@unwanted/matrix-sdk-mini 34.12.0-1

package/src/rust-crypto/rust-crypto.ts

@@ -0,0 +1,2205 @@
+/*
+Copyright 2022-2023 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import anotherjson from "another-json";
+import * as RustSdkCryptoJs from "@matrix-org/matrix-sdk-crypto-wasm";
+
+import type { IEventDecryptionResult, IMegolmSessionData } from "../@types/crypto.ts";
+import { KnownMembership } from "../@types/membership.ts";
+import type { IDeviceLists, IToDeviceEvent } from "../sync-accumulator.ts";
+import type { IEncryptedEventInfo } from "../crypto/api.ts";
+import type { ToDevicePayload, ToDeviceBatch } from "../models/ToDeviceMessage.ts";
+import { MatrixEvent, MatrixEventEvent } from "../models/event.ts";
+import { Room } from "../models/room.ts";
+import { RoomMember } from "../models/room-member.ts";
+import {
+    BackupDecryptor,
+    CryptoBackend,
+    DecryptionError,
+    OnSyncCompletedData,
+} from "../common-crypto/CryptoBackend.ts";
+import { logger, Logger, LogSpan } from "../logger.ts";
+import { IHttpOpts, MatrixHttpApi, Method } from "../http-api/index.ts";
+import { RoomEncryptor } from "./RoomEncryptor.ts";
+import { OutgoingRequestProcessor } from "./OutgoingRequestProcessor.ts";
+import { KeyClaimManager } from "./KeyClaimManager.ts";
+import { logDuration, MapWithDefault } from "../utils.ts";
+import {
+    BackupTrustInfo,
+    BootstrapCrossSigningOpts,
+    CreateSecretStorageOpts,
+    CrossSigningKey,
+    CrossSigningKeyInfo,
+    CrossSigningStatus,
+    CryptoApi,
+    CryptoCallbacks,
+    DecryptionFailureCode,
+    DeviceVerificationStatus,
+    EventEncryptionInfo,
+    EventShieldColour,
+    EventShieldReason,
+    GeneratedSecretStorageKey,
+    ImportRoomKeysOpts,
+    KeyBackupCheck,
+    KeyBackupInfo,
+    OwnDeviceKeys,
+    UserVerificationStatus,
+    VerificationRequest,
+    encodeRecoveryKey,
+    deriveRecoveryKeyFromPassphrase,
+    DeviceIsolationMode,
+    AllDevicesIsolationMode,
+    DeviceIsolationModeKind,
+    CryptoEvent,
+    CryptoEventHandlerMap,
+    KeyBackupRestoreOpts,
+    KeyBackupRestoreResult,
+} from "../crypto-api/index.ts";
+import { deviceKeysToDeviceMap, rustDeviceToJsDevice } from "./device-converter.ts";
+import { IDownloadKeyResult, IQueryKeysRequest } from "../client.ts";
+import { Device, DeviceMap } from "../models/device.ts";
+import { SECRET_STORAGE_ALGORITHM_V1_AES, ServerSideSecretStorage } from "../secret-storage.ts";
+import { CrossSigningIdentity } from "./CrossSigningIdentity.ts";
+import { secretStorageCanAccessSecrets, secretStorageContainsCrossSigningKeys } from "./secret-storage.ts";
+import { isVerificationEvent, RustVerificationRequest, verificationMethodIdentifierToMethod } from "./verification.ts";
+import { EventType, MsgType } from "../@types/event.ts";
+import { TypedEventEmitter } from "../models/typed-event-emitter.ts";
+import { decryptionKeyMatchesKeyBackupInfo, RustBackupManager } from "./backup.ts";
+import { TypedReEmitter } from "../ReEmitter.ts";
+import { randomString } from "../randomstring.ts";
+import { ClientStoppedError } from "../errors.ts";
+import { ISignatures } from "../@types/signed.ts";
+import { decodeBase64, encodeBase64 } from "../base64.ts";
+import { OutgoingRequestsManager } from "./OutgoingRequestsManager.ts";
+import { PerSessionKeyBackupDownloader } from "./PerSessionKeyBackupDownloader.ts";
+import { DehydratedDeviceManager } from "./DehydratedDeviceManager.ts";
+import { VerificationMethod } from "../types.ts";
+import { keyFromAuthData } from "../common-crypto/key-passphrase.ts";
+
+const ALL_VERIFICATION_METHODS = [
+    VerificationMethod.Sas,
+    VerificationMethod.ScanQrCode,
+    VerificationMethod.ShowQrCode,
+    VerificationMethod.Reciprocate,
+];
+
+interface ISignableObject {
+    signatures?: ISignatures;
+    unsigned?: object;
+}
+
+/**
+ * An implementation of {@link CryptoBackend} using the Rust matrix-sdk-crypto.
+ *
+ * @internal
+ */
+export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventHandlerMap> implements CryptoBackend {
+    /**
+     * The number of iterations to use when deriving a recovery key from a passphrase.
+     */
+    private readonly RECOVERY_KEY_DERIVATION_ITERATIONS = 500000;
+
+    private _trustCrossSignedDevices = true;
+    private deviceIsolationMode: DeviceIsolationMode = new AllDevicesIsolationMode(false);
+
+    /** whether {@link stop} has been called */
+    private stopped = false;
+
+    /** mapping of roomId → encryptor class */
+    private roomEncryptors: Record<string, RoomEncryptor> = {};
+
+    private eventDecryptor: EventDecryptor;
+    private keyClaimManager: KeyClaimManager;
+    private outgoingRequestProcessor: OutgoingRequestProcessor;
+    private crossSigningIdentity: CrossSigningIdentity;
+    private readonly backupManager: RustBackupManager;
+    private outgoingRequestsManager: OutgoingRequestsManager;
+    private readonly perSessionBackupDownloader: PerSessionKeyBackupDownloader;
+    private readonly dehydratedDeviceManager: DehydratedDeviceManager;
+    private readonly reemitter = new TypedReEmitter<RustCryptoEvents, CryptoEventHandlerMap>(this);
+
+    public constructor(
+        private readonly logger: Logger,
+
+        /** The `OlmMachine` from the underlying rust crypto sdk. */
+        private readonly olmMachine: RustSdkCryptoJs.OlmMachine,
+
+        /**
+         * Low-level HTTP interface: used to make outgoing requests required by the rust SDK.
+         *
+         * We expect it to set the access token, etc.
+         */
+        private readonly http: MatrixHttpApi<IHttpOpts & { onlyData: true }>,
+
+        /** The local user's User ID. */
+        private readonly userId: string,
+
+        /** The local user's Device ID. */
+        _deviceId: string,
+
+        /** Interface to server-side secret storage */
+        private readonly secretStorage: ServerSideSecretStorage,
+
+        /** Crypto callbacks provided by the application */
+        private readonly cryptoCallbacks: CryptoCallbacks,
+    ) {
+        super();
+        this.outgoingRequestProcessor = new OutgoingRequestProcessor(olmMachine, http);
+        this.outgoingRequestsManager = new OutgoingRequestsManager(
+            this.logger,
+            olmMachine,
+            this.outgoingRequestProcessor,
+        );
+
+        this.keyClaimManager = new KeyClaimManager(olmMachine, this.outgoingRequestProcessor);
+
+        this.backupManager = new RustBackupManager(olmMachine, http, this.outgoingRequestProcessor);
+        this.perSessionBackupDownloader = new PerSessionKeyBackupDownloader(
+            this.logger,
+            this.olmMachine,
+            this.http,
+            this.backupManager,
+        );
+        this.dehydratedDeviceManager = new DehydratedDeviceManager(
+            this.logger,
+            olmMachine,
+            http,
+            this.outgoingRequestProcessor,
+            secretStorage,
+        );
+        this.eventDecryptor = new EventDecryptor(this.logger, olmMachine, this.perSessionBackupDownloader);
+
+        this.reemitter.reEmit(this.backupManager, [
+            CryptoEvent.KeyBackupStatus,
+            CryptoEvent.KeyBackupSessionsRemaining,
+            CryptoEvent.KeyBackupFailed,
+            CryptoEvent.KeyBackupDecryptionKeyCached,
+        ]);
+
+        this.crossSigningIdentity = new CrossSigningIdentity(olmMachine, this.outgoingRequestProcessor, secretStorage);
+
+        // Check and start in background the key backup connection
+        this.checkKeyBackupAndEnable();
+    }
+
+    /**
+     * Return the OlmMachine only if {@link RustCrypto#stop} has not been called.
+     *
+     * This allows us to better handle race conditions where the client is stopped before or during a crypto API call.
+     *
+     * @throws ClientStoppedError if {@link RustCrypto#stop} has been called.
+     */
+    private getOlmMachineOrThrow(): RustSdkCryptoJs.OlmMachine {
+        if (this.stopped) {
+            throw new ClientStoppedError();
+        }
+        return this.olmMachine;
+    }
+
+    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+    //
+    // CryptoBackend implementation
+    //
+    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    public set globalErrorOnUnknownDevices(_v: boolean) {
+        // Not implemented for rust crypto.
+    }
+
+    public get globalErrorOnUnknownDevices(): boolean {
+        // Not implemented for rust crypto.
+        return false;
+    }
+
+    public stop(): void {
+        // stop() may be called multiple times, but attempting to close() the OlmMachine twice
+        // will cause an error.
+        if (this.stopped) {
+            return;
+        }
+        this.stopped = true;
+
+        this.keyClaimManager.stop();
+        this.backupManager.stop();
+        this.outgoingRequestsManager.stop();
+        this.perSessionBackupDownloader.stop();
+        this.dehydratedDeviceManager.stop();
+
+        // make sure we close() the OlmMachine; doing so means that all the Rust objects will be
+        // cleaned up; in particular, the indexeddb connections will be closed, which means they
+        // can then be deleted.
+        this.olmMachine.close();
+    }
+
+    public async encryptEvent(event: MatrixEvent, _room: Room): Promise<void> {
+        const roomId = event.getRoomId()!;
+        const encryptor = this.roomEncryptors[roomId];
+
+        if (!encryptor) {
+            throw new Error(`Cannot encrypt event in unconfigured room ${roomId}`);
+        }
+
+        await encryptor.encryptEvent(event, this.globalBlacklistUnverifiedDevices, this.deviceIsolationMode);
+    }
+
+    public async decryptEvent(event: MatrixEvent): Promise<IEventDecryptionResult> {
+        const roomId = event.getRoomId();
+        if (!roomId) {
+            // presumably, a to-device message. These are normally decrypted in preprocessToDeviceMessages
+            // so the fact it has come back here suggests that decryption failed.
+            //
+            // once we drop support for the libolm crypto implementation, we can stop passing to-device messages
+            // through decryptEvent and hence get rid of this case.
