@wireapp/core-crypto 1.0.0-rc.8 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +148 -34
- package/package.json +13 -32
- package/platforms/web/core-crypto-ffi_bg.wasm +0 -0
- package/platforms/web/corecrypto.d.ts +367 -185
- package/platforms/web/corecrypto.js +3301 -5118
- package/platforms/web/assets/core_crypto_ffi-ded089fb.wasm +0 -0
@@ -1,3 +1,74 @@
|
|
1
|
+
/**
|
2
|
+
* For creating a challenge.
|
3
|
+
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
|
4
|
+
*/
|
5
|
+
export class AcmeChallenge {
|
6
|
+
free(): void;
|
7
|
+
/**
|
8
|
+
* Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
|
9
|
+
*/
|
10
|
+
readonly delegate: Uint8Array;
|
11
|
+
/**
|
12
|
+
* Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
|
13
|
+
* Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
|
14
|
+
*/
|
15
|
+
readonly target: string;
|
16
|
+
/**
|
17
|
+
* URL of this challenge
|
18
|
+
*/
|
19
|
+
readonly url: string;
|
20
|
+
}
|
21
|
+
/**
|
22
|
+
* Dump of the PKI environemnt as PEM
|
23
|
+
*/
|
24
|
+
export class E2eiDumpedPkiEnv {
|
25
|
+
free(): void;
|
26
|
+
/**
|
27
|
+
* CRLs registered in the PKI env
|
28
|
+
*/
|
29
|
+
readonly crls: (string)[];
|
30
|
+
/**
|
31
|
+
* Intermediate CAs that are loaded
|
32
|
+
*/
|
33
|
+
readonly intermediates: (string)[];
|
34
|
+
/**
|
35
|
+
* Root CA in use (i.e. Trust Anchor)
|
36
|
+
*/
|
37
|
+
readonly root_ca: string;
|
38
|
+
}
|
39
|
+
/**
|
40
|
+
* Result of an authorization creation.
|
41
|
+
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
|
42
|
+
*/
|
43
|
+
export class NewAcmeAuthz {
|
44
|
+
free(): void;
|
45
|
+
/**
|
46
|
+
* Associated ACME Challenge
|
47
|
+
*/
|
48
|
+
readonly challenge: AcmeChallenge;
|
49
|
+
/**
|
50
|
+
* DNS entry associated with those challenge
|
51
|
+
*/
|
52
|
+
readonly identifier: string;
|
53
|
+
/**
|
54
|
+
* ACME challenge + ACME key thumbprint
|
55
|
+
*/
|
56
|
+
readonly keyauth: string | undefined;
|
57
|
+
}
|
58
|
+
/**
|
59
|
+
* Result of an order creation.
|
60
|
+
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
61
|
+
*/
|
62
|
+
export class NewAcmeOrder {
|
63
|
+
free(): void;
|
64
|
+
/**
|
65
|
+
*/
|
66
|
+
readonly authorizations: (Uint8Array)[];
|
67
|
+
/**
|
68
|
+
* Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
|
69
|
+
*/
|
70
|
+
readonly delegate: Uint8Array;
|
71
|
+
}
|
1
72
|
/**
|
2
73
|
* Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
|
3
74
|
*
|
@@ -47,11 +118,7 @@ export declare enum Ciphersuite {
|
|
47
118
|
/**
|
48
119
|
* DH KEM P384 | AES-GCM 256 | SHA2-384 | EcDSA P384
|
49
120
|
*/
|
50
|
-
MLS_256_DHKEMP384_AES256GCM_SHA384_P384 = 7
|
51
|
-
/**
|
52
|
-
* x25519Kyber768Draft00 Hybrid KEM | AES-GCM 128 | SHA2-256 | Ed25519
|
53
|
-
*/
|
54
|
-
MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519 = 61489
|
121
|
+
MLS_256_DHKEMP384_AES256GCM_SHA384_P384 = 7
|
55
122
|
}
|
56
123
|
export declare enum CredentialType {
|
57
124
|
/**
|
@@ -79,24 +146,6 @@ export interface ConversationConfiguration {
|
|
79
146
|
* Implementation specific configuration
|
80
147
|
*/
|
81
148
|
custom?: CustomConfiguration;
|
82
|
-
/**
|
83
|
-
* Trust anchors to be added in the group's context extensions
|
84
|
-
*/
|
85
|
-
perDomainTrustAnchors?: PerDomainTrustAnchor[];
|
86
|
-
}
|
87
|
-
/**
|
88
|
-
* A wrapper containing the configuration for trust anchors to be added in the group's context
|
89
|
-
* extensions
|
90
|
-
*/
|
91
|
-
export interface PerDomainTrustAnchor {
|
92
|
-
/**
|
93
|
-
* Domain name of the owning backend this anchor refers to. One of the certificate in the chain has to have this domain in its SANs
|
94
|
-
*/
|
95
|
-
domain_name: string;
|
96
|
-
/**
|
97
|
-
* PEM encoded (partial) certificate chain. This contains the certificate chain for the CA certificate issuing the E2E Identity certificates
|
98
|
-
*/
|
99
|
-
intermediate_certificate_chain: string;
|
100
149
|
}
|
101
150
|
/**
|
102
151
|
* see [core_crypto::prelude::MlsWirePolicy]
|
@@ -179,6 +228,10 @@ export interface MemberAddedMessages {
|
|
179
228
|
* @readonly
|
180
229
|
*/
|
181
230
|
groupInfo: GroupInfoBundle;
|
231
|
+
/**
|
232
|
+
* New CRL distribution points that appeared by the introduction of a new credential
|
233
|
+
*/
|
234
|
+
crlNewDistributionPoints?: string[];
|
182
235
|
}
|
183
236
|
/**
|
184
237
|
* Data shape for a MLS generic commit + optional bundle (aka stapled commit & welcome)
|
@@ -275,6 +328,10 @@ export interface RotateBundle {
|
|
275
328
|
* @readonly
|
276
329
|
*/
|
277
330
|
keyPackageRefsToRemove: Uint8Array[];
|
331
|
+
/**
|
332
|
+
* New CRL distribution points that appeared by the introduction of a new credential
|
333
|
+
*/
|
334
|
+
crlNewDistributionPoints?: string[];
|
278
335
|
}
|
279
336
|
/**
|
280
337
|
* Params for CoreCrypto deferred initialization
|
@@ -290,10 +347,6 @@ export interface CoreCryptoDeferredParams {
|
|
290
347
|
* This should be appropriately stored in a secure location (i.e. WebCrypto private key storage)
|
291
348
|
*/
|
292
349
|
key: string;
|
293
|
-
/**
|
294
|
-
* All the ciphersuites this MLS client can support
|
295
|
-
*/
|
296
|
-
ciphersuites: Ciphersuite[];
|
297
350
|
/**
|
298
351
|
* External PRNG entropy pool seed.
