@wireapp/core-crypto 1.0.0-rc.2 → 1.0.0-rc.21

package/platforms/web/corecrypto.d.ts

@@ -1,3 +1,131 @@
+/**
+* see [core_crypto::prelude::DeviceStatus]
+*/
+export enum DeviceStatus {
+	/**
+	* All is fine
+	*/
+	Valid = 0,
+	/**
+	* The Credential's certificate is expired
+	*/
+	Expired = 1,
+	/**
+	* The Credential's certificate is revoked (not implemented yet)
+	*/
+	Revoked = 2
+}
+/**
+* For creating a challenge.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+*/
+export class AcmeChallenge {
+	free(): void;
+	/**
+	* Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+	/**
+	* Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
+	* Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
+	*/
+	readonly target: string;
+	/**
+	* URL of this challenge
+	*/
+	readonly url: string;
+}
+/**
+* Holds URLs of all the standard ACME endpoint supported on an ACME server.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
+*/
+export class AcmeDirectory {
+	free(): void;
+	/**
+	* URL for creating a new account.
+	*/
+	readonly newAccount: string;
+	/**
+	* URL for fetching a new nonce. Use this only for creating a new account.
+	*/
+	readonly newNonce: string;
+	/**
+	* URL for creating a new order.
+	*/
+	readonly newOrder: string;
+	/**
+	* Revocation URL
+	*/
+	readonly revokeCert: string;
+}
+/**
+* Result of an authorization creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
+*/
+export class NewAcmeAuthz {
+	free(): void;
+	/**
+	* DNS entry associated with those challenge
+	*/
+	readonly identifier: string;
+	/**
+	* Challenge for the deviceId owned by wire-server
+	*/
+	readonly wireDpopChallenge: AcmeChallenge | undefined;
+	/**
+	* Challenge for the userId and displayName owned by the identity provider
+	*/
+	readonly wireOidcChallenge: AcmeChallenge | undefined;
+}
+/**
+* Result of an order creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
+*/
+export class NewAcmeOrder {
+	free(): void;
+	/**
+	*/
+	readonly authorizations: (Uint8Array)[];
+	/**
+	* Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+}
+/**
+* Represents the identity claims identifying a client
+* Those claims are verifiable by any member in the group
+*/
+export class WireIdentity {
+	free(): void;
+	/**
+	* X509 certificate identifying this client in the MLS group ; PEM encoded
+	*/
+	readonly certificate: string;
+	/**
+	* Unique client identifier e.g. `T4Coy4vdRzianwfOgXpn6A:6add501bacd1d90e@whitehouse.gov`
+	*/
+	readonly clientId: string;
+	/**
+	* Name as displayed in the messaging application e.g. `John Fitzgerald Kennedy`
+	*/
+	readonly displayName: string;
+	/**
+	* DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
+	*/
+	readonly domain: string;
+	/**
+	* user handle e.g. `john_wire`
+	*/
+	readonly handle: string;
+	/**
+	* Status of the Credential at the moment T when this object is created
+	*/
+	readonly status: DeviceStatus;
+	/**
+	* MLS thumbprint
+	*/
+	readonly thumbprint: string;
+}
 /**
  * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
  *
@@ -262,7 +390,7 @@ export interface RotateBundle {
 	 *
 	 * @readonly
 	 */
-	commits: CommitBundle[];
+	commits: Map<string, CommitBundle>;
 	/**
 	 * Fresh KeyPackages with the new Credential
 	 *
@@ -303,6 +431,10 @@ export interface CoreCryptoDeferredParams {
 	 * .wasm file path, this will be useful in case your bundling system likes to relocate files (i.e. what webpack does)
 	 */
 	wasmFilePath?: string;
+	/**
+	 * Number of initial KeyPackage to create when initializing the client
+	 */
+	nbKeyPackage?: number;
 }
 /**
  * Params for CoreCrypto initialization
@@ -315,19 +447,6 @@ export interface CoreCryptoParams extends CoreCryptoDeferredParams {
 	 */
 	clientId: ClientId;
 }
-/**
- * Data shape for adding clients to a conversation
- */
-export interface Invitee {
-	/**
-	 * Client ID as a byte array
-	 */
-	id: ClientId;
-	/**
-	 * MLS KeyPackage belonging to the aforementioned client
-	 */
-	kp: Uint8Array;
-}
 export interface ConversationInitBundle {
 	/**
 	 * Conversation ID of the conversation created
@@ -386,27 +505,45 @@ export interface DecryptedMessage {
 	 * Present for all messages
 	 */
 	identity?: WireIdentity;
+	/**
+	 * Only set when the decrypted message is a commit.
+	 * Contains buffered messages for next epoch which were received before the commit creating the epoch
+	 * because the DS did not fan them out in order.
+	 */
+	bufferedMessages?: BufferedDecryptedMessage[];
 }
 /**
- * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+ * Almost same as {@link DecryptedMessage} but avoids recursion
  */
-export interface WireIdentity {
+export interface BufferedDecryptedMessage {
+	/**
+	 * see {@link DecryptedMessage.message}
+	 */
+	message?: Uint8Array;
+	/**
+	 * see {@link DecryptedMessage.proposals}
+	 */
+	proposals: ProposalBundle[];
 	/**
-	 * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+	 * see {@link DecryptedMessage.isActive}
 	 */
-	clientId: string;
+	isActive: boolean;
+	/**
+	 * see {@link DecryptedMessage.commitDelay}
+	 */
+	commitDelay?: number;
 	/**
-	 * user handle e.g. `john_wire`
+	 * see {@link DecryptedMessage.senderClientId}
 	 */
-	handle: string;
+	senderClientId?: ClientId;
 	/**
-	 * Name as displayed in the messaging application e.g. `John Fitzgerald Kennedy`
+	 * see {@link DecryptedMessage.hasEpochChanged}
 	 */
-	displayName: string;
+	hasEpochChanged: boolean;
 	/**
-	 * DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
+	 * see {@link DecryptedMessage.identity}
 	 */
-	domain: string;
+	identity?: WireIdentity;
 }
 /**
  * Returned by all methods creating proposals. Contains a proposal message and an identifier to roll back the proposal
@@ -573,7 +710,7 @@ export declare class CoreCrypto {
 	 * });
 	 * ````
 	 */
-	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed }: CoreCryptoParams): Promise<CoreCrypto>;
+	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed, nbKeyPackage, }: CoreCryptoParams): Promise<CoreCrypto>;
 	/**
 	 * Almost identical to {@link CoreCrypto.init} but allows a 2 phase initialization of MLS.
 	 * First, calling this will set up the keystore and will allow generating proteus prekeys.
@@ -581,14 +718,15 @@ export declare class CoreCrypto {
 	 * Use this clientId to initialize MLS with {@link CoreCrypto.mlsInit}.
 	 * @param params - {@link CoreCryptoDeferredParams}
 	 */
-	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
+	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath, nbKeyPackage, }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
 	/**
 	 * Use this after {@link CoreCrypto.deferredInit} when you have a clientId. It initializes MLS.
 	 *
 	 * @param clientId - {@link CoreCryptoParams#clientId} but required
 	 * @param ciphersuites - All the ciphersuites supported by this MLS client
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
 	 */
-	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[]): Promise<void>;
+	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[], nbKeyPackage?: number): Promise<void>;
 	/**
 	 * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
 	 * This method is designed to be used in conjunction with {@link CoreCrypto.mlsInitWithClientId} and represents the first step in this process
@@ -625,7 +763,7 @@ export declare class CoreCrypto {
 	/**
 	 * Closes this {@link CoreCrypto} instance and deallocates all loaded resources
 	 *
-	 * **CAUTION**: This {@link CoreCrypto} instance won't be useable after a call to this method, but there's no way to express this requirement in TypeScript so you'll get errors instead!
