@wireapp/core-crypto 1.0.0-rc.1 → 1.0.0-rc.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wireapp/core-crypto",
-  "version": "1.0.0-rc.1",
+  "version": "1.0.0-rc.5",
   "description": "CoreCrypto bindings for the Web",
   "type": "module",
   "module": "platforms/web/corecrypto.js",

package/platforms/web/corecrypto.d.ts

@@ -79,6 +79,24 @@ export interface ConversationConfiguration {
 	 * Implementation specific configuration
 	 */
 	custom?: CustomConfiguration;
+	/**
+	 * Trust anchors to be added in the group's context extensions
+	 */
+	perDomainTrustAnchors?: PerDomainTrustAnchor[];
+}
+/**
+ * A wrapper containing the configuration for trust anchors to be added in the group's context
+ * extensions
+ */
+export interface PerDomainTrustAnchor {
+	/**
+	 * Domain name of the owning backend this anchor refers to. One of the certificate in the chain has to have this domain in its SANs
+	 */
+	domain_name: string;
+	/**
+	 * PEM encoded (partial) certificate chain. This contains the certificate chain for the CA certificate issuing the E2E Identity certificates
+	 */
+	intermediate_certificate_chain: string;
 }
 /**
  * see [core_crypto::prelude::MlsWirePolicy]
@@ -690,6 +708,22 @@ export declare class CoreCrypto {
 	 * @returns The encrypted payload for the given group. This needs to be fanned out to the other members of the group.
 	 */
 	encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
+	/**
+	 * Updates the trust anchors for a conversation. This should be called when a federated event happens (new team added/removed).
+	 * Clients should add and/or remove trust anchors from the new backend to the conversation. The method will check
+	 * for duplicated domains and the validity of the certificate chain.
+	 *
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
+	 * epoch, use new encryption secrets etc...
+	 *
+	 * @param conversationId - The ID of the conversation
+	 * @param removeDomainNames - Domains to remove from the trust anchors
+	 * @param addTrustAnchors - New trust anchors to add to the conversation
+	 *
+	 * @returns A {@link CommitBundle}
+	 */
+	update_trust_anchors_from_conversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
 	/**
 	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
@@ -1026,30 +1060,30 @@ export declare class CoreCrypto {
 	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
 	/**
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
-	 * As a consequence, this method does not support changing the ClientId which should remain the same as the Basic one.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
+	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
 	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle user handle e.g. `alice.smith.qa@example.com`
 	 * @param expiryDays generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
 	 * @returns The new {@link WireE2eIdentity} object
 	 */
-	e2eiNewActivationEnrollment(displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
-	 * has been revoked. As a consequence, this method does not support changing neither ClientId which
-	 * should remain the same as the previous one. It lets you change the DisplayName or the handle
+	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
+	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
 	 * @param expiryDays generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
 	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle user handle e.g. `alice.smith.qa@example.com`
 	 * @returns The new {@link WireE2eIdentity} object
 	 */
-	e2eiNewRotateEnrollment(expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
+	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
 	/**
 	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
 	 *
@@ -1087,9 +1121,16 @@ export declare class CoreCrypto {
 	 * Credential generated by Wire's end-to-end identity enrollment
 	 *
 	 * @param conversationId The group's ID
-	 * @returns true if all the members have valid X509 credentials
+	 * @returns the conversation state given current members
 	 */
-	e2eiIsDegraded(conversationId: ConversationId): Promise<boolean>;
+	e2eiConversationState(conversationId: ConversationId): Promise<E2eiConversationState>;
+	/**
+	 * Returns true when end-to-end-identity is enabled for the given Ciphersuite
+	 *
+	 * @param ciphersuite of the credential to check
+	 * @returns true end-to-end identity is enabled for the given ciphersuite
+	 */
+	e2eiIsEnabled(ciphersuite: Ciphersuite): Promise<boolean>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -1325,5 +1366,24 @@ export interface AcmeChallenge {
 	 */
 	target: string;
 }
+/**
+ * Indicates the state of a Conversation regarding end-to-end identity.
