From 3e3fc7acc3d36adb8e87029cd1156966e7eb93a5 Mon Sep 17 00:00:00 2001 From: Mathieu Amiot Date: Tue, 20 Feb 2024 11:27:24 +0100 Subject: [PATCH] build: Release v1.0.0-rc.39 --- CHANGELOG.md | 821 ++++++++++++++++++++++---- CHANGELOG.tpl | 12 +- crypto-attributes/Cargo.toml | 2 +- crypto-ffi/Cargo.toml | 6 +- crypto-ffi/bindings/gradle.properties | 2 +- crypto/Cargo.toml | 12 +- interop/Cargo.toml | 2 +- keystore-dump/Cargo.toml | 2 +- keystore/Cargo.toml | 2 +- mls-provider/Cargo.toml | 6 +- package.json | 2 +- 11 files changed, 721 insertions(+), 148 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f81caa8e74..4d9ff6696c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,36 @@ Platform support legends: * Note: the papercuts will majorly be with the build process. Things might be very rough to integrate as no polish at all has been given yet. * ❌ = tier 3 support. It doesn't work just yet, but we plan to make it work. +## [1.0.0-rc.39] - 2024-02-20 + +
+ git-conventional changelog + +### Bug Fixes + +- Harden x509 validation & revocation checks + +### Documentation + +- Update all doc warnings including a lot of broken links + +### Features + +- Add display name in dpop token + +### Miscellaneous Tasks + +- Fix some clippy lints + +### Testing + +- Verify that registering a TA twice fails + +
+ +* Integrated the display name in the JWT DPoP token +* Reworked and hardened all x.509 verifications (including revocation) + ## [1.0.0-rc.38] - 2024-02-16
@@ -185,171 +215,698 @@ Platform support legends: ### Bug Fixes -- Use 2 acme authorizations instead of 1 - -
+- Use 2 acme authorizations instead of 1 + + + +* fix(e2ei): use 2 ACME authorizations instead of 1 + +## [1.0.0-rc.30] - 2024-01-16 + +
+ git-conventional changelog + +### Bug Fixes + +- Wrong rusty-jwt-tools pinned in rc30 + +### Features + +- [**breaking**] Expose keyauth in ACME authz + + +### Bug Fixes + +- Pin rusty-jwt-tools v0.8.4 fixing an issue with the wrong signature key being used for the client DPoP token + + +### Bug Fixes + +- Actually fix keyauth issue + + +### Bug Fixes + +- Use rusty-jwt-tools v0.8.1 which fixes the keyauth issue + + +### Bug Fixes + +- Previous fix was not compiling + + +### Bug Fixes + +- E2ei keystore method 'find_all' was unimplemented on WASM for intermediate CAs & CRLs + + +### Bug Fixes + +- Pin e2ei package tag +- Add PKI API to bindings + +### Features + +- Added support for PKI environment +- Change ClientId & Handle format to URIs + + +### Bug Fixes + +- Null pointer in Javascript when calling 'new_oidc_challenge_response' +- Swift wrapper for E2eiEnrollment was not used in other methods +- Use 'implementation' Gradle configuration not to enforce dependencies version into consumers. Fixes #451 + +### Features + +- [**breaking**] Remove PerDomainTrustAnchor extension altogether. Backward incompatible changes ! 
+ + +### Bug Fixes + +- README mentions a task which doesn't exist ([#445](https://github.com/wireapp/core-crypto/issues/445)) +- Remove unnecessary boxing of values before persisting them in IndexedDb + +### Features + +- [**breaking**] Remove 'clientId' from activation & rotate enrollment now that we expect a specific ClientId format +- [**breaking**] Add `get_credential_in_use()` to check the e2ei state from a GroupInfo +- [**breaking**] Rename `E2eiConversationState::Degraded` in to `E2eiConversationState::NotVerified` +- [**breaking**] Managed OIDC refreshToken (wpb-5012) + +### Miscellaneous Tasks + +- Remove unused 'MlsSignatureKeyPairExt' trait and 'get_indexed' method +- Streamline "collection" in wasm storage +- WasmEncryptedStorage::get_many was not used + +### Testing + +- Verify that clients can create conversation with x509 credentials + + +### Features + +- [**breaking**] Canonicalize ClientId keeping only the regular version where the UserId portion is the hyphenated string representation of the UUID. Also apply this to 'getUserIdentities()' + + +### Features + +- Better errors: 'ImplementationError' was way too often used as a fallback when the developer was too lazy to create a new error. This tries to cure that, especially with e2ei errors. 
It also tries to distinguish client errors from internal errors +- [**breaking**] Simplify API of 'add_clients_to_conversation' by not requiring to repeat the ClientId of the new members alongside their KeyPackage when the former can now be extracted from the latter +- [**breaking**] Introduce handle & team in the client dpop token + +### Testing + +- Test DB migration from 0.9.2 + + +### Testing + +- Add new keystore regression test to CI +- Test keystore migration regressions + + +### Bug Fixes + +- Preserve schema upgrade path between schemafix'd versions and upcoming + +### Miscellaneous Tasks + +- Release v1.0.0-rc.18 + + +### Bug Fixes + +- Don't depend on OpenSSL on WASM +- Dynamic linking issue on Android with the atomic lib + +### Miscellaneous Tasks + +- Release v1.0.0-rc.17 ([#425](https://github.com/wireapp/core-crypto/issues/425)) +- Use actual CI cache + + +### Bug Fixes + +- Prevent CI from overriding RUSTFLAGS +- Added missing d.ts declarations +- KP test was taking too much time + +### Documentation + +- Updated README.md noting Bun usage + +### Features + +- Switch from node to bun + +### Miscellaneous Tasks + +- Release v1.0.0-rc.16 + + +### Bug Fixes + +- Add '-latomic' flag when building for Android to dynamically link atomic lib which is supposedly causing issues with openssl + +### Features + +- Re-export e2ei types + +### Miscellaneous Tasks + +- Fix some clippy lints + + +### Bug Fixes + +- Backward incompatible database schemas. It only preserves Proteus compatibility when migrating from CC 0.11.0 -> 1.0.0. 
For anything MLS-related it is recommended to wipe all the groups + +### Miscellaneous Tasks + +- Release 1.0.0-rc.14 + + +### Bug Fixes + +- Do not reapply buffered messages when rejoining with external commit +- Coarsetime issue causing compilation error on WASM + +### Features + +- [**breaking**] Make initial number of generated KeyPackage configurable +- Add e2ei ffi in Swift wrapper +- [**breaking**] Add LeafNode validation + +### Miscellaneous Tasks + +- Release 1.0.0-rc.13 +- Use wasm_bindgen macros to generate Typescript classes used in e2ei enrollment process + +### Testing + +- Try fixing flaky time-based LