npm - @wireapp/core-crypto - Versions diffs - 1.0.0-rc.5 → 1.0.0-rc.51 - Mend

@wireapp/core-crypto 1.0.0-rc.5 → 1.0.0-rc.51

Files changed (6) hide show

package/README.md +4 -2
package/package.json +12 -31
package/platforms/web/core-crypto-ffi_bg.wasm +0 -0
package/platforms/web/corecrypto.d.ts +416 -212
package/platforms/web/corecrypto.js +3193 -4956
package/platforms/web/assets/core_crypto_ffi-9ad99558.wasm +0 -0

package/platforms/web/corecrypto.d.ts CHANGED Viewed

@@ -1,3 +1,74 @@
+/**
+* For creating a challenge.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+*/
+export class AcmeChallenge {
+	free(): void;
+	/**
+	* Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+	/**
+	* Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
+	* Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
+	*/
+	readonly target: string;
+	/**
+	* URL of this challenge
+	*/
+	readonly url: string;
+}
+/**
+* Dump of the PKI environemnt as PEM
+*/
+export class E2eiDumpedPkiEnv {
+	free(): void;
+	/**
+	* CRLs registered in the PKI env
+	*/
+	readonly crls: (string)[];
+	/**
+	* Intermediate CAs that are loaded
+	*/
+	readonly intermediates: (string)[];
+	/**
+	* Root CA in use (i.e. Trust Anchor)
+	*/
+	readonly root_ca: string;
+}
+/**
+* Result of an authorization creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
+*/
+export class NewAcmeAuthz {
+	free(): void;
+	/**
+	* Associated ACME Challenge
+	*/
+	readonly challenge: AcmeChallenge;
+	/**
+	* DNS entry associated with those challenge
+	*/
+	readonly identifier: string;
+	/**
+	* ACME challenge + ACME key thumbprint
+	*/
+	readonly keyauth: string | undefined;
+}
+/**
+* Result of an order creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
+*/
+export class NewAcmeOrder {
+	free(): void;
+	/**
+	*/
+	readonly authorizations: (Uint8Array)[];
+	/**
+	* Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+}
 /**
  * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
  *
@@ -79,24 +150,6 @@ export interface ConversationConfiguration {
 	 * Implementation specific configuration
 	 */
 	custom?: CustomConfiguration;
-	/**
-	 * Trust anchors to be added in the group's context extensions
-	 */
-	perDomainTrustAnchors?: PerDomainTrustAnchor[];
-}
-/**
- * A wrapper containing the configuration for trust anchors to be added in the group's context
- * extensions
- */
-export interface PerDomainTrustAnchor {
-	/**
-	 * Domain name of the owning backend this anchor refers to. One of the certificate in the chain has to have this domain in its SANs
-	 */
-	domain_name: string;
-	/**
-	 * PEM encoded (partial) certificate chain. This contains the certificate chain for the CA certificate issuing the E2E Identity certificates
-	 */
-	intermediate_certificate_chain: string;
 }
 /**
  * see [core_crypto::prelude::MlsWirePolicy]
@@ -179,6 +232,10 @@ export interface MemberAddedMessages {
 	 * @readonly
 	 */
 	groupInfo: GroupInfoBundle;
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * Data shape for a MLS generic commit + optional bundle (aka stapled commit & welcome)
@@ -262,7 +319,7 @@ export interface RotateBundle {
 	 *
 	 * @readonly
 	 */
-	commits: CommitBundle[];
+	commits: Map<string, CommitBundle>;
 	/**
 	 * Fresh KeyPackages with the new Credential
 	 *
@@ -275,6 +332,10 @@ export interface RotateBundle {
 	 * @readonly
 	 */
 	keyPackageRefsToRemove: Uint8Array[];
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * Params for CoreCrypto deferred initialization
@@ -303,6 +364,10 @@ export interface CoreCryptoDeferredParams {
 	 * .wasm file path, this will be useful in case your bundling system likes to relocate files (i.e. what webpack does)
 	 */
 	wasmFilePath?: string;
