wip
beltram committed Dec 1, 2023
1 parent b1f347a commit a539de8
Showing 5 changed files with 45 additions and 5 deletions.
5 changes: 5 additions & 0 deletions crypto-ffi/src/generic.rs
Expand Up @@ -1818,6 +1818,11 @@ impl E2eiEnrollment {
pub async fn certificate_request(&self, previous_nonce: String) -> CoreCryptoResult<Vec<u8>> {
Ok(self.0.lock().await.certificate_request(previous_nonce)?)
}

/// See [core_crypto::e2e_identity::refresh_token::RefreshToken]
pub async fn get_refresh_token(&self) -> CoreCryptoResult<String> {
Ok(self.0.lock().await.get_refresh_token().map(Into::into)?)
}
}

#[derive(Debug, uniffi::Record)]
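Review bot: `get_refresh_token` in the added lines hands the OIDC refresh token out of the `RefreshToken` wrapper as a plain `String` via `.map(Into::into)`, so the zeroize-on-drop protection the inner type declares (`#[zeroize(drop)]` in refresh_token.rs) does not extend to this copy, nor to whatever the uniffi binding layer does with it afterwards. That is probably unavoidable for an FFI string return, but the doc comment should say so instead of only linking the type: `/// Returns the stored OIDC refresh token as a plain string. It is a bearer secret: callers must not log or persist it.` The enclosing `impl E2eiEnrollment` block starts and ends outside the hunk.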
13 changes: 8 additions & 5 deletions crypto/src/e2e_identity/mod.rs
Expand Up @@ -4,9 +4,8 @@ use wire_e2e_identity::prelude::RustyE2eIdentity;
use error::*;
use mls_crypto_provider::MlsCryptoProvider;

use crate::e2e_identity::refresh_token::RefreshToken;
use crate::{
e2e_identity::crypto::E2eiSignatureKeypair,
e2e_identity::{crypto::E2eiSignatureKeypair, refresh_token::RefreshToken},
mls::credential::x509::CertificatePrivateKey,
prelude::{id::ClientId, identifier::ClientIdentifier, CertificateBundle, MlsCentral, MlsCiphersuite},
CryptoResult,
Expand All @@ -18,7 +17,7 @@ pub(crate) mod device_status;
pub mod enabled;
pub mod error;
pub(crate) mod identity;
mod refresh_token;
pub(crate) mod refresh_token;
pub(crate) mod rotate;
pub(crate) mod stash;
pub mod types;
Expand All @@ -43,6 +42,8 @@ impl MlsCentral {
expiry_days: u32,
ciphersuite: MlsCiphersuite,
) -> CryptoResult<E2eiEnrollment> {
let signature_keypair = None; // fresh install without a Basic client. Supplying None will generate a new keypair
let refresh_token = None; // fresh install so no refresh token registered yet
E2eiEnrollment::try_new(
client_id,
display_name,
Expand All @@ -51,7 +52,8 @@ impl MlsCentral {
expiry_days,
&self.mls_backend,
ciphersuite,
None,
signature_keypair,
refresh_token,
)
}

Expand Down Expand Up @@ -127,6 +129,7 @@ impl E2eiEnrollment {
backend: &MlsCryptoProvider,
ciphersuite: MlsCiphersuite,
sign_keypair: Option<E2eiSignatureKeypair>,
refresh_token: Option<RefreshToken>,
) -> CryptoResult<Self> {
let alg = ciphersuite.try_into()?;
let sign_sk = match sign_keypair {
Expand All @@ -150,7 +153,7 @@ impl E2eiEnrollment {
valid_order: None,
finalize: None,
ciphersuite,
refresh_token: None, // TODO
refresh_token,
})
}

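Review bot: The new `refresh_token: Option<RefreshToken>` parameter on `E2eiEnrollment::try_new` has no documentation, and since it sits next to the other `Option` parameter `sign_keypair` the meaning of a bare `None` at call sites is not obvious (the stash.rs test passes `None, None`). A doc line on the parameter would fix that: `/// * refresh_token - OIDC refresh token restored from a previous enrollment when renewing a certificate; `None` for a first enrollment, which has not done an OIDC authentication yet`. Both `try_new` and the `impl MlsCentral` method that now passes `signature_keypair` and `refresh_token` start and end outside their hunks.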
23 changes: 23 additions & 0 deletions crypto/src/e2e_identity/refresh_token.rs
@@ -1,6 +1,29 @@
use super::E2eiEnrollment;
use crate::prelude::{E2eIdentityError, E2eIdentityResult, MlsCentral};
use crate::CryptoResult;
use zeroize::Zeroize;

/// An OIDC refresh token managed by CoreCrypto to benefir from encryption-at-rest
#[derive(Debug, serde::Serialize, serde::Deserialize, Zeroize, derive_more::From, derive_more::Deref)]
#[zeroize(drop)]
pub struct RefreshToken(String);

impl E2eiEnrollment {
/// Lets clients retrieve the OIDC refresh token to try to renew the user's authorization.
/// If it's expired, the user needs to reauthenticate and they will update the refresh token
/// in [E2eiEnrollment::new_oidc_challenge_request]
pub fn get_refresh_token(&self) -> E2eIdentityResult<&str> {
self.refresh_token
.as_ref()
.map(|rt| rt.as_str())
.ok_or(E2eIdentityError::OutOfOrderEnrollment(
"No OIDC refresh token registered yet",
))
}
}

impl MlsCentral {
pub(crate) fn find_refresh_token(&self) -> CryptoResult<RefreshToken> {
todo!()
}
}
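Review bot: `#[derive(Debug)]` on `RefreshToken(String)` formats the secret token verbatim in any `{:?}` output or error context, which undercuts the `#[zeroize(drop)]` intent on the same struct; a hand-written redacting `Debug` impl keeps the type usable in `Debug`-deriving containers without exposing the value. Separately, `MlsCentral::find_refresh_token` is left as `todo!()` while the renewal path in rotate.rs now calls it with `?`, so certificate renewal would panic rather than return an error until it is implemented; returning an error of the same kind as `get_refresh_token`'s `OutOfOrderEnrollment` (if `CryptoResult` accepts it) would at least fail closed. The doc comment also has a typo, `benefir` → `benefit`.
```rust
#[derive(serde::Serialize, serde::Deserialize, Zeroize, derive_more::From, derive_more::Deref)]
#[zeroize(drop)]
pub struct RefreshToken(String);

/// Redacted on purpose: the token is a bearer secret and must not reach logs or error messages.
impl std::fmt::Debug for RefreshToken {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.write_str("RefreshToken(<redacted>)")
    }
}
// … unchanged: impl E2eiEnrollment / impl MlsCentral …
```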
8 changes: 8 additions & 0 deletions crypto/src/e2e_identity/rotate.rs
Expand Up @@ -83,6 +83,7 @@ impl MlsCentral {

let sign_keypair = Some(cb.signature_key.clone().try_into()?);

let refresh_token = None; // no x509 credential yet at this point so no OIDC authn yet so no refresh token to restore
E2eiEnrollment::try_new(
client_id,
display_name,
Expand All @@ -92,6 +93,7 @@ impl MlsCentral {
&self.mls_backend,
ciphersuite,
sign_keypair,
refresh_token,
)
}

Expand Down Expand Up @@ -124,6 +126,11 @@ impl MlsCentral {
let display_name = display_name.unwrap_or(existing_identity.display_name);
let handle = handle.unwrap_or(existing_identity.handle);

// Since we are renewing an e2ei certificate we MUST have already generated one hence we MUST
// already have done an OIDC authn and gotten a refresh token from it we also MUST have stored
// in CoreCrypto
let refresh_token = self.find_refresh_token()?;

E2eiEnrollment::try_new(
client_id,
display_name,
Expand All @@ -133,6 +140,7 @@ impl MlsCentral {
&self.mls_backend,
ciphersuite,
sign_keypair,
Some(refresh_token),
)
}

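Review bot: The three-line comment above `let refresh_token = self.find_refresh_token()?;` in the renewal hunk reads as a run-on and states an invariant in prose that the code does not check itself; a shorter comment that names what the call relies on is clearer: `// Renewing an e2ei certificate implies a prior OIDC authentication, whose refresh token CoreCrypto stored; restore it here (find_refresh_token errors if it is missing).` The first hunk's `let refresh_token = None;` with its explanatory comment is a good pattern and matches the style used in mod.rs. Both `impl MlsCentral` methods touched here start and end outside their hunks.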
1 change: 1 addition & 0 deletions crypto/src/e2e_identity/stash.rs
Expand Up @@ -129,6 +129,7 @@ pub mod tests {
&backend,
e.ciphersuite,
None,
None,
)
.unwrap();
(enrollment, cc)
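Review bot: The two adjacent bare `None` arguments in the test call to `try_new` are indistinguishable to a reader, and the rest of this commit names them at every production call site (`signature_keypair`/`refresh_token` in mod.rs, `sign_keypair`/`refresh_token` in rotate.rs). Annotating them keeps the test readable when the signature grows again: `None, // sign_keypair` and `None, // refresh_token`. The enclosing test helper starts outside the hunk.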