+            throw new Error("to-device event was not decrypted in preprocessToDeviceMessages");
+        }
+        return await this.eventDecryptor.attemptEventDecryption(event, this.deviceIsolationMode);
+    }
+
+    /**
+     * Implementation of (deprecated) {@link MatrixClient#getEventEncryptionInfo}.
+     *
+     * @param event - event to inspect
+     */
+    public getEventEncryptionInfo(event: MatrixEvent): IEncryptedEventInfo {
+        const ret: Partial<IEncryptedEventInfo> = {};
+
+        ret.senderKey = event.getSenderKey() ?? undefined;
+        ret.algorithm = event.getWireContent().algorithm;
+
+        if (!ret.senderKey || !ret.algorithm) {
+            ret.encrypted = false;
+            return ret as IEncryptedEventInfo;
+        }
+        ret.encrypted = true;
+        ret.authenticated = true;
+        ret.mismatchedSender = true;
+        return ret as IEncryptedEventInfo;
+    }
+
+    /**
+     * Implementation of {@link CryptoBackend#checkUserTrust}.
+     *
+     * Stub for backwards compatibility.
+     *
+     */
+    public checkUserTrust(userId: string): UserVerificationStatus {
+        return new UserVerificationStatus(false, false, false);
+    }
+
+    /**
+     * Get the cross signing information for a given user.
+     *
+     * The cross-signing API is currently UNSTABLE and may change without notice.
+     *
+     * @param userId - the user ID to get the cross-signing info for.
+     *
+     * @returns the cross signing information for the user.
+     */
+    public getStoredCrossSigningForUser(userId: string): null {
+        // TODO
+        return null;
+    }
+
+    /**
+     * This function is unneeded for the rust-crypto.
+     * The cross signing key import and the device verification are done in {@link CryptoApi#bootstrapCrossSigning}
+     *
+     * The function is stub to keep the compatibility with the old crypto.
+     * More information: https://github.com/vector-im/element-web/issues/25648
+     *
+     * Implementation of {@link CryptoBackend#checkOwnCrossSigningTrust}
+     */
+    public async checkOwnCrossSigningTrust(): Promise<void> {
+        return;
+    }
+
+    /**
+     * Implementation of {@link CryptoBackend#getBackupDecryptor}.
+     */
+    public async getBackupDecryptor(backupInfo: KeyBackupInfo, privKey: ArrayLike<number>): Promise<BackupDecryptor> {
+        if (!(privKey instanceof Uint8Array)) {
+            throw new Error(`getBackupDecryptor: expects Uint8Array`);
+        }
+
+        if (backupInfo.algorithm != "m.megolm_backup.v1.curve25519-aes-sha2") {
+            throw new Error(`getBackupDecryptor: Unsupported algorithm ${backupInfo.algorithm}`);
+        }
+
+        const backupDecryptionKey = RustSdkCryptoJs.BackupDecryptionKey.fromBase64(encodeBase64(privKey));
+        if (!decryptionKeyMatchesKeyBackupInfo(backupDecryptionKey, backupInfo)) {
+            throw new Error(`getBackupDecryptor: key backup on server does not match the decryption key`);
+        }
+
+        return this.backupManager.createBackupDecryptor(backupDecryptionKey);
+    }
+
+    /**
+     * Implementation of {@link CryptoBackend#importBackedUpRoomKeys}.
+     */
+    public async importBackedUpRoomKeys(
+        keys: IMegolmSessionData[],
+        backupVersion: string,
+        opts?: ImportRoomKeysOpts,
+    ): Promise<void> {
+        return await this.backupManager.importBackedUpRoomKeys(keys, backupVersion, opts);
+    }
+
+    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+    //
+    // CryptoApi implementation
+    //
+    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    public globalBlacklistUnverifiedDevices = false;
+
+    /**
+     * Implementation of {@link CryptoApi#getVersion}.
+     */
+    public getVersion(): string {
+        const versions = RustSdkCryptoJs.getVersions();
+        return `Rust SDK ${versions.matrix_sdk_crypto} (${versions.git_sha}), Vodozemac ${versions.vodozemac}`;
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#setDeviceIsolationMode}.
+     */
+    public setDeviceIsolationMode(isolationMode: DeviceIsolationMode): void {
+        this.deviceIsolationMode = isolationMode;
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#isEncryptionEnabledInRoom}.
+     */
+    public async isEncryptionEnabledInRoom(roomId: string): Promise<boolean> {
+        const roomSettings: RustSdkCryptoJs.RoomSettings | undefined = await this.olmMachine.getRoomSettings(
+            new RustSdkCryptoJs.RoomId(roomId),
+        );
+        return Boolean(roomSettings?.algorithm);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#getOwnDeviceKeys}.
+     */
+    public async getOwnDeviceKeys(): Promise<OwnDeviceKeys> {
+        const keys = this.olmMachine.identityKeys;
+        return { ed25519: keys.ed25519.toBase64(), curve25519: keys.curve25519.toBase64() };
+    }
+
+    public prepareToEncrypt(room: Room): void {
+        const encryptor = this.roomEncryptors[room.roomId];
+
+        if (encryptor) {
+            encryptor.prepareForEncryption(this.globalBlacklistUnverifiedDevices, this.deviceIsolationMode);
+        }
+    }
+
+    public forceDiscardSession(roomId: string): Promise<void> {
+        return this.roomEncryptors[roomId]?.forceDiscardSession();
+    }
+
+    public async exportRoomKeys(): Promise<IMegolmSessionData[]> {
+        const raw = await this.olmMachine.exportRoomKeys(() => true);
+        return JSON.parse(raw);
+    }
+
+    public async exportRoomKeysAsJson(): Promise<string> {
+        return await this.olmMachine.exportRoomKeys(() => true);
+    }
+
+    public async importRoomKeys(keys: IMegolmSessionData[], opts?: ImportRoomKeysOpts): Promise<void> {
+        return await this.backupManager.importRoomKeys(keys, opts);
+    }
+
+    public async importRoomKeysAsJson(keys: string, opts?: ImportRoomKeysOpts): Promise<void> {
+        return await this.backupManager.importRoomKeysAsJson(keys, opts);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi.userHasCrossSigningKeys}.
+     */
+    public async userHasCrossSigningKeys(userId = this.userId, downloadUncached = false): Promise<boolean> {
+        // TODO: could probably do with a more efficient way of doing this than returning the whole set and searching
+        const rustTrackedUsers: Set<RustSdkCryptoJs.UserId> = await this.olmMachine.trackedUsers();
+        let rustTrackedUser: RustSdkCryptoJs.UserId | undefined;
+        for (const u of rustTrackedUsers) {
+            if (userId === u.toString()) {
+                rustTrackedUser = u;
+                break;
+            }
+        }
+
+        if (rustTrackedUser !== undefined) {
+            if (userId === this.userId) {
+                /* make sure we have an *up-to-date* idea of the user's cross-signing keys. This is important, because if we
+                 * return "false" here, we will end up generating new cross-signing keys and replacing the existing ones.
+                 */
+                const request = this.olmMachine.queryKeysForUsers(
+                    // clone as rust layer will take ownership and it's reused later
+                    [rustTrackedUser.clone()],
+                );
+                await this.outgoingRequestProcessor.makeOutgoingRequest(request);
+            }
+            const userIdentity = await this.olmMachine.getIdentity(rustTrackedUser);
+            userIdentity?.free();
+            return userIdentity !== undefined;
+        } else if (downloadUncached) {
+            // Download the cross signing keys and check if the master key is available
+            const keyResult = await this.downloadDeviceList(new Set([userId]));
+            const keys = keyResult.master_keys?.[userId];
+
+            // No master key
+            if (!keys) return false;
+
+            // `keys` is an object with { [`ed25519:${pubKey}`]: pubKey }
+            // We assume only a single key, and we want the bare form without type
+            // prefix, so we select the values.
+            return Boolean(Object.values(keys.keys)[0]);
+        } else {
+            return false;
+        }
+    }
+
+    /**
+     * Get the device information for the given list of users.
+     *
+     * @param userIds - The users to fetch.
+     * @param downloadUncached - If true, download the device list for users whose device list we are not
+     *    currently tracking. Defaults to false, in which case such users will not appear at all in the result map.
+     *
+     * @returns A map `{@link DeviceMap}`.
+     */
+    public async getUserDeviceInfo(userIds: string[], downloadUncached = false): Promise<DeviceMap> {
+        const deviceMapByUserId = new Map<string, Map<string, Device>>();
+        const rustTrackedUsers: Set<RustSdkCryptoJs.UserId> = await this.getOlmMachineOrThrow().trackedUsers();
+
+        // Convert RustSdkCryptoJs.UserId to a `Set<string>`
+        const trackedUsers = new Set<string>();
+        rustTrackedUsers.forEach((rustUserId) => trackedUsers.add(rustUserId.toString()));
+
+        // Keep untracked user to download their keys after
+        const untrackedUsers: Set<string> = new Set();
+
+        for (const userId of userIds) {
+            // if this is a tracked user, we can just fetch the device list from the rust-sdk
+            // (NB: this is probably ok even if we race with a leave event such that we stop tracking the user's
+            // devices: the rust-sdk will return the last-known device list, which will be good enough.)
+            if (trackedUsers.has(userId)) {
+                deviceMapByUserId.set(userId, await this.getUserDevices(userId));
+            } else {
+                untrackedUsers.add(userId);
+            }
+        }
+
+        // for any users whose device lists we are not tracking, fall back to downloading the device list
+        // over HTTP.
+        if (downloadUncached && untrackedUsers.size >= 1) {
+            const queryResult = await this.downloadDeviceList(untrackedUsers);
+            Object.entries(queryResult.device_keys).forEach(([userId, deviceKeys]) =>
+                deviceMapByUserId.set(userId, deviceKeysToDeviceMap(deviceKeys)),
+            );
+        }
+
+        return deviceMapByUserId;
+    }
+
+    /**
+     * Get the device list for the given user from the olm machine
+     * @param userId - Rust SDK UserId
+     */
+    private async getUserDevices(userId: string): Promise<Map<string, Device>> {
+        const rustUserId = new RustSdkCryptoJs.UserId(userId);
+
+        // For reasons I don't really understand, the Javascript FinalizationRegistry doesn't seem to run the
+        // registered callbacks when `userDevices` goes out of scope, nor when the individual devices in the array
+        // returned by `userDevices.devices` do so.
+        //
+        // This is particularly problematic, because each of those structures holds a reference to the
+        // VerificationMachine, which in turn holds a reference to the IndexeddbCryptoStore. Hence, we end up leaking
+        // open connections to the crypto store, which means the store can't be deleted on logout.
+        //
+        // To fix this, we explicitly call `.free` on each of the objects, which tells the rust code to drop the
+        // allocated memory and decrement the refcounts for the crypto store.
+
+        // Wait for up to a second for any in-flight device list requests to complete.
+        // The reason for this isn't so much to avoid races (some level of raciness is
+        // inevitable for this method) but to make testing easier.
