@wireapp/core-crypto 1.0.0-rc.7 → 1.0.0-rc.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wireapp/core-crypto",
-  "version": "1.0.0-rc.7",
+  "version": "1.0.0-rc.8",
   "description": "CoreCrypto bindings for the Web",
   "type": "module",
   "module": "platforms/web/corecrypto.js",

package/platforms/web/corecrypto.d.ts

@@ -386,6 +386,45 @@ export interface DecryptedMessage {
 	 * Present for all messages
 	 */
 	identity?: WireIdentity;
+	/**
+	 * Only set when the decrypted message is a commit.
+	 * Contains buffered messages for next epoch which were received before the commit creating the epoch
+	 * because the DS did not fan them out in order.
+	 */
+	bufferedMessages?: BufferedDecryptedMessage[];
+}
+/**
+ * Almost same as {@link DecryptedMessage} but avoids recursion
+ */
+export interface BufferedDecryptedMessage {
+	/**
+	 * see {@link DecryptedMessage.message}
+	 */
+	message?: Uint8Array;
+	/**
+	 * see {@link DecryptedMessage.proposals}
+	 */
+	proposals: ProposalBundle[];
+	/**
+	 * see {@link DecryptedMessage.isActive}
+	 */
+	isActive: boolean;
+	/**
+	 * see {@link DecryptedMessage.commitDelay}
+	 */
+	commitDelay?: number;
+	/**
+	 * see {@link DecryptedMessage.senderClientId}
+	 */
+	senderClientId?: ClientId;
+	/**
+	 * see {@link DecryptedMessage.hasEpochChanged}
+	 */
+	hasEpochChanged: boolean;
+	/**
+	 * see {@link DecryptedMessage.identity}
+	 */
+	identity?: WireIdentity;
 }
 /**
  * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
@@ -625,7 +664,7 @@ export declare class CoreCrypto {
 	/**
 	 * Closes this {@link CoreCrypto} instance and deallocates all loaded resources
 	 *
-	 * **CAUTION**: This {@link CoreCrypto} instance won't be useable after a call to this method, but there's no way to express this requirement in TypeScript so you'll get errors instead!
+	 * **CAUTION**: This {@link CoreCrypto} instance won't be usable after a call to this method, but there's no way to express this requirement in TypeScript, so you'll get errors instead!
 	 */
 	close(): Promise<void>;
 	/**
@@ -691,7 +730,12 @@ export declare class CoreCrypto {
 	 */
 	createConversation(conversationId: ConversationId, creatorCredentialType: CredentialType, configuration?: ConversationConfiguration): Promise<any>;
 	/**
-	 * Decrypts a message for a given conversation
+	 * Decrypts a message for a given conversation.
+	 *
+	 * Note: you should catch & ignore the following error reasons:
+	 * * "We already decrypted this message once"
+	 * * "You tried to join with an external commit but did not merge it yet. We will reapply this message for you when you merge your external commit"
+	 * * "Incoming message is for a future epoch. We will buffer it until the commit for that epoch arrives"
 	 *
 	 * @param conversationId - The ID of the conversation
 	 * @param payload - The encrypted message buffer
@@ -723,7 +767,7 @@ export declare class CoreCrypto {
 	 *
 	 * @returns A {@link CommitBundle}
 	 */
-	update_trust_anchors_from_conversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
+	updateTrustAnchorsFromConversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
 	/**
 	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
@@ -737,7 +781,10 @@ export declare class CoreCrypto {
 	 */
 	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<ConversationId>;
 	/**
-	 * @returns The client's public key
+	 * Get the client's public signature key. To upload to the DS for further backend side validation
+	 *
+	 * @param ciphersuite - of the signature key to get
+	 * @returns the client's public signature key
 	 */
 	clientPublicKey(ciphersuite: Ciphersuite): Promise<Uint8Array>;
 	/**
@@ -766,7 +813,7 @@ export declare class CoreCrypto {
 	/**
 	 * Adds new clients to a conversation, assuming the current client has the right to add new clients to the conversation.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -780,7 +827,7 @@ export declare class CoreCrypto {
 	 * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
 	 * to do so, otherwise this operation does nothing.
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -791,9 +838,9 @@ export declare class CoreCrypto {
 	 */
 	removeClientsFromConversation(conversationId: ConversationId, clientIds: ClientId[]): Promise<CommitBundle>;
 	/**
-	 * Creates an update commit which forces every client to update their keypackages in the conversation
+	 * Creates an update commit which forces every client to update their LeafNode in the conversation
 	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
 	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
 	 * epoch, use new encryption secrets etc...
 	 *
@@ -823,6 +870,9 @@ export declare class CoreCrypto {
 	 * @returns A {@link ProposalBundle} containing the Proposal and its reference in order to roll it back if necessary
 	 */
 	newProposal(proposalType: ProposalType, args: ProposalArgs | AddProposalArgs | RemoveProposalArgs): Promise<ProposalBundle>;
+	/**
+	 * Creates a new external Add proposal for self client to join a conversation.
+	 */
 	newExternalProposal(externalProposalType: ExternalProposalType, args: ExternalAddProposalArgs): Promise<Uint8Array>;
 	/**
 	 * Allows to create an external commit to "apply" to join a group through its GroupInfo.
