npm - @wireapp/core-crypto - Versions diffs - 1.0.0-rc.2 → 1.0.0-rc.21 - Mend

@wireapp/core-crypto 1.0.0-rc.2 → 1.0.0-rc.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +3 -1
package/package.json +12 -31
package/platforms/web/core-crypto-ffi_bg.wasm +0 -0
package/platforms/web/corecrypto.d.ts +269 -156
package/platforms/web/corecrypto.js +3118 -4904
package/platforms/web/assets/core_crypto_ffi-b7eb1191.wasm +0 -0

package/platforms/web/corecrypto.d.ts CHANGED Viewed

@@ -1,3 +1,131 @@
+/**
+* see [core_crypto::prelude::DeviceStatus]
+*/
+export enum DeviceStatus {
+	/**
+	* All is fine
+	*/
+	Valid = 0,
+	/**
+	* The Credential's certificate is expired
+	*/
+	Expired = 1,
+	/**
+	* The Credential's certificate is revoked (not implemented yet)
+	*/
+	Revoked = 2
+}
+/**
+* For creating a challenge.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+*/
+export class AcmeChallenge {
+	free(): void;
+	/**
+	* Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+	/**
+	* Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
+	* Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
+	*/
+	readonly target: string;
+	/**
+	* URL of this challenge
+	*/
+	readonly url: string;
+}
+/**
+* Holds URLs of all the standard ACME endpoint supported on an ACME server.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
+*/
+export class AcmeDirectory {
+	free(): void;
+	/**
+	* URL for creating a new account.
+	*/
+	readonly newAccount: string;
+	/**
+	* URL for fetching a new nonce. Use this only for creating a new account.
+	*/
+	readonly newNonce: string;
+	/**
+	* URL for creating a new order.
+	*/
+	readonly newOrder: string;
+	/**
+	* Revocation URL
+	*/
+	readonly revokeCert: string;
+}
+/**
+* Result of an authorization creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
+*/
+export class NewAcmeAuthz {
+	free(): void;
+	/**
+	* DNS entry associated with those challenge
+	*/
+	readonly identifier: string;
+	/**
+	* Challenge for the deviceId owned by wire-server
+	*/
+	readonly wireDpopChallenge: AcmeChallenge | undefined;
+	/**
+	* Challenge for the userId and displayName owned by the identity provider
+	*/
+	readonly wireOidcChallenge: AcmeChallenge | undefined;
+}
+/**
+* Result of an order creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
+*/
+export class NewAcmeOrder {
+	free(): void;
+	/**
+	*/
+	readonly authorizations: (Uint8Array)[];
+	/**
+	* Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+}
+/**
+* Represents the identity claims identifying a client
+* Those claims are verifiable by any member in the group
+*/
+export class WireIdentity {
+	free(): void;
+	/**
+	* X509 certificate identifying this client in the MLS group ; PEM encoded
+	*/
+	readonly certificate: string;
+	/**
+	* Unique client identifier e.g. `T4Coy4vdRzianwfOgXpn6A:6add501bacd1d90e@whitehouse.gov`
+	*/
+	readonly clientId: string;
+	/**
+	* Name as displayed in the messaging application e.g. `John Fitzgerald Kennedy`
+	*/
+	readonly displayName: string;
+	/**
+	* DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
+	*/
+	readonly domain: string;
+	/**
+	* user handle e.g. `john_wire`
+	*/
+	readonly handle: string;
+	/**
+	* Status of the Credential at the moment T when this object is created
+	*/
+	readonly status: DeviceStatus;
+	/**
+	* MLS thumbprint
+	*/
+	readonly thumbprint: string;
+}
 /**
  * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
  *
@@ -262,7 +390,7 @@ export interface RotateBundle {
 	 *
 	 * @readonly
 	 */
-	commits: CommitBundle[];
+	commits: Map<string, CommitBundle>;
 	/**
 	 * Fresh KeyPackages with the new Credential
 	 *
@@ -303,6 +431,10 @@ export interface CoreCryptoDeferredParams {
 	 * .wasm file path, this will be useful in case your bundling system likes to relocate files (i.e. what webpack does)
 	 */
 	wasmFilePath?: string;
+	/**
+	 * Number of initial KeyPackage to create when initializing the client
+	 */
+	nbKeyPackage?: number;
 }
 /**
  * Params for CoreCrypto initialization
@@ -315,19 +447,6 @@ export interface CoreCryptoParams extends CoreCryptoDeferredParams {
 	 */
 	clientId: ClientId;
 }
-/**
- * Data shape for adding clients to a conversation
- */
-export interface Invitee {
-	/**
-	 * Client ID as a byte array
-	 */
-	id: ClientId;
-	/**
-	 * MLS KeyPackage belonging to the aforementioned client
-	 */
-	kp: Uint8Array;
-}
 export interface ConversationInitBundle {
 	/**
 	 * Conversation ID of the conversation created
@@ -386,27 +505,45 @@ export interface DecryptedMessage {
 	 * Present for all messages
 	 */
 	identity?: WireIdentity;
+	/**
+	 * Only set when the decrypted message is a commit.
