@wireapp/core-crypto 1.0.0-rc.1 → 1.0.0-rc.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wireapp/core-crypto",
-  "version": "1.0.0-rc.1",
+  "version": "1.0.0-rc.2",
   "description": "CoreCrypto bindings for the Web",
   "type": "module",
   "module": "platforms/web/corecrypto.js",

package/platforms/web/corecrypto.d.ts

@@ -79,6 +79,24 @@ export interface ConversationConfiguration {
 	 * Implementation specific configuration
 	 */
 	custom?: CustomConfiguration;
+	/**
+	 * Trust anchors to be added in the group's context extensions
+	 */
+	perDomainTrustAnchors?: PerDomainTrustAnchor[];
+}
+/**
+ * A wrapper containing the configuration for trust anchors to be added in the group's context
+ * extensions
+ */
+export interface PerDomainTrustAnchor {
+	/**
+	 * Domain name of the owning backend this anchor refers to. One of the certificate in the chain has to have this domain in its SANs
+	 */
+	domain_name: string;
+	/**
+	 * PEM encoded (partial) certificate chain. This contains the certificate chain for the CA certificate issuing the E2E Identity certificates
+	 */
+	intermediate_certificate_chain: string;
 }
 /**
  * see [core_crypto::prelude::MlsWirePolicy]
@@ -690,6 +708,22 @@ export declare class CoreCrypto {
 	 * @returns The encrypted payload for the given group. This needs to be fanned out to the other members of the group.
 	 */
 	encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
+	/**
+	 * Updates the trust anchors for a conversation. This should be called when a federated event happens (new team added/removed).
+	 * Clients should add and/or remove trust anchors from the new backend to the conversation. The method will check
+	 * for duplicated domains and the validity of the certificate chain.
+	 *
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
+	 * epoch, use new encryption secrets etc...
+	 *
+	 * @param conversationId - The ID of the conversation
+	 * @param removeDomainNames - Domains to remove from the trust anchors
+	 * @param addTrustAnchors - New trust anchors to add to the conversation
+	 *
+	 * @returns A {@link CommitBundle}
+	 */
+	update_trust_anchors_from_conversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
 	/**
 	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
@@ -1026,30 +1060,30 @@ export declare class CoreCrypto {
 	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
 	/**
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
-	 * As a consequence, this method does not support changing the ClientId which should remain the same as the Basic one.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
+	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
 	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle user handle e.g. `alice.smith.qa@example.com`
 	 * @param expiryDays generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
 	 * @returns The new {@link WireE2eIdentity} object
 	 */
-	e2eiNewActivationEnrollment(displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
-	 * has been revoked. As a consequence, this method does not support changing neither ClientId which
-	 * should remain the same as the previous one. It lets you change the DisplayName or the handle
+	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
+	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
 	 * @param expiryDays generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
 	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle user handle e.g. `alice.smith.qa@example.com`
 	 * @returns The new {@link WireE2eIdentity} object
 	 */
-	e2eiNewRotateEnrollment(expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
+	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
 	/**
 	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
 	 *

package/platforms/web/corecrypto.js

@@ -39,14 +39,6 @@ const heap = new Array(128).fill(undefined);
 heap.push(undefined, null, true, false);
 function getObject(idx) { return heap[idx]; }
 let heap_next = heap.length;
-function addHeapObject(obj) {
-    if (heap_next === heap.length)
-        heap.push(heap.length + 1);
-    const idx = heap_next;
-    heap_next = heap[idx];
-    heap[idx] = obj;
-    return idx;
-}
 function dropObject(idx) {
     if (idx < 132)
         return;
@@ -58,6 +50,14 @@ function takeObject(idx) {
     dropObject(idx);
     return ret;
 }
+function addHeapObject(obj) {
+    if (heap_next === heap.length)
+        heap.push(heap.length + 1);
+    const idx = heap_next;
+    heap_next = heap[idx];
+    heap[idx] = obj;
+    return idx;
+}
 const cachedTextDecoder = (typeof TextDecoder !== 'undefined' ? new TextDecoder('utf-8', { ignoreBOM: true, fatal: true }) : { decode: () => { throw Error('TextDecoder not available'); } });
 if (typeof TextDecoder !== 'undefined') {