@@ -847,8 +897,9 @@ export declare class CoreCrypto {
 	 * and deletes the temporary one. This step makes the group operational and ready to encrypt/decrypt message
 	 *
 	 * @param conversationId - The ID of the conversation
+	 * @returns eventually decrypted buffered messages if any
 	 */
-	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<DecryptedMessage[] | undefined>;
+	mergePendingGroupFromExternalCommit(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
 	 * In case the external commit generated by {@link CoreCrypto.joinByExternalCommit} is rejected by the Delivery Service, and we
 	 * want to abort this external commit once for all, we can wipe out the pending group from the keystore in order
@@ -858,26 +909,24 @@ export declare class CoreCrypto {
 	 */
 	clearPendingGroupFromExternalCommit(conversationId: ConversationId): Promise<void>;
 	/**
-	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it
-	 * into the local group state
+	 * Allows to mark the latest commit produced as "accepted" and be able to safely merge it into the local group state
 	 *
 	 * @param conversationId - The group's ID
+	 * @returns the messages from current epoch which had been buffered, if any
 	 */
-	commitAccepted(conversationId: ConversationId): Promise<void>;
+	commitAccepted(conversationId: ConversationId): Promise<BufferedDecryptedMessage[] | undefined>;
 	/**
-	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
-	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc..
+	 * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc…
 	 *
 	 * @param conversationId - The group's ID
 	 * @param proposalRef - A reference to the proposal to delete. You get one when using {@link CoreCrypto.newProposal}
 	 */
 	clearPendingProposal(conversationId: ConversationId, proposalRef: ProposalRef): Promise<void>;
 	/**
-	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions
-	 * have changed meanwhile.
+	 * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions have changed meanwhile.
 	 *
 	 * **CAUTION**: only use this when you had an explicit response from the Delivery Service
 	 * e.g. 403. Do not use otherwise e.g. 5xx responses, timeout etc..
@@ -921,7 +970,7 @@ export declare class CoreCrypto {
 	 */
 	reseedRng(seed: Uint8Array): Promise<void>;
 	/**
-	 * Initiailizes the proteus client
+	 * Initializes the proteus client
 	 */
 	proteusInit(): Promise<void>;
 	/**
@@ -1054,47 +1103,49 @@ export declare class CoreCrypto {
 	 * Creates an enrollment instance with private key material you can use in order to fetch
 	 * a new x509 certificate from the acme server.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiMlsInitOnly}
 	 */
-	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<WireE2eIdentity>;
+	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
 	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param expiryDays generated x509 certificate expiry
+	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
+	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
-	 * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-	 * @param handle user handle e.g. `alice.smith.qa@example.com`
-	 * @returns The new {@link WireE2eIdentity} object
+	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<WireE2eIdentity>;
+	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<E2eiEnrollment>;
 	/**
-	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
+	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
+	 * that means he cannot initialize with a Basic credential
 	 *
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
+	 * @returns a MlsClient initialized with only a x509 credential
 	 */
-	e2eiMlsInitOnly(enrollment: WireE2eIdentity, certificateChain: string): Promise<void>;
+	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string): Promise<void>;
 	/**
 	 * Creates a commit in all local conversations for changing the credential. Requires first
 	 * having enrolled a new X509 certificate with either {@link CoreCrypto.e2eiNewActivationEnrollment}
@@ -1103,8 +1154,9 @@ export declare class CoreCrypto {
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
 	 * @param newKeyPackageCount - number of KeyPackages with new identity to generate
+	 * @returns a {@link RotateBundle} with commits to fan-out to other group members, KeyPackages to upload and old ones to delete
 	 */
-	e2eiRotateAll(enrollment: WireE2eIdentity, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
+	e2eiRotateAll(enrollment: E2eiEnrollment, certificateChain: string, newKeyPackageCount: number): Promise<RotateBundle>;
 	/**
 	 * Allows persisting an active enrollment (for example while redirecting the user during OAuth) in order to resume
 	 * it later with {@link e2eiEnrollmentStashPop}
@@ -1112,14 +1164,14 @@ export declare class CoreCrypto {
 	 * @param enrollment the enrollment instance to persist
 	 * @returns a handle to fetch the enrollment later with {@link e2eiEnrollmentStashPop}
 	 */
-	e2eiEnrollmentStash(enrollment: WireE2eIdentity): Promise<Uint8Array>;
+	e2eiEnrollmentStash(enrollment: E2eiEnrollment): Promise<Uint8Array>;
 	/**
 	 * Fetches the persisted enrollment and deletes it from the keystore
 	 *
 	 * @param handle returned by {@link e2eiEnrollmentStash}
 	 * @returns the persisted enrollment instance
 	 */
-	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<WireE2eIdentity>;
+	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
 	/**
 	 * Indicates when to mark a conversation as degraded i.e. when not all its members have a X509.
 	 * Credential generated by Wire's end-to-end identity enrollment
@@ -1132,9 +1184,18 @@ export declare class CoreCrypto {
 	 * Returns true when end-to-end-identity is enabled for the given Ciphersuite
 	 *
 	 * @param ciphersuite of the credential to check
-	 * @returns true end-to-end identity is enabled for the given ciphersuite
+	 * @returns true if end-to-end identity is enabled for the given ciphersuite
 	 */
 	e2eiIsEnabled(ciphersuite: Ciphersuite): Promise<boolean>;
+	/**
+	 * From a given conversation, get the identity of the members supplied. Identity is only present for members with a
+	 * Certificate Credential (after turning on end-to-end identity).