|
299
352
|
* This **must** be exactly 32 bytes
|
@@ -314,19 +367,14 @@ export interface CoreCryptoParams extends CoreCryptoDeferredParams {
|
|
314
367
|
* This should stay consistent as it will be verified against the stored signature & identity to validate the persisted credential
|
315
368
|
*/
|
316
369
|
clientId: ClientId;
|
317
|
-
}
|
318
|
-
/**
|
319
|
-
* Data shape for adding clients to a conversation
|
320
|
-
*/
|
321
|
-
export interface Invitee {
|
322
370
|
/**
|
323
|
-
*
|
371
|
+
* All the ciphersuites this MLS client can support
|
324
372
|
*/
|
325
|
-
|
373
|
+
ciphersuites: Ciphersuite[];
|
326
374
|
/**
|
327
|
-
*
|
375
|
+
* Number of initial KeyPackage to create when initializing the client
|
328
376
|
*/
|
329
|
-
|
377
|
+
nbKeyPackage?: number;
|
330
378
|
}
|
331
379
|
export interface ConversationInitBundle {
|
332
380
|
/**
|
@@ -348,6 +396,27 @@ export interface ConversationInitBundle {
|
|
348
396
|
* @readonly
|
349
397
|
*/
|
350
398
|
groupInfo: GroupInfoBundle;
|
399
|
+
/**
|
400
|
+
* New CRL distribution points that appeared by the introduction of a new credential
|
401
|
+
*/
|
402
|
+
crlNewDistributionPoints?: string[];
|
403
|
+
}
|
404
|
+
/**
|
405
|
+
* Supporting struct for CRL registration result
|
406
|
+
*/
|
407
|
+
export interface CRLRegistration {
|
408
|
+
/**
|
409
|
+
* Whether this CRL modifies the old CRL (i.e. has a different revocated cert list)
|
410
|
+
*
|
411
|
+
* @readonly
|
412
|
+
*/
|
413
|
+
dirty: boolean;
|
414
|
+
/**
|
415
|
+
* Optional expiration timestamp
|
416
|
+
*
|
417
|
+
* @readonly
|
418
|
+
*/
|
419
|
+
expiration?: number;
|
351
420
|
}
|
352
421
|
/**
|
353
422
|
* This is a wrapper for all the possible outcomes you can get after decrypting a message
|
@@ -392,6 +461,10 @@ export interface DecryptedMessage {
|
|
392
461
|
* because the DS did not fan them out in order.
|
393
462
|
*/
|
394
463
|
bufferedMessages?: BufferedDecryptedMessage[];
|
464
|
+
/**
|
465
|
+
* New CRL distribution points that appeared by the introduction of a new credential
|
466
|
+
*/
|
467
|
+
crlNewDistributionPoints?: string[];
|
395
468
|
}
|
396
469
|
/**
|
397
470
|
* Almost same as {@link DecryptedMessage} but avoids recursion
|
@@ -425,17 +498,43 @@ export interface BufferedDecryptedMessage {
|
|
425
498
|
* see {@link DecryptedMessage.identity}
|
426
499
|
*/
|
427
500
|
identity?: WireIdentity;
|
501
|
+
/**
|
502
|
+
* see {@link DecryptedMessage.crlNewDistributionPoints}
|
503
|
+
*/
|
504
|
+
crlNewDistributionPoints?: string[];
|
428
505
|
}
|
429
506
|
/**
|
430
|
-
* Represents the identity claims identifying a client
|
507
|
+
* Represents the identity claims identifying a client
|
508
|
+
* Those claims are verifiable by any member in the group
|
431
509
|
*/
|
432
510
|
export interface WireIdentity {
|
433
511
|
/**
|
434
|
-
*
|
512
|
+
* Unique client identifier
|
435
513
|
*/
|
436
514
|
clientId: string;
|
437
515
|
/**
|
438
|
-
*
|
516
|
+
* Status of the Credential at the moment T when this object is created
|
517
|
+
*/
|
518
|
+
status: DeviceStatus;
|
519
|
+
/**
|
520
|
+
* MLS thumbprint
|
521
|
+
*/
|
522
|
+
thumbprint: string;
|
523
|
+
/**
|
524
|
+
* Indicates whether the credential is Basic or X509
|
525
|
+
*/
|
526
|
+
credentialType: CredentialType;
|
527
|
+
/**
|
528
|
+
* In case {@link credentialType} is {@link CredentialType.X509} this is populated
|
529
|
+
*/
|
530
|
+
x509Identity?: X509Identity;
|
531
|
+
}
|
532
|
+
/**
|
533
|
+
* Represents the parts of {@link WireIdentity} that are specific to a X509 certificate (and not a Basic one).
|
534
|
+
*/
|
535
|
+
export interface X509Identity {
|
536
|
+
/**
|
537
|
+
* User handle e.g. `john_wire`
|
439
538
|
*/
|
440
539
|
handle: string;
|
441
540
|
/**
|
@@ -446,6 +545,58 @@ export interface WireIdentity {
|
|
446
545
|
* DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
|
447
546
|
*/
|
448
547
|
domain: string;
|
548
|
+
/**
|
549
|
+
* X509 certificate identifying this client in the MLS group ; PEM encoded
|
550
|
+
*/
|
551
|
+
certificate: string;
|
552
|
+
/**
|
553
|
+
* X509 certificate serial number
|
554
|
+
*/
|
555
|
+
serialNumber: string;
|
556
|
+
/**
|
557
|
+
* X509 certificate not before as Unix timestamp
|
558
|
+
*/
|
559
|
+
notBefore: bigint;
|
560
|
+
/**
|
561
|
+
* X509 certificate not after as Unix timestamp
|
562
|
+
*/
|
563
|
+
notAfter: bigint;
|
564
|
+
}
|
565
|
+
export interface AcmeDirectory {
|
566
|
+
/**
|
567
|
+
* URL for fetching a new nonce. Use this only for creating a new account.
|
568
|
+
*/
|
569
|
+
newNonce: string;
|
570
|
+
/**
|
571
|
+
* URL for creating a new account.
|
572
|
+
*/
|
573
|
+
newAccount: string;
|
574
|
+
/**
|
575
|
+
* URL for creating a new order.
|
576
|
+
*/
|
577
|
+
newOrder: string;
|
578
|
+
/**
|
579
|
+
* Revocation URL
|
580
|
+
*/
|
581
|
+
revokeCert: string;
|
582
|
+
}
|
583
|
+
/**
|
584
|
+
* Indicates the standalone status of a device Credential in a MLS group at a moment T.
|
585
|
+
* This does not represent the states where a device is not using MLS or is not using end-to-end identity
|
586
|
+
*/
|
587
|
+
export declare enum DeviceStatus {
|
588
|
+
/**
|
589
|
+
* All is fine
|
590
|
+
*/
|
591
|
+
Valid = 1,
|
592
|
+
/**
|
593
|
+
* The Credential's certificate is expired
|
594
|
+
*/
|
595
|
+
Expired = 2,
|
596
|
+
/**
|
597
|
+
* The Credential's certificate is revoked
|
598
|
+
*/
|
599
|
+
Revoked = 3
|
449
600
|
}
|
450
601
|
/**
|
451
602
|
* Returned by all methods creating proposals. Contains a proposal message and an identifier to roll back the proposal
|
@@ -463,6 +614,26 @@ export interface ProposalBundle {
|
|
463
614
|
* @readonly
|
464
615
|
*/
|
465
616
|
proposalRef: ProposalRef;
|
617
|
+
/**
|
618
|
+
* New CRL Distribution of members of this group
|
619
|
+
*
|
620
|
+
* @readonly
|
621
|
+
*/
|
622
|
+
crlNewDistributionPoints?: string[];
|
623
|
+
}
|
624
|
+
export interface WelcomeBundle {
|
625
|
+
/**
|
626
|
+
* Conversation ID
|
627
|
+
*
|
628
|
+
* @readonly
|
629
|
+
*/
|
630
|
+
id: Uint8Array;
|
631
|
+
/**
|
632
|
+
* New CRL Distribution of members of this group
|
633
|
+
*
|
634
|
+
* @readonly
|
635
|
+
*/
|
636
|
+
crlNewDistributionPoints?: string[];
|
466
637
|
}
|
467
638
|
/**
|
468
639
|
* MLS Proposal type
|
@@ -574,11 +745,43 @@ export interface CoreCryptoCallbacks {
|
|
574
745
|
*/
|
575
746
|
clientIsExistingGroupUser: (conversationId: Uint8Array, clientId: Uint8Array, existingClients: Uint8Array[], parent_conversation_clients?: Uint8Array[]) => Promise<boolean>;
|
576
747
|
}
|
748
|
+
/**
|
749
|
+
* An interface to register a logger in CoreCrypto
|
750
|
+
**/
|
751
|
+
export interface CoreCryptoLogger {
|
752
|
+
/**
|
753
|
+
* This method will be called by Core Crypto to log messages. It is up to the implementer to decide how to handle the message and where to actually log it.
|
754
|
+
* @param level - the level of the logged message. it will also be present in the json message
|
755
|
+
* @param json_msg - message to log in json format
|
756
|
+
**/
|
757
|
+
log: (level: CoreCryptoLogLevel, json_msg: string) => void;
|
758
|
+
}
|
759
|
+
/**
|
760
|
+
* Defines the maximum log level for the logs from Core Crypto
|
761
|
+
**/
|
762
|
+
export declare enum CoreCryptoLogLevel {
|
763
|
+
Off = 1,
|
764
|
+
Trace = 2,
|
765
|
+
Debug = 3,
|
766
|
+
Info = 4,
|
767
|
+
Warn = 5,
|
768
|
+
Error = 6
|
769
|
+
}
|
770
|
+
/**
|
771
|
+
* Initializes the global logger for Core Crypto and registers the callback. Can be called only once
|
772
|
+
* @param logger - the interface to be called when something is going to be logged
|
773
|
+
* @param level - the max level that should be logged
|
774
|
+
**/
|
775
|
+
export declare function initLogger(logger: CoreCryptoLogger, level: CoreCryptoLogLevel, ctx?: any): void;
|
577
776
|
/**
|
578
777
|
* Wrapper for the WASM-compiled version of CoreCrypto
|
579
778
|
*/
|
580
779
|
export declare class CoreCrypto {
|
581
780
|
#private;
|
781
|
+
/**
|
782
|
+
* Should only be used internally
|
783
|
+
*/
|
784
|
+
inner(): unknown;
|
582
785
|
/**
|
583
786
|
* This is your entrypoint to initialize {@link CoreCrypto}!