+ * Note: this does not check pending state (pending commit, pending proposals) so it does not
+ * consider members about to be added/removed
+ */
+export declare enum E2eiConversationState {
+	/**
+	 * All clients have a valid E2EI certificate
+	 */
+	Verified = 1,
+	/**
+	 * Some clients are either still Basic or their certificate is expired
+	 */
+	Degraded = 2,
+	/**
+	 * All clients are still Basic. If all client have expired certificates, Degraded is returned.
+	 */
+	NotEnabled = 3
+}
 
 export {};

package/platforms/web/corecrypto.js

@@ -39,14 +39,6 @@ const heap = new Array(128).fill(undefined);
 heap.push(undefined, null, true, false);
 function getObject(idx) { return heap[idx]; }
 let heap_next = heap.length;
-function addHeapObject(obj) {
-    if (heap_next === heap.length)
-        heap.push(heap.length + 1);
-    const idx = heap_next;
-    heap_next = heap[idx];
-    heap[idx] = obj;
-    return idx;
-}
 function dropObject(idx) {
     if (idx < 132)
         return;
@@ -58,6 +50,14 @@ function takeObject(idx) {
     dropObject(idx);
     return ret;
 }
+function addHeapObject(obj) {
+    if (heap_next === heap.length)
+        heap.push(heap.length + 1);
+    const idx = heap_next;
+    heap_next = heap[idx];
+    heap[idx] = obj;
+    return idx;
+}
 const cachedTextDecoder = (typeof TextDecoder !== 'undefined' ? new TextDecoder('utf-8', { ignoreBOM: true, fatal: true }) : { decode: () => { throw Error('TextDecoder not available'); } });
 if (typeof TextDecoder !== 'undefined') {
     cachedTextDecoder.decode();
@@ -234,12 +234,12 @@ function makeMutClosure(arg0, arg1, dtor, f) {
     return real;
 }
 function __wbg_adapter_52(arg0, arg1, arg2) {
-    wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h8d579dd3e9d6cb9a(arg0, arg1, addHeapObject(arg2));
+    wasm$1.wasm_bindgen__convert__closures__invoke1_mut__hb865a4e905934256(arg0, arg1, addHeapObject(arg2));
 }
 function __wbg_adapter_55(arg0, arg1, arg2) {
     try {
         const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-        wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h746b8b0ddaf8393e(retptr, arg0, arg1, addHeapObject(arg2));
+        wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h2720c46d5ff6c929(retptr, arg0, arg1, addHeapObject(arg2));
         var r0 = getInt32Memory0()[retptr / 4 + 0];
         var r1 = getInt32Memory0()[retptr / 4 + 1];
         if (r1) {
@@ -313,8 +313,8 @@ function handleError(f, args) {
         wasm$1.__wbindgen_exn_store(addHeapObject(e));
     }
 }
-function __wbg_adapter_296(arg0, arg1, arg2, arg3) {
-    wasm$1.wasm_bindgen__convert__closures__invoke2_mut__h80912c0a9461abcd(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
+function __wbg_adapter_299(arg0, arg1, arg2, arg3) {
+    wasm$1.wasm_bindgen__convert__closures__invoke2_mut__h22687e7c7a9c3c35(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 }
 /**
 * see [core_crypto::prelude::MlsWirePolicy]
@@ -617,12 +617,25 @@ class ConversationConfiguration {
     * @param {(Uint8Array)[] | undefined} external_senders
     * @param {number | undefined} key_rotation_span
     * @param {number | undefined} wire_policy
+    * @param {Array<any>} per_domain_trust_anchors
     */
-    constructor(ciphersuite, external_senders, key_rotation_span, wire_policy) {
-        var ptr0 = isLikeNone(external_senders) ? 0 : passArrayJsValueToWasm0(external_senders, wasm$1.__wbindgen_malloc);
-        var len0 = WASM_VECTOR_LEN;
-        const ret = wasm$1.conversationconfiguration_new(isLikeNone(ciphersuite) ? 8 : ciphersuite, ptr0, len0, !isLikeNone(key_rotation_span), isLikeNone(key_rotation_span) ? 0 : key_rotation_span, isLikeNone(wire_policy) ? 3 : wire_policy);
-        return ConversationConfiguration.__wrap(ret);
+    constructor(ciphersuite, external_senders, key_rotation_span, wire_policy, per_domain_trust_anchors) {
+        try {
+            const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
+            var ptr0 = isLikeNone(external_senders) ? 0 : passArrayJsValueToWasm0(external_senders, wasm$1.__wbindgen_malloc);
+            var len0 = WASM_VECTOR_LEN;
+            wasm$1.conversationconfiguration_new(retptr, isLikeNone(ciphersuite) ? 8 : ciphersuite, ptr0, len0, !isLikeNone(key_rotation_span), isLikeNone(key_rotation_span) ? 0 : key_rotation_span, isLikeNone(wire_policy) ? 3 : wire_policy, addHeapObject(per_domain_trust_anchors));
+            var r0 = getInt32Memory0()[retptr / 4 + 0];
+            var r1 = getInt32Memory0()[retptr / 4 + 1];
+            var r2 = getInt32Memory0()[retptr / 4 + 2];
+            if (r2) {
+                throw takeObject(r1);
+            }
+            return ConversationConfiguration.__wrap(r0);
+        }
+        finally {
+            wasm$1.__wbindgen_add_to_stack_pointer(16);
+        }
     }
 }
 /**
@@ -702,36 +715,42 @@ let CoreCrypto$1 = class CoreCrypto {
     * Returns: [`WasmCryptoResult<WireE2eIdentity>`]
     *
     * see [core_crypto::mls::MlsCentral::e2ei_new_activation_enrollment]
+    * @param {string} client_id
     * @param {string} display_name
     * @param {string} handle
     * @param {number} expiry_days
     * @param {number} ciphersuite
     * @returns {Promise<any>}
     */
-    e2ei_new_activation_enrollment(display_name, handle, expiry_days, ciphersuite) {
-        const ptr0 = passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+    e2ei_new_activation_enrollment(client_id, display_name, handle, expiry_days, ciphersuite) {
+        const ptr0 = passStringToWasm0(client_id, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const ptr1 = passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
         const len1 = WASM_VECTOR_LEN;
-        const ret = wasm$1.corecrypto_e2ei_new_activation_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, expiry_days, ciphersuite);
+        const ptr2 = passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const len2 = WASM_VECTOR_LEN;
+        const ret = wasm$1.corecrypto_e2ei_new_activation_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, expiry_days, ciphersuite);
         return takeObject(ret);
     }
     /**
     * Returns: [`WasmCryptoResult<WireE2eIdentity>`]
     *
     * see [core_crypto::mls::MlsCentral::e2ei_new_rotate_enrollment]
+    * @param {string} client_id
     * @param {string | undefined} display_name
     * @param {string | undefined} handle
     * @param {number} expiry_days
     * @param {number} ciphersuite
     * @returns {Promise<any>}
     */
-    e2ei_new_rotate_enrollment(display_name, handle, expiry_days, ciphersuite) {
-        var ptr0 = isLikeNone(display_name) ? 0 : passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
-        var len0 = WASM_VECTOR_LEN;
-        var ptr1 = isLikeNone(handle) ? 0 : passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+    e2ei_new_rotate_enrollment(client_id, display_name, handle, expiry_days, ciphersuite) {
+        const ptr0 = passStringToWasm0(client_id, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        var ptr1 = isLikeNone(display_name) ? 0 : passStringToWasm0(display_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
         var len1 = WASM_VECTOR_LEN;
-        const ret = wasm$1.corecrypto_e2ei_new_rotate_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, expiry_days, ciphersuite);
+        var ptr2 = isLikeNone(handle) ? 0 : passStringToWasm0(handle, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        var len2 = WASM_VECTOR_LEN;
+        const ret = wasm$1.corecrypto_e2ei_new_rotate_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, expiry_days, ciphersuite);
         return takeObject(ret);
     }
     /**
@@ -788,14 +807,25 @@ let CoreCrypto$1 = class CoreCrypto {
     /**
     * Returns [`WasmCryptoResult<bool>`]
     *
-    * see [core_crypto::mls::MlsCentral::e2ei_is_degraded]
+    * see [core_crypto::mls::MlsCentral::e2ei_conversation_state]
     * @param {Uint8Array} conversation_id
     * @returns {Promise<any>}
     */
-    e2ei_is_degraded(conversation_id) {
+    e2ei_conversation_state(conversation_id) {
         const ptr0 = passArray8ToWasm0(conversation_id, wasm$1.__wbindgen_malloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm$1.corecrypto_e2ei_is_degraded(this.__wbg_ptr, ptr0, len0);
