npm - @wireapp/core-crypto - Versions diffs - 1.0.0-rc.8 → 1.0.0 - Mend

@wireapp/core-crypto 1.0.0-rc.8 → 1.0.0

Files changed (6) hide show

package/README.md +148 -34
package/package.json +13 -32
package/platforms/web/core-crypto-ffi_bg.wasm +0 -0
package/platforms/web/corecrypto.d.ts +367 -185
package/platforms/web/corecrypto.js +3301 -5118
package/platforms/web/assets/core_crypto_ffi-ded089fb.wasm +0 -0

package/platforms/web/corecrypto.d.ts CHANGED Viewed

@@ -1,3 +1,74 @@
+/**
+* For creating a challenge.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+*/
+export class AcmeChallenge {
+	free(): void;
+	/**
+	* Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+	/**
+	* Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
+	* Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
+	*/
+	readonly target: string;
+	/**
+	* URL of this challenge
+	*/
+	readonly url: string;
+}
+/**
+* Dump of the PKI environemnt as PEM
+*/
+export class E2eiDumpedPkiEnv {
+	free(): void;
+	/**
+	* CRLs registered in the PKI env
+	*/
+	readonly crls: (string)[];
+	/**
+	* Intermediate CAs that are loaded
+	*/
+	readonly intermediates: (string)[];
+	/**
+	* Root CA in use (i.e. Trust Anchor)
+	*/
+	readonly root_ca: string;
+}
+/**
+* Result of an authorization creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
+*/
+export class NewAcmeAuthz {
+	free(): void;
+	/**
+	* Associated ACME Challenge
+	*/
+	readonly challenge: AcmeChallenge;
+	/**
+	* DNS entry associated with those challenge
+	*/
+	readonly identifier: string;
+	/**
+	* ACME challenge + ACME key thumbprint
+	*/
+	readonly keyauth: string | undefined;
+}
+/**
+* Result of an order creation.
+* @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
+*/
+export class NewAcmeOrder {
+	free(): void;
+	/**
+	*/
+	readonly authorizations: (Uint8Array)[];
+	/**
+	* Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
+	*/
+	readonly delegate: Uint8Array;
+}
 /**
  * Error wrapper that takes care of extracting rich error details across the FFI (through JSON parsing)
  *
@@ -47,11 +118,7 @@ export declare enum Ciphersuite {
 	/**
 	 * DH KEM P384 | AES-GCM 256 | SHA2-384 | EcDSA P384
 	 */
-	MLS_256_DHKEMP384_AES256GCM_SHA384_P384 = 7,
-	/**
-	 *  x25519Kyber768Draft00 Hybrid KEM | AES-GCM 128 | SHA2-256 | Ed25519
-	 */
-	MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519 = 61489
+	MLS_256_DHKEMP384_AES256GCM_SHA384_P384 = 7
 }
 export declare enum CredentialType {
 	/**
@@ -79,24 +146,6 @@ export interface ConversationConfiguration {
 	 * Implementation specific configuration
 	 */
 	custom?: CustomConfiguration;
-	/**
-	 * Trust anchors to be added in the group's context extensions
-	 */
-	perDomainTrustAnchors?: PerDomainTrustAnchor[];
-}
-/**
- * A wrapper containing the configuration for trust anchors to be added in the group's context
- * extensions
- */
-export interface PerDomainTrustAnchor {
-	/**
-	 * Domain name of the owning backend this anchor refers to. One of the certificate in the chain has to have this domain in its SANs
-	 */
-	domain_name: string;
-	/**
-	 * PEM encoded (partial) certificate chain. This contains the certificate chain for the CA certificate issuing the E2E Identity certificates
-	 */
-	intermediate_certificate_chain: string;
 }
 /**
  * see [core_crypto::prelude::MlsWirePolicy]
@@ -179,6 +228,10 @@ export interface MemberAddedMessages {
 	 * @readonly
 	 */
 	groupInfo: GroupInfoBundle;
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * Data shape for a MLS generic commit + optional bundle (aka stapled commit & welcome)
@@ -275,6 +328,10 @@ export interface RotateBundle {
 	 * @readonly
 	 */
 	keyPackageRefsToRemove: Uint8Array[];
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * Params for CoreCrypto deferred initialization
@@ -290,10 +347,6 @@ export interface CoreCryptoDeferredParams {
 	 * This should be appropriately stored in a secure location (i.e. WebCrypto private key storage)
 	 */
 	key: string;
-	/**
-	 * All the ciphersuites this MLS client can support
-	 */
-	ciphersuites: Ciphersuite[];
 	/**
 	 * External PRNG entropy pool seed.
 	 * This **must** be exactly 32 bytes
@@ -314,19 +367,14 @@ export interface CoreCryptoParams extends CoreCryptoDeferredParams {
 	 * This should stay consistent as it will be verified against the stored signature & identity to validate the persisted credential
 	 */
 	clientId: ClientId;
-}
-/**
- * Data shape for adding clients to a conversation
- */
-export interface Invitee {
 	/**
-	 * Client ID as a byte array
+	 * All the ciphersuites this MLS client can support
 	 */
-	id: ClientId;
+	ciphersuites: Ciphersuite[];
 	/**
-	 * MLS KeyPackage belonging to the aforementioned client
+	 * Number of initial KeyPackage to create when initializing the client
 	 */
-	kp: Uint8Array;
+	nbKeyPackage?: number;
 }
 export interface ConversationInitBundle {
 	/**
@@ -348,6 +396,27 @@ export interface ConversationInitBundle {
 	 * @readonly
 	 */
 	groupInfo: GroupInfoBundle;
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
+}
+/**
+ *  Supporting struct for CRL registration result
+ */
+export interface CRLRegistration {
+	/**
+	 * Whether this CRL modifies the old CRL (i.e. has a different revocated cert list)
+	 *
+	 * @readonly
+	 */
+	dirty: boolean;
+	/**
+	 * Optional expiration timestamp
+	 *
+	 * @readonly
+	 */
+	expiration?: number;
 }
 /**
  * This is a wrapper for all the possible outcomes you can get after decrypting a message
@@ -392,6 +461,10 @@ export interface DecryptedMessage {
 	 * because the DS did not fan them out in order.
 	 */
 	bufferedMessages?: BufferedDecryptedMessage[];
+	/**
+	 * New CRL distribution points that appeared by the introduction of a new credential
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * Almost same as {@link DecryptedMessage} but avoids recursion
@@ -425,17 +498,43 @@ export interface BufferedDecryptedMessage {
 	 * see {@link DecryptedMessage.identity}
 	 */
 	identity?: WireIdentity;
+	/**
+	 * see {@link DecryptedMessage.crlNewDistributionPoints}
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
- * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+ * Represents the identity claims identifying a client
+ * Those claims are verifiable by any member in the group
  */
 export interface WireIdentity {
 	/**
-	 * Represents the identity claims identifying a client. Those claims are verifiable by any member in the group
+	 * Unique client identifier
 	 */
 	clientId: string;
 	/**
-	 * user handle e.g. `john_wire`
+	 * Status of the Credential at the moment T when this object is created
+	 */
+	status: DeviceStatus;
+	/**
+	 * MLS thumbprint
+	 */
+	thumbprint: string;
+	/**
+	 * Indicates whether the credential is Basic or X509
+	 */
+	credentialType: CredentialType;
+	/**
+	 * In case {@link credentialType} is {@link CredentialType.X509} this is populated
+	 */
+	x509Identity?: X509Identity;
+}
+/**
+ * Represents the parts of {@link WireIdentity} that are specific to a X509 certificate (and not a Basic one).
