@unwanted/matrix-sdk-mini 34.12.0-1

package/lib/crypto/index.js

@@ -0,0 +1,4097 @@
+import _asyncToGenerator from "@babel/runtime/helpers/asyncToGenerator";
+import _defineProperty from "@babel/runtime/helpers/defineProperty";
+function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+/*
+Copyright 2016 OpenMarket Ltd
+Copyright 2017 Vector Creations Ltd
+Copyright 2018-2019 New Vector Ltd
+Copyright 2019-2021 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import anotherjson from "another-json";
+import { v4 as uuidv4 } from "uuid";
+import { EventType, ToDeviceMessageId } from "../@types/event.js";
+import { TypedReEmitter } from "../ReEmitter.js";
+import { logger } from "../logger.js";
+import { OlmDevice } from "./OlmDevice.js";
+import * as olmlib from "./olmlib.js";
+import { DeviceList } from "./DeviceList.js";
+import { DeviceInfo } from "./deviceinfo.js";
+import * as algorithms from "./algorithms/index.js";
+import { createCryptoStoreCacheCallbacks, CrossSigningInfo, DeviceTrustLevel, UserTrustLevel } from "./CrossSigning.js";
+import { EncryptionSetupBuilder } from "./EncryptionSetup.js";
+import { SecretStorage as LegacySecretStorage } from "./SecretStorage.js";
+import { CrossSigningKey } from "./api.js";
+import { OutgoingRoomKeyRequestManager } from "./OutgoingRoomKeyRequestManager.js";
+import { IndexedDBCryptoStore } from "./store/indexeddb-crypto-store.js";
+import { ReciprocateQRCode, SCAN_QR_CODE_METHOD, SHOW_QR_CODE_METHOD } from "./verification/QRCode.js";
+import { SAS as SASVerification } from "./verification/SAS.js";
+import { keyFromPassphrase } from "./key_passphrase.js";
+import { VerificationRequest } from "./verification/request/VerificationRequest.js";
+import { InRoomChannel, InRoomRequests } from "./verification/request/InRoomChannel.js";
+import { ToDeviceChannel, ToDeviceRequests } from "./verification/request/ToDeviceChannel.js";
+import { IllegalMethod } from "./verification/IllegalMethod.js";
+import { KeySignatureUploadError } from "../errors.js";
+import { DehydrationManager } from "./dehydration.js";
+import { BackupManager, LibOlmBackupDecryptor, backupTrustInfoFromLegacyTrustInfo } from "./backup.js";
+import { RoomEvent } from "../models/room.js";
+import { RoomMemberEvent } from "../models/room-member.js";
+import { EventStatus, MatrixEvent, MatrixEventEvent } from "../models/event.js";
+import { ClientEvent, MatrixClient } from "../client.js";
+import { RoomList } from "./RoomList.js";
+import { TypedEventEmitter } from "../models/typed-event-emitter.js";
+import { DecryptionError } from "../common-crypto/CryptoBackend.js";
+import { RoomStateEvent } from "../models/room-state.js";
+import { MapWithDefault, recursiveMapToObject } from "../utils.js";
+import { calculateKeyCheck, SECRET_STORAGE_ALGORITHM_V1_AES, ServerSideSecretStorageImpl } from "../secret-storage.js";
+import { decodeRecoveryKey, DecryptionFailureCode, encodeRecoveryKey, EventShieldColour, EventShieldReason, CryptoEvent as CryptoApiCryptoEvent } from "../crypto-api/index.js";
+import { deviceInfoToDevice } from "./device-converter.js";
+import { ClientPrefix, MatrixError, Method } from "../http-api/index.js";
+import { decodeBase64, encodeBase64 } from "../base64.js";
+import { KnownMembership } from "../@types/membership.js";
+import decryptAESSecretStorageItem from "../utils/decryptAESSecretStorageItem.js";
+import encryptAESSecretStorageItem from "../utils/encryptAESSecretStorageItem.js";
+
+/* re-exports for backwards compatibility */
+
+var DeviceVerification = DeviceInfo.DeviceVerification;
+var defaultVerificationMethods = {
+  [ReciprocateQRCode.NAME]: ReciprocateQRCode,
+  [SASVerification.NAME]: SASVerification,
+  // These two can't be used for actual verification, but we do
+  // need to be able to define them here for the verification flows
+  // to start.
+  [SHOW_QR_CODE_METHOD]: IllegalMethod,
+  [SCAN_QR_CODE_METHOD]: IllegalMethod
+};
+
+/**
+ * verification method names
+ */
+// legacy export identifier
+export var verificationMethods = {
+  RECIPROCATE_QR_CODE: ReciprocateQRCode.NAME,
+  SAS: SASVerification.NAME
+};
+// minimum time between attempting to unwedge an Olm session, if we succeeded
+// in creating a new session
+var MIN_FORCE_SESSION_INTERVAL_MS = 60 * 60 * 1000; // 1 hour
+// minimum time between attempting to unwedge an Olm session, if we failed
+// to create a new session
+var FORCE_SESSION_RETRY_INTERVAL_MS = 5 * 60 * 1000; // 5 minutes
+
+/* eslint-disable camelcase */
+
+/**
+ * The parameters of a room key request. The details of the request may
+ * vary with the crypto algorithm, but the management and storage layers for
+ * outgoing requests expect it to have 'room_id' and 'session_id' properties.
+ */
+
+/* eslint-enable camelcase */
+
+/* eslint-disable camelcase */
+
+/* eslint-enable camelcase */
+
+export var CryptoEvent = function (CryptoEvent) {
+  CryptoEvent["DeviceVerificationChanged"] = "deviceVerificationChanged";
+  CryptoEvent[CryptoEvent["UserTrustStatusChanged"] = CryptoApiCryptoEvent.UserTrustStatusChanged] = "UserTrustStatusChanged";
+  CryptoEvent["UserCrossSigningUpdated"] = "userCrossSigningUpdated";
+  CryptoEvent["RoomKeyRequest"] = "crypto.roomKeyRequest";
+  CryptoEvent["RoomKeyRequestCancellation"] = "crypto.roomKeyRequestCancellation";
+  CryptoEvent[CryptoEvent["KeyBackupStatus"] = CryptoApiCryptoEvent.KeyBackupStatus] = "KeyBackupStatus";
+  CryptoEvent[CryptoEvent["KeyBackupFailed"] = CryptoApiCryptoEvent.KeyBackupFailed] = "KeyBackupFailed";
+  CryptoEvent[CryptoEvent["KeyBackupSessionsRemaining"] = CryptoApiCryptoEvent.KeyBackupSessionsRemaining] = "KeyBackupSessionsRemaining";
+  CryptoEvent[CryptoEvent["KeyBackupDecryptionKeyCached"] = CryptoApiCryptoEvent.KeyBackupDecryptionKeyCached] = "KeyBackupDecryptionKeyCached";
+  CryptoEvent["KeySignatureUploadFailure"] = "crypto.keySignatureUploadFailure";
+  CryptoEvent["VerificationRequest"] = "crypto.verification.request";
+  CryptoEvent[CryptoEvent["VerificationRequestReceived"] = CryptoApiCryptoEvent.VerificationRequestReceived] = "VerificationRequestReceived";
+  CryptoEvent["Warning"] = "crypto.warning";
+  CryptoEvent[CryptoEvent["WillUpdateDevices"] = CryptoApiCryptoEvent.WillUpdateDevices] = "WillUpdateDevices";
+  CryptoEvent[CryptoEvent["DevicesUpdated"] = CryptoApiCryptoEvent.DevicesUpdated] = "DevicesUpdated";
+  CryptoEvent[CryptoEvent["KeysChanged"] = CryptoApiCryptoEvent.KeysChanged] = "KeysChanged";
+  CryptoEvent[CryptoEvent["LegacyCryptoStoreMigrationProgress"] = CryptoApiCryptoEvent.LegacyCryptoStoreMigrationProgress] = "LegacyCryptoStoreMigrationProgress";
+  return CryptoEvent;
+}({});
+export class Crypto extends TypedEventEmitter {
+  /**
+   * @returns The version of Olm.
+   */
+  static getOlmVersion() {
+    return OlmDevice.getOlmVersion();
+  }
+  /**
+   * Cryptography bits
+   *
+   * This module is internal to the js-sdk; the public API is via MatrixClient.
+   *
+   * @internal
+   *
+   * @param baseApis - base matrix api interface
+   *
+   * @param userId - The user ID for the local user
+   *
+   * @param deviceId - The identifier for this device.
+   *
+   * @param clientStore - the MatrixClient data store.
+   *
+   * @param cryptoStore - storage for the crypto layer.
+   *
+   * @param verificationMethods - Array of verification methods to use.
+   *    Each element can either be a string from MatrixClient.verificationMethods
+   *    or a class that implements a verification method.
+   */
+  constructor(baseApis, userId, deviceId, clientStore, cryptoStore, verificationMethods) {
+    var _this;
+    super();
+    _this = this;
+    this.baseApis = baseApis;
+    this.userId = userId;
+    this.deviceId = deviceId;
+    this.clientStore = clientStore;
+    this.cryptoStore = cryptoStore;
+    _defineProperty(this, "backupManager", void 0);
+    _defineProperty(this, "crossSigningInfo", void 0);
+    _defineProperty(this, "olmDevice", void 0);
+    _defineProperty(this, "deviceList", void 0);
+    _defineProperty(this, "dehydrationManager", void 0);
+    _defineProperty(this, "secretStorage", void 0);
+    _defineProperty(this, "roomList", void 0);
+    _defineProperty(this, "reEmitter", void 0);
+    _defineProperty(this, "verificationMethods", void 0);
+    _defineProperty(this, "supportedAlgorithms", void 0);
+    _defineProperty(this, "outgoingRoomKeyRequestManager", void 0);
+    _defineProperty(this, "toDeviceVerificationRequests", void 0);
+    _defineProperty(this, "inRoomVerificationRequests", void 0);
+    _defineProperty(this, "trustCrossSignedDevices", true);
+    // the last time we did a check for the number of one-time-keys on the server.
+    _defineProperty(this, "lastOneTimeKeyCheck", null);
+    _defineProperty(this, "oneTimeKeyCheckInProgress", false);
+    // EncryptionAlgorithm instance for each room
+    _defineProperty(this, "roomEncryptors", new Map());
+    // map from algorithm to DecryptionAlgorithm instance, for each room
+    _defineProperty(this, "roomDecryptors", new Map());
+    _defineProperty(this, "deviceKeys", {});
+    // type: key
+    _defineProperty(this, "globalBlacklistUnverifiedDevices", false);
+    _defineProperty(this, "globalErrorOnUnknownDevices", true);
+    // list of IncomingRoomKeyRequests/IncomingRoomKeyRequestCancellations
+    // we received in the current sync.
+    _defineProperty(this, "receivedRoomKeyRequests", []);
+    _defineProperty(this, "receivedRoomKeyRequestCancellations", []);
+    // true if we are currently processing received room key requests
+    _defineProperty(this, "processingRoomKeyRequests", false);
+    // controls whether device tracking is delayed
+    // until calling encryptEvent or trackRoomDevices,
+    // or done immediately upon enabling room encryption.
+    _defineProperty(this, "lazyLoadMembers", false);
+    // in case lazyLoadMembers is true,
+    // track if an initial tracking of all the room members
+    // has happened for a given room. This is delayed
+    // to avoid loading room members as long as possible.
+    _defineProperty(this, "roomDeviceTrackingState", {});
+    // The timestamp of the minimum time at which we will retry forcing establishment
+    // of a new session for each device, in milliseconds.
+    // {
+    //     userId: {
+    //         deviceId: 1234567890000,
+    //     },
+    // }
+    // Map: user Id → device Id → timestamp
+    _defineProperty(this, "forceNewSessionRetryTime", new MapWithDefault(() => new MapWithDefault(() => 0)));
+    // This flag will be unset whilst the client processes a sync response
+    // so that we don't start requesting keys until we've actually finished
+    // processing the response.
+    _defineProperty(this, "sendKeyRequestsImmediately", false);
+    _defineProperty(this, "oneTimeKeyCount", void 0);
+    _defineProperty(this, "needsNewFallback", void 0);
+    _defineProperty(this, "fallbackCleanup", void 0);
+    /*
+     * Event handler for DeviceList's userNewDevices event
+     */
+    _defineProperty(this, "onDeviceListUserCrossSigningUpdated", /*#__PURE__*/function () {
+      var _ref = _asyncToGenerator(function* (userId) {
+        if (userId === _this.userId) {
+          // An update to our own cross-signing key.
+          // Get the new key first:
+          var newCrossSigning = _this.deviceList.getStoredCrossSigningForUser(userId);
+          var seenPubkey = newCrossSigning ? newCrossSigning.getId() : null;
+          var currentPubkey = _this.crossSigningInfo.getId();
+          var changed = currentPubkey !== seenPubkey;
+          if (currentPubkey && seenPubkey && !changed) {
+            // If it's not changed, just make sure everything is up to date
+            yield _this.checkOwnCrossSigningTrust();
+          } else {
+            // We'll now be in a state where cross-signing on the account is not trusted
+            // because our locally stored cross-signing keys will not match the ones
+            // on the server for our account. So we clear our own stored cross-signing keys,
+            // effectively disabling cross-signing until the user gets verified by the device
+            // that reset the keys
+            _this.storeTrustedSelfKeys(null);
+            // emit cross-signing has been disabled
+            _this.emit(CryptoEvent.KeysChanged, {});
+            // as the trust for our own user has changed,
+            // also emit an event for this
+            _this.emit(CryptoEvent.UserTrustStatusChanged, _this.userId, _this.checkUserTrust(userId));
+          }
+        } else {
+          yield _this.checkDeviceVerifications(userId);
+
+          // Update verified before latch using the current state and save the new
+          // latch value in the device list store.
+          var crossSigning = _this.deviceList.getStoredCrossSigningForUser(userId);
+          if (crossSigning) {
+            crossSigning.updateCrossSigningVerifiedBefore(_this.checkUserTrust(userId).isCrossSigningVerified());
+            _this.deviceList.setRawStoredCrossSigningForUser(userId, crossSigning.toStorage());
+          }
+          _this.emit(CryptoEvent.UserTrustStatusChanged, userId, _this.checkUserTrust(userId));
+        }
+      });
+      return function (_x) {
+        return _ref.apply(this, arguments);
+      };
+    }());
+    _defineProperty(this, "onMembership", (event, member, oldMembership) => {
+      try {
+        this.onRoomMembership(event, member, oldMembership);
+      } catch (e) {
+        logger.error("Error handling membership change:", e);
+      }
+    });
+    _defineProperty(this, "onToDeviceEvent", event => {
+      try {
+        logger.log("received to-device ".concat(event.getType(), " from: ") + "".concat(event.getSender(), " id: ").concat(event.getContent()[ToDeviceMessageId]));
+        if (event.getType() == "m.room_key" || event.getType() == "m.forwarded_room_key") {
+          this.onRoomKeyEvent(event);
+        } else if (event.getType() == "m.room_key_request") {
+          this.onRoomKeyRequestEvent(event);
+        } else if (event.getType() === "m.secret.request") {
+          this.secretStorage.onRequestReceived(event);
+        } else if (event.getType() === "m.secret.send") {
+          this.secretStorage.onSecretReceived(event);
+        } else if (event.getType() === "m.room_key.withheld") {
+          this.onRoomKeyWithheldEvent(event);
+        } else if (event.getContent().transaction_id) {
+          this.onKeyVerificationMessage(event);
+        } else if (event.getContent().msgtype === "m.bad.encrypted") {
+          this.onToDeviceBadEncrypted(event);
+        } else if (event.isBeingDecrypted() || event.shouldAttemptDecryption()) {
+          if (!event.isBeingDecrypted()) {
+            event.attemptDecryption(this);
+          }
+          // once the event has been decrypted, try again
+          event.once(MatrixEventEvent.Decrypted, ev => {
+            this.onToDeviceEvent(ev);
+          });
+        }
+      } catch (e) {
+        logger.error("Error handling toDeviceEvent:", e);
+      }
+    });
+    /**
+     * Handle key verification requests sent as timeline events
+     *
+     * @internal
+     * @param event - the timeline event
+     * @param room - not used
+     * @param atStart - not used
+     * @param removed - not used
+     * @param whether - this is a live event
+     */
+    _defineProperty(this, "onTimelineEvent", function (event, room, atStart, removed) {
+      var {
+        liveEvent = true
+      } = arguments.length > 4 && arguments[4] !== undefined ? arguments[4] : {};
+      if (!InRoomChannel.validateEvent(event, _this.baseApis)) {
+        return;
+      }
+      var createRequest = event => {
+        var channel = new InRoomChannel(_this.baseApis, event.getRoomId());
+        return new VerificationRequest(channel, _this.verificationMethods, _this.baseApis);
+      };
+      _this.handleVerificationEvent(event, _this.inRoomVerificationRequests, createRequest, liveEvent);
+    });
+    logger.debug("Crypto: initialising roomlist...");
+    this.roomList = new RoomList(cryptoStore);
+    this.reEmitter = new TypedReEmitter(this);
+    if (verificationMethods) {
+      this.verificationMethods = new Map();
+      for (var method of verificationMethods) {
+        if (typeof method === "string") {
+          if (defaultVerificationMethods[method]) {
+            this.verificationMethods.set(method, defaultVerificationMethods[method]);
+          }
+        } else if (method["NAME"]) {
+          this.verificationMethods.set(method["NAME"], method);
+        } else {
+          logger.warn("Excluding unknown verification method ".concat(method));
+        }
+      }
+    } else {
+      this.verificationMethods = new Map(Object.entries(defaultVerificationMethods));
+    }
+    this.backupManager = new BackupManager(baseApis, /*#__PURE__*/_asyncToGenerator(function* () {
+      // try to get key from cache
+      var cachedKey = yield _this.getSessionBackupPrivateKey();
+      if (cachedKey) {
+        return cachedKey;
+      }
+
+      // try to get key from secret storage
+      var storedKey = yield _this.secretStorage.get("m.megolm_backup.v1");
+      if (storedKey) {
+        // ensure that the key is in the right format.  If not, fix the key and
+        // store the fixed version
+        var fixedKey = fixBackupKey(storedKey);
+        if (fixedKey) {
+          var keys = yield _this.secretStorage.getKey();
+          yield _this.secretStorage.store("m.megolm_backup.v1", fixedKey, [keys[0]]);
+        }
+        return decodeBase64(fixedKey || storedKey);
+      }
+
+      // try to get key from app
+      if (_this.baseApis.cryptoCallbacks && _this.baseApis.cryptoCallbacks.getBackupKey) {
+        return _this.baseApis.cryptoCallbacks.getBackupKey();
+      }
+      throw new Error("Unable to get private key");
+    }));
+    this.olmDevice = new OlmDevice(cryptoStore);
+    this.deviceList = new DeviceList(baseApis, cryptoStore, this.olmDevice);
+
+    // XXX: This isn't removed at any point, but then none of the event listeners
+    // this class sets seem to be removed at any point... :/
+    this.deviceList.on(CryptoEvent.UserCrossSigningUpdated, this.onDeviceListUserCrossSigningUpdated);
+    this.reEmitter.reEmit(this.deviceList, [CryptoEvent.DevicesUpdated, CryptoEvent.WillUpdateDevices]);
+    this.supportedAlgorithms = Array.from(algorithms.DECRYPTION_CLASSES.keys());
+    this.outgoingRoomKeyRequestManager = new OutgoingRoomKeyRequestManager(baseApis, this.deviceId, this.cryptoStore);
+    this.toDeviceVerificationRequests = new ToDeviceRequests();
+    this.inRoomVerificationRequests = new InRoomRequests();
+    var cryptoCallbacks = this.baseApis.cryptoCallbacks || {};
+    var cacheCallbacks = createCryptoStoreCacheCallbacks(cryptoStore, this.olmDevice);
+    this.crossSigningInfo = new CrossSigningInfo(userId, cryptoCallbacks, cacheCallbacks);
+    // Yes, we pass the client twice here: see SecretStorage
+    this.secretStorage = new LegacySecretStorage(baseApis, cryptoCallbacks, baseApis);
+    this.dehydrationManager = new DehydrationManager(this);
+
+    // Assuming no app-supplied callback, default to getting from SSSS.
+    if (!cryptoCallbacks.getCrossSigningKey && cryptoCallbacks.getSecretStorageKey) {
+      cryptoCallbacks.getCrossSigningKey = /*#__PURE__*/function () {
+        var _ref3 = _asyncToGenerator(function* (type) {
+          return CrossSigningInfo.getFromSecretStorage(type, _this.secretStorage);
+        });
+        return function (_x2) {
+          return _ref3.apply(this, arguments);
+        };
+      }();
+    }
+  }
+
+  /**
+   * Initialise the crypto module so that it is ready for use
+   *
+   * Returns a promise which resolves once the crypto module is ready for use.