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param clientIds - identifiers of the user
+	 * @returns identities or if no member has a x509 certificate, it will return an empty List
+	 */
+	getUserIdentities(conversationId: ConversationId, clientIds: ClientId[]): Promise<WireIdentity[]>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -1143,7 +1204,7 @@ export declare class CoreCrypto {
 	static version(): string;
 }
 type JsonRawData = Uint8Array;
-export declare class WireE2eIdentity {
+export declare class E2eiEnrollment {
 	#private;
 	/** @hidden */
 	constructor(e2ei: unknown);
@@ -1252,7 +1313,7 @@ export declare class WireE2eIdentity {
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
 	 *
 	 * @param order HTTP response body
-	 * @return the finalize url to use with {@link finalizeRequest}
+	 * @return finalize url to use with {@link finalizeRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
 	checkOrderResponse(order: JsonRawData): string;

package/platforms/web/corecrypto.js

@@ -234,12 +234,12 @@ function makeMutClosure(arg0, arg1, dtor, f) {
     return real;
 }
 function __wbg_adapter_52(arg0, arg1, arg2) {
-    wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h17baf5e1d66e67f4(arg0, arg1, addHeapObject(arg2));
+    wasm$1.wasm_bindgen__convert__closures__invoke1_mut__hdb6540dbb26cf63b(arg0, arg1, addHeapObject(arg2));
 }
 function __wbg_adapter_55(arg0, arg1, arg2) {
     try {
         const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-        wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h98d6800184b7661d(retptr, arg0, arg1, addHeapObject(arg2));
+        wasm$1.wasm_bindgen__convert__closures__invoke1_mut__h5e436dc96f7334f7(retptr, arg0, arg1, addHeapObject(arg2));
         var r0 = getInt32Memory0()[retptr / 4 + 0];
         var r1 = getInt32Memory0()[retptr / 4 + 1];
         if (r1) {
@@ -313,8 +313,8 @@ function handleError(f, args) {
         wasm$1.__wbindgen_exn_store(addHeapObject(e));
     }
 }
-function __wbg_adapter_299(arg0, arg1, arg2, arg3) {
-    wasm$1.wasm_bindgen__convert__closures__invoke2_mut__haf4f26fdea6dc8ca(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
+function __wbg_adapter_310(arg0, arg1, arg2, arg3) {
+    wasm$1.wasm_bindgen__convert__closures__invoke2_mut__h5286c52f12e3fed2(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 }
 /**
 * see [core_crypto::prelude::MlsWirePolicy]
@@ -554,6 +554,83 @@ class AcmeDirectory {
     }
 }
 /**
+* to avoid recursion
+*/
+class BufferedDecryptedMessage {
+    static __wrap(ptr) {
+        ptr = ptr >>> 0;
+        const obj = Object.create(BufferedDecryptedMessage.prototype);
+        obj.__wbg_ptr = ptr;
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm$1.__wbg_buffereddecryptedmessage_free(ptr);
+    }
+    /**
+    * @returns {any}
+    */
+    get message() {
+        const ret = wasm$1.buffereddecryptedmessage_message(this.__wbg_ptr);
+        return takeObject(ret);
+    }
+    /**
+    * @returns {Array<any>}
+    */
+    get proposals() {
+        const ret = wasm$1.buffereddecryptedmessage_proposals(this.__wbg_ptr);
+        return takeObject(ret);
+    }
+    /**
+    * @returns {boolean}
+    */
+    get is_active() {
+        const ret = wasm$1.buffereddecryptedmessage_is_active(this.__wbg_ptr);
+        return ret !== 0;
+    }
+    /**
+    * @returns {number | undefined}
+    */
+    get commit_delay() {
+        try {
+            const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
+            wasm$1.buffereddecryptedmessage_commit_delay(retptr, this.__wbg_ptr);
+            var r0 = getInt32Memory0()[retptr / 4 + 0];
+            var r1 = getInt32Memory0()[retptr / 4 + 1];
+            return r0 === 0 ? undefined : r1 >>> 0;
+        }
+        finally {
+            wasm$1.__wbindgen_add_to_stack_pointer(16);
+        }
+    }
+    /**
+    * @returns {any}
+    */
+    get sender_client_id() {
+        const ret = wasm$1.buffereddecryptedmessage_sender_client_id(this.__wbg_ptr);
+        return takeObject(ret);
+    }
+    /**
+    * @returns {boolean}
+    */
+    get has_epoch_changed() {
+        const ret = wasm$1.buffereddecryptedmessage_has_epoch_changed(this.__wbg_ptr);
+        return ret !== 0;
+    }
+    /**
+    * @returns {WireIdentity | undefined}
+    */
+    get identity() {
+        const ret = wasm$1.buffereddecryptedmessage_identity(this.__wbg_ptr);
+        return ret === 0 ? undefined : WireIdentity.__wrap(ret);
+    }
+}
+/**
 */
 class CommitBundle {
     static __wrap(ptr) {
@@ -691,7 +768,7 @@ let CoreCrypto$1 = class CoreCrypto {
         wasm$1.__wbg_corecrypto_free(ptr);
     }
     /**
-    * Returns: [`WasmCryptoResult<WireE2eIdentity>`]
+    * Returns: [`WasmCryptoResult<E2eiEnrollment>`]
     *
     * see [core_crypto::mls::MlsCentral::e2ei_new_enrollment]
     * @param {string} client_id
@@ -712,7 +789,7 @@ let CoreCrypto$1 = class CoreCrypto {
         return takeObject(ret);
     }
     /**
-    * Returns: [`WasmCryptoResult<WireE2eIdentity>`]
+    * Returns: [`WasmCryptoResult<E2eiEnrollment>`]
     *
     * see [core_crypto::mls::MlsCentral::e2ei_new_activation_enrollment]
     * @param {string} client_id
@@ -733,7 +810,7 @@ let CoreCrypto$1 = class CoreCrypto {
         return takeObject(ret);
     }
     /**
-    * Returns: [`WasmCryptoResult<WireE2eIdentity>`]
+    * Returns: [`WasmCryptoResult<E2eiEnrollment>`]
     *
     * see [core_crypto::mls::MlsCentral::e2ei_new_rotate_enrollment]
     * @param {string} client_id
@@ -829,6 +906,22 @@ let CoreCrypto$1 = class CoreCrypto {
         return takeObject(ret);
     }
     /**
+    * Returns [`WasmCryptoResult<Vec<WireIdentity>>`]
+    *
+    * see [core_crypto::mls::MlsCentral::get_user_identities]