+	/**
+	 * Number of initial KeyPackage to create when initializing the client
+	 */
+	nbKeyPackage?: number;
 }
 /**
  * Params for CoreCrypto initialization
@@ -315,19 +380,6 @@ export interface CoreCryptoParams extends CoreCryptoDeferredParams {
 	 */
 	clientId: ClientId;
 }
-/**
- * Data shape for adding clients to a conversation
- */
-export interface Invitee {
-	/**
-	 * Client ID as a byte array
-	 */
-	id: ClientId;
-	/**
-	 * MLS KeyPackage belonging to the aforementioned client
-	 */
-	kp: Uint8Array;
-}
 export interface ConversationInitBundle {
 	/**
 	 * Conversation ID of the conversation created
@@ -348,6 +400,27 @@ export interface ConversationInitBundle {
 	 * @readonly
 	 */
 	groupInfo: GroupInfoBundle;
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
+}
+/**
+ *  Supporting struct for CRL registration result
+ */
+export interface CRLRegistration {
+	/**
+	 * Whether this CRL modifies the old CRL (i.e. has a different revocated cert list)
+	 *
+	 * @readonly
+	 */
+	dirty: boolean;
+	/**
+	 * Optional expiration timestamp
+	 *
+	 * @readonly
+	 */
+	expiration?: number;
 }
 /**
  * This is a wrapper for all the possible outcomes you can get after decrypting a message
@@ -386,17 +459,65 @@ export interface DecryptedMessage {
 	 * Present for all messages
 	 */
 	identity?: WireIdentity;
+	/**
+	 * Only set when the decrypted message is a commit.
+	 * Contains buffered messages for next epoch which were received before the commit creating the epoch
+	 * because the DS did not fan them out in order.
+	 */
+	bufferedMessages?: BufferedDecryptedMessage[];
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
+}
+/**
+ * Almost same as {@link DecryptedMessage} but avoids recursion
+ */
+export interface BufferedDecryptedMessage {
+	/**
+	 * see {@link DecryptedMessage.message}
+	 */
+	message?: Uint8Array;
+	/**
+	 * see {@link DecryptedMessage.proposals}
+	 */
+	proposals: ProposalBundle[];
+	/**
+	 * see {@link DecryptedMessage.isActive}
+	 */
+	isActive: boolean;
+	/**
+	 * see {@link DecryptedMessage.commitDelay}
+	 */
+	commitDelay?: number;
+	/**
+	 * see {@link DecryptedMessage.senderClientId}
+	 */
+	senderClientId?: ClientId;
+	/**
+	 * see {@link DecryptedMessage.hasEpochChanged}
+	 */
+	hasEpochChanged: boolean;
+	/**
+	 * see {@link DecryptedMessage.identity}
+	 */
+	identity?: WireIdentity;
+	/**
+	 * see {@link DecryptedMessage.crlNewDistributionPoints}
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
- * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+ * Represents the identity claims identifying a client
+ * Those claims are verifiable by any member in the group
  */
 export interface WireIdentity {
 	/**
-	 * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+	 * Unique client identifier
 	 */
 	clientId: string;
 	/**
-	 * user handle e.g. `john_wire`
+	 * User handle e.g. `john_wire`
 	 */
 	handle: string;
 	/**
@@ -407,6 +528,66 @@ export interface WireIdentity {
 	 * DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
 	 */
 	domain: string;
+	/**
+	 * X509 certificate identifying this client in the MLS group ; PEM encoded
+	 */
+	certificate: string;
+	/**
+	 * Status of the Credential at the moment T when this object is created
+	 */
+	status: DeviceStatus;
+	/**
+	 * MLS thumbprint
+	 */
+	thumbprint: string;
+	/**
+	 * X509 certificate serial number
+	 */
+	serialNumber: string;
+	/**
+	 * X509 certificate not before as Unix timestamp
+	 */
+	notBefore: bigint;
+	/**
+	 * X509 certificate not after as Unix timestamp
+	 */
+	notAfter: bigint;
+}
+export interface AcmeDirectory {
+	/**
+	 * URL for fetching a new nonce. Use this only for creating a new account.