+	 * Contains buffered messages for next epoch which were received before the commit creating the epoch
+	 * because the DS did not fan them out in order.
+	 */
+	bufferedMessages?: BufferedDecryptedMessage[];
 }
 /**
- * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+ * Almost same as {@link DecryptedMessage} but avoids recursion
  */
-export interface WireIdentity {
+export interface BufferedDecryptedMessage {
+	/**
+	 * see {@link DecryptedMessage.message}
+	 */
+	message?: Uint8Array;
+	/**
+	 * see {@link DecryptedMessage.proposals}
+	 */
+	proposals: ProposalBundle[];
 	/**
-	 * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+	 * see {@link DecryptedMessage.isActive}
 	 */
-	clientId: string;
+	isActive: boolean;
+	/**
+	 * see {@link DecryptedMessage.commitDelay}
+	 */
+	commitDelay?: number;
 	/**
-	 * user handle e.g. `john_wire`
+	 * see {@link DecryptedMessage.senderClientId}
 	 */
-	handle: string;
+	senderClientId?: ClientId;
 	/**
-	 * Name as displayed in the messaging application e.g. `John Fitzgerald Kennedy`
+	 * see {@link DecryptedMessage.hasEpochChanged}
 	 */
-	displayName: string;
+	hasEpochChanged: boolean;
 	/**
-	 * DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
+	 * see {@link DecryptedMessage.identity}
 	 */
-	domain: string;
+	identity?: WireIdentity;
 }
 /**
  * Returned by all methods creating proposals. Contains a proposal message and an identifier to roll back the proposal
@@ -573,7 +710,7 @@ export declare class CoreCrypto {
 	 * });
 	 * ````
 	 */
-	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed }: CoreCryptoParams): Promise<CoreCrypto>;
+	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed, nbKeyPackage, }: CoreCryptoParams): Promise<CoreCrypto>;
 	/**
 	 * Almost identical to {@link CoreCrypto.init} but allows a 2 phase initialization of MLS.
 	 * First, calling this will set up the keystore and will allow generating proteus prekeys.
@@ -581,14 +718,15 @@ export declare class CoreCrypto {
 	 * Use this clientId to initialize MLS with {@link CoreCrypto.mlsInit}.
 	 * @param params - {@link CoreCryptoDeferredParams}
 	 */
-	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
+	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath, nbKeyPackage, }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
 	/**
 	 * Use this after {@link CoreCrypto.deferredInit} when you have a clientId. It initializes MLS.
 	 *
 	 * @param clientId - {@link CoreCryptoParams#clientId} but required
 	 * @param ciphersuites - All the ciphersuites supported by this MLS client
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
 	 */
-	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[]): Promise<void>;
+	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[], nbKeyPackage?: number): Promise<void>;
 	/**
 	 * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
 	 * This method is designed to be used in conjunction with {@link CoreCrypto.mlsInitWithClientId} and represents the first step in this process
@@ -625,7 +763,7 @@ export declare class CoreCrypto {
 	/**
 	 * Closes this {@link CoreCrypto} instance and deallocates all loaded resources
 	 *
-	 * **CAUTION**: This {@link CoreCrypto} instance won't be useable after a call to this method, but there's no way to express this requirement in TypeScript so you'll get errors instead!