+    * @param {Uint8Array} conversation_id
+    * @param {(Uint8Array)[]} client_ids
+    * @returns {Promise<any>}
+    */
+    get_user_identities(conversation_id, client_ids) {
+        const ptr0 = passArray8ToWasm0(conversation_id, wasm$1.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passArrayJsValueToWasm0(client_ids, wasm$1.__wbindgen_malloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm$1.corecrypto_get_user_identities(this.__wbg_ptr, ptr0, len0, ptr1, len1);
+        return takeObject(ret);
+    }
+    /**
     * Returns the current version of CoreCrypto
     * @returns {string}
     */
@@ -1766,14 +1859,14 @@ class DecryptedMessage {
     * @returns {any}
     */
     get message() {
-        const ret = wasm$1.decryptedmessage_message(this.__wbg_ptr);
+        const ret = wasm$1.buffereddecryptedmessage_message(this.__wbg_ptr);
         return takeObject(ret);
     }
     /**
     * @returns {Array<any>}
     */
     get proposals() {
-        const ret = wasm$1.decryptedmessage_proposals(this.__wbg_ptr);
+        const ret = wasm$1.buffereddecryptedmessage_proposals(this.__wbg_ptr);
         return takeObject(ret);
     }
     /**
@@ -1789,7 +1882,7 @@ class DecryptedMessage {
     get commit_delay() {
         try {
             const retptr = wasm$1.__wbindgen_add_to_stack_pointer(-16);
-            wasm$1.decryptedmessage_commit_delay(retptr, this.__wbg_ptr);
+            wasm$1.buffereddecryptedmessage_commit_delay(retptr, this.__wbg_ptr);
             var r0 = getInt32Memory0()[retptr / 4 + 0];
             var r1 = getInt32Memory0()[retptr / 4 + 1];
             return r0 === 0 ? undefined : r1 >>> 0;
@@ -1802,7 +1895,7 @@ class DecryptedMessage {
     * @returns {any}
     */
     get sender_client_id() {
-        const ret = wasm$1.decryptedmessage_sender_client_id(this.__wbg_ptr);
+        const ret = wasm$1.buffereddecryptedmessage_sender_client_id(this.__wbg_ptr);
         return takeObject(ret);
     }
     /**
@@ -1816,9 +1909,16 @@ class DecryptedMessage {
     * @returns {WireIdentity | undefined}
     */
     get identity() {
-        const ret = wasm$1.decryptedmessage_identity(this.__wbg_ptr);
+        const ret = wasm$1.buffereddecryptedmessage_identity(this.__wbg_ptr);
         return ret === 0 ? undefined : WireIdentity.__wrap(ret);
     }
+    /**
+    * @returns {Array<any> | undefined}
+    */
+    get buffered_messages() {
+        const ret = wasm$1.decryptedmessage_buffered_messages(this.__wbg_ptr);
+        return takeObject(ret);
+    }
 }
 /**
 */
@@ -2869,18 +2969,14 @@ function __wbg_get_imports() {
         const ret = getObject(arg0).length;
         return ret;
     };
-    imports.wbg.__wbg_new_8125e318e6245eed = function (arg0) {
-        const ret = new Uint8Array(getObject(arg0));
-        return addHeapObject(ret);
-    };
     imports.wbg.__wbg_call_01734de55d61e11d = function () {
         return handleError(function (arg0, arg1, arg2) {
             const ret = getObject(arg0).call(getObject(arg1), getObject(arg2));
             return addHeapObject(ret);
         }, arguments);
     };
-    imports.wbg.__wbg_new_b51585de1b234aff = function () {
-        const ret = new Object();
+    imports.wbg.__wbg_new_8125e318e6245eed = function (arg0) {
+        const ret = new Uint8Array(getObject(arg0));
         return addHeapObject(ret);
     };
     imports.wbg.__wbg_new_898a68150f225f2e = function () {
@@ -2890,26 +2986,33 @@ function __wbg_get_imports() {
     imports.wbg.__wbg_set_502d29070ea18557 = function (arg0, arg1, arg2) {
         getObject(arg0)[arg1 >>> 0] = takeObject(arg2);
     };
+    imports.wbg.__wbg_ffiwiree2eidentity_new = function (arg0) {
+        const ret = FfiWireE2EIdentity.__wrap(arg0);
+        return addHeapObject(ret);
+    };
+    imports.wbg.__wbg_push_ca1c26067ef907ac = function (arg0, arg1) {
+        const ret = getObject(arg0).push(getObject(arg1));
+        return ret;
+    };
     imports.wbg.__wbindgen_bigint_from_u64 = function (arg0) {
         const ret = BigInt.asUintN(64, arg0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbindgen_number_new = function (arg0) {
-        const ret = arg0;
+    imports.wbg.__wbg_new_b51585de1b234aff = function () {
+        const ret = new Object();
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_ffiwiree2eidentity_new = function (arg0) {
-        const ret = FfiWireE2EIdentity.__wrap(arg0);
+    imports.wbg.__wbg_set_841ac57cff3d672b = function (arg0, arg1, arg2) {
+        getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
+    };
+    imports.wbg.__wbindgen_number_new = function (arg0) {
+        const ret = arg0;
         return addHeapObject(ret);
     };
     imports.wbg.__wbg_proteusautoprekeybundle_new = function (arg0) {
         const ret = ProteusAutoPrekeyBundle.__wrap(arg0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_push_ca1c26067ef907ac = function (arg0, arg1) {
-        const ret = getObject(arg0).push(getObject(arg1));
-        return ret;
-    };
     imports.wbg.__wbg_new_56693dbed0c32988 = function () {
         const ret = new Map();
         return addHeapObject(ret);
@@ -2922,18 +3025,18 @@ function __wbg_get_imports() {
         const ret = new Error(getStringFromWasm0(arg0, arg1));
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_openCursor_555d508ba71b21cc = function () {
-        return handleError(function (arg0, arg1) {
-            const ret = getObject(arg0).openCursor(getObject(arg1));
-            return addHeapObject(ret);
-        }, arguments);
-    };
     imports.wbg.__wbg_openCursor_4d6f62b69b34be26 = function () {
         return handleError(function (arg0) {
             const ret = getObject(arg0).openCursor();
             return addHeapObject(ret);
