npm - @wireapp/core-crypto - Versions diffs - 1.0.0-rc.5 → 1.0.0-rc.51 - Mend

@wireapp/core-crypto 1.0.0-rc.5 → 1.0.0-rc.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +4 -2
package/package.json +12 -31
package/platforms/web/core-crypto-ffi_bg.wasm +0 -0
package/platforms/web/corecrypto.d.ts +416 -212
package/platforms/web/corecrypto.js +3193 -4956
package/platforms/web/assets/core_crypto_ffi-9ad99558.wasm +0 -0

package/platforms/web/corecrypto.d.ts CHANGED Viewed

@@ -1,3 +1,74 @@
+/**
+* For creating a challenge.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+*/
+export class AcmeChallenge {
+	free(): void;
+	/**
+	* Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+	/**
+	* Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
+	* Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
+	*/
+	readonly target: string;
+	/**
+	* URL of this challenge
+	*/
+	readonly url: string;
+}
+/**
+* Dump of the PKI environemnt as PEM
+*/
+export class E2eiDumpedPkiEnv {
+	free(): void;
+	/**
+	* CRLs registered in the PKI env
+	*/
+	readonly crls: (string)[];
+	/**
+	* Intermediate CAs that are loaded
+	*/
+	readonly intermediates: (string)[];
+	/**
+	* Root CA in use (i.e. Trust Anchor)
+	*/
+	readonly root_ca: string;
+}
+/**
+* Result of an authorization creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
+*/
+export class NewAcmeAuthz {
+	free(): void;
+	/**
+	* Associated ACME Challenge
+	*/
+	readonly challenge: AcmeChallenge;
+	/**
+	* DNS entry associated with those challenge
+	*/
+	readonly identifier: string;
+	/**
+	* ACME challenge + ACME key thumbprint
+	*/
+	readonly keyauth: string | undefined;
+}
+/**
+* Result of an order creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
+*/
+export class NewAcmeOrder {
+	free(): void;
+	/**
+	*/
+	readonly authorizations: (Uint8Array)[];
+	/**
+	* Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+}
 /**
  * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
  *
@@ -79,24 +150,6 @@ export interface ConversationConfiguration {
 	 * Implementation specific configuration
 	 */
 	custom?: CustomConfiguration;
-	/**
-	 * Trust anchors to be added in the group's context extensions
-	 */
-	perDomainTrustAnchors?: PerDomainTrustAnchor[];
-}
-/**
- * A wrapper containing the configuration for trust anchors to be added in the group's context
- * extensions
- */
-export interface PerDomainTrustAnchor {
-	/**
-	 * Domain name of the owning backend this anchor refers to. One of the certificate in the chain has to have this domain in its SANs
-	 */
-	domain_name: string;
-	/**
-	 * PEM encoded (partial) certificate chain. This contains the certificate chain for the CA certificate issuing the E2E Identity certificates
-	 */
-	intermediate_certificate_chain: string;
 }
 /**
  * see [core_crypto::prelude::MlsWirePolicy]
@@ -179,6 +232,10 @@ export interface MemberAddedMessages {
 	 * @readonly
 	 */
 	groupInfo: GroupInfoBundle;
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * Data shape for a MLS generic commit + optional bundle (aka stapled commit & welcome)
@@ -262,7 +319,7 @@ export interface RotateBundle {
 	 *
 	 * @readonly
 	 */
-	commits: CommitBundle[];
+	commits: Map<string, CommitBundle>;
 	/**
 	 * Fresh KeyPackages with the new Credential
 	 *
@@ -275,6 +332,10 @@ export interface RotateBundle {
 	 * @readonly
 	 */
 	keyPackageRefsToRemove: Uint8Array[];
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * Params for CoreCrypto deferred initialization
@@ -303,6 +364,10 @@ export interface CoreCryptoDeferredParams {
 	 * .wasm file path, this will be useful in case your bundling system likes to relocate files (i.e. what webpack does)
 	 */
 	wasmFilePath?: string;
+	/**
+	 * Number of initial KeyPackage to create when initializing the client
+	 */
+	nbKeyPackage?: number;
 }
 /**
  * Params for CoreCrypto initialization
@@ -315,19 +380,6 @@ export interface CoreCryptoParams extends CoreCryptoDeferredParams {
 	 */
 	clientId: ClientId;
 }
-/**
- * Data shape for adding clients to a conversation
- */
-export interface Invitee {
-	/**
-	 * Client ID as a byte array
-	 */
-	id: ClientId;
-	/**
-	 * MLS KeyPackage belonging to the aforementioned client
-	 */
-	kp: Uint8Array;
-}
 export interface ConversationInitBundle {
 	/**
 	 * Conversation ID of the conversation created
@@ -348,6 +400,27 @@ export interface ConversationInitBundle {
 	 * @readonly
 	 */
 	groupInfo: GroupInfoBundle;
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
+}
+/**
+ *  Supporting struct for CRL registration result
+ */
+export interface CRLRegistration {
+	/**
+	 * Whether this CRL modifies the old CRL (i.e. has a different revocated cert list)
+	 *
+	 * @readonly
+	 */
+	dirty: boolean;
+	/**
+	 * Optional expiration timestamp
+	 *
+	 * @readonly
+	 */
+	expiration?: number;
 }
 /**
  * This is a wrapper for all the possible outcomes you can get after decrypting a message
@@ -386,17 +459,65 @@ export interface DecryptedMessage {
 	 * Present for all messages
 	 */
 	identity?: WireIdentity;
+	/**
+	 * Only set when the decrypted message is a commit.
+	 * Contains buffered messages for next epoch which were received before the commit creating the epoch
+	 * because the DS did not fan them out in order.
+	 */
+	bufferedMessages?: BufferedDecryptedMessage[];
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
+}
+/**
+ * Almost same as {@link DecryptedMessage} but avoids recursion
+ */
+export interface BufferedDecryptedMessage {
+	/**
+	 * see {@link DecryptedMessage.message}
+	 */
+	message?: Uint8Array;
+	/**
+	 * see {@link DecryptedMessage.proposals}
+	 */
+	proposals: ProposalBundle[];
+	/**
+	 * see {@link DecryptedMessage.isActive}
+	 */
+	isActive: boolean;
+	/**
+	 * see {@link DecryptedMessage.commitDelay}
+	 */
+	commitDelay?: number;
+	/**
+	 * see {@link DecryptedMessage.senderClientId}
+	 */
+	senderClientId?: ClientId;
+	/**
+	 * see {@link DecryptedMessage.hasEpochChanged}
+	 */
+	hasEpochChanged: boolean;
+	/**
+	 * see {@link DecryptedMessage.identity}
+	 */
+	identity?: WireIdentity;
+	/**
+	 * see {@link DecryptedMessage.crlNewDistributionPoints}
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
- * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+ * Represents the identity claims identifying a client
+ * Those claims are verifiable by any member in the group
  */
 export interface WireIdentity {
 	/**
-	 * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+	 * Unique client identifier
 	 */
 	clientId: string;
 	/**
-	 * user handle e.g. `john_wire`
+	 * User handle e.g. `john_wire`
 	 */
 	handle: string;
 	/**
@@ -407,6 +528,66 @@ export interface WireIdentity {
 	 * DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
 	 */
 	domain: string;
+	/**
+	 * X509 certificate identifying this client in the MLS group ; PEM encoded
+	 */
+	certificate: string;
+	/**
+	 * Status of the Credential at the moment T when this object is created
+	 */
+	status: DeviceStatus;
+	/**
+	 * MLS thumbprint
+	 */
+	thumbprint: string;
+	/**
+	 * X509 certificate serial number
+	 */
+	serialNumber: string;
+	/**
+	 * X509 certificate not before as Unix timestamp
+	 */
+	notBefore: bigint;
+	/**
+	 * X509 certificate not after as Unix timestamp
+	 */
+	notAfter: bigint;
+}
+export interface AcmeDirectory {
+	/**
+	 * URL for fetching a new nonce. Use this only for creating a new account.
+	 */
+	newNonce: string;
+	/**
+	 * URL for creating a new account.
+	 */
+	newAccount: string;
+	/**
+	 * URL for creating a new order.
+	 */
+	newOrder: string;
+	/**
+	 * Revocation URL
+	 */
+	revokeCert: string;
+}
+/**
+ * Indicates the standalone status of a device Credential in a MLS group at a moment T.
+ * This does not represent the states where a device is not using MLS or is not using end-to-end identity
+ */
+export declare enum DeviceStatus {
+	/**
+	 * All is fine
+	 */
+	Valid = 1,
+	/**
+	 * The Credential's certificate is expired
+	 */
+	Expired = 2,
+	/**
+	 * The Credential's certificate is revoked
+	 */
+	Revoked = 3
 }
 /**
  * Returned by all methods creating proposals. Contains a proposal message and an identifier to roll back the proposal
@@ -424,6 +605,26 @@ export interface ProposalBundle {
 	 * @readonly
 	 */
 	proposalRef: ProposalRef;
+	/**
+	 *  New CRL Distribution of members of this group
+	 *
+	 * @readonly
+	 */
+	crlNewDistributionPoints?: string[];
+}
+export interface WelcomeBundle {
+	/**
+	 * Conversation ID
+	 *
+	 * @readonly
+	 */
+	id: Uint8Array;
+	/**
+	 *  New CRL Distribution of members of this group
+	 *
+	 * @readonly
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * MLS Proposal type
@@ -540,6 +741,10 @@ export interface CoreCryptoCallbacks {
  */
 export declare class CoreCrypto {
 	#private;
+	/**
+	 * Should only be used internally
+	 */
+	inner(): unknown;
 	/**
 	 * This is your entrypoint to initialize {@link CoreCrypto}!
 	 *
@@ -573,7 +778,7 @@ export declare class CoreCrypto {
 	 * });
 	 * ````
 	 */
-	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed }: CoreCryptoParams): Promise<CoreCrypto>;
+	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed, nbKeyPackage, }: CoreCryptoParams): Promise<CoreCrypto>;
 	/**
 	 * Almost identical to {@link CoreCrypto.init} but allows a 2 phase initialization of MLS.
 	 * First, calling this will set up the keystore and will allow generating proteus prekeys.
@@ -581,14 +786,15 @@ export declare class CoreCrypto {
 	 * Use this clientId to initialize MLS with {@link CoreCrypto.mlsInit}.
 	 * @param params - {@link CoreCryptoDeferredParams}
 	 */
-	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
+	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath, nbKeyPackage, }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
 	/**
 	 * Use this after {@link CoreCrypto.deferredInit} when you have a clientId. It initializes MLS.
 	 *
 	 * @param clientId - {@link CoreCryptoParams#clientId} but required
 	 * @param ciphersuites - All the ciphersuites supported by this MLS client
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
 	 */
-	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[]): Promise<void>;
+	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[], nbKeyPackage?: number): Promise<void>;
 	/**
 	 * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
 	 * This method is designed to be used in conjunction with {@link CoreCrypto.mlsInitWithClientId} and represents the first step in this process
@@ -625,7 +831,7 @@ export declare class CoreCrypto {
 	/**
 	 * Closes this {@link CoreCrypto} instance and deallocates all loaded resources
 	 *
-	 * **CAUTION**: This {@link CoreCrypto} instance won't be useable after a call to this method, but there's no way to express this requirement in TypeScript so you'll get errors instead!
+	 * **CAUTION**: This {@link CoreCrypto} instance won't be usable after a call to this method, but there's no way to express this requirement in TypeScript, so you'll get errors instead!
 	 */
 	close(): Promise<void>;
 	/**
@@ -691,7 +897,12 @@ export declare class CoreCrypto {
 	 */
 	createConversation(conversationId: ConversationId, creatorCredentialType: CredentialType, configuration?: ConversationConfiguration): Promise<any>;
 	/**
-	 * Decrypts a message for a given conversation
+	 * Decrypts a message for a given conversation.