|
584
787
|
*
|
@@ -612,7 +815,7 @@ export declare class CoreCrypto {
|
|
612
815
|
* });
|
613
816
|
* ````
|
614
817
|
*/
|
615
|
-
static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed }: CoreCryptoParams): Promise<CoreCrypto>;
|
818
|
+
static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed, nbKeyPackage, }: CoreCryptoParams): Promise<CoreCrypto>;
|
616
819
|
/**
|
617
820
|
* Almost identical to {@link CoreCrypto.init} but allows a 2 phase initialization of MLS.
|
618
821
|
* First, calling this will set up the keystore and will allow generating proteus prekeys.
|
@@ -620,14 +823,15 @@ export declare class CoreCrypto {
|
|
620
823
|
* Use this clientId to initialize MLS with {@link CoreCrypto.mlsInit}.
|
621
824
|
* @param params - {@link CoreCryptoDeferredParams}
|
622
825
|
*/
|
623
|
-
static deferredInit({ databaseName, key,
|
826
|
+
static deferredInit({ databaseName, key, entropySeed, wasmFilePath, }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
|
624
827
|
/**
|
625
828
|
* Use this after {@link CoreCrypto.deferredInit} when you have a clientId. It initializes MLS.
|
626
829
|
*
|
627
830
|
* @param clientId - {@link CoreCryptoParams#clientId} but required
|
628
831
|
* @param ciphersuites - All the ciphersuites supported by this MLS client
|
832
|
+
* @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
|
629
833
|
*/
|
630
|
-
mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[]): Promise<void>;
|
834
|
+
mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[], nbKeyPackage?: number): Promise<void>;
|
631
835
|
/**
|
632
836
|
* Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
|
633
837
|
* This method is designed to be used in conjunction with {@link CoreCrypto.mlsInitWithClientId} and represents the first step in this process
|
@@ -711,6 +915,12 @@ export declare class CoreCrypto {
|
|
711
915
|
* ```
|
712
916
|
*/
|
713
917
|
conversationEpoch(conversationId: ConversationId): Promise<number>;
|
918
|
+
/**
|
919
|
+
* Returns the ciphersuite of a conversation
|
920
|
+
*
|
921
|
+
* @returns the ciphersuite of the conversation
|
922
|
+
*/
|
923
|
+
conversationCiphersuite(conversationId: ConversationId): Promise<Ciphersuite>;
|
714
924
|
/**
|
715
925
|
* Wipes and destroys the local storage of a given conversation / MLS group
|
716
926
|
*
|
@@ -752,22 +962,6 @@ export declare class CoreCrypto {
|
|
752
962
|
* @returns The encrypted payload for the given group. This needs to be fanned out to the other members of the group.
|
753
963
|
*/
|
754
964
|
encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
|
755
|
-
/**
|
756
|
-
* Updates the trust anchors for a conversation. This should be called when a federated event happens (new team added/removed).
|
757
|
-
* Clients should add and/or remove trust anchors from the new backend to the conversation. The method will check
|
758
|
-
* for duplicated domains and the validity of the certificate chain.
|
759
|
-
*
|
760
|
-
* **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
|
761
|
-
* '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
|
762
|
-
* epoch, use new encryption secrets etc...
|
763
|
-
*
|
764
|
-
* @param conversationId - The ID of the conversation
|
765
|
-
* @param removeDomainNames - Domains to remove from the trust anchors
|
766
|
-
* @param addTrustAnchors - New trust anchors to add to the conversation
|
767
|
-
*
|
768
|
-
* @returns A {@link CommitBundle}
|
769
|
-
*/
|
770
|
-
updateTrustAnchorsFromConversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
|
771
965
|
/**
|
772
966
|
* Ingest a TLS-serialized MLS welcome message to join an existing MLS group
|
773
967
|
*
|
@@ -779,14 +973,15 @@ export declare class CoreCrypto {
|
|
779
973
|
* @param configuration - configuration of the MLS group
|
780
974
|
* @returns The conversation ID of the newly joined group. You can use the same ID to decrypt/encrypt messages
|
781
975
|
*/
|
782
|
-
processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<
|
976
|
+
processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<WelcomeBundle>;
|
783
977
|
/**
|
784
978
|
* Get the client's public signature key. To upload to the DS for further backend side validation
|
785
979
|
*
|
786
980
|
* @param ciphersuite - of the signature key to get
|
981
|
+
* @param credentialType - of the public key to look for
|
787
982
|
* @returns the client's public signature key
|
788
983
|
*/
|
789
|
-
clientPublicKey(ciphersuite: Ciphersuite): Promise<Uint8Array>;
|
984
|
+
clientPublicKey(ciphersuite: Ciphersuite, credentialType: CredentialType): Promise<Uint8Array>;
|
790
985
|
/**
|
791
986
|
*
|
792
987
|
* @param ciphersuite - of the KeyPackages to count
|
@@ -818,11 +1013,11 @@ export declare class CoreCrypto {
|
|
818
1013
|
* epoch, use new encryption secrets etc...