+	 */
+	newNonce: string;
+	/**
+	 * URL for creating a new account.
+	 */
+	newAccount: string;
+	/**
+	 * URL for creating a new order.
+	 */
+	newOrder: string;
+	/**
+	 * Revocation URL
+	 */
+	revokeCert: string;
+}
+/**
+ * Indicates the standalone status of a device Credential in a MLS group at a moment T.
+ * This does not represent the states where a device is not using MLS or is not using end-to-end identity
+ */
+export declare enum DeviceStatus {
+	/**
+	 * All is fine
+	 */
+	Valid = 1,
+	/**
+	 * The Credential's certificate is expired
+	 */
+	Expired = 2,
+	/**
+	 * The Credential's certificate is revoked
+	 */
+	Revoked = 3
 }
 /**
  * Returned by all methods creating proposals. Contains a proposal message and an identifier to roll back the proposal
@@ -424,6 +605,26 @@ export interface ProposalBundle {
 	 * @readonly
 	 */
 	proposalRef: ProposalRef;
+	/**
+	 *  New CRL Distribution of members of this group
+	 *
+	 * @readonly
+	 */
+	crlNewDistributionPoints?: string[];
+}
+export interface WelcomeBundle {
+	/**
+	 * Conversation ID
+	 *
+	 * @readonly
+	 */
+	id: Uint8Array;
+	/**
+	 *  New CRL Distribution of members of this group
+	 *
+	 * @readonly
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * MLS Proposal type
@@ -540,6 +741,10 @@ export interface CoreCryptoCallbacks {
  */
 export declare class CoreCrypto {
 	#private;
+	/**
+	 * Should only be used internally
+	 */
+	inner(): unknown;
 	/**
 	 * This is your entrypoint to initialize {@link CoreCrypto}!
 	 *
@@ -573,7 +778,7 @@ export declare class CoreCrypto {
 	 * });
 	 * ````
 	 */
-	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed }: CoreCryptoParams): Promise<CoreCrypto>;
+	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed, nbKeyPackage, }: CoreCryptoParams): Promise<CoreCrypto>;
 	/**
 	 * Almost identical to {@link CoreCrypto.init} but allows a 2 phase initialization of MLS.
 	 * First, calling this will set up the keystore and will allow generating proteus prekeys.
@@ -581,14 +786,15 @@ export declare class CoreCrypto {
 	 * Use this clientId to initialize MLS with {@link CoreCrypto.mlsInit}.
 	 * @param params - {@link CoreCryptoDeferredParams}
 	 */
-	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
+	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath, nbKeyPackage, }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
 	/**
 	 * Use this after {@link CoreCrypto.deferredInit} when you have a clientId. It initializes MLS.
 	 *
 	 * @param clientId - {@link CoreCryptoParams#clientId} but required
 	 * @param ciphersuites - All the ciphersuites supported by this MLS client
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
 	 */
-	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[]): Promise<void>;
+	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[], nbKeyPackage?: number): Promise<void>;
 	/**
 	 * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
 	 * This method is designed to be used in conjunction with {@link CoreCrypto.mlsInitWithClientId} and represents the first step in this process
@@ -625,7 +831,7 @@ export declare class CoreCrypto {
 	/**
 	 * Closes this {@link CoreCrypto} instance and deallocates all loaded resources
 	 *
-	 * **CAUTION**: This {@link CoreCrypto} instance won't be useable after a call to this method, but there's no way to express this requirement in TypeScript so you'll get errors instead!
+	 * **CAUTION**: This {@link CoreCrypto} instance won't be usable after a call to this method, but there's no way to express this requirement in TypeScript, so you'll get errors instead!
 	 */
 	close(): Promise<void>;
 	/**
@@ -691,7 +897,12 @@ export declare class CoreCrypto {
 	 */
 	createConversation(conversationId: ConversationId, creatorCredentialType: CredentialType, configuration?: ConversationConfiguration): Promise<any>;
 	/**
-	 * Decrypts a message for a given conversation
+	 * Decrypts a message for a given conversation.
+	 *
+	 * Note: you should catch & ignore the following error reasons:
+	 * * "We already decrypted this message once"
+	 * * "You tried to join with an external commit but did not merge it yet. We will reapply this message for you when you merge your external commit"
+	 * * "Incoming message is for a future epoch. We will buffer it until the commit for that epoch arrives"
 	 *
 	 * @param conversationId - The ID of the conversation
 	 * @param payload - The encrypted message buffer
@@ -708,34 +919,26 @@ export declare class CoreCrypto {
 	 * @returns The encrypted payload for the given group. This needs to be fanned out to the other members of the group.
 	 */
 	encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
-	/**
-	 * Updates the trust anchors for a conversation. This should be called when a federated event happens (new team added/removed).
-	 * Clients should add and/or remove trust anchors from the new backend to the conversation. The method will check
-	 * for duplicated domains and the validity of the certificate chain.
-	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
-	 *
-	 * @param conversationId - The ID of the conversation
-	 * @param removeDomainNames - Domains to remove from the trust anchors
-	 * @param addTrustAnchors - New trust anchors to add to the conversation
-	 *
-	 * @returns A {@link CommitBundle}
-	 */
-	update_trust_anchors_from_conversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
 	/**
 	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
+	 * Important: you have to catch the error with this reason "Although this Welcome seems valid, the local KeyPackage
+	 * it references has already been deleted locally. Join this group with an external commit", ignore it and then try
+	 * to join this group with an external commit.
+	 *
 	 * @param welcomeMessage - TLS-serialized MLS Welcome message
 	 * @param configuration - configuration of the MLS group
 	 * @returns The conversation ID of the newly joined group. You can use the same ID to decrypt/encrypt messages
 	 */
-	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<ConversationId>;
+	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<WelcomeBundle>;
 	/**
-	 * @returns The client's public key
+	 * Get the client's public signature key. To upload to the DS for further backend side validation
+	 *
+	 * @param ciphersuite - of the signature key to get
+	 * @param credentialType - of the public key to look for
+	 * @returns the client's public signature key
 	 */
-	clientPublicKey(ciphersuite: Ciphersuite): Promise<Uint8Array>;
+	clientPublicKey(ciphersuite: Ciphersuite, credentialType: CredentialType): Promise<Uint8Array>;
 	/**
 	 *
 	 * @param ciphersuite - of the KeyPackages to count
@@ -762,21 +965,21 @@ export declare class CoreCrypto {
 	/**
 	 * Adds new clients to a conversation, assuming the current client has the right to add new clients to the conversation.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
 	 * @param conversationId - The ID of the conversation
-	 * @param clients - Array of {@link Invitee} (which are Client ID / KeyPackage pairs)
+	 * @param keyPackages - KeyPackages of the new clients to add
 	 *
 	 * @returns A {@link CommitBundle}
 	 */
-	addClientsToConversation(conversationId: ConversationId, clients: Invitee[]): Promise<MemberAddedMessages>;
+	addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<MemberAddedMessages>;
 	/**
 	 * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
 	 * to do so, otherwise this operation does nothing.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -787,9 +990,9 @@ export declare class CoreCrypto {
 	 */
 	removeClientsFromConversation(conversationId: ConversationId, clientIds: ClientId[]): Promise<CommitBundle>;
 	/**
-	 * Creates an update commit which forces every client to update their keypackages in the conversation
+	 * Creates an update commit which forces every client to update their LeafNode in the conversation
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -819,6 +1022,9 @@ export declare class CoreCrypto {
 	 * @returns A {@link ProposalBundle} containing the Proposal and its reference in order to roll it back if necessary
 	 */
 	newProposal(proposalType: ProposalType, args: ProposalArgs | AddProposalArgs | RemoveProposalArgs): Promise<ProposalBundle>;
+	/**
+	 * Creates a new external Add proposal for self client to join a conversation.