+	 *
+	 * Note: you should catch & ignore the following error reasons:
+	 * * "We already decrypted this message once"
+	 * * "You tried to join with an external commit but did not merge it yet. We will reapply this message for you when you merge your external commit"
+	 * * "Incoming message is for a future epoch. We will buffer it until the commit for that epoch arrives"
 	 *
 	 * @param conversationId - The ID of the conversation
 	 * @param payload - The encrypted message buffer
@@ -708,34 +919,26 @@ export declare class CoreCrypto {
 	 * @returns The encrypted payload for the given group. This needs to be fanned out to the other members of the group.
 	 */
 	encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
-	/**
-	 * Updates the trust anchors for a conversation. This should be called when a federated event happens (new team added/removed).
-	 * Clients should add and/or remove trust anchors from the new backend to the conversation. The method will check
-	 * for duplicated domains and the validity of the certificate chain.
-	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
-	 *
-	 * @param conversationId - The ID of the conversation
-	 * @param removeDomainNames - Domains to remove from the trust anchors
-	 * @param addTrustAnchors - New trust anchors to add to the conversation
-	 *
-	 * @returns A {@link CommitBundle}
-	 */
-	update_trust_anchors_from_conversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
 	/**
 	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
+	 * Important: you have to catch the error with this reason "Although this Welcome seems valid, the local KeyPackage
+	 * it references has already been deleted locally. Join this group with an external commit", ignore it and then try
+	 * to join this group with an external commit.
+	 *
 	 * @param welcomeMessage - TLS-serialized MLS Welcome message
 	 * @param configuration - configuration of the MLS group
 	 * @returns The conversation ID of the newly joined group. You can use the same ID to decrypt/encrypt messages
 	 */
-	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<ConversationId>;
+	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<WelcomeBundle>;
 	/**
-	 * @returns The client's public key
+	 * Get the client's public signature key. To upload to the DS for further backend side validation
+	 *
+	 * @param ciphersuite - of the signature key to get
+	 * @param credentialType - of the public key to look for
+	 * @returns the client's public signature key
 	 */
-	clientPublicKey(ciphersuite: Ciphersuite): Promise<Uint8Array>;
+	clientPublicKey(ciphersuite: Ciphersuite, credentialType: CredentialType): Promise<Uint8Array>;
 	/**
 	 *
 	 * @param ciphersuite - of the KeyPackages to count
@@ -762,21 +965,21 @@ export declare class CoreCrypto {
 	/**
 	 * Adds new clients to a conversation, assuming the current client has the right to add new clients to the conversation.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
 	 * @param conversationId - The ID of the conversation
-	 * @param clients - Array of {@link Invitee} (which are Client ID / KeyPackage pairs)
+	 * @param keyPackages - KeyPackages of the new clients to add
 	 *
 	 * @returns A {@link CommitBundle}
 	 */
-	addClientsToConversation(conversationId: ConversationId, clients: Invitee[]): Promise<MemberAddedMessages>;
+	addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<MemberAddedMessages>;
 	/**
 	 * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
 	 * to do so, otherwise this operation does nothing.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -787,9 +990,9 @@ export declare class CoreCrypto {
 	 */
 	removeClientsFromConversation(conversationId: ConversationId, clientIds: ClientId[]): Promise<CommitBundle>;
 	/**
-	 * Creates an update commit which forces every client to update their keypackages in the conversation
+	 * Creates an update commit which forces every client to update their LeafNode in the conversation
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -819,6 +1022,9 @@ export declare class CoreCrypto {
 	 * @returns A {@link ProposalBundle} containing the Proposal and its reference in order to roll it back if necessary
 	 */
 	newProposal(proposalType: ProposalType, args: ProposalArgs | AddProposalArgs | RemoveProposalArgs): Promise<ProposalBundle>;
+	/**
+	 * Creates a new external Add proposal for self client to join a conversation.
+	 */
 	newExternalProposal(externalProposalType: ExternalProposalType, args: ExternalAddProposalArgs): Promise<Uint8Array>;
 	/**
 	 * Allows to create an external commit to "apply" to join a group through its GroupInfo.
@@ -843,8 +1049,9 @@ export declare class CoreCrypto {
 	 * and deletes the temporary one. This step makes the group operational and ready to encrypt/decrypt message
 	 *
 	 * @param conversationId - The ID of the conversation
+	 * @returns eventually decrypted buffered messages if any
 	 */
-	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<DecryptedMessage[] | undefined>;
+	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
 	 * In case the external commit generated by {@link CoreCrypto.joinByExternalCommit} is rejected by the Delivery Service, and we
 	 * want to abort this external commit once for all, we can wipe out the pending group from the keystore in order
@@ -854,26 +1061,24 @@ export declare class CoreCrypto {
 	 */
 	clearPendingGroupFromExternalCommit(conversationId: ConversationId): Promise<void>;
 	/**
-	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it
-	 * into the local group state
+	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it into the local group state
 	 *
 	 * @param conversationId - The group's ID
+	 * @returns the messages from current epoch which had been buffered, if any
 	 */
-	commitAccepted(conversationId: ConversationId): Promise<void>;
+	commitAccepted(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
-	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
-	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc..
+	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc…
 	 *
 	 * @param conversationId - The group's ID
 	 * @param proposalRef - A reference to the proposal to delete. You get one when using {@link CoreCrypto.newProposal}
 	 */
 	clearPendingProposal(conversationId: ConversationId, proposalRef: ProposalRef): Promise<void>;
 	/**
-	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
 	 * e.g. 403. Do not use otherwise e.g. 5xx responses, timeout etc..
@@ -893,6 +1098,15 @@ export declare class CoreCrypto {
 	 * @returns A `Uint8Array` representing the derived key
 	 */
 	exportSecretKey(conversationId: ConversationId, keyLength: number): Promise<Uint8Array>;
+	/**
+	 * Returns the raw public key of the single external sender present in this group.
+	 * This should be used to initialize a subconversation
+	 *
+	 * @param conversationId - The group's ID
+	 *
+	 * @returns A `Uint8Array` representing the external sender raw public key
+	 */
+	getExternalSender(conversationId: ConversationId): Promise<Uint8Array>;
 	/**
 	 * Returns all clients from group's members
 	 *
@@ -917,7 +1131,7 @@ export declare class CoreCrypto {
 	 */
 	reseedRng(seed: Uint8Array): Promise<void>;
 	/**
-	 * Initiailizes the proteus client
+	 * Initializes the proteus client
 	 */
 	proteusInit(): Promise<void>;
 	/**
@@ -1050,47 +1264,91 @@ export declare class CoreCrypto {
 	 * Creates an enrollment instance with private key material you can use in order to fetch
 	 * a new x509 certificate from the acme server.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiMlsInitOnly}
 	 */
-	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewActivationEnrollment(displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
 	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
+	e2eiNewRotateEnrollment(expirySec: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
 	/**
-	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
+	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
+	 * that means he cannot initialize with a Basic credential
 	 *
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
+	 * @returns a MlsClient initialized with only a x509 credential
+	 */
+	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<string[] | undefined>;
+	/**
+	 * Dumps the PKI environment as PEM
+	 *
+	 * @returns a struct with different fields representing the PKI environment as PEM strings
 	 */
-	e2eiMlsInitOnly(enrollment: WireE2eIdentity, certificateChain: string): Promise<void>;
+	e2eiDumpPKIEnv(): Promise<E2eiDumpedPkiEnv | undefined>;
+	/**
+	 * @returns whether the E2EI PKI environment is setup (i.e. Root CA, Intermediates, CRLs)
+	 */
+	e2eiIsPKIEnvSetup(): Promise<boolean>;
+	/**
+	 * Registers a Root Trust Anchor CA for the use in E2EI processing.