+ */
+export interface X509Identity {
+	/**
+	 * User handle e.g. `john_wire`
 	 */
 	handle: string;
 	/**
@@ -446,6 +545,58 @@ export interface WireIdentity {
 	 * DNS domain for which this identity proof was generated e.g. `whitehouse.gov`
 	 */
 	domain: string;
+	/**
+	 * X509 certificate identifying this client in the MLS group ; PEM encoded
+	 */
+	certificate: string;
+	/**
+	 * X509 certificate serial number
+	 */
+	serialNumber: string;
+	/**
+	 * X509 certificate not before as Unix timestamp
+	 */
+	notBefore: bigint;
+	/**
+	 * X509 certificate not after as Unix timestamp
+	 */
+	notAfter: bigint;
+}
+export interface AcmeDirectory {
+	/**
+	 * URL for fetching a new nonce. Use this only for creating a new account.
+	 */
+	newNonce: string;
+	/**
+	 * URL for creating a new account.
+	 */
+	newAccount: string;
+	/**
+	 * URL for creating a new order.
+	 */
+	newOrder: string;
+	/**
+	 * Revocation URL
+	 */
+	revokeCert: string;
+}
+/**
+ * Indicates the standalone status of a device Credential in a MLS group at a moment T.
+ * This does not represent the states where a device is not using MLS or is not using end-to-end identity
+ */
+export declare enum DeviceStatus {
+	/**
+	 * All is fine
+	 */
+	Valid = 1,
+	/**
+	 * The Credential's certificate is expired
+	 */
+	Expired = 2,
+	/**
+	 * The Credential's certificate is revoked
+	 */
+	Revoked = 3
 }
 /**
  * Returned by all methods creating proposals. Contains a proposal message and an identifier to roll back the proposal
@@ -463,6 +614,26 @@ export interface ProposalBundle {
 	 * @readonly
 	 */
 	proposalRef: ProposalRef;
+	/**
+	 *  New CRL Distribution of members of this group
+	 *
+	 * @readonly
+	 */
+	crlNewDistributionPoints?: string[];
+}
+export interface WelcomeBundle {
+	/**
+	 * Conversation ID
+	 *
+	 * @readonly
+	 */
+	id: Uint8Array;
+	/**
+	 *  New CRL Distribution of members of this group
+	 *
+	 * @readonly
+	 */
+	crlNewDistributionPoints?: string[];
 }
 /**
  * MLS Proposal type
@@ -574,11 +745,43 @@ export interface CoreCryptoCallbacks {
 	 */
 	clientIsExistingGroupUser: (conversationId: Uint8Array, clientId: Uint8Array, existingClients: Uint8Array[], parent_conversation_clients?: Uint8Array[]) => Promise<boolean>;
 }
+/**
+ * An interface to register a logger in CoreCrypto
+ **/
+export interface CoreCryptoLogger {
+	/**
+	 * This method will be called by Core Crypto to log messages. It is up to the implementer to decide how to handle the message and where to actually log it.
+	 * @param level - the level of the logged message. it will also be present in the json message
+	 * @param json_msg - message to log in json format
+	 **/
+	log: (level: CoreCryptoLogLevel, json_msg: string) => void;
+}
+/**
+ * Defines the maximum log level for the logs from Core Crypto
+ **/
+export declare enum CoreCryptoLogLevel {
+	Off = 1,
+	Trace = 2,
+	Debug = 3,
+	Info = 4,
+	Warn = 5,
+	Error = 6
+}
+/**
+ * Initializes the global logger for Core Crypto and registers the callback. Can be called only once
+ * @param logger - the interface to be called when something is going to be logged
+ * @param level - the max level that should be logged
+ **/
+export declare function initLogger(logger: CoreCryptoLogger, level: CoreCryptoLogLevel, ctx?: any): void;
 /**
  * Wrapper for the WASM-compiled version of CoreCrypto
  */
 export declare class CoreCrypto {
 	#private;
+	/**
+	 * Should only be used internally
+	 */
+	inner(): unknown;
 	/**
 	 * This is your entrypoint to initialize {@link CoreCrypto}!
 	 *
@@ -612,7 +815,7 @@ export declare class CoreCrypto {
 	 * });
 	 * ````
 	 */
-	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed }: CoreCryptoParams): Promise<CoreCrypto>;
+	static init({ databaseName, key, clientId, wasmFilePath, ciphersuites, entropySeed, nbKeyPackage, }: CoreCryptoParams): Promise<CoreCrypto>;
 	/**
 	 * Almost identical to {@link CoreCrypto.init} but allows a 2 phase initialization of MLS.
 	 * First, calling this will set up the keystore and will allow generating proteus prekeys.
@@ -620,14 +823,15 @@ export declare class CoreCrypto {
 	 * Use this clientId to initialize MLS with {@link CoreCrypto.mlsInit}.
 	 * @param params - {@link CoreCryptoDeferredParams}
 	 */
-	static deferredInit({ databaseName, key, ciphersuites, entropySeed, wasmFilePath }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
+	static deferredInit({ databaseName, key, entropySeed, wasmFilePath, }: CoreCryptoDeferredParams): Promise<CoreCrypto>;
 	/**
 	 * Use this after {@link CoreCrypto.deferredInit} when you have a clientId. It initializes MLS.
 	 *
 	 * @param clientId - {@link CoreCryptoParams#clientId} but required
 	 * @param ciphersuites - All the ciphersuites supported by this MLS client
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
 	 */
-	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[]): Promise<void>;
+	mlsInit(clientId: ClientId, ciphersuites: Ciphersuite[], nbKeyPackage?: number): Promise<void>;
 	/**
 	 * Generates a MLS KeyPair/CredentialBundle with a temporary, random client ID.
 	 * This method is designed to be used in conjunction with {@link CoreCrypto.mlsInitWithClientId} and represents the first step in this process
@@ -711,6 +915,12 @@ export declare class CoreCrypto {
 	 * ```
 	 */
 	conversationEpoch(conversationId: ConversationId): Promise<number>;
+	/**
+	 * Returns the ciphersuite of a conversation
+	 *
+	 * @returns the ciphersuite of the conversation
+	 */
+	conversationCiphersuite(conversationId: ConversationId): Promise<Ciphersuite>;
 	/**
 	 * Wipes and destroys the local storage of a given conversation / MLS group
 	 *
@@ -752,22 +962,6 @@ export declare class CoreCrypto {
 	 * @returns The encrypted payload for the given group. This needs to be fanned out to the other members of the group.
 	 */
 	encryptMessage(conversationId: ConversationId, message: Uint8Array): Promise<Uint8Array>;
-	/**
-	 * Updates the trust anchors for a conversation. This should be called when a federated event happens (new team added/removed).
-	 * Clients should add and/or remove trust anchors from the new backend to the conversation. The method will check
-	 * for duplicated domains and the validity of the certificate chain.
-	 *
-	 * **CAUTION**: {@link CoreCrypto.commitAccepted} **HAS TO** be called afterwards **ONLY IF** the Delivery Service responds
-	 * '200 OK' to the {@link CommitBundle} upload. It will "merge" the commit locally i.e. increment the local group
-	 * epoch, use new encryption secrets etc...
