@wireapp/core-crypto 0.6.0-rc.7 → 0.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wireapp/core-crypto",
-  "version": "0.6.0-rc.7",
+  "version": "0.6.0",
   "description": "CoreCrypto bindings for the Web",
   "type": "module",
   "module": "platforms/web/corecrypto.js",

package/platforms/web/corecrypto.d.ts

@@ -408,7 +408,7 @@ export interface CoreCryptoCallbacks {
 	 * @param clientId - id of the client performing an operation requiring authorization
 	 * @returns whether the user is authorized by the logic layer to perform the operation
 	 */
-	authorize: (conversationId: Uint8Array, clientId: Uint8Array) => boolean;
+	authorize: (conversationId: Uint8Array, clientId: Uint8Array) => Promise<boolean>;
 	/**
 	 * A mix between {@link authorize} and {@link clientIsExistingGroupUser}. We currently use this callback to verify
 	 * external commits to join a group ; in such case, the client has to:
@@ -420,7 +420,7 @@ export interface CoreCryptoCallbacks {
 	 * @param existingClients - all the clients currently within the MLS group
 	 * @returns true if the external client is authorized to write to the conversation
 	 */
-	userAuthorize: (conversationId: Uint8Array, externalClientId: Uint8Array, existingClients: Uint8Array[]) => boolean;
+	userAuthorize: (conversationId: Uint8Array, externalClientId: Uint8Array, existingClients: Uint8Array[]) => Promise<boolean>;
 	/**
 	 * Callback to ensure that the given `clientId` belongs to one of the provided `existingClients`
 	 * This basically allows to defer the client ID parsing logic to the caller - because CoreCrypto is oblivious to such things
@@ -429,7 +429,7 @@ export interface CoreCryptoCallbacks {
 	 * @param clientId - id of a client
 	 * @param existingClients - all the clients currently within the MLS group
 	 */
-	clientIsExistingGroupUser: (conversationId: Uint8Array, clientId: Uint8Array, existingClients: Uint8Array[]) => boolean;
+	clientIsExistingGroupUser: (conversationId: Uint8Array, clientId: Uint8Array, existingClients: Uint8Array[]) => Promise<boolean>;
 }
 /**
  * Wrapper for the WASM-compiled version of CoreCrypto
@@ -484,6 +484,22 @@ export declare class CoreCrypto {
 	 * @param clientId - {@link CoreCryptoParams#clientId} but required
 	 */
 	mlsInit(clientId: ClientId): Promise<void>;
+	/**
+	 * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
+	 * This method is designed to be used in conjunction with {@link CoreCrypto.mlsInitWithClientID} and represents the first step in this process
+	 *
+	 * @returns This returns the TLS-serialized identity key (i.e. the signature keypair's public key)
+	 */
+	mlsGenerateKeypair(): Promise<Uint8Array>;
+	/**
+	 * Updates the current temporary Client ID with the newly provided one. This is the second step in the externally-generated clients process
+	 *
+	 * Important: This is designed to be called after {@link CoreCrypto.mlsGenerateKeyPair}
+	 *
+	 * @param clientId - The newly-allocated client ID by the MLS Authentication Service
+	 * @param signaturePublicKey - The public key you were given at the first step; This is for authentication purposes
+	 */
+	mlsInitWithClientId(clientId: ClientId, signaturePublicKey: Uint8Array): Promise<void>;
 	/** @hidden */
 	private constructor();
 	/**
@@ -503,7 +519,7 @@ export declare class CoreCrypto {
 	 *
 	 * @param callbacks - Any interface following the {@link CoreCryptoCallbacks} interface
 	 */
-	registerCallbacks(callbacks: CoreCryptoCallbacks): void;
+	registerCallbacks(callbacks: CoreCryptoCallbacks, ctx?: any): Promise<void>;
 	/**
 	 * Checks if the Client is member of a given conversation and if the MLS Group is loaded up
 	 *
@@ -831,9 +847,19 @@ export declare class CoreCrypto {
 	/**
 	 * Creates a new prekey with an automatically generated ID..
 	 *
-	 * @returns: A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey
+	 * @returns A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey
 	 */
 	proteusNewPrekeyAuto(): Promise<Uint8Array>;
+	/**
+	 * Proteus last resort prekey stuff
+	 *
+	 * @returns A CBOR-serialize version of the PreKeyBundle associated with the last resort PreKey (holding the last resort prekey id)
+	 */
+	proteusLastResortPrekey(): Promise<Uint8Array>;
+	/**
+	 * @returns The last resort PreKey id
+	 */
+	static proteusLastResortPrekeyId(): number;
 	/**
 	 * Proteus public key fingerprint
 	 * It's basically the public key encoded as an hex string
@@ -876,12 +902,12 @@ export declare class CoreCrypto {
 	/**
 	 * Creates an enrollment instance with private key material you can use in order to fetch
 	 * a new x509 certificate from the acme server.
-	 * Make sure to call [WireE2eIdentity::free] (not yet available) to dispose this instance and its associated
+	 * Make sure to call {@link WireE2eIdentity.free} to dispose this instance and its associated
 	 * keying material.
 	 *
 	 * @param ciphersuite - For generating signing key material. Only {@link Ciphersuite.MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519} is supported currently
 	 */
-	newAcmeEnrollment(): Promise<WireE2eIdentity>;
+	newAcmeEnrollment(ciphersuite?: Ciphersuite): Promise<WireE2eIdentity>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -896,6 +922,7 @@ export declare class WireE2eIdentity {
 	#private;
 	/** @hidden */
 	constructor(e2ei: unknown);
+	free(): void;
 	/**
 	 * Parses the response from `GET /acme/{provisioner-name}/directory`.
 	 * Use this {@link AcmeDirectory} in the next step to fetch the first nonce from the acme server. Use
@@ -923,15 +950,17 @@ export declare class WireE2eIdentity {
 	/**
 	 * Creates a new acme order for the handle (userId + display name) and the clientId.
 	 *
-	 * @param handle domain of the authorization server e.g. `idp.example.org`
-	 * @param clientId domain of the wire-server e.g. `wire.example.org`
+	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param domain DNS name of owning backend e.g. `example.com`
+	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `impp:wireapp=NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ/6add501bacd1d90e@example.com`
+	 * @param handle user handle e.g. `impp:wireapp=alice.smith.qa@example.com`
 	 * @param expiryDays generated x509 certificate expiry
 	 * @param directory you got from {@link directoryResponse}
 	 * @param account you got from {@link newAccountResponse}
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderRequest(handle: string, clientId: string, expiryDays: number, directory: AcmeDirectory, account: AcmeAccount, previousNonce: string): JsonRawData;
+	newOrderRequest(displayName: string, domain: string, clientId: string, handle: string, expiryDays: number, directory: AcmeDirectory, account: AcmeAccount, previousNonce: string): JsonRawData;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-order`.
 	 *
@@ -978,14 +1007,25 @@ export declare class WireE2eIdentity {
 	 */
 	createDpopToken(accessTokenUrl: string, userId: string, clientId: bigint, domain: string, clientIdChallenge: AcmeChallenge, backendNonce: string, expiryDays: number): string;
 	/**
-	 * Creates a new challenge request.
+	 * Creates a new challenge request for Wire Dpop challenge.
+	 *
+	 * @param accessToken returned by wire-server from https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/post_clients__cid__access_token
+	 * @param dpopChallenge you found after {@link newAuthzResponse}
+	 * @param account you found after {@link newAccountResponse}
+	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+	 */
+	newDpopChallengeRequest(accessToken: string, dpopChallenge: AcmeChallenge, account: AcmeAccount, previousNonce: string): JsonRawData;
+	/**
+	 * Creates a new challenge request for Wire Oidc challenge.
 	 *
-	 * @param handleChallenge you found after {@link newAuthzResponse}
+	 * @param idToken you get back from Identity Provider
+	 * @param oidcChallenge you found after {@link newAuthzResponse}
 	 * @param account you found after {@link newAccountResponse}
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newChallengeRequest(handleChallenge: AcmeChallenge, account: AcmeAccount, previousNonce: string): JsonRawData;
+	newOidcChallengeRequest(idToken: string, oidcChallenge: AcmeChallenge, account: AcmeAccount, previousNonce: string): JsonRawData;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}`.
 	 *
@@ -1012,13 +1052,12 @@ export declare class WireE2eIdentity {
 	/**
 	 * Final step before fetching the certificate.
 	 *
-	 * @param domains - domains you want to generate a certificate for e.g. `["wire.com"]`
 	 * @param order - order you got from {@link checkOrderResponse}
 	 * @param account - account you found after {@link newAccountResponse}
 	 * @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeRequest(domains: string[], order: AcmeOrder, account: AcmeAccount, previousNonce: string): JsonRawData;
+	finalizeRequest(order: AcmeOrder, account: AcmeAccount, previousNonce: string): JsonRawData;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}/finalize`.
 	 *

package/platforms/web/corecrypto.js

@@ -34,14 +34,6 @@ const heap = new Array(128).fill(undefined);
 heap.push(undefined, null, true, false);
 function getObject(idx) { return heap[idx]; }
 let heap_next = heap.length;
-function addHeapObject(obj) {
-    if (heap_next === heap.length)
-        heap.push(heap.length + 1);
-    const idx = heap_next;
-    heap_next = heap[idx];
-    heap[idx] = obj;
-    return idx;
-}
 function dropObject(idx) {
     if (idx < 132)
         return;
@@ -53,6 +45,14 @@ function takeObject(idx) {
     dropObject(idx);
     return ret;
 }
+function addHeapObject(obj) {
+    if (heap_next === heap.length)
+        heap.push(heap.length + 1);
+    const idx = heap_next;
+    heap_next = heap[idx];
+    heap[idx] = obj;
+    return idx;
+}
 const cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
 cachedTextDecoder.decode();
 let cachedUint8Memory0 = null;
@@ -228,7 +228,7 @@ function makeMutClosure(arg0, arg1, dtor, f) {
 function __wbg_adapter_52(arg0, arg1, arg2) {
     try {
         const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-        wasm$1._dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h0b669391a1ca469a(retptr, arg0, arg1, addHeapObject(arg2));
+        wasm$1._dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__h07d37b19e83c7ae3(retptr, arg0, arg1, addHeapObject(arg2));
         var r0 = getInt32Memory0()[retptr / 4 + 0];
         var r1 = getInt32Memory0()[retptr / 4 + 1];
         if (r1) {
@@ -240,7 +240,7 @@ function __wbg_adapter_52(arg0, arg1, arg2) {
     }
 }
 function __wbg_adapter_55(arg0, arg1, arg2) {
-    wasm$1._dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__ha3d8e2730fb8635e(arg0, arg1, addHeapObject(arg2));
+    wasm$1._dyn_core__ops__function__FnMut__A____Output___R_as_wasm_bindgen__closure__WasmClosure___describe__invoke__hde4447b48c9e13f3(arg0, arg1, addHeapObject(arg2));
 }
 function _assertClass(instance, klass) {
     if (!(instance instanceof klass)) {
@@ -279,23 +279,6 @@ function getArrayJsValueFromWasm0(ptr, len) {
     }
     return result;
 }
-/**
-* Returns the current version of CoreCrypto
-* @returns {string}
-*/
-function version() {
-    try {
-        const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-        wasm$1.version(retptr);
-        var r0 = getInt32Memory0()[retptr / 4 + 0];
-        var r1 = getInt32Memory0()[retptr / 4 + 1];
-        return getStringFromWasm0(r0, r1);
-    }
-    finally {
-        wasm$1.__wbindgen_add_to_stack_pointer(16);