+	 *
+	 * Please note that without a Root Trust Anchor, all validations *will* fail;
+	 * So this is the first step to perform after initializing your E2EI client
+	 *
+	 * @param trustAnchorPEM - PEM certificate to anchor as a Trust Root
+	 */
+	e2eiRegisterAcmeCA(trustAnchorPEM: string): Promise<void>;
+	/**
+	 * Registers an Intermediate CA for the use in E2EI processing.
+	 *
+	 * Please note that a Root Trust Anchor CA is needed to validate Intermediate CAs;
+	 * You **need** to have a Root CA registered before calling this
+	 *
+	 * @param certPEM - PEM certificate to register as an Intermediate CA
+	 */
+	e2eiRegisterIntermediateCA(certPEM: string): Promise<string[] | undefined>;
+	/**
+	 * Registers a CRL for the use in E2EI processing.
+	 *
+	 * Please note that a Root Trust Anchor CA is needed to validate CRLs;
+	 * You **need** to have a Root CA registered before calling this
+	 *
+	 * @param crlDP - CRL Distribution Point; Basically the URL you fetched it from
+	 * @param crlDER - DER representation of the CRL
+	 *
+	 * @returns a {@link CRLRegistration} with the dirty state of the new CRL (see struct) and its expiration timestamp
+	 */
+	e2eiRegisterCRL(crlDP: string, crlDER: Uint8Array): Promise<CRLRegistration>;
 	/**
 	 * Creates a commit in all local conversations for changing the credential. Requires first
 	 * having enrolled a new X509 certificate with either {@link CoreCrypto.e2eiNewActivationEnrollment}
@@ -1099,8 +1357,9 @@ export declare class CoreCrypto {
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
 	 * @param newKeyPackageCount - number of KeyPackages with new identity to generate
+	 * @returns a {@link RotateBundle} with commits to fan-out to other group members, KeyPackages to upload and old ones to delete
 	 */
-	e2eiRotateAll(enrollment: WireE2eIdentity, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
+	e2eiRotateAll(enrollment: E2eiEnrollment, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
 	/**
 	 * Allows persisting an active enrollment (for example while redirecting the user during OAuth) in order to resume
 	 * it later with {@link e2eiEnrollmentStashPop}
@@ -1108,16 +1367,16 @@ export declare class CoreCrypto {
 	 * @param enrollment the enrollment instance to persist
 	 * @returns a handle to fetch the enrollment later with {@link e2eiEnrollmentStashPop}
 	 */
-	e2eiEnrollmentStash(enrollment: WireE2eIdentity): Promise<Uint8Array>;
+	e2eiEnrollmentStash(enrollment: E2eiEnrollment): Promise<Uint8Array>;
 	/**
 	 * Fetches the persisted enrollment and deletes it from the keystore
 	 *
 	 * @param handle returned by {@link e2eiEnrollmentStash}
 	 * @returns the persisted enrollment instance
 	 */
-	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<WireE2eIdentity>;
+	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
 	/**
-	 * Indicates when to mark a conversation as degraded i.e. when not all its members have a X509.
+	 * Indicates when to mark a conversation as not verified i.e. when not all its members have a X509.
 	 * Credential generated by Wire's end-to-end identity enrollment
 	 *
 	 * @param conversationId The group's ID
@@ -1128,9 +1387,37 @@ export declare class CoreCrypto {
 	 * Returns true when end-to-end-identity is enabled for the given Ciphersuite
 	 *
 	 * @param ciphersuite of the credential to check
-	 * @returns true end-to-end identity is enabled for the given ciphersuite
+	 * @returns true if end-to-end identity is enabled for the given ciphersuite
 	 */
 	e2eiIsEnabled(ciphersuite: Ciphersuite): Promise<boolean>;
+	/**
+	 * From a given conversation, get the identity of the members supplied. Identity is only present for members with a
+	 * Certificate Credential (after turning on end-to-end identity).
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param deviceIds - identifiers of the devices
+	 * @returns identities or if no member has a x509 certificate, it will return an empty List
+	 */
+	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity[]>;
+	/**
+	 * From a given conversation, get the identity of the users (device holders) supplied.
+	 * Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
+	 * If no member has a x509 certificate, it will return an empty Vec.
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
+	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
+	 */
+	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
+	/**
+	 * Gets the e2ei conversation state from a `GroupInfo`. Useful to check if the group has e2ei
+	 * turned on or not before joining it.
+	 *
+	 * @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
+	 * @param credentialType - kind of Credential to check usage of. Defaults to X509 for now as no other value will give any result.
+	 * @returns see {@link E2eiConversationState}
+	 */
+	getCredentialInUse(groupInfo: Uint8Array, credentialType?: CredentialType): Promise<E2eiConversationState>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -1139,7 +1426,7 @@ export declare class CoreCrypto {
 	static version(): string;
 }
 type JsonRawData = Uint8Array;
-export declare class WireE2eIdentity {
+export declare class E2eiEnrollment {
 	#private;
 	/** @hidden */
 	constructor(e2ei: unknown);
@@ -1156,7 +1443,7 @@ export declare class WireE2eIdentity {
 	 * @param directory HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
 	 */
-	directoryResponse(directory: JsonRawData): AcmeDirectory;
+	directoryResponse(directory: JsonRawData): Promise<AcmeDirectory>;
 	/**
 	 * For creating a new acme account. This returns a signed JWS-alike request body to send to
 	 * `POST /acme/{provisioner-name}/new-account`.
@@ -1164,27 +1451,27 @@ export declare class WireE2eIdentity {
 	 * @param previousNonce you got from calling `HEAD {@link AcmeDirectory.newNonce}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	newAccountRequest(previousNonce: string): JsonRawData;
+	newAccountRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-account`.
 	 * @param account HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	newAccountResponse(account: JsonRawData): void;
+	newAccountResponse(account: JsonRawData): Promise<void>;
 	/**
 	 * Creates a new acme order for the handle (userId + display name) and the clientId.
 	 *
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderRequest(previousNonce: string): JsonRawData;
+	newOrderRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-order`.
 	 *
 	 * @param order HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderResponse(order: JsonRawData): NewAcmeOrder;
+	newOrderResponse(order: JsonRawData): Promise<NewAcmeOrder>;
 	/**
 	 * Creates a new authorization request.
 	 *
@@ -1193,14 +1480,14 @@ export declare class WireE2eIdentity {
 	 * previous to this method if you are creating the second authorization)
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	newAuthzRequest(url: string, previousNonce: string): JsonRawData;
+	newAuthzRequest(url: string, previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 *
 	 * @param authz HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	newAuthzResponse(authz: JsonRawData): NewAcmeAuthz;
+	newAuthzResponse(authz: JsonRawData): Promise<NewAcmeAuthz>;
 	/**
 	 * Generates a new client Dpop JWT token. It demonstrates proof of possession of the nonces
 	 * (from wire-server & acme server) and will be verified by the acme server when verifying the
@@ -1212,7 +1499,7 @@ export declare class WireE2eIdentity {
 	 * @param expirySecs of the client Dpop JWT. This should be equal to the grace period set in Team Management
 	 * @param backendNonce you get by calling `GET /clients/token/nonce` on wire-server as defined here {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/get_clients__client__nonce}
 	 */
-	createDpopToken(expirySecs: number, backendNonce: string): Uint8Array;
+	createDpopToken(expirySecs: number, backendNonce: string): Promise<Uint8Array>;
 	/**
 	 * Creates a new challenge request for Wire Dpop challenge.
 	 *
@@ -1220,7 +1507,14 @@ export declare class WireE2eIdentity {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newDpopChallengeRequest(accessToken: string, previousNonce: string): JsonRawData;
+	newDpopChallengeRequest(accessToken: string, previousNonce: string): Promise<JsonRawData>;
+	/**
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the DPoP challenge.
+	 *
+	 * @param challenge HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+	 */
+	newDpopChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
 	 * Creates a new challenge request for Wire Oidc challenge.