+	 * **CAUTION**: This {@link CoreCrypto} instance won't be usable after a call to this method, but there's no way to express this requirement in TypeScript, so you'll get errors instead!
 	 */
 	close(): Promise<void>;
 	/**
@@ -691,7 +829,12 @@ export declare class CoreCrypto {
 	 */
 	createConversation(conversationId: ConversationId, creatorCredentialType: CredentialType, configuration?: ConversationConfiguration): Promise<any>;
 	/**
-	 * Decrypts a message for a given conversation
+	 * Decrypts a message for a given conversation.
+	 *
+	 * Note: you should catch & ignore the following error reasons:
+	 * * "We already decrypted this message once"
+	 * * "You tried to join with an external commit but did not merge it yet. We will reapply this message for you when you merge your external commit"
+	 * * "Incoming message is for a future epoch. We will buffer it until the commit for that epoch arrives"
 	 *
 	 * @param conversationId - The ID of the conversation
 	 * @param payload - The encrypted message buffer
@@ -723,17 +866,24 @@ export declare class CoreCrypto {
 	 *
 	 * @returns A {@link CommitBundle}
 	 */
-	update_trust_anchors_from_conversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
+	updateTrustAnchorsFromConversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
 	/**
 	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
+	 * Important: you have to catch the error with this reason "Although this Welcome seems valid, the local KeyPackage
+	 * it references has already been deleted locally. Join this group with an external commit", ignore it and then try
+	 * to join this group with an external commit.
+	 *
 	 * @param welcomeMessage - TLS-serialized MLS Welcome message
 	 * @param configuration - configuration of the MLS group
 	 * @returns The conversation ID of the newly joined group. You can use the same ID to decrypt/encrypt messages
 	 */
 	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<ConversationId>;
 	/**
-	 * @returns The client's public key
+	 * Get the client's public signature key. To upload to the DS for further backend side validation
+	 *
+	 * @param ciphersuite - of the signature key to get
+	 * @returns the client's public signature key
 	 */
 	clientPublicKey(ciphersuite: Ciphersuite): Promise<Uint8Array>;
 	/**
@@ -762,21 +912,21 @@ export declare class CoreCrypto {
 	/**
 	 * Adds new clients to a conversation, assuming the current client has the right to add new clients to the conversation.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
 	 * @param conversationId - The ID of the conversation
-	 * @param clients - Array of {@link Invitee} (which are Client ID / KeyPackage pairs)
+	 * @param keyPackages - KeyPackages of the new clients to add
 	 *
 	 * @returns A {@link CommitBundle}
 	 */
-	addClientsToConversation(conversationId: ConversationId, clients: Invitee[]): Promise<MemberAddedMessages>;
+	addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<MemberAddedMessages>;
 	/**
 	 * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
 	 * to do so, otherwise this operation does nothing.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -787,9 +937,9 @@ export declare class CoreCrypto {
 	 */
 	removeClientsFromConversation(conversationId: ConversationId, clientIds: ClientId[]): Promise<CommitBundle>;
 	/**
-	 * Creates an update commit which forces every client to update their keypackages in the conversation
+	 * Creates an update commit which forces every client to update their LeafNode in the conversation
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -819,6 +969,9 @@ export declare class CoreCrypto {
 	 * @returns A {@link ProposalBundle} containing the Proposal and its reference in order to roll it back if necessary
 	 */
 	newProposal(proposalType: ProposalType, args: ProposalArgs | AddProposalArgs | RemoveProposalArgs): Promise<ProposalBundle>;
+	/**
+	 * Creates a new external Add proposal for self client to join a conversation.
+	 */
 	newExternalProposal(externalProposalType: ExternalProposalType, args: ExternalAddProposalArgs): Promise<Uint8Array>;
 	/**
 	 * Allows to create an external commit to "apply" to join a group through its GroupInfo.