     cachedTextDecoder.decode();
@@ -234,12 +234,12 @@ function makeMutClosure(arg0, arg1, dtor, f) {
     return real;
 }
 function __wbg_adapter_52(arg0, arg1, arg2) {
-    wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h8d579dd3e9d6cb9a(arg0, arg1, addHeapObject(arg2));
+    wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h79cafe3df8446843(arg0, arg1, addHeapObject(arg2));
 }
 function __wbg_adapter_55(arg0, arg1, arg2) {
     try {
         const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-        wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h746b8b0ddaf8393e(retptr, arg0, arg1, addHeapObject(arg2));
+        wasm$1.wasm_bindgen__convert__closures__invoke1_mut__he1696d119fd3caab(retptr, arg0, arg1, addHeapObject(arg2));
         var r0 = getInt32Memory0()[retptr / 4 + 0];
         var r1 = getInt32Memory0()[retptr / 4 + 1];
         if (r1) {
@@ -313,8 +313,8 @@ function handleError(f, args) {
         wasm$1.__wbindgen_exn_store(addHeapObject(e));
     }
 }
-function __wbg_adapter_296(arg0, arg1, arg2, arg3) {
-    wasm$1.wasm_bindgen__convert__closures__invoke2_mut__h80912c0a9461abcd(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
+function __wbg_adapter_298(arg0, arg1, arg2, arg3) {
+    wasm$1.wasm_bindgen__convert__closures__invoke2_mut__h2ada45b9b70febc7(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 }
 /**
 * see [core_crypto::prelude::MlsWirePolicy]
@@ -617,12 +617,25 @@ class ConversationConfiguration {
     * @param {(Uint8Array)[] | undefined} external_senders
     * @param {number | undefined} key_rotation_span
     * @param {number | undefined} wire_policy
+    * @param {Array<any>} per_domain_trust_anchors
     */
-    constructor(ciphersuite, external_senders, key_rotation_span, wire_policy) {
-        var ptr0 = isLikeNone(external_senders) ? 0 : passArrayJsValueToWasm0(external_senders, wasm$1.__wbindgen_malloc);
-        var len0 = WASM_VECTOR_LEN;
-        const ret = wasm$1.conversationconfiguration_new(isLikeNone(ciphersuite) ? 8 : ciphersuite, ptr0, len0, !isLikeNone(key_rotation_span), isLikeNone(key_rotation_span) ? 0 : key_rotation_span, isLikeNone(wire_policy) ? 3 : wire_policy);
-        return ConversationConfiguration.__wrap(ret);
+    constructor(ciphersuite, external_senders, key_rotation_span, wire_policy, per_domain_trust_anchors) {
+        try {
+            const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
+            var ptr0 = isLikeNone(external_senders) ? 0 : passArrayJsValueToWasm0(external_senders, wasm$1.__wbindgen_malloc);
+            var len0 = WASM_VECTOR_LEN;
+            wasm$1.conversationconfiguration_new(retptr, isLikeNone(ciphersuite) ? 8 : ciphersuite, ptr0, len0, !isLikeNone(key_rotation_span), isLikeNone(key_rotation_span) ? 0 : key_rotation_span, isLikeNone(wire_policy) ? 3 : wire_policy, addHeapObject(per_domain_trust_anchors));
+            var r0 = getInt32Memory0()[retptr / 4 + 0];
+            var r1 = getInt32Memory0()[retptr / 4 + 1];
+            var r2 = getInt32Memory0()[retptr / 4 + 2];
+            if (r2) {
+                throw takeObject(r1);
+            }
+            return ConversationConfiguration.__wrap(r0);
+        }
+        finally {
+            wasm$1.__wbindgen_add_to_stack_pointer(16);
+        }
     }
 }
 /**
@@ -702,36 +715,42 @@ let CoreCrypto$1 = class CoreCrypto {
     * Returns: [`WasmCryptoResult<WireE2eIdentity>`]
     *
     * see [core_crypto::mls::MlsCentral::e2ei_new_activation_enrollment]
+    * @param {string} client_id
     * @param {string} display_name
     * @param {string} handle
     * @param {number} expiry_days
     * @param {number} ciphersuite
     * @returns {Promise<any>}
     */
-    e2ei_new_activation_enrollment(display_name, handle, expiry_days, ciphersuite) {
-        const ptr0 = passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+    e2ei_new_activation_enrollment(client_id, display_name, handle, expiry_days, ciphersuite) {
+        const ptr0 = passStringToWasm0(client_id, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const ptr1 = passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
         const len1 = WASM_VECTOR_LEN;
-        const ret = wasm$1.corecrypto_e2ei_new_activation_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, expiry_days, ciphersuite);
+        const ptr2 = passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const len2 = WASM_VECTOR_LEN;
+        const ret = wasm$1.corecrypto_e2ei_new_activation_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, expiry_days, ciphersuite);
         return takeObject(ret);
     }
     /**
     * Returns: [`WasmCryptoResult<WireE2eIdentity>`]
     *
     * see [core_crypto::mls::MlsCentral::e2ei_new_rotate_enrollment]
+    * @param {string} client_id
     * @param {string | undefined} display_name
     * @param {string | undefined} handle
     * @param {number} expiry_days
     * @param {number} ciphersuite
     * @returns {Promise<any>}
     */
-    e2ei_new_rotate_enrollment(display_name, handle, expiry_days, ciphersuite) {
-        var ptr0 = isLikeNone(display_name) ? 0 : passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
-        var len0 = WASM_VECTOR_LEN;
-        var ptr1 = isLikeNone(handle) ? 0 : passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+    e2ei_new_rotate_enrollment(client_id, display_name, handle, expiry_days, ciphersuite) {
+        const ptr0 = passStringToWasm0(client_id, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        var ptr1 = isLikeNone(display_name) ? 0 : passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
         var len1 = WASM_VECTOR_LEN;
-        const ret = wasm$1.corecrypto_e2ei_new_rotate_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, expiry_days, ciphersuite);
+        var ptr2 = isLikeNone(handle) ? 0 : passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        var len2 = WASM_VECTOR_LEN;
+        const ret = wasm$1.corecrypto_e2ei_new_rotate_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, expiry_days, ciphersuite);
         return takeObject(ret);
     }
     /**
@@ -1177,6 +1196,23 @@ let CoreCrypto$1 = class CoreCrypto {
         return takeObject(ret);
     }
     /**
+    * Returns: [`WasmCryptoResult<CommitBundle>`]
+    *
+    * see [core_crypto::mls::MlsCentral::update_trust_anchors_from_conversation]
+    * @param {Uint8Array} conversation_id
+    * @param {(string)[]} remove_domain_names
+    * @param {Array<any>} add_trust_anchors
+    * @returns {Promise<any>}
+    */
+    update_trust_anchors_from_conversation(conversation_id, remove_domain_names, add_trust_anchors) {
+        const ptr0 = passArray8ToWasm0(conversation_id, wasm$1.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passArrayJsValueToWasm0(remove_domain_names, wasm$1.__wbindgen_malloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm$1.corecrypto_update_trust_anchors_from_conversation(this.__wbg_ptr, ptr0, len0, ptr1, len1, addHeapObject(add_trust_anchors));
+        return takeObject(ret);
+    }
+    /**
     * Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
     *
     * see [core_crypto::mls::MlsCentral::new_proposal]
@@ -2436,6 +2472,37 @@ class NewAcmeOrder {
 }
 /**
 */
+class PerDomainTrustAnchor {
+    static __wrap(ptr) {
+        ptr = ptr >>> 0;
+        const obj = Object.create(PerDomainTrustAnchor.prototype);
+        obj.__wbg_ptr = ptr;
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm$1.__wbg_perdomaintrustanchor_free(ptr);
+    }
+    /**
+    * @param {string} domain_name
+    * @param {string} intermediate_certificate_chain
+    */
+    constructor(domain_name, intermediate_certificate_chain) {
+        const ptr0 = passStringToWasm0(domain_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(intermediate_certificate_chain, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm$1.perdomaintrustanchor_new(ptr0, len0, ptr1, len1);
+        return PerDomainTrustAnchor.__wrap(ret);
+    }
+}
+/**
+*/
 class ProposalBundle {
     static __wrap(ptr) {
         ptr = ptr >>> 0;
@@ -2727,6 +2794,9 @@ async function __wbg_load(module, imports) {
 function __wbg_get_imports() {
     const imports = {};
     imports.wbg = {};
+    imports.wbg.__wbindgen_object_drop_ref = function (arg0) {
+        takeObject(arg0);
+    };
     imports.wbg.__wbindgen_object_clone_ref = function (arg0) {
         const ret = getObject(arg0);
         return addHeapObject(ret);
@@ -2736,9 +2806,6 @@ function __wbg_get_imports() {
         const ret = typeof (val) === 'object' && val !== null;
         return ret;
     };
-    imports.wbg.__wbindgen_object_drop_ref = function (arg0) {
-        takeObject(arg0);
-    };
     imports.wbg.__wbg_getwithrefkey_5e6d9547403deab8 = function (arg0, arg1) {
         const ret = getObject(arg0)[getObject(arg1)];
         return addHeapObject(ret);
@@ -2791,6 +2858,10 @@ function __wbg_get_imports() {
         const ret = getObject(arg0).length;
         return ret;
     };
+    imports.wbg.__wbg_new_b51585de1b234aff = function () {
+        const ret = new Object();
+        return addHeapObject(ret);
+    };
     imports.wbg.__wbg_call_01734de55d61e11d = function () {
         return handleError(function (arg0, arg1, arg2) {
             const ret = getObject(arg0).call(getObject(arg1), getObject(arg2));
@@ -2813,23 +2884,19 @@ function __wbg_get_imports() {
         const ret = FfiWireE2EIdentity.__wrap(arg0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_proteusautoprekeybundle_new = function (arg0) {
-        const ret = ProteusAutoPrekeyBundle.__wrap(arg0);
-        return addHeapObject(ret);
-    };
-    imports.wbg.__wbg_new_b51585de1b234aff = function () {
-        const ret = new Object();
+    imports.wbg.__wbindgen_number_new = function (arg0) {
+        const ret = arg0;
         return addHeapObject(ret);
     };
     imports.wbg.__wbg_set_502d29070ea18557 = function (arg0, arg1, arg2) {
         getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
     };
-    imports.wbg.__wbindgen_bigint_from_u64 = function (arg0) {
-        const ret = BigInt.asUintN(64, arg0);
+    imports.wbg.__wbg_proteusautoprekeybundle_new = function (arg0) {
+        const ret = ProteusAutoPrekeyBundle.__wrap(arg0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbindgen_number_new = function (arg0) {
-        const ret = arg0;
+    imports.wbg.__wbindgen_bigint_from_u64 = function (arg0) {
+        const ret = BigInt.asUintN(64, arg0);
         return addHeapObject(ret);
     };
     imports.wbg.__wbg_new_56693dbed0c32988 = function () {
@@ -2966,7 +3033,7 @@ function __wbg_get_imports() {
                 const a = state0.a;
                 state0.a = 0;
                 try {
-                    return __wbg_adapter_296(a, state0.b, arg0, arg1);
+                    return __wbg_adapter_298(a, state0.b, arg0, arg1);
                 }
                 finally {
                     state0.a = a;
@@ -3241,6 +3308,12 @@ function __wbg_get_imports() {
         const ret = getObject(arg0).target;
         return isLikeNone(ret) ? 0 : addHeapObject(ret);
     };
+    imports.wbg.__wbg_error_8a79f35fe9368563 = function () {
+        return handleError(function (arg0) {
+            const ret = getObject(arg0).error;
+            return isLikeNone(ret) ? 0 : addHeapObject(ret);
+        }, arguments);
+    };
     imports.wbg.__wbg_result_edff16ff107d6acb = function () {
         return handleError(function (arg0) {
             const ret = getObject(arg0).result;
@@ -3281,12 +3354,6 @@ function __wbg_get_imports() {
             getObject(arg0).deleteObjectStore(getStringFromWasm0(arg1, arg2));
         }, arguments);
     };
-    imports.wbg.__wbg_error_8a79f35fe9368563 = function () {
-        return handleError(function (arg0) {
-            const ret = getObject(arg0).error;
-            return isLikeNone(ret) ? 0 : addHeapObject(ret);
-        }, arguments);
-    };
     imports.wbg.__wbindgen_is_falsy = function (arg0) {
         const ret = !getObject(arg0);
         return ret;
@@ -3415,12 +3482,12 @@ function __wbg_get_imports() {
             return addHeapObject(ret);
         }, arguments);
     };
-    imports.wbg.__wbindgen_closure_wrapper1977 = function (arg0, arg1, arg2) {
-        const ret = makeMutClosure(arg0, arg1, 166, __wbg_adapter_52);
+    imports.wbg.__wbindgen_closure_wrapper1985 = function (arg0, arg1, arg2) {
+        const ret = makeMutClosure(arg0, arg1, 168, __wbg_adapter_52);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbindgen_closure_wrapper4646 = function (arg0, arg1, arg2) {
-        const ret = makeMutClosure(arg0, arg1, 166, __wbg_adapter_55);
+    imports.wbg.__wbindgen_closure_wrapper4701 = function (arg0, arg1, arg2) {
+        const ret = makeMutClosure(arg0, arg1, 168, __wbg_adapter_55);
         return addHeapObject(ret);
     };
     return imports;
@@ -3476,6 +3543,7 @@ var exports = /*#__PURE__*/Object.freeze({
     MemberAddedMessages: MemberAddedMessages,
     NewAcmeAuthz: NewAcmeAuthz,
     NewAcmeOrder: NewAcmeOrder,
+    PerDomainTrustAnchor: PerDomainTrustAnchor,
     ProposalBundle: ProposalBundle,
     ProteusAutoPrekeyBundle: ProteusAutoPrekeyBundle,
     RotateBundle: RotateBundle,
@@ -3488,7 +3556,7 @@ var exports = /*#__PURE__*/Object.freeze({
 var wasm = async (opt = {}) => {
                 let {importHook, serverPath} = opt;
 
-                let path = "assets/core_crypto_ffi-ca75d34d.wasm";
+                let path = "assets/core_crypto_ffi-b7eb1191.wasm";
 
                 if (serverPath != null) {
                     path = serverPath + /[^\/\\]*$/.exec(path)[0];
@@ -3896,8 +3964,8 @@ class CoreCrypto {
      */
     async createConversation(conversationId, creatorCredentialType, configuration = {}) {
         try {
-            const { ciphersuite, externalSenders, custom = {} } = configuration || {};
-            const config = new (__classPrivateFieldGet(CoreCrypto, _a, "f", _CoreCrypto_module).ConversationConfiguration)(ciphersuite, externalSenders, custom?.keyRotationSpan);
+            const { ciphersuite, externalSenders, custom = {}, perDomainTrustAnchors = [] } = configuration || {};