+        const ret = wasm$1.corecrypto_e2ei_conversation_state(this.__wbg_ptr, ptr0, len0);
+        return takeObject(ret);
+    }
+    /**
+    * Returns [`WasmCryptoResult<bool>`]
+    *
+    * see [core_crypto::mls::MlsCentral::e2ei_is_enabled]
+    * @param {number} ciphersuite
+    * @returns {Promise<any>}
+    */
+    e2ei_is_enabled(ciphersuite) {
+        const ret = wasm$1.corecrypto_e2ei_is_enabled(this.__wbg_ptr, ciphersuite);
         return takeObject(ret);
     }
     /**
@@ -1177,9 +1207,26 @@ let CoreCrypto$1 = class CoreCrypto {
         return takeObject(ret);
     }
     /**
+    * Returns: [`WasmCryptoResult<CommitBundle>`]
+    *
+    * see [core_crypto::mls::MlsCentral::update_trust_anchors_from_conversation]
+    * @param {Uint8Array} conversation_id
+    * @param {(string)[]} remove_domain_names
+    * @param {Array<any>} add_trust_anchors
+    * @returns {Promise<any>}
+    */
+    update_trust_anchors_from_conversation(conversation_id, remove_domain_names, add_trust_anchors) {
+        const ptr0 = passArray8ToWasm0(conversation_id, wasm$1.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passArrayJsValueToWasm0(remove_domain_names, wasm$1.__wbindgen_malloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm$1.corecrypto_update_trust_anchors_from_conversation(this.__wbg_ptr, ptr0, len0, ptr1, len1, addHeapObject(add_trust_anchors));
+        return takeObject(ret);
+    }
+    /**
     * Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
     *
-    * see [core_crypto::mls::MlsCentral::new_proposal]
+    * see [core_crypto::mls::MlsCentral::new_add_proposal]
     * @param {Uint8Array} conversation_id
     * @param {Uint8Array} keypackage
     * @returns {Promise<any>}
@@ -1195,7 +1242,7 @@ let CoreCrypto$1 = class CoreCrypto {
     /**
     * Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
     *
-    * see [core_crypto::mls::MlsCentral::new_proposal]
+    * see [core_crypto::mls::MlsCentral::new_update_proposal]
     * @param {Uint8Array} conversation_id
     * @returns {Promise<any>}
     */
@@ -1208,7 +1255,7 @@ let CoreCrypto$1 = class CoreCrypto {
     /**
     * Returns: [`WasmCryptoResult<js_sys::Uint8Array>`]
     *
-    * see [core_crypto::mls::MlsCentral::new_proposal]
+    * see [core_crypto::mls::MlsCentral::new_remove_proposal]
     * @param {Uint8Array} conversation_id
     * @param {Uint8Array} client_id
     * @returns {Promise<any>}
@@ -2436,6 +2483,37 @@ class NewAcmeOrder {
 }
 /**
 */
+class PerDomainTrustAnchor {
+    static __wrap(ptr) {
+        ptr = ptr >>> 0;
+        const obj = Object.create(PerDomainTrustAnchor.prototype);
+        obj.__wbg_ptr = ptr;
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm$1.__wbg_perdomaintrustanchor_free(ptr);
+    }
+    /**
+    * @param {string} domain_name
+    * @param {string} intermediate_certificate_chain
+    */
+    constructor(domain_name, intermediate_certificate_chain) {
+        const ptr0 = passStringToWasm0(domain_name, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(intermediate_certificate_chain, wasm$1.__wbindgen_malloc, wasm$1.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm$1.perdomaintrustanchor_new(ptr0, len0, ptr1, len1);
+        return PerDomainTrustAnchor.__wrap(ret);
+    }
+}
+/**
+*/
 class ProposalBundle {
     static __wrap(ptr) {
         ptr = ptr >>> 0;
@@ -2727,6 +2805,9 @@ async function __wbg_load(module, imports) {
 function __wbg_get_imports() {
     const imports = {};
     imports.wbg = {};
+    imports.wbg.__wbindgen_object_drop_ref = function (arg0) {
+        takeObject(arg0);
+    };
     imports.wbg.__wbindgen_object_clone_ref = function (arg0) {
         const ret = getObject(arg0);
         return addHeapObject(ret);
@@ -2736,9 +2817,6 @@ function __wbg_get_imports() {
         const ret = typeof (val) === 'object' && val !== null;
         return ret;
     };
-    imports.wbg.__wbindgen_object_drop_ref = function (arg0) {
-        takeObject(arg0);
-    };
     imports.wbg.__wbg_getwithrefkey_5e6d9547403deab8 = function (arg0, arg1) {