-        wasm$1.__wbindgen_free(r0, r1);
-    }
-}
 function handleError(f, args) {
     try {
         return f.apply(this, args);
@@ -307,8 +290,8 @@ function handleError(f, args) {
 function getArrayU8FromWasm0(ptr, len) {
     return getUint8Memory0().subarray(ptr / 1, ptr / 1 + len);
 }
-function __wbg_adapter_267(arg0, arg1, arg2, arg3) {
-    wasm$1.wasm_bindgen__convert__closures__invoke2_mut__h191981cd1d6b08cc(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
+function __wbg_adapter_268(arg0, arg1, arg2, arg3) {
+    wasm$1.wasm_bindgen__convert__closures__invoke2_mut__h1934ea7100a9edf0(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 }
 /**
 * see [core_crypto::prelude::MlsWirePolicy]
@@ -659,6 +642,23 @@ let CoreCrypto$1 = class CoreCrypto {
         wasm$1.__wbg_corecrypto_free(ptr);
     }
     /**
+    * Returns the current version of CoreCrypto
+    * @returns {string}
+    */
+    static version() {
+        try {
+            const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
+            wasm$1.corecrypto_version(retptr);
+            var r0 = getInt32Memory0()[retptr / 4 + 0];
+            var r1 = getInt32Memory0()[retptr / 4 + 1];
+            return getStringFromWasm0(r0, r1);
+        }
+        finally {
+            wasm$1.__wbindgen_add_to_stack_pointer(16);
+            wasm$1.__wbindgen_free(r0, r1);
+        }
+    }
+    /**
     * see [core_crypto::MlsCentral::try_new]
     * @param {string} path
     * @param {string} key
@@ -707,6 +707,32 @@ let CoreCrypto$1 = class CoreCrypto {
         return takeObject(ret);
     }
     /**
+    * Returns [`WasmCryptoResult<Vec<u8>>`]
+    *
+    * See [core_crypto::MlsCentral::mls_generate_keypair]
+    * @returns {Promise<any>}
+    */
+    mls_generate_keypair() {
+        const ret = wasm$1.corecrypto_mls_generate_keypair(this.ptr);
+        return takeObject(ret);
+    }
+    /**
+    * Returns [`WasmCryptoResult<()>`]
+    *
+    * See [core_crypto::MlsCentral::mls_init_with_client_id]
+    * @param {Uint8Array} client_id
+    * @param {Uint8Array} signature_public_key
+    * @returns {Promise<any>}
+    */
+    mls_init_with_client_id(client_id, signature_public_key) {
+        const ptr0 = passArray8ToWasm0(client_id, wasm$1.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passArray8ToWasm0(signature_public_key, wasm$1.__wbindgen_malloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm$1.corecrypto_mls_init_with_client_id(this.ptr, ptr0, len0, ptr1, len1);
+        return takeObject(ret);
+    }
+    /**
     * Returns: [`WasmCryptoResult<()>`]
     *
     * see [core_crypto::MlsCentral::close]
@@ -1227,7 +1253,7 @@ let CoreCrypto$1 = class CoreCrypto {
     * see [core_crypto::proteus::ProteusCentral::encrypt]
     * @param {string} session_id
     * @param {Uint8Array} plaintext
-    * @returns {Promise<Uint8Array>}
+    * @returns {Promise<Promise<any>>}
     */
     proteus_encrypt(session_id, plaintext) {
         const ptr0 = passStringToWasm0(session_id, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
@@ -1243,7 +1269,7 @@ let CoreCrypto$1 = class CoreCrypto {
     * see [core_crypto::proteus::ProteusCentral::encrypt_batched]
     * @param {(string)[]} sessions
     * @param {Uint8Array} plaintext
-    * @returns {Promise<Map<any, any>>}
+    * @returns {Promise<any>}
     */
     proteus_encrypt_batched(sessions, plaintext) {
         const ptr0 = passArrayJsValueToWasm0(sessions, wasm$1.__wbindgen_malloc);
@@ -1258,7 +1284,7 @@ let CoreCrypto$1 = class CoreCrypto {
     *
     * see [core_crypto::proteus::ProteusCentral::new_prekey]
     * @param {number} prekey_id
-    * @returns {Promise<Uint8Array>}
+    * @returns {Promise<Promise<any>>}
     */
     proteus_new_prekey(prekey_id) {
         const ret = wasm$1.corecrypto_proteus_new_prekey(this.ptr, prekey_id);
@@ -1268,13 +1294,45 @@ let CoreCrypto$1 = class CoreCrypto {
     * Returns: [`WasmCryptoResult<Uint8Array>`]
     *
     * see [core_crypto::proteus::ProteusCentral::new_prekey]
-    * @returns {Promise<Uint8Array>}
+    * @returns {Promise<Promise<any>>}
     */
     proteus_new_prekey_auto() {
         const ret = wasm$1.corecrypto_proteus_new_prekey_auto(this.ptr);
         return takeObject(ret);
     }
     /**
+    * Returns [`WasmCryptoResult<Uint8Array>`]
+    *
+    * see [core_crypto::proteus::ProteusCentral::last_resort_prekey]
+    * @returns {Promise<any>}
+    */
+    proteus_last_resort_prekey() {
+        const ret = wasm$1.corecrypto_proteus_last_resort_prekey(this.ptr);
+        return takeObject(ret);
+    }
+    /**
+    * Returns: [`WasmCryptoResult<u16>`]
+    *
+    * see [core_crypto::proteus::ProteusCentral::last_resort_prekey_id]
+    * @returns {number}
+    */
+    static proteus_last_resort_prekey_id() {
+        try {
+            const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
+            wasm$1.corecrypto_proteus_last_resort_prekey_id(retptr);
+            var r0 = getInt32Memory0()[retptr / 4 + 0];
+            var r1 = getInt32Memory0()[retptr / 4 + 1];
+            var r2 = getInt32Memory0()[retptr / 4 + 2];
+            if (r2) {
+                throw takeObject(r1);
+            }
+            return r0;
+        }
+        finally {
+            wasm$1.__wbindgen_add_to_stack_pointer(16);
+        }
+    }
+    /**
     * Returns: [`WasmCryptoResult<String>`]
     *
     * see [core_crypto::proteus::ProteusCentral::fingerprint]
@@ -1421,9 +1479,10 @@ class CoreCryptoWasmCallbacks {
     * @param {Function} authorize
     * @param {Function} user_authorize
     * @param {Function} client_is_existing_group_user
+    * @param {any} ctx
     */
-    constructor(authorize, user_authorize, client_is_existing_group_user) {
-        const ret = wasm$1.corecryptowasmcallbacks_new(addHeapObject(authorize), addHeapObject(user_authorize), addHeapObject(client_is_existing_group_user));