-	 *
-	 * @param conversationId - The ID of the conversation
-	 * @param removeDomainNames - Domains to remove from the trust anchors
-	 * @param addTrustAnchors - New trust anchors to add to the conversation
-	 *
-	 * @returns A {@link CommitBundle}
-	 */
-	updateTrustAnchorsFromConversation(conversationId: ConversationId, removeDomainNames: string[], addTrustAnchors: PerDomainTrustAnchor[]): Promise<CommitBundle>;
 	/**
 	 * Ingest a TLS-serialized MLS welcome message to join an existing MLS group
 	 *
@@ -779,14 +973,15 @@ export declare class CoreCrypto {
 	 * @param configuration - configuration of the MLS group
 	 * @returns The conversation ID of the newly joined group. You can use the same ID to decrypt/encrypt messages
 	 */
-	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<ConversationId>;
+	processWelcomeMessage(welcomeMessage: Uint8Array, configuration?: CustomConfiguration): Promise<WelcomeBundle>;
 	/**
 	 * Get the client's public signature key. To upload to the DS for further backend side validation
 	 *
 	 * @param ciphersuite - of the signature key to get
+	 * @param credentialType - of the public key to look for
 	 * @returns the client's public signature key
 	 */
-	clientPublicKey(ciphersuite: Ciphersuite): Promise<Uint8Array>;
+	clientPublicKey(ciphersuite: Ciphersuite, credentialType: CredentialType): Promise<Uint8Array>;
 	/**
 	 *
 	 * @param ciphersuite - of the KeyPackages to count
@@ -818,11 +1013,11 @@ export declare class CoreCrypto {
 	 * epoch, use new encryption secrets etc...
 	 *
 	 * @param conversationId - The ID of the conversation
-	 * @param clients - Array of {@link Invitee} (which are Client ID / KeyPackage pairs)
+	 * @param keyPackages - KeyPackages of the new clients to add
 	 *
 	 * @returns A {@link CommitBundle}
 	 */
-	addClientsToConversation(conversationId: ConversationId, clients: Invitee[]): Promise<MemberAddedMessages>;
+	addClientsToConversation(conversationId: ConversationId, keyPackages: Uint8Array[]): Promise<MemberAddedMessages>;
 	/**
 	 * Removes the provided clients from a conversation; Assuming those clients exist and the current client is allowed
 	 * to do so, otherwise this operation does nothing.
@@ -946,6 +1141,15 @@ export declare class CoreCrypto {
 	 * @returns A `Uint8Array` representing the derived key
 	 */
 	exportSecretKey(conversationId: ConversationId, keyLength: number): Promise<Uint8Array>;
+	/**
+	 * Returns the raw public key of the single external sender present in this group.
+	 * This should be used to initialize a subconversation
+	 *
+	 * @param conversationId - The group's ID
+	 *
+	 * @returns A `Uint8Array` representing the external sender raw public key
+	 */
+	getExternalSender(conversationId: ConversationId): Promise<Uint8Array>;
 	/**
 	 * Returns all clients from group's members
 	 *
@@ -1103,49 +1307,91 @@ export declare class CoreCrypto {
 	 * Creates an enrollment instance with private key material you can use in order to fetch
 	 * a new x509 certificate from the acme server.
 	 *
-	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
 	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays - generated x509 certificate expiry
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
+	 * @param team - name of the Wire team a user belongs to
 	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiMlsInitOnly}
 	 */
-	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<E2eiEnrollment>;
+	e2eiNewEnrollment(clientId: string, displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
 	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
-	 * @param expiryDays - generated x509 certificate expiry
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
+	 * @param team - name of the Wire team a user belongs to
 	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite): Promise<E2eiEnrollment>;
+	e2eiNewActivationEnrollment(displayName: string, handle: string, expirySec: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
 	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `NDUyMGUyMmY2YjA3NGU3NjkyZjE1NjJjZTAwMmQ2NTQ:6add501bacd1d90e@example.com`
-	 * @param expiryDays - generated x509 certificate expiry
+	 * @param expirySec - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
 	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
+	 * @param team - name of the Wire team a user belongs to
 	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string): Promise<E2eiEnrollment>;
+	e2eiNewRotateEnrollment(expirySec: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
 	 * that means he cannot initialize with a Basic credential
 	 *
 	 * @param enrollment - the enrollment instance used to fetch the certificates
 	 * @param certificateChain - the raw response from ACME server
+	 * @param nbKeyPackage - number of initial KeyPackage to create when initializing the client
 	 * @returns a MlsClient initialized with only a x509 credential
 	 */
-	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string): Promise<void>;
+	e2eiMlsInitOnly(enrollment: E2eiEnrollment, certificateChain: string, nbKeyPackage?: number): Promise<string[] | undefined>;
+	/**
+	 * Dumps the PKI environment as PEM
+	 *
+	 * @returns a struct with different fields representing the PKI environment as PEM strings
+	 */
+	e2eiDumpPKIEnv(): Promise<E2eiDumpedPkiEnv | undefined>;
+	/**
+	 * @returns whether the E2EI PKI environment is setup (i.e. Root CA, Intermediates, CRLs)
+	 */
+	e2eiIsPKIEnvSetup(): Promise<boolean>;
+	/**
+	 * Registers a Root Trust Anchor CA for the use in E2EI processing.
