuery) {
+            this.deviceList.refreshOutdatedDeviceLists();
+        }
+    }
+
+    /**
+     * Set up encryption for a room.
+     *
+     * This is called when an <tt>m.room.encryption</tt> event is received. It saves a flag
+     * for the room in the cryptoStore (if it wasn't already set), sets up an "encryptor" for
+     * the room, and enables device-list tracking for the room.
+     *
+     * It does <em>not</em> initiate a device list query for the room. That is normally
+     * done once we finish processing the sync, in onSyncCompleted.
+     *
+     * @param room - The room to enable encryption in.
+     * @param config - The encryption config for the room.
+     */
+    private async setRoomEncryptionImpl(room: Room, config: IRoomEncryption): Promise<void> {
+        const roomId = room.roomId;
+
+        // ignore crypto events with no algorithm defined
+        // This will happen if a crypto event is redacted before we fetch the room state
+        // It would otherwise just throw later as an unknown algorithm would, but we may
+        // as well catch this here
+        if (!config.algorithm) {
+            logger.log("Ignoring setRoomEncryption with no algorithm");
+            return;
+        }
+
+        // if state is being replayed from storage, we might already have a configuration
+        // for this room as they are persisted as well.
+        // We just need to make sure the algorithm is initialized in this case.
+        // However, if the new config is different,
+        // we should bail out as room encryption can't be changed once set.
+        const existingConfig = this.roomList.getRoomEncryption(roomId);
+        if (existingConfig) {
+            if (JSON.stringify(existingConfig) != JSON.stringify(config)) {
+                logger.error("Ignoring m.room.encryption event which requests " + "a change of config in " + roomId);
+                return;
+            }
+        }
+        // if we already have encryption in this room, we should ignore this event,
+        // as it would reset the encryption algorithm.
+        // This is at least expected to be called twice, as sync calls onCryptoEvent
+        // for both the timeline and state sections in the /sync response,
+        // the encryption event would appear in both.
+        // If it's called more than twice though,
+        // it signals a bug on client or server.
+        const existingAlg = this.roomEncryptors.get(roomId);
+        if (existingAlg) {
+            return;
+        }
+
+        // _roomList.getRoomEncryption will not race with _roomList.setRoomEncryption
+        // because it first stores in memory. We should await the promise only
+        // after all the in-memory state (roomEncryptors and _roomList) has been updated
+        // to avoid races when calling this method multiple times. Hence keep a hold of the promise.
+        let storeConfigPromise: Promise<void> | null = null;
+        if (!existingConfig) {
+            storeConfigPromise = this.roomList.setRoomEncryption(roomId, config);
+        }
+
+        const AlgClass = algorithms.ENCRYPTION_CLASSES.get(config.algorithm);
+        if (!AlgClass) {
+            throw new Error("Unable to encrypt with " + config.algorithm);
+        }
+
+        const alg = new AlgClass({
+            userId: this.userId,
+            deviceId: this.deviceId,
+            crypto: this,
+            olmDevice: this.olmDevice,
+            baseApis: this.baseApis,
+            roomId,
+            config,
+        });
+        this.roomEncryptors.set(roomId, alg);
+
+        if (storeConfigPromise) {
+            await storeConfigPromise;
+        }
+
+        logger.log(`Enabling encryption in ${roomId}`);
+
+        // we don't want to force a download of the full membership list of this room, but as soon as we have that
+        // list we can start tracking the device list.
+        if (room.membersLoaded()) {
+            await this.trackRoomDevicesImpl(room);
+        } else {
+            // wait for the membership list to be loaded
+            const onState = (_state: RoomState): void => {
+                room.off(RoomStateEvent.Update, onState);
+                if (room.membersLoaded()) {
+                    this.trackRoomDevicesImpl(room).catch((e) => {
+                        logger.error(`Error enabling device tracking in ${roomId}`, e);
+                    });
+                }
+            };
+            room.on(RoomStateEvent.Update, onState);
+        }
+    }
+
+    /**
+     * Make sure we are tracking the device lists for all users in this room.
+     *
+     * @param roomId - The room ID to start tracking devices in.
+     * @returns when all devices for the room have been fetched and marked to track
+     * @deprecated there's normally no need to call this function: device list tracking
+     *    will be enabled as soon as we have the full membership list.
+     */
+    public trackRoomDevices(roomId: string): Promise<void> {
+        const room = this.clientStore.getRoom(roomId);
+        if (!room) {
+            throw new Error(`Unable to start tracking devices in unknown room ${roomId}`);
+        }
+        return this.trackRoomDevicesImpl(room);
+    }
+
+    /**
+     * Make sure we are tracking the device lists for all users in this room.
+     *
+     * This is normally called when we are about to send an encrypted event, to make sure
+     * we have all the devices in the room; but it is also called when processing an
+     * m.room.encryption state event (if lazy-loading is disabled), or when members are
+     * loaded (if lazy-loading is enabled), to prepare the device list.
+     *
+     * @param room - Room to enable device-list tracking in
+     */
+    private trackRoomDevicesImpl(room: Room): Promise<void> {
+        const roomId = room.roomId;
+        const trackMembers = async (): Promise<void> => {
+            // not an encrypted room
+            if (!this.roomEncryptors.has(roomId)) {
+                return;
+            }
+            logger.log(`Starting to track devices for room ${roomId} ...`);
+            const members = await room.getEncryptionTargetMembers();
+            members.forEach((m) => {
+                this.deviceList.startTrackingDeviceList(m.userId);
+            });
+        };
+
+        let promise = this.roomDeviceTrackingState[roomId];
+        if (!promise) {
+            promise = trackMembers();
+            this.roomDeviceTrackingState[roomId] = promise.catch((err) => {
+                delete this.roomDeviceTrackingState[roomId];
+                throw err;
+            });
+        }
+        return promise;
+    }
+
+    /**
+     * Try to make sure we have established olm sessions for all known devices for
+     * the given users.
+     *
+     * @param users - list of user ids
+     * @param force - If true, force a new Olm session to be created. Default false.