         }, arguments);
     };
+    imports.wbg.__wbg_openCursor_555d508ba71b21cc = function () {
+        return handleError(function (arg0, arg1) {
+            const ret = getObject(arg0).openCursor(getObject(arg1));
+            return addHeapObject(ret);
+        }, arguments);
+    };
     imports.wbg.__wbg_setonsuccess_f518a37d8228a576 = function (arg0, arg1) {
         getObject(arg0).onsuccess = getObject(arg1);
     };
@@ -2990,9 +3093,6 @@ function __wbg_get_imports() {
         const ret = CoreCrypto$1.__wrap(arg0);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbg_set_841ac57cff3d672b = function (arg0, arg1, arg2) {
-        getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
-    };
     imports.wbg.__wbg_instanceof_Promise_0e98a5bf082e090f = function (arg0) {
         let result;
         try {
@@ -3044,7 +3144,7 @@ function __wbg_get_imports() {
                 const a = state0.a;
                 state0.a = 0;
                 try {
-                    return __wbg_adapter_299(a, state0.b, arg0, arg1);
+                    return __wbg_adapter_310(a, state0.b, arg0, arg1);
                 }
                 finally {
                     state0.a = a;
@@ -3069,6 +3169,10 @@ function __wbg_get_imports() {
         const ret = ProposalBundle.__wrap(arg0);
         return addHeapObject(ret);
     };
+    imports.wbg.__wbg_buffereddecryptedmessage_new = function (arg0) {
+        const ret = BufferedDecryptedMessage.__wrap(arg0);
+        return addHeapObject(ret);
+    };
     imports.wbg.__wbg_commitbundle_new = function (arg0) {
         const ret = CommitBundle.__wrap(arg0);
         return addHeapObject(ret);
@@ -3142,18 +3246,18 @@ function __wbg_get_imports() {
         const ret = Date.now();
         return ret;
     };
-    imports.wbg.__wbg_put_fb32824d87feec5c = function () {
-        return handleError(function (arg0, arg1, arg2) {
-            const ret = getObject(arg0).put(getObject(arg1), getObject(arg2));
-            return addHeapObject(ret);
-        }, arguments);
-    };
     imports.wbg.__wbg_put_d6937bc51f51a398 = function () {
         return handleError(function (arg0, arg1) {
             const ret = getObject(arg0).put(getObject(arg1));
             return addHeapObject(ret);
         }, arguments);
     };
+    imports.wbg.__wbg_put_fb32824d87feec5c = function () {
+        return handleError(function (arg0, arg1, arg2) {
+            const ret = getObject(arg0).put(getObject(arg1), getObject(arg2));
+            return addHeapObject(ret);
+        }, arguments);
+    };
     imports.wbg.__wbg_delete_ca1cfc48f1f7981c = function () {
         return handleError(function (arg0, arg1) {
             const ret = getObject(arg0).delete(getObject(arg1));
@@ -3493,12 +3597,12 @@ function __wbg_get_imports() {
             return addHeapObject(ret);
         }, arguments);
     };
-    imports.wbg.__wbindgen_closure_wrapper1999 = function (arg0, arg1, arg2) {
-        const ret = makeMutClosure(arg0, arg1, 169, __wbg_adapter_52);
+    imports.wbg.__wbindgen_closure_wrapper1725 = function (arg0, arg1, arg2) {
+        const ret = makeMutClosure(arg0, arg1, 149, __wbg_adapter_52);
         return addHeapObject(ret);
     };
-    imports.wbg.__wbindgen_closure_wrapper4745 = function (arg0, arg1, arg2) {
-        const ret = makeMutClosure(arg0, arg1, 169, __wbg_adapter_55);
+    imports.wbg.__wbindgen_closure_wrapper4854 = function (arg0, arg1, arg2) {
+        const ret = makeMutClosure(arg0, arg1, 149, __wbg_adapter_55);
         return addHeapObject(ret);
     };
     return imports;
@@ -3539,6 +3643,7 @@ var exports = /*#__PURE__*/Object.freeze({
     __proto__: null,
     AcmeChallenge: AcmeChallenge,
     AcmeDirectory: AcmeDirectory,
+    BufferedDecryptedMessage: BufferedDecryptedMessage,
     Ciphersuite: Ciphersuite$1,
     CommitBundle: CommitBundle,
     ConversationConfiguration: ConversationConfiguration,
@@ -3564,26 +3669,35 @@ var exports = /*#__PURE__*/Object.freeze({
     initSync: initSync
 });
 
-var wasm = async (opt = {}) => {
-                let {importHook, serverPath} = opt;
+const wasm_path = "assets/core_crypto_ffi-ded089fb.wasm";
 
-                let path = "assets/core_crypto_ffi-663eb4cf.wasm";
+            
+            var wasm = async (opt = {}) => {
+                let {importHook, serverPath, initializeHook} = opt;
+
+                let final_path = wasm_path;
 
                 if (serverPath != null) {
-                    path = serverPath + /[^\/\\]*$/.exec(path)[0];
+                    final_path = serverPath + /[^\/\\]*$/.exec(final_path)[0];
                 }
 
                 if (importHook != null) {
-                    path = importHook(path);
+                    final_path = importHook(final_path);
+                }
+
+                if (initializeHook != null) {
+                    await initializeHook(__wbg_init, final_path);
+
+                } else {
+                    await __wbg_init(final_path);
                 }
 
-                await __wbg_init(path);
                 return exports;
             };
 
 // Wire
 // Copyright (C) 2022 Wire Swiss GmbH
-var _a, _CoreCrypto_module, _CoreCrypto_cc, _CoreCrypto_assertModuleLoaded, _WireE2eIdentity_e2ei;
+var _a, _CoreCrypto_module, _CoreCrypto_cc, _CoreCrypto_assertModuleLoaded, _E2eiEnrollment_enrollment;
 /**
  * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
  *
@@ -3891,7 +4005,7 @@ class CoreCrypto {
     /**
      * Closes this {@link CoreCrypto} instance and deallocates all loaded resources
      *
-     * **CAUTION**: This {@link CoreCrypto} instance won't be useable after a call to this method, but there's no way to express this requirement in TypeScript so you'll get errors instead!