+        const userDevices: RustSdkCryptoJs.UserDevices = await this.olmMachine.getUserDevices(rustUserId, 1);
+        try {
+            const deviceArray: RustSdkCryptoJs.Device[] = userDevices.devices();
+            try {
+                return new Map(
+                    deviceArray.map((device) => [device.deviceId.toString(), rustDeviceToJsDevice(device, rustUserId)]),
+                );
+            } finally {
+                deviceArray.forEach((d) => d.free());
+            }
+        } finally {
+            userDevices.free();
+        }
+    }
+
+    /**
+     * Download the given user keys by calling `/keys/query` request
+     * @param untrackedUsers - download keys of these users
+     */
+    private async downloadDeviceList(untrackedUsers: Set<string>): Promise<IDownloadKeyResult> {
+        const queryBody: IQueryKeysRequest = { device_keys: {} };
+        untrackedUsers.forEach((user) => (queryBody.device_keys[user] = []));
+
+        return await this.http.authedRequest(Method.Post, "/_matrix/client/v3/keys/query", undefined, queryBody, {
+            prefix: "",
+        });
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#getTrustCrossSignedDevices}.
+     */
+    public getTrustCrossSignedDevices(): boolean {
+        return this._trustCrossSignedDevices;
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#setTrustCrossSignedDevices}.
+     */
+    public setTrustCrossSignedDevices(val: boolean): void {
+        this._trustCrossSignedDevices = val;
+        // TODO: legacy crypto goes through the list of known devices and emits DeviceVerificationChanged
+        //  events. Maybe we need to do the same?
+    }
+
+    /**
+     * Mark the given device as locally verified.
+     *
+     * Implementation of {@link CryptoApi#setDeviceVerified}.
+     */
+    public async setDeviceVerified(userId: string, deviceId: string, verified = true): Promise<void> {
+        const device: RustSdkCryptoJs.Device | undefined = await this.olmMachine.getDevice(
+            new RustSdkCryptoJs.UserId(userId),
+            new RustSdkCryptoJs.DeviceId(deviceId),
+        );
+
+        if (!device) {
+            throw new Error(`Unknown device ${userId}|${deviceId}`);
+        }
+        try {
+            await device.setLocalTrust(
+                verified ? RustSdkCryptoJs.LocalTrust.Verified : RustSdkCryptoJs.LocalTrust.Unset,
+            );
+        } finally {
+            device.free();
+        }
+    }
+
+    /**
+     * Blindly cross-sign one of our other devices.
+     *
+     * Implementation of {@link CryptoApi#crossSignDevice}.
+     */
+    public async crossSignDevice(deviceId: string): Promise<void> {
+        const device: RustSdkCryptoJs.Device | undefined = await this.olmMachine.getDevice(
+            new RustSdkCryptoJs.UserId(this.userId),
+            new RustSdkCryptoJs.DeviceId(deviceId),
+        );
+        if (!device) {
+            throw new Error(`Unknown device ${deviceId}`);
+        }
+        try {
+            const outgoingRequest: RustSdkCryptoJs.SignatureUploadRequest = await device.verify();
+            await this.outgoingRequestProcessor.makeOutgoingRequest(outgoingRequest);
+        } finally {
+            device.free();
+        }
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#getDeviceVerificationStatus}.
+     */
+    public async getDeviceVerificationStatus(
+        userId: string,
+        deviceId: string,
+    ): Promise<DeviceVerificationStatus | null> {
+        const device: RustSdkCryptoJs.Device | undefined = await this.olmMachine.getDevice(
+            new RustSdkCryptoJs.UserId(userId),
+            new RustSdkCryptoJs.DeviceId(deviceId),
+        );
+
+        if (!device) return null;
+        try {
+            return new DeviceVerificationStatus({
+                signedByOwner: device.isCrossSignedByOwner(),
+                crossSigningVerified: device.isCrossSigningTrusted(),
+                localVerified: device.isLocallyTrusted(),
+                trustCrossSignedDevices: this._trustCrossSignedDevices,
+            });
+        } finally {
+            device.free();
+        }
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#getUserVerificationStatus}.
+     */
+    public async getUserVerificationStatus(userId: string): Promise<UserVerificationStatus> {
+        const userIdentity: RustSdkCryptoJs.UserIdentity | RustSdkCryptoJs.OwnUserIdentity | undefined =
+            await this.getOlmMachineOrThrow().getIdentity(new RustSdkCryptoJs.UserId(userId));
+        if (userIdentity === undefined) {
+            return new UserVerificationStatus(false, false, false);
+        }
+
+        const verified = userIdentity.isVerified();
+        const wasVerified = userIdentity.wasPreviouslyVerified();
+        const needsUserApproval =
+            userIdentity instanceof RustSdkCryptoJs.UserIdentity ? userIdentity.identityNeedsUserApproval() : false;
+        userIdentity.free();
+        return new UserVerificationStatus(verified, wasVerified, false, needsUserApproval);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#pinCurrentUserIdentity}.
+     */
+    public async pinCurrentUserIdentity(userId: string): Promise<void> {
+        const userIdentity: RustSdkCryptoJs.UserIdentity | RustSdkCryptoJs.OwnUserIdentity | undefined =
+            await this.getOlmMachineOrThrow().getIdentity(new RustSdkCryptoJs.UserId(userId));
+
+        if (userIdentity === undefined) {
+            throw new Error("Cannot pin identity of unknown user");
+        }
+
+        if (userIdentity instanceof RustSdkCryptoJs.OwnUserIdentity) {
+            throw new Error("Cannot pin identity of own user");
+        }
+
+        await userIdentity.pinCurrentMasterKey();
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#isCrossSigningReady}
+     */
+    public async isCrossSigningReady(): Promise<boolean> {
+        const { privateKeysInSecretStorage, privateKeysCachedLocally } = await this.getCrossSigningStatus();
+        const hasKeysInCache =
+            Boolean(privateKeysCachedLocally.masterKey) &&
+            Boolean(privateKeysCachedLocally.selfSigningKey) &&
+            Boolean(privateKeysCachedLocally.userSigningKey);
+
+        const identity = await this.getOwnIdentity();
+
+        // Cross-signing is ready if the public identity is trusted, and the private keys
+        // are either cached, or accessible via secret-storage.
+        return !!identity?.isVerified() && (hasKeysInCache || privateKeysInSecretStorage);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#getCrossSigningKeyId}
+     */
+    public async getCrossSigningKeyId(type: CrossSigningKey = CrossSigningKey.Master): Promise<string | null> {
+        const userIdentity: RustSdkCryptoJs.OwnUserIdentity | undefined = await this.olmMachine.getIdentity(
+            new RustSdkCryptoJs.UserId(this.userId),
+        );
+        if (!userIdentity) {
+            // The public keys are not available on this device
+            return null;
+        }
+
+        try {
+            const crossSigningStatus: RustSdkCryptoJs.CrossSigningStatus = await this.olmMachine.crossSigningStatus();
+
+            const privateKeysOnDevice =
+                crossSigningStatus.hasMaster && crossSigningStatus.hasUserSigning && crossSigningStatus.hasSelfSigning;
+
+            if (!privateKeysOnDevice) {
+                // The private keys are not available on this device
+                return null;
+            }
+
+            if (!userIdentity.isVerified()) {
+                // We have both public and private keys, but they don't match!
+                return null;
+            }
+
+            let key: string;
+            switch (type) {
+                case CrossSigningKey.Master:
+                    key = userIdentity.masterKey;
+                    break;
+                case CrossSigningKey.SelfSigning:
+                    key = userIdentity.selfSigningKey;
+                    break;
+                case CrossSigningKey.UserSigning:
+                    key = userIdentity.userSigningKey;
+                    break;
+                default:
+                    // Unknown type
+                    return null;
+            }
+
+            const parsedKey: CrossSigningKeyInfo = JSON.parse(key);
+            // `keys` is an object with { [`ed25519:${pubKey}`]: pubKey }
+            // We assume only a single key, and we want the bare form without type
+            // prefix, so we select the values.
+            return Object.values(parsedKey.keys)[0];
+        } finally {
+            userIdentity.free();
+        }
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#bootstrapCrossSigning}
+     */
+    public async bootstrapCrossSigning(opts: BootstrapCrossSigningOpts): Promise<void> {
+        await this.crossSigningIdentity.bootstrapCrossSigning(opts);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#isSecretStorageReady}
+     */
+    public async isSecretStorageReady(): Promise<boolean> {
+        // make sure that the cross-signing keys are stored
+        const secretsToCheck = [
+            "m.cross_signing.master",
+            "m.cross_signing.user_signing",
+            "m.cross_signing.self_signing",
+        ];
+
+        // if key backup is active, we also need to check that the backup decryption key is stored
+        const keyBackupEnabled = (await this.backupManager.getActiveBackupVersion()) != null;
+        if (keyBackupEnabled) {
+            secretsToCheck.push("m.megolm_backup.v1");
+        }
+
+        return secretStorageCanAccessSecrets(this.secretStorage, secretsToCheck);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#bootstrapSecretStorage}
+     */
+    public async bootstrapSecretStorage({
+        createSecretStorageKey,
+        setupNewSecretStorage,
+        setupNewKeyBackup,
+    }: CreateSecretStorageOpts = {}): Promise<void> {
+        // If an AES Key is already stored in the secret storage and setupNewSecretStorage is not set
+        // we don't want to create a new key
+        const isNewSecretStorageKeyNeeded = setupNewSecretStorage || !(await this.secretStorageHasAESKey());
+
+        if (isNewSecretStorageKeyNeeded) {
+            if (!createSecretStorageKey) {
+                throw new Error("unable to create a new secret storage key, createSecretStorageKey is not set");
+            }
+
+            // Create a new storage key and add it to secret storage
+            this.logger.info("bootstrapSecretStorage: creating new secret storage key");
+            const recoveryKey = await createSecretStorageKey();
+            if (!recoveryKey) {
+                throw new Error("createSecretStorageKey() callback did not return a secret storage key");
+            }
+            await this.addSecretStorageKeyToSecretStorage(recoveryKey);
+        }
+
+        const crossSigningStatus: RustSdkCryptoJs.CrossSigningStatus = await this.olmMachine.crossSigningStatus();
+        const hasPrivateKeys =
+            crossSigningStatus.hasMaster && crossSigningStatus.hasSelfSigning && crossSigningStatus.hasUserSigning;
+
+        // If we have cross-signing private keys cached, store them in secret
+        // storage if they are not there already.
+        if (
+            hasPrivateKeys &&
+            (isNewSecretStorageKeyNeeded || !(await secretStorageContainsCrossSigningKeys(this.secretStorage)))
+        ) {
+            this.logger.info("bootstrapSecretStorage: cross-signing keys not yet exported; doing so now.");
+
+            const crossSigningPrivateKeys: RustSdkCryptoJs.CrossSigningKeyExport =
+                await this.olmMachine.exportCrossSigningKeys();
+
+            if (!crossSigningPrivateKeys.masterKey) {
+                throw new Error("missing master key in cross signing private keys");
+            }
+
+            if (!crossSigningPrivateKeys.userSigningKey) {
+                throw new Error("missing user signing key in cross signing private keys");
+            }
+
+            if (!crossSigningPrivateKeys.self_signing_key) {
+                throw new Error("missing self signing key in cross signing private keys");
+            }
+
+            await this.secretStorage.store("m.cross_signing.master", crossSigningPrivateKeys.masterKey);
+            await this.secretStorage.store("m.cross_signing.user_signing", crossSigningPrivateKeys.userSigningKey);
+            await this.secretStorage.store("m.cross_signing.self_signing", crossSigningPrivateKeys.self_signing_key);
+        }
+
+        if (setupNewKeyBackup) {
+            await this.resetKeyBackup();
+        }
+    }
+
+    /**
+     * Add the secretStorage key to the secret storage
+     * - The secret storage key must have the `keyInfo` field filled
+     * - The secret storage key is set as the default key of the secret storage
+     * - Call `cryptoCallbacks.cacheSecretStorageKey` when done
+     *
+     * @param secretStorageKey - The secret storage key to add in the secret storage.
+     */
+    private async addSecretStorageKeyToSecretStorage(secretStorageKey: GeneratedSecretStorageKey): Promise<void> {
+        const secretStorageKeyObject = await this.secretStorage.addKey(SECRET_STORAGE_ALGORITHM_V1_AES, {
+            passphrase: secretStorageKey.keyInfo?.passphrase,
+            name: secretStorageKey.keyInfo?.name,
+            key: secretStorageKey.privateKey,
+        });
+
+        await this.secretStorage.setDefaultKeyId(secretStorageKeyObject.keyId);
+
+        this.cryptoCallbacks.cacheSecretStorageKey?.(
+            secretStorageKeyObject.keyId,
+            secretStorageKeyObject.keyInfo,
+            secretStorageKey.privateKey,
+        );
+    }
+
+    /**
+     * Check if a secret storage AES Key is already added in secret storage
+     *
+     * @returns True if an AES key is in the secret storage
+     */
+    private async secretStorageHasAESKey(): Promise<boolean> {
+        // See if we already have an AES secret-storage key.
+        const secretStorageKeyTuple = await this.secretStorage.getKey();
+
+        if (!secretStorageKeyTuple) return false;
+
+        const [, keyInfo] = secretStorageKeyTuple;
+
+        // Check if the key is an AES key
+        return keyInfo.algorithm === SECRET_STORAGE_ALGORITHM_V1_AES;
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#getCrossSigningStatus}
+     */
+    public async getCrossSigningStatus(): Promise<CrossSigningStatus> {
+        const userIdentity: RustSdkCryptoJs.OwnUserIdentity | null = await this.getOlmMachineOrThrow().getIdentity(
+            new RustSdkCryptoJs.UserId(this.userId),
+        );
+
+        const publicKeysOnDevice =
+            Boolean(userIdentity?.masterKey) &&
+            Boolean(userIdentity?.selfSigningKey) &&
+            Boolean(userIdentity?.userSigningKey);
+        userIdentity?.free();
+
+        const privateKeysInSecretStorage = await secretStorageContainsCrossSigningKeys(this.secretStorage);
+        const crossSigningStatus: RustSdkCryptoJs.CrossSigningStatus | null =
+            await this.getOlmMachineOrThrow().crossSigningStatus();
+
+        return {
+            publicKeysOnDevice,
+            privateKeysInSecretStorage,
+            privateKeysCachedLocally: {
+                masterKey: Boolean(crossSigningStatus?.hasMaster),
+                userSigningKey: Boolean(crossSigningStatus?.hasUserSigning),
+                selfSigningKey: Boolean(crossSigningStatus?.hasSelfSigning),
+            },
+        };
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#createRecoveryKeyFromPassphrase}
+     */
+    public async createRecoveryKeyFromPassphrase(password?: string): Promise<GeneratedSecretStorageKey> {
+        if (password) {
+            // Generate the key from the passphrase
+            // first we generate a random salt
+            const salt = randomString(32);
+            // then we derive the key from the passphrase
+            const recoveryKey = await deriveRecoveryKeyFromPassphrase(
+                password,
+                salt,
+                this.RECOVERY_KEY_DERIVATION_ITERATIONS,
+            );
+            return {
+                keyInfo: {
+                    passphrase: {
+                        algorithm: "m.pbkdf2",
+                        iterations: this.RECOVERY_KEY_DERIVATION_ITERATIONS,
+                        salt,
+                    },
+                },
+                privateKey: recoveryKey,
+                encodedPrivateKey: encodeRecoveryKey(recoveryKey),
+            };
+        } else {
+            // Using the navigator crypto API to generate the private key
+            const key = new Uint8Array(32);
+            globalThis.crypto.getRandomValues(key);
+            return {
+                privateKey: key,
+                encodedPrivateKey: encodeRecoveryKey(key),
+            };
+        }
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#getEncryptionInfoForEvent}.
+     */
+    public async getEncryptionInfoForEvent(event: MatrixEvent): Promise<EventEncryptionInfo | null> {
+        return this.eventDecryptor.getEncryptionInfoForEvent(event);
+    }
+
+    /**
+     * Returns to-device verification requests that are already in progress for the given user id.
+     *
+     * Implementation of {@link CryptoApi#getVerificationRequestsToDeviceInProgress}
+     *
+     * @param userId - the ID of the user to query
+     *
+     * @returns the VerificationRequests that are in progress
+     */
+    public getVerificationRequestsToDeviceInProgress(userId: string): VerificationRequest[] {
+        const requests: RustSdkCryptoJs.VerificationRequest[] = this.olmMachine.getVerificationRequests(
+            new RustSdkCryptoJs.UserId(userId),
+        );
+        return requests
+            .filter((request) => request.roomId === undefined)
+            .map(
+                (request) =>
+                    new RustVerificationRequest(
+                        this.olmMachine,
+                        request,
+                        this.outgoingRequestProcessor,
+                        this._supportedVerificationMethods,
+                    ),
+            );
+    }
+
+    /**
+     * Finds a DM verification request that is already in progress for the given room id
+     *
+     * Implementation of {@link CryptoApi#findVerificationRequestDMInProgress}
+     *
+     * @param roomId - the room to use for verification
+     * @param userId - search the verification request for the given user
+     *
+     * @returns the VerificationRequest that is in progress, if any
+     *
+     */
+    public findVerificationRequestDMInProgress(roomId: string, userId?: string): VerificationRequest | undefined {
+        if (!userId) throw new Error("missing userId");
+
+        const requests: RustSdkCryptoJs.VerificationRequest[] = this.olmMachine.getVerificationRequests(
+            new RustSdkCryptoJs.UserId(userId),
+        );
+
+        // Search for the verification request for the given room id
+        const request = requests.find((request) => request.roomId?.toString() === roomId);
+
+        if (request) {
+            return new RustVerificationRequest(
+                this.olmMachine,
+                request,
+                this.outgoingRequestProcessor,
+                this._supportedVerificationMethods,
+            );
+        }
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#requestVerificationDM}
+     */
+    public async requestVerificationDM(userId: string, roomId: string): Promise<VerificationRequest> {
+        const userIdentity: RustSdkCryptoJs.UserIdentity | undefined = await this.olmMachine.getIdentity(
+            new RustSdkCryptoJs.UserId(userId),
+        );
+
+        if (!userIdentity) throw new Error(`unknown userId ${userId}`);
+
+        try {
+            // Transform the verification methods into rust objects
+            const methods = this._supportedVerificationMethods.map((method) =>
+                verificationMethodIdentifierToMethod(method),
+            );
+            // Get the request content to send to the DM room
+            const verificationEventContent: string = await userIdentity.verificationRequestContent(methods);
+
+            // Send the request content to send to the DM room
+            const eventId = await this.sendVerificationRequestContent(roomId, verificationEventContent);
+
+            // Get a verification request
+            const request: RustSdkCryptoJs.VerificationRequest = await userIdentity.requestVerification(
+                new RustSdkCryptoJs.RoomId(roomId),
+                new RustSdkCryptoJs.EventId(eventId),
+                methods,
+            );
+            return new RustVerificationRequest(
+                this.olmMachine,
+                request,
+                this.outgoingRequestProcessor,
+                this._supportedVerificationMethods,
+            );
+        } finally {
+            userIdentity.free();
+        }
+    }
+
+    /**
+     * Send the verification content to a room
+     * See https://spec.matrix.org/v1.7/client-server-api/#put_matrixclientv3roomsroomidsendeventtypetxnid
+     *
+     * Prefer to use {@link OutgoingRequestProcessor.makeOutgoingRequest} when dealing with {@link RustSdkCryptoJs.RoomMessageRequest}
+     *
+     * @param roomId - the targeted room
+     * @param verificationEventContent - the request body.
+     *
+     * @returns the event id
+     */
+    private async sendVerificationRequestContent(roomId: string, verificationEventContent: string): Promise<string> {
+        const txId = randomString(32);
+        // Send the verification request content to the DM room
+        const { event_id: eventId } = await this.http.authedRequest<{ event_id: string }>(
+            Method.Put,
+            `/_matrix/client/v3/rooms/${encodeURIComponent(roomId)}/send/m.room.message/${encodeURIComponent(txId)}`,
+            undefined,
+            verificationEventContent,
+            {
+                prefix: "",
+            },
+        );
+
+        return eventId;
+    }
+
+    /**
+     * The verification methods we offer to the other side during an interactive verification.
+     */
+    private _supportedVerificationMethods: string[] = ALL_VERIFICATION_METHODS;
+
+    /**
+     * Set the verification methods we offer to the other side during an interactive verification.
+     *
+     * If `undefined`, we will offer all the methods supported by the Rust SDK.
+     */
+    public setSupportedVerificationMethods(methods: string[] | undefined): void {
+        // by default, the Rust SDK does not offer `m.qr_code.scan.v1`, but we do want to offer that.
+        this._supportedVerificationMethods = methods ?? ALL_VERIFICATION_METHODS;
+    }
+
+    /**
+     * Send a verification request to our other devices.
+     *
+     * If a verification is already in flight, returns it. Otherwise, initiates a new one.
+     *
+     * Implementation of {@link CryptoApi#requestOwnUserVerification}.
+     *
+     * @returns a VerificationRequest when the request has been sent to the other party.
+     */
+    public async requestOwnUserVerification(): Promise<VerificationRequest> {
+        const userIdentity: RustSdkCryptoJs.OwnUserIdentity | undefined = await this.olmMachine.getIdentity(
+            new RustSdkCryptoJs.UserId(this.userId),
+        );
+        if (userIdentity === undefined) {
+            throw new Error("cannot request verification for this device when there is no existing cross-signing key");
+        }
+
+        try {
+            const [request, outgoingRequest]: [RustSdkCryptoJs.VerificationRequest, RustSdkCryptoJs.ToDeviceRequest] =
+                await userIdentity.requestVerification(
+                    this._supportedVerificationMethods.map(verificationMethodIdentifierToMethod),
+                );
+            await this.outgoingRequestProcessor.makeOutgoingRequest(outgoingRequest);
+            return new RustVerificationRequest(
+                this.olmMachine,
+                request,
+                this.outgoingRequestProcessor,
+                this._supportedVerificationMethods,
+            );
+        } finally {
+            userIdentity.free();
+        }
+    }
+
+    /**
+     * Request an interactive verification with the given device.
+     *
+     * If a verification is already in flight, returns it. Otherwise, initiates a new one.
+     *
+     * Implementation of {@link CryptoApi#requestDeviceVerification}.
+     *
+     * @param userId - ID of the owner of the device to verify
+     * @param deviceId - ID of the device to verify
+     *
+     * @returns a VerificationRequest when the request has been sent to the other party.
+     */
+    public async requestDeviceVerification(userId: string, deviceId: string): Promise<VerificationRequest> {
+        const device: RustSdkCryptoJs.Device | undefined = await this.olmMachine.getDevice(
+            new RustSdkCryptoJs.UserId(userId),
+            new RustSdkCryptoJs.DeviceId(deviceId),
+        );
+
+        if (!device) {
+            throw new Error("Not a known device");
+        }
+
+        try {
+            const [request, outgoingRequest] = device.requestVerification(
+                this._supportedVerificationMethods.map(verificationMethodIdentifierToMethod),
+            );
+            await this.outgoingRequestProcessor.makeOutgoingRequest(outgoingRequest);
+            return new RustVerificationRequest(
+                this.olmMachine,
+                request,
+                this.outgoingRequestProcessor,
+                this._supportedVerificationMethods,
+            );
+        } finally {
+            device.free();
+        }
+    }
+
+    /**
+     * Fetch the backup decryption key we have saved in our store.
+     *
+     * Implementation of {@link CryptoApi#getSessionBackupPrivateKey}.
+     *
+     * @returns the key, if any, or null
+     */
+    public async getSessionBackupPrivateKey(): Promise<Uint8Array | null> {
+        const backupKeys: RustSdkCryptoJs.BackupKeys = await this.olmMachine.getBackupKeys();
+        if (!backupKeys.decryptionKey) return null;
+        return Buffer.from(backupKeys.decryptionKey.toBase64(), "base64");
+    }
+
+    /**
+     * Store the backup decryption key.
+     *
+     * Implementation of {@link CryptoApi#storeSessionBackupPrivateKey}.
+     *
+     * @param key - the backup decryption key
+     * @param version - the backup version for this key.
+     */
+    public async storeSessionBackupPrivateKey(key: Uint8Array, version?: string): Promise<void> {
+        const base64Key = encodeBase64(key);
+
+        if (!version) {
+            throw new Error("storeSessionBackupPrivateKey: version is required");
+        }
+
+        await this.backupManager.saveBackupDecryptionKey(
+            RustSdkCryptoJs.BackupDecryptionKey.fromBase64(base64Key),
+            version,
+        );
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#loadSessionBackupPrivateKeyFromSecretStorage}.
+     */
+    public async loadSessionBackupPrivateKeyFromSecretStorage(): Promise<void> {
+        const backupKey = await this.secretStorage.get("m.megolm_backup.v1");
+        if (!backupKey) {
+            throw new Error("loadSessionBackupPrivateKeyFromSecretStorage: missing decryption key in secret storage");
+        }
+
+        const keyBackupInfo = await this.backupManager.getServerBackupInfo();
+        if (!keyBackupInfo || !keyBackupInfo.version) {
+            throw new Error("loadSessionBackupPrivateKeyFromSecretStorage: unable to get backup version");
+        }
+
+        const backupDecryptionKey = RustSdkCryptoJs.BackupDecryptionKey.fromBase64(backupKey);
+        if (!decryptionKeyMatchesKeyBackupInfo(backupDecryptionKey, keyBackupInfo)) {
+            throw new Error("loadSessionBackupPrivateKeyFromSecretStorage: decryption key does not match backup info");
+        }
+
+        await this.backupManager.saveBackupDecryptionKey(backupDecryptionKey, keyBackupInfo.version);
+    }
+
+    /**
+     * Get the current status of key backup.
+     *
+     * Implementation of {@link CryptoApi#getActiveSessionBackupVersion}.
+     */
+    public async getActiveSessionBackupVersion(): Promise<string | null> {
+        return await this.backupManager.getActiveBackupVersion();
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#getKeyBackupInfo}.
+     */
+    public async getKeyBackupInfo(): Promise<KeyBackupInfo | null> {
+        return (await this.backupManager.getServerBackupInfo()) || null;
+    }
+
+    /**
+     * Determine if a key backup can be trusted.
+     *
+     * Implementation of {@link CryptoApi#isKeyBackupTrusted}.
+     */
+    public async isKeyBackupTrusted(info: KeyBackupInfo): Promise<BackupTrustInfo> {
+        return await this.backupManager.isKeyBackupTrusted(info);
+    }
+
+    /**
+     * Force a re-check of the key backup and enable/disable it as appropriate.
+     *
+     * Implementation of {@link CryptoApi#checkKeyBackupAndEnable}.
+     */
+    public async checkKeyBackupAndEnable(): Promise<KeyBackupCheck | null> {
+        return await this.backupManager.checkKeyBackupAndEnable(true);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#deleteKeyBackupVersion}.
+     */
+    public async deleteKeyBackupVersion(version: string): Promise<void> {
+        await this.backupManager.deleteKeyBackupVersion(version);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#resetKeyBackup}.
+     */
+    public async resetKeyBackup(): Promise<void> {
+        const backupInfo = await this.backupManager.setupKeyBackup((o) => this.signObject(o));
+
+        // we want to store the private key in 4S
+        // need to check if 4S is set up?
+        if (await this.secretStorageHasAESKey()) {
+            await this.secretStorage.store("m.megolm_backup.v1", backupInfo.decryptionKey.toBase64());
+        }
+
+        // we can check and start async
+        this.checkKeyBackupAndEnable();
+    }
+
+    /**
+     * Signs the given object with the current device and current identity (if available).
+     * As defined in {@link https://spec.matrix.org/v1.8/appendices/#signing-json | Signing JSON}.
+     *
+     * Helper for {@link RustCrypto#resetKeyBackup}.
+     *
+     * @param obj - The object to sign
+     */
+    private async signObject<T extends ISignableObject & object>(obj: T): Promise<void> {
+        const sigs = new Map(Object.entries(obj.signatures || {}));
+        const unsigned = obj.unsigned;
+
+        delete obj.signatures;
+        delete obj.unsigned;
+
+        const userSignatures = sigs.get(this.userId) || {};
+
+        const canonalizedJson = anotherjson.stringify(obj);
+        const signatures: RustSdkCryptoJs.Signatures = await this.olmMachine.sign(canonalizedJson);
+
+        const map = JSON.parse(signatures.asJSON());
+
+        sigs.set(this.userId, { ...userSignatures, ...map[this.userId] });
+
+        if (unsigned !== undefined) obj.unsigned = unsigned;
+        obj.signatures = Object.fromEntries(sigs.entries());
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#restoreKeyBackupWithPassphrase}.
+     */
+    public async restoreKeyBackupWithPassphrase(
+        passphrase: string,
+        opts?: KeyBackupRestoreOpts,
+    ): Promise<KeyBackupRestoreResult> {
+        const backupInfo = await this.backupManager.getServerBackupInfo();
+        if (!backupInfo?.version) {
+            throw new Error("No backup info available");
+        }
+
+        const privateKey = await keyFromAuthData(backupInfo.auth_data, passphrase);
+
+        // Cache the key
+        await this.storeSessionBackupPrivateKey(privateKey, backupInfo.version);
+        return this.restoreKeyBackup(opts);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#restoreKeyBackup}.
+     */
+    public async restoreKeyBackup(opts?: KeyBackupRestoreOpts): Promise<KeyBackupRestoreResult> {
+        // Get the decryption key from the crypto store
+        const backupKeys: RustSdkCryptoJs.BackupKeys = await this.olmMachine.getBackupKeys();
+        const { decryptionKey, backupVersion } = backupKeys;
+        if (!decryptionKey || !backupVersion) throw new Error("No decryption key found in crypto store");
+
+        const decodedDecryptionKey = decodeBase64(decryptionKey.toBase64());
+
+        const backupInfo = await this.backupManager.requestKeyBackupVersion(backupVersion);
+        if (!backupInfo) throw new Error(`Backup version to restore ${backupVersion} not found on server`);
+
+        const backupDecryptor = await this.getBackupDecryptor(backupInfo, decodedDecryptionKey);
+
+        try {
+            opts?.progressCallback?.({
+                stage: "fetch",
+            });
+
+            return await this.backupManager.restoreKeyBackup(backupVersion, backupDecryptor, opts);
+        } finally {
+            // Free to avoid to keep in memory the decryption key stored in it. To avoid to exposing it to an attacker.
+            backupDecryptor.free();
+        }
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#isDehydrationSupported}.
+     */
+    public async isDehydrationSupported(): Promise<boolean> {
+        return await this.dehydratedDeviceManager.isSupported();
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#startDehydration}.
+     */
+    public async startDehydration(createNewKey?: boolean): Promise<void> {
+        if (!(await this.isCrossSigningReady()) || !(await this.isSecretStorageReady())) {
+            throw new Error("Device dehydration requires cross-signing and secret storage to be set up");
+        }
+        return await this.dehydratedDeviceManager.start(createNewKey);
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#importSecretsBundle}.
+     */
+    public async importSecretsBundle(
+        secrets: Parameters<NonNullable<CryptoApi["importSecretsBundle"]>>[0],
+    ): Promise<void> {
+        const secretsBundle = RustSdkCryptoJs.SecretsBundle.from_json(secrets);
+        await this.getOlmMachineOrThrow().importSecretsBundle(secretsBundle); // this method frees the SecretsBundle
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#exportSecretsBundle}.
+     */
+    public async exportSecretsBundle(): ReturnType<NonNullable<CryptoApi["exportSecretsBundle"]>> {
+        const secretsBundle = await this.getOlmMachineOrThrow().exportSecretsBundle();
+        const secrets = secretsBundle.to_json();
+        secretsBundle.free();
+        return secrets;
+    }
+
+    /**
+     * Implementation of {@link CryptoApi#encryptToDeviceMessages}.
+     */
+    public async encryptToDeviceMessages(
+        eventType: string,
+        devices: { userId: string; deviceId: string }[],
+        payload: ToDevicePayload,
+    ): Promise<ToDeviceBatch> {
+        const logger = new LogSpan(this.logger, "encryptToDeviceMessages");
+        const uniqueUsers = new Set(devices.map(({ userId }) => userId));
+
+        // This will ensure we have Olm sessions for all of the users' devices.
+        // However, we only care about some of the devices.
+        // So, perhaps we can optimise this later on.
+        await this.keyClaimManager.ensureSessionsForUsers(
+            logger,
+            Array.from(uniqueUsers).map((userId) => new RustSdkCryptoJs.UserId(userId)),
+        );
+        const batch: ToDeviceBatch = {
+            batch: [],
+            eventType: EventType.RoomMessageEncrypted,
+        };
+
+        await Promise.all(
+            devices.map(async ({ userId, deviceId }) => {
+                const device: RustSdkCryptoJs.Device | undefined = await this.olmMachine.getDevice(
+                    new RustSdkCryptoJs.UserId(userId),
+                    new RustSdkCryptoJs.DeviceId(deviceId),
+                );
+
+                if (device) {
+                    const encryptedPayload = JSON.parse(await device.encryptToDeviceEvent(eventType, payload));
+                    batch.batch.push({
+                        deviceId,
+                        userId,
+                        payload: encryptedPayload,
+                    });
+                } else {
+                    this.logger.warn(`encryptToDeviceMessages: unknown device ${userId}:${deviceId}`);
+                }
+            }),
+        );
+
+        return batch;
+    }
+
+    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+    //
+    // SyncCryptoCallbacks implementation
+    //
+    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /**
+     * Apply sync changes to the olm machine
+     * @param events - the received to-device messages
+     * @param oneTimeKeysCounts - the received one time key counts
+     * @param unusedFallbackKeys - the received unused fallback keys
+     * @param devices - the received device list updates
+     * @returns A list of preprocessed to-device messages.
+     */
+    private async receiveSyncChanges({
+        events,
+        oneTimeKeysCounts = new Map<string, number>(),
+        unusedFallbackKeys,
+        devices = new RustSdkCryptoJs.DeviceLists(),
+    }: {
+        events?: IToDeviceEvent[];
+        oneTimeKeysCounts?: Map<string, number>;
+        unusedFallbackKeys?: Set<string>;
+        devices?: RustSdkCryptoJs.DeviceLists;
+    }): Promise<IToDeviceEvent[]> {
+        const result = await logDuration(logger, "receiveSyncChanges", async () => {
+            return await this.olmMachine.receiveSyncChanges(
+                events ? JSON.stringify(events) : "[]",
+                devices,
+                oneTimeKeysCounts,
+                unusedFallbackKeys,
+            );
+        });
+
+        // receiveSyncChanges returns a JSON-encoded list of decrypted to-device messages.
+        return JSON.parse(result);
+    }
+
+    /** called by the sync loop to preprocess incoming to-device messages
+     *
+     * @param events - the received to-device messages
+     * @returns A list of preprocessed to-device messages.
+     */
+    public async preprocessToDeviceMessages(events: IToDeviceEvent[]): Promise<IToDeviceEvent[]> {
+        // send the received to-device messages into receiveSyncChanges. We have no info on device-list changes,
+        // one-time-keys, or fallback keys, so just pass empty data.
+        const processed = await this.receiveSyncChanges({ events });
+
+        // look for interesting to-device messages
+        for (const message of processed) {
+            if (message.type === EventType.KeyVerificationRequest) {
+                const sender = message.sender;
+                const transactionId = message.content.transaction_id;
+                if (transactionId && sender) {
+                    this.onIncomingKeyVerificationRequest(sender, transactionId);
+                }
+            }
+        }
+        return processed;
+    }
+
+    /** called by the sync loop to process one time key counts and unused fallback keys
+     *
+     * @param oneTimeKeysCounts - the received one time key counts
+     * @param unusedFallbackKeys - the received unused fallback keys
+     */
+    public async processKeyCounts(
+        oneTimeKeysCounts?: Record<string, number>,
+        unusedFallbackKeys?: string[],
+    ): Promise<void> {
+        const mapOneTimeKeysCount = oneTimeKeysCounts && new Map<string, number>(Object.entries(oneTimeKeysCounts));
+        const setUnusedFallbackKeys = unusedFallbackKeys && new Set<string>(unusedFallbackKeys);
+
+        if (mapOneTimeKeysCount !== undefined || setUnusedFallbackKeys !== undefined) {
+            await this.receiveSyncChanges({
+                oneTimeKeysCounts: mapOneTimeKeysCount,
+                unusedFallbackKeys: setUnusedFallbackKeys,
+            });
+        }
+    }
+
+    /** called by the sync loop to process the notification that device lists have
+     * been changed.
+     *
+     * @param deviceLists - device_lists field from /sync
+     */
+    public async processDeviceLists(deviceLists: IDeviceLists): Promise<void> {
+        const devices = new RustSdkCryptoJs.DeviceLists(
+            deviceLists.changed?.map((userId) => new RustSdkCryptoJs.UserId(userId)),
+            deviceLists.left?.map((userId) => new RustSdkCryptoJs.UserId(userId)),
+        );
+        await this.receiveSyncChanges({ devices });
+    }
+
+    /** called by the sync loop on m.room.encrypted events
+     *
+     * @param room - in which the event was received
+     * @param event - encryption event to be processed
+     */
+    public async onCryptoEvent(room: Room, event: MatrixEvent): Promise<void> {
+        const config = event.getContent();
+        const settings = new RustSdkCryptoJs.RoomSettings();
+
+        if (config.algorithm === "m.megolm.v1.aes-sha2") {
+            settings.algorithm = RustSdkCryptoJs.EncryptionAlgorithm.MegolmV1AesSha2;
+        } else {
+            // Among other situations, this happens if the crypto state event is redacted.
+            this.logger.warn(`Room ${room.roomId}: ignoring crypto event with invalid algorithm ${config.algorithm}`);
+            return;
+        }
+
+        try {
+            settings.sessionRotationPeriodMs = config.rotation_period_ms;
+            settings.sessionRotationPeriodMessages = config.rotation_period_msgs;
+            await this.olmMachine.setRoomSettings(new RustSdkCryptoJs.RoomId(room.roomId), settings);
+        } catch (e) {
+            this.logger.warn(`Room ${room.roomId}: ignoring crypto event which caused error: ${e}`);
+            return;
+        }
+
+        // If we got this far, the SDK found the event acceptable.
+        // We need to either create or update the active RoomEncryptor.
+        const existingEncryptor = this.roomEncryptors[room.roomId];
+        if (existingEncryptor) {
+            existingEncryptor.onCryptoEvent(config);
+        } else {
+            this.roomEncryptors[room.roomId] = new RoomEncryptor(
+                this.olmMachine,
+                this.keyClaimManager,
+                this.outgoingRequestsManager,
+                room,
+                config,
+            );
+        }
+    }
+
+    /** called by the sync loop after processing each sync.
+     *
+     * TODO: figure out something equivalent for sliding sync.
+     *
+     * @param syncState - information on the completed sync.
+     */
+    public onSyncCompleted(syncState: OnSyncCompletedData): void {
+        // Processing the /sync may have produced new outgoing requests which need sending, so kick off the outgoing
+        // request loop, if it's not already running.
+        this.outgoingRequestsManager.doProcessOutgoingRequests().catch((e) => {
+            this.logger.warn("onSyncCompleted: Error processing outgoing requests", e);
+        });
+    }
+
+    /**
+     * Handle an incoming m.key.verification.request event, received either in-room or in a to-device message.
+     *
+     * @param sender - the sender of the event
+     * @param transactionId - the transaction ID for the verification. For to-device messages, this comes from the
+     *    content of the message; for in-room messages it is the event ID.
+     */
+    private onIncomingKeyVerificationRequest(sender: string, transactionId: string): void {
+        const request: RustSdkCryptoJs.VerificationRequest | undefined = this.olmMachine.getVerificationRequest(
+            new RustSdkCryptoJs.UserId(sender),
+            transactionId,
+        );
+
+        if (request) {
+            this.emit(
+                CryptoEvent.VerificationRequestReceived,
+                new RustVerificationRequest(
+                    this.olmMachine,
+                    request,
+                    this.outgoingRequestProcessor,
+                    this._supportedVerificationMethods,
+                ),
+            );
+        } else {
+            // There are multiple reasons this can happen; probably the most likely is that the event is an
+            // in-room event which is too old.
+            this.logger.info(
+                `Ignoring just-received verification request ${transactionId} which did not start a rust-side verification`,
+            );
+        }
+    }
+
+    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+    //
+    // Other public functions
+    //
+    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /** called by the MatrixClient on a room membership event
+     *
+     * @param event - The matrix event which caused this event to fire.
+     * @param member - The member whose RoomMember.membership changed.
+     * @param oldMembership - The previous membership state. Null if it's a new member.
+     */
+    public onRoomMembership(event: MatrixEvent, member: RoomMember, oldMembership?: string): void {
+        const enc = this.roomEncryptors[event.getRoomId()!];
+        if (!enc) {
+            // not encrypting in this room
+            return;
+        }
+        enc.onRoomMembership(member);
+    }
+
+    /** Callback for OlmMachine.registerRoomKeyUpdatedCallback
+     *
+     * Called by the rust-sdk whenever there is an update to (megolm) room keys. We
+     * check if we have any events waiting for the given keys, and schedule them for
+     * a decryption retry if so.
+     *
+     * @param keys - details of the updated keys
+     */
+    public async onRoomKeysUpdated(keys: RustSdkCryptoJs.RoomKeyInfo[]): Promise<void> {
+        for (const key of keys) {
+            this.onRoomKeyUpdated(key);
+        }
+        this.backupManager.maybeUploadKey();
+    }
+
+    private onRoomKeyUpdated(key: RustSdkCryptoJs.RoomKeyInfo): void {
+        if (this.stopped) return;
+        this.logger.debug(
+            `Got update for session ${key.sessionId} from sender ${key.senderKey.toBase64()} in ${key.roomId.toString()}`,
+        );
+        const pendingList = this.eventDecryptor.getEventsPendingRoomKey(key.roomId.toString(), key.sessionId);
+        if (pendingList.length === 0) return;
+
+        this.logger.debug(
+            "Retrying decryption on events:",
+            pendingList.map((e) => `${e.getId()}`),
+        );
+
+        // Have another go at decrypting events with this key.
+        //
+        // We don't want to end up blocking the callback from Rust, which could otherwise end up dropping updates,
+        // so we don't wait for the decryption to complete. In any case, there is no need to wait:
+        // MatrixEvent.attemptDecryption ensures that there is only one decryption attempt happening at once,
+        // and deduplicates repeated attempts for the same event.
+        for (const ev of pendingList) {
+            ev.attemptDecryption(this, { isRetry: true }).catch((_e) => {
+                this.logger.info(`Still unable to decrypt event ${ev.getId()} after receiving key`);
+            });
+        }
+    }
+
+    /**
+     * Callback for `OlmMachine.registerRoomKeyWithheldCallback`.