+     *
+     * @returns resolves once the sessions are complete, to
+     *    an Object mapping from userId to deviceId to
+     *    `IOlmSessionResult`
+     */
+    public ensureOlmSessionsForUsers(
+        users: string[],
+        force?: boolean,
+    ): Promise<Map<string, Map<string, olmlib.IOlmSessionResult>>> {
+        // map user Id → DeviceInfo[]
+        const devicesByUser: Map<string, DeviceInfo[]> = new Map();
+
+        for (const userId of users) {
+            const userDevices: DeviceInfo[] = [];
+            devicesByUser.set(userId, userDevices);
+
+            const devices = this.getStoredDevicesForUser(userId) || [];
+            for (const deviceInfo of devices) {
+                const key = deviceInfo.getIdentityKey();
+                if (key == this.olmDevice.deviceCurve25519Key) {
+                    // don't bother setting up session to ourself
+                    continue;
+                }
+                if (deviceInfo.verified == DeviceVerification.BLOCKED) {
+                    // don't bother setting up sessions with blocked users
+                    continue;
+                }
+
+                userDevices.push(deviceInfo);
+            }
+        }
+
+        return olmlib.ensureOlmSessionsForDevices(this.olmDevice, this.baseApis, devicesByUser, force);
+    }
+
+    /**
+     * Get a list containing all of the room keys
+     *
+     * @returns a list of session export objects
+     */
+    public async exportRoomKeys(): Promise<IMegolmSessionData[]> {
+        const exportedSessions: IMegolmSessionData[] = [];
+        await this.cryptoStore.doTxn("readonly", [IndexedDBCryptoStore.STORE_INBOUND_GROUP_SESSIONS], (txn) => {
+            this.cryptoStore.getAllEndToEndInboundGroupSessions(txn, (s) => {
+                if (s === null) return;
+
+                const sess = this.olmDevice.exportInboundGroupSession(s.senderKey, s.sessionId, s.sessionData!);
+                delete sess.first_known_index;
+                sess.algorithm = olmlib.MEGOLM_ALGORITHM;
+                exportedSessions.push(sess);
+            });
+        });
+
+        return exportedSessions;
+    }
+
+    /**
+     * Get a JSON list containing all of the room keys
+     *
+     * @returns a JSON string encoding a list of session
+     *    export objects, each of which is an IMegolmSessionData
+     */
+    public async exportRoomKeysAsJson(): Promise<string> {
+        return JSON.stringify(await this.exportRoomKeys());
+    }
+
+    /**
+     * Import a list of room keys previously exported by exportRoomKeys
+     *
+     * @param keys - a list of session export objects
+     * @returns a promise which resolves once the keys have been imported
+     */
+    public importRoomKeys(keys: IMegolmSessionData[], opts: ImportRoomKeysOpts = {}): Promise<void> {
+        let successes = 0;
+        let failures = 0;
+        const total = keys.length;
+
+        function updateProgress(): void {
+            opts.progressCallback?.({
+                stage: "load_keys",
+                successes,
+                failures,
+                total,
+            });
+        }
+
+        return Promise.all(
+            keys.map((key) => {
+                if (!key.room_id || !key.algorithm) {
+                    logger.warn("ignoring room key entry with missing fields", key);
+                    failures++;
+                    if (opts.progressCallback) {
+                        updateProgress();
+                    }
+                    return null;
+                }
+
+                const alg = this.getRoomDecryptor(key.room_id, key.algorithm);
+                return alg.importRoomKey(key, opts).finally(() => {
+                    successes++;
+                    if (opts.progressCallback) {
+                        updateProgress();
+                    }
+                });
+            }),
+        ).then();
+    }
+
+    /**
+     * Import a JSON string encoding a list of room keys previously
+     * exported by exportRoomKeysAsJson
+     *
+     * @param keys - a JSON string encoding a list of session export
+     *    objects, each of which is an IMegolmSessionData
+     * @param opts - options object
+     * @returns a promise which resolves once the keys have been imported
+     */
+    public async importRoomKeysAsJson(keys: string, opts?: ImportRoomKeysOpts): Promise<void> {
+        return await this.importRoomKeys(JSON.parse(keys));
+    }
+
+    /**
+     * Counts the number of end to end session keys that are waiting to be backed up
+     * @returns Promise which resolves to the number of sessions requiring backup
+     */
+    public countSessionsNeedingBackup(): Promise<number> {
+        return this.backupManager.countSessionsNeedingBackup();
+    }
+
+    /**
+     * Perform any background tasks that can be done before a message is ready to
+     * send, in order to speed up sending of the message.
+     *
+     * @param room - the room the event is in
+     */
+    public prepareToEncrypt(room: Room): void {
+        const alg = this.roomEncryptors.get(room.roomId);
+        if (alg) {
+            alg.prepareToEncrypt(room);
+        }
+    }
+
+    /**
+     * Encrypt an event according to the configuration of the room.
+     *
+     * @param event -  event to be sent
+     *
+     * @param room - destination room.
+     *
+     * @returns Promise which resolves when the event has been
+     *     encrypted, or null if nothing was needed
+     */
+    public async encryptEvent(event: MatrixEvent, room: Room): Promise<void> {
+        const roomId = event.getRoomId()!;
+
+        const alg = this.roomEncryptors.get(roomId);
+        if (!alg) {
+            // MatrixClient has already checked that this room should be encrypted,
+            // so this is an unexpected situation.
+            throw new Error(
+                "Room " +
+                    roomId +
+                    " was previously configured to use encryption, but is " +
+                    "no longer. Perhaps the homeserver is hiding the " +
+                    "configuration event.",
+            );
+        }
+
+        // wait for all the room devices to be loaded
+        await this.trackRoomDevicesImpl(room);
+
+        let content = event.getContent();
+        // If event has an m.relates_to then we need
+        // to put this on the wrapping event instead
+        const mRelatesTo = content["m.relates_to"];
+        if (mRelatesTo) {
+            // Clone content here so we don't remove `m.relates_to` from the local-echo
+            content = Object.assign({}, content);
+            delete content["m.relates_to"];
+        }
+
+        // Treat element's performance metrics the same as `m.relates_to` (when present)
+        const elementPerfMetrics = content["io.element.performance_metrics"];
+        if (elementPerfMetrics) {
+            content = Object.assign({}, content);
+            delete content["io.element.performance_metrics"];
+        }
+
+        const encryptedContent = (await alg.encryptMessage(room, event.getType(), content)) as IContent;
+
+        if (mRelatesTo) {
+            encryptedContent["m.relates_to"] = mRelatesTo;
+        }
+        if (elementPerfMetrics) {
+            encryptedContent["io.element.performance_metrics"] = elementPerfMetrics;
+        }
+
+        event.makeEncrypted(
+            "m.room.encrypted",
+            encryptedContent,
+            this.olmDevice.deviceCurve25519Key!,
+            this.olmDevice.deviceEd25519Key!,
+        );
+    }
+
+    /**
+     * Decrypt a received event
+     *
+     *
+     * @returns resolves once we have
+     *  finished decrypting. Rejects with an `algorithms.DecryptionError` if there
+     *  is a problem decrypting the event.
+     */
+    public async decryptEvent(event: MatrixEvent): Promise<IEventDecryptionResult> {
+        if (event.isRedacted()) {
+            // Try to decrypt the redaction event, to support encrypted
+            // redaction reasons.  If we can't decrypt, just fall back to using
+            // the original redacted_because.