+   *
+   * @param exportedOlmDevice - (Optional) data from exported device
+   *     that must be re-created.
+   */
+  init() {
+    var _arguments = arguments,
+      _this2 = this;
+    return _asyncToGenerator(function* () {
+      var {
+        exportedOlmDevice,
+        pickleKey
+      } = _arguments.length > 0 && _arguments[0] !== undefined ? _arguments[0] : {};
+      logger.log("Crypto: initialising Olm...");
+      yield globalThis.Olm.init();
+      logger.log(exportedOlmDevice ? "Crypto: initialising Olm device from exported device..." : "Crypto: initialising Olm device...");
+      yield _this2.olmDevice.init({
+        fromExportedDevice: exportedOlmDevice,
+        pickleKey
+      });
+      logger.log("Crypto: loading device list...");
+      yield _this2.deviceList.load();
+
+      // build our device keys: these will later be uploaded
+      _this2.deviceKeys["ed25519:" + _this2.deviceId] = _this2.olmDevice.deviceEd25519Key;
+      _this2.deviceKeys["curve25519:" + _this2.deviceId] = _this2.olmDevice.deviceCurve25519Key;
+      logger.log("Crypto: fetching own devices...");
+      var myDevices = _this2.deviceList.getRawStoredDevicesForUser(_this2.userId);
+      if (!myDevices) {
+        myDevices = {};
+      }
+      if (!myDevices[_this2.deviceId]) {
+        // add our own deviceinfo to the cryptoStore
+        logger.log("Crypto: adding this device to the store...");
+        var deviceInfo = {
+          keys: _this2.deviceKeys,
+          algorithms: _this2.supportedAlgorithms,
+          verified: DeviceVerification.VERIFIED,
+          known: true
+        };
+        myDevices[_this2.deviceId] = deviceInfo;
+        _this2.deviceList.storeDevicesForUser(_this2.userId, myDevices);
+        _this2.deviceList.saveIfDirty();
+      }
+      yield _this2.cryptoStore.doTxn("readonly", [IndexedDBCryptoStore.STORE_ACCOUNT], txn => {
+        _this2.cryptoStore.getCrossSigningKeys(txn, keys => {
+          // can be an empty object after resetting cross-signing keys, see storeTrustedSelfKeys
+          if (keys && Object.keys(keys).length !== 0) {
+            logger.log("Loaded cross-signing public keys from crypto store");
+            _this2.crossSigningInfo.setKeys(keys);
+          }
+        });
+      });
+      // make sure we are keeping track of our own devices
+      // (this is important for key backups & things)
+      _this2.deviceList.startTrackingDeviceList(_this2.userId);
+      logger.debug("Crypto: initialising roomlist...");
+      yield _this2.roomList.init();
+      logger.log("Crypto: checking for key backup...");
+      _this2.backupManager.checkAndStart();
+    })();
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi#setDeviceIsolationMode}.
+   */
+  setDeviceIsolationMode(isolationMode) {
+    throw new Error("Not supported");
+  }
+  /**
+   * Implementation of {@link Crypto.CryptoApi#getVersion}.
+   */
+  getVersion() {
+    var olmVersionTuple = Crypto.getOlmVersion();
+    return "Olm ".concat(olmVersionTuple[0], ".").concat(olmVersionTuple[1], ".").concat(olmVersionTuple[2]);
+  }
+
+  /**
+   * Whether to trust a others users signatures of their devices.
+   * If false, devices will only be considered 'verified' if we have
+   * verified that device individually (effectively disabling cross-signing).
+   *
+   * Default: true
+   *
+   * @returns True if trusting cross-signed devices
+   */
+  getTrustCrossSignedDevices() {
+    return this.trustCrossSignedDevices;
+  }
+
+  /**
+   * @deprecated Use {@link Crypto.CryptoApi#getTrustCrossSignedDevices}.
+   */
+  getCryptoTrustCrossSignedDevices() {
+    return this.trustCrossSignedDevices;
+  }
+
+  /**
+   * See getCryptoTrustCrossSignedDevices
+   *
+   * @param val - True to trust cross-signed devices
+   */
+  setTrustCrossSignedDevices(val) {
+    this.trustCrossSignedDevices = val;
+    for (var _userId of this.deviceList.getKnownUserIds()) {
+      var devices = this.deviceList.getRawStoredDevicesForUser(_userId);
+      for (var _deviceId of Object.keys(devices)) {
+        var deviceTrust = this.checkDeviceTrust(_userId, _deviceId);
+        // If the device is locally verified then isVerified() is always true,
+        // so this will only have caused the value to change if the device is
+        // cross-signing verified but not locally verified
+        if (!deviceTrust.isLocallyVerified() && deviceTrust.isCrossSigningVerified()) {
+          var deviceObj = this.deviceList.getStoredDevice(_userId, _deviceId);
+          this.emit(CryptoEvent.DeviceVerificationChanged, _userId, _deviceId, deviceObj);
+        }
+      }
+    }
+  }
+
+  /**
+   * @deprecated Use {@link Crypto.CryptoApi#setTrustCrossSignedDevices}.
+   */
+  setCryptoTrustCrossSignedDevices(val) {
+    this.setTrustCrossSignedDevices(val);
+  }
+
+  /**
+   * Create a recovery key from a user-supplied passphrase.
+   *
+   * @param password - Passphrase string that can be entered by the user
+   *     when restoring the backup as an alternative to entering the recovery key.
+   *     Optional.
+   * @returns Object with public key metadata, encoded private
+   *     recovery key which should be disposed of after displaying to the user,
+   *     and raw private key to avoid round tripping if needed.
+   */
+  createRecoveryKeyFromPassphrase(password) {
+    return _asyncToGenerator(function* () {
+      var decryption = new globalThis.Olm.PkDecryption();
+      try {
+        if (password) {
+          var derivation = yield keyFromPassphrase(password);
+          decryption.init_with_private_key(derivation.key);
+          var privateKey = decryption.get_private_key();
+          return {
+            keyInfo: {
+              passphrase: {
+                algorithm: "m.pbkdf2",
+                iterations: derivation.iterations,
+                salt: derivation.salt
+              }
+            },
+            privateKey: privateKey,
+            encodedPrivateKey: encodeRecoveryKey(privateKey)
+          };
+        } else {
+          decryption.generate_key();
+          var _privateKey = decryption.get_private_key();
+          return {
+            privateKey: _privateKey,
+            encodedPrivateKey: encodeRecoveryKey(_privateKey)
+          };
+        }
+      } finally {
+        decryption === null || decryption === void 0 || decryption.free();
+      }
+    })();
+  }
+
+  /**
+   * Checks if the user has previously published cross-signing keys
+   *
+   * This means downloading the devicelist for the user and checking if the list includes
+   * the cross-signing pseudo-device.
+   *
+   * @internal
+   */
+  userHasCrossSigningKeys() {
+    var _arguments2 = arguments,
+      _this3 = this;
+    return _asyncToGenerator(function* () {
+      var userId = _arguments2.length > 0 && _arguments2[0] !== undefined ? _arguments2[0] : _this3.userId;
+      yield _this3.downloadKeys([userId]);
+      return _this3.deviceList.getStoredCrossSigningForUser(userId) !== null;
+    })();
+  }
+
+  /**
+   * Checks whether cross signing:
+   * - is enabled on this account and trusted by this device
+   * - has private keys either cached locally or stored in secret storage
+   *
+   * If this function returns false, bootstrapCrossSigning() can be used
+   * to fix things such that it returns true. That is to say, after
+   * bootstrapCrossSigning() completes successfully, this function should
+   * return true.
+   *
+   * The cross-signing API is currently UNSTABLE and may change without notice.
+   *
+   * @returns True if cross-signing is ready to be used on this device
+   */
+  isCrossSigningReady() {
+    var _this4 = this;
+    return _asyncToGenerator(function* () {
+      var publicKeysOnDevice = _this4.crossSigningInfo.getId();
+      var privateKeysExistSomewhere = (yield _this4.crossSigningInfo.isStoredInKeyCache()) || (yield _this4.crossSigningInfo.isStoredInSecretStorage(_this4.secretStorage));
+      return !!(publicKeysOnDevice && privateKeysExistSomewhere);
+    })();
+  }
+
+  /**
+   * Checks whether secret storage:
+   * - is enabled on this account
+   * - is storing cross-signing private keys
+   * - is storing session backup key (if enabled)
+   *
+   * If this function returns false, bootstrapSecretStorage() can be used
+   * to fix things such that it returns true. That is to say, after
+   * bootstrapSecretStorage() completes successfully, this function should
+   * return true.
+   *
+   * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+   *
+   * @returns True if secret storage is ready to be used on this device
+   */
+  isSecretStorageReady() {
+    var _this5 = this;
+    return _asyncToGenerator(function* () {
+      var secretStorageKeyInAccount = yield _this5.secretStorage.hasKey();
+      var privateKeysInStorage = yield _this5.crossSigningInfo.isStoredInSecretStorage(_this5.secretStorage);
+      var sessionBackupInStorage = !_this5.backupManager.getKeyBackupEnabled() || (yield _this5.baseApis.isKeyBackupKeyStored());
+      return !!(secretStorageKeyInAccount && privateKeysInStorage && sessionBackupInStorage);
+    })();
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi#getCrossSigningStatus}
+   */
+  getCrossSigningStatus() {
+    var _this6 = this;
+    return _asyncToGenerator(function* () {
+      var _cacheCallbacks$getCr, _cacheCallbacks$getCr2, _cacheCallbacks$getCr3;
+      var publicKeysOnDevice = Boolean(_this6.crossSigningInfo.getId());
+      var privateKeysInSecretStorage = Boolean(yield _this6.crossSigningInfo.isStoredInSecretStorage(_this6.secretStorage));
+      var cacheCallbacks = _this6.crossSigningInfo.getCacheCallbacks();
+      var masterKey = Boolean(yield (_cacheCallbacks$getCr = cacheCallbacks.getCrossSigningKeyCache) === null || _cacheCallbacks$getCr === void 0 ? void 0 : _cacheCallbacks$getCr.call(cacheCallbacks, "master"));
+      var selfSigningKey = Boolean(yield (_cacheCallbacks$getCr2 = cacheCallbacks.getCrossSigningKeyCache) === null || _cacheCallbacks$getCr2 === void 0 ? void 0 : _cacheCallbacks$getCr2.call(cacheCallbacks, "self_signing"));
+      var userSigningKey = Boolean(yield (_cacheCallbacks$getCr3 = cacheCallbacks.getCrossSigningKeyCache) === null || _cacheCallbacks$getCr3 === void 0 ? void 0 : _cacheCallbacks$getCr3.call(cacheCallbacks, "user_signing"));
+      return {
+        publicKeysOnDevice,
+        privateKeysInSecretStorage,
+        privateKeysCachedLocally: {
+          masterKey,
+          selfSigningKey,
+          userSigningKey
+        }
+      };
+    })();
+  }
+
+  /**
+   * Bootstrap cross-signing by creating keys if needed. If everything is already
+   * set up, then no changes are made, so this is safe to run to ensure
+   * cross-signing is ready for use.
+   *
+   * This function:
+   * - creates new cross-signing keys if they are not found locally cached nor in
+   *   secret storage (if it has been setup)
+   *
+   * The cross-signing API is currently UNSTABLE and may change without notice.
+   */
+  bootstrapCrossSigning() {
+    var _arguments3 = arguments,
+      _this7 = this;
+    return _asyncToGenerator(function* () {
+      var {
+        authUploadDeviceSigningKeys,
+        setupNewCrossSigning
+      } = _arguments3.length > 0 && _arguments3[0] !== undefined ? _arguments3[0] : {};
+      logger.log("Bootstrapping cross-signing");
+      var delegateCryptoCallbacks = _this7.baseApis.cryptoCallbacks;
+      var builder = new EncryptionSetupBuilder(_this7.baseApis.store.accountData, delegateCryptoCallbacks);
+      var crossSigningInfo = new CrossSigningInfo(_this7.userId, builder.crossSigningCallbacks, builder.crossSigningCallbacks);
+
+      // Reset the cross-signing keys
+      var resetCrossSigning = /*#__PURE__*/function () {
+        var _ref4 = _asyncToGenerator(function* () {
+          crossSigningInfo.resetKeys();
+          // Sign master key with device key
+          yield _this7.signObject(crossSigningInfo.keys.master);
+
+          // Store auth flow helper function, as we need to call it when uploading
+          // to ensure we handle auth errors properly.
+          builder.addCrossSigningKeys(authUploadDeviceSigningKeys, crossSigningInfo.keys);
+
+          // Cross-sign own device
+          var device = _this7.deviceList.getStoredDevice(_this7.userId, _this7.deviceId);
+          var deviceSignature = yield crossSigningInfo.signDevice(_this7.userId, device);
+          builder.addKeySignature(_this7.userId, _this7.deviceId, deviceSignature);
+
+          // Sign message key backup with cross-signing master key
+          if (_this7.backupManager.backupInfo) {
+            yield crossSigningInfo.signObject(_this7.backupManager.backupInfo.auth_data, "master");
+            builder.addSessionBackup(_this7.backupManager.backupInfo);
+          }
+        });
+        return function resetCrossSigning() {
+          return _ref4.apply(this, arguments);
+        };
+      }();
+      var publicKeysOnDevice = _this7.crossSigningInfo.getId();
+      var privateKeysInCache = yield _this7.crossSigningInfo.isStoredInKeyCache();
+      var privateKeysInStorage = yield _this7.crossSigningInfo.isStoredInSecretStorage(_this7.secretStorage);
+      var privateKeysExistSomewhere = privateKeysInCache || privateKeysInStorage;
+
+      // Log all relevant state for easier parsing of debug logs.
+      logger.log({
+        setupNewCrossSigning,
+        publicKeysOnDevice,
+        privateKeysInCache,
+        privateKeysInStorage,
+        privateKeysExistSomewhere
+      });
+      if (!privateKeysExistSomewhere || setupNewCrossSigning) {
+        logger.log("Cross-signing private keys not found locally or in secret storage, " + "creating new keys");
+        // If a user has multiple devices, it important to only call bootstrap
+        // as part of some UI flow (and not silently during startup), as they
+        // may have setup cross-signing on a platform which has not saved keys
+        // to secret storage, and this would reset them. In such a case, you
+        // should prompt the user to verify any existing devices first (and
+        // request private keys from those devices) before calling bootstrap.
+        yield resetCrossSigning();
+      } else if (publicKeysOnDevice && privateKeysInCache) {
+        logger.log("Cross-signing public keys trusted and private keys found locally");
+      } else if (privateKeysInStorage) {
+        logger.log("Cross-signing private keys not found locally, but they are available " + "in secret storage, reading storage and caching locally");
+        yield _this7.checkOwnCrossSigningTrust({
+          allowPrivateKeyRequests: true
+        });
+      }
+
+      // Assuming no app-supplied callback, default to storing new private keys in
+      // secret storage if it exists. If it does not, it is assumed this will be
+      // done as part of setting up secret storage later.
+      var crossSigningPrivateKeys = builder.crossSigningCallbacks.privateKeys;
+      if (crossSigningPrivateKeys.size && !_this7.baseApis.cryptoCallbacks.saveCrossSigningKeys) {
+        var secretStorage = new ServerSideSecretStorageImpl(builder.accountDataClientAdapter, builder.ssssCryptoCallbacks);
+        if (yield secretStorage.hasKey()) {
+          logger.log("Storing new cross-signing private keys in secret storage");
+          // This is writing to in-memory account data in
+          // builder.accountDataClientAdapter so won't fail
+          yield CrossSigningInfo.storeInSecretStorage(crossSigningPrivateKeys, secretStorage);
+        }
+      }
+      var operation = builder.buildOperation();
+      yield operation.apply(_this7);
+      // This persists private keys and public keys as trusted,
+      // only do this if apply succeeded for now as retry isn't in place yet
+      yield builder.persist(_this7);
+      logger.log("Cross-signing ready");
+    })();
+  }
+
+  /**
+   * Bootstrap Secure Secret Storage if needed by creating a default key. If everything is
+   * already set up, then no changes are made, so this is safe to run to ensure secret
+   * storage is ready for use.
+   *
+   * This function
+   * - creates a new Secure Secret Storage key if no default key exists
+   *   - if a key backup exists, it is migrated to store the key in the Secret
+   *     Storage
+   * - creates a backup if none exists, and one is requested
+   * - migrates Secure Secret Storage to use the latest algorithm, if an outdated
+   *   algorithm is found
+   *
+   * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+   *
+   * Returns:
+   *     A promise which resolves to key creation data for
+   *     SecretStorage#addKey: an object with `passphrase` etc fields.
+   */
+  // TODO this does not resolve with what it says it does
+  bootstrapSecretStorage() {
+    var _arguments4 = arguments,
+      _this8 = this;
+    return _asyncToGenerator(function* () {
+      var {
+        createSecretStorageKey = /*#__PURE__*/_asyncToGenerator(function* () {
+          return {};
+        }),
+        keyBackupInfo,
+        setupNewKeyBackup,
+        setupNewSecretStorage,
+        getKeyBackupPassphrase
+      } = _arguments4.length > 0 && _arguments4[0] !== undefined ? _arguments4[0] : {};
+      logger.log("Bootstrapping Secure Secret Storage");
+      var delegateCryptoCallbacks = _this8.baseApis.cryptoCallbacks;
+      var builder = new EncryptionSetupBuilder(_this8.baseApis.store.accountData, delegateCryptoCallbacks);
+      var secretStorage = new ServerSideSecretStorageImpl(builder.accountDataClientAdapter, builder.ssssCryptoCallbacks);
+
+      // the ID of the new SSSS key, if we create one
+      var newKeyId = null;
+
+      // create a new SSSS key and set it as default
+      var createSSSS = /*#__PURE__*/function () {
+        var _ref6 = _asyncToGenerator(function* (opts) {
+          var {
+            keyId,
+            keyInfo
+          } = yield secretStorage.addKey(SECRET_STORAGE_ALGORITHM_V1_AES, opts);
+
+          // make the private key available to encrypt 4S secrets
+          builder.ssssCryptoCallbacks.addPrivateKey(keyId, keyInfo, opts.key);
+          yield secretStorage.setDefaultKeyId(keyId);
+          return keyId;
+        });
+        return function createSSSS(_x3) {
+          return _ref6.apply(this, arguments);
+        };
+      }();
+      var ensureCanCheckPassphrase = /*#__PURE__*/function () {
+        var _ref7 = _asyncToGenerator(function* (keyId, keyInfo) {
+          if (!keyInfo.mac) {
+            var _this8$baseApis$crypt, _this8$baseApis$crypt2;
+            var key = yield (_this8$baseApis$crypt = (_this8$baseApis$crypt2 = _this8.baseApis.cryptoCallbacks).getSecretStorageKey) === null || _this8$baseApis$crypt === void 0 ? void 0 : _this8$baseApis$crypt.call(_this8$baseApis$crypt2, {
+              keys: {
+                [keyId]: keyInfo
+              }
+            }, "");
+            if (key) {
+              var privateKey = key[1];
+              builder.ssssCryptoCallbacks.addPrivateKey(keyId, keyInfo, privateKey);
+              var {
+                iv,
+                mac
+              } = yield calculateKeyCheck(privateKey);
+              keyInfo.iv = iv;
+              keyInfo.mac = mac;
+              yield builder.setAccountData("m.secret_storage.key.".concat(keyId), keyInfo);
+            }
+          }
+        });
+        return function ensureCanCheckPassphrase(_x4, _x5) {
+          return _ref7.apply(this, arguments);
+        };
+      }();
+      var signKeyBackupWithCrossSigning = /*#__PURE__*/function () {
+        var _ref8 = _asyncToGenerator(function* (keyBackupAuthData) {
+          if (_this8.crossSigningInfo.getId() && (yield _this8.crossSigningInfo.isStoredInKeyCache("master"))) {
+            try {
+              logger.log("Adding cross-signing signature to key backup");
+              yield _this8.crossSigningInfo.signObject(keyBackupAuthData, "master");
+            } catch (e) {
+              // This step is not critical (just helpful), so we catch here
+              // and continue if it fails.
+              logger.error("Signing key backup with cross-signing keys failed", e);
+            }
+          } else {
+            logger.warn("Cross-signing keys not available, skipping signature on key backup");
+          }
+        });
+        return function signKeyBackupWithCrossSigning(_x6) {
+          return _ref8.apply(this, arguments);
+        };
+      }();
+      var oldSSSSKey = yield _this8.secretStorage.getKey();
+      var [oldKeyId, oldKeyInfo] = oldSSSSKey || [null, null];
+      var storageExists = !setupNewSecretStorage && oldKeyInfo && oldKeyInfo.algorithm === SECRET_STORAGE_ALGORITHM_V1_AES;
+
+      // Log all relevant state for easier parsing of debug logs.