+	 */
 	newExternalProposal(externalProposalType: ExternalProposalType, args: ExternalAddProposalArgs): Promise<Uint8Array>;
 	/**
 	 * Allows to create an external commit to "apply" to join a group through its GroupInfo.
@@ -843,8 +1049,9 @@ export declare class CoreCrypto {
 	 * and deletes the temporary one. This step makes the group operational and ready to encrypt/decrypt message
 	 *
 	 * @param conversationId - The ID of the conversation
+	 * @returns eventually decrypted buffered messages if any
 	 */
-	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<DecryptedMessage[] | undefined>;
+	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
 	 * In case the external commit generated by {@link CoreCrypto.joinByExternalCommit} is rejected by the Delivery Service, and we
 	 * want to abort this external commit once for all, we can wipe out the pending group from the keystore in order
@@ -854,26 +1061,24 @@ export declare class CoreCrypto {
 	 */
 	clearPendingGroupFromExternalCommit(conversationId: ConversationId): Promise<void>;
 	/**
-	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it
-	 * into the local group state
+	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it into the local group state
 	 *
 	 * @param conversationId - The group's ID
+	 * @returns the messages from current epoch which had been buffered, if any
 	 */
-	commitAccepted(conversationId: ConversationId): Promise<void>;
+	commitAccepted(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
-	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
-	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc..
+	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc…
 	 *
 	 * @param conversationId - The group's ID
 	 * @param proposalRef - A reference to the proposal to delete. You get one when using {@link CoreCrypto.newProposal}
 	 */
 	clearPendingProposal(conversationId: ConversationId, proposalRef: ProposalRef): Promise<void>;
 	/**
-	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
 	 * e.g. 403. Do not use otherwise e.g. 5xx responses, timeout etc..
@@ -893,6 +1098,15 @@ export declare class CoreCrypto {
 	 * @returns A `Uint8Array` representing the derived key
 	 */
 	exportSecretKey(conversationId: ConversationId, keyLength: number): Promise<Uint8Array>;
+	/**
+	 * Returns the raw public key of the single external sender present in this group.
+	 * This should be used to initialize a subconversation
+	 *
+	 * @param conversationId - The group's ID
+	 *
+	 * @returns A `Uint8Array` representing the external sender raw public key
+	 */
+	getExternalSender(conversationId: ConversationId): Promise<Uint8Array>;
 	/**
 	 * Returns all clients from group's members
 	 *
@@ -917,7 +1131,7 @@ export declare class CoreCrypto {
 	 */
 	reseedRng(seed: Uint8Array): Promise<void>;
 	/**
-	 * Initiailizes the proteus client
+	 * Initializes the proteus client
 	 */
 	proteusInit(): Promise<void>;
 	/**
@@ -1050,47 +1264,91 @@ export declare class CoreCrypto {
 	 * Creates an enrollment instance with private key material you can use in order to fetch
 	 * a new x509 certificate from the acme server.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiMlsInitOnly}
 	 */
-	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewActivationEnrollment(displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
 	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param team - name of the Wire team a user belongs to
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
+	e2eiNewRotateEnrollment(expirySec: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
 	/**
-	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
+	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
+	 * that means he cannot initialize with a Basic credential
 	 *
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
+	 * @returns a MlsClient initialized with only a x509 credential
+	 */
+	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<string[] | undefined>;
+	/**
+	 * Dumps the PKI environment as PEM
+	 *
+	 * @returns a struct with different fields representing the PKI environment as PEM strings
 	 */
-	e2eiMlsInitOnly(enrollment: WireE2eIdentity, certificateChain: string): Promise<void>;
+	e2eiDumpPKIEnv(): Promise<E2eiDumpedPkiEnv | undefined>;
+	/**
+	 * @returns whether the E2EI PKI environment is setup (i.e. Root CA, Intermediates, CRLs)
+	 */
+	e2eiIsPKIEnvSetup(): Promise<boolean>;
+	/**
+	 * Registers a Root Trust Anchor CA for the use in E2EI processing.