+            const redactionEvent = new MatrixEvent({
+                room_id: event.getRoomId(),
+                ...event.getUnsigned().redacted_because,
+            });
+            let redactedBecause: IEvent = event.getUnsigned().redacted_because!;
+            if (redactionEvent.isEncrypted()) {
+                try {
+                    const decryptedEvent = await this.decryptEvent(redactionEvent);
+                    redactedBecause = decryptedEvent.clearEvent as IEvent;
+                } catch (e) {
+                    logger.warn("Decryption of redaction failed. Falling back to unencrypted event.", e);
+                }
+            }
+
+            return {
+                clearEvent: {
+                    room_id: event.getRoomId(),
+                    type: "m.room.message",
+                    content: {},
+                    unsigned: {
+                        redacted_because: redactedBecause,
+                    },
+                },
+            };
+        } else {
+            const content = event.getWireContent();
+            const alg = this.getRoomDecryptor(event.getRoomId()!, content.algorithm);
+            return alg.decryptEvent(event);
+        }
+    }
+
+    /**
+     * Handle the notification from /sync that device lists have
+     * been changed.
+     *
+     * @param deviceLists - device_lists field from /sync
+     */
+    public async processDeviceLists(deviceLists: IDeviceLists): Promise<void> {
+        // Here, we're relying on the fact that we only ever save the sync data after
+        // sucessfully saving the device list data, so we're guaranteed that the device
+        // list store is at least as fresh as the sync token from the sync store, ie.
+        // any device changes received in sync tokens prior to the 'next' token here
+        // have been processed and are reflected in the current device list.
+        // If we didn't make this assumption, we'd have to use the /keys/changes API
+        // to get key changes between the sync token in the device list and the 'old'
+        // sync token used here to make sure we didn't miss any.
+        await this.evalDeviceListChanges(deviceLists);
+    }
+
+    /**
+     * Send a request for some room keys, if we have not already done so
+     *
+     * @param resend - whether to resend the key request if there is
+     *    already one
+     *
+     * @returns a promise that resolves when the key request is queued
+     */
+    public requestRoomKey(
+        requestBody: IRoomKeyRequestBody,
+        recipients: IRoomKeyRequestRecipient[],
+        resend = false,
+    ): Promise<void> {
+        return this.outgoingRoomKeyRequestManager
+            .queueRoomKeyRequest(requestBody, recipients, resend)
+            .then(() => {
+                if (this.sendKeyRequestsImmediately) {
+                    this.outgoingRoomKeyRequestManager.sendQueuedRequests();
+                }
+            })
+            .catch((e) => {
+                // this normally means we couldn't talk to the store
+                logger.error("Error requesting key for event", e);
+            });
+    }
+
+    /**
+     * Cancel any earlier room key request
+     *
+     * @param requestBody - parameters to match for cancellation
+     */
+    public cancelRoomKeyRequest(requestBody: IRoomKeyRequestBody): void {
+        this.outgoingRoomKeyRequestManager.cancelRoomKeyRequest(requestBody).catch((e) => {
+            logger.warn("Error clearing pending room key requests", e);
+        });
+    }
+
+    /**
+     * Re-send any outgoing key requests, eg after verification
+     * @returns
+     */
+    public async cancelAndResendAllOutgoingKeyRequests(): Promise<void> {
+        await this.outgoingRoomKeyRequestManager.cancelAndResendAllOutgoingRequests();
+    }
+
+    /**
+     * handle an m.room.encryption event
+     *
+     * @param room - in which the event was received
+     * @param event - encryption event to be processed
+     */
+    public async onCryptoEvent(room: Room, event: MatrixEvent): Promise<void> {
+        const content = event.getContent<IRoomEncryption>();
+        await this.setRoomEncryptionImpl(room, content);
+    }
+
+    /**
+     * Called before the result of a sync is processed
+     *
+     * @param syncData -  the data from the 'MatrixClient.sync' event
+     */
+    public async onSyncWillProcess(syncData: ISyncStateData): Promise<void> {
+        if (!syncData.oldSyncToken) {
+            // If there is no old sync token, we start all our tracking from
+            // scratch, so mark everything as untracked. onCryptoEvent will
+            // be called for all e2e rooms during the processing of the sync,
+            // at which point we'll start tracking all the users of that room.
+            logger.log("Initial sync performed - resetting device tracking state");
+            this.deviceList.stopTrackingAllDeviceLists();
+            // we always track our own device list (for key backups etc)
+            this.deviceList.startTrackingDeviceList(this.userId);
+            this.roomDeviceTrackingState = {};
+        }
+
+        this.sendKeyRequestsImmediately = false;
+    }
+
+    /**
+     * handle the completion of a /sync
+     *
+     * This is called after the processing of each successful /sync response.
+     * It is an opportunity to do a batch process on the information received.
+     *
+     * @param syncData -  the data from the 'MatrixClient.sync' event
+     */
+    public async onSyncCompleted(syncData: OnSyncCompletedData): Promise<void> {
+        this.deviceList.setSyncToken(syncData.nextSyncToken ?? null);
+        this.deviceList.saveIfDirty();
+
+        // we always track our own device list (for key backups etc)
+        this.deviceList.startTrackingDeviceList(this.userId);
+
+        this.deviceList.refreshOutdatedDeviceLists();
+
+        // we don't start uploading one-time keys until we've caught up with
+        // to-device messages, to help us avoid throwing away one-time-keys that we
+        // are about to receive messages for
+        // (https://github.com/vector-im/element-web/issues/2782).
+        if (!syncData.catchingUp) {
+            this.maybeUploadOneTimeKeys();
+            this.processReceivedRoomKeyRequests();
+
+            // likewise don't start requesting keys until we've caught up
+            // on to_device messages, otherwise we'll request keys that we're
+            // just about to get.
+            this.outgoingRoomKeyRequestManager.sendQueuedRequests();
+
+            // Sync has finished so send key requests straight away.
+            this.sendKeyRequestsImmediately = true;
+        }
+    }
+
+    /**
+     * Trigger the appropriate invalidations and removes for a given
+     * device list
+     *
+     * @param deviceLists - device_lists field from /sync, or response from
+     * /keys/changes
+     */
+    private async evalDeviceListChanges(deviceLists: Required<ISyncResponse>["device_lists"]): Promise<void> {
+        if (Array.isArray(deviceLists?.changed)) {
+            deviceLists.changed.forEach((u) => {
+                this.deviceList.invalidateUserDeviceList(u);
+            });
+        }
+
+        if (Array.isArray(deviceLists?.left) && deviceLists.left.length) {
+            // Check we really don't share any rooms with these users
+            // any more: the server isn't required to give us the
+            // exact correct set.