+	 *
+	 * Please note that without a Root Trust Anchor, all validations *will* fail;
+	 * So this is the first step to perform after initializing your E2EI client
+	 *
+	 * @param trustAnchorPEM - PEM certificate to anchor as a Trust Root
+	 */
+	e2eiRegisterAcmeCA(trustAnchorPEM: string): Promise<void>;
+	/**
+	 * Registers an Intermediate CA for the use in E2EI processing.
+	 *
+	 * Please note that a Root Trust Anchor CA is needed to validate Intermediate CAs;
+	 * You **need** to have a Root CA registered before calling this
+	 *
+	 * @param certPEM - PEM certificate to register as an Intermediate CA
+	 */
+	e2eiRegisterIntermediateCA(certPEM: string): Promise<string[] | undefined>;
+	/**
+	 * Registers a CRL for the use in E2EI processing.
+	 *
+	 * Please note that a Root Trust Anchor CA is needed to validate CRLs;
+	 * You **need** to have a Root CA registered before calling this
+	 *
+	 * @param crlDP - CRL Distribution Point; Basically the URL you fetched it from
+	 * @param crlDER - DER representation of the CRL
+	 *
+	 * @returns a {@link CRLRegistration} with the dirty state of the new CRL (see struct) and its expiration timestamp
+	 */
+	e2eiRegisterCRL(crlDP: string, crlDER: Uint8Array): Promise<CRLRegistration>;
 	/**
 	 * Creates a commit in all local conversations for changing the credential. Requires first
 	 * having enrolled a new X509 certificate with either {@link CoreCrypto.e2eiNewActivationEnrollment}
@@ -1173,7 +1419,7 @@ export declare class CoreCrypto {
 	 */
 	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
 	/**
-	 * Indicates when to mark a conversation as degraded i.e. when not all its members have a X509.
+	 * Indicates when to mark a conversation as not verified i.e. when not all its members have a X509.
 	 * Credential generated by Wire's end-to-end identity enrollment
 	 *
 	 * @param conversationId The group's ID
@@ -1192,10 +1438,29 @@ export declare class CoreCrypto {
 	 * Certificate Credential (after turning on end-to-end identity).
 	 *
 	 * @param conversationId - identifier of the conversation
-	 * @param clientIds - identifiers of the user
+	 * @param deviceIds - identifiers of the devices
 	 * @returns identities or if no member has a x509 certificate, it will return an empty List
 	 */
-	getUserIdentities(conversationId: ConversationId, clientIds: ClientId[]): Promise<WireIdentity[]>;
+	getDeviceIdentities(conversationId: ConversationId, deviceIds: ClientId[]): Promise<WireIdentity[]>;
+	/**
+	 * From a given conversation, get the identity of the users (device holders) supplied.
+	 * Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
+	 * If no member has a x509 certificate, it will return an empty Vec.
+	 *
+	 * @param conversationId - identifier of the conversation
+	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
+	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
+	 */
+	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
+	/**
+	 * Gets the e2ei conversation state from a `GroupInfo`. Useful to check if the group has e2ei
+	 * turned on or not before joining it.