|
819
1014
|
*
|
820
1015
|
* @param conversationId - The ID of the conversation
|
821
|
-
* @param
|
1016
|
+
* @param keyPackages - KeyPackages of the new clients to add
|
822
1017
|
*
|
823
1018
|
* @returns A {@link CommitBundle}
|
824
1019
|
*/
|
825
|
-
addClientsToConversation(conversationId: ConversationId,
|
1020
|
+
addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<MemberAddedMessages>;
|
826
1021
|
/**
|
827
1022
|
* Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
|
828
1023
|
* to do so, otherwise this operation does nothing.
|
@@ -946,6 +1141,15 @@ export declare class CoreCrypto {
|
|
946
1141
|
* @returns A `Uint8Array` representing the derived key
|
947
1142
|
*/
|
948
1143
|
exportSecretKey(conversationId: ConversationId, keyLength: number): Promise<Uint8Array>;
|
1144
|
+
/**
|
1145
|
+
* Returns the raw public key of the single external sender present in this group.
|
1146
|
+
* This should be used to initialize a subconversation
|
1147
|
+
*
|
1148
|
+
* @param conversationId - The group's ID
|
1149
|
+
*
|
1150
|
+
* @returns A `Uint8Array` representing the external sender raw public key
|
1151
|
+
*/
|
1152
|
+
getExternalSender(conversationId: ConversationId): Promise<Uint8Array>;
|
949
1153
|
/**
|
950
1154
|
* Returns all clients from group's members
|
951
1155
|
*
|
@@ -1103,49 +1307,91 @@ export declare class CoreCrypto {
|
|
1103
1307
|
* Creates an enrollment instance with private key material you can use in order to fetch
|
1104
1308
|
* a new x509 certificate from the acme server.
|
1105
1309
|
*
|
1106
|
-
* @param clientId - client identifier
|
1310
|
+
* @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
|
1107
1311
|
* @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
|
1108
1312
|
* @param handle - user handle e.g. `alice.smith.qa@example.com`
|
1109
|
-
* @param
|
1313
|
+
* @param expirySec - generated x509 certificate expiry
|
1110
1314
|
* @param ciphersuite - for generating signing key material
|
1315
|
+
* @param team - name of the Wire team a user belongs to
|
1111
1316
|
* @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiMlsInitOnly}
|
1112
1317
|
*/
|
1113
|
-
e2eiNewEnrollment(clientId: string, displayName: string, handle: string,
|
1318
|
+
e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
|
1114
1319
|
/**
|
1115
1320
|
* Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
|
1116
1321
|
* Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
|
1117
1322
|
*
|
1118
|
-
* @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
|
1119
1323
|
* @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
|
1120
1324
|
* @param handle - user handle e.g. `alice.smith.qa@example.com`
|
1121
|
-
* @param
|
1325
|
+
* @param expirySec - generated x509 certificate expiry
|
1122
1326
|
* @param ciphersuite - for generating signing key material
|
1327
|
+
* @param team - name of the Wire team a user belongs to
|
1123
1328
|
* @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
|
1124
1329
|
*/
|
1125
|
-
e2eiNewActivationEnrollment(
|
1330
|
+
e2eiNewActivationEnrollment(displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
|
1126
1331
|
/**
|
1127
1332
|
* Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
|
1128
1333
|
* having to change/rotate their credential, either because the former one is expired or it
|
1129
1334
|
* has been revoked. It lets you change the DisplayName or the handle
|
1130
1335
|
* if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
|
1131
1336
|
*
|
1132
|
-
* @param
|
1133
|
-
* @param expiryDays - generated x509 certificate expiry
|
1337
|
+
* @param expirySec - generated x509 certificate expiry
|
1134
1338
|
* @param ciphersuite - for generating signing key material
|
1135
1339
|
* @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
|
1136
1340
|
* @param handle - user handle e.g. `alice.smith.qa@example.com`
|
1341
|
+
* @param team - name of the Wire team a user belongs to
|
1137
1342
|
* @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
|
1138
1343
|
*/
|
1139
|
-
e2eiNewRotateEnrollment(
|
1344
|
+
e2eiNewRotateEnrollment(expirySec: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
|
1140
1345
|
/**
|
1141
1346
|
* Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
|
1142
1347
|
* that means he cannot initialize with a Basic credential
|
1143
1348
|
*
|
1144
1349
|
* @param enrollment - the enrollment instance used to fetch the certificates
|
1145
1350
|
* @param certificateChain - the raw response from ACME server
|
1351
|
+
* @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
|
1146
1352
|
* @returns a MlsClient initialized with only a x509 credential
|
1147
1353
|
*/
|
1148
|
-
e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string): Promise<
|
1354
|
+
e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<string[] | undefined>;
|
1355
|
+
/**
|
1356
|
+
* Dumps the PKI environment as PEM
|
1357
|
+
*
|
1358
|
+
* @returns a struct with different fields representing the PKI environment as PEM strings
|
1359
|
+
*/
|
1360
|
+
e2eiDumpPKIEnv(): Promise<E2eiDumpedPkiEnv | undefined>;
|
1361
|
+
/**
|
1362
|
+
* @returns whether the E2EI PKI environment is setup (i.e. Root CA, Intermediates, CRLs)
|
1363
|
+
*/
|
1364
|
+
e2eiIsPKIEnvSetup(): Promise<boolean>;
|
1365
|
+
/**
|
1366
|
+
* Registers a Root Trust Anchor CA for the use in E2EI processing.
|
1367
|
+
*
|
1368
|
+
* Please note that without a Root Trust Anchor, all validations *will* fail;
|
1369
|
+
* So this is the first step to perform after initializing your E2EI client
|
1370
|
+
*
|
1371
|
+
* @param trustAnchorPEM - PEM certificate to anchor as a Trust Root
|
1372
|
+
*/
|
1373
|
+
e2eiRegisterAcmeCA(trustAnchorPEM: string): Promise<void>;
|
1374
|
+
/**
|
1375
|
+
* Registers an Intermediate CA for the use in E2EI processing.
|
1376
|
+
*
|
1377
|
+
* Please note that a Root Trust Anchor CA is needed to validate Intermediate CAs;
|
1378
|
+
* You **need** to have a Root CA registered before calling this
|
1379
|
+
*
|
1380
|
+
* @param certPEM - PEM certificate to register as an Intermediate CA
|
1381
|
+
*/
|
1382
|
+
e2eiRegisterIntermediateCA(certPEM: string): Promise<string[] | undefined>;
|
1383
|
+
/**
|
1384
|
+
* Registers a CRL for the use in E2EI processing.
|
1385
|
+
*
|
1386
|
+
* Please note that a Root Trust Anchor CA is needed to validate CRLs;
|
1387
|
+
* You **need** to have a Root CA registered before calling this
|
1388
|
+
*
|
1389
|
+
* @param crlDP - CRL Distribution Point; Basically the URL you fetched it from
|
1390
|
+
* @param crlDER - DER representation of the CRL
|
1391
|
+
*
|
1392
|
+
* @returns a {@link CRLRegistration} with the dirty state of the new CRL (see struct) and its expiration timestamp
|
1393
|
+
*/
|
1394
|
+
e2eiRegisterCRL(crlDP: string, crlDER: Uint8Array): Promise<CRLRegistration>;
|
1149
1395
|
/**
|
1150
1396
|
* Creates a commit in all local conversations for changing the credential. Requires first
|
1151
1397
|
* having enrolled a new X509 certificate with either {@link CoreCrypto.e2eiNewActivationEnrollment}
|
@@ -1173,7 +1419,7 @@ export declare class CoreCrypto {
|
|
1173
1419
|
*/
|
1174
1420
|
e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
|
1175
1421
|
/**
|
1176
|
-
* Indicates when to mark a conversation as
|
1422
|
+
* Indicates when to mark a conversation as not verified i.e. when not all its members have a X509.
|
1177
1423
|
* Credential generated by Wire's end-to-end identity enrollment
|
1178
1424
|
*
|
1179
1425
|
* @param conversationId The group's ID
|
@@ -1192,10 +1438,29 @@ export declare class CoreCrypto {
|
|
1192
1438
|
* Certificate Credential (after turning on end-to-end identity).
|
1193
1439
|
*
|
1194
1440
|
* @param conversationId - identifier of the conversation
|
1195
|
-
* @param
|
1441
|
+
* @param deviceIds - identifiers of the devices
|
1196
1442
|
* @returns identities or if no member has a x509 certificate, it will return an empty List
|
1197
1443
|
*/
|
1198
|
-
|
1444
|
+
getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity[]>;
|
1445
|
+
/**
|
1446
|
+
* From a given conversation, get the identity of the users (device holders) supplied.
|
1447
|
+
* Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
|
1448
|
+
* If no member has a x509 certificate, it will return an empty Vec.
|
1449
|
+
*
|
1450
|
+
* @param conversationId - identifier of the conversation
|
1451
|
+
* @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
|
1452
|
+
* @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
|
1453
|
+
*/
|
1454
|
+
getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
|
1455
|
+
/**
|
1456
|
+
* Gets the e2ei conversation state from a `GroupInfo`. Useful to check if the group has e2ei
|
1457
|
+
* turned on or not before joining it.
|
1458
|
+
*
|
1459
|
+
* @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
|
1460
|
+
* @param credentialType - kind of Credential to check usage of. Defaults to X509 for now as no other value will give any result.
|
1461
|
+
* @returns see {@link E2eiConversationState}
|
1462
|
+
*/
|
1463
|
+
getCredentialInUse(groupInfo: Uint8Array, credentialType?: CredentialType): Promise<E2eiConversationState>;
|
1199
1464
|
/**
|
1200
1465
|
* Returns the current version of {@link CoreCrypto}
|
1201
1466
|
*
|
@@ -1221,7 +1486,7 @@ export declare class E2eiEnrollment {
|
|
1221
1486
|
* @param directory HTTP response body
|
1222
1487
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
|
1223
1488
|
*/
|
1224
|
-
directoryResponse(directory: JsonRawData): AcmeDirectory
|
1489
|
+
directoryResponse(directory: JsonRawData): Promise<AcmeDirectory>;
|
1225
1490
|
/**
|
1226
1491
|
* For creating a new acme account. This returns a signed JWS-alike request body to send to
|
1227
1492
|
* `POST /acme/{provisioner-name}/new-account`.
|
@@ -1229,27 +1494,27 @@ export declare class E2eiEnrollment {
|
|
1229
1494
|
* @param previousNonce you got from calling `HEAD {@link AcmeDirectory.newNonce}`
|
1230
1495
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
|
1231
1496
|
*/
|
1232
|
-
newAccountRequest(previousNonce: string): JsonRawData
|
1497
|
+
newAccountRequest(previousNonce: string): Promise<JsonRawData>;
|
1233
1498
|
/**
|
1234
1499
|
* Parses the response from `POST /acme/{provisioner-name}/new-account`.
|
1235
1500
|
* @param account HTTP response body
|
1236
1501
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
|
1237
1502
|
*/
|
1238
|
-
newAccountResponse(account: JsonRawData): void
|
1503
|
+
newAccountResponse(account: JsonRawData): Promise<void>;
|
1239
1504
|
/**
|
1240
1505
|
* Creates a new acme order for the handle (userId + display name) and the clientId.
|
1241
1506
|
*
|
1242
1507
|
* @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
|
1243
1508
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
1244
1509
|
*/
|
1245
|
-
newOrderRequest(previousNonce: string): JsonRawData
|
1510
|
+
newOrderRequest(previousNonce: string): Promise<JsonRawData>;
|
1246
1511
|
/**
|
1247
1512
|
* Parses the response from `POST /acme/{provisioner-name}/new-order`.
|
1248
1513
|
*
|
1249
1514
|
* @param order HTTP response body
|
1250
1515
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
1251
1516
|
*/
|
1252
|
-
newOrderResponse(order: JsonRawData): NewAcmeOrder
|
1517
|
+
newOrderResponse(order: JsonRawData): Promise<NewAcmeOrder>;
|
1253
1518
|
/**
|
1254
1519
|
* Creates a new authorization request.
|
1255
1520
|
*
|
@@ -1258,14 +1523,14 @@ export declare class E2eiEnrollment {
|
|
1258
1523
|
* previous to this method if you are creating the second authorization)
|
1259
1524
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
|
1260
1525
|
*/
|
1261
|
-
newAuthzRequest(url: string, previousNonce: string): JsonRawData
|
1526
|
+
newAuthzRequest(url: string, previousNonce: string): Promise<JsonRawData>;
|
1262
1527
|
/**
|
1263
1528
|
* Parses the response from `POST /acme/{provisioner-name}/authz/{authz-id}`
|
1264
1529
|
*
|
1265
1530
|
* @param authz HTTP response body
|
1266
1531
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
|
1267
1532
|
*/
|
1268
|
-
newAuthzResponse(authz: JsonRawData): NewAcmeAuthz
|
1533
|
+
newAuthzResponse(authz: JsonRawData): Promise<NewAcmeAuthz>;
|
1269
1534
|
/**
|
1270
1535
|
* Generates a new client Dpop JWT token. It demonstrates proof of possession of the nonces
|
1271
1536
|
* (from wire-server & acme server) and will be verified by the acme server when verifying the
|
@@ -1277,7 +1542,7 @@ export declare class E2eiEnrollment {
|
|
1277
1542
|
* @param expirySecs of the client Dpop JWT. This should be equal to the grace period set in Team Management
|
1278
1543
|
* @param backendNonce you get by calling `GET /clients/token/nonce` on wire-server as defined here {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/get_clients__client__nonce}
|
1279
1544
|
*/
|
1280
|
-
createDpopToken(expirySecs: number, backendNonce: string): Uint8Array
|
1545
|
+
createDpopToken(expirySecs: number, backendNonce: string): Promise<Uint8Array>;
|
1281
1546
|
/**
|
1282
1547
|
* Creates a new challenge request for Wire Dpop challenge.
|
1283
1548
|
*
|
@@ -1285,7 +1550,14 @@ export declare class E2eiEnrollment {
|
|
1285
1550
|
* @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
|
1286
1551
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
|
1287
1552
|
*/
|
1288
|
-
newDpopChallengeRequest(accessToken: string, previousNonce: string): JsonRawData
|
1553
|
+
newDpopChallengeRequest(accessToken: string, previousNonce: string): Promise<JsonRawData>;
|
1554
|
+
/**
|
1555
|
+
* Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the DPoP challenge.
|
1556
|
+
*
|
1557
|
+
* @param challenge HTTP response body
|
1558
|
+
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
|
1559
|
+
*/
|
1560
|
+
newDpopChallengeResponse(challenge: JsonRawData): Promise<void>;
|
1289
1561
|
/**
|
1290
1562
|
* Creates a new challenge request for Wire Oidc challenge.
|
1291
1563
|
*
|
@@ -1293,14 +1565,15 @@ export declare class E2eiEnrollment {
|
|
1293
1565
|
* @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
|
1294
1566
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
|
1295
1567
|
*/
|
1296
|
-
newOidcChallengeRequest(idToken: string, previousNonce: string): JsonRawData
|
1568
|
+
newOidcChallengeRequest(idToken: string, previousNonce: string): Promise<JsonRawData>;
|
1297
1569
|
/**
|
1298
|
-
* Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}
|
1570
|
+
* Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the OIDC challenge.
|
1299
1571
|
*
|
1572
|
+
* @param cc the CoreCrypto instance
|
1300
1573
|
* @param challenge HTTP response body
|
1301
1574
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
|
1302
1575
|
*/
|
1303
|
-
|
1576
|
+
newOidcChallengeResponse(challenge: JsonRawData): Promise<void>;
|
1304
1577
|
/**
|
1305
1578
|
* Verifies that the previous challenge has been completed.
|
1306
1579
|
*
|
@@ -1308,7 +1581,7 @@ export declare class E2eiEnrollment {
|
|
1308
1581
|
* @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/challenge/{challenge-id}`
|
1309
1582
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
1310
1583
|
*/
|
1311
|
-
checkOrderRequest(orderUrl: string, previousNonce: string): JsonRawData
|
1584
|
+
checkOrderRequest(orderUrl: string, previousNonce: string): Promise<JsonRawData>;
|
1312
1585
|
/**
|
1313
1586
|
* Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
|
1314
1587
|
*
|
@@ -1316,14 +1589,14 @@ export declare class E2eiEnrollment {
|
|
1316
1589
|
* @return finalize url to use with {@link finalizeRequest}
|
1317
1590
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
1318
1591
|
*/
|
1319
|
-
checkOrderResponse(order: JsonRawData): string
|
1592
|
+
checkOrderResponse(order: JsonRawData): Promise<string>;
|
1320
1593
|
/**
|
1321
1594
|
* Final step before fetching the certificate.
|
1322
1595
|
*
|
1323
1596
|
* @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
|
1324
1597
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
1325
1598
|
*/
|
1326
|
-
finalizeRequest(previousNonce: string): JsonRawData
|
1599
|
+
finalizeRequest(previousNonce: string): Promise<JsonRawData>;
|
1327
1600
|
/**
|
1328
1601
|
* Parses the response from `POST /acme/{provisioner-name}/order/{order-id}/finalize`.
|
1329
1602
|
*
|
@@ -1331,105 +1604,14 @@ export declare class E2eiEnrollment {
|
|
1331
1604
|
* @return the certificate url to use with {@link certificateRequest}
|
1332
1605
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
1333
1606
|
*/
|
1334
|
-
finalizeResponse(finalize: JsonRawData): string
|
1607
|
+
finalizeResponse(finalize: JsonRawData): Promise<string>;
|
1335
1608
|
/**
|
1336
1609
|
* Creates a request for finally fetching the x509 certificate.
|
1337
1610
|
*
|
1338
1611
|
* @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}/finalize`
|
1339
1612
|
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
|
1340
1613
|
*/
|
1341
|
-
certificateRequest(previousNonce: string): JsonRawData
|
1342
|
-
}
|
1343
|
-
/**
|
1344
|
-
* Holds URLs of all the standard ACME endpoint supported on an ACME server.
|
1345
|
-
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
|
1346
|
-
*/
|
1347
|
-
export interface AcmeDirectory {
|
1348
|
-
/**
|
1349
|
-
* URL for fetching a new nonce. Use this only for creating a new account.
|
1350
|
-
*
|
1351
|
-
* @readonly
|
1352
|
-
*/
|
1353
|
-
newNonce: string;
|
1354
|
-
/**
|
1355
|
-
* URL for creating a new account.
|
1356
|
-
*
|
1357
|
-
* @readonly
|
1358
|
-
*/
|
1359
|
-
newAccount: string;
|
1360
|
-
/**
|
1361
|
-
* URL for creating a new order.
|
1362
|
-
*
|
1363
|
-
* @readonly
|
1364
|
-
*/
|
1365
|
-
newOrder: string;
|
1366
|
-
}
|
1367
|
-
/**
|
1368
|
-
* Result of an order creation
|
1369
|
-
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
|
1370
|
-
*/
|
1371
|
-
export interface NewAcmeOrder {
|
1372
|
-
/**
|
1373
|
-
* Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
|
1374
|
-
*
|
1375
|
-
* @readonly
|
1376
|
-
*/
|
1377
|
-
delegate: Uint8Array;
|
1378
|
-
/**
|
1379
|
-
* An authorization for each domain to create
|
1380
|
-
*
|
1381
|
-
* @readonly
|
1382
|
-
*/
|
1383
|
-
authorizations: Uint8Array[];
|
1384
|
-
}
|
1385
|
-
/**
|
1386
|
-
* Result of an authorization creation.
|
1387
|
-
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
|
1388
|
-
*/
|
1389
|
-
export interface NewAcmeAuthz {
|
1390
|
-
/**
|
1391
|
-
* DNS entry associated with those challenge
|
1392
|
-
*
|
1393
|
-
* @readonly
|
1394
|
-
*/
|
1395
|
-
identifier: string;
|
1396
|
-
/**
|
1397
|
-
* Challenge for the clientId
|
1398
|
-
*
|
1399
|
-
* @readonly
|
1400
|
-
*/
|
1401
|
-
wireDpopChallenge?: AcmeChallenge;
|
1402
|
-
/**
|
1403
|
-
* Challenge for the userId and displayName
|
1404
|
-
*
|
1405
|
-
* @readonly
|
1406
|
-
*/
|
1407
|
-
wireOidcChallenge?: AcmeChallenge;
|
1408
|
-
}
|
1409
|
-
/**
|
1410
|
-
* For creating a challenge
|
1411
|
-
* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
|
1412
|
-
*/
|
1413
|
-
export interface AcmeChallenge {
|
1414
|
-
/**
|
1415
|
-
* Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
|
1416
|
-
*
|
1417
|
-
* @readonly
|
1418
|
-
*/
|
1419
|
-
delegate: Uint8Array;
|
1420
|
-
/**
|
1421
|
-
* URL of this challenge
|
1422
|
-
*
|
1423
|
-
* @readonly
|
1424
|
-
*/
|
1425
|
-
url: string;
|
1426
|
-
/**
|
1427
|
-
* Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
|
1428
|
-
* Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
|
1429
|
-
*
|
1430
|
-
* @readonly
|
1431
|
-
*/
|
1432
|
-
target: string;
|
1614
|
+
certificateRequest(previousNonce: string): Promise<JsonRawData>;
|
1433
1615
|
}
|
1434
1616
|
/**
|
1435
1617
|
* Indicates the state of a Conversation regarding end-to-end identity.
|
@@ -1444,9 +1626,9 @@ export declare enum E2eiConversationState {
|
|
1444
1626
|
/**
|
1445
1627
|
* Some clients are either still Basic or their certificate is expired
|
1446
1628
|
*/
|
1447
|
-
|
1629
|
+
NotVerified = 2,
|
1448
1630
|
/**
|
1449
|
-
* All clients are still Basic. If all client have expired certificates,
|
1631
|
+
* All clients are still Basic. If all client have expired certificates, NotVerified is returned.
|
1450
1632
|
*/
|
1451
1633
|
NotEnabled = 3
|
1452
1634
|
}
|