+     *
+     * Called by the rust sdk whenever we are told that a key has been withheld. We see if we had any events that
+     * failed to decrypt for the given session, and update their status if so.
+     *
+     * @param withheld - Details of the withheld sessions.
+     */
+    public async onRoomKeysWithheld(withheld: RustSdkCryptoJs.RoomKeyWithheldInfo[]): Promise<void> {
+        for (const session of withheld) {
+            this.logger.debug(`Got withheld message for session ${session.sessionId} in ${session.roomId.toString()}`);
+            const pendingList = this.eventDecryptor.getEventsPendingRoomKey(
+                session.roomId.toString(),
+                session.sessionId,
+            );
+            if (pendingList.length === 0) return;
+
+            // The easiest way to update the status of the event is to have another go at decrypting it.
+            this.logger.debug(
+                "Retrying decryption on events:",
+                pendingList.map((e) => `${e.getId()}`),
+            );
+
+            for (const ev of pendingList) {
+                ev.attemptDecryption(this, { isRetry: true }).catch((_e) => {
+                    // It's somewhat expected that we still can't decrypt here.
+                });
+            }
+        }
+    }
+
+    /**
+     * Callback for `OlmMachine.registerUserIdentityUpdatedCallback`
+     *
+     * Called by the rust-sdk whenever there is an update to any user's cross-signing status. We re-check their trust
+     * status and emit a `UserTrustStatusChanged` event, as well as a `KeysChanged` if it is our own identity that changed.
+     *
+     * @param userId - the user with the updated identity
+     */
+    public async onUserIdentityUpdated(userId: RustSdkCryptoJs.UserId): Promise<void> {
+        const newVerification = await this.getUserVerificationStatus(userId.toString());
+        this.emit(CryptoEvent.UserTrustStatusChanged, userId.toString(), newVerification);
+
+        // If our own user identity has changed, we may now trust the key backup where we did not before.
+        // So, re-check the key backup status and enable it if available.
+        if (userId.toString() === this.userId) {
+            this.emit(CryptoEvent.KeysChanged, {});
+            await this.checkKeyBackupAndEnable();
+        }
+    }
+
+    /**
+     * Callback for `OlmMachine.registerDevicesUpdatedCallback`
+     *
+     * Called when users' devices have updated. Emits `WillUpdateDevices` and `DevicesUpdated`. In the JavaScript
+     * crypto backend, these events are called at separate times, with `WillUpdateDevices` being emitted just before
+     * the devices are saved, and `DevicesUpdated` being emitted just after. But the OlmMachine only gives us
+     * one event, so we emit both events here.
+     *
+     * @param userIds - an array of user IDs of users whose devices have updated.
+     */
+    public async onDevicesUpdated(userIds: string[]): Promise<void> {
+        this.emit(CryptoEvent.WillUpdateDevices, userIds, false);
+        this.emit(CryptoEvent.DevicesUpdated, userIds, false);
+    }
+
+    /**
+     * Handles secret received from the rust secret inbox.
+     *
+     * The gossipped secrets are received using the `m.secret.send` event type
+     * and are guaranteed to have been received over a 1-to-1 Olm
+     * Session from a verified device.
+     *
+     * The only secret currently handled in this way is `m.megolm_backup.v1`.
+     *
+     * @param name - the secret name
+     * @param value - the secret value
+     */
+    private async handleSecretReceived(name: string, value: string): Promise<boolean> {
+        this.logger.debug(`onReceiveSecret: Received secret ${name}`);
+        if (name === "m.megolm_backup.v1") {
+            return await this.backupManager.handleBackupSecretReceived(value);
+            // XXX at this point we should probably try to download the backup and import the keys,
+            // or at least retry for the current decryption failures?
+            // Maybe add some signaling when a new secret is received, and let clients handle it?
+            // as it's where the restore from backup APIs are exposed.
+        }
+        return false;
+    }
+
+    /**
+     * Called when a new secret is received in the rust secret inbox.
+     *
+     * Will poll the secret inbox and handle the secrets received.
+     *
+     * @param name - The name of the secret received.
+     */
+    public async checkSecrets(name: string): Promise<void> {
+        const pendingValues: string[] = await this.olmMachine.getSecretsFromInbox(name);
+        for (const value of pendingValues) {
+            if (await this.handleSecretReceived(name, value)) {
+                // If we have a valid secret for that name there is no point of processing the other secrets values.
+                // It's probably the same secret shared by another device.
+                break;
+            }
+        }
+
+        // Important to call this after handling the secrets as good hygiene.
+        await this.olmMachine.deleteSecretsFromInbox(name);
+    }
+
+    /**
+     * Handle a live event received via /sync.
+     * See {@link ClientEventHandlerMap#event}
+     *
+     * @param event - live event
+     */
+    public async onLiveEventFromSync(event: MatrixEvent): Promise<void> {
+        // Ignore state event or remote echo
+        // transaction_id is provided in case of remote echo {@link https://spec.matrix.org/v1.7/client-server-api/#local-echo}
+        if (event.isState() || !!event.getUnsigned().transaction_id) return;
+
+        const processEvent = async (evt: MatrixEvent): Promise<void> => {
+            // Process only verification event
+            if (isVerificationEvent(event)) {
+                await this.onKeyVerificationEvent(evt);
+            }
+        };
+
+        // If the event is encrypted of in failure, we wait for decryption
+        if (event.isDecryptionFailure() || event.isEncrypted()) {
+            // 5 mins
+            const TIMEOUT_DELAY = 5 * 60 * 1000;
+
+            // After 5mins, we are not expecting the event to be decrypted
+            const timeoutId = setTimeout(() => event.off(MatrixEventEvent.Decrypted, onDecrypted), TIMEOUT_DELAY);
+
+            const onDecrypted = (decryptedEvent: MatrixEvent, error?: Error): void => {
+                if (error) return;
+
+                clearTimeout(timeoutId);
+                event.off(MatrixEventEvent.Decrypted, onDecrypted);
+                processEvent(decryptedEvent);
+            };
+
+            event.on(MatrixEventEvent.Decrypted, onDecrypted);
+        } else {
+            await processEvent(event);
+        }
+    }
+
+    /**
+     * Handle an in-room key verification event.
+     *
+     * @param event - a key validation request event.
+     */
+    private async onKeyVerificationEvent(event: MatrixEvent): Promise<void> {
+        const roomId = event.getRoomId();
+
+        if (!roomId) {
+            throw new Error("missing roomId in the event");
+        }
+
+        this.logger.debug(
+            `Incoming verification event ${event.getId()} type ${event.getType()} from ${event.getSender()}`,
+        );
+
+        await this.olmMachine.receiveVerificationEvent(
+            JSON.stringify({
+                event_id: event.getId(),
+                type: event.getType(),
+                sender: event.getSender(),
+                state_key: event.getStateKey(),
+                content: event.getContent(),
+                origin_server_ts: event.getTs(),
+            }),
+            new RustSdkCryptoJs.RoomId(roomId),
+        );
+
+        if (
+            event.getType() === EventType.RoomMessage &&
+            event.getContent().msgtype === MsgType.KeyVerificationRequest
+        ) {
+            this.onIncomingKeyVerificationRequest(event.getSender()!, event.getId()!);
+        }
+
+        // that may have caused us to queue up outgoing requests, so make sure we send them.
+        this.outgoingRequestsManager.doProcessOutgoingRequests().catch((e) => {
+            this.logger.warn("onKeyVerificationRequest: Error processing outgoing requests", e);
+        });
+    }
+
+    /**
+     * Returns the cross-signing user identity of the current user.
+     *
+     * Not part of the public crypto-api interface.
+     * Used during migration from legacy js-crypto to update local trust if needed.
+     */
+    public async getOwnIdentity(): Promise<RustSdkCryptoJs.OwnUserIdentity | undefined> {
+        return await this.olmMachine.getIdentity(new RustSdkCryptoJs.UserId(this.userId));
+    }
+}
+
+class EventDecryptor {
+    /**
+     * Events which we couldn't decrypt due to unknown sessions / indexes.
+     *
+     * Map from roomId to sessionId to Set of MatrixEvents
+     */
+    private eventsPendingKey = new MapWithDefault<string, MapWithDefault<string, Set<MatrixEvent>>>(
+        () => new MapWithDefault<string, Set<MatrixEvent>>(() => new Set()),
+    );
+
+    public constructor(
+        private readonly logger: Logger,
+        private readonly olmMachine: RustSdkCryptoJs.OlmMachine,
+        private readonly perSessionBackupDownloader: PerSessionKeyBackupDownloader,
+    ) {}
+
+    public async attemptEventDecryption(
+        event: MatrixEvent,
+        isolationMode: DeviceIsolationMode,
+    ): Promise<IEventDecryptionResult> {
+        // add the event to the pending list *before* attempting to decrypt.
+        // then, if the key turns up while decryption is in progress (and
+        // decryption fails), we will schedule a retry.
+        // (fixes https://github.com/vector-im/element-web/issues/5001)
+        this.addEventToPendingList(event);
+
+        let trustRequirement;
+
+        switch (isolationMode.kind) {
+            case DeviceIsolationModeKind.AllDevicesIsolationMode:
+                trustRequirement = RustSdkCryptoJs.TrustRequirement.Untrusted;
+                break;
+            case DeviceIsolationModeKind.OnlySignedDevicesIsolationMode:
+                trustRequirement = RustSdkCryptoJs.TrustRequirement.CrossSignedOrLegacy;
+                break;
+        }
+
+        try {
+            const res = (await this.olmMachine.decryptRoomEvent(
+                stringifyEvent(event),
+                new RustSdkCryptoJs.RoomId(event.getRoomId()!),
+                new RustSdkCryptoJs.DecryptionSettings(trustRequirement),
+            )) as RustSdkCryptoJs.DecryptedRoomEvent;
+
+            // Success. We can remove the event from the pending list, if
+            // that hasn't already happened.
+            this.removeEventFromPendingList(event);
+
+            return {
+                clearEvent: JSON.parse(res.event),
+                claimedEd25519Key: res.senderClaimedEd25519Key,
+                senderCurve25519Key: res.senderCurve25519Key,
+                forwardingCurve25519KeyChain: res.forwardingCurve25519KeyChain,
+            };
+        } catch (err) {
+            if (err instanceof RustSdkCryptoJs.MegolmDecryptionError) {
+                this.onMegolmDecryptionError(event, err, await this.perSessionBackupDownloader.getServerBackupInfo());
+            } else {
+                throw new DecryptionError(DecryptionFailureCode.UNKNOWN_ERROR, "Unknown error");
+            }
+        }
+    }
+
+    /**
+     * Handle a `MegolmDecryptionError` returned by the rust SDK.
+     *
+     * Fires off a request to the `perSessionBackupDownloader`, if appropriate, and then throws a `DecryptionError`.