+    constructor(authorize, user_authorize, client_is_existing_group_user, ctx) {
+        const ret = wasm$1.corecryptowasmcallbacks_new(addHeapObject(authorize), addHeapObject(user_authorize), addHeapObject(client_is_existing_group_user), addHeapObject(ctx));
         return CoreCryptoWasmCallbacks.__wrap(ret);
     }
 }
@@ -1605,24 +1664,30 @@ class FfiWireE2EIdentity {
     }
     /**
     * See [core_crypto::e2e_identity::WireE2eIdentity::new_order_request]
-    * @param {string} handle
+    * @param {string} display_name
+    * @param {string} domain
     * @param {string} client_id
+    * @param {string} handle
     * @param {number} expiry_days
     * @param {any} directory
     * @param {Uint8Array} account
     * @param {string} previous_nonce
     * @returns {Uint8Array}
     */
-    new_order_request(handle, client_id, expiry_days, directory, account, previous_nonce) {
+    new_order_request(display_name, domain, client_id, handle, expiry_days, directory, account, previous_nonce) {
         try {
             const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-            const ptr0 = passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const ptr0 = passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
             const len0 = WASM_VECTOR_LEN;
-            const ptr1 = passStringToWasm0(client_id, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const ptr1 = passStringToWasm0(domain, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
             const len1 = WASM_VECTOR_LEN;
-            const ptr2 = passStringToWasm0(previous_nonce, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const ptr2 = passStringToWasm0(client_id, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
             const len2 = WASM_VECTOR_LEN;
-            wasm$1.ffiwiree2eidentity_new_order_request(retptr, this.ptr, ptr0, len0, ptr1, len1, expiry_days, addHeapObject(directory), addHeapObject(account), ptr2, len2);
+            const ptr3 = passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const len3 = WASM_VECTOR_LEN;
+            const ptr4 = passStringToWasm0(previous_nonce, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const len4 = WASM_VECTOR_LEN;
+            wasm$1.ffiwiree2eidentity_new_order_request(retptr, this.ptr, ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3, expiry_days, addHeapObject(directory), addHeapObject(account), ptr4, len4);
             var r0 = getInt32Memory0()[retptr / 4 + 0];
             var r1 = getInt32Memory0()[retptr / 4 + 1];
             var r2 = getInt32Memory0()[retptr / 4 + 2];
@@ -1746,18 +1811,49 @@ class FfiWireE2EIdentity {
         }
     }
     /**
-    * See [core_crypto::e2e_identity::WireE2eIdentity::new_challenge_request]
-    * @param {any} handle_challenge
+    * See [core_crypto::e2e_identity::WireE2eIdentity::new_dpop_challenge_request]
+    * @param {string} access_token
+    * @param {any} dpop_challenge
     * @param {Uint8Array} account
     * @param {string} previous_nonce
     * @returns {Uint8Array}
     */
-    new_challenge_request(handle_challenge, account, previous_nonce) {
+    new_dpop_challenge_request(access_token, dpop_challenge, account, previous_nonce) {
         try {
             const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-            const ptr0 = passStringToWasm0(previous_nonce, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const ptr0 = passStringToWasm0(access_token, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
             const len0 = WASM_VECTOR_LEN;
-            wasm$1.ffiwiree2eidentity_new_challenge_request(retptr, this.ptr, addHeapObject(handle_challenge), addHeapObject(account), ptr0, len0);
+            const ptr1 = passStringToWasm0(previous_nonce, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const len1 = WASM_VECTOR_LEN;
+            wasm$1.ffiwiree2eidentity_new_dpop_challenge_request(retptr, this.ptr, ptr0, len0, addHeapObject(dpop_challenge), addHeapObject(account), ptr1, len1);
+            var r0 = getInt32Memory0()[retptr / 4 + 0];
+            var r1 = getInt32Memory0()[retptr / 4 + 1];
+            var r2 = getInt32Memory0()[retptr / 4 + 2];
+            if (r2) {
+                throw takeObject(r1);
+            }
+            return takeObject(r0);
+        }
+        finally {
+            wasm$1.__wbindgen_add_to_stack_pointer(16);
+        }
+    }
+    /**
+    * See [core_crypto::e2e_identity::WireE2eIdentity::new_oidc_challenge_request]
+    * @param {string} id_token
+    * @param {any} oidc_challenge
+    * @param {Uint8Array} account
+    * @param {string} previous_nonce
+    * @returns {Uint8Array}
+    */
+    new_oidc_challenge_request(id_token, oidc_challenge, account, previous_nonce) {
+        try {
+            const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
+            const ptr0 = passStringToWasm0(id_token, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const len0 = WASM_VECTOR_LEN;
+            const ptr1 = passStringToWasm0(previous_nonce, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+            const len1 = WASM_VECTOR_LEN;
+            wasm$1.ffiwiree2eidentity_new_oidc_challenge_request(retptr, this.ptr, ptr0, len0, addHeapObject(oidc_challenge), addHeapObject(account), ptr1, len1);
             var r0 = getInt32Memory0()[retptr / 4 + 0];
             var r1 = getInt32Memory0()[retptr / 4 + 1];
             var r2 = getInt32Memory0()[retptr / 4 + 2];
@@ -1838,20 +1934,17 @@ class FfiWireE2EIdentity {
     }
     /**
     * See [core_crypto::e2e_identity::WireE2eIdentity::finalize_request]
-    * @param {(string)[]} domains
     * @param {Uint8Array} order
     * @param {Uint8Array} account
     * @param {string} previous_nonce
     * @returns {Uint8Array}
     */
-    finalize_request(domains, order, account, previous_nonce) {
+    finalize_request(order, account, previous_nonce) {
         try {
             const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-            const ptr0 = passArrayJsValueToWasm0(domains, wasm$1.__wbindgen_malloc);
+            const ptr0 = passStringToWasm0(previous_nonce, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
             const len0 = WASM_VECTOR_LEN;
-            const ptr1 = passStringToWasm0(previous_nonce, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
-            const len1 = WASM_VECTOR_LEN;
-            wasm$1.ffiwiree2eidentity_finalize_request(retptr, this.ptr, ptr0, len0, addHeapObject(order), addHeapObject(account), ptr1, len1);
+            wasm$1.ffiwiree2eidentity_finalize_request(retptr, this.ptr, addHeapObject(order), addHeapObject(account), ptr0, len0);
             var r0 = getInt32Memory0()[retptr / 4 + 0];
             var r1 = getInt32Memory0()[retptr / 4 + 1];
             var r2 = getInt32Memory0()[retptr / 4 + 2];
@@ -2049,16 +2142,16 @@ class NewAcmeAuthz {
     }
     /**
     * @param {string} identifier
-    * @param {AcmeChallenge | undefined} wire_http_challenge
+    * @param {AcmeChallenge | undefined} wire_dpop_challenge
     * @param {AcmeChallenge | undefined} wire_oidc_challenge
     */
-    constructor(identifier, wire_http_challenge, wire_oidc_challenge) {
+    constructor(identifier, wire_dpop_challenge, wire_oidc_challenge) {
         const ptr0 = passStringToWasm0(identifier, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
         let ptr1 = 0;
-        if (!isLikeNone(wire_http_challenge)) {
-            _assertClass(wire_http_challenge, AcmeChallenge);
-            ptr1 = wire_http_challenge.__destroy_into_raw();
+        if (!isLikeNone(wire_dpop_challenge)) {
+            _assertClass(wire_dpop_challenge, AcmeChallenge);
+            ptr1 = wire_dpop_challenge.__destroy_into_raw();
         }
         let ptr2 = 0;
         if (!isLikeNone(wire_oidc_challenge)) {
@@ -2087,8 +2180,8 @@ class NewAcmeAuthz {
     /**
     * @returns {AcmeChallenge | undefined}
     */
-    get wire_http_challenge() {
-        const ret = wasm$1.newacmeauthz_wire_http_challenge(this.ptr);
+    get wire_dpop_challenge() {
+        const ret = wasm$1.newacmeauthz_wire_dpop_challenge(this.ptr);
         return ret === 0 ? undefined : AcmeChallenge.__wrap(ret);
     }
     /**
@@ -2244,6 +2337,27 @@ async function load(module, imports) {
 function getImports() {
     const imports = {};
     imports.wbg = {};
+    imports.wbg.__wbg_new_f9876326328f45ed = function () {
+        const ret = new Object();
+        return addHeapObject(ret);
+    };
+    imports.wbg.__wbg_new_b525de17f44a8943 = function () {
+        const ret = new Array();
+        return addHeapObject(ret);
+    };
+    imports.wbg.__wbg_set_17224bc548dd1d7b = function (arg0, arg1, arg2) {
+        getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
+    };
+    imports.wbg.__wbg_set_20cbc34131e76824 = function (arg0, arg1, arg2) {
+        getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
+    };
+    imports.wbg.__wbindgen_object_drop_ref = function (arg0) {
+        takeObject(arg0);
+    };
+    imports.wbg.__wbindgen_number_new = function (arg0) {
+        const ret = arg0;
+        return addHeapObject(ret);
+    };
     imports.wbg.__wbindgen_object_clone_ref = function (arg0) {
         const ret = getObject(arg0);
         return addHeapObject(ret);
@@ -2253,9 +2367,6 @@ function getImports() {
         const ret = typeof (val) === 'object' && val !== null;
         return ret;
     };
-    imports.wbg.__wbindgen_object_drop_ref = function (arg0) {
-        takeObject(arg0);
-    };
     imports.wbg.__wbg_getwithrefkey_15c62c2b8546208d = function (arg0, arg1) {
         const ret = getObject(arg0)[getObject(arg1)];
         return addHeapObject(ret);
@@ -2296,42 +2407,16 @@ function getImports() {
         const ret = getObject(arg0).length;
         return ret;
     };
+    imports.wbg.__wbg_new_537b7341ce90bb31 = function (arg0) {
+        const ret = new Uint8Array(getObject(arg0));
+        return addHeapObject(ret);
+    };
     imports.wbg.__wbg_call_9495de66fdbe016b = function () {
         return handleError(function (arg0, arg1, arg2) {
             const ret = getObject(arg0).call(getObject(arg1), getObject(arg2));
             return addHeapObject(ret);
         }, arguments);
     };
-    imports.wbg.__wbg_new_537b7341ce90bb31 = function (arg0) {
-        const ret = new Uint8Array(getObject(arg0));
-        return addHeapObject(ret);
-    };
-    imports.wbg.__wbindgen_bigint_from_u64 = function (arg0) {
-        const ret = BigInt.asUintN(64, arg0);
-        return addHeapObject(ret);
-    };
-    imports.wbg.__wbg_new_f9876326328f45ed = function () {
-        const ret = new Object();
-        return addHeapObject(ret);
-    };
-    imports.wbg.__wbg_new_b525de17f44a8943 = function () {
-        const ret = new Array();
-        return addHeapObject(ret);
-    };
-    imports.wbg.__wbg_set_17224bc548dd1d7b = function (arg0, arg1, arg2) {
-        getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
-    };
-    imports.wbg.__wbg_set_20cbc34131e76824 = function (arg0, arg1, arg2) {
-        getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
-    };
-    imports.wbg.__wbindgen_number_new = function (arg0) {
-        const ret = arg0;
-        return addHeapObject(ret);
-    };
-    imports.wbg.__wbg_ffiwiree2eidentity_new = function (arg0) {
-        const ret = FfiWireE2EIdentity.__wrap(arg0);
-        return addHeapObject(ret);
-    };
     imports.wbg.__wbg_new_9d3a9ce4282a18a8 = function (arg0, arg1) {
         try {
             var state0 = { a: arg0, b: arg1 };