+	 *
+	 * Please note that without a Root Trust Anchor, all validations *will* fail;
+	 * So this is the first step to perform after initializing your E2EI client
+	 *
+	 * @param trustAnchorPEM - PEM certificate to anchor as a Trust Root
+	 */
+	e2eiRegisterAcmeCA(trustAnchorPEM: string): Promise<void>;
+	/**
+	 * Registers an Intermediate CA for the use in E2EI processing.
+	 *
+	 * Please note that a Root Trust Anchor CA is needed to validate Intermediate CAs;
+	 * You **need** to have a Root CA registered before calling this
+	 *
+	 * @param certPEM - PEM certificate to register as an Intermediate CA
+	 */
+	e2eiRegisterIntermediateCA(certPEM: string): Promise<string[] | undefined>;
+	/**
+	 * Registers a CRL for the use in E2EI processing.
+	 *
+	 * Please note that a Root Trust Anchor CA is needed to validate CRLs;
+	 * You **need** to have a Root CA registered before calling this
+	 *
+	 * @param crlDP - CRL Distribution Point; Basically the URL you fetched it from
+	 * @param crlDER - DER representation of the CRL
+	 *
+	 * @returns a {@link CRLRegistration} with the dirty state of the new CRL (see struct) and its expiration timestamp
+	 */
+	e2eiRegisterCRL(crlDP: string, crlDER: Uint8Array): Promise<CRLRegistration>;
 	/**
 	 * Creates a commit in all local conversations for changing the credential. Requires first
 	 * having enrolled a new X509 certificate with either {@link CoreCrypto.e2eiNewActivationEnrollment}
@@ -1099,8 +1357,9 @@ export declare class CoreCrypto {
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
 	 * @param newKeyPackageCount - number of KeyPackages with new identity to generate
+	 * @returns a {@link RotateBundle} with commits to fan-out to other group members, KeyPackages to upload and old ones to delete
 	 */
-	e2eiRotateAll(enrollment: WireE2eIdentity, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
+	e2eiRotateAll(enrollment: E2eiEnrollment, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
 	/**
 	 * Allows persisting an active enrollment (for example while redirecting the user during OAuth) in order to resume
 	 * it later with {@link e2eiEnrollmentStashPop}
@@ -1108,16 +1367,16 @@ export declare class CoreCrypto {
 	 * @param enrollment the enrollment instance to persist
 	 * @returns a handle to fetch the enrollment later with {@link e2eiEnrollmentStashPop}
 	 */
-	e2eiEnrollmentStash(enrollment: WireE2eIdentity): Promise<Uint8Array>;
+	e2eiEnrollmentStash(enrollment: E2eiEnrollment): Promise<Uint8Array>;
 	/**
 	 * Fetches the persisted enrollment and deletes it from the keystore
 	 *
 	 * @param handle returned by {@link e2eiEnrollmentStash}
 	 * @returns the persisted enrollment instance
 	 */
-	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<WireE2eIdentity>;
+	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
 	/**
-	 * Indicates when to mark a conversation as degraded i.e. when not all its members have a X509.
+	 * Indicates when to mark a conversation as not verified i.e. when not all its members have a X509.
 	 * Credential generated by Wire's end-to-end identity enrollment
 	 *
 	 * @param conversationId The group's ID
@@ -1128,9 +1387,37 @@ export declare class CoreCrypto {
 	 * Returns true when end-to-end-identity is enabled for the given Ciphersuite
 	 *
 	 * @param ciphersuite of the credential to check
-	 * @returns true end-to-end identity is enabled for the given ciphersuite
+	 * @returns true if end-to-end identity is enabled for the given ciphersuite
 	 */
 	e2eiIsEnabled(ciphersuite: Ciphersuite): Promise<boolean>;
+	/**
+	 * From a given conversation, get the identity of the members supplied. Identity is only present for members with a
+	 * Certificate Credential (after turning on end-to-end identity).