+     * **CAUTION**: This {@link CoreCrypto} instance won't be usable after a call to this method, but there's no way to express this requirement in TypeScript, so you'll get errors instead!
      */
     async close() {
         await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").close());
@@ -3985,7 +4099,12 @@ class CoreCrypto {
         }
     }
     /**
-     * Decrypts a message for a given conversation
+     * Decrypts a message for a given conversation.
+     *
+     * Note: you should catch & ignore the following error reasons:
+     * * "We already decrypted this message once"
+     * * "You tried to join with an external commit but did not merge it yet. We will reapply this message for you when you merge your external commit"
+     * * "Incoming message is for a future epoch. We will buffer it until the commit for that epoch arrives"
      *
      * @param conversationId - The ID of the conversation
      * @param payload - The encrypted message buffer
@@ -4010,6 +4129,16 @@ class CoreCrypto {
                 senderClientId: ffiDecryptedMessage.sender_client_id,
                 commitDelay,
                 hasEpochChanged: ffiDecryptedMessage.has_epoch_changed,
+                bufferedMessages: ffiDecryptedMessage.buffered_messages?.map(m => {
+                    return {
+                        message: m.message,
+                        proposals: m.proposals,
+                        isActive: m.is_active,
+                        senderClientId: m.sender_client_id,
+                        commitDelay: m.commit_delay,
+                        hasEpochChanged: m.has_epoch_changed,
+                    };
+                }),
             };
             return ret;
         }
@@ -4043,7 +4172,7 @@ class CoreCrypto {
      *
      * @returns A {@link CommitBundle}
      */
-    async update_trust_anchors_from_conversation(conversationId, removeDomainNames, addTrustAnchors) {
+    async updateTrustAnchorsFromConversation(conversationId, removeDomainNames, addTrustAnchors) {
         try {
             const ffiRet = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").update_trust_anchors_from_conversation(conversationId, removeDomainNames, addTrustAnchors));
             const gi = ffiRet.group_info;
@@ -4084,7 +4213,10 @@ class CoreCrypto {
         }
     }
     /**
-     * @returns The client's public key
+     * Get the client's public signature key. To upload to the DS for further backend side validation
+     *
+     * @param ciphersuite - of the signature key to get
+     * @returns the client's public signature key
      */
     async clientPublicKey(ciphersuite) {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").client_public_key(ciphersuite));
@@ -4121,7 +4253,7 @@ class CoreCrypto {
     /**
      * Adds new clients to a conversation, assuming the current client has the right to add new clients to the conversation.
      *
-     * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+     * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
      * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
      * epoch, use new encryption secrets etc...
      *
@@ -4155,7 +4287,7 @@ class CoreCrypto {
      * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
      * to do so, otherwise this operation does nothing.
      *
-     * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+     * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
      * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
      * epoch, use new encryption secrets etc...
      *
@@ -4184,9 +4316,9 @@ class CoreCrypto {
         }
     }
     /**
-     * Creates an update commit which forces every client to update their keypackages in the conversation
+     * Creates an update commit which forces every client to update their LeafNode in the conversation
      *
-     * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
+     * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterward **ONLY IF** the Delivery Service responds
      * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
      * epoch, use new encryption secrets etc...
      *
@@ -4274,6 +4406,9 @@ class CoreCrypto {
                 throw new Error("Invalid proposal type!");
         }
     }
+    /**
+     * Creates a new external Add proposal for self client to join a conversation.
+     */
     async newExternalProposal(externalProposalType, args) {
         switch (externalProposalType) {
             case ExternalProposalType.Add: {
@@ -4327,6 +4462,7 @@ class CoreCrypto {
      * and deletes the temporary one. This step makes the group operational and ready to encrypt/decrypt message
      *
      * @param conversationId - The ID of the conversation
+     * @returns eventually decrypted buffered messages if any
      */
     async mergePendingGroupFromExternalCommit(conversationId) {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").merge_pending_group_from_external_commit(conversationId));
@@ -4342,20 +4478,19 @@ class CoreCrypto {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").clear_pending_group_from_external_commit(conversationId));
     }
     /**
-     * Allows to mark the latest commit produced as "accepted" and be able to safely merge it
-     * into the local group state
+     * Allows to mark the latest commit produced as "accepted" and be able to safely merge it into the local group state
      *
      * @param conversationId - The group's ID
+     * @returns the messages from current epoch which had been buffered, if any
      */
     async commitAccepted(conversationId) {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").commit_accepted(conversationId));
     }
     /**
-     * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions
-     * have changed meanwhile.
+     * Allows to remove a pending proposal (rollback). Use this when backend rejects the proposal you just sent e.g. if permissions have changed meanwhile.