+            const config = new (__classPrivateFieldGet(CoreCrypto, _a, "f", _CoreCrypto_module).ConversationConfiguration)(ciphersuite, externalSenders, custom?.keyRotationSpan, custom?.wirePolicy, perDomainTrustAnchors);
             const ret = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").create_conversation(conversationId, creatorCredentialType, config));
             return ret;
         }
@@ -3949,6 +4017,40 @@ class CoreCrypto {
     async encryptMessage(conversationId, message) {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").encrypt_message(conversationId, message));
     }
+    /**
+     * Updates the trust anchors for a conversation. This should be called when a federated event happens (new team added/removed).
+     * Clients should add and/or remove trust anchors from the new backend to the conversation. The method will check
+     * for duplicated domains and the validity of the certificate chain.
+     *
+     * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+     * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
+     * epoch, use new encryption secrets etc...
+     *
+     * @param conversationId - The ID of the conversation
+     * @param removeDomainNames - Domains to remove from the trust anchors
+     * @param addTrustAnchors - New trust anchors to add to the conversation
+     *
+     * @returns A {@link CommitBundle}
+     */
+    async update_trust_anchors_from_conversation(conversationId, removeDomainNames, addTrustAnchors) {
+        try {
+            const ffiRet = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").update_trust_anchors_from_conversation(conversationId, removeDomainNames, addTrustAnchors));
+            const gi = ffiRet.group_info;
+            const ret = {
+                welcome: ffiRet.welcome,
+                commit: ffiRet.commit,
+                groupInfo: {
+                    encryptionType: gi.encryption_type,
+                    ratchetTreeType: gi.ratchet_tree_type,
+                    payload: gi.payload
+                },
+            };
+            return ret;
+        }
+        catch (e) {
+            throw CoreCryptoError.fromStdError(e);
+        }
+    }
     /**
      * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
      *
@@ -4495,34 +4597,34 @@ class CoreCrypto {
     }
     /**
      * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
-     * As a consequence, this method does not support changing the ClientId which should remain the same as the Basic one.
      * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
      *
+     * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
      * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
      * @param handle user handle e.g. `alice.smith.qa@example.com`
      * @param expiryDays generated x509 certificate expiry
      * @param ciphersuite - for generating signing key material
      * @returns The new {@link WireE2eIdentity} object
      */
-    async e2eiNewActivationEnrollment(displayName, handle, expiryDays, ciphersuite) {
-        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_activation_enrollment(displayName, handle, expiryDays, ciphersuite));
+    async e2eiNewActivationEnrollment(clientId, displayName, handle, expiryDays, ciphersuite) {
+        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_activation_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
         return new WireE2eIdentity(e2ei);
     }
     /**
      * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
      * having to change/rotate their credential, either because the former one is expired or it
-     * has been revoked. As a consequence, this method does not support changing neither ClientId which
-     * should remain the same as the previous one. It lets you change the DisplayName or the handle
+     * has been revoked. It lets you change the DisplayName or the handle
      * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
      *
+     * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
      * @param expiryDays generated x509 certificate expiry
      * @param ciphersuite - for generating signing key material
      * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
      * @param handle user handle e.g. `alice.smith.qa@example.com`
      * @returns The new {@link WireE2eIdentity} object
      */
-    async e2eiNewRotateEnrollment(expiryDays, ciphersuite, displayName, handle) {
-        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_rotate_enrollment(displayName, handle, expiryDays, ciphersuite));
+    async e2eiNewRotateEnrollment(clientId, expiryDays, ciphersuite, displayName, handle) {
+        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_rotate_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
         return new WireE2eIdentity(e2ei);
     }
     /**