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param deviceIds - identifiers of the devices
+	 * @returns identities or if no member has a x509 certificate, it will return an empty List
+	 */
+	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity[]>;
+	/**
+	 * From a given conversation, get the identity of the users (device holders) supplied.
+	 * Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
+	 * If no member has a x509 certificate, it will return an empty Vec.
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
+	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
+	 */
+	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
+	/**
+	 * Gets the e2ei conversation state from a `GroupInfo`. Useful to check if the group has e2ei
+	 * turned on or not before joining it.
+	 *
+	 * @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
+	 * @param credentialType - kind of Credential to check usage of. Defaults to X509 for now as no other value will give any result.
+	 * @returns see {@link E2eiConversationState}
+	 */
+	getCredentialInUse(groupInfo: Uint8Array, credentialType?: CredentialType): Promise<E2eiConversationState>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -1139,7 +1426,7 @@ export declare class CoreCrypto {
 	static version(): string;
 }
 type JsonRawData = Uint8Array;
-export declare class WireE2eIdentity {
+export declare class E2eiEnrollment {
 	#private;
 	/** @hidden */
 	constructor(e2ei: unknown);
@@ -1156,7 +1443,7 @@ export declare class WireE2eIdentity {
 	 * @param directory HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
 	 */
-	directoryResponse(directory: JsonRawData): AcmeDirectory;
+	directoryResponse(directory: JsonRawData): Promise<AcmeDirectory>;
 	/**
 	 * For creating a new acme account. This returns a signed JWS-alike request body to send to
 	 * `POST /acme/{provisioner-name}/new-account`.
@@ -1164,27 +1451,27 @@ export declare class WireE2eIdentity {
 	 * @param previousNonce you got from calling `HEAD {@link AcmeDirectory.newNonce}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	newAccountRequest(previousNonce: string): JsonRawData;
+	newAccountRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-account`.
 	 * @param account HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	newAccountResponse(account: JsonRawData): void;
+	newAccountResponse(account: JsonRawData): Promise<void>;
 	/**
 	 * Creates a new acme order for the handle (userId + display name) and the clientId.
 	 *
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderRequest(previousNonce: string): JsonRawData;
+	newOrderRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-order`.
 	 *
 	 * @param order HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderResponse(order: JsonRawData): NewAcmeOrder;
+	newOrderResponse(order: JsonRawData): Promise<NewAcmeOrder>;
 	/**
 	 * Creates a new authorization request.
 	 *
@@ -1193,14 +1480,14 @@ export declare class WireE2eIdentity {
 	 * previous to this method if you are creating the second authorization)
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	newAuthzRequest(url: string, previousNonce: string): JsonRawData;
+	newAuthzRequest(url: string, previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 *
 	 * @param authz HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	newAuthzResponse(authz: JsonRawData): NewAcmeAuthz;
+	newAuthzResponse(authz: JsonRawData): Promise<NewAcmeAuthz>;
 	/**
 	 * Generates a new client Dpop JWT token. It demonstrates proof of possession of the nonces
 	 * (from wire-server & acme server) and will be verified by the acme server when verifying the
@@ -1212,7 +1499,7 @@ export declare class WireE2eIdentity {
 	 * @param expirySecs of the client Dpop JWT. This should be equal to the grace period set in Team Management
 	 * @param backendNonce you get by calling `GET /clients/token/nonce` on wire-server as defined here {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/get_clients__client__nonce}
 	 */
-	createDpopToken(expirySecs: number, backendNonce: string): Uint8Array;
+	createDpopToken(expirySecs: number, backendNonce: string): Promise<Uint8Array>;
 	/**
 	 * Creates a new challenge request for Wire Dpop challenge.
 	 *
@@ -1220,7 +1507,14 @@ export declare class WireE2eIdentity {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newDpopChallengeRequest(accessToken: string, previousNonce: string): JsonRawData;
+	newDpopChallengeRequest(accessToken: string, previousNonce: string): Promise<JsonRawData>;
+	/**
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the DPoP challenge.