+      logger.log({
+        keyBackupInfo,
+        setupNewKeyBackup,
+        setupNewSecretStorage,
+        storageExists,
+        oldKeyInfo
+      });
+      if (!storageExists && !keyBackupInfo) {
+        // either we don't have anything, or we've been asked to restart
+        // from scratch
+        logger.log("Secret storage does not exist, creating new storage key");
+
+        // if we already have a usable default SSSS key and aren't resetting
+        // SSSS just use it. otherwise, create a new one
+        // Note: we leave the old SSSS key in place: there could be other
+        // secrets using it, in theory. We could move them to the new key but a)
+        // that would mean we'd need to prompt for the old passphrase, and b)
+        // it's not clear that would be the right thing to do anyway.
+        var {
+          keyInfo,
+          privateKey
+        } = yield createSecretStorageKey();
+        newKeyId = yield createSSSS({
+          passphrase: keyInfo === null || keyInfo === void 0 ? void 0 : keyInfo.passphrase,
+          key: privateKey,
+          name: keyInfo === null || keyInfo === void 0 ? void 0 : keyInfo.name
+        });
+      } else if (!storageExists && keyBackupInfo) {
+        // we have an existing backup, but no SSSS
+        logger.log("Secret storage does not exist, using key backup key");
+
+        // if we have the backup key already cached, use it; otherwise use the
+        // callback to prompt for the key
+        var backupKey = (yield _this8.getSessionBackupPrivateKey()) || (yield getKeyBackupPassphrase === null || getKeyBackupPassphrase === void 0 ? void 0 : getKeyBackupPassphrase());
+
+        // create a new SSSS key and use the backup key as the new SSSS key
+        var opts = {
+          key: backupKey
+        };
+        if (keyBackupInfo.auth_data.private_key_salt && keyBackupInfo.auth_data.private_key_iterations) {
+          // FIXME: ???
+          opts.passphrase = {
+            algorithm: "m.pbkdf2",
+            iterations: keyBackupInfo.auth_data.private_key_iterations,
+            salt: keyBackupInfo.auth_data.private_key_salt,
+            bits: 256
+          };
+        }
+        newKeyId = yield createSSSS(opts);
+
+        // store the backup key in secret storage
+        yield secretStorage.store("m.megolm_backup.v1", encodeBase64(backupKey), [newKeyId]);
+
+        // The backup is trusted because the user provided the private key.
+        // Sign the backup with the cross-signing key so the key backup can
+        // be trusted via cross-signing.
+        yield signKeyBackupWithCrossSigning(keyBackupInfo.auth_data);
+        builder.addSessionBackup(keyBackupInfo);
+      } else {
+        // 4S is already set up
+        logger.log("Secret storage exists");
+        if (oldKeyInfo && oldKeyInfo.algorithm === SECRET_STORAGE_ALGORITHM_V1_AES) {
+          // make sure that the default key has the information needed to
+          // check the passphrase
+          yield ensureCanCheckPassphrase(oldKeyId, oldKeyInfo);
+        }
+      }
+
+      // If we have cross-signing private keys cached, store them in secret
+      // storage if they are not there already.
+      if (!_this8.baseApis.cryptoCallbacks.saveCrossSigningKeys && (yield _this8.isCrossSigningReady()) && (newKeyId || !(yield _this8.crossSigningInfo.isStoredInSecretStorage(secretStorage)))) {
+        logger.log("Copying cross-signing private keys from cache to secret storage");
+        var crossSigningPrivateKeys = yield _this8.crossSigningInfo.getCrossSigningKeysFromCache();
+        // This is writing to in-memory account data in
+        // builder.accountDataClientAdapter so won't fail
+        yield CrossSigningInfo.storeInSecretStorage(crossSigningPrivateKeys, secretStorage);
+      }
+      if (setupNewKeyBackup && !keyBackupInfo) {
+        logger.log("Creating new message key backup version");
+        var info = yield _this8.baseApis.prepareKeyBackupVersion(null /* random key */,
+        // don't write to secret storage, as it will write to this.secretStorage.
+        // Here, we want to capture all the side-effects of bootstrapping,
+        // and want to write to the local secretStorage object
+        {
+          secureSecretStorage: false
+        });
+        // write the key to 4S
+        var _privateKey2 = decodeRecoveryKey(info.recovery_key);
+        yield secretStorage.store("m.megolm_backup.v1", encodeBase64(_privateKey2));
+
+        // create keyBackupInfo object to add to builder
+        var data = {
+          algorithm: info.algorithm,
+          auth_data: info.auth_data
+        };
+
+        // Sign with cross-signing master key
+        yield signKeyBackupWithCrossSigning(data.auth_data);
+
+        // sign with the device fingerprint
+        yield _this8.signObject(data.auth_data);
+        builder.addSessionBackup(data);
+      }
+
+      // Cache the session backup key
+      var sessionBackupKey = yield secretStorage.get("m.megolm_backup.v1");
+      if (sessionBackupKey) {
+        logger.info("Got session backup key from secret storage: caching");
+        // fix up the backup key if it's in the wrong format, and replace
+        // in secret storage
+        var fixedBackupKey = fixBackupKey(sessionBackupKey);
+        if (fixedBackupKey) {
+          var keyId = newKeyId || oldKeyId;
+          yield secretStorage.store("m.megolm_backup.v1", fixedBackupKey, keyId ? [keyId] : null);
+        }
+        var decodedBackupKey = new Uint8Array(decodeBase64(fixedBackupKey || sessionBackupKey));
+        builder.addSessionBackupPrivateKeyToCache(decodedBackupKey);
+      } else if (_this8.backupManager.getKeyBackupEnabled()) {
+        // key backup is enabled but we don't have a session backup key in SSSS: see if we have one in
+        // the cache or the user can provide one, and if so, write it to SSSS
+        var _backupKey = (yield _this8.getSessionBackupPrivateKey()) || (yield getKeyBackupPassphrase === null || getKeyBackupPassphrase === void 0 ? void 0 : getKeyBackupPassphrase());
+        if (!_backupKey) {
+          // This will require user intervention to recover from since we don't have the key
+          // backup key anywhere. The user should probably just set up a new key backup and
+          // the key for the new backup will be stored. If we hit this scenario in the wild
+          // with any frequency, we should do more than just log an error.
+          logger.error("Key backup is enabled but couldn't get key backup key!");
+          return;
+        }
+        logger.info("Got session backup key from cache/user that wasn't in SSSS: saving to SSSS");
+        yield secretStorage.store("m.megolm_backup.v1", encodeBase64(_backupKey));
+      }
+      var operation = builder.buildOperation();
+      yield operation.apply(_this8);
+      // this persists private keys and public keys as trusted,
+      // only do this if apply succeeded for now as retry isn't in place yet
+      yield builder.persist(_this8);
+      logger.log("Secure Secret Storage ready");
+    })();
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi#resetKeyBackup}.
+   */
+  resetKeyBackup() {
+    var _this9 = this;
+    return _asyncToGenerator(function* () {
+      // Delete existing ones
+      // There is no use case for having several key backup version live server side.
+      // Even if not deleted it would be lost as the key to restore is lost.
+      // There should be only one backup at a time.
+      yield _this9.backupManager.deleteAllKeyBackupVersions();
+      var info = yield _this9.backupManager.prepareKeyBackupVersion();
+      yield _this9.signObject(info.auth_data);
+
+      // add new key backup
+      var {
+        version
+      } = yield _this9.baseApis.http.authedRequest(Method.Post, "/room_keys/version", undefined, info, {
+        prefix: ClientPrefix.V3
+      });
+      logger.log("Created backup version ".concat(version));
+
+      // write the key to 4S
+      var privateKey = info.privateKey;
+      yield _this9.secretStorage.store("m.megolm_backup.v1", encodeBase64(privateKey));
+      yield _this9.storeSessionBackupPrivateKey(privateKey);
+      yield _this9.backupManager.checkAndStart();
+      yield _this9.backupManager.scheduleAllGroupSessionsForBackup();
+    })();
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi#deleteKeyBackupVersion}.
+   */
+  deleteKeyBackupVersion(version) {
+    var _this10 = this;
+    return _asyncToGenerator(function* () {
+      yield _this10.backupManager.deleteKeyBackupVersion(version);
+    })();
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#addKey}.
+   */
+  addSecretStorageKey(algorithm, opts, keyID) {
+    return this.secretStorage.addKey(algorithm, opts, keyID);
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#hasKey}.
+   */
+  hasSecretStorageKey(keyID) {
+    return this.secretStorage.hasKey(keyID);
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#getKey}.
+   */
+  getSecretStorageKey(keyID) {
+    return this.secretStorage.getKey(keyID);
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#store}.
+   */
+  storeSecret(name, secret, keys) {
+    return this.secretStorage.store(name, secret, keys);
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#get}.
+   */
+  getSecret(name) {
+    return this.secretStorage.get(name);
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#isStored}.
+   */
+  isSecretStored(name) {
+    return this.secretStorage.isStored(name);
+  }
+  requestSecret(name, devices) {
+    if (!devices) {
+      devices = Object.keys(this.deviceList.getRawStoredDevicesForUser(this.userId));
+    }
+    return this.secretStorage.request(name, devices);
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#getDefaultKeyId}.
+   */
+  getDefaultSecretStorageKeyId() {
+    return this.secretStorage.getDefaultKeyId();
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#setDefaultKeyId}.
+   */
+  setDefaultSecretStorageKeyId(k) {
+    return this.secretStorage.setDefaultKeyId(k);
+  }
+
+  /**
+   * @deprecated Use {@link MatrixClient#secretStorage} and {@link SecretStorage.ServerSideSecretStorage#checkKey}.
+   */
+  checkSecretStorageKey(key, info) {
+    return this.secretStorage.checkKey(key, info);
+  }
+
+  /**
+   * Checks that a given secret storage private key matches a given public key.
+   * This can be used by the getSecretStorageKey callback to verify that the
+   * private key it is about to supply is the one that was requested.
+   *
+   * @param privateKey - The private key
+   * @param expectedPublicKey - The public key
+   * @returns true if the key matches, otherwise false
+   */
+  checkSecretStoragePrivateKey(privateKey, expectedPublicKey) {
+    var decryption = null;
+    try {
+      decryption = new globalThis.Olm.PkDecryption();
+      var gotPubkey = decryption.init_with_private_key(privateKey);
+      // make sure it agrees with the given pubkey
+      return gotPubkey === expectedPublicKey;
+    } finally {
+      var _decryption;
+      (_decryption = decryption) === null || _decryption === void 0 || _decryption.free();
+    }
+  }
+
+  /**
+   * Fetches the backup private key, if cached
+   * @returns the key, if any, or null
+   */
+  getSessionBackupPrivateKey() {
+    var _this11 = this;
+    return _asyncToGenerator(function* () {
+      var encodedKey = yield new Promise(resolve => {
+        _this11.cryptoStore.doTxn("readonly", [IndexedDBCryptoStore.STORE_ACCOUNT], txn => {
+          _this11.cryptoStore.getSecretStorePrivateKey(txn, resolve, "m.megolm_backup.v1");
+        });
+      });
+      var key = null;
+
+      // make sure we have a Uint8Array, rather than a string
+      if (typeof encodedKey === "string") {
+        key = new Uint8Array(decodeBase64(fixBackupKey(encodedKey) || encodedKey));
+        yield _this11.storeSessionBackupPrivateKey(key);
+      }
+      if (encodedKey && typeof encodedKey === "object" && "ciphertext" in encodedKey) {
+        var pickleKey = Buffer.from(_this11.olmDevice.pickleKey);
+        var decrypted = yield decryptAESSecretStorageItem(encodedKey, pickleKey, "m.megolm_backup.v1");
+        key = decodeBase64(decrypted);
+      }
+      return key;
+    })();
+  }
+
+  /**
+   * Stores the session backup key to the cache
+   * @param key - the private key
+   * @returns a promise so you can catch failures
+   */
+  storeSessionBackupPrivateKey(key, version) {
+    var _this12 = this;
+    return _asyncToGenerator(function* () {
+      if (!(key instanceof Uint8Array)) {
+        // eslint-disable-next-line @typescript-eslint/no-base-to-string
+        throw new Error("storeSessionBackupPrivateKey expects Uint8Array, got ".concat(key));
+      }
+      var pickleKey = Buffer.from(_this12.olmDevice.pickleKey);
+      var encryptedKey = yield encryptAESSecretStorageItem(encodeBase64(key), pickleKey, "m.megolm_backup.v1");
+      return _this12.cryptoStore.doTxn("readwrite", [IndexedDBCryptoStore.STORE_ACCOUNT], txn => {
+        _this12.cryptoStore.storeSecretStorePrivateKey(txn, "m.megolm_backup.v1", encryptedKey);
+      });
+    })();
+  }
+
+  /**
+   * Implementation of {@link Crypto.loadSessionBackupPrivateKeyFromSecretStorage}.
+   */
+  loadSessionBackupPrivateKeyFromSecretStorage() {
+    throw new Error("Not implmeented");
+  }
+
+  /**
+   * Get the current status of key backup.
+   *
+   * Implementation of {@link Crypto.CryptoApi.getActiveSessionBackupVersion}.
+   */
+  getActiveSessionBackupVersion() {
+    var _this13 = this;
+    return _asyncToGenerator(function* () {
+      if (_this13.backupManager.getKeyBackupEnabled()) {
+        var _this13$backupManager;
+        return (_this13$backupManager = _this13.backupManager.version) !== null && _this13$backupManager !== void 0 ? _this13$backupManager : null;
+      }
+      return null;
+    })();
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi#getKeyBackupInfo}.
+   */
+  getKeyBackupInfo() {
+    return _asyncToGenerator(function* () {
+      throw new Error("Not implemented");
+    })();
+  }
+
+  /**
+   * Determine if a key backup can be trusted.
+   *
+   * Implementation of {@link Crypto.CryptoApi.isKeyBackupTrusted}.
+   */
+  isKeyBackupTrusted(info) {
+    var _this14 = this;
+    return _asyncToGenerator(function* () {
+      var trustInfo = yield _this14.backupManager.isKeyBackupTrusted(info);
+      return backupTrustInfoFromLegacyTrustInfo(trustInfo);
+    })();
+  }
+
+  /**
+   * Force a re-check of the key backup and enable/disable it as appropriate.
+   *
+   * Implementation of {@link Crypto.CryptoApi.checkKeyBackupAndEnable}.
+   */
+  checkKeyBackupAndEnable() {
+    var _this15 = this;
+    return _asyncToGenerator(function* () {
+      var checkResult = yield _this15.backupManager.checkKeyBackup();
+      if (!checkResult || !checkResult.backupInfo) return null;
+      return {
+        backupInfo: checkResult.backupInfo,
+        trustInfo: backupTrustInfoFromLegacyTrustInfo(checkResult.trustInfo)
+      };
+    })();
+  }
+
+  /**
+   * Checks that a given cross-signing private key matches a given public key.
+   * This can be used by the getCrossSigningKey callback to verify that the
+   * private key it is about to supply is the one that was requested.
+   *
+   * @param privateKey - The private key
+   * @param expectedPublicKey - The public key
+   * @returns true if the key matches, otherwise false
+   */
+  checkCrossSigningPrivateKey(privateKey, expectedPublicKey) {
+    var signing = null;
+    try {
+      signing = new globalThis.Olm.PkSigning();
+      var gotPubkey = signing.init_with_seed(privateKey);
+      // make sure it agrees with the given pubkey
+      return gotPubkey === expectedPublicKey;
+    } finally {
+      var _signing;
+      (_signing = signing) === null || _signing === void 0 || _signing.free();
+    }
+  }
+
+  /**
+   * Run various follow-up actions after cross-signing keys have changed locally
+   * (either by resetting the keys for the account or by getting them from secret
+   * storage), such as signing the current device, upgrading device
+   * verifications, etc.
+   */
+  afterCrossSigningLocalKeyChange() {
+    var _this16 = this;
+    return _asyncToGenerator(function* () {
+      logger.info("Starting cross-signing key change post-processing");
+
+      // sign the current device with the new key, and upload to the server
+      var device = _this16.deviceList.getStoredDevice(_this16.userId, _this16.deviceId);
+      var signedDevice = yield _this16.crossSigningInfo.signDevice(_this16.userId, device);
+      logger.info("Starting background key sig upload for ".concat(_this16.deviceId));
+      var upload = _ref9 => {
+        var {
+          shouldEmit = false
+        } = _ref9;
+        return _this16.baseApis.uploadKeySignatures({
+          [_this16.userId]: {
+            [_this16.deviceId]: signedDevice
+          }
+        }).then(response => {
+          var {
+            failures
+          } = response || {};
+          if (Object.keys(failures || []).length > 0) {
+            if (shouldEmit) {
+              _this16.baseApis.emit(CryptoEvent.KeySignatureUploadFailure, failures, "afterCrossSigningLocalKeyChange", upload // continuation
+              );
+            }
+            throw new KeySignatureUploadError("Key upload failed", {
+              failures
+            });
+          }
+          logger.info("Finished background key sig upload for ".concat(_this16.deviceId));
+        }).catch(e => {
+          logger.error("Error during background key sig upload for ".concat(_this16.deviceId), e);
+        });
+      };
+      upload({
+        shouldEmit: true
+      });
+      var shouldUpgradeCb = _this16.baseApis.cryptoCallbacks.shouldUpgradeDeviceVerifications;
+      if (shouldUpgradeCb) {
+        logger.info("Starting device verification upgrade");
+
+        // Check all users for signatures if upgrade callback present
+        // FIXME: do this in batches
+        var users = {};
+        for (var [_userId2, crossSigningInfo] of Object.entries(_this16.deviceList.crossSigningInfo)) {
+          var upgradeInfo = yield _this16.checkForDeviceVerificationUpgrade(_userId2, CrossSigningInfo.fromStorage(crossSigningInfo, _userId2));
+          if (upgradeInfo) {
+            users[_userId2] = upgradeInfo;
+          }
+        }
+        if (Object.keys(users).length > 0) {
+          logger.info("Found ".concat(Object.keys(users).length, " verif users to upgrade"));
+          try {
+            var usersToUpgrade = yield shouldUpgradeCb({
+              users: users
+            });
+            if (usersToUpgrade) {
+              for (var _userId3 of usersToUpgrade) {
+                if (_userId3 in users) {
+                  yield _this16.baseApis.setDeviceVerified(_userId3, users[_userId3].crossSigningInfo.getId());
+                }
+              }
+            }
+          } catch (e) {
+            logger.log("shouldUpgradeDeviceVerifications threw an error: not upgrading", e);
+          }
+        }
+        logger.info("Finished device verification upgrade");
+      }
+      logger.info("Finished cross-signing key change post-processing");
+    })();
+  }
+
+  /**
+   * Check if a user's cross-signing key is a candidate for upgrading from device
+   * verification.
+   *
+   * @param userId - the user whose cross-signing information is to be checked
+   * @param crossSigningInfo - the cross-signing information to check
+   */
+  checkForDeviceVerificationUpgrade(userId, crossSigningInfo) {
+    var _this17 = this;
+    return _asyncToGenerator(function* () {
+      // only upgrade if this is the first cross-signing key that we've seen for
+      // them, and if their cross-signing key isn't already verified
+      var trustLevel = _this17.crossSigningInfo.checkUserTrust(crossSigningInfo);
+      if (crossSigningInfo.firstUse && !trustLevel.isVerified()) {
+        var devices = _this17.deviceList.getRawStoredDevicesForUser(userId);
+        var deviceIds = yield _this17.checkForValidDeviceSignature(userId, crossSigningInfo.keys.master, devices);
+        if (deviceIds.length) {
+          return {
+            devices: deviceIds.map(deviceId => DeviceInfo.fromStorage(devices[deviceId], deviceId)),
+            crossSigningInfo
+          };
+        }
+      }
+    })();
+  }
+
+  /**
+   * Check if the cross-signing key is signed by a verified device.