+     *
+     * @param event - The event which could not be decrypted.
+     * @param err - The error from the Rust SDK.
+     * @param serverBackupInfo - Details about the current backup from the server. `null` if there is no backup.
+     *     `undefined` if our attempt to check failed.
+     */
+    private onMegolmDecryptionError(
+        event: MatrixEvent,
+        err: RustSdkCryptoJs.MegolmDecryptionError,
+        serverBackupInfo: KeyBackupInfo | null | undefined,
+    ): never {
+        const content = event.getWireContent();
+        const errorDetails = { sender_key: content.sender_key, session_id: content.session_id };
+
+        // If the error looks like it might be recoverable from backup, queue up a request to try that.
+        if (
+            err.code === RustSdkCryptoJs.DecryptionErrorCode.MissingRoomKey ||
+            err.code === RustSdkCryptoJs.DecryptionErrorCode.UnknownMessageIndex
+        ) {
+            this.perSessionBackupDownloader.onDecryptionKeyMissingError(event.getRoomId()!, content.session_id!);
+
+            // If the server is telling us our membership at the time the event
+            // was sent, and it isn't "join", we use a different error code.
+            const membership = event.getMembershipAtEvent();
+            if (membership && membership !== KnownMembership.Join && membership !== KnownMembership.Invite) {
+                throw new DecryptionError(
+                    DecryptionFailureCode.HISTORICAL_MESSAGE_USER_NOT_JOINED,
+                    "This message was sent when we were not a member of the room.",
+                    errorDetails,
+                );
+            }
+
+            // If the event was sent before this device was created, we use some different error codes.
+            if (event.getTs() <= this.olmMachine.deviceCreationTimeMs) {
+                if (serverBackupInfo === null) {
+                    throw new DecryptionError(
+                        DecryptionFailureCode.HISTORICAL_MESSAGE_NO_KEY_BACKUP,
+                        "This message was sent before this device logged in, and there is no key backup on the server.",
+                        errorDetails,
+                    );
+                } else if (!this.perSessionBackupDownloader.isKeyBackupDownloadConfigured()) {
+                    throw new DecryptionError(
+                        DecryptionFailureCode.HISTORICAL_MESSAGE_BACKUP_UNCONFIGURED,
+                        "This message was sent before this device logged in, and key backup is not working.",
+                        errorDetails,
+                    );
+                } else {
+                    throw new DecryptionError(
+                        DecryptionFailureCode.HISTORICAL_MESSAGE_WORKING_BACKUP,
+                        "This message was sent before this device logged in. Key backup is working, but we still do not (yet) have the key.",
+                        errorDetails,
+                    );
+                }
+            }
+        }
+
+        // If we got a withheld code, expose that.
+        if (err.maybe_withheld) {
+            // Unfortunately the Rust SDK API doesn't let us distinguish between different withheld cases, other than
+            // by string-matching.
+            const failureCode =
+                err.maybe_withheld === "The sender has disabled encrypting to unverified devices."
+                    ? DecryptionFailureCode.MEGOLM_KEY_WITHHELD_FOR_UNVERIFIED_DEVICE
+                    : DecryptionFailureCode.MEGOLM_KEY_WITHHELD;
+            throw new DecryptionError(failureCode, err.maybe_withheld, errorDetails);
+        }
+
+        switch (err.code) {
+            case RustSdkCryptoJs.DecryptionErrorCode.MissingRoomKey:
+                throw new DecryptionError(
+                    DecryptionFailureCode.MEGOLM_UNKNOWN_INBOUND_SESSION_ID,
+                    "The sender's device has not sent us the keys for this message.",
+                    errorDetails,
+                );
+
+            case RustSdkCryptoJs.DecryptionErrorCode.UnknownMessageIndex:
+                throw new DecryptionError(
+                    DecryptionFailureCode.OLM_UNKNOWN_MESSAGE_INDEX,
+                    "The sender's device has not sent us the keys for this message at this index.",
+                    errorDetails,
+                );
+
+            case RustSdkCryptoJs.DecryptionErrorCode.SenderIdentityPreviouslyVerified:
+                // We're refusing to decrypt due to not trusting the sender,
+                // rather than failing to decrypt due to lack of keys, so we
+                // don't need to keep it on the pending list.
+                this.removeEventFromPendingList(event);
+                throw new DecryptionError(
+                    DecryptionFailureCode.SENDER_IDENTITY_PREVIOUSLY_VERIFIED,
+                    "The sender identity is unverified, but was previously verified.",
+                );
+
+            case RustSdkCryptoJs.DecryptionErrorCode.UnknownSenderDevice:
+                // We're refusing to decrypt due to not trusting the sender,
+                // rather than failing to decrypt due to lack of keys, so we
+                // don't need to keep it on the pending list.
+                this.removeEventFromPendingList(event);
+                throw new DecryptionError(
+                    DecryptionFailureCode.UNKNOWN_SENDER_DEVICE,
+                    "The sender device is not known.",
+                );
+
+            case RustSdkCryptoJs.DecryptionErrorCode.UnsignedSenderDevice:
+                // We're refusing to decrypt due to not trusting the sender,
+                // rather than failing to decrypt due to lack of keys, so we
+                // don't need to keep it on the pending list.
+                this.removeEventFromPendingList(event);
+                throw new DecryptionError(
+                    DecryptionFailureCode.UNSIGNED_SENDER_DEVICE,
+                    "The sender identity is not cross-signed.",
+                );
+
+            // We don't map MismatchedIdentityKeys for now, as there is no equivalent in legacy.
+            // Just put it on the `UNKNOWN_ERROR` bucket.
+            default:
+                throw new DecryptionError(DecryptionFailureCode.UNKNOWN_ERROR, err.description, errorDetails);
+        }
+    }
+
+    public async getEncryptionInfoForEvent(event: MatrixEvent): Promise<EventEncryptionInfo | null> {
+        if (!event.getClearContent() || event.isDecryptionFailure()) {
+            // not successfully decrypted
+            return null;
+        }
+
+        // special-case outgoing events, which the rust crypto-sdk will barf on
+        if (event.status !== null) {
+            return { shieldColour: EventShieldColour.NONE, shieldReason: null };
+        }
+
+        const encryptionInfo = await this.olmMachine.getRoomEventEncryptionInfo(
+            stringifyEvent(event),
+            new RustSdkCryptoJs.RoomId(event.getRoomId()!),
+        );
+
+        return rustEncryptionInfoToJsEncryptionInfo(this.logger, encryptionInfo);
+    }
+
+    /**
+     * Look for events which are waiting for a given megolm session
+     *
+     * Returns a list of events which were encrypted by `session` and could not be decrypted
+     */
+    public getEventsPendingRoomKey(roomId: string, sessionId: string): MatrixEvent[] {
+        const roomPendingEvents = this.eventsPendingKey.get(roomId);
+        if (!roomPendingEvents) return [];
+
+        const sessionPendingEvents = roomPendingEvents.get(sessionId);
+        if (!sessionPendingEvents) return [];
+
+        return [...sessionPendingEvents];
+    }
+
+    /**
+     * Add an event to the list of those awaiting their session keys.
+     */
+    private addEventToPendingList(event: MatrixEvent): void {
+        const roomId = event.getRoomId();
+        // We shouldn't have events without a room id here.
+        if (!roomId) return;
+
+        const roomPendingEvents = this.eventsPendingKey.getOrCreate(roomId);
+        const sessionPendingEvents = roomPendingEvents.getOrCreate(event.getWireContent().session_id);
+        sessionPendingEvents.add(event);
+    }
+
+    /**
+     * Remove an event from the list of those awaiting their session keys.
+     */
+    private removeEventFromPendingList(event: MatrixEvent): void {
+        const roomId = event.getRoomId();
+        if (!roomId) return;
+
+        const roomPendingEvents = this.eventsPendingKey.getOrCreate(roomId);
+        if (!roomPendingEvents) return;
+
+        const sessionPendingEvents = roomPendingEvents.get(event.getWireContent().session_id);
+        if (!sessionPendingEvents) return;
+
+        sessionPendingEvents.delete(event);
+
+        // also clean up the higher-level maps if they are now empty
+        if (sessionPendingEvents.size === 0) {
+            roomPendingEvents.delete(event.getWireContent().session_id);
+            if (roomPendingEvents.size === 0) {
+                this.eventsPendingKey.delete(roomId);
+            }
+        }
+    }
+}
+
+function stringifyEvent(event: MatrixEvent): string {
+    return JSON.stringify({
+        event_id: event.getId(),
+        type: event.getWireType(),
+        sender: event.getSender(),
+        state_key: event.getStateKey(),
+        content: event.getWireContent(),
+        origin_server_ts: event.getTs(),
+    });
+}
+
+function rustEncryptionInfoToJsEncryptionInfo(
+    logger: Logger,
+    encryptionInfo: RustSdkCryptoJs.EncryptionInfo | undefined,
+): EventEncryptionInfo | null {
+    if (encryptionInfo === undefined) {
+        // not decrypted here
+        return null;
+    }
+
+    // TODO: use strict shield semantics.
+    const shieldState = encryptionInfo.shieldState(false);
+
+    let shieldColour: EventShieldColour;
+    switch (shieldState.color) {
+        case RustSdkCryptoJs.ShieldColor.Grey:
+            shieldColour = EventShieldColour.GREY;
+            break;
+        case RustSdkCryptoJs.ShieldColor.None:
+            shieldColour = EventShieldColour.NONE;
+            break;
+        default:
+            shieldColour = EventShieldColour.RED;
+    }
+
+    let shieldReason: EventShieldReason | null;
+    if (shieldState.message === undefined) {
+        shieldReason = null;
+    } else if (shieldState.message === "Encrypted by an unverified user.") {
+        // this case isn't actually used with lax shield semantics.
+        shieldReason = EventShieldReason.UNVERIFIED_IDENTITY;
+    } else if (shieldState.message === "Encrypted by a device not verified by its owner.") {
+        shieldReason = EventShieldReason.UNSIGNED_DEVICE;
+    } else if (
+        shieldState.message === "The authenticity of this encrypted message can't be guaranteed on this device."
+    ) {
+        shieldReason = EventShieldReason.AUTHENTICITY_NOT_GUARANTEED;
+    } else if (shieldState.message === "Encrypted by an unknown or deleted device.") {
+        shieldReason = EventShieldReason.UNKNOWN_DEVICE;
+    } else {
+        logger.warn(`Unknown shield state message '${shieldState.message}'`);
+        shieldReason = EventShieldReason.UNKNOWN;
+    }
+
+    return { shieldColour, shieldReason };
+}
+
+type CryptoEvents = (typeof CryptoEvent)[keyof typeof CryptoEvent];
+type RustCryptoEvents = Exclude<CryptoEvents, CryptoEvent.LegacyCryptoStoreMigrationProgress>;