+	 *
+	 * @param challenge HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+	 */
+	newDpopChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
 	 * Creates a new challenge request for Wire Oidc challenge.
 	 *
@@ -1228,14 +1522,15 @@ export declare class WireE2eIdentity {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newOidcChallengeRequest(idToken: string, previousNonce: string): JsonRawData;
+	newOidcChallengeRequest(idToken: string, previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}`.
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the OIDC challenge.
 	 *
+	 * @param cc the CoreCrypto instance
 	 * @param challenge HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newChallengeResponse(challenge: JsonRawData): void;
+	newOidcChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
 	 * Verifies that the previous challenge has been completed.
 	 *
@@ -1243,22 +1538,22 @@ export declare class WireE2eIdentity {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/challenge/{challenge-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	checkOrderRequest(orderUrl: string, previousNonce: string): JsonRawData;
+	checkOrderRequest(orderUrl: string, previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
 	 *
 	 * @param order HTTP response body
-	 * @return the finalize url to use with {@link finalizeRequest}
+	 * @return finalize url to use with {@link finalizeRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	checkOrderResponse(order: JsonRawData): string;
+	checkOrderResponse(order: JsonRawData): Promise<string>;
 	/**
 	 * Final step before fetching the certificate.
 	 *
 	 * @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeRequest(previousNonce: string): JsonRawData;
+	finalizeRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}/finalize`.
 	 *
@@ -1266,105 +1561,14 @@ export declare class WireE2eIdentity {
 	 * @return the certificate url to use with {@link certificateRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeResponse(finalize: JsonRawData): string;
+	finalizeResponse(finalize: JsonRawData): Promise<string>;
 	/**
 	 * Creates a request for finally fetching the x509 certificate.
 	 *
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}/finalize`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
 	 */
-	certificateRequest(previousNonce: string): JsonRawData;
-}
-/**
- * Holds URLs of all the standard ACME endpoint supported on an ACME server.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
- */
-export interface AcmeDirectory {
-	/**
-	 * URL for fetching a new nonce. Use this only for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newNonce: string;
-	/**
-	 * URL for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newAccount: string;
-	/**
-	 * URL for creating a new order.
-	 *
-	 * @readonly
-	 */
-	newOrder: string;
-}
-/**
- * Result of an order creation
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
- */
-export interface NewAcmeOrder {
-	/**
-	 * Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
-	 */
-	delegate: Uint8Array;
-	/**
-	 * An authorization for each domain to create
-	 *
-	 * @readonly
-	 */
-	authorizations: Uint8Array[];
-}
-/**
- * Result of an authorization creation.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
- */
-export interface NewAcmeAuthz {
-	/**
-	 * DNS entry associated with those challenge
-	 *
-	 * @readonly
-	 */
-	identifier: string;
-	/**
-	 * Challenge for the clientId
-	 *
-	 * @readonly
-	 */
-	wireDpopChallenge?: AcmeChallenge;
-	/**
-	 * Challenge for the userId and displayName
-	 *
-	 * @readonly
-	 */
-	wireOidcChallenge?: AcmeChallenge;
-}
-/**
- * For creating a challenge
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
- */
-export interface AcmeChallenge {
-	/**
-	 * Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
-	 */
-	delegate: Uint8Array;
-	/**
-	 * URL of this challenge
-	 *
-	 * @readonly
-	 */
-	url: string;
-	/**
-	 * Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
-	 * Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
-	 *
-	 * @readonly
-	 */
-	target: string;
+	certificateRequest(previousNonce: string): Promise<JsonRawData>;
 }
 /**
  * Indicates the state of a Conversation regarding end-to-end identity.
@@ -1379,9 +1583,9 @@ export declare enum E2eiConversationState {
 	/**
 	 * Some clients are either still Basic or their certificate is expired
 	 */
-	Degraded = 2,
+	NotVerified = 2,
 	/**
-	 * All clients are still Basic. If all client have expired certificates, Degraded is returned.
+	 * All clients are still Basic. If all client have expired certificates, NotVerified is returned.
 	 */
 	NotEnabled = 3
 }