+            const e2eUserIds = new Set(await this.getTrackedE2eUsers());
+
+            deviceLists.left.forEach((u) => {
+                if (!e2eUserIds.has(u)) {
+                    this.deviceList.stopTrackingDeviceList(u);
+                }
+            });
+        }
+    }
+
+    /**
+     * Get a list of all the IDs of users we share an e2e room with
+     * for which we are tracking devices already
+     *
+     * @returns List of user IDs
+     */
+    private async getTrackedE2eUsers(): Promise<string[]> {
+        const e2eUserIds: string[] = [];
+        for (const room of this.getTrackedE2eRooms()) {
+            const members = await room.getEncryptionTargetMembers();
+            for (const member of members) {
+                e2eUserIds.push(member.userId);
+            }
+        }
+        return e2eUserIds;
+    }
+
+    /**
+     * Get a list of the e2e-enabled rooms we are members of,
+     * and for which we are already tracking the devices
+     *
+     * @returns
+     */
+    private getTrackedE2eRooms(): Room[] {
+        return this.clientStore.getRooms().filter((room) => {
+            // check for rooms with encryption enabled
+            const alg = this.roomEncryptors.get(room.roomId);
+            if (!alg) {
+                return false;
+            }
+            if (!this.roomDeviceTrackingState[room.roomId]) {
+                return false;
+            }
+
+            // ignore any rooms which we have left
+            const myMembership = room.getMyMembership();
+            return myMembership === KnownMembership.Join || myMembership === KnownMembership.Invite;
+        });
+    }
+
+    /**
+     * Encrypts and sends a given object via Olm to-device messages to a given
+     * set of devices.
+     * @param userDeviceInfoArr - the devices to send to
+     * @param payload - fields to include in the encrypted payload
+     * @returns Promise which
+     *     resolves once the message has been encrypted and sent to the given
+     *     userDeviceMap, and returns the `{ contentMap, deviceInfoByDeviceId }`
+     *     of the successfully sent messages.
+     *
+     * @deprecated Instead use {@link encryptToDeviceMessages} followed by {@link MatrixClient.queueToDevice}.
+     */
+    public async encryptAndSendToDevices(userDeviceInfoArr: IOlmDevice<DeviceInfo>[], payload: object): Promise<void> {
+        try {
+            const toDeviceBatch = await this.prepareToDeviceBatch(userDeviceInfoArr, payload);
+
+            try {
+                await this.baseApis.queueToDevice(toDeviceBatch);
+            } catch (e) {
+                logger.error("sendToDevice failed", e);
+                throw e;
+            }
+        } catch (e) {
+            logger.error("encryptAndSendToDevices promises failed", e);
+            throw e;
+        }
+    }
+
+    private async prepareToDeviceBatch(
+        userDeviceInfoArr: IOlmDevice<DeviceInfo>[],
+        payload: object,
+    ): Promise<ToDeviceBatch> {
+        const toDeviceBatch: ToDeviceBatch = {
+            eventType: EventType.RoomMessageEncrypted,
+            batch: [],
+        };
+
+        await Promise.all(
+            userDeviceInfoArr.map(async ({ userId, deviceInfo }) => {
+                const deviceId = deviceInfo.deviceId;
+                const encryptedContent: IEncryptedContent = {
+                    algorithm: olmlib.OLM_ALGORITHM,
+                    sender_key: this.olmDevice.deviceCurve25519Key!,
+                    ciphertext: {},
+                    [ToDeviceMessageId]: uuidv4(),
+                };
+
+                toDeviceBatch.batch.push({
+                    userId,
+                    deviceId,
+                    payload: encryptedContent,
+                });
+
+                await olmlib.ensureOlmSessionsForDevices(
+                    this.olmDevice,
+                    this.baseApis,
+                    new Map([[userId, [deviceInfo]]]),
+                );
+                await olmlib.encryptMessageForDevice(
+                    encryptedContent.ciphertext,
+                    this.userId,
+                    this.deviceId,
+                    this.olmDevice,
+                    userId,
+                    deviceInfo,
+                    payload,
+                );
+            }),
+        );
+
+        // prune out any devices that encryptMessageForDevice could not encrypt for,
+        // in which case it will have just not added anything to the ciphertext object.
+        // There's no point sending messages to devices if we couldn't encrypt to them,
+        // since that's effectively a blank message.
+        toDeviceBatch.batch = toDeviceBatch.batch.filter((msg) => {
+            if (Object.keys(msg.payload.ciphertext).length > 0) {
+                return true;
+            } else {
+                logger.log(`No ciphertext for device ${msg.userId}:${msg.deviceId}: pruning`);
+                return false;
+            }
+        });
+
+        return toDeviceBatch;
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi#encryptToDeviceMessages}.
+     */
+    public async encryptToDeviceMessages(
+        eventType: string,
+        devices: { userId: string; deviceId: string }[],
+        payload: ToDevicePayload,
+    ): Promise<ToDeviceBatch> {
+        const userIds = new Set(devices.map(({ userId }) => userId));
+        const deviceInfoMap = await this.downloadKeys(Array.from(userIds), false);
+
+        const userDeviceInfoArr: IOlmDevice<DeviceInfo>[] = [];
+
+        devices.forEach(({ userId, deviceId }) => {
+            const devices = deviceInfoMap.get(userId);
+            if (!devices) {
+                logger.warn(`No devices found for user ${userId}`);
+                return;
+            }
+
+            if (devices.has(deviceId)) {
+                // Send the message to a specific device
+                userDeviceInfoArr.push({ userId, deviceInfo: devices.get(deviceId)! });
+            } else {
+                logger.warn(`No device found for user ${userId} with id ${deviceId}`);
+            }
+        });
+
+        return this.prepareToDeviceBatch(userDeviceInfoArr, payload);
+    }
+
+    private onMembership = (event: MatrixEvent, member: RoomMember, oldMembership?: string): void => {
+        try {
+            this.onRoomMembership(event, member, oldMembership);
+        } catch (e) {
+            logger.error("Error handling membership change:", e);
+        }
+    };
+
+    public async preprocessToDeviceMessages(events: IToDeviceEvent[]): Promise<IToDeviceEvent[]> {
+        // all we do here is filter out encrypted to-device messages with the wrong algorithm. Decryption
+        // happens later in decryptEvent, via the EventMapper
+        return events.filter((toDevice) => {
+            if (
+                toDevice.type === EventType.RoomMessageEncrypted &&
+                !["m.olm.v1.curve25519-aes-sha2"].includes(toDevice.content?.algorithm)
+            ) {
+                logger.log("Ignoring invalid encrypted to-device event from " + toDevice.sender);
+                return false;
+            }
+            return true;
+        });
+    }
+
+    /**
+     * Stores the current one_time_key count which will be handled later (in a call of
+     * onSyncCompleted).
+     *
+     * @param currentCount - The current count of one_time_keys to be stored
+     */
+    private updateOneTimeKeyCount(currentCount: number): void {
+        if (isFinite(currentCount)) {
+            this.oneTimeKeyCount = currentCount;
+        } else {
+            throw new TypeError("Parameter for updateOneTimeKeyCount has to be a number");
+        }
+    }
+
+    public processKeyCounts(oneTimeKeysCounts?: Record<string, number>, unusedFallbackKeys?: string[]): Promise<void> {
+        if (oneTimeKeysCounts !== undefined) {
+            this.updateOneTimeKeyCount(oneTimeKeysCounts["signed_curve25519"] || 0);
+        }
+
+        if (unusedFallbackKeys !== undefined) {
+            // If `unusedFallbackKeys` is defined, that means `device_unused_fallback_key_types`
+            // is present in the sync response, which indicates that the server supports fallback keys.