 	 *
@@ -1228,14 +1522,15 @@ export declare class WireE2eIdentity {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newOidcChallengeRequest(idToken: string, previousNonce: string): JsonRawData;
+	newOidcChallengeRequest(idToken: string, previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}`.
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the OIDC challenge.
 	 *
+	 * @param cc the CoreCrypto instance
 	 * @param challenge HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newChallengeResponse(challenge: JsonRawData): void;
+	newOidcChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
 	 * Verifies that the previous challenge has been completed.
 	 *
@@ -1243,22 +1538,22 @@ export declare class WireE2eIdentity {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/challenge/{challenge-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	checkOrderRequest(orderUrl: string, previousNonce: string): JsonRawData;
+	checkOrderRequest(orderUrl: string, previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
 	 *
 	 * @param order HTTP response body
-	 * @return the finalize url to use with {@link finalizeRequest}
+	 * @return finalize url to use with {@link finalizeRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	checkOrderResponse(order: JsonRawData): string;
+	checkOrderResponse(order: JsonRawData): Promise<string>;
 	/**
 	 * Final step before fetching the certificate.
 	 *
 	 * @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeRequest(previousNonce: string): JsonRawData;
+	finalizeRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}/finalize`.
 	 *
@@ -1266,105 +1561,14 @@ export declare class WireE2eIdentity {
 	 * @return the certificate url to use with {@link certificateRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeResponse(finalize: JsonRawData): string;
+	finalizeResponse(finalize: JsonRawData): Promise<string>;
 	/**
 	 * Creates a request for finally fetching the x509 certificate.
 	 *
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}/finalize`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
 	 */
-	certificateRequest(previousNonce: string): JsonRawData;
-}
-/**
- * Holds URLs of all the standard ACME endpoint supported on an ACME server.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
- */
-export interface AcmeDirectory {
-	/**
-	 * URL for fetching a new nonce. Use this only for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newNonce: string;
-	/**
-	 * URL for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newAccount: string;
-	/**
-	 * URL for creating a new order.
-	 *
-	 * @readonly
-	 */
-	newOrder: string;
-}
-/**
- * Result of an order creation
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
- */
-export interface NewAcmeOrder {
-	/**
-	 * Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
-	 */
-	delegate: Uint8Array;
-	/**
-	 * An authorization for each domain to create
-	 *
-	 * @readonly
-	 */
-	authorizations: Uint8Array[];
-}
-/**
- * Result of an authorization creation.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
- */
-export interface NewAcmeAuthz {
-	/**
-	 * DNS entry associated with those challenge
-	 *
-	 * @readonly
-	 */
-	identifier: string;
-	/**
-	 * Challenge for the clientId
-	 *
-	 * @readonly
-	 */
-	wireDpopChallenge?: AcmeChallenge;
-	/**
-	 * Challenge for the userId and displayName
-	 *
-	 * @readonly
-	 */
-	wireOidcChallenge?: AcmeChallenge;
-}
-/**
- * For creating a challenge
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
- */
-export interface AcmeChallenge {
-	/**
-	 * Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
-	 */
-	delegate: Uint8Array;
-	/**
-	 * URL of this challenge
-	 *
-	 * @readonly
-	 */
-	url: string;
-	/**
-	 * Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
-	 * Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
-	 *
-	 * @readonly
-	 */
-	target: string;
+	certificateRequest(previousNonce: string): Promise<JsonRawData>;
 }
 /**
  * Indicates the state of a Conversation regarding end-to-end identity.
@@ -1379,9 +1583,9 @@ export declare enum E2eiConversationState {
 	/**
 	 * Some clients are either still Basic or their certificate is expired
 	 */
-	Degraded = 2,
+	NotVerified = 2,
 	/**
-	 * All clients are still Basic. If all client have expired certificates, Degraded is returned.
+	 * All clients are still Basic. If all client have expired certificates, NotVerified is returned.
 	 */
 	NotEnabled = 3
 }