@@ -2339,7 +2424,7 @@ function getImports() {
                 const a = state0.a;
                 state0.a = 0;
                 try {
-                    return __wbg_adapter_267(a, state0.b, arg0, arg1);
+                    return __wbg_adapter_268(a, state0.b, arg0, arg1);
                 }
                 finally {
                     state0.a = a;
@@ -2352,6 +2437,10 @@ function getImports() {
             state0.a = state0.b = 0;
         }
     };
+    imports.wbg.__wbg_ffiwiree2eidentity_new = function (arg0) {
+        const ret = FfiWireE2EIdentity.__wrap(arg0);
+        return addHeapObject(ret);
+    };
     imports.wbg.__wbg_push_49c286f04dd3bf59 = function (arg0, arg1) {
         const ret = getObject(arg0).push(getObject(arg1));
         return ret;
@@ -2364,6 +2453,10 @@ function getImports() {
         const ret = getObject(arg0).set(getObject(arg1), getObject(arg2));
         return addHeapObject(ret);
     };
+    imports.wbg.__wbindgen_bigint_from_u64 = function (arg0) {
+        const ret = BigInt.asUintN(64, arg0);
+        return addHeapObject(ret);
+    };
     imports.wbg.__wbg_setonsuccess_925a7718d3f62bc1 = function (arg0, arg1) {
         getObject(arg0).onsuccess = getObject(arg1);
     };
@@ -2448,8 +2541,8 @@ function getImports() {
             return addHeapObject(ret);
         }, arguments);
     };
-    imports.wbg.__wbg_length_ea0846e494e3b16e = function (arg0) {
-        const ret = getObject(arg0).length;
+    imports.wbg.__wbg_now_78244d2ced74c026 = function () {
+        const ret = performance.now();
         return ret;
     };
     imports.wbg.__wbg_reject_57029f54148d79c3 = function (arg0) {
@@ -2464,10 +2557,6 @@ function getImports() {
         const ret = Date.now();
         return ret;
     };
-    imports.wbg.__wbg_now_78244d2ced74c026 = function () {
-        const ret = performance.now();
-        return ret;
-    };
     imports.wbg.__wbg_new_abda76e883ba8a5f = function () {
         const ret = new Error();
         return addHeapObject(ret);
@@ -2642,10 +2731,6 @@ function getImports() {
         const ret = new Uint8Array(arg0 >>> 0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_charCodeAt_d78a90aced59e02f = function (arg0, arg1) {
-        const ret = getObject(arg0).charCodeAt(arg1 >>> 0);
-        return ret;
-    };
     imports.wbg.__wbg_next_88560ec06a094dea = function () {
         return handleError(function (arg0) {
             const ret = getObject(arg0).next();
@@ -2727,12 +2812,6 @@ function getImports() {
         const ret = getObject(arg0).target;
         return isLikeNone(ret) ? 0 : addHeapObject(ret);
     };
-    imports.wbg.__wbg_error_f64b8d41ed4d2fdc = function () {
-        return handleError(function (arg0) {
-            const ret = getObject(arg0).error;
-            return isLikeNone(ret) ? 0 : addHeapObject(ret);
-        }, arguments);
-    };
     imports.wbg.__wbg_result_3a1fef332bc47038 = function () {
         return handleError(function (arg0) {
             const ret = getObject(arg0).result;
@@ -2773,6 +2852,12 @@ function getImports() {
             getObject(arg0).deleteObjectStore(getStringFromWasm0(arg1, arg2));
         }, arguments);
     };
+    imports.wbg.__wbg_error_f64b8d41ed4d2fdc = function () {
+        return handleError(function (arg0) {
+            const ret = getObject(arg0).error;
+            return isLikeNone(ret) ? 0 : addHeapObject(ret);
+        }, arguments);
+    };
     imports.wbg.__wbindgen_is_falsy = function (arg0) {
         const ret = !getObject(arg0);
         return ret;
@@ -2818,29 +2903,6 @@ function getImports() {
         const ret = getObject(arg0).toString();
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_instanceof_Window_e266f02eee43b570 = function (arg0) {
-        let result;
-        try {
-            result = getObject(arg0) instanceof Window;
-        }
-        catch {
-            result = false;
-        }
-        const ret = result;
-        return ret;
-    };
-    imports.wbg.__wbg_crypto_71b946c90b06fb5b = function () {
-        return handleError(function (arg0) {
-            const ret = getObject(arg0).crypto;
-            return addHeapObject(ret);
-        }, arguments);
-    };
-    imports.wbg.__wbg_getRandomValues_2a91ccd2d6c499b0 = function () {
-        return handleError(function (arg0, arg1, arg2) {
-            const ret = getObject(arg0).getRandomValues(getArrayU8FromWasm0(arg1, arg2));
-            return addHeapObject(ret);
-        }, arguments);
-    };
     imports.wbg.__wbg_instanceof_Uint8Array_01cebe79ca606cca = function (arg0) {
         let result;
         try {
@@ -2888,6 +2950,10 @@ function getImports() {
         const ret = getObject(arg0).then(getObject(arg1));
         return addHeapObject(ret);
     };
+    imports.wbg.__wbg_then_f753623316e2873a = function (arg0, arg1, arg2) {
+        const ret = getObject(arg0).then(getObject(arg1), getObject(arg2));
+        return addHeapObject(ret);
+    };
     imports.wbg.__wbg_resolve_fd40f858d9db1a04 = function (arg0) {
         const ret = Promise.resolve(getObject(arg0));
         return addHeapObject(ret);
@@ -2952,12 +3018,12 @@ function getImports() {
             return addHeapObject(ret);
         }, arguments);
     };
-    imports.wbg.__wbindgen_closure_wrapper4324 = function (arg0, arg1, arg2) {
-        const ret = makeMutClosure(arg0, arg1, 145, __wbg_adapter_52);
+    imports.wbg.__wbindgen_closure_wrapper4410 = function (arg0, arg1, arg2) {
+        const ret = makeMutClosure(arg0, arg1, 143, __wbg_adapter_52);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbindgen_closure_wrapper4778 = function (arg0, arg1, arg2) {
-        const ret = makeMutClosure(arg0, arg1, 145, __wbg_adapter_55);
+    imports.wbg.__wbindgen_closure_wrapper4895 = function (arg0, arg1, arg2) {