+            //
+            // If there's no unused signed_curve25519 fallback key, we need a new one.
+            this.needsNewFallback = !unusedFallbackKeys.includes("signed_curve25519");
+        }
+
+        return Promise.resolve();
+    }
+
+    private onToDeviceEvent = (event: MatrixEvent): void => {
+        try {
+            logger.log(
+                `received to-device ${event.getType()} from: ` +
+                    `${event.getSender()} id: ${event.getContent()[ToDeviceMessageId]}`,
+            );
+
+            if (event.getType() == "m.room_key" || event.getType() == "m.forwarded_room_key") {
+                this.onRoomKeyEvent(event);
+            } else if (event.getType() == "m.room_key_request") {
+                this.onRoomKeyRequestEvent(event);
+            } else if (event.getType() === "m.secret.request") {
+                this.secretStorage.onRequestReceived(event);
+            } else if (event.getType() === "m.secret.send") {
+                this.secretStorage.onSecretReceived(event);
+            } else if (event.getType() === "m.room_key.withheld") {
+                this.onRoomKeyWithheldEvent(event);
+            } else if (event.getContent().transaction_id) {
+                this.onKeyVerificationMessage(event);
+            } else if (event.getContent().msgtype === "m.bad.encrypted") {
+                this.onToDeviceBadEncrypted(event);
+            } else if (event.isBeingDecrypted() || event.shouldAttemptDecryption()) {
+                if (!event.isBeingDecrypted()) {
+                    event.attemptDecryption(this);
+                }
+                // once the event has been decrypted, try again
+                event.once(MatrixEventEvent.Decrypted, (ev) => {
+                    this.onToDeviceEvent(ev);
+                });
+            }
+        } catch (e) {
+            logger.error("Error handling toDeviceEvent:", e);
+        }
+    };
+
+    /**
+     * Handle a key event
+     *
+     * @internal
+     * @param event - key event
+     */
+    private onRoomKeyEvent(event: MatrixEvent): void {
+        const content = event.getContent();
+
+        if (!content.room_id || !content.algorithm) {
+            logger.error("key event is missing fields");
+            return;
+        }
+
+        if (!this.backupManager.checkedForBackup) {
+            // don't bother awaiting on this - the important thing is that we retry if we
+            // haven't managed to check before
+            this.backupManager.checkAndStart();
+        }
+
+        const alg = this.getRoomDecryptor(content.room_id, content.algorithm);
+        alg.onRoomKeyEvent(event);
+    }
+
+    /**
+     * Handle a key withheld event
+     *
+     * @internal
+     * @param event - key withheld event
+     */
+    private onRoomKeyWithheldEvent(event: MatrixEvent): void {
+        const content = event.getContent();
+
+        if (
+            (content.code !== "m.no_olm" && (!content.room_id || !content.session_id)) ||
+            !content.algorithm ||
+            !content.sender_key
+        ) {
+            logger.error("key withheld event is missing fields");
+            return;
+        }
+
+        logger.info(
+            `Got room key withheld event from ${event.getSender()} ` +
+                `for ${content.algorithm} session ${content.sender_key}|${content.session_id} ` +
+                `in room ${content.room_id} with code ${content.code} (${content.reason})`,
+        );
+
+        const alg = this.getRoomDecryptor(content.room_id, content.algorithm);
+        if (alg.onRoomKeyWithheldEvent) {
+            alg.onRoomKeyWithheldEvent(event);
+        }
+        if (!content.room_id) {
+            // retry decryption for all events sent by the sender_key.  This will
+            // update the events to show a message indicating that the olm session was
+            // wedged.
+            const roomDecryptors = this.getRoomDecryptors(content.algorithm);
+            for (const decryptor of roomDecryptors) {
+                decryptor.retryDecryptionFromSender(content.sender_key);
+            }
+        }
+    }
+
+    /**
+     * Handle a general key verification event.
+     *
+     * @internal
+     * @param event - verification start event
+     */
+    private onKeyVerificationMessage(event: MatrixEvent): void {
+        if (!ToDeviceChannel.validateEvent(event, this.baseApis)) {
+            return;
+        }
+        const createRequest = (event: MatrixEvent): VerificationRequest | undefined => {
+            if (!ToDeviceChannel.canCreateRequest(ToDeviceChannel.getEventType(event))) {
+                return;
+            }
+            const content = event.getContent();
+            const deviceId = content && content.from_device;
+            if (!deviceId) {
+                return;
+            }
+            const userId = event.getSender()!;
+            const channel = new ToDeviceChannel(this.baseApis, userId, [deviceId]);
+            return new VerificationRequest(channel, this.verificationMethods, this.baseApis);
+        };
+        this.handleVerificationEvent(event, this.toDeviceVerificationRequests, createRequest);
+    }
+
+    /**
+     * Handle key verification requests sent as timeline events
+     *
+     * @internal
+     * @param event - the timeline event
+     * @param room - not used
+     * @param atStart - not used
+     * @param removed - not used
+     * @param whether - this is a live event
+     */
+    private onTimelineEvent = (
+        event: MatrixEvent,
+        room: Room,
+        atStart: boolean,
+        removed: boolean,
+        { liveEvent = true } = {},
+    ): void => {
+        if (!InRoomChannel.validateEvent(event, this.baseApis)) {
+            return;
+        }
+        const createRequest = (event: MatrixEvent): VerificationRequest => {
+            const channel = new InRoomChannel(this.baseApis, event.getRoomId()!);
+            return new VerificationRequest(channel, this.verificationMethods, this.baseApis);
+        };
+        this.handleVerificationEvent(event, this.inRoomVerificationRequests, createRequest, liveEvent);
+    };
+
+    private async handleVerificationEvent(
+        event: MatrixEvent,
+        requestsMap: IRequestsMap,
+        createRequest: (event: MatrixEvent) => VerificationRequest | undefined,
+        isLiveEvent = true,
+    ): Promise<void> {
+        // Wait for event to get its final ID with pendingEventOrdering: "chronological", since DM channels depend on it.