      *
      * **CAUTION**: only use this when you had an explicit response from the Delivery Service
-     * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc..
+     * e.g. 403 or 409. Do not use otherwise e.g. 5xx responses, timeout etc…
      *
      * @param conversationId - The group's ID
      * @param proposalRef - A reference to the proposal to delete. You get one when using {@link CoreCrypto.newProposal}
@@ -4364,8 +4499,7 @@ class CoreCrypto {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").clear_pending_proposal(conversationId, proposalRef));
     }
     /**
-     * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions
-     * have changed meanwhile.
+     * Allows to remove a pending commit (rollback). Use this when backend rejects the commit you just sent e.g. if permissions have changed meanwhile.
      *
      * **CAUTION**: only use this when you had an explicit response from the Delivery Service
      * e.g. 403. Do not use otherwise e.g. 5xx responses, timeout etc..
@@ -4422,7 +4556,7 @@ class CoreCrypto {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").reseed_rng(seed));
     }
     /**
-     * Initiailizes the proteus client
+     * Initializes the proteus client
      */
     async proteusInit() {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").proteus_init());
@@ -4599,31 +4733,31 @@ class CoreCrypto {
      * Creates an enrollment instance with private key material you can use in order to fetch
      * a new x509 certificate from the acme server.
      *
-     * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-     * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-     * @param handle user handle e.g. `alice.smith.qa@example.com`
-     * @param expiryDays generated x509 certificate expiry
+     * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
+     * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+     * @param handle - user handle e.g. `alice.smith.qa@example.com`
+     * @param expiryDays - generated x509 certificate expiry
      * @param ciphersuite - for generating signing key material
-     * @returns The new {@link WireE2eIdentity} object
+     * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiMlsInitOnly}
      */
     async e2eiNewEnrollment(clientId, displayName, handle, expiryDays, ciphersuite) {
         const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
-        return new WireE2eIdentity(e2ei);
+        return new E2eiEnrollment(e2ei);
     }
     /**
      * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
      * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
      *
-     * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-     * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-     * @param handle user handle e.g. `alice.smith.qa@example.com`
-     * @param expiryDays generated x509 certificate expiry
+     * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
+     * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+     * @param handle - user handle e.g. `alice.smith.qa@example.com`
+     * @param expiryDays - generated x509 certificate expiry
      * @param ciphersuite - for generating signing key material
-     * @returns The new {@link WireE2eIdentity} object
+     * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
      */
     async e2eiNewActivationEnrollment(clientId, displayName, handle, expiryDays, ciphersuite) {
         const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_activation_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
-        return new WireE2eIdentity(e2ei);
+        return new E2eiEnrollment(e2ei);
     }
     /**
      * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
@@ -4631,22 +4765,24 @@ class CoreCrypto {
      * has been revoked. It lets you change the DisplayName or the handle
      * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
      *
-     * @param clientId client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-     * @param expiryDays generated x509 certificate expiry
+     * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
+     * @param expiryDays - generated x509 certificate expiry
      * @param ciphersuite - for generating signing key material
-     * @param displayName human readable name displayed in the application e.g. `Smith, Alice M (QA)`
-     * @param handle user handle e.g. `alice.smith.qa@example.com`
-     * @returns The new {@link WireE2eIdentity} object
+     * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
+     * @param handle - user handle e.g. `alice.smith.qa@example.com`
+     * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
      */
     async e2eiNewRotateEnrollment(clientId, expiryDays, ciphersuite, displayName, handle) {
         const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_new_rotate_enrollment(clientId, displayName, handle, expiryDays, ciphersuite));
-        return new WireE2eIdentity(e2ei);
+        return new E2eiEnrollment(e2ei);
     }
     /**
-     * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ; that means he cannot initialize with a Basic credential
+     * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
+     * that means he cannot initialize with a Basic credential
      *
      * @param enrollment - the enrollment instance used to fetch the certificates
      * @param certificateChain - the raw response from ACME server
+     * @returns a MlsClient initialized with only a x509 credential
      */
     async e2eiMlsInitOnly(enrollment, certificateChain) {
         return await __classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_mls_init_only(enrollment.inner(), certificateChain);
@@ -4659,6 +4795,7 @@ class CoreCrypto {
      * @param enrollment - the enrollment instance used to fetch the certificates
      * @param certificateChain - the raw response from ACME server
      * @param newKeyPackageCount - number of KeyPackages with new identity to generate
+     * @returns a {@link RotateBundle} with commits to fan-out to other group members, KeyPackages to upload and old ones to delete
      */
     async e2eiRotateAll(enrollment, certificateChain, newKeyPackageCount) {
         const ffiRet = await __classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_rotate_all(enrollment.inner(), certificateChain, newKeyPackageCount);
@@ -4687,7 +4824,7 @@ class CoreCrypto {
      */
     async e2eiEnrollmentStashPop(handle) {
         const e2ei = await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_enrollment_stash_pop(handle));
-        return new WireE2eIdentity(e2ei);
+        return new E2eiEnrollment(e2ei);
     }
     /**
      * Indicates when to mark a conversation as degraded i.e. when not all its members have a X509.
@@ -4705,11 +4842,22 @@ class CoreCrypto {
      * Returns true when end-to-end-identity is enabled for the given Ciphersuite
      *
      * @param ciphersuite of the credential to check
-     * @returns true end-to-end identity is enabled for the given ciphersuite
+     * @returns true if end-to-end identity is enabled for the given ciphersuite
      */
     async e2eiIsEnabled(ciphersuite) {
         return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").e2ei_is_enabled(ciphersuite));
     }
+    /**
+     * From a given conversation, get the identity of the members supplied. Identity is only present for members with a
+     * Certificate Credential (after turning on end-to-end identity).
+     *
+     * @param conversationId - identifier of the conversation
+     * @param clientIds - identifiers of the user
+     * @returns identities or if no member has a x509 certificate, it will return an empty List
+     */
+    async getUserIdentities(conversationId, clientIds) {
+        return await CoreCryptoError.asyncMapErr(__classPrivateFieldGet(this, _CoreCrypto_cc, "f").get_user_identities(conversationId, clientIds));
+    }
     /**
      * Returns the current version of {@link CoreCrypto}
      *
@@ -4727,21 +4875,21 @@ _a = CoreCrypto, _CoreCrypto_cc = new WeakMap(), _CoreCrypto_assertModuleLoaded
 };
 /** @hidden */
 _CoreCrypto_module = { value: void 0 };
-class WireE2eIdentity {
+class E2eiEnrollment {
     /** @hidden */
     constructor(e2ei) {
         /** @hidden */
-        _WireE2eIdentity_e2ei.set(this, void 0);
-        __classPrivateFieldSet(this, _WireE2eIdentity_e2ei, e2ei, "f");
+        _E2eiEnrollment_enrollment.set(this, void 0);
+        __classPrivateFieldSet(this, _E2eiEnrollment_enrollment, e2ei, "f");
     }
     free() {
-        __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").free();
+        __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").free();
     }
     /**
      * Should only be used internally
      */
     inner() {
-        return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f");
+        return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f");
     }
     /**
      * Parses the response from `GET /acme/{provisioner-name}/directory`.
@@ -4753,7 +4901,7 @@ class WireE2eIdentity {
      */
     directoryResponse(directory) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").directory_response(directory);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").directory_response(directory);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4768,7 +4916,7 @@ class WireE2eIdentity {
      */
     newAccountRequest(previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_account_request(previousNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_account_request(previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4781,7 +4929,7 @@ class WireE2eIdentity {
      */
     newAccountResponse(account) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_account_response(account);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_account_response(account);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4795,7 +4943,7 @@ class WireE2eIdentity {
      */
     newOrderRequest(previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_order_request(previousNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_order_request(previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4809,7 +4957,7 @@ class WireE2eIdentity {
      */
     newOrderResponse(order) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_order_response(order);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_order_response(order);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4825,7 +4973,7 @@ class WireE2eIdentity {
      */
     newAuthzRequest(url, previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_authz_request(url, previousNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_authz_request(url, previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4839,7 +4987,7 @@ class WireE2eIdentity {
      */
     newAuthzResponse(authz) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_authz_response(authz);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_authz_response(authz);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4858,7 +5006,7 @@ class WireE2eIdentity {
      */
     createDpopToken(expirySecs, backendNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").create_dpop_token(expirySecs, backendNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").create_dpop_token(expirySecs, backendNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4873,7 +5021,7 @@ class WireE2eIdentity {
      */
     newDpopChallengeRequest(accessToken, previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_dpop_challenge_request(accessToken, previousNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_dpop_challenge_request(accessToken, previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4888,7 +5036,7 @@ class WireE2eIdentity {
      */
     newOidcChallengeRequest(idToken, previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_oidc_challenge_request(idToken, previousNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_oidc_challenge_request(idToken, previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4902,7 +5050,7 @@ class WireE2eIdentity {
      */
     newChallengeResponse(challenge) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").new_challenge_response(challenge);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").new_challenge_response(challenge);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4917,7 +5065,7 @@ class WireE2eIdentity {
      */
     checkOrderRequest(orderUrl, previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").check_order_request(orderUrl, previousNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").check_order_request(orderUrl, previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4927,12 +5075,12 @@ class WireE2eIdentity {
      * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
      *
      * @param order HTTP response body
-     * @return the finalize url to use with {@link finalizeRequest}
+     * @return finalize url to use with {@link finalizeRequest}
      * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
      */
     checkOrderResponse(order) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").check_order_response(order);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").check_order_response(order);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4946,7 +5094,7 @@ class WireE2eIdentity {
      */
     finalizeRequest(previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").finalize_request(previousNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").finalize_request(previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4961,7 +5109,7 @@ class WireE2eIdentity {
      */
     finalizeResponse(finalize) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").finalize_response(finalize);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").finalize_response(finalize);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
@@ -4975,14 +5123,14 @@ class WireE2eIdentity {
      */
     certificateRequest(previousNonce) {
         try {
-            return __classPrivateFieldGet(this, _WireE2eIdentity_e2ei, "f").certificate_request(previousNonce);
+            return __classPrivateFieldGet(this, _E2eiEnrollment_enrollment, "f").certificate_request(previousNonce);
         }
         catch (e) {
             throw CoreCryptoError.fromStdError(e);
         }
     }
 }
-_WireE2eIdentity_e2ei = new WeakMap();
+_E2eiEnrollment_enrollment = new WeakMap();
 /**
  * Indicates the state of a Conversation regarding end-to-end identity.
  * Note: this does not check pending state (pending commit, pending proposals) so it does not
@@ -5004,4 +5152,4 @@ var E2eiConversationState;
     E2eiConversationState[E2eiConversationState["NotEnabled"] = 3] = "NotEnabled";
 })(E2eiConversationState || (E2eiConversationState = {}));
 
-export { Ciphersuite, CoreCrypto, CoreCryptoError, CredentialType, E2eiConversationState, ExternalProposalType, GroupInfoEncryptionType, ProposalType, RatchetTreeType, WireE2eIdentity, WirePolicy };
+export { Ciphersuite, CoreCrypto, CoreCryptoError, CredentialType, E2eiConversationState, E2eiEnrollment, ExternalProposalType, GroupInfoEncryptionType, ProposalType, RatchetTreeType, WirePolicy };