+	 * **CAUTION**: This {@link CoreCrypto} instance won't be usable after a call to this method, but there's no way to express this requirement in TypeScript, so you'll get errors instead!
 	 */
 	close(): Promise<void>;
 	/**
@@ -691,7 +829,12 @@ export declare class CoreCrypto {
 	 */
 	createConversation(conversationId: ConversationId, creatorCredentialType: CredentialType, configuration?: ConversationConfiguration): Promise<any>;
 	/**
-	 * Decrypts a message for a given conversation
+	 * Decrypts a message for a given conversation.
+	 *
+	 * Note: you should catch & ignore the following error reasons:
+	 * * "We already decrypted this message once"
+	 * * "You tried to join with an external commit but did not merge it yet. We will reapply this message for you when you merge your external commit"
+	 * * "Incoming message is for a future epoch. We will buffer it until the commit for that epoch arrives"
 	 *
 	 * @param conversationId - The ID of the conversation
 	 * @param payload - The encrypted message buffer
@@ -723,17 +866,24 @@ export declare class CoreCrypto {
 	 *
 	 * @returns A {@link CommitBundle}
 	 */
-	update_trust_anchors_from_conversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
+	updateTrustAnchorsFromConversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
 	/**
 	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
+	 * Important: you have to catch the error with this reason "Although this Welcome seems valid, the local KeyPackage
+	 * it references has already been deleted locally. Join this group with an external commit", ignore it and then try
+	 * to join this group with an external commit.
+	 *
 	 * @param welcomeMessage - TLS-serialized MLS Welcome message
 	 * @param configuration - configuration of the MLS group
 	 * @returns The conversation ID of the newly joined group. You can use the same ID to decrypt/encrypt messages
 	 */
 	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<ConversationId>;
 	/**
-	 * @returns The client's public key
+	 * Get the client's public signature key. To upload to the DS for further backend side validation
+	 *
+	 * @param ciphersuite - of the signature key to get
+	 * @returns the client's public signature key
 	 */
 	clientPublicKey(ciphersuite: Ciphersuite): Promise<Uint8Array>;
 	/**
@@ -762,21 +912,21 @@ export declare class CoreCrypto {
 	/**
 	 * Adds new clients to a conversation, assuming the current client has the right to add new clients to the conversation.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
 	 * @param conversationId - The ID of the conversation
-	 * @param clients - Array of {@link Invitee} (which are Client ID / KeyPackage pairs)
+	 * @param keyPackages - KeyPackages of the new clients to add
 	 *
 	 * @returns A {@link CommitBundle}
 	 */
-	addClientsToConversation(conversationId: ConversationId, clients: Invitee[]): Promise<MemberAddedMessages>;
+	addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<MemberAddedMessages>;
 	/**
 	 * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
 	 * to do so, otherwise this operation does nothing.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -787,9 +937,9 @@ export declare class CoreCrypto {
 	 */
 	removeClientsFromConversation(conversationId: ConversationId, clientIds: ClientId[]): Promise<CommitBundle>;
 	/**
-	 * Creates an update commit which forces every client to update their keypackages in the conversation
+	 * Creates an update commit which forces every client to update their LeafNode in the conversation
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -819,6 +969,9 @@ export declare class CoreCrypto {
 	 * @returns A {@link ProposalBundle} containing the Proposal and its reference in order to roll it back if necessary
 	 */
 	newProposal(proposalType: ProposalType, args: ProposalArgs | AddProposalArgs | RemoveProposalArgs): Promise<ProposalBundle>;
+	/**
+	 * Creates a new external Add proposal for self client to join a conversation.
+	 */
 	newExternalProposal(externalProposalType: ExternalProposalType, args: ExternalAddProposalArgs): Promise<Uint8Array>;
 	/**
 	 * Allows to create an external commit to "apply" to join a group through its GroupInfo.
@@ -843,8 +996,9 @@ export declare class CoreCrypto {
 	 * and deletes the temporary one. This step makes the group operational and ready to encrypt/decrypt message
 	 *
 	 * @param conversationId - The ID of the conversation
+	 * @returns eventually decrypted buffered messages if any
 	 */
-	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<DecryptedMessage[] | undefined>;
+	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
 	 * In case the external commit generated by {@link CoreCrypto.joinByExternalCommit} is rejected by the Delivery Service, and we
 	 * want to abort this external commit once for all, we can wipe out the pending group from the keystore in order
@@ -854,26 +1008,24 @@ export declare class CoreCrypto {
 	 */
 	clearPendingGroupFromExternalCommit(conversationId: ConversationId): Promise<void>;
 	/**
-	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it
-	 * into the local group state
+	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it into the local group state
 	 *
 	 * @param conversationId - The group's ID
+	 * @returns the messages from current epoch which had been buffered, if any
 	 */
-	commitAccepted(conversationId: ConversationId): Promise<void>;
+	commitAccepted(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
-	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
-	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc..
+	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc…
 	 *
 	 * @param conversationId - The group's ID
 	 * @param proposalRef - A reference to the proposal to delete. You get one when using {@link CoreCrypto.newProposal}
 	 */
 	clearPendingProposal(conversationId: ConversationId, proposalRef: ProposalRef): Promise<void>;
 	/**
-	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
 	 * e.g. 403. Do not use otherwise e.g. 5xx responses, timeout etc..
@@ -917,7 +1069,7 @@ export declare class CoreCrypto {
 	 */
 	reseedRng(seed: Uint8Array): Promise<void>;
 	/**
-	 * Initiailizes the proteus client
+	 * Initializes the proteus client
 	 */
 	proteusInit(): Promise<void>;
 	/**
@@ -1050,47 +1202,53 @@ export declare class CoreCrypto {
 	 * Creates an enrollment instance with private key material you can use in order to fetch
 	 * a new x509 certificate from the acme server.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiMlsInitOnly}
 	 */
-	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
 	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
+	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
 	/**
-	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
+	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
+	 * that means he cannot initialize with a Basic credential
 	 *
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
+	 * @returns a MlsClient initialized with only a x509 credential
 	 */
-	e2eiMlsInitOnly(enrollment: WireE2eIdentity, certificateChain: string): Promise<void>;
+	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<void>;
 	/**
 	 * Creates a commit in all local conversations for changing the credential. Requires first
 	 * having enrolled a new X509 certificate with either {@link CoreCrypto.e2eiNewActivationEnrollment}
@@ -1099,8 +1257,9 @@ export declare class CoreCrypto {
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
 	 * @param newKeyPackageCount - number of KeyPackages with new identity to generate
+	 * @returns a {@link RotateBundle} with commits to fan-out to other group members, KeyPackages to upload and old ones to delete
 	 */
-	e2eiRotateAll(enrollment: WireE2eIdentity, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
+	e2eiRotateAll(enrollment: E2eiEnrollment, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
 	/**
 	 * Allows persisting an active enrollment (for example while redirecting the user during OAuth) in order to resume
 	 * it later with {@link e2eiEnrollmentStashPop}
@@ -1108,22 +1267,48 @@ export declare class CoreCrypto {
 	 * @param enrollment the enrollment instance to persist
 	 * @returns a handle to fetch the enrollment later with {@link e2eiEnrollmentStashPop}
 	 */
-	e2eiEnrollmentStash(enrollment: WireE2eIdentity): Promise<Uint8Array>;
+	e2eiEnrollmentStash(enrollment: E2eiEnrollment): Promise<Uint8Array>;
 	/**
 	 * Fetches the persisted enrollment and deletes it from the keystore
 	 *
 	 * @param handle returned by {@link e2eiEnrollmentStash}
 	 * @returns the persisted enrollment instance
 	 */
-	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<WireE2eIdentity>;
+	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
 	/**
 	 * Indicates when to mark a conversation as degraded i.e. when not all its members have a X509.