+        if (event.isSending() && event.status != EventStatus.SENT) {
+            let eventIdListener: () => void;
+            let statusListener: () => void;
+            try {
+                await new Promise<void>((resolve, reject) => {
+                    eventIdListener = resolve;
+                    statusListener = (): void => {
+                        if (event.status == EventStatus.CANCELLED) {
+                            reject(new Error("Event status set to CANCELLED."));
+                        }
+                    };
+                    event.once(MatrixEventEvent.LocalEventIdReplaced, eventIdListener);
+                    event.on(MatrixEventEvent.Status, statusListener);
+                });
+            } catch (err) {
+                logger.error("error while waiting for the verification event to be sent: ", err);
+                return;
+            } finally {
+                event.removeListener(MatrixEventEvent.LocalEventIdReplaced, eventIdListener!);
+                event.removeListener(MatrixEventEvent.Status, statusListener!);
+            }
+        }
+        let request: VerificationRequest | undefined = requestsMap.getRequest(event);
+        let isNewRequest = false;
+        if (!request) {
+            request = createRequest(event);
+            // a request could not be made from this event, so ignore event
+            if (!request) {
+                logger.log(
+                    `Crypto: could not find VerificationRequest for ` +
+                        `${event.getType()}, and could not create one, so ignoring.`,
+                );
+                return;
+            }
+            isNewRequest = true;
+            requestsMap.setRequest(event, request);
+        }
+        event.setVerificationRequest(request);
+        try {
+            await request.channel.handleEvent(event, request, isLiveEvent);
+        } catch (err) {
+            logger.error("error while handling verification event", err);
+        }
+        const shouldEmit =
+            isNewRequest &&
+            !request.initiatedByMe &&
+            !request.invalid && // check it has enough events to pass the UNSENT stage
+            !request.observeOnly;
+        if (shouldEmit) {
+            this.baseApis.emit(CryptoEvent.VerificationRequest, request);
+            this.baseApis.emit(CryptoEvent.VerificationRequestReceived, request);
+        }
+    }
+
+    /**
+     * Handle a toDevice event that couldn't be decrypted
+     *
+     * @internal
+     * @param event - undecryptable event
+     */
+    private async onToDeviceBadEncrypted(event: MatrixEvent): Promise<void> {
+        const content = event.getWireContent();
+        const sender = event.getSender();
+        const algorithm = content.algorithm;
+        const deviceKey = content.sender_key;
+
+        this.baseApis.emit(ClientEvent.UndecryptableToDeviceEvent, event);
+
+        // retry decryption for all events sent by the sender_key.  This will
+        // update the events to show a message indicating that the olm session was
+        // wedged.
+        const retryDecryption = (): void => {
+            const roomDecryptors = this.getRoomDecryptors(olmlib.MEGOLM_ALGORITHM);
+            for (const decryptor of roomDecryptors) {
+                decryptor.retryDecryptionFromSender(deviceKey);
+            }
+        };
+
+        if (sender === undefined || deviceKey === undefined || deviceKey === undefined) {
+            return;
+        }
+
+        // check when we can force a new session with this device: if we've already done so
+        // recently, don't do it again.
+        const forceNewSessionRetryTimeDevices = this.forceNewSessionRetryTime.getOrCreate(sender);
+        const forceNewSessionRetryTime = forceNewSessionRetryTimeDevices.getOrCreate(deviceKey);
+        if (forceNewSessionRetryTime > Date.now()) {
+            logger.debug(
+                `New session already forced with device ${sender}:${deviceKey}: ` +
+                    `not forcing another until at least ${new Date(forceNewSessionRetryTime).toUTCString()}`,
+            );
+            await this.olmDevice.recordSessionProblem(deviceKey, "wedged", true);
+            retryDecryption();
+            return;
+        }
+
+        // make sure we don't retry to unwedge too soon even if we fail to create a new session
+        forceNewSessionRetryTimeDevices.set(deviceKey, Date.now() + FORCE_SESSION_RETRY_INTERVAL_MS);
+
+        // establish a new olm session with this device since we're failing to decrypt messages
+        // on a current session.
+        // Note that an undecryptable message from another device could easily be spoofed -
+        // is there anything we can do to mitigate this?
+        let device = this.deviceList.getDeviceByIdentityKey(algorithm, deviceKey);
+        if (!device) {
+            // if we don't know about the device, fetch the user's devices again
+            // and retry before giving up
+            await this.downloadKeys([sender], false);
+            device = this.deviceList.getDeviceByIdentityKey(algorithm, deviceKey);
+            if (!device) {
+                logger.info("Couldn't find device for identity key " + deviceKey + ": not re-establishing session");
+                await this.olmDevice.recordSessionProblem(deviceKey, "wedged", false);
+                retryDecryption();
+                return;
+            }
+        }
+        const devicesByUser = new Map([[sender, [device]]]);
+        await olmlib.ensureOlmSessionsForDevices(this.olmDevice, this.baseApis, devicesByUser, true);
+
+        forceNewSessionRetryTimeDevices.set(deviceKey, Date.now() + MIN_FORCE_SESSION_INTERVAL_MS);
+
+        // Now send a blank message on that session so the other side knows about it.
+        // (The keyshare request is sent in the clear so that won't do)
+        // We send this first such that, as long as the toDevice messages arrive in the
+        // same order we sent them, the other end will get this first, set up the new session,
+        // then get the keyshare request and send the key over this new session (because it
+        // is the session it has most recently received a message on).
+        const encryptedContent: IEncryptedContent = {
+            algorithm: olmlib.OLM_ALGORITHM,
+            sender_key: this.olmDevice.deviceCurve25519Key!,
+            ciphertext: {},
+            [ToDeviceMessageId]: uuidv4(),
+        };
+        await olmlib.encryptMessageForDevice(
+            encryptedContent.ciphertext,
+            this.userId,
+            this.deviceId,
+            this.olmDevice,
+            sender,
+            device,
+            { type: "m.dummy" },
+        );
+
+        await this.olmDevice.recordSessionProblem(deviceKey, "wedged", true);
+        retryDecryption();
+
+        await this.baseApis.sendToDevice(
+            "m.room.encrypted",
+            new Map([[sender, new Map([[device.deviceId, encryptedContent]])]]),
+        );
+
+        // Most of the time this probably won't be necessary since we'll have queued up a key request when
+        // we failed to decrypt the message and will be waiting a bit for the key to arrive before sending
+        // it. This won't always be the case though so we need to re-send any that have already been sent
+        // to avoid races.
+        const requestsToResend = await this.outgoingRoomKeyRequestManager.getOutgoingSentRoomKeyRequest(
+            sender,
+            device.deviceId,
+        );
+        for (const keyReq of requestsToResend) {
+            this.requestRoomKey(keyReq.requestBody, keyReq.recipients, true);
+        }
+    }
+
+    /**
+     * Handle a change in the membership state of a member of a room
+     *
+     * @internal
+     * @param event -  event causing the change
+     * @param member -  user whose membership changed
+     * @param oldMembership -  previous membership
+     */
+    private onRoomMembership(event: MatrixEvent, member: RoomMember, oldMembership?: string): void {
+        // this event handler is registered on the *client* (as opposed to the room
+        // member itself), which means it is only called on changes to the *live*
+        // membership state (ie, it is not called when we back-paginate, nor when
+        // we load the state in the initialsync).
+        //
+        // Further, it is automatically registered and called when new members
+        // arrive in the room.