+        const ret = makeMutClosure(arg0, arg1, 143, __wbg_adapter_55);
         return addHeapObject(ret);
     };
     return imports;
@@ -3011,14 +3077,13 @@ var exports = /*#__PURE__*/Object.freeze({
     PublicGroupStateBundle: PublicGroupStateBundle,
     WirePolicy: WirePolicy$1,
     default: init,
-    initSync: initSync,
-    version: version
+    initSync: initSync
 });
 
 var wasm = async (opt = {}) => {
                 let {importHook, serverPath} = opt;
 
-                let path = "assets/core_crypto_ffi-734d7b2f.wasm";
+                let path = "assets/core_crypto_ffi-49b28313.wasm";
 
                 if (serverPath != null) {
                     path = serverPath + /[^\/\\]*$/.exec(path)[0];
@@ -3034,7 +3099,7 @@ var wasm = async (opt = {}) => {
 
 // Wire
 // Copyright (C) 2022 Wire Swiss GmbH
-var _a, _CoreCrypto_module, _CoreCrypto_cc, _WireE2eIdentity_e2ei;
+var _a, _CoreCrypto_module, _CoreCrypto_cc, _CoreCrypto_assertModuleLoaded, _WireE2eIdentity_e2ei;
 /**
  * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
  *
@@ -3054,7 +3119,7 @@ class CoreCryptoError extends Error {
         this.proteusErrorCode = richError.proteusErrorCode;
     }
     static fallback(msg, ...params) {
-        console.warn("Cannot build CoreCryptoError, falling back to standard Error");
+        console.warn(`Cannot build CoreCryptoError, falling back to standard Error! ctx: ${msg}`);
         // @ts-ignore
         return new Error(msg, ...params);
     }
@@ -3277,6 +3342,26 @@ class CoreCrypto {
     async mlsInit(clientId) {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").mls_init(clientId));
     }
+    /**
+     * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
+     * This method is designed to be used in conjunction with {@link CoreCrypto.mlsInitWithClientID} and represents the first step in this process
+     *
+     * @returns This returns the TLS-serialized identity key (i.e. the signature keypair's public key)
+     */
+    async mlsGenerateKeypair() {
+        return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").mls_generate_keypair());
+    }
+    /**
+     * Updates the current temporary Client ID with the newly provided one. This is the second step in the externally-generated clients process
+     *
+     * Important: This is designed to be called after {@link CoreCrypto.mlsGenerateKeyPair}
+     *
+     * @param clientId - The newly-allocated client ID by the MLS Authentication Service
+     * @param signaturePublicKey - The public key you were given at the first step; This is for authentication purposes
+     */
+    async mlsInitWithClientId(clientId, signaturePublicKey) {
+        return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").mls_init_with_client_id(clientId, signaturePublicKey));
+    }
     /** @hidden */
     constructor(cc) {
         /** @hidden */
@@ -3304,10 +3389,10 @@ class CoreCrypto {
      *
      * @param callbacks - Any interface following the {@link CoreCryptoCallbacks} interface
      */
-    registerCallbacks(callbacks) {
+    async registerCallbacks(callbacks, ctx = null) {
         try {
-            const wasmCallbacks = new (__classPrivateFieldGet(CoreCrypto, _a, "f", _CoreCrypto_module).CoreCryptoWasmCallbacks)(callbacks.authorize, callbacks.userAuthorize, callbacks.clientIsExistingGroupUser);
-            __classPrivateFieldGet(this, _CoreCrypto_cc, "f").set_callbacks(wasmCallbacks);
+            const wasmCallbacks = new (__classPrivateFieldGet(CoreCrypto, _a, "f", _CoreCrypto_module).CoreCryptoWasmCallbacks)(callbacks.authorize, callbacks.userAuthorize, callbacks.clientIsExistingGroupUser, ctx);
+            await __classPrivateFieldGet(this, _CoreCrypto_cc, "f").set_callbacks(wasmCallbacks);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -3385,6 +3470,9 @@ class CoreCrypto {
      * @returns a {@link DecryptedMessage}. Note that {@link DecryptedMessage#message} is `undefined` when the encrypted payload contains a system message such a proposal or commit
      */
     async decryptMessage(conversationId, payload) {
+        if (!payload?.length) {
+            throw new Error("decryptMessage payload is empty or null");
+        }
         try {
             const ffiDecryptedMessage = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").decrypt_message(conversationId, payload));
             const commitDelay = ffiDecryptedMessage.commit_delay ?
@@ -3865,11 +3953,26 @@ class CoreCrypto {
     /**
      * Creates a new prekey with an automatically generated ID..
      *
-     * @returns: A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey
+     * @returns A CBOR-serialized version of the PreKeyBundle corresponding to the newly generated and stored PreKey
      */
     async proteusNewPrekeyAuto() {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").proteus_new_prekey_auto());
     }
+    /**
+     * Proteus last resort prekey stuff
+     *
+     * @returns A CBOR-serialize version of the PreKeyBundle associated with the last resort PreKey (holding the last resort prekey id)
+     */
+    async proteusLastResortPrekey() {
+        return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").proteus_last_resort_prekey());
+    }
+    /**
+     * @returns The last resort PreKey id
+     */
+    static proteusLastResortPrekeyId() {
+        __classPrivateFieldGet(this, _a, "m", _CoreCrypto_assertModuleLoaded).call(this);
+        return __classPrivateFieldGet(this, _a, "f", _CoreCrypto_module).CoreCrypto.proteus_last_resort_prekey_id();
+    }
     /**
      * Proteus public key fingerprint
      * It's basically the public key encoded as an hex string
@@ -3929,13 +4032,16 @@ class CoreCrypto {
     /**
      * Creates an enrollment instance with private key material you can use in order to fetch
      * a new x509 certificate from the acme server.