         const ret = getObject(arg0)[getObject(arg1)];
         return addHeapObject(ret);
@@ -2797,41 +2875,41 @@ function __wbg_get_imports() {
             return addHeapObject(ret);
         }, arguments);
     };
-    imports.wbg.__wbg_new_8125e318e6245eed = function (arg0) {
-        const ret = new Uint8Array(getObject(arg0));
+    imports.wbg.__wbindgen_number_new = function (arg0) {
+        const ret = arg0;
         return addHeapObject(ret);
     };
     imports.wbg.__wbg_new_898a68150f225f2e = function () {
         const ret = new Array();
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_push_ca1c26067ef907ac = function (arg0, arg1) {
-        const ret = getObject(arg0).push(getObject(arg1));
-        return ret;
+    imports.wbg.__wbg_set_502d29070ea18557 = function (arg0, arg1, arg2) {
+        getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
     };
-    imports.wbg.__wbg_ffiwiree2eidentity_new = function (arg0) {
-        const ret = FfiWireE2EIdentity.__wrap(arg0);
+    imports.wbg.__wbg_new_8125e318e6245eed = function (arg0) {
+        const ret = new Uint8Array(getObject(arg0));
+        return addHeapObject(ret);
+    };
+    imports.wbg.__wbg_new_b51585de1b234aff = function () {
+        const ret = new Object();
         return addHeapObject(ret);
     };
     imports.wbg.__wbg_proteusautoprekeybundle_new = function (arg0) {
         const ret = ProteusAutoPrekeyBundle.__wrap(arg0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_new_b51585de1b234aff = function () {
-        const ret = new Object();
-        return addHeapObject(ret);
+    imports.wbg.__wbg_push_ca1c26067ef907ac = function (arg0, arg1) {
+        const ret = getObject(arg0).push(getObject(arg1));
+        return ret;
     };
-    imports.wbg.__wbg_set_502d29070ea18557 = function (arg0, arg1, arg2) {
-        getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
+    imports.wbg.__wbg_ffiwiree2eidentity_new = function (arg0) {
+        const ret = FfiWireE2EIdentity.__wrap(arg0);
+        return addHeapObject(ret);
     };
     imports.wbg.__wbindgen_bigint_from_u64 = function (arg0) {
         const ret = BigInt.asUintN(64, arg0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbindgen_number_new = function (arg0) {
-        const ret = arg0;
-        return addHeapObject(ret);
-    };
     imports.wbg.__wbg_new_56693dbed0c32988 = function () {
         const ret = new Map();
         return addHeapObject(ret);
@@ -2840,6 +2918,9 @@ function __wbg_get_imports() {
         const ret = getObject(arg0).set(getObject(arg1), getObject(arg2));
         return addHeapObject(ret);
     };
+    imports.wbg.__wbg_set_841ac57cff3d672b = function (arg0, arg1, arg2) {
+        getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
+    };
     imports.wbg.__wbg_new_d258248ed531ff54 = function (arg0, arg1) {
         const ret = new Error(getStringFromWasm0(arg0, arg1));
         return addHeapObject(ret);
@@ -2912,9 +2993,6 @@ function __wbg_get_imports() {
         const ret = CoreCrypto$1.__wrap(arg0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_set_841ac57cff3d672b = function (arg0, arg1, arg2) {
-        getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
-    };
     imports.wbg.__wbg_instanceof_Promise_0e98a5bf082e090f = function (arg0) {
         let result;
         try {
@@ -2966,7 +3044,7 @@ function __wbg_get_imports() {
                 const a = state0.a;
                 state0.a = 0;
                 try {
-                    return __wbg_adapter_296(a, state0.b, arg0, arg1);
+                    return __wbg_adapter_299(a, state0.b, arg0, arg1);
                 }
                 finally {
                     state0.a = a;
@@ -3415,11 +3493,11 @@ function __wbg_get_imports() {
             return addHeapObject(ret);
         }, arguments);
     };
-    imports.wbg.__wbindgen_closure_wrapper1977 = function (arg0, arg1, arg2) {
+    imports.wbg.__wbindgen_closure_wrapper1966 = function (arg0, arg1, arg2) {
         const ret = makeMutClosure(arg0, arg1, 166, __wbg_adapter_52);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbindgen_closure_wrapper4646 = function (arg0, arg1, arg2) {
+    imports.wbg.__wbindgen_closure_wrapper4730 = function (arg0, arg1, arg2) {
         const ret = makeMutClosure(arg0, arg1, 166, __wbg_adapter_55);
         return addHeapObject(ret);
     };
@@ -3476,6 +3554,7 @@ var exports = /*#__PURE__*/Object.freeze({
     MemberAddedMessages: MemberAddedMessages,
     NewAcmeAuthz: NewAcmeAuthz,
     NewAcmeOrder: NewAcmeOrder,
+    PerDomainTrustAnchor: PerDomainTrustAnchor,
     ProposalBundle: ProposalBundle,
     ProteusAutoPrekeyBundle: ProteusAutoPrekeyBundle,
     RotateBundle: RotateBundle,
@@ -3488,7 +3567,7 @@ var exports = /*#__PURE__*/Object.freeze({
 var wasm = async (opt = {}) => {
                 let {importHook, serverPath} = opt;
 
-                let path = "assets/core_crypto_ffi-ca75d34d.wasm";
+                let path = "assets/core_crypto_ffi-9ad99558.wasm";
 
                 if (serverPath != null) {
                     path = serverPath + /[^\/\\]*$/.exec(path)[0];
@@ -3896,8 +3975,8 @@ class CoreCrypto {
      */
     async createConversation(conversationId, creatorCredentialType, configuration = {}) {
         try {
-            const { ciphersuite, externalSenders, custom = {} } = configuration || {};
-            const config = new (__classPrivateFieldGet(CoreCrypto, _a, "f", _CoreCrypto_module).ConversationConfiguration)(ciphersuite, externalSenders, custom?.keyRotationSpan);
+            const { ciphersuite, externalSenders, custom = {}, perDomainTrustAnchors = [] } = configuration || {};
+            const config = new (__classPrivateFieldGet(CoreCrypto, _a, "f", _CoreCrypto_module).ConversationConfiguration)(ciphersuite, externalSenders, custom?.keyRotationSpan, custom?.wirePolicy, perDomainTrustAnchors);
             const ret = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").create_conversation(conversationId, creatorCredentialType, config));
             return ret;
         }
@@ -3949,6 +4028,40 @@ class CoreCrypto {
     async encryptMessage(conversationId, message) {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").encrypt_message(conversationId, message));
     }
+    /**
+     * Updates the trust anchors for a conversation. This should be called when a federated event happens (new team added/removed).
+     * Clients should add and/or remove trust anchors from the new backend to the conversation. The method will check
+     * for duplicated domains and the validity of the certificate chain.
+     *
+     * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+     * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
+     * epoch, use new encryption secrets etc...
+     *
+     * @param conversationId - The ID of the conversation
+     * @param removeDomainNames - Domains to remove from the trust anchors
+     * @param addTrustAnchors - New trust anchors to add to the conversation
+     *
+     * @returns A {@link CommitBundle}
+     */
+    async update_trust_anchors_from_conversation(conversationId, removeDomainNames, addTrustAnchors) {
+        try {
+            const ffiRet = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").update_trust_anchors_from_conversation(conversationId, removeDomainNames, addTrustAnchors));
+            const gi = ffiRet.group_info;
+            const ret = {
+                welcome: ffiRet.welcome,
+                commit: ffiRet.commit,
+                groupInfo: {
+                    encryptionType: gi.encryption_type,
+                    ratchetTreeType: gi.ratchet_tree_type,
+                    payload: gi.payload
+                },
+            };
+            return ret;
+        }
+        catch (e) {
+            throw CoreCryptoError.fromStdError(e);
+        }
+    }
     /**
      * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
      *
@@ -4495,34 +4608,34 @@ class CoreCrypto {
     }
     /**
      * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
-     * As a consequence, this method does not support changing the ClientId which should remain the same as the Basic one.
      * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
      *
+     * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
      * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
      * @param handle user handle e.g. `alice.smith.qa@example.com`
      * @param expiryDays generated x509 certificate expiry
      * @param ciphersuite - for generating signing key material
      * @returns The new {@link WireE2eIdentity} object
      */
-    async e2eiNewActivationEnrollment(displayName, handle, expiryDays, ciphersuite) {
-        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_activation_enrollment(displayName, handle, expiryDays, ciphersuite));
+    async e2eiNewActivationEnrollment(clientId, displayName, handle, expiryDays, ciphersuite) {
+        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_activation_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
         return new WireE2eIdentity(e2ei);
     }
     /**
      * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
      * having to change/rotate their credential, either because the former one is expired or it
-     * has been revoked. As a consequence, this method does not support changing neither ClientId which
-     * should remain the same as the previous one. It lets you change the DisplayName or the handle
+     * has been revoked. It lets you change the DisplayName or the handle
      * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
      *
+     * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
      * @param expiryDays generated x509 certificate expiry
      * @param ciphersuite - for generating signing key material
      * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
      * @param handle user handle e.g. `alice.smith.qa@example.com`
      * @returns The new {@link WireE2eIdentity} object
      */
-    async e2eiNewRotateEnrollment(expiryDays, ciphersuite, displayName, handle) {
-        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_rotate_enrollment(displayName, handle, expiryDays, ciphersuite));
+    async e2eiNewRotateEnrollment(clientId, expiryDays, ciphersuite, displayName, handle) {
+        const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_rotate_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
         return new WireE2eIdentity(e2ei);
     }
     /**
@@ -4571,10 +4684,21 @@ class CoreCrypto {
      * Credential generated by Wire's end-to-end identity enrollment
      *
      * @param conversationId The group's ID
-     * @returns true if all the members have valid X509 credentials
+     * @returns the conversation state given current members
+     */
+    async e2eiConversationState(conversationId) {
+        let state = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_conversation_state(conversationId));
+        // @ts-ignore
+        return E2eiConversationState[E2eiConversationState[state]];
+    }
+    /**
+     * Returns true when end-to-end-identity is enabled for the given Ciphersuite
+     *
+     * @param ciphersuite of the credential to check
+     * @returns true end-to-end identity is enabled for the given ciphersuite
      */
-    async e2eiIsDegraded(conversationId) {
-        return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_is_degraded(conversationId));
+    async e2eiIsEnabled(ciphersuite) {
+        return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_is_enabled(ciphersuite));
     }
     /**
      * Returns the current version of {@link CoreCrypto}
@@ -4849,5 +4973,25 @@ class WireE2eIdentity {
     }
 }
 _WireE2eIdentity_e2ei = new WeakMap();
+/**
+ * Indicates the state of a Conversation regarding end-to-end identity.
+ * Note: this does not check pending state (pending commit, pending proposals) so it does not
+ * consider members about to be added/removed
+ */
+var E2eiConversationState;
+(function (E2eiConversationState) {
+    /**
+     * All clients have a valid E2EI certificate
+     */
+    E2eiConversationState[E2eiConversationState["Verified"] = 1] = "Verified";
+    /**
+     * Some clients are either still Basic or their certificate is expired
+     */
+    E2eiConversationState[E2eiConversationState["Degraded"] = 2] = "Degraded";
+    /**
+     * All clients are still Basic. If all client have expired certificates, Degraded is returned.
+     */
+    E2eiConversationState[E2eiConversationState["NotEnabled"] = 3] = "NotEnabled";
+})(E2eiConversationState || (E2eiConversationState = {}));
 
-export { Ciphersuite, CoreCrypto, CoreCryptoError, CredentialType, ExternalProposalType, GroupInfoEncryptionType, ProposalType, RatchetTreeType, WireE2eIdentity, WirePolicy };
+export { Ciphersuite, CoreCrypto, CoreCryptoError, CredentialType, E2eiConversationState, ExternalProposalType, GroupInfoEncryptionType, ProposalType, RatchetTreeType, WireE2eIdentity, WirePolicy };