+
+        const roomId = member.roomId;
+
+        const alg = this.roomEncryptors.get(roomId);
+        if (!alg) {
+            // not encrypting in this room
+            return;
+        }
+        // only mark users in this room as tracked if we already started tracking in this room
+        // this way we don't start device queries after sync on behalf of this room which we won't use
+        // the result of anyway, as we'll need to do a query again once all the members are fetched
+        // by calling _trackRoomDevices
+        if (roomId in this.roomDeviceTrackingState) {
+            if (member.membership == KnownMembership.Join) {
+                logger.log("Join event for " + member.userId + " in " + roomId);
+                // make sure we are tracking the deviceList for this user
+                this.deviceList.startTrackingDeviceList(member.userId);
+            } else if (
+                member.membership == KnownMembership.Invite &&
+                this.clientStore.getRoom(roomId)?.shouldEncryptForInvitedMembers()
+            ) {
+                logger.log("Invite event for " + member.userId + " in " + roomId);
+                this.deviceList.startTrackingDeviceList(member.userId);
+            }
+        }
+
+        alg.onRoomMembership(event, member, oldMembership);
+    }
+
+    /**
+     * Called when we get an m.room_key_request event.
+     *
+     * @internal
+     * @param event - key request event
+     */
+    private onRoomKeyRequestEvent(event: MatrixEvent): void {
+        const content = event.getContent();
+        if (content.action === "request") {
+            // Queue it up for now, because they tend to arrive before the room state
+            // events at initial sync, and we want to see if we know anything about the
+            // room before passing them on to the app.
+            const req = new IncomingRoomKeyRequest(event);
+            this.receivedRoomKeyRequests.push(req);
+        } else if (content.action === "request_cancellation") {
+            const req = new IncomingRoomKeyRequestCancellation(event);
+            this.receivedRoomKeyRequestCancellations.push(req);
+        }
+    }
+
+    /**
+     * Process any m.room_key_request events which were queued up during the
+     * current sync.
+     *
+     * @internal
+     */
+    private async processReceivedRoomKeyRequests(): Promise<void> {
+        if (this.processingRoomKeyRequests) {
+            // we're still processing last time's requests; keep queuing new ones
+            // up for now.
+            return;
+        }
+        this.processingRoomKeyRequests = true;
+
+        try {
+            // we need to grab and clear the queues in the synchronous bit of this method,
+            // so that we don't end up racing with the next /sync.
+            const requests = this.receivedRoomKeyRequests;
+            this.receivedRoomKeyRequests = [];
+            const cancellations = this.receivedRoomKeyRequestCancellations;
+            this.receivedRoomKeyRequestCancellations = [];
+
+            // Process all of the requests, *then* all of the cancellations.
+            //
+            // This makes sure that if we get a request and its cancellation in the
+            // same /sync result, then we process the request before the
+            // cancellation (and end up with a cancelled request), rather than the
+            // cancellation before the request (and end up with an outstanding
+            // request which should have been cancelled.)
+            await Promise.all(requests.map((req) => this.processReceivedRoomKeyRequest(req)));
+            await Promise.all(
+                cancellations.map((cancellation) => this.processReceivedRoomKeyRequestCancellation(cancellation)),
+            );
+        } catch (e) {
+            logger.error(`Error processing room key requsts: ${e}`);
+        } finally {
+            this.processingRoomKeyRequests = false;
+        }
+    }
+
+    /**
+     * Helper for processReceivedRoomKeyRequests
+     *
+     */
+    private async processReceivedRoomKeyRequest(req: IncomingRoomKeyRequest): Promise<void> {
+        const userId = req.userId;
+        const deviceId = req.deviceId;
+
+        const body = req.requestBody;
+        const roomId = body.room_id;
+        const alg = body.algorithm;
+
+        logger.log(
+            `m.room_key_request from ${userId}:${deviceId}` +
+                ` for ${roomId} / ${body.session_id} (id ${req.requestId})`,
+        );
+
+        if (userId !== this.userId) {
+            if (!this.roomEncryptors.get(roomId)) {
+                logger.debug(`room key request for unencrypted room ${roomId}`);
+                return;
+            }
+            const encryptor = this.roomEncryptors.get(roomId)!;
+            const device = this.deviceList.getStoredDevice(userId, deviceId);
+            if (!device) {
+                logger.debug(`Ignoring keyshare for unknown device ${userId}:${deviceId}`);
+                return;
+            }
+
+            try {
+                await encryptor.reshareKeyWithDevice!(body.sender_key, body.session_id, userId, device);
+            } catch (e) {
+                logger.warn(
+                    "Failed to re-share keys for session " +
+                        body.session_id +
+                        " with device " +
+                        userId +
+                        ":" +
+                        device.deviceId,
+                    e,
+                );
+            }
+            return;
+        }
+
+        if (deviceId === this.deviceId) {
+            // We'll always get these because we send room key requests to
+            // '*' (ie. 'all devices') which includes the sending device,
+            // so ignore requests from ourself because apart from it being
+            // very silly, it won't work because an Olm session cannot send
+            // messages to itself.
+            // The log here is probably superfluous since we know this will
+            // always happen, but let's log anyway for now just in case it
+            // causes issues.
+            logger.log("Ignoring room key request from ourselves");
+            return;
+        }
+
+        // todo: should we queue up requests we don't yet have keys for,
+        // in case they turn up later?
+
+        // if we don't have a decryptor for this room/alg, we don't have
+        // the keys for the requested events, and can drop the requests.
+        if (!this.roomDecryptors.has(roomId)) {
+            logger.log(`room key request for unencrypted room ${roomId}`);
+            return;
+        }
+
+        const decryptor = this.roomDecryptors.get(roomId)!.get(alg);
+        if (!decryptor) {
+            logger.log(`room key request for unknown alg ${alg} in room ${roomId}`);
+            return;
+        }
+
+        if (!(await decryptor.hasKeysForKeyRequest(req))) {
+            logger.log(`room key request for unknown session ${roomId} / ` + body.session_id);
+            return;
+        }
+
+        req.share = (): void => {
+            decryptor.shareKeysWithDevice(req);
+        };
+
+        // if the device is verified already, share the keys
+        if (this.checkDeviceTrust(userId, deviceId).isVerified()) {
+            logger.log("device is already verified: sharing keys");
+            req.share();
+            return;
+        }
+
+        this.emit(CryptoEvent.RoomKeyRequest, req);
+    }
+
+    /**
+     * Helper for processReceivedRoomKeyRequests
+     *
+     */
+    private async processReceivedRoomKeyRequestCancellation(
+        cancellation: IncomingRoomKeyRequestCancellation,
+    ): Promise<void> {
+        logger.log(
+            `m.room_key_request cancellation for ${cancellation.userId}:` +
+                `${cancellation.deviceId} (id ${cancellation.requestId})`,
+        );
+
+        // we should probably only notify the app of cancellations we told it
+        // about, but we don't currently have a record of that, so we just pass
+        // everything through.
+        this.emit(CryptoEvent.RoomKeyRequestCancellation, cancellation);
+    }
+
+    /**
+     * Get a decryptor for a given room and algorithm.
+     *
+     * If we already have a decryptor for the given room and algorithm, return
+     * it. Otherwise try to instantiate it.
+     *
+     * @internal
+     *
+     * @param roomId -   room id for decryptor. If undefined, a temporary
+     * decryptor is instantiated.
+     *
+     * @param algorithm -  crypto algorithm
+     *
+     * @throws `DecryptionError` if the algorithm is unknown
+     */
+    public getRoomDecryptor(roomId: string | null, algorithm: string): DecryptionAlgorithm {
+        let decryptors: Map<string, DecryptionAlgorithm> | undefined;
+        let alg: DecryptionAlgorithm | undefined;
+
+        if (roomId) {
+            decryptors = this.roomDecryptors.get(roomId);
+            if (!decryptors) {
+                decryptors = new Map<string, DecryptionAlgorithm>();
+                this.roomDecryptors.set(roomId, decryptors);
+            }
+
+            alg = decryptors.get(algorithm);
+            if (alg) {
+                return alg;
+            }
+        }
+
+        const AlgClass = algorithms.DECRYPTION_CLASSES.get(algorithm);
+        if (!AlgClass) {
+            throw new DecryptionError(
+                DecryptionFailureCode.UNKNOWN_ENCRYPTION_ALGORITHM,
+                'Unknown encryption algorithm "' + algorithm + '".',
+            );
+        }
+        alg = new AlgClass({
+            userId: this.userId,
+            crypto: this,
+            olmDevice: this.olmDevice,
+            baseApis: this.baseApis,
+            roomId: roomId ?? undefined,
+        });
+
+        if (decryptors) {
+            decryptors.set(algorithm, alg);
+        }
+        return alg;
+    }
+
+    /**
+     * Get all the room decryptors for a given encryption algorithm.
+     *
+     * @param algorithm - The encryption algorithm
+     *
+     * @returns An array of room decryptors
+     */
+    private getRoomDecryptors(algorithm: string): DecryptionAlgorithm[] {
+        const decryptors: DecryptionAlgorithm[] = [];
+        for (const d of this.roomDecryptors.values()) {
+            if (d.has(algorithm)) {
+                decryptors.push(d.get(algorithm)!);
+            }
+        }
+        return decryptors;
+    }
+
+    /**
+     * sign the given object with our ed25519 key
+     *
+     * @param obj -  Object to which we will add a 'signatures' property
+     */
+    public async signObject<T extends ISignableObject & object>(obj: T): Promise<void> {
+        const sigs = new Map(Object.entries(obj.signatures || {}));
+        const unsigned = obj.unsigned;
+
+        delete obj.signatures;
+        delete obj.unsigned;
+
+        const userSignatures = sigs.get(this.userId) || {};
+        sigs.set(this.userId, userSignatures);
+        userSignatures["ed25519:" + this.deviceId] = await this.olmDevice.sign(anotherjson.stringify(obj));
+        obj.signatures = recursiveMapToObject(sigs);
+        if (unsigned !== undefined) obj.unsigned = unsigned;
+    }
+
+    /**
+     * @returns true if the room with the supplied ID is encrypted. False if the
+     * room is not encrypted, or is unknown to us.
+     */
+    public isRoomEncrypted(roomId: string): boolean {
+        return this.roomList.isRoomEncrypted(roomId);
+    }
+
+    /**
+     * Implementation of {@link Crypto.CryptoApi#isEncryptionEnabledInRoom}.
+     */
+    public async isEncryptionEnabledInRoom(roomId: string): Promise<boolean> {
+        return this.isRoomEncrypted(roomId);
+    }
+
+    /**
+     * @returns information about the encryption on the room with the supplied
+     * ID, or null if the room is not encrypted or unknown to us.
+     */
+    public getRoomEncryption(roomId: string): IRoomEncryption | null {
+        return this.roomList.getRoomEncryption(roomId);
+    }
+
+    /**
+     * Returns whether dehydrated devices are supported by the crypto backend
+     * and by the server.
+     */
+    public async isDehydrationSupported(): Promise<boolean> {
+        return false;
+    }
+
+    /**
+     * Stub function -- dehydration is not implemented here, so throw error
+     */
+    public async startDehydration(createNewKey?: boolean): Promise<void> {
+        throw new Error("Not implemented");
+    }
+
+    /**
+     * Stub function -- restoreKeyBackup is not implemented here, so throw error
+     */
+    public restoreKeyBackup(opts: KeyBackupRestoreOpts): Promise<KeyBackupRestoreResult> {
+        throw new Error("Not implemented");
+    }
+
+    /**
+     * Stub function -- restoreKeyBackupWithPassphrase is not implemented here, so throw error
+     */
+    public restoreKeyBackupWithPassphrase(
+        passphrase: string,
+        opts: KeyBackupRestoreOpts,
+    ): Promise<KeyBackupRestoreResult> {
+        throw new Error("Not implemented");
+    }
+}
+
+/**
+ * Fix up the backup key, that may be in the wrong format due to a bug in a
+ * migration step.  Some backup keys were stored as a comma-separated list of
+ * integers, rather than a base64-encoded byte array.  If this function is
+ * passed a string that looks like a list of integers rather than a base64
+ * string, it will attempt to convert it to the right format.
+ *
+ * @param key - the key to check
+ * @returns If the key is in the wrong format, then the fixed
+ * key will be returned. Otherwise null will be returned.
+ *
+ */
+export function fixBackupKey(key?: string): string | null {
+    if (typeof key !== "string" || key.indexOf(",") < 0) {
+        return null;
+    }
+    const fixedKey = Uint8Array.from(key.split(","), (x) => parseInt(x));
+    return encodeBase64(fixedKey);
+}
+
+/**
+ * Represents a received m.room_key_request event
+ */
+export class IncomingRoomKeyRequest {
+    /** user requesting the key */
+    public readonly userId: string;
+    /** device requesting the key */
+    public readonly deviceId: string;
+    /** unique id for the request */
+    public readonly requestId: string;
+    public readonly requestBody: IRoomKeyRequestBody;
+    /**
+     * callback which, when called, will ask
+     *    the relevant crypto algorithm implementation to share the keys for
+     *    this request.
+     */
+    public share: () => void;
+
+    public constructor(event: MatrixEvent) {
+        const content = event.getContent();
+
+        this.userId = event.getSender()!;
+        this.deviceId = content.requesting_device_id;
+        this.requestId = content.request_id;
+        this.requestBody = content.body || {};
+        this.share = (): void => {
+            throw new Error("don't know how to share keys for this request yet");
+        };
+    }
+}
+
+/**
+ * Represents a received m.room_key_request cancellation
+ */
+class IncomingRoomKeyRequestCancellation {
+    /** user requesting the cancellation */
+    public readonly userId: string;
+    /** device requesting the cancellation */
+    public readonly deviceId: string;
+    /** unique id for the request to be cancelled */
+    public readonly requestId: string;
+
+    public constructor(event: MatrixEvent) {
+        const content = event.getContent();
+
+        this.userId = event.getSender()!;
+        this.deviceId = content.requesting_device_id;
+        this.requestId = content.request_id;
+    }
+}
+
+// a number of types are re-exported for backwards compatibility, in case any applications are referencing it.
+export type { IEventDecryptionResult, IMegolmSessionData } from "../@types/crypto.ts";