@@ -843,8 +996,9 @@ export declare class CoreCrypto {
 	 * and deletes the temporary one. This step makes the group operational and ready to encrypt/decrypt message
 	 *
 	 * @param conversationId - The ID of the conversation
+	 * @returns eventually decrypted buffered messages if any
 	 */
-	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<DecryptedMessage[] | undefined>;
+	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
 	 * In case the external commit generated by {@link CoreCrypto.joinByExternalCommit} is rejected by the Delivery Service, and we
 	 * want to abort this external commit once for all, we can wipe out the pending group from the keystore in order
@@ -854,26 +1008,24 @@ export declare class CoreCrypto {
 	 */
 	clearPendingGroupFromExternalCommit(conversationId: ConversationId): Promise<void>;
 	/**
-	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it
-	 * into the local group state
+	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it into the local group state
 	 *
 	 * @param conversationId - The group's ID
+	 * @returns the messages from current epoch which had been buffered, if any
 	 */
-	commitAccepted(conversationId: ConversationId): Promise<void>;
+	commitAccepted(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
-	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
-	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc..
+	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc…
 	 *
 	 * @param conversationId - The group's ID
 	 * @param proposalRef - A reference to the proposal to delete. You get one when using {@link CoreCrypto.newProposal}
 	 */
 	clearPendingProposal(conversationId: ConversationId, proposalRef: ProposalRef): Promise<void>;
 	/**
-	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
 	 * e.g. 403. Do not use otherwise e.g. 5xx responses, timeout etc..
@@ -917,7 +1069,7 @@ export declare class CoreCrypto {
 	 */
 	reseedRng(seed: Uint8Array): Promise<void>;
 	/**
-	 * Initiailizes the proteus client
+	 * Initializes the proteus client
 	 */
 	proteusInit(): Promise<void>;
 	/**
@@ -1050,47 +1202,53 @@ export declare class CoreCrypto {
 	 * Creates an enrollment instance with private key material you can use in order to fetch
 	 * a new x509 certificate from the acme server.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiMlsInitOnly}
 	 */
-	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
 	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
+	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
 	/**
-	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
+	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
+	 * that means he cannot initialize with a Basic credential
 	 *
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
+	 * @returns a MlsClient initialized with only a x509 credential
 	 */
-	e2eiMlsInitOnly(enrollment: WireE2eIdentity, certificateChain: string): Promise<void>;
+	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<void>;
 	/**
 	 * Creates a commit in all local conversations for changing the credential. Requires first
 	 * having enrolled a new X509 certificate with either {@link CoreCrypto.e2eiNewActivationEnrollment}
@@ -1099,8 +1257,9 @@ export declare class CoreCrypto {
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
 	 * @param newKeyPackageCount - number of KeyPackages with new identity to generate
+	 * @returns a {@link RotateBundle} with commits to fan-out to other group members, KeyPackages to upload and old ones to delete
 	 */
-	e2eiRotateAll(enrollment: WireE2eIdentity, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
+	e2eiRotateAll(enrollment: E2eiEnrollment, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
 	/**
 	 * Allows persisting an active enrollment (for example while redirecting the user during OAuth) in order to resume
 	 * it later with {@link e2eiEnrollmentStashPop}
@@ -1108,22 +1267,48 @@ export declare class CoreCrypto {
 	 * @param enrollment the enrollment instance to persist
 	 * @returns a handle to fetch the enrollment later with {@link e2eiEnrollmentStashPop}
 	 */
-	e2eiEnrollmentStash(enrollment: WireE2eIdentity): Promise<Uint8Array>;
+	e2eiEnrollmentStash(enrollment: E2eiEnrollment): Promise<Uint8Array>;
 	/**
 	 * Fetches the persisted enrollment and deletes it from the keystore
 	 *
 	 * @param handle returned by {@link e2eiEnrollmentStash}
 	 * @returns the persisted enrollment instance
 	 */
-	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<WireE2eIdentity>;
+	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
 	/**
 	 * Indicates when to mark a conversation as degraded i.e. when not all its members have a X509.
 	 * Credential generated by Wire's end-to-end identity enrollment
 	 *
 	 * @param conversationId The group's ID
-	 * @returns true if all the members have valid X509 credentials
+	 * @returns the conversation state given current members
+	 */
+	e2eiConversationState(conversationId: ConversationId): Promise<E2eiConversationState>;
+	/**
+	 * Returns true when end-to-end-identity is enabled for the given Ciphersuite
+	 *
+	 * @param ciphersuite of the credential to check
+	 * @returns true if end-to-end identity is enabled for the given ciphersuite
+	 */
+	e2eiIsEnabled(ciphersuite: Ciphersuite): Promise<boolean>;
+	/**
+	 * From a given conversation, get the identity of the members supplied. Identity is only present for members with a
+	 * Certificate Credential (after turning on end-to-end identity).
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param deviceIds - identifiers of the devices
+	 * @returns identities or if no member has a x509 certificate, it will return an empty List
+	 */
+	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity[]>;
+	/**
+	 * From a given conversation, get the identity of the users (device holders) supplied.
+	 * Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
+	 * If no member has a x509 certificate, it will return an empty Vec.
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
+	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
 	 */
-	e2eiIsDegraded(conversationId: ConversationId): Promise<boolean>;
+	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -1132,7 +1317,7 @@ export declare class CoreCrypto {
 	static version(): string;
 }
 type JsonRawData = Uint8Array;
-export declare class WireE2eIdentity {
+export declare class E2eiEnrollment {
 	#private;
 	/** @hidden */
 	constructor(e2ei: unknown);
@@ -1241,7 +1426,7 @@ export declare class WireE2eIdentity {
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
 	 *
 	 * @param order HTTP response body
-	 * @return the finalize url to use with {@link finalizeRequest}
+	 * @return finalize url to use with {@link finalizeRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
 	checkOrderResponse(order: JsonRawData): string;
@@ -1269,95 +1454,23 @@ export declare class WireE2eIdentity {
 	certificateRequest(previousNonce: string): JsonRawData;
 }
 /**
- * Holds URLs of all the standard ACME endpoint supported on an ACME server.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
- */
-export interface AcmeDirectory {
-	/**
-	 * URL for fetching a new nonce. Use this only for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newNonce: string;
-	/**
-	 * URL for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newAccount: string;
-	/**
-	 * URL for creating a new order.
-	 *
-	 * @readonly
-	 */
-	newOrder: string;
-}
-/**
- * Result of an order creation
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
+ * Indicates the state of a Conversation regarding end-to-end identity.
+ * Note: this does not check pending state (pending commit, pending proposals) so it does not
+ * consider members about to be added/removed
  */
-export interface NewAcmeOrder {
+export declare enum E2eiConversationState {
 	/**
-	 * Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
-	 */
-	delegate: Uint8Array;
-	/**
-	 * An authorization for each domain to create
-	 *
-	 * @readonly
-	 */
-	authorizations: Uint8Array[];
-}
-/**
- * Result of an authorization creation.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
- */
-export interface NewAcmeAuthz {
-	/**
-	 * DNS entry associated with those challenge
-	 *
-	 * @readonly
-	 */
-	identifier: string;
-	/**
-	 * Challenge for the clientId
-	 *
-	 * @readonly
-	 */
-	wireDpopChallenge?: AcmeChallenge;
-	/**
-	 * Challenge for the userId and displayName
-	 *
-	 * @readonly
-	 */
-	wireOidcChallenge?: AcmeChallenge;
-}
-/**
- * For creating a challenge
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
- */
-export interface AcmeChallenge {
-	/**
-	 * Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
+	 * All clients have a valid E2EI certificate
 	 */
-	delegate: Uint8Array;
+	Verified = 1,
 	/**
-	 * URL of this challenge
-	 *
-	 * @readonly
+	 * Some clients are either still Basic or their certificate is expired
 	 */
-	url: string;
+	Degraded = 2,
 	/**
-	 * Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
-	 * Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
-	 *
-	 * @readonly
+	 * All clients are still Basic. If all client have expired certificates, Degraded is returned.
 	 */
-	target: string;
+	NotEnabled = 3
 }
 
 export {};