-     * Make sure to call [WireE2eIdentity::free] (not yet available) to dispose this instance and its associated
+     * Make sure to call {@link WireE2eIdentity.free} to dispose this instance and its associated
      * keying material.
      *
      * @param ciphersuite - For generating signing key material. Only {@link Ciphersuite.MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519} is supported currently
      */
-    async newAcmeEnrollment() {
-        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").new_acme_enrollment(Ciphersuite.MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519));
+    async newAcmeEnrollment(ciphersuite = Ciphersuite.MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519) {
+        if (ciphersuite !== Ciphersuite.MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519) {
+            throw new Error("This ACME ciphersuite isn't supported. Only `Ciphersuite.MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519` is as of now");
+        }
+        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").new_acme_enrollment(ciphersuite));
         return new WireE2eIdentity(e2ei);
     }
     /**
@@ -3944,13 +4050,15 @@ class CoreCrypto {
      * @returns The `core-crypto-ffi` version as defined in its `Cargo.toml` file
      */
     static version() {
-        if (!__classPrivateFieldGet(this, _a, "f", _CoreCrypto_module)) {
-            throw new Error("Internal module hasn't been initialized. Please use `await CoreCrypto.init(params)`!");
-        }
-        return __classPrivateFieldGet(this, _a, "f", _CoreCrypto_module).version();
+        __classPrivateFieldGet(this, _a, "m", _CoreCrypto_assertModuleLoaded).call(this);
+        return __classPrivateFieldGet(this, _a, "f", _CoreCrypto_module).CoreCrypto.version();
     }
 }
-_a = CoreCrypto, _CoreCrypto_cc = new WeakMap();
+_a = CoreCrypto, _CoreCrypto_cc = new WeakMap(), _CoreCrypto_assertModuleLoaded = function _CoreCrypto_assertModuleLoaded() {
+    if (!__classPrivateFieldGet(this, _a, "f", _CoreCrypto_module)) {
+        throw new Error("Internal module hasn't been initialized. Please use `await CoreCrypto.init(params)` or `await CoreCrypto.deferredInit(params)` !");
+    }
+};
 /** @hidden */
 _CoreCrypto_module = { value: void 0 };
 class WireE2eIdentity {
@@ -3960,6 +4068,9 @@ class WireE2eIdentity {
         _WireE2eIdentity_e2ei.set(this, void 0);
         __classPrivateFieldSet(this, _WireE2eIdentity_e2ei, e2ei, "f");
     }
+    free() {
+        __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").free();
+    }
     /**
      * Parses the response from `GET /acme/{provisioner-name}/directory`.
      * Use this {@link AcmeDirectory} in the next step to fetch the first nonce from the acme server. Use
@@ -4008,17 +4119,19 @@ class WireE2eIdentity {
     /**
      * Creates a new acme order for the handle (userId + display name) and the clientId.
      *
-     * @param handle domain of the authorization server e.g. `idp.example.org`
-     * @param clientId domain of the wire-server e.g. `wire.example.org`
+     * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
+     * @param domain DNS name of owning backend e.g. `example.com`
+     * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `impp:wireapp=NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ/6add501bacd1d90e@example.com`
+     * @param handle user handle e.g. `impp:wireapp=alice.smith.qa@example.com`
      * @param expiryDays generated x509 certificate expiry
      * @param directory you got from {@link directoryResponse}
      * @param account you got from {@link newAccountResponse}
      * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
      * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
      */
-    newOrderRequest(handle, clientId, expiryDays, directory, account, previousNonce) {
+    newOrderRequest(displayName, domain, clientId, handle, expiryDays, directory, account, previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_order_request(handle, clientId, expiryDays, directory, account, previousNonce);
+            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_order_request(displayName, domain, clientId, handle, expiryDays, directory, account, previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4098,16 +4211,34 @@ class WireE2eIdentity {
         }
     }
     /**
-     * Creates a new challenge request.
+     * Creates a new challenge request for Wire Dpop challenge.
+     *
+     * @param accessToken returned by wire-server from https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/post_clients__cid__access_token
+     * @param dpopChallenge you found after {@link newAuthzResponse}
+     * @param account you found after {@link newAccountResponse}
+     * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
+     * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+     */
+    newDpopChallengeRequest(accessToken, dpopChallenge, account, previousNonce) {
+        try {
+            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_dpop_challenge_request(accessToken, dpopChallenge, account, previousNonce);
+        }
+        catch (e) {
+            throw CoreCryptoError.fromStdError(e);
+        }
+    }
+    /**
+     * Creates a new challenge request for Wire Oidc challenge.
      *
-     * @param handleChallenge you found after {@link newAuthzResponse}
+     * @param idToken you get back from Identity Provider
+     * @param oidcChallenge you found after {@link newAuthzResponse}
      * @param account you found after {@link newAccountResponse}
      * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
      * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
      */
-    newChallengeRequest(handleChallenge, account, previousNonce) {
+    newOidcChallengeRequest(idToken, oidcChallenge, account, previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_challenge_request(handleChallenge, account, previousNonce);
+            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_oidc_challenge_request(idToken, oidcChallenge, account, previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4160,15 +4291,14 @@ class WireE2eIdentity {
     /**
      * Final step before fetching the certificate.
      *
-     * @param domains - domains you want to generate a certificate for e.g. `["wire.com"]`
      * @param order - order you got from {@link checkOrderResponse}
      * @param account - account you found after {@link newAccountResponse}
      * @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
      * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
      */
-    finalizeRequest(domains, order, account, previousNonce) {
+    finalizeRequest(order, account, previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").finalize_request(domains, order, account, previousNonce);
+            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").finalize_request(order, account, previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);