 	 * Credential generated by Wire's end-to-end identity enrollment
 	 *
 	 * @param conversationId The group's ID
-	 * @returns true if all the members have valid X509 credentials
+	 * @returns the conversation state given current members
+	 */
+	e2eiConversationState(conversationId: ConversationId): Promise<E2eiConversationState>;
+	/**
+	 * Returns true when end-to-end-identity is enabled for the given Ciphersuite
+	 *
+	 * @param ciphersuite of the credential to check
+	 * @returns true if end-to-end identity is enabled for the given ciphersuite
+	 */
+	e2eiIsEnabled(ciphersuite: Ciphersuite): Promise<boolean>;
+	/**
+	 * From a given conversation, get the identity of the members supplied. Identity is only present for members with a
+	 * Certificate Credential (after turning on end-to-end identity).
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param deviceIds - identifiers of the devices
+	 * @returns identities or if no member has a x509 certificate, it will return an empty List
+	 */
+	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity[]>;
+	/**
+	 * From a given conversation, get the identity of the users (device holders) supplied.
+	 * Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
+	 * If no member has a x509 certificate, it will return an empty Vec.
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
+	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
 	 */
-	e2eiIsDegraded(conversationId: ConversationId): Promise<boolean>;
+	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -1132,7 +1317,7 @@ export declare class CoreCrypto {
 	static version(): string;
 }
 type JsonRawData = Uint8Array;
-export declare class WireE2eIdentity {
+export declare class E2eiEnrollment {
 	#private;
 	/** @hidden */
 	constructor(e2ei: unknown);
@@ -1241,7 +1426,7 @@ export declare class WireE2eIdentity {
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
 	 *
 	 * @param order HTTP response body
-	 * @return the finalize url to use with {@link finalizeRequest}
+	 * @return finalize url to use with {@link finalizeRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
 	checkOrderResponse(order: JsonRawData): string;
@@ -1269,95 +1454,23 @@ export declare class WireE2eIdentity {
 	certificateRequest(previousNonce: string): JsonRawData;
 }
 /**
- * Holds URLs of all the standard ACME endpoint supported on an ACME server.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
- */
-export interface AcmeDirectory {
-	/**
-	 * URL for fetching a new nonce. Use this only for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newNonce: string;
-	/**
-	 * URL for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newAccount: string;
-	/**
-	 * URL for creating a new order.
-	 *
-	 * @readonly
-	 */
-	newOrder: string;
-}
-/**
- * Result of an order creation
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
+ * Indicates the state of a Conversation regarding end-to-end identity.
+ * Note: this does not check pending state (pending commit, pending proposals) so it does not
+ * consider members about to be added/removed
  */
-export interface NewAcmeOrder {
+export declare enum E2eiConversationState {
 	/**
-	 * Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
-	 */
-	delegate: Uint8Array;
-	/**
-	 * An authorization for each domain to create
-	 *
-	 * @readonly
-	 */
-	authorizations: Uint8Array[];
-}
-/**
- * Result of an authorization creation.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
- */
-export interface NewAcmeAuthz {
-	/**
-	 * DNS entry associated with those challenge
-	 *
-	 * @readonly
-	 */
-	identifier: string;
-	/**
-	 * Challenge for the clientId
-	 *
-	 * @readonly
-	 */
-	wireDpopChallenge?: AcmeChallenge;
-	/**
-	 * Challenge for the userId and displayName
-	 *
-	 * @readonly
-	 */
-	wireOidcChallenge?: AcmeChallenge;
-}
-/**
- * For creating a challenge
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
- */
-export interface AcmeChallenge {
-	/**
-	 * Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
+	 * All clients have a valid E2EI certificate
 	 */
-	delegate: Uint8Array;
+	Verified = 1,
 	/**
-	 * URL of this challenge
-	 *
-	 * @readonly
+	 * Some clients are either still Basic or their certificate is expired
 	 */
-	url: string;
+	Degraded = 2,
 	/**
-	 * Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
-	 * Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
-	 *
-	 * @readonly
+	 * All clients are still Basic. If all client have expired certificates, Degraded is returned.
 	 */
-	target: string;
+	NotEnabled = 3
 }
 export {};