+	 *
+	 * @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
+	 * @param credentialType - kind of Credential to check usage of. Defaults to X509 for now as no other value will give any result.
+	 * @returns see {@link E2eiConversationState}
+	 */
+	getCredentialInUse(groupInfo: Uint8Array, credentialType?: CredentialType): Promise<E2eiConversationState>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -1221,7 +1486,7 @@ export declare class E2eiEnrollment {
 	 * @param directory HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
 	 */
-	directoryResponse(directory: JsonRawData): AcmeDirectory;
+	directoryResponse(directory: JsonRawData): Promise<AcmeDirectory>;
 	/**
 	 * For creating a new acme account. This returns a signed JWS-alike request body to send to
 	 * `POST /acme/{provisioner-name}/new-account`.
@@ -1229,27 +1494,27 @@ export declare class E2eiEnrollment {
 	 * @param previousNonce you got from calling `HEAD {@link AcmeDirectory.newNonce}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	newAccountRequest(previousNonce: string): JsonRawData;
+	newAccountRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-account`.
 	 * @param account HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	newAccountResponse(account: JsonRawData): void;
+	newAccountResponse(account: JsonRawData): Promise<void>;
 	/**
 	 * Creates a new acme order for the handle (userId + display name) and the clientId.
 	 *
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderRequest(previousNonce: string): JsonRawData;
+	newOrderRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-order`.
 	 *
 	 * @param order HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderResponse(order: JsonRawData): NewAcmeOrder;
+	newOrderResponse(order: JsonRawData): Promise<NewAcmeOrder>;
 	/**
 	 * Creates a new authorization request.
 	 *
@@ -1258,14 +1523,14 @@ export declare class E2eiEnrollment {
 	 * previous to this method if you are creating the second authorization)
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	newAuthzRequest(url: string, previousNonce: string): JsonRawData;
+	newAuthzRequest(url: string, previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 *
 	 * @param authz HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	newAuthzResponse(authz: JsonRawData): NewAcmeAuthz;
+	newAuthzResponse(authz: JsonRawData): Promise<NewAcmeAuthz>;
 	/**
 	 * Generates a new client Dpop JWT token. It demonstrates proof of possession of the nonces
 	 * (from wire-server & acme server) and will be verified by the acme server when verifying the
@@ -1277,7 +1542,7 @@ export declare class E2eiEnrollment {
 	 * @param expirySecs of the client Dpop JWT. This should be equal to the grace period set in Team Management
 	 * @param backendNonce you get by calling `GET /clients/token/nonce` on wire-server as defined here {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/get_clients__client__nonce}
 	 */
-	createDpopToken(expirySecs: number, backendNonce: string): Uint8Array;
+	createDpopToken(expirySecs: number, backendNonce: string): Promise<Uint8Array>;
 	/**
 	 * Creates a new challenge request for Wire Dpop challenge.
 	 *
@@ -1285,7 +1550,14 @@ export declare class E2eiEnrollment {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newDpopChallengeRequest(accessToken: string, previousNonce: string): JsonRawData;
+	newDpopChallengeRequest(accessToken: string, previousNonce: string): Promise<JsonRawData>;
+	/**
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the DPoP challenge.
+	 *
+	 * @param challenge HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+	 */
+	newDpopChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
 	 * Creates a new challenge request for Wire Oidc challenge.
 	 *
@@ -1293,14 +1565,15 @@ export declare class E2eiEnrollment {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newOidcChallengeRequest(idToken: string, previousNonce: string): JsonRawData;
+	newOidcChallengeRequest(idToken: string, previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}`.
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the OIDC challenge.
 	 *
+	 * @param cc the CoreCrypto instance
 	 * @param challenge HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newChallengeResponse(challenge: JsonRawData): void;
+	newOidcChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
 	 * Verifies that the previous challenge has been completed.