+   *
+   * @param userId - the user ID whose key is being checked
+   * @param key - the key that is being checked
+   * @param devices - the user's devices.  Should be a map from device ID
+   *     to device info
+   */
+  checkForValidDeviceSignature(userId, key, devices) {
+    var _this18 = this;
+    return _asyncToGenerator(function* () {
+      var deviceIds = [];
+      if (devices && key.signatures && key.signatures[userId]) {
+        for (var signame of Object.keys(key.signatures[userId])) {
+          var [, _deviceId2] = signame.split(":", 2);
+          if (_deviceId2 in devices && devices[_deviceId2].verified === DeviceVerification.VERIFIED) {
+            try {
+              yield olmlib.verifySignature(_this18.olmDevice, key, userId, _deviceId2, devices[_deviceId2].keys[signame]);
+              deviceIds.push(_deviceId2);
+            } catch (_unused) {}
+          }
+        }
+      }
+      return deviceIds;
+    })();
+  }
+
+  /**
+   * Get the user's cross-signing key ID.
+   *
+   * @param type - The type of key to get the ID of.  One of
+   *     "master", "self_signing", or "user_signing".  Defaults to "master".
+   *
+   * @returns the key ID
+   */
+  getCrossSigningKeyId() {
+    var type = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : CrossSigningKey.Master;
+    return Promise.resolve(this.getCrossSigningId(type));
+  }
+
+  // old name, for backwards compatibility
+  getCrossSigningId(type) {
+    return this.crossSigningInfo.getId(type);
+  }
+
+  /**
+   * Get the cross signing information for a given user.
+   *
+   * @param userId - the user ID to get the cross-signing info for.
+   *
+   * @returns the cross signing information for the user.
+   */
+  getStoredCrossSigningForUser(userId) {
+    return this.deviceList.getStoredCrossSigningForUser(userId);
+  }
+
+  /**
+   * Check whether a given user is trusted.
+   *
+   * @param userId - The ID of the user to check.
+   *
+   * @returns
+   */
+  checkUserTrust(userId) {
+    var userCrossSigning = this.deviceList.getStoredCrossSigningForUser(userId);
+    if (!userCrossSigning) {
+      return new UserTrustLevel(false, false, false);
+    }
+    return this.crossSigningInfo.checkUserTrust(userCrossSigning);
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi.getUserVerificationStatus}.
+   */
+  getUserVerificationStatus(userId) {
+    var _this19 = this;
+    return _asyncToGenerator(function* () {
+      return _this19.checkUserTrust(userId);
+    })();
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi.pinCurrentUserIdentity}.
+   */
+  pinCurrentUserIdentity(userId) {
+    return _asyncToGenerator(function* () {
+      throw new Error("not implemented");
+    })();
+  }
+
+  /**
+   * Check whether a given device is trusted.
+   *
+   * @param userId - The ID of the user whose device is to be checked.
+   * @param deviceId - The ID of the device to check
+   */
+  getDeviceVerificationStatus(userId, deviceId) {
+    var _this20 = this;
+    return _asyncToGenerator(function* () {
+      var device = _this20.deviceList.getStoredDevice(userId, deviceId);
+      if (!device) {
+        return null;
+      }
+      return _this20.checkDeviceInfoTrust(userId, device);
+    })();
+  }
+
+  /**
+   * @deprecated Use {@link Crypto.CryptoApi.getDeviceVerificationStatus}.
+   */
+  checkDeviceTrust(userId, deviceId) {
+    var device = this.deviceList.getStoredDevice(userId, deviceId);
+    return this.checkDeviceInfoTrust(userId, device);
+  }
+
+  /**
+   * Check whether a given deviceinfo is trusted.
+   *
+   * @param userId - The ID of the user whose devices is to be checked.
+   * @param device - The device info object to check
+   *
+   * @deprecated Use {@link Crypto.CryptoApi.getDeviceVerificationStatus}.
+   */
+  checkDeviceInfoTrust(userId, device) {
+    var trustedLocally = !!(device !== null && device !== void 0 && device.isVerified());
+    var userCrossSigning = this.deviceList.getStoredCrossSigningForUser(userId);
+    if (device && userCrossSigning) {
+      // The trustCrossSignedDevices only affects trust of other people's cross-signing
+      // signatures
+      var trustCrossSig = this.trustCrossSignedDevices || userId === this.userId;
+      return this.crossSigningInfo.checkDeviceTrust(userCrossSigning, device, trustedLocally, trustCrossSig);
+    } else {
+      return new DeviceTrustLevel(false, false, trustedLocally, false);
+    }
+  }
+
+  /**
+   * Check whether one of our own devices is cross-signed by our
+   * user's stored keys, regardless of whether we trust those keys yet.
+   *
+   * @param deviceId - The ID of the device to check
+   *
+   * @returns true if the device is cross-signed
+   */
+  checkIfOwnDeviceCrossSigned(deviceId) {
+    var _userCrossSigning$che;
+    var device = this.deviceList.getStoredDevice(this.userId, deviceId);
+    if (!device) return false;
+    var userCrossSigning = this.deviceList.getStoredCrossSigningForUser(this.userId);
+    return (_userCrossSigning$che = userCrossSigning === null || userCrossSigning === void 0 ? void 0 : userCrossSigning.checkDeviceTrust(userCrossSigning, device, false, true).isCrossSigningVerified()) !== null && _userCrossSigning$che !== void 0 ? _userCrossSigning$che : false;
+  }
+  /**
+   * Check the copy of our cross-signing key that we have in the device list and
+   * see if we can get the private key. If so, mark it as trusted.
+   */
+  checkOwnCrossSigningTrust() {
+    var _arguments5 = arguments,
+      _this21 = this;
+    return _asyncToGenerator(function* () {
+      var {
+        allowPrivateKeyRequests = false
+      } = _arguments5.length > 0 && _arguments5[0] !== undefined ? _arguments5[0] : {};
+      var userId = _this21.userId;
+
+      // Before proceeding, ensure our cross-signing public keys have been
+      // downloaded via the device list.
+      yield _this21.downloadKeys([_this21.userId]);
+
+      // Also check which private keys are locally cached.
+      var crossSigningPrivateKeys = yield _this21.crossSigningInfo.getCrossSigningKeysFromCache();
+
+      // If we see an update to our own master key, check it against the master
+      // key we have and, if it matches, mark it as verified
+
+      // First, get the new cross-signing info
+      var newCrossSigning = _this21.deviceList.getStoredCrossSigningForUser(userId);
+      if (!newCrossSigning) {
+        logger.error("Got cross-signing update event for user " + userId + " but no new cross-signing information found!");
+        return;
+      }
+      var seenPubkey = newCrossSigning.getId();
+      var masterChanged = _this21.crossSigningInfo.getId() !== seenPubkey;
+      var masterExistsNotLocallyCached = newCrossSigning.getId() && !crossSigningPrivateKeys.has("master");
+      if (masterChanged) {
+        logger.info("Got new master public key", seenPubkey);
+      }
+      if (allowPrivateKeyRequests && (masterChanged || masterExistsNotLocallyCached)) {
+        logger.info("Attempting to retrieve cross-signing master private key");
+        var signing = null;
+        // It's important for control flow that we leave any errors alone for
+        // higher levels to handle so that e.g. cancelling access properly
+        // aborts any larger operation as well.
+        try {
+          var ret = yield _this21.crossSigningInfo.getCrossSigningKey("master", seenPubkey);
+          signing = ret[1];
+          logger.info("Got cross-signing master private key");
+        } finally {
+          var _signing2;
+          (_signing2 = signing) === null || _signing2 === void 0 || _signing2.free();
+        }
+      }
+      var oldSelfSigningId = _this21.crossSigningInfo.getId("self_signing");
+      var oldUserSigningId = _this21.crossSigningInfo.getId("user_signing");
+
+      // Update the version of our keys in our cross-signing object and the local store
+      _this21.storeTrustedSelfKeys(newCrossSigning.keys);
+      var selfSigningChanged = oldSelfSigningId !== newCrossSigning.getId("self_signing");
+      var userSigningChanged = oldUserSigningId !== newCrossSigning.getId("user_signing");
+      var selfSigningExistsNotLocallyCached = newCrossSigning.getId("self_signing") && !crossSigningPrivateKeys.has("self_signing");
+      var userSigningExistsNotLocallyCached = newCrossSigning.getId("user_signing") && !crossSigningPrivateKeys.has("user_signing");
+      var keySignatures = {};
+      if (selfSigningChanged) {
+        logger.info("Got new self-signing key", newCrossSigning.getId("self_signing"));
+      }
+      if (allowPrivateKeyRequests && (selfSigningChanged || selfSigningExistsNotLocallyCached)) {
+        logger.info("Attempting to retrieve cross-signing self-signing private key");
+        var _signing3 = null;
+        try {
+          var _ret = yield _this21.crossSigningInfo.getCrossSigningKey("self_signing", newCrossSigning.getId("self_signing"));
+          _signing3 = _ret[1];
+          logger.info("Got cross-signing self-signing private key");
+        } finally {
+          var _signing4;
+          (_signing4 = _signing3) === null || _signing4 === void 0 || _signing4.free();
+        }
+        var device = _this21.deviceList.getStoredDevice(_this21.userId, _this21.deviceId);
+        var signedDevice = yield _this21.crossSigningInfo.signDevice(_this21.userId, device);
+        keySignatures[_this21.deviceId] = signedDevice;
+      }
+      if (userSigningChanged) {
+        logger.info("Got new user-signing key", newCrossSigning.getId("user_signing"));
+      }
+      if (allowPrivateKeyRequests && (userSigningChanged || userSigningExistsNotLocallyCached)) {
+        logger.info("Attempting to retrieve cross-signing user-signing private key");
+        var _signing5 = null;
+        try {
+          var _ret2 = yield _this21.crossSigningInfo.getCrossSigningKey("user_signing", newCrossSigning.getId("user_signing"));
+          _signing5 = _ret2[1];
+          logger.info("Got cross-signing user-signing private key");
+        } finally {
+          var _signing6;
+          (_signing6 = _signing5) === null || _signing6 === void 0 || _signing6.free();
+        }
+      }
+      if (masterChanged) {
+        var masterKey = _this21.crossSigningInfo.keys.master;
+        yield _this21.signObject(masterKey);
+        var deviceSig = masterKey.signatures[_this21.userId]["ed25519:" + _this21.deviceId];
+        // Include only the _new_ device signature in the upload.
+        // We may have existing signatures from deleted devices, which will cause
+        // the entire upload to fail.
+        keySignatures[_this21.crossSigningInfo.getId()] = Object.assign({}, masterKey, {
+          signatures: {
+            [_this21.userId]: {
+              ["ed25519:" + _this21.deviceId]: deviceSig
+            }
+          }
+        });
+      }
+      var keysToUpload = Object.keys(keySignatures);
+      if (keysToUpload.length) {
+        var upload = _ref10 => {
+          var {
+            shouldEmit = false
+          } = _ref10;
+          logger.info("Starting background key sig upload for ".concat(keysToUpload));
+          return _this21.baseApis.uploadKeySignatures({
+            [_this21.userId]: keySignatures
+          }).then(response => {
+            var {
+              failures
+            } = response || {};
+            logger.info("Finished background key sig upload for ".concat(keysToUpload));
+            if (Object.keys(failures || []).length > 0) {
+              if (shouldEmit) {
+                _this21.baseApis.emit(CryptoEvent.KeySignatureUploadFailure, failures, "checkOwnCrossSigningTrust", upload);
+              }
+              throw new KeySignatureUploadError("Key upload failed", {
+                failures
+              });
+            }
+          }).catch(e => {
+            logger.error("Error during background key sig upload for ".concat(keysToUpload), e);
+          });
+        };
+        upload({
+          shouldEmit: true
+        });
+      }
+      _this21.emit(CryptoEvent.UserTrustStatusChanged, userId, _this21.checkUserTrust(userId));
+      if (masterChanged) {
+        _this21.emit(CryptoEvent.KeysChanged, {});
+        yield _this21.afterCrossSigningLocalKeyChange();
+      }
+
+      // Now we may be able to trust our key backup
+      yield _this21.backupManager.checkKeyBackup();
+      // FIXME: if we previously trusted the backup, should we automatically sign
+      // the backup with the new key (if not already signed)?
+    })();
+  }
+
+  /**
+   * Implementation of {@link CryptoBackend#getBackupDecryptor}.
+   */
+  getBackupDecryptor(backupInfo, privKey) {
+    return _asyncToGenerator(function* () {
+      if (!(privKey instanceof Uint8Array)) {
+        throw new Error("getBackupDecryptor expects Uint8Array");
+      }
+      var algorithm = yield BackupManager.makeAlgorithm(backupInfo, /*#__PURE__*/_asyncToGenerator(function* () {
+        return privKey;
+      }));
+
+      // If the pubkey computed from the private data we've been given
+      // doesn't match the one in the auth_data, the user has entered
+      // a different recovery key / the wrong passphrase.
+      if (!(yield algorithm.keyMatches(privKey))) {
+        return Promise.reject(new MatrixError({
+          errcode: MatrixClient.RESTORE_BACKUP_ERROR_BAD_KEY
+        }));
+      }
+      return new LibOlmBackupDecryptor(algorithm);
+    })();
+  }
+
+  /**
+   * Implementation of {@link CryptoBackend#importBackedUpRoomKeys}.
+   */
+  importBackedUpRoomKeys(keys, backupVersion) {
+    var opts = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {};
+    opts.source = "backup";
+    return this.importRoomKeys(keys, opts);
+  }
+
+  /**
+   * Store a set of keys as our own, trusted, cross-signing keys.
+   *
+   * @param keys - The new trusted set of keys
+   */
+  storeTrustedSelfKeys(keys) {
+    var _this22 = this;
+    return _asyncToGenerator(function* () {
+      if (keys) {
+        _this22.crossSigningInfo.setKeys(keys);
+      } else {
+        _this22.crossSigningInfo.clearKeys();
+      }
+      yield _this22.cryptoStore.doTxn("readwrite", [IndexedDBCryptoStore.STORE_ACCOUNT], txn => {
+        _this22.cryptoStore.storeCrossSigningKeys(txn, _this22.crossSigningInfo.keys);
+      });
+    })();
+  }
+
+  /**
+   * Check if the master key is signed by a verified device, and if so, prompt
+   * the application to mark it as verified.
+   *
+   * @param userId - the user ID whose key should be checked
+   */
+  checkDeviceVerifications(userId) {
+    var _this23 = this;
+    return _asyncToGenerator(function* () {
+      var shouldUpgradeCb = _this23.baseApis.cryptoCallbacks.shouldUpgradeDeviceVerifications;
+      if (!shouldUpgradeCb) {
+        // Upgrading skipped when callback is not present.
+        return;
+      }
+      logger.info("Starting device verification upgrade for ".concat(userId));
+      if (_this23.crossSigningInfo.keys.user_signing) {
+        var crossSigningInfo = _this23.deviceList.getStoredCrossSigningForUser(userId);
+        if (crossSigningInfo) {
+          var upgradeInfo = yield _this23.checkForDeviceVerificationUpgrade(userId, crossSigningInfo);
+          if (upgradeInfo) {
+            var usersToUpgrade = yield shouldUpgradeCb({
+              users: {
+                [userId]: upgradeInfo
+              }
+            });
+            if (usersToUpgrade.includes(userId)) {
+              yield _this23.baseApis.setDeviceVerified(userId, crossSigningInfo.getId());
+            }
+          }
+        }
+      }
+      logger.info("Finished device verification upgrade for ".concat(userId));
+    })();
+  }
+
+  /**
+   */
+  enableLazyLoading() {
+    this.lazyLoadMembers = true;
+  }
+
+  /**
+   * Tell the crypto module to register for MatrixClient events which it needs to
+   * listen for
+   *
+   * @param eventEmitter - event source where we can register
+   *    for event notifications
+   */
+  registerEventHandlers(eventEmitter) {
+    eventEmitter.on(RoomMemberEvent.Membership, this.onMembership);
+    eventEmitter.on(ClientEvent.ToDeviceEvent, this.onToDeviceEvent);
+    eventEmitter.on(RoomEvent.Timeline, this.onTimelineEvent);
+    eventEmitter.on(MatrixEventEvent.Decrypted, this.onTimelineEvent);
+  }
+
+  /**
+   * @deprecated this does nothing and will be removed in a future version
+   */
+  start() {
+    logger.warn("MatrixClient.crypto.start() is deprecated");
+  }
+
+  /** Stop background processes related to crypto */
+  stop() {
+    this.outgoingRoomKeyRequestManager.stop();
+    this.deviceList.stop();
+    this.dehydrationManager.stop();
+    this.backupManager.stop();
+  }
+
+  /**
+   * Get the Ed25519 key for this device
+   *
+   * @returns base64-encoded ed25519 key.
+   *
+   * @deprecated Use {@link Crypto.CryptoApi#getOwnDeviceKeys}.
+   */
+  getDeviceEd25519Key() {
+    return this.olmDevice.deviceEd25519Key;
+  }
+
+  /**
+   * Get the Curve25519 key for this device
+   *
+   * @returns base64-encoded curve25519 key.
+   *
+   * @deprecated Use {@link Crypto.CryptoApi#getOwnDeviceKeys}
+   */
+  getDeviceCurve25519Key() {
+    return this.olmDevice.deviceCurve25519Key;
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi#getOwnDeviceKeys}.
+   */
+  getOwnDeviceKeys() {
+    var _this24 = this;
+    return _asyncToGenerator(function* () {
+      if (!_this24.olmDevice.deviceCurve25519Key) {
+        throw new Error("Curve25519 key not yet created");
+      }
+      if (!_this24.olmDevice.deviceEd25519Key) {
+        throw new Error("Ed25519 key not yet created");
+      }
+      return {
+        ed25519: _this24.olmDevice.deviceEd25519Key,
+        curve25519: _this24.olmDevice.deviceCurve25519Key
+      };
+    })();
+  }
+
+  /**
+   * Set the global override for whether the client should ever send encrypted
+   * messages to unverified devices.  This provides the default for rooms which
+   * do not specify a value.
+   *
+   * @param value - whether to blacklist all unverified devices by default
+   *
+   * @deprecated Set {@link Crypto.CryptoApi#globalBlacklistUnverifiedDevices | CryptoApi.globalBlacklistUnverifiedDevices} directly.
+   */
+  setGlobalBlacklistUnverifiedDevices(value) {
+    this.globalBlacklistUnverifiedDevices = value;
+  }
+
+  /**
+   * @returns whether to blacklist all unverified devices by default
+   *
+   * @deprecated Reference {@link Crypto.CryptoApi#globalBlacklistUnverifiedDevices | CryptoApi.globalBlacklistUnverifiedDevices} directly.
+   */
+  getGlobalBlacklistUnverifiedDevices() {
+    return this.globalBlacklistUnverifiedDevices;
+  }
+
+  /**
+   * Upload the device keys to the homeserver.
+   * @returns A promise that will resolve when the keys are uploaded.
+   */
+  uploadDeviceKeys() {
+    var deviceKeys = {
+      algorithms: this.supportedAlgorithms,
+      device_id: this.deviceId,
+      keys: this.deviceKeys,
+      user_id: this.userId
+    };
+    return this.signObject(deviceKeys).then(() => {
+      return this.baseApis.uploadKeysRequest({
+        device_keys: deviceKeys
+      });
+    });
+  }
+  getNeedsNewFallback() {
+    return !!this.needsNewFallback;
+  }
+
+  // check if it's time to upload one-time keys, and do so if so.
+  maybeUploadOneTimeKeys() {
+    var _this25 = this;
+    // frequency with which to check & upload one-time keys
+    var uploadPeriod = 1000 * 60; // one minute
+
+    // max number of keys to upload at once
+    // Creating keys can be an expensive operation so we limit the
+    // number we generate in one go to avoid blocking the application
+    // for too long.
+    var maxKeysPerCycle = 5;
+    if (this.oneTimeKeyCheckInProgress) {
+      return;
+    }
+    var now = Date.now();
+    if (this.lastOneTimeKeyCheck !== null && now - this.lastOneTimeKeyCheck < uploadPeriod) {
+      // we've done a key upload recently.
+      return;
+    }
+    this.lastOneTimeKeyCheck = now;
+
+    // We need to keep a pool of one time public keys on the server so that
+    // other devices can start conversations with us. But we can only store
+    // a finite number of private keys in the olm Account object.
+    // To complicate things further then can be a delay between a device
+    // claiming a public one time key from the server and it sending us a
+    // message. We need to keep the corresponding private key locally until
+    // we receive the message.
+    // But that message might never arrive leaving us stuck with duff
+    // private keys clogging up our local storage.
+    // So we need some kind of engineering compromise to balance all of
+    // these factors.
+
+    // Check how many keys we can store in the Account object.
+    var maxOneTimeKeys = this.olmDevice.maxNumberOfOneTimeKeys();
+    // Try to keep at most half that number on the server. This leaves the
+    // rest of the slots free to hold keys that have been claimed from the
+    // server but we haven't received a message for.
+    // If we run out of slots when generating new keys then olm will
+    // discard the oldest private keys first. This will eventually clean
+    // out stale private keys that won't receive a message.
+    var keyLimit = Math.floor(maxOneTimeKeys / 2);
+    var uploadLoop = /*#__PURE__*/function () {
+      var _ref12 = _asyncToGenerator(function* (keyCount) {
+        while (keyLimit > keyCount || _this25.getNeedsNewFallback()) {
+          // Ask olm to generate new one time keys, then upload them to synapse.
+          if (keyLimit > keyCount) {
+            logger.info("generating oneTimeKeys");
+            var keysThisLoop = Math.min(keyLimit - keyCount, maxKeysPerCycle);
+            yield _this25.olmDevice.generateOneTimeKeys(keysThisLoop);
+          }
+          if (_this25.getNeedsNewFallback()) {
+            var fallbackKeys = yield _this25.olmDevice.getFallbackKey();
+            // if fallbackKeys is non-empty, we've already generated a
+            // fallback key, but it hasn't been published yet, so we
+            // can use that instead of generating a new one
+            if (!fallbackKeys.curve25519 || Object.keys(fallbackKeys.curve25519).length == 0) {
+              logger.info("generating fallback key");
+              if (_this25.fallbackCleanup) {
+                // cancel any pending fallback cleanup because generating
+                // a new fallback key will already drop the old fallback
+                // that would have been dropped, and we don't want to kill
+                // the current key
+                clearTimeout(_this25.fallbackCleanup);
+                delete _this25.fallbackCleanup;
+              }
+              yield _this25.olmDevice.generateFallbackKey();
+            }
+          }
+          logger.info("calling uploadOneTimeKeys");
+          var res = yield _this25.uploadOneTimeKeys();
+          if (res.one_time_key_counts && res.one_time_key_counts.signed_curve25519) {
+            // if the response contains a more up to date value use this
+            // for the next loop
+            keyCount = res.one_time_key_counts.signed_curve25519;
+          } else {
+            throw new Error("response for uploading keys does not contain " + "one_time_key_counts.signed_curve25519");
+          }
+        }
+      });
+      return function uploadLoop(_x7) {
+        return _ref12.apply(this, arguments);
+      };
+    }();
+    this.oneTimeKeyCheckInProgress = true;
+    Promise.resolve().then(() => {
+      if (this.oneTimeKeyCount !== undefined) {
+        // We already have the current one_time_key count from a /sync response.
+        // Use this value instead of asking the server for the current key count.
+        return Promise.resolve(this.oneTimeKeyCount);
+      }
+      // ask the server how many keys we have
+      return this.baseApis.uploadKeysRequest({}).then(res => {
+        return res.one_time_key_counts.signed_curve25519 || 0;
+      });
+    }).then(keyCount => {
+      // Start the uploadLoop with the current keyCount. The function checks if
+      // we need to upload new keys or not.
+      // If there are too many keys on the server then we don't need to
+      // create any more keys.
+      return uploadLoop(keyCount);
+    }).catch(e => {
+      logger.error("Error uploading one-time keys", e.stack || e);
+    }).finally(() => {
+      // reset oneTimeKeyCount to prevent start uploading based on old data.
+      // it will be set again on the next /sync-response
+      this.oneTimeKeyCount = undefined;
+      this.oneTimeKeyCheckInProgress = false;
+    });
+  }
+
+  // returns a promise which resolves to the response
+  uploadOneTimeKeys() {
+    var _this26 = this;
+    return _asyncToGenerator(function* () {
+      var promises = [];
+      var fallbackJson;
+      if (_this26.getNeedsNewFallback()) {
+        fallbackJson = {};
+        var fallbackKeys = yield _this26.olmDevice.getFallbackKey();
+        for (var [keyId, key] of Object.entries(fallbackKeys.curve25519)) {
+          var k = {
+            key,
+            fallback: true
+          };
+          fallbackJson["signed_curve25519:" + keyId] = k;
+          promises.push(_this26.signObject(k));
+        }
+        _this26.needsNewFallback = false;
+      }
+      var oneTimeKeys = yield _this26.olmDevice.getOneTimeKeys();
+      var oneTimeJson = {};
+      for (var _keyId in oneTimeKeys.curve25519) {
+        if (oneTimeKeys.curve25519.hasOwnProperty(_keyId)) {
+          var _k = {
+            key: oneTimeKeys.curve25519[_keyId]
+          };
+          oneTimeJson["signed_curve25519:" + _keyId] = _k;
+          promises.push(_this26.signObject(_k));
+        }
+      }
+      yield Promise.all(promises);
+      var requestBody = {
+        one_time_keys: oneTimeJson
+      };
+      if (fallbackJson) {
+        requestBody["org.matrix.msc2732.fallback_keys"] = fallbackJson;
+        requestBody["fallback_keys"] = fallbackJson;
+      }
+      var res = yield _this26.baseApis.uploadKeysRequest(requestBody);
+      if (fallbackJson) {
+        _this26.fallbackCleanup = setTimeout(() => {
+          delete _this26.fallbackCleanup;
+          _this26.olmDevice.forgetOldFallbackKey();
+        }, 60 * 60 * 1000);
+      }
+      yield _this26.olmDevice.markKeysAsPublished();
+      return res;
+    })();
+  }
+
+  /**
+   * Download the keys for a list of users and stores the keys in the session
+   * store.
+   * @param userIds - The users to fetch.
+   * @param forceDownload - Always download the keys even if cached.
+   *
+   * @returns A promise which resolves to a map `userId->deviceId->{@link DeviceInfo}`.
+   */
+  downloadKeys(userIds, forceDownload) {
+    return this.deviceList.downloadKeys(userIds, !!forceDownload);
+  }
+
+  /**
+   * Get the stored device keys for a user id
+   *
+   * @param userId - the user to list keys for.
+   *
+   * @returns list of devices, or null if we haven't
+   * managed to get a list of devices for this user yet.
+   */
+  getStoredDevicesForUser(userId) {
+    return this.deviceList.getStoredDevicesForUser(userId);
+  }
+
+  /**
+   * Get the device information for the given list of users.
+   *
+   * @param userIds - The users to fetch.
+   * @param downloadUncached - If true, download the device list for users whose device list we are not
+   *    currently tracking. Defaults to false, in which case such users will not appear at all in the result map.
+   *
+   * @returns A map `{@link DeviceMap}`.
+   */
+  getUserDeviceInfo(userIds) {
+    var _arguments6 = arguments,
+      _this27 = this;
+    return _asyncToGenerator(function* () {
+      var downloadUncached = _arguments6.length > 1 && _arguments6[1] !== undefined ? _arguments6[1] : false;
+      var deviceMapByUserId = new Map();
+      // Keep the users without device to download theirs keys
+      var usersWithoutDeviceInfo = [];
+      var _loop = function* _loop(_userId4) {
+        var deviceInfos = yield _this27.getStoredDevicesForUser(_userId4);
+        // If there are device infos for a userId, we transform it into a map
+        // Else, the keys will be downloaded after
+        if (deviceInfos) {
+          var deviceMap = new Map(
+          // Convert DeviceInfo to Device
+          deviceInfos.map(deviceInfo => [deviceInfo.deviceId, deviceInfoToDevice(deviceInfo, _userId4)]));
+          deviceMapByUserId.set(_userId4, deviceMap);
+        } else {
+          usersWithoutDeviceInfo.push(_userId4);
+        }
+      };
+      for (var _userId4 of userIds) {
+        yield* _loop(_userId4);
+      }
+
+      // Download device info for users without device infos
+      if (downloadUncached && usersWithoutDeviceInfo.length > 0) {
+        var newDeviceInfoMap = yield _this27.downloadKeys(usersWithoutDeviceInfo);
+        newDeviceInfoMap.forEach((deviceInfoMap, userId) => {
+          var deviceMap = new Map();
+          // Convert DeviceInfo to Device
+          deviceInfoMap.forEach((deviceInfo, deviceId) => deviceMap.set(deviceId, deviceInfoToDevice(deviceInfo, userId)));
+
+          // Put the new device infos into the returned map
+          deviceMapByUserId.set(userId, deviceMap);
+        });
+      }
+      return deviceMapByUserId;
+    })();
+  }
+
+  /**
+   * Get the stored keys for a single device
+   *
+   *
+   * @returns device, or undefined
+   * if we don't know about this device
+   */
+  getStoredDevice(userId, deviceId) {
+    return this.deviceList.getStoredDevice(userId, deviceId);
+  }
+
+  /**
+   * Save the device list, if necessary
+   *
+   * @param delay - Time in ms before which the save actually happens.
+   *     By default, the save is delayed for a short period in order to batch
+   *     multiple writes, but this behaviour can be disabled by passing 0.
+   *
+   * @returns true if the data was saved, false if
+   *     it was not (eg. because no changes were pending). The promise
+   *     will only resolve once the data is saved, so may take some time
+   *     to resolve.
+   */
+  saveDeviceList(delay) {
+    return this.deviceList.saveIfDirty(delay);
+  }
+
+  /**
+   * Mark the given device as locally verified.
+   *
+   * Implementation of {@link Crypto.CryptoApi#setDeviceVerified}.
+   */
+  setDeviceVerified(userId, deviceId) {
+    var _arguments7 = arguments,
+      _this28 = this;
+    return _asyncToGenerator(function* () {
+      var verified = _arguments7.length > 2 && _arguments7[2] !== undefined ? _arguments7[2] : true;
+      yield _this28.setDeviceVerification(userId, deviceId, verified);
+    })();
+  }
+
+  /**
+   * Blindly cross-sign one of our other devices.
+   *
+   * Implementation of {@link Crypto.CryptoApi#crossSignDevice}.
+   */
+  crossSignDevice(deviceId) {
+    var _this29 = this;
+    return _asyncToGenerator(function* () {
+      yield _this29.setDeviceVerified(_this29.userId, deviceId, true);
+    })();
+  }
+
+  /**
+   * Update the blocked/verified state of the given device
+   *
+   * @param userId - owner of the device
+   * @param deviceId - unique identifier for the device or user's
+   * cross-signing public key ID.
+   *
+   * @param verified - whether to mark the device as verified. Null to
+   *     leave unchanged.
+   *
+   * @param blocked - whether to mark the device as blocked. Null to
+   *      leave unchanged.
+   *
+   * @param known - whether to mark that the user has been made aware of
+   *      the existence of this device. Null to leave unchanged
+   *
+   * @param keys - The list of keys that was present
+   * during the device verification. This will be double checked with the list
+   * of keys the given device has currently.
+   *
+   * @returns updated DeviceInfo
+   */
+  setDeviceVerification(userId, deviceId) {
+    var _arguments8 = arguments,
+      _this30 = this;
+    return _asyncToGenerator(function* () {
+      var verified = _arguments8.length > 2 && _arguments8[2] !== undefined ? _arguments8[2] : null;
+      var blocked = _arguments8.length > 3 && _arguments8[3] !== undefined ? _arguments8[3] : null;
+      var known = _arguments8.length > 4 && _arguments8[4] !== undefined ? _arguments8[4] : null;
+      var keys = _arguments8.length > 5 ? _arguments8[5] : undefined;
+      // Check if the 'device' is actually a cross signing key
+      // The js-sdk's verification treats cross-signing keys as devices
+      // and so uses this method to mark them verified.
+      var xsk = _this30.deviceList.getStoredCrossSigningForUser(userId);
+      if ((xsk === null || xsk === void 0 ? void 0 : xsk.getId()) === deviceId) {
+        if (blocked !== null || known !== null) {
+          throw new Error("Cannot set blocked or known for a cross-signing key");
+        }
+        if (!verified) {
+          throw new Error("Cannot set a cross-signing key as unverified");
+        }
+        var gotKeyId = keys ? Object.values(keys)[0] : null;
+        if (keys && (Object.values(keys).length !== 1 || gotKeyId !== xsk.getId())) {
+          throw new Error("Key did not match expected value: expected ".concat(xsk.getId(), ", got ").concat(gotKeyId));
+        }
+        if (!_this30.crossSigningInfo.getId() && userId === _this30.crossSigningInfo.userId) {
+          _this30.storeTrustedSelfKeys(xsk.keys);
+          // This will cause our own user trust to change, so emit the event
+          _this30.emit(CryptoEvent.UserTrustStatusChanged, _this30.userId, _this30.checkUserTrust(userId));
+        }
+
+        // Now sign the master key with our user signing key (unless it's ourself)
+        if (userId !== _this30.userId) {
+          logger.info("Master key " + xsk.getId() + " for " + userId + " marked verified. Signing...");
+          var device = yield _this30.crossSigningInfo.signUser(xsk);
+          if (device) {
+            var _upload = /*#__PURE__*/function () {
+              var _ref14 = _asyncToGenerator(function* (_ref13) {
+                var {
+                  shouldEmit = false
+                } = _ref13;
+                logger.info("Uploading signature for " + userId + "...");
+                var response = yield _this30.baseApis.uploadKeySignatures({
+                  [userId]: {
+                    [deviceId]: device
+                  }
+                });
+                var {
+                  failures
+                } = response || {};
+                if (Object.keys(failures || []).length > 0) {
+                  if (shouldEmit) {
+                    _this30.baseApis.emit(CryptoEvent.KeySignatureUploadFailure, failures, "setDeviceVerification", _upload);
+                  }
+                  /* Throwing here causes the process to be cancelled and the other
+                   * user to be notified */
+                  throw new KeySignatureUploadError("Key upload failed", {
+                    failures
+                  });
+                }
+              });
+              return function upload(_x8) {
+                return _ref14.apply(this, arguments);
+              };
+            }();
+            yield _upload({
+              shouldEmit: true
+            });
+
+            // This will emit events when it comes back down the sync
+            // (we could do local echo to speed things up)
+          }
+          return device;
+        } else {
+          return xsk;
+        }
+      }
+      var devices = _this30.deviceList.getRawStoredDevicesForUser(userId);
+      if (!devices || !devices[deviceId]) {
+        throw new Error("Unknown device " + userId + ":" + deviceId);
+      }
+      var dev = devices[deviceId];
+      var verificationStatus = dev.verified;
+      if (verified) {
+        if (keys) {
+          for (var [keyId, key] of Object.entries(keys)) {
+            if (dev.keys[keyId] !== key) {
+              throw new Error("Key did not match expected value: expected ".concat(key, ", got ").concat(dev.keys[keyId]));
+            }
+          }
+        }
+        verificationStatus = DeviceVerification.VERIFIED;
+      } else if (verified !== null && verificationStatus == DeviceVerification.VERIFIED) {
+        verificationStatus = DeviceVerification.UNVERIFIED;
+      }
+      if (blocked) {
+        verificationStatus = DeviceVerification.BLOCKED;
+      } else if (blocked !== null && verificationStatus == DeviceVerification.BLOCKED) {
+        verificationStatus = DeviceVerification.UNVERIFIED;
+      }
+      var knownStatus = dev.known;
+      if (known !== null) {
+        knownStatus = known;
+      }
+      if (dev.verified !== verificationStatus || dev.known !== knownStatus) {
+        dev.verified = verificationStatus;
+        dev.known = knownStatus;
+        _this30.deviceList.storeDevicesForUser(userId, devices);
+        _this30.deviceList.saveIfDirty();
+      }
+
+      // do cross-signing
+      if (verified && userId === _this30.userId) {
+        logger.info("Own device " + deviceId + " marked verified: signing");
+
+        // Signing only needed if other device not already signed
+        var _device;
+        var deviceTrust = _this30.checkDeviceTrust(userId, deviceId);
+        if (deviceTrust.isCrossSigningVerified()) {
+          logger.log("Own device ".concat(deviceId, " already cross-signing verified"));
+        } else {
+          _device = yield _this30.crossSigningInfo.signDevice(userId, DeviceInfo.fromStorage(dev, deviceId));
+        }
+        if (_device) {
+          var _upload2 = /*#__PURE__*/function () {
+            var _ref16 = _asyncToGenerator(function* (_ref15) {
+              var {
+                shouldEmit = false
+              } = _ref15;
+              logger.info("Uploading signature for " + deviceId);
+              var response = yield _this30.baseApis.uploadKeySignatures({
+                [userId]: {
+                  [deviceId]: _device
+                }
+              });
+              var {
+                failures
+              } = response || {};
+              if (Object.keys(failures || []).length > 0) {
+                if (shouldEmit) {
+                  _this30.baseApis.emit(CryptoEvent.KeySignatureUploadFailure, failures, "setDeviceVerification", _upload2 // continuation
+                  );
+                }
+                throw new KeySignatureUploadError("Key upload failed", {
+                  failures
+                });
+              }
+            });
+            return function upload(_x9) {
+              return _ref16.apply(this, arguments);
+            };
+          }();
+          yield _upload2({
+            shouldEmit: true
+          });
+          // XXX: we'll need to wait for the device list to be updated
+        }
+      }
+      var deviceObj = DeviceInfo.fromStorage(dev, deviceId);
+      _this30.emit(CryptoEvent.DeviceVerificationChanged, userId, deviceId, deviceObj);
+      return deviceObj;
+    })();
+  }
+  findVerificationRequestDMInProgress(roomId, userId) {
+    return this.inRoomVerificationRequests.findRequestInProgress(roomId, userId);
+  }
+  getVerificationRequestsToDeviceInProgress(userId) {
+    return this.toDeviceVerificationRequests.getRequestsInProgress(userId);
+  }
+  requestVerificationDM(userId, roomId) {
+    var existingRequest = this.inRoomVerificationRequests.findRequestInProgress(roomId);
+    if (existingRequest) {
+      return Promise.resolve(existingRequest);
+    }
+    var channel = new InRoomChannel(this.baseApis, roomId, userId);
+    return this.requestVerificationWithChannel(userId, channel, this.inRoomVerificationRequests);
+  }
+
+  /** @deprecated Use `requestOwnUserVerificationToDevice` or `requestDeviceVerification` */
+  requestVerification(userId, devices) {
+    if (!devices) {
+      devices = Object.keys(this.deviceList.getRawStoredDevicesForUser(userId));
+    }
+    var existingRequest = this.toDeviceVerificationRequests.findRequestInProgress(userId, devices);
+    if (existingRequest) {
+      return Promise.resolve(existingRequest);
+    }
+    var channel = new ToDeviceChannel(this.baseApis, userId, devices, ToDeviceChannel.makeTransactionId());
+    return this.requestVerificationWithChannel(userId, channel, this.toDeviceVerificationRequests);
+  }
+  requestOwnUserVerification() {
+    return this.requestVerification(this.userId);
+  }
+  requestDeviceVerification(userId, deviceId) {
+    return this.requestVerification(userId, [deviceId]);
+  }
+  requestVerificationWithChannel(userId, channel, requestsMap) {
+    var _this31 = this;
+    return _asyncToGenerator(function* () {
+      var request = new VerificationRequest(channel, _this31.verificationMethods, _this31.baseApis);
+      // if transaction id is already known, add request
+      if (channel.transactionId) {
+        requestsMap.setRequestByChannel(channel, request);
+      }
+      yield request.sendRequest();
+      // don't replace the request created by a racing remote echo
+      var racingRequest = requestsMap.getRequestByChannel(channel);
+      if (racingRequest) {
+        request = racingRequest;
+      } else {
+        logger.log("Crypto: adding new request to " + "requestsByTxnId with id ".concat(channel.transactionId, " ").concat(channel.roomId));
+        requestsMap.setRequestByChannel(channel, request);
+      }
+      return request;
+    })();
+  }
+  beginKeyVerification(method, userId, deviceId) {
+    var transactionId = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : null;
+    var request;
+    if (transactionId) {
+      request = this.toDeviceVerificationRequests.getRequestBySenderAndTxnId(userId, transactionId);
+      if (!request) {
+        throw new Error("No request found for user ".concat(userId, " with ") + "transactionId ".concat(transactionId));
+      }
+    } else {
+      transactionId = ToDeviceChannel.makeTransactionId();
+      var _channel = new ToDeviceChannel(this.baseApis, userId, [deviceId], transactionId, deviceId);
+      request = new VerificationRequest(_channel, this.verificationMethods, this.baseApis);
+      this.toDeviceVerificationRequests.setRequestBySenderAndTxnId(userId, transactionId, request);
+    }
+    return request.beginKeyVerification(method, {
+      userId,
+      deviceId
+    });
+  }
+  legacyDeviceVerification(userId, deviceId, method) {
+    var _this32 = this;
+    return _asyncToGenerator(function* () {
+      var transactionId = ToDeviceChannel.makeTransactionId();
+      var channel = new ToDeviceChannel(_this32.baseApis, userId, [deviceId], transactionId, deviceId);
+      var request = new VerificationRequest(channel, _this32.verificationMethods, _this32.baseApis);
+      _this32.toDeviceVerificationRequests.setRequestBySenderAndTxnId(userId, transactionId, request);
+      var verifier = request.beginKeyVerification(method, {
+        userId,
+        deviceId
+      });
+      // either reject by an error from verify() while sending .start
+      // or resolve when the request receives the
+      // local (fake remote) echo for sending the .start event
+      yield Promise.race([verifier.verify(), request.waitFor(r => r.started)]);
+      return request;
+    })();
+  }
+
+  /**
+   * Get information on the active olm sessions with a user
+   * <p>
+   * Returns a map from device id to an object with keys 'deviceIdKey' (the
+   * device's curve25519 identity key) and 'sessions' (an array of objects in the
+   * same format as that returned by
+   * {@link OlmDevice#getSessionInfoForDevice}).
+   * <p>
+   * This method is provided for debugging purposes.
+   *
+   * @param userId - id of user to inspect
+   */
+  getOlmSessionsForUser(userId) {
+    var _this33 = this;
+    return _asyncToGenerator(function* () {
+      var devices = _this33.getStoredDevicesForUser(userId) || [];
+      var result = {};
+      for (var device of devices) {
+        var deviceKey = device.getIdentityKey();
+        var sessions = yield _this33.olmDevice.getSessionInfoForDevice(deviceKey);
+        result[device.deviceId] = {
+          deviceIdKey: deviceKey,
+          sessions: sessions
+        };
+      }
+      return result;
+    })();
+  }
+
+  /**
+   * Get the device which sent an event
+   *
+   * @param event - event to be checked
+   */
+  getEventSenderDeviceInfo(event) {
+    var senderKey = event.getSenderKey();
+    var algorithm = event.getWireContent().algorithm;
+    if (!senderKey || !algorithm) {
+      return null;
+    }
+    if (event.isKeySourceUntrusted()) {
+      // we got the key for this event from a source that we consider untrusted
+      return null;
+    }
+
+    // senderKey is the Curve25519 identity key of the device which the event
+    // was sent from. In the case of Megolm, it's actually the Curve25519
+    // identity key of the device which set up the Megolm session.
+
+    var device = this.deviceList.getDeviceByIdentityKey(algorithm, senderKey);
+    if (device === null) {
+      // we haven't downloaded the details of this device yet.
+      return null;
+    }
+
+    // so far so good, but now we need to check that the sender of this event
+    // hadn't advertised someone else's Curve25519 key as their own. We do that
+    // by checking the Ed25519 claimed by the event (or, in the case of megolm,
+    // the event which set up the megolm session), to check that it matches the
+    // fingerprint of the purported sending device.
+    //
+    // (see https://github.com/vector-im/vector-web/issues/2215)
+
+    var claimedKey = event.getClaimedEd25519Key();
+    if (!claimedKey) {
+      logger.warn("Event " + event.getId() + " claims no ed25519 key: " + "cannot verify sending device");
+      return null;
+    }
+    if (claimedKey !== device.getFingerprint()) {
+      logger.warn("Event " + event.getId() + " claims ed25519 key " + claimedKey + " but sender device has key " + device.getFingerprint());
+      return null;
+    }
+    return device;
+  }
+
+  /**
+   * Get information about the encryption of an event
+   *
+   * @param event - event to be checked
+   *
+   * @returns An object with the fields:
+   *    - encrypted: whether the event is encrypted (if not encrypted, some of the
+   *      other properties may not be set)
+   *    - senderKey: the sender's key
+   *    - algorithm: the algorithm used to encrypt the event
+   *    - authenticated: whether we can be sure that the owner of the senderKey
+   *      sent the event
+   *    - sender: the sender's device information, if available
+   *    - mismatchedSender: if the event's ed25519 and curve25519 keys don't match
+   *      (only meaningful if `sender` is set)
+   */
+  getEventEncryptionInfo(event) {
+    var _event$getSenderKey, _this$deviceList$getD;
+    var ret = {};
+    ret.senderKey = (_event$getSenderKey = event.getSenderKey()) !== null && _event$getSenderKey !== void 0 ? _event$getSenderKey : undefined;
+    ret.algorithm = event.getWireContent().algorithm;
+    if (!ret.senderKey || !ret.algorithm) {
+      ret.encrypted = false;
+      return ret;
+    }
+    ret.encrypted = true;
+    if (event.isKeySourceUntrusted()) {
+      // we got the key this event from somewhere else
+      // TODO: check if we can trust the forwarders.
+      ret.authenticated = false;
+    } else {
+      ret.authenticated = true;
+    }
+
+    // senderKey is the Curve25519 identity key of the device which the event
+    // was sent from. In the case of Megolm, it's actually the Curve25519
+    // identity key of the device which set up the Megolm session.
+
+    ret.sender = (_this$deviceList$getD = this.deviceList.getDeviceByIdentityKey(ret.algorithm, ret.senderKey)) !== null && _this$deviceList$getD !== void 0 ? _this$deviceList$getD : undefined;
+
+    // so far so good, but now we need to check that the sender of this event
+    // hadn't advertised someone else's Curve25519 key as their own. We do that
+    // by checking the Ed25519 claimed by the event (or, in the case of megolm,
+    // the event which set up the megolm session), to check that it matches the
+    // fingerprint of the purported sending device.
+    //
+    // (see https://github.com/vector-im/vector-web/issues/2215)
+
+    var claimedKey = event.getClaimedEd25519Key();
+    if (!claimedKey) {
+      logger.warn("Event " + event.getId() + " claims no ed25519 key: " + "cannot verify sending device");
+      ret.mismatchedSender = true;
+    }
+    if (ret.sender && claimedKey !== ret.sender.getFingerprint()) {
+      logger.warn("Event " + event.getId() + " claims ed25519 key " + claimedKey + "but sender device has key " + ret.sender.getFingerprint());
+      ret.mismatchedSender = true;
+    }
+    return ret;
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi.getEncryptionInfoForEvent}.
+   */
+  getEncryptionInfoForEvent(event) {
+    var _this34 = this;
+    return _asyncToGenerator(function* () {
+      var encryptionInfo = _this34.getEventEncryptionInfo(event);
+      if (!encryptionInfo.encrypted) {
+        return null;
+      }
+      var senderId = event.getSender();
+      if (!senderId || encryptionInfo.mismatchedSender) {
+        // something definitely wrong is going on here
+
+        // previously: E2EState.Warning -> E2ePadlockUnverified -> Red/"Encrypted by an unverified session"
+        return {
+          shieldColour: EventShieldColour.RED,
+          shieldReason: EventShieldReason.MISMATCHED_SENDER_KEY
+        };
+      }
+      var userTrust = _this34.checkUserTrust(senderId);
+      if (!userTrust.isCrossSigningVerified()) {
+        // If the message is unauthenticated, then display a grey
+        // shield, otherwise if the user isn't cross-signed then
+        // nothing's needed
+        if (!encryptionInfo.authenticated) {
+          // previously: E2EState.Unauthenticated -> E2ePadlockUnauthenticated -> Grey/"The authenticity of this encrypted message can't be guaranteed on this device."
+          return {
+            shieldColour: EventShieldColour.GREY,
+            shieldReason: EventShieldReason.AUTHENTICITY_NOT_GUARANTEED
+          };
+        } else {
+          // previously: E2EState.Normal -> no icon
+          return {
+            shieldColour: EventShieldColour.NONE,
+            shieldReason: null
+          };
+        }
+      }
+      var eventSenderTrust = senderId && encryptionInfo.sender && (yield _this34.getDeviceVerificationStatus(senderId, encryptionInfo.sender.deviceId));
+      if (!eventSenderTrust) {
+        // previously: E2EState.Unknown -> E2ePadlockUnknown -> Grey/"Encrypted by a deleted session"
+        return {
+          shieldColour: EventShieldColour.GREY,
+          shieldReason: EventShieldReason.UNKNOWN_DEVICE
+        };
+      }
+      if (!eventSenderTrust.isVerified()) {
+        // previously: E2EState.Warning -> E2ePadlockUnverified -> Red/"Encrypted by an unverified session"
+        return {
+          shieldColour: EventShieldColour.RED,
+          shieldReason: EventShieldReason.UNSIGNED_DEVICE
+        };
+      }
+      if (!encryptionInfo.authenticated) {
+        // previously: E2EState.Unauthenticated -> E2ePadlockUnauthenticated -> Grey/"The authenticity of this encrypted message can't be guaranteed on this device."
+        return {
+          shieldColour: EventShieldColour.GREY,
+          shieldReason: EventShieldReason.AUTHENTICITY_NOT_GUARANTEED
+        };
+      }
+
+      // previously: E2EState.Verified -> no icon
+      return {
+        shieldColour: EventShieldColour.NONE,
+        shieldReason: null
+      };
+    })();
+  }
+
+  /**
+   * Forces the current outbound group session to be discarded such
+   * that another one will be created next time an event is sent.
+   *
+   * @param roomId - The ID of the room to discard the session for
+   *
+   * This should not normally be necessary.
+   */
+  forceDiscardSession(roomId) {
+    var alg = this.roomEncryptors.get(roomId);
+    if (alg === undefined) throw new Error("Room not encrypted");
+    if (alg.forceDiscardSession === undefined) {
+      throw new Error("Room encryption algorithm doesn't support session discarding");
+    }
+    alg.forceDiscardSession();
+    return Promise.resolve();
+  }
+
+  /**
+   * Configure a room to use encryption (ie, save a flag in the cryptoStore).
+   *
+   * @param roomId - The room ID to enable encryption in.
+   *
+   * @param config - The encryption config for the room.
+   *
+   * @param inhibitDeviceQuery - true to suppress device list query for
+   *   users in the room (for now). In case lazy loading is enabled,
+   *   the device query is always inhibited as the members are not tracked.
+   *
+   * @deprecated It is normally incorrect to call this method directly. Encryption
+   *   is enabled by receiving an `m.room.encryption` event (which we may have sent
+   *   previously).
+   */
+  setRoomEncryption(roomId, config, inhibitDeviceQuery) {
+    var _this35 = this;
+    return _asyncToGenerator(function* () {
+      var room = _this35.clientStore.getRoom(roomId);
+      if (!room) {
+        throw new Error("Unable to enable encryption tracking devices in unknown room ".concat(roomId));
+      }
+      yield _this35.setRoomEncryptionImpl(room, config);
+      if (!_this35.lazyLoadMembers && !inhibitDeviceQuery) {
+        _this35.deviceList.refreshOutdatedDeviceLists();
+      }
+    })();
+  }
+
+  /**
+   * Set up encryption for a room.
+   *
+   * This is called when an <tt>m.room.encryption</tt> event is received. It saves a flag
+   * for the room in the cryptoStore (if it wasn't already set), sets up an "encryptor" for
+   * the room, and enables device-list tracking for the room.
+   *
+   * It does <em>not</em> initiate a device list query for the room. That is normally
+   * done once we finish processing the sync, in onSyncCompleted.
+   *
+   * @param room - The room to enable encryption in.
+   * @param config - The encryption config for the room.
+   */
+  setRoomEncryptionImpl(room, config) {
+    var _this36 = this;
+    return _asyncToGenerator(function* () {
+      var roomId = room.roomId;
+
+      // ignore crypto events with no algorithm defined
+      // This will happen if a crypto event is redacted before we fetch the room state
+      // It would otherwise just throw later as an unknown algorithm would, but we may
+      // as well catch this here
+      if (!config.algorithm) {
+        logger.log("Ignoring setRoomEncryption with no algorithm");
+        return;
+      }
+
+      // if state is being replayed from storage, we might already have a configuration
+      // for this room as they are persisted as well.
+      // We just need to make sure the algorithm is initialized in this case.
+      // However, if the new config is different,
+      // we should bail out as room encryption can't be changed once set.
+      var existingConfig = _this36.roomList.getRoomEncryption(roomId);
+      if (existingConfig) {
+        if (JSON.stringify(existingConfig) != JSON.stringify(config)) {
+          logger.error("Ignoring m.room.encryption event which requests " + "a change of config in " + roomId);
+          return;
+        }
+      }
+      // if we already have encryption in this room, we should ignore this event,
+      // as it would reset the encryption algorithm.
+      // This is at least expected to be called twice, as sync calls onCryptoEvent
+      // for both the timeline and state sections in the /sync response,
+      // the encryption event would appear in both.
+      // If it's called more than twice though,
+      // it signals a bug on client or server.
+      var existingAlg = _this36.roomEncryptors.get(roomId);
+      if (existingAlg) {
+        return;
+      }
+
+      // _roomList.getRoomEncryption will not race with _roomList.setRoomEncryption
+      // because it first stores in memory. We should await the promise only
+      // after all the in-memory state (roomEncryptors and _roomList) has been updated
+      // to avoid races when calling this method multiple times. Hence keep a hold of the promise.
+      var storeConfigPromise = null;
+      if (!existingConfig) {
+        storeConfigPromise = _this36.roomList.setRoomEncryption(roomId, config);
+      }
+      var AlgClass = algorithms.ENCRYPTION_CLASSES.get(config.algorithm);
+      if (!AlgClass) {
+        throw new Error("Unable to encrypt with " + config.algorithm);
+      }
+      var alg = new AlgClass({
+        userId: _this36.userId,
+        deviceId: _this36.deviceId,
+        crypto: _this36,
+        olmDevice: _this36.olmDevice,
+        baseApis: _this36.baseApis,
+        roomId,
+        config
+      });
+      _this36.roomEncryptors.set(roomId, alg);
+      if (storeConfigPromise) {
+        yield storeConfigPromise;
+      }
+      logger.log("Enabling encryption in ".concat(roomId));
+
+      // we don't want to force a download of the full membership list of this room, but as soon as we have that
+      // list we can start tracking the device list.
+      if (room.membersLoaded()) {
+        yield _this36.trackRoomDevicesImpl(room);
+      } else {
+        // wait for the membership list to be loaded
+        var onState = _state => {
+          room.off(RoomStateEvent.Update, onState);
+          if (room.membersLoaded()) {
+            _this36.trackRoomDevicesImpl(room).catch(e => {
+              logger.error("Error enabling device tracking in ".concat(roomId), e);
+            });
+          }
+        };
+        room.on(RoomStateEvent.Update, onState);
+      }
+    })();
+  }
+
+  /**
+   * Make sure we are tracking the device lists for all users in this room.
+   *
+   * @param roomId - The room ID to start tracking devices in.
+   * @returns when all devices for the room have been fetched and marked to track
+   * @deprecated there's normally no need to call this function: device list tracking
+   *    will be enabled as soon as we have the full membership list.
+   */
+  trackRoomDevices(roomId) {
+    var room = this.clientStore.getRoom(roomId);
+    if (!room) {
+      throw new Error("Unable to start tracking devices in unknown room ".concat(roomId));
+    }
+    return this.trackRoomDevicesImpl(room);
+  }
+
+  /**
+   * Make sure we are tracking the device lists for all users in this room.
+   *
+   * This is normally called when we are about to send an encrypted event, to make sure
+   * we have all the devices in the room; but it is also called when processing an
+   * m.room.encryption state event (if lazy-loading is disabled), or when members are
+   * loaded (if lazy-loading is enabled), to prepare the device list.
+   *
+   * @param room - Room to enable device-list tracking in
+   */
+  trackRoomDevicesImpl(room) {
+    var _this37 = this;
+    var roomId = room.roomId;
+    var trackMembers = /*#__PURE__*/function () {
+      var _ref17 = _asyncToGenerator(function* () {
+        // not an encrypted room
+        if (!_this37.roomEncryptors.has(roomId)) {
+          return;
+        }
+        logger.log("Starting to track devices for room ".concat(roomId, " ..."));
+        var members = yield room.getEncryptionTargetMembers();
+        members.forEach(m => {
+          _this37.deviceList.startTrackingDeviceList(m.userId);
+        });
+      });
+      return function trackMembers() {
+        return _ref17.apply(this, arguments);
+      };
+    }();
+    var promise = this.roomDeviceTrackingState[roomId];
+    if (!promise) {
+      promise = trackMembers();
+      this.roomDeviceTrackingState[roomId] = promise.catch(err => {
+        delete this.roomDeviceTrackingState[roomId];
+        throw err;
+      });
+    }
+    return promise;
+  }
+
+  /**
+   * Try to make sure we have established olm sessions for all known devices for
+   * the given users.
+   *
+   * @param users - list of user ids
+   * @param force - If true, force a new Olm session to be created. Default false.
+   *
+   * @returns resolves once the sessions are complete, to
+   *    an Object mapping from userId to deviceId to
+   *    `IOlmSessionResult`
+   */
+  ensureOlmSessionsForUsers(users, force) {
+    // map user Id → DeviceInfo[]
+    var devicesByUser = new Map();
+    for (var _userId5 of users) {
+      var userDevices = [];
+      devicesByUser.set(_userId5, userDevices);
+      var devices = this.getStoredDevicesForUser(_userId5) || [];
+      for (var deviceInfo of devices) {
+        var key = deviceInfo.getIdentityKey();
+        if (key == this.olmDevice.deviceCurve25519Key) {
+          // don't bother setting up session to ourself
+          continue;
+        }
+        if (deviceInfo.verified == DeviceVerification.BLOCKED) {
+          // don't bother setting up sessions with blocked users
+          continue;
+        }
+        userDevices.push(deviceInfo);
+      }
+    }
+    return olmlib.ensureOlmSessionsForDevices(this.olmDevice, this.baseApis, devicesByUser, force);
+  }
+
+  /**
+   * Get a list containing all of the room keys
+   *
+   * @returns a list of session export objects
+   */
+  exportRoomKeys() {
+    var _this38 = this;
+    return _asyncToGenerator(function* () {
+      var exportedSessions = [];
+      yield _this38.cryptoStore.doTxn("readonly", [IndexedDBCryptoStore.STORE_INBOUND_GROUP_SESSIONS], txn => {
+        _this38.cryptoStore.getAllEndToEndInboundGroupSessions(txn, s => {
+          if (s === null) return;
+          var sess = _this38.olmDevice.exportInboundGroupSession(s.senderKey, s.sessionId, s.sessionData);
+          delete sess.first_known_index;
+          sess.algorithm = olmlib.MEGOLM_ALGORITHM;
+          exportedSessions.push(sess);
+        });
+      });
+      return exportedSessions;
+    })();
+  }
+
+  /**
+   * Get a JSON list containing all of the room keys
+   *
+   * @returns a JSON string encoding a list of session
+   *    export objects, each of which is an IMegolmSessionData
+   */
+  exportRoomKeysAsJson() {
+    var _this39 = this;
+    return _asyncToGenerator(function* () {
+      return JSON.stringify(yield _this39.exportRoomKeys());
+    })();
+  }
+
+  /**
+   * Import a list of room keys previously exported by exportRoomKeys
+   *
+   * @param keys - a list of session export objects
+   * @returns a promise which resolves once the keys have been imported
+   */
+  importRoomKeys(keys) {
+    var opts = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+    var successes = 0;
+    var failures = 0;
+    var total = keys.length;
+    function updateProgress() {
+      var _opts$progressCallbac;
+      (_opts$progressCallbac = opts.progressCallback) === null || _opts$progressCallbac === void 0 || _opts$progressCallbac.call(opts, {
+        stage: "load_keys",
+        successes,
+        failures,
+        total
+      });
+    }
+    return Promise.all(keys.map(key => {
+      if (!key.room_id || !key.algorithm) {
+        logger.warn("ignoring room key entry with missing fields", key);
+        failures++;
+        if (opts.progressCallback) {
+          updateProgress();
+        }
+        return null;
+      }
+      var alg = this.getRoomDecryptor(key.room_id, key.algorithm);
+      return alg.importRoomKey(key, opts).finally(() => {
+        successes++;
+        if (opts.progressCallback) {
+          updateProgress();
+        }
+      });
+    })).then();
+  }
+
+  /**
+   * Import a JSON string encoding a list of room keys previously
+   * exported by exportRoomKeysAsJson
+   *
+   * @param keys - a JSON string encoding a list of session export
+   *    objects, each of which is an IMegolmSessionData
+   * @param opts - options object
+   * @returns a promise which resolves once the keys have been imported
+   */
+  importRoomKeysAsJson(keys, opts) {
+    var _this40 = this;
+    return _asyncToGenerator(function* () {
+      return yield _this40.importRoomKeys(JSON.parse(keys));
+    })();
+  }
+
+  /**
+   * Counts the number of end to end session keys that are waiting to be backed up
+   * @returns Promise which resolves to the number of sessions requiring backup
+   */
+  countSessionsNeedingBackup() {
+    return this.backupManager.countSessionsNeedingBackup();
+  }
+
+  /**
+   * Perform any background tasks that can be done before a message is ready to
+   * send, in order to speed up sending of the message.
+   *
+   * @param room - the room the event is in
+   */
+  prepareToEncrypt(room) {
+    var alg = this.roomEncryptors.get(room.roomId);
+    if (alg) {
+      alg.prepareToEncrypt(room);
+    }
+  }
+
+  /**
+   * Encrypt an event according to the configuration of the room.
+   *
+   * @param event -  event to be sent
+   *
+   * @param room - destination room.
+   *
+   * @returns Promise which resolves when the event has been
+   *     encrypted, or null if nothing was needed
+   */
+  encryptEvent(event, room) {
+    var _this41 = this;
+    return _asyncToGenerator(function* () {
+      var roomId = event.getRoomId();
+      var alg = _this41.roomEncryptors.get(roomId);
+      if (!alg) {
+        // MatrixClient has already checked that this room should be encrypted,
+        // so this is an unexpected situation.
+        throw new Error("Room " + roomId + " was previously configured to use encryption, but is " + "no longer. Perhaps the homeserver is hiding the " + "configuration event.");
+      }
+
+      // wait for all the room devices to be loaded
+      yield _this41.trackRoomDevicesImpl(room);
+      var content = event.getContent();
+      // If event has an m.relates_to then we need
+      // to put this on the wrapping event instead
+      var mRelatesTo = content["m.relates_to"];
+      if (mRelatesTo) {
+        // Clone content here so we don't remove `m.relates_to` from the local-echo
+        content = Object.assign({}, content);
+        delete content["m.relates_to"];
+      }
+
+      // Treat element's performance metrics the same as `m.relates_to` (when present)
+      var elementPerfMetrics = content["io.element.performance_metrics"];
+      if (elementPerfMetrics) {
+        content = Object.assign({}, content);
+        delete content["io.element.performance_metrics"];
+      }
+      var encryptedContent = yield alg.encryptMessage(room, event.getType(), content);
+      if (mRelatesTo) {
+        encryptedContent["m.relates_to"] = mRelatesTo;
+      }
+      if (elementPerfMetrics) {
+        encryptedContent["io.element.performance_metrics"] = elementPerfMetrics;
+      }
+      event.makeEncrypted("m.room.encrypted", encryptedContent, _this41.olmDevice.deviceCurve25519Key, _this41.olmDevice.deviceEd25519Key);
+    })();
+  }
+
+  /**
+   * Decrypt a received event
+   *
+   *
+   * @returns resolves once we have
+   *  finished decrypting. Rejects with an `algorithms.DecryptionError` if there
+   *  is a problem decrypting the event.
+   */
+  decryptEvent(event) {
+    var _this42 = this;
+    return _asyncToGenerator(function* () {
+      if (event.isRedacted()) {
+        // Try to decrypt the redaction event, to support encrypted
+        // redaction reasons.  If we can't decrypt, just fall back to using
+        // the original redacted_because.
+        var redactionEvent = new MatrixEvent(_objectSpread({
+          room_id: event.getRoomId()
+        }, event.getUnsigned().redacted_because));
+        var redactedBecause = event.getUnsigned().redacted_because;
+        if (redactionEvent.isEncrypted()) {
+          try {
+            var decryptedEvent = yield _this42.decryptEvent(redactionEvent);
+            redactedBecause = decryptedEvent.clearEvent;
+          } catch (e) {
+            logger.warn("Decryption of redaction failed. Falling back to unencrypted event.", e);
+          }
+        }
+        return {
+          clearEvent: {
+            room_id: event.getRoomId(),
+            type: "m.room.message",
+            content: {},
+            unsigned: {
+              redacted_because: redactedBecause
+            }
+          }
+        };
+      } else {
+        var content = event.getWireContent();
+        var alg = _this42.getRoomDecryptor(event.getRoomId(), content.algorithm);
+        return alg.decryptEvent(event);
+      }
+    })();
+  }
+
+  /**
+   * Handle the notification from /sync that device lists have
+   * been changed.
+   *
+   * @param deviceLists - device_lists field from /sync
+   */
+  processDeviceLists(deviceLists) {
+    var _this43 = this;
+    return _asyncToGenerator(function* () {
+      // Here, we're relying on the fact that we only ever save the sync data after
+      // sucessfully saving the device list data, so we're guaranteed that the device
+      // list store is at least as fresh as the sync token from the sync store, ie.
+      // any device changes received in sync tokens prior to the 'next' token here
+      // have been processed and are reflected in the current device list.
+      // If we didn't make this assumption, we'd have to use the /keys/changes API
+      // to get key changes between the sync token in the device list and the 'old'
+      // sync token used here to make sure we didn't miss any.
+      yield _this43.evalDeviceListChanges(deviceLists);
+    })();
+  }
+
+  /**
+   * Send a request for some room keys, if we have not already done so
+   *
+   * @param resend - whether to resend the key request if there is
+   *    already one
+   *
+   * @returns a promise that resolves when the key request is queued
+   */
+  requestRoomKey(requestBody, recipients) {
+    var resend = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : false;
+    return this.outgoingRoomKeyRequestManager.queueRoomKeyRequest(requestBody, recipients, resend).then(() => {
+      if (this.sendKeyRequestsImmediately) {
+        this.outgoingRoomKeyRequestManager.sendQueuedRequests();
+      }
+    }).catch(e => {
+      // this normally means we couldn't talk to the store
+      logger.error("Error requesting key for event", e);
+    });
+  }
+
+  /**
+   * Cancel any earlier room key request
+   *
+   * @param requestBody - parameters to match for cancellation
+   */
+  cancelRoomKeyRequest(requestBody) {
+    this.outgoingRoomKeyRequestManager.cancelRoomKeyRequest(requestBody).catch(e => {
+      logger.warn("Error clearing pending room key requests", e);
+    });
+  }
+
+  /**
+   * Re-send any outgoing key requests, eg after verification
+   * @returns
+   */
+  cancelAndResendAllOutgoingKeyRequests() {
+    var _this44 = this;
+    return _asyncToGenerator(function* () {
+      yield _this44.outgoingRoomKeyRequestManager.cancelAndResendAllOutgoingRequests();
+    })();
+  }
+
+  /**
+   * handle an m.room.encryption event
+   *
+   * @param room - in which the event was received
+   * @param event - encryption event to be processed
+   */
+  onCryptoEvent(room, event) {
+    var _this45 = this;
+    return _asyncToGenerator(function* () {
+      var content = event.getContent();
+      yield _this45.setRoomEncryptionImpl(room, content);
+    })();
+  }
+
+  /**
+   * Called before the result of a sync is processed
+   *
+   * @param syncData -  the data from the 'MatrixClient.sync' event
+   */
+  onSyncWillProcess(syncData) {
+    var _this46 = this;
+    return _asyncToGenerator(function* () {
+      if (!syncData.oldSyncToken) {
+        // If there is no old sync token, we start all our tracking from
+        // scratch, so mark everything as untracked. onCryptoEvent will
+        // be called for all e2e rooms during the processing of the sync,
+        // at which point we'll start tracking all the users of that room.
+        logger.log("Initial sync performed - resetting device tracking state");
+        _this46.deviceList.stopTrackingAllDeviceLists();
+        // we always track our own device list (for key backups etc)
+        _this46.deviceList.startTrackingDeviceList(_this46.userId);
+        _this46.roomDeviceTrackingState = {};
+      }
+      _this46.sendKeyRequestsImmediately = false;
+    })();
+  }
+
+  /**
+   * handle the completion of a /sync
+   *
+   * This is called after the processing of each successful /sync response.
+   * It is an opportunity to do a batch process on the information received.
+   *
+   * @param syncData -  the data from the 'MatrixClient.sync' event
+   */
+  onSyncCompleted(syncData) {
+    var _this47 = this;
+    return _asyncToGenerator(function* () {
+      var _syncData$nextSyncTok;
+      _this47.deviceList.setSyncToken((_syncData$nextSyncTok = syncData.nextSyncToken) !== null && _syncData$nextSyncTok !== void 0 ? _syncData$nextSyncTok : null);
+      _this47.deviceList.saveIfDirty();
+
+      // we always track our own device list (for key backups etc)
+      _this47.deviceList.startTrackingDeviceList(_this47.userId);
+      _this47.deviceList.refreshOutdatedDeviceLists();
+
+      // we don't start uploading one-time keys until we've caught up with
+      // to-device messages, to help us avoid throwing away one-time-keys that we
+      // are about to receive messages for
+      // (https://github.com/vector-im/element-web/issues/2782).
+      if (!syncData.catchingUp) {
+        _this47.maybeUploadOneTimeKeys();
+        _this47.processReceivedRoomKeyRequests();
+
+        // likewise don't start requesting keys until we've caught up
+        // on to_device messages, otherwise we'll request keys that we're
+        // just about to get.
+        _this47.outgoingRoomKeyRequestManager.sendQueuedRequests();
+
+        // Sync has finished so send key requests straight away.
+        _this47.sendKeyRequestsImmediately = true;
+      }
+    })();
+  }
+
+  /**
+   * Trigger the appropriate invalidations and removes for a given
+   * device list
+   *
+   * @param deviceLists - device_lists field from /sync, or response from
+   * /keys/changes
+   */
+  evalDeviceListChanges(deviceLists) {
+    var _this48 = this;
+    return _asyncToGenerator(function* () {
+      if (Array.isArray(deviceLists === null || deviceLists === void 0 ? void 0 : deviceLists.changed)) {
+        deviceLists.changed.forEach(u => {
+          _this48.deviceList.invalidateUserDeviceList(u);
+        });
+      }
+      if (Array.isArray(deviceLists === null || deviceLists === void 0 ? void 0 : deviceLists.left) && deviceLists.left.length) {
+        // Check we really don't share any rooms with these users
+        // any more: the server isn't required to give us the
+        // exact correct set.
+        var e2eUserIds = new Set(yield _this48.getTrackedE2eUsers());
+        deviceLists.left.forEach(u => {
+          if (!e2eUserIds.has(u)) {
+            _this48.deviceList.stopTrackingDeviceList(u);
+          }
+        });
+      }
+    })();
+  }
+
+  /**
+   * Get a list of all the IDs of users we share an e2e room with
+   * for which we are tracking devices already
+   *
+   * @returns List of user IDs
+   */
+  getTrackedE2eUsers() {
+    var _this49 = this;
+    return _asyncToGenerator(function* () {
+      var e2eUserIds = [];
+      for (var room of _this49.getTrackedE2eRooms()) {
+        var members = yield room.getEncryptionTargetMembers();
+        for (var member of members) {
+          e2eUserIds.push(member.userId);
+        }
+      }
+      return e2eUserIds;
+    })();
+  }
+
+  /**
+   * Get a list of the e2e-enabled rooms we are members of,
+   * and for which we are already tracking the devices
+   *
+   * @returns
+   */
+  getTrackedE2eRooms() {
+    return this.clientStore.getRooms().filter(room => {
+      // check for rooms with encryption enabled
+      var alg = this.roomEncryptors.get(room.roomId);
+      if (!alg) {
+        return false;
+      }
+      if (!this.roomDeviceTrackingState[room.roomId]) {
+        return false;
+      }
+
+      // ignore any rooms which we have left
+      var myMembership = room.getMyMembership();
+      return myMembership === KnownMembership.Join || myMembership === KnownMembership.Invite;
+    });
+  }
+
+  /**
+   * Encrypts and sends a given object via Olm to-device messages to a given
+   * set of devices.
+   * @param userDeviceInfoArr - the devices to send to
+   * @param payload - fields to include in the encrypted payload
+   * @returns Promise which
+   *     resolves once the message has been encrypted and sent to the given
+   *     userDeviceMap, and returns the `{ contentMap, deviceInfoByDeviceId }`
+   *     of the successfully sent messages.
+   *
+   * @deprecated Instead use {@link encryptToDeviceMessages} followed by {@link MatrixClient.queueToDevice}.
+   */
+  encryptAndSendToDevices(userDeviceInfoArr, payload) {
+    var _this50 = this;
+    return _asyncToGenerator(function* () {
+      try {
+        var toDeviceBatch = yield _this50.prepareToDeviceBatch(userDeviceInfoArr, payload);
+        try {
+          yield _this50.baseApis.queueToDevice(toDeviceBatch);
+        } catch (e) {
+          logger.error("sendToDevice failed", e);
+          throw e;
+        }
+      } catch (e) {
+        logger.error("encryptAndSendToDevices promises failed", e);
+        throw e;
+      }
+    })();
+  }
+  prepareToDeviceBatch(userDeviceInfoArr, payload) {
+    var _this51 = this;
+    return _asyncToGenerator(function* () {
+      var toDeviceBatch = {
+        eventType: EventType.RoomMessageEncrypted,
+        batch: []
+      };
+      yield Promise.all(userDeviceInfoArr.map(/*#__PURE__*/function () {
+        var _ref19 = _asyncToGenerator(function* (_ref18) {
+          var {
+            userId,
+            deviceInfo
+          } = _ref18;
+          var deviceId = deviceInfo.deviceId;
+          var encryptedContent = {
+            algorithm: olmlib.OLM_ALGORITHM,
+            sender_key: _this51.olmDevice.deviceCurve25519Key,
+            ciphertext: {},
+            [ToDeviceMessageId]: uuidv4()
+          };
+          toDeviceBatch.batch.push({
+            userId,
+            deviceId,
+            payload: encryptedContent
+          });
+          yield olmlib.ensureOlmSessionsForDevices(_this51.olmDevice, _this51.baseApis, new Map([[userId, [deviceInfo]]]));
+          yield olmlib.encryptMessageForDevice(encryptedContent.ciphertext, _this51.userId, _this51.deviceId, _this51.olmDevice, userId, deviceInfo, payload);
+        });
+        return function (_x10) {
+          return _ref19.apply(this, arguments);
+        };
+      }()));
+
+      // prune out any devices that encryptMessageForDevice could not encrypt for,
+      // in which case it will have just not added anything to the ciphertext object.
+      // There's no point sending messages to devices if we couldn't encrypt to them,
+      // since that's effectively a blank message.
+      toDeviceBatch.batch = toDeviceBatch.batch.filter(msg => {
+        if (Object.keys(msg.payload.ciphertext).length > 0) {
+          return true;
+        } else {
+          logger.log("No ciphertext for device ".concat(msg.userId, ":").concat(msg.deviceId, ": pruning"));
+          return false;
+        }
+      });
+      return toDeviceBatch;
+    })();
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi#encryptToDeviceMessages}.
+   */
+  encryptToDeviceMessages(eventType, devices, payload) {
+    var _this52 = this;
+    return _asyncToGenerator(function* () {
+      var userIds = new Set(devices.map(_ref20 => {
+        var {
+          userId
+        } = _ref20;
+        return userId;
+      }));
+      var deviceInfoMap = yield _this52.downloadKeys(Array.from(userIds), false);
+      var userDeviceInfoArr = [];
+      devices.forEach(_ref21 => {
+        var {
+          userId,
+          deviceId
+        } = _ref21;
+        var devices = deviceInfoMap.get(userId);
+        if (!devices) {
+          logger.warn("No devices found for user ".concat(userId));
+          return;
+        }
+        if (devices.has(deviceId)) {
+          // Send the message to a specific device
+          userDeviceInfoArr.push({
+            userId,
+            deviceInfo: devices.get(deviceId)
+          });
+        } else {
+          logger.warn("No device found for user ".concat(userId, " with id ").concat(deviceId));
+        }
+      });
+      return _this52.prepareToDeviceBatch(userDeviceInfoArr, payload);
+    })();
+  }
+  preprocessToDeviceMessages(events) {
+    return _asyncToGenerator(function* () {
+      // all we do here is filter out encrypted to-device messages with the wrong algorithm. Decryption
+      // happens later in decryptEvent, via the EventMapper
+      return events.filter(toDevice => {
+        var _toDevice$content;
+        if (toDevice.type === EventType.RoomMessageEncrypted && !["m.olm.v1.curve25519-aes-sha2"].includes((_toDevice$content = toDevice.content) === null || _toDevice$content === void 0 ? void 0 : _toDevice$content.algorithm)) {
+          logger.log("Ignoring invalid encrypted to-device event from " + toDevice.sender);
+          return false;
+        }
+        return true;
+      });
+    })();
+  }
+
+  /**
+   * Stores the current one_time_key count which will be handled later (in a call of
+   * onSyncCompleted).
+   *
+   * @param currentCount - The current count of one_time_keys to be stored
+   */
+  updateOneTimeKeyCount(currentCount) {
+    if (isFinite(currentCount)) {
+      this.oneTimeKeyCount = currentCount;
+    } else {
+      throw new TypeError("Parameter for updateOneTimeKeyCount has to be a number");
+    }
+  }
+  processKeyCounts(oneTimeKeysCounts, unusedFallbackKeys) {
+    if (oneTimeKeysCounts !== undefined) {
+      this.updateOneTimeKeyCount(oneTimeKeysCounts["signed_curve25519"] || 0);
+    }
+    if (unusedFallbackKeys !== undefined) {
+      // If `unusedFallbackKeys` is defined, that means `device_unused_fallback_key_types`
+      // is present in the sync response, which indicates that the server supports fallback keys.
+      //
+      // If there's no unused signed_curve25519 fallback key, we need a new one.
+      this.needsNewFallback = !unusedFallbackKeys.includes("signed_curve25519");
+    }
+    return Promise.resolve();
+  }
+  /**
+   * Handle a key event
+   *
+   * @internal
+   * @param event - key event
+   */
+  onRoomKeyEvent(event) {
+    var content = event.getContent();
+    if (!content.room_id || !content.algorithm) {
+      logger.error("key event is missing fields");
+      return;
+    }
+    if (!this.backupManager.checkedForBackup) {
+      // don't bother awaiting on this - the important thing is that we retry if we
+      // haven't managed to check before
+      this.backupManager.checkAndStart();
+    }
+    var alg = this.getRoomDecryptor(content.room_id, content.algorithm);
+    alg.onRoomKeyEvent(event);
+  }
+
+  /**
+   * Handle a key withheld event
+   *
+   * @internal
+   * @param event - key withheld event
+   */
+  onRoomKeyWithheldEvent(event) {
+    var content = event.getContent();
+    if (content.code !== "m.no_olm" && (!content.room_id || !content.session_id) || !content.algorithm || !content.sender_key) {
+      logger.error("key withheld event is missing fields");
+      return;
+    }
+    logger.info("Got room key withheld event from ".concat(event.getSender(), " ") + "for ".concat(content.algorithm, " session ").concat(content.sender_key, "|").concat(content.session_id, " ") + "in room ".concat(content.room_id, " with code ").concat(content.code, " (").concat(content.reason, ")"));
+    var alg = this.getRoomDecryptor(content.room_id, content.algorithm);
+    if (alg.onRoomKeyWithheldEvent) {
+      alg.onRoomKeyWithheldEvent(event);
+    }
+    if (!content.room_id) {
+      // retry decryption for all events sent by the sender_key.  This will
+      // update the events to show a message indicating that the olm session was
+      // wedged.
+      var roomDecryptors = this.getRoomDecryptors(content.algorithm);
+      for (var decryptor of roomDecryptors) {
+        decryptor.retryDecryptionFromSender(content.sender_key);
+      }
+    }
+  }
+
+  /**
+   * Handle a general key verification event.
+   *
+   * @internal
+   * @param event - verification start event
+   */
+  onKeyVerificationMessage(event) {
+    if (!ToDeviceChannel.validateEvent(event, this.baseApis)) {
+      return;
+    }
+    var createRequest = event => {
+      if (!ToDeviceChannel.canCreateRequest(ToDeviceChannel.getEventType(event))) {
+        return;
+      }
+      var content = event.getContent();
+      var deviceId = content && content.from_device;
+      if (!deviceId) {
+        return;
+      }
+      var userId = event.getSender();
+      var channel = new ToDeviceChannel(this.baseApis, userId, [deviceId]);
+      return new VerificationRequest(channel, this.verificationMethods, this.baseApis);
+    };
+    this.handleVerificationEvent(event, this.toDeviceVerificationRequests, createRequest);
+  }
+  handleVerificationEvent(event, requestsMap, createRequest) {
+    var _arguments9 = arguments,
+      _this53 = this;
+    return _asyncToGenerator(function* () {
+      var isLiveEvent = _arguments9.length > 3 && _arguments9[3] !== undefined ? _arguments9[3] : true;
+      // Wait for event to get its final ID with pendingEventOrdering: "chronological", since DM channels depend on it.
+      if (event.isSending() && event.status != EventStatus.SENT) {
+        var eventIdListener;
+        var statusListener;
+        try {
+          yield new Promise((resolve, reject) => {
+            eventIdListener = resolve;
+            statusListener = () => {
+              if (event.status == EventStatus.CANCELLED) {
+                reject(new Error("Event status set to CANCELLED."));
+              }
+            };
+            event.once(MatrixEventEvent.LocalEventIdReplaced, eventIdListener);
+            event.on(MatrixEventEvent.Status, statusListener);
+          });
+        } catch (err) {
+          logger.error("error while waiting for the verification event to be sent: ", err);
+          return;
+        } finally {
+          event.removeListener(MatrixEventEvent.LocalEventIdReplaced, eventIdListener);
+          event.removeListener(MatrixEventEvent.Status, statusListener);
+        }
+      }
+      var request = requestsMap.getRequest(event);
+      var isNewRequest = false;
+      if (!request) {
+        request = createRequest(event);
+        // a request could not be made from this event, so ignore event
+        if (!request) {
+          logger.log("Crypto: could not find VerificationRequest for " + "".concat(event.getType(), ", and could not create one, so ignoring."));
+          return;
+        }
+        isNewRequest = true;
+        requestsMap.setRequest(event, request);
+      }
+      event.setVerificationRequest(request);
+      try {
+        yield request.channel.handleEvent(event, request, isLiveEvent);
+      } catch (err) {
+        logger.error("error while handling verification event", err);
+      }
+      var shouldEmit = isNewRequest && !request.initiatedByMe && !request.invalid &&
+      // check it has enough events to pass the UNSENT stage
+      !request.observeOnly;
+      if (shouldEmit) {
+        _this53.baseApis.emit(CryptoEvent.VerificationRequest, request);
+        _this53.baseApis.emit(CryptoEvent.VerificationRequestReceived, request);
+      }
+    })();
+  }
+
+  /**
+   * Handle a toDevice event that couldn't be decrypted
+   *
+   * @internal
+   * @param event - undecryptable event
+   */
+  onToDeviceBadEncrypted(event) {
+    var _this54 = this;
+    return _asyncToGenerator(function* () {
+      var content = event.getWireContent();
+      var sender = event.getSender();
+      var algorithm = content.algorithm;
+      var deviceKey = content.sender_key;
+      _this54.baseApis.emit(ClientEvent.UndecryptableToDeviceEvent, event);
+
+      // retry decryption for all events sent by the sender_key.  This will
+      // update the events to show a message indicating that the olm session was
+      // wedged.
+      var retryDecryption = () => {
+        var roomDecryptors = _this54.getRoomDecryptors(olmlib.MEGOLM_ALGORITHM);
+        for (var decryptor of roomDecryptors) {
+          decryptor.retryDecryptionFromSender(deviceKey);
+        }
+      };
+      if (sender === undefined || deviceKey === undefined || deviceKey === undefined) {
+        return;
+      }
+
+      // check when we can force a new session with this device: if we've already done so
+      // recently, don't do it again.
+      var forceNewSessionRetryTimeDevices = _this54.forceNewSessionRetryTime.getOrCreate(sender);
+      var forceNewSessionRetryTime = forceNewSessionRetryTimeDevices.getOrCreate(deviceKey);
+      if (forceNewSessionRetryTime > Date.now()) {
+        logger.debug("New session already forced with device ".concat(sender, ":").concat(deviceKey, ": ") + "not forcing another until at least ".concat(new Date(forceNewSessionRetryTime).toUTCString()));
+        yield _this54.olmDevice.recordSessionProblem(deviceKey, "wedged", true);
+        retryDecryption();
+        return;
+      }
+
+      // make sure we don't retry to unwedge too soon even if we fail to create a new session
+      forceNewSessionRetryTimeDevices.set(deviceKey, Date.now() + FORCE_SESSION_RETRY_INTERVAL_MS);
+
+      // establish a new olm session with this device since we're failing to decrypt messages
+      // on a current session.
+      // Note that an undecryptable message from another device could easily be spoofed -
+      // is there anything we can do to mitigate this?
+      var device = _this54.deviceList.getDeviceByIdentityKey(algorithm, deviceKey);
+      if (!device) {
+        // if we don't know about the device, fetch the user's devices again
+        // and retry before giving up
+        yield _this54.downloadKeys([sender], false);
+        device = _this54.deviceList.getDeviceByIdentityKey(algorithm, deviceKey);
+        if (!device) {
+          logger.info("Couldn't find device for identity key " + deviceKey + ": not re-establishing session");
+          yield _this54.olmDevice.recordSessionProblem(deviceKey, "wedged", false);
+          retryDecryption();
+          return;
+        }
+      }
+      var devicesByUser = new Map([[sender, [device]]]);
+      yield olmlib.ensureOlmSessionsForDevices(_this54.olmDevice, _this54.baseApis, devicesByUser, true);
+      forceNewSessionRetryTimeDevices.set(deviceKey, Date.now() + MIN_FORCE_SESSION_INTERVAL_MS);
+
+      // Now send a blank message on that session so the other side knows about it.
+      // (The keyshare request is sent in the clear so that won't do)
+      // We send this first such that, as long as the toDevice messages arrive in the
+      // same order we sent them, the other end will get this first, set up the new session,
+      // then get the keyshare request and send the key over this new session (because it
+      // is the session it has most recently received a message on).
+      var encryptedContent = {
+        algorithm: olmlib.OLM_ALGORITHM,
+        sender_key: _this54.olmDevice.deviceCurve25519Key,
+        ciphertext: {},
+        [ToDeviceMessageId]: uuidv4()
+      };
+      yield olmlib.encryptMessageForDevice(encryptedContent.ciphertext, _this54.userId, _this54.deviceId, _this54.olmDevice, sender, device, {
+        type: "m.dummy"
+      });
+      yield _this54.olmDevice.recordSessionProblem(deviceKey, "wedged", true);
+      retryDecryption();
+      yield _this54.baseApis.sendToDevice("m.room.encrypted", new Map([[sender, new Map([[device.deviceId, encryptedContent]])]]));
+
+      // Most of the time this probably won't be necessary since we'll have queued up a key request when
+      // we failed to decrypt the message and will be waiting a bit for the key to arrive before sending
+      // it. This won't always be the case though so we need to re-send any that have already been sent
+      // to avoid races.
+      var requestsToResend = yield _this54.outgoingRoomKeyRequestManager.getOutgoingSentRoomKeyRequest(sender, device.deviceId);
+      for (var keyReq of requestsToResend) {
+        _this54.requestRoomKey(keyReq.requestBody, keyReq.recipients, true);
+      }
+    })();
+  }
+
+  /**
+   * Handle a change in the membership state of a member of a room
+   *
+   * @internal
+   * @param event -  event causing the change
+   * @param member -  user whose membership changed
+   * @param oldMembership -  previous membership
+   */
+  onRoomMembership(event, member, oldMembership) {
+    // this event handler is registered on the *client* (as opposed to the room
+    // member itself), which means it is only called on changes to the *live*
+    // membership state (ie, it is not called when we back-paginate, nor when
+    // we load the state in the initialsync).
+    //
+    // Further, it is automatically registered and called when new members
+    // arrive in the room.
+
+    var roomId = member.roomId;
+    var alg = this.roomEncryptors.get(roomId);
+    if (!alg) {
+      // not encrypting in this room
+      return;
+    }
+    // only mark users in this room as tracked if we already started tracking in this room
+    // this way we don't start device queries after sync on behalf of this room which we won't use
+    // the result of anyway, as we'll need to do a query again once all the members are fetched
+    // by calling _trackRoomDevices
+    if (roomId in this.roomDeviceTrackingState) {
+      var _this$clientStore$get;
+      if (member.membership == KnownMembership.Join) {
+        logger.log("Join event for " + member.userId + " in " + roomId);
+        // make sure we are tracking the deviceList for this user
+        this.deviceList.startTrackingDeviceList(member.userId);
+      } else if (member.membership == KnownMembership.Invite && (_this$clientStore$get = this.clientStore.getRoom(roomId)) !== null && _this$clientStore$get !== void 0 && _this$clientStore$get.shouldEncryptForInvitedMembers()) {
+        logger.log("Invite event for " + member.userId + " in " + roomId);
+        this.deviceList.startTrackingDeviceList(member.userId);
+      }
+    }
+    alg.onRoomMembership(event, member, oldMembership);
+  }
+
+  /**
+   * Called when we get an m.room_key_request event.
+   *
+   * @internal
+   * @param event - key request event
+   */
+  onRoomKeyRequestEvent(event) {
+    var content = event.getContent();
+    if (content.action === "request") {
+      // Queue it up for now, because they tend to arrive before the room state
+      // events at initial sync, and we want to see if we know anything about the
+      // room before passing them on to the app.
+      var req = new IncomingRoomKeyRequest(event);
+      this.receivedRoomKeyRequests.push(req);
+    } else if (content.action === "request_cancellation") {
+      var _req = new IncomingRoomKeyRequestCancellation(event);
+      this.receivedRoomKeyRequestCancellations.push(_req);
+    }
+  }
+
+  /**
+   * Process any m.room_key_request events which were queued up during the
+   * current sync.
+   *
+   * @internal
+   */
+  processReceivedRoomKeyRequests() {
+    var _this55 = this;
+    return _asyncToGenerator(function* () {
+      if (_this55.processingRoomKeyRequests) {
+        // we're still processing last time's requests; keep queuing new ones
+        // up for now.
+        return;
+      }
+      _this55.processingRoomKeyRequests = true;
+      try {
+        // we need to grab and clear the queues in the synchronous bit of this method,
+        // so that we don't end up racing with the next /sync.
+        var requests = _this55.receivedRoomKeyRequests;
+        _this55.receivedRoomKeyRequests = [];
+        var cancellations = _this55.receivedRoomKeyRequestCancellations;
+        _this55.receivedRoomKeyRequestCancellations = [];
+
+        // Process all of the requests, *then* all of the cancellations.
+        //
+        // This makes sure that if we get a request and its cancellation in the
+        // same /sync result, then we process the request before the
+        // cancellation (and end up with a cancelled request), rather than the
+        // cancellation before the request (and end up with an outstanding
+        // request which should have been cancelled.)
+        yield Promise.all(requests.map(req => _this55.processReceivedRoomKeyRequest(req)));
+        yield Promise.all(cancellations.map(cancellation => _this55.processReceivedRoomKeyRequestCancellation(cancellation)));
+      } catch (e) {
+        logger.error("Error processing room key requsts: ".concat(e));
+      } finally {
+        _this55.processingRoomKeyRequests = false;
+      }
+    })();
+  }
+
+  /**
+   * Helper for processReceivedRoomKeyRequests
+   *
+   */
+  processReceivedRoomKeyRequest(req) {
+    var _this56 = this;
+    return _asyncToGenerator(function* () {
+      var userId = req.userId;
+      var deviceId = req.deviceId;
+      var body = req.requestBody;
+      var roomId = body.room_id;
+      var alg = body.algorithm;
+      logger.log("m.room_key_request from ".concat(userId, ":").concat(deviceId) + " for ".concat(roomId, " / ").concat(body.session_id, " (id ").concat(req.requestId, ")"));
+      if (userId !== _this56.userId) {
+        if (!_this56.roomEncryptors.get(roomId)) {
+          logger.debug("room key request for unencrypted room ".concat(roomId));
+          return;
+        }
+        var encryptor = _this56.roomEncryptors.get(roomId);
+        var device = _this56.deviceList.getStoredDevice(userId, deviceId);
+        if (!device) {
+          logger.debug("Ignoring keyshare for unknown device ".concat(userId, ":").concat(deviceId));
+          return;
+        }
+        try {
+          yield encryptor.reshareKeyWithDevice(body.sender_key, body.session_id, userId, device);
+        } catch (e) {
+          logger.warn("Failed to re-share keys for session " + body.session_id + " with device " + userId + ":" + device.deviceId, e);
+        }
+        return;
+      }
+      if (deviceId === _this56.deviceId) {
+        // We'll always get these because we send room key requests to
+        // '*' (ie. 'all devices') which includes the sending device,
+        // so ignore requests from ourself because apart from it being
+        // very silly, it won't work because an Olm session cannot send
+        // messages to itself.
+        // The log here is probably superfluous since we know this will
+        // always happen, but let's log anyway for now just in case it
+        // causes issues.
+        logger.log("Ignoring room key request from ourselves");
+        return;
+      }
+
+      // todo: should we queue up requests we don't yet have keys for,
+      // in case they turn up later?
+
+      // if we don't have a decryptor for this room/alg, we don't have
+      // the keys for the requested events, and can drop the requests.
+      if (!_this56.roomDecryptors.has(roomId)) {
+        logger.log("room key request for unencrypted room ".concat(roomId));
+        return;
+      }
+      var decryptor = _this56.roomDecryptors.get(roomId).get(alg);
+      if (!decryptor) {
+        logger.log("room key request for unknown alg ".concat(alg, " in room ").concat(roomId));
+        return;
+      }
+      if (!(yield decryptor.hasKeysForKeyRequest(req))) {
+        logger.log("room key request for unknown session ".concat(roomId, " / ") + body.session_id);
+        return;
+      }
+      req.share = () => {
+        decryptor.shareKeysWithDevice(req);
+      };
+
+      // if the device is verified already, share the keys
+      if (_this56.checkDeviceTrust(userId, deviceId).isVerified()) {
+        logger.log("device is already verified: sharing keys");
+        req.share();
+        return;
+      }
+      _this56.emit(CryptoEvent.RoomKeyRequest, req);
+    })();
+  }
+
+  /**
+   * Helper for processReceivedRoomKeyRequests
+   *
+   */
+  processReceivedRoomKeyRequestCancellation(cancellation) {
+    var _this57 = this;
+    return _asyncToGenerator(function* () {
+      logger.log("m.room_key_request cancellation for ".concat(cancellation.userId, ":") + "".concat(cancellation.deviceId, " (id ").concat(cancellation.requestId, ")"));
+
+      // we should probably only notify the app of cancellations we told it
+      // about, but we don't currently have a record of that, so we just pass
+      // everything through.
+      _this57.emit(CryptoEvent.RoomKeyRequestCancellation, cancellation);
+    })();
+  }
+
+  /**
+   * Get a decryptor for a given room and algorithm.
+   *
+   * If we already have a decryptor for the given room and algorithm, return
+   * it. Otherwise try to instantiate it.
+   *
+   * @internal
+   *
+   * @param roomId -   room id for decryptor. If undefined, a temporary
+   * decryptor is instantiated.
+   *
+   * @param algorithm -  crypto algorithm
+   *
+   * @throws `DecryptionError` if the algorithm is unknown
+   */
+  getRoomDecryptor(roomId, algorithm) {
+    var decryptors;
+    var alg;
+    if (roomId) {
+      decryptors = this.roomDecryptors.get(roomId);
+      if (!decryptors) {
+        decryptors = new Map();
+        this.roomDecryptors.set(roomId, decryptors);
+      }
+      alg = decryptors.get(algorithm);
+      if (alg) {
+        return alg;
+      }
+    }
+    var AlgClass = algorithms.DECRYPTION_CLASSES.get(algorithm);
+    if (!AlgClass) {
+      throw new DecryptionError(DecryptionFailureCode.UNKNOWN_ENCRYPTION_ALGORITHM, 'Unknown encryption algorithm "' + algorithm + '".');
+    }
+    alg = new AlgClass({
+      userId: this.userId,
+      crypto: this,
+      olmDevice: this.olmDevice,
+      baseApis: this.baseApis,
+      roomId: roomId !== null && roomId !== void 0 ? roomId : undefined
+    });
+    if (decryptors) {
+      decryptors.set(algorithm, alg);
+    }
+    return alg;
+  }
+
+  /**
+   * Get all the room decryptors for a given encryption algorithm.
+   *
+   * @param algorithm - The encryption algorithm
+   *
+   * @returns An array of room decryptors
+   */
+  getRoomDecryptors(algorithm) {
+    var decryptors = [];
+    for (var d of this.roomDecryptors.values()) {
+      if (d.has(algorithm)) {
+        decryptors.push(d.get(algorithm));
+      }
+    }
+    return decryptors;
+  }
+
+  /**
+   * sign the given object with our ed25519 key
+   *
+   * @param obj -  Object to which we will add a 'signatures' property
+   */
+  signObject(obj) {
+    var _this58 = this;
+    return _asyncToGenerator(function* () {
+      var sigs = new Map(Object.entries(obj.signatures || {}));
+      var unsigned = obj.unsigned;
+      delete obj.signatures;
+      delete obj.unsigned;
+      var userSignatures = sigs.get(_this58.userId) || {};
+      sigs.set(_this58.userId, userSignatures);
+      userSignatures["ed25519:" + _this58.deviceId] = yield _this58.olmDevice.sign(anotherjson.stringify(obj));
+      obj.signatures = recursiveMapToObject(sigs);
+      if (unsigned !== undefined) obj.unsigned = unsigned;
+    })();
+  }
+
+  /**
+   * @returns true if the room with the supplied ID is encrypted. False if the
+   * room is not encrypted, or is unknown to us.
+   */
+  isRoomEncrypted(roomId) {
+    return this.roomList.isRoomEncrypted(roomId);
+  }
+
+  /**
+   * Implementation of {@link Crypto.CryptoApi#isEncryptionEnabledInRoom}.
+   */
+  isEncryptionEnabledInRoom(roomId) {
+    var _this59 = this;
+    return _asyncToGenerator(function* () {
+      return _this59.isRoomEncrypted(roomId);
+    })();
+  }
+
+  /**
+   * @returns information about the encryption on the room with the supplied
+   * ID, or null if the room is not encrypted or unknown to us.
+   */
+  getRoomEncryption(roomId) {
+    return this.roomList.getRoomEncryption(roomId);
+  }
+
+  /**
+   * Returns whether dehydrated devices are supported by the crypto backend
+   * and by the server.
+   */
+  isDehydrationSupported() {
+    return _asyncToGenerator(function* () {
+      return false;
+    })();
+  }
+
+  /**
+   * Stub function -- dehydration is not implemented here, so throw error
+   */
+  startDehydration(createNewKey) {
+    return _asyncToGenerator(function* () {
+      throw new Error("Not implemented");
+    })();
+  }
+
+  /**
+   * Stub function -- restoreKeyBackup is not implemented here, so throw error
+   */
+  restoreKeyBackup(opts) {
+    throw new Error("Not implemented");
+  }
+
+  /**
+   * Stub function -- restoreKeyBackupWithPassphrase is not implemented here, so throw error
+   */
+  restoreKeyBackupWithPassphrase(passphrase, opts) {
+    throw new Error("Not implemented");
+  }
+}
+
+/**
+ * Fix up the backup key, that may be in the wrong format due to a bug in a
+ * migration step.  Some backup keys were stored as a comma-separated list of
+ * integers, rather than a base64-encoded byte array.  If this function is
+ * passed a string that looks like a list of integers rather than a base64
+ * string, it will attempt to convert it to the right format.
+ *
+ * @param key - the key to check
+ * @returns If the key is in the wrong format, then the fixed
+ * key will be returned. Otherwise null will be returned.
+ *
+ */
+export function fixBackupKey(key) {
+  if (typeof key !== "string" || key.indexOf(",") < 0) {
+    return null;
+  }
+  var fixedKey = Uint8Array.from(key.split(","), x => parseInt(x));
+  return encodeBase64(fixedKey);
+}
+
+/**
+ * Represents a received m.room_key_request event
+ */
+export class IncomingRoomKeyRequest {
+  constructor(event) {
+    /** user requesting the key */
+    _defineProperty(this, "userId", void 0);
+    /** device requesting the key */
+    _defineProperty(this, "deviceId", void 0);
+    /** unique id for the request */
+    _defineProperty(this, "requestId", void 0);
+    _defineProperty(this, "requestBody", void 0);
+    /**
+     * callback which, when called, will ask
+     *    the relevant crypto algorithm implementation to share the keys for
+     *    this request.
+     */
+    _defineProperty(this, "share", void 0);
+    var content = event.getContent();
+    this.userId = event.getSender();
+    this.deviceId = content.requesting_device_id;
+    this.requestId = content.request_id;
+    this.requestBody = content.body || {};
+    this.share = () => {
+      throw new Error("don't know how to share keys for this request yet");
+    };
+  }
+}
+
+/**
+ * Represents a received m.room_key_request cancellation
+ */
+class IncomingRoomKeyRequestCancellation {
+  constructor(event) {
+    /** user requesting the cancellation */
+    _defineProperty(this, "userId", void 0);
+    /** device requesting the cancellation */
+    _defineProperty(this, "deviceId", void 0);
+    /** unique id for the request to be cancelled */
+    _defineProperty(this, "requestId", void 0);
+    var content = event.getContent();
+    this.userId = event.getSender();
+    this.deviceId = content.requesting_device_id;
+    this.requestId = content.request_id;
+  }
+}
+
+// a number of types are re-exported for backwards compatibility, in case any applications are referencing it.
+//# sourceMappingURL=index.js.map