 	 *
@@ -1308,7 +1581,7 @@ export declare class E2eiEnrollment {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/challenge/{challenge-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	checkOrderRequest(orderUrl: string, previousNonce: string): JsonRawData;
+	checkOrderRequest(orderUrl: string, previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
 	 *
@@ -1316,14 +1589,14 @@ export declare class E2eiEnrollment {
 	 * @return finalize url to use with {@link finalizeRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	checkOrderResponse(order: JsonRawData): string;
+	checkOrderResponse(order: JsonRawData): Promise<string>;
 	/**
 	 * Final step before fetching the certificate.
 	 *
 	 * @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeRequest(previousNonce: string): JsonRawData;
+	finalizeRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}/finalize`.
 	 *
@@ -1331,105 +1604,14 @@ export declare class E2eiEnrollment {
 	 * @return the certificate url to use with {@link certificateRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeResponse(finalize: JsonRawData): string;
+	finalizeResponse(finalize: JsonRawData): Promise<string>;
 	/**
 	 * Creates a request for finally fetching the x509 certificate.
 	 *
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}/finalize`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
 	 */
-	certificateRequest(previousNonce: string): JsonRawData;
-}
-/**
- * Holds URLs of all the standard ACME endpoint supported on an ACME server.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
- */
-export interface AcmeDirectory {
-	/**
-	 * URL for fetching a new nonce. Use this only for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newNonce: string;
-	/**
-	 * URL for creating a new account.
-	 *
-	 * @readonly
-	 */
-	newAccount: string;
-	/**
-	 * URL for creating a new order.
-	 *
-	 * @readonly
-	 */
-	newOrder: string;
-}
-/**
- * Result of an order creation
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
- */
-export interface NewAcmeOrder {
-	/**
-	 * Contains raw JSON data of this order. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
-	 */
-	delegate: Uint8Array;
-	/**
-	 * An authorization for each domain to create
-	 *
-	 * @readonly
-	 */
-	authorizations: Uint8Array[];
-}
-/**
- * Result of an authorization creation.
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
- */
-export interface NewAcmeAuthz {
-	/**
-	 * DNS entry associated with those challenge
-	 *
-	 * @readonly
-	 */
-	identifier: string;
-	/**
-	 * Challenge for the clientId
-	 *
-	 * @readonly
-	 */
-	wireDpopChallenge?: AcmeChallenge;
-	/**
-	 * Challenge for the userId and displayName
-	 *
-	 * @readonly
-	 */
-	wireOidcChallenge?: AcmeChallenge;
-}
-/**
- * For creating a challenge
- * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
- */
-export interface AcmeChallenge {
-	/**
-	 * Contains raw JSON data of this challenge. This is parsed by the underlying Rust library hence should not be accessed
-	 *
-	 * @readonly
-	 */
-	delegate: Uint8Array;
-	/**
-	 * URL of this challenge
-	 *
-	 * @readonly
-	 */
-	url: string;
-	/**
-	 * Non-standard, Wire specific claim. Indicates the consumer from where it should get the challenge proof.
-	 * Either from wire-server "/access-token" endpoint in case of a DPoP challenge, or from an OAuth token endpoint for an OIDC challenge
-	 *
-	 * @readonly
-	 */
-	target: string;
+	certificateRequest(previousNonce: string): Promise<JsonRawData>;
 }
 /**
  * Indicates the state of a Conversation regarding end-to-end identity.
@@ -1444,9 +1626,9 @@ export declare enum E2eiConversationState {
 	/**
 	 * Some clients are either still Basic or their certificate is expired
 	 */
-	Degraded = 2,
+	NotVerified = 2,
 	/**
-	 * All clients are still Basic. If all client have expired certificates, Degraded is returned.
+	 * All clients are still Basic. If all client have expired certificates, NotVerified is returned.
 	 */
 	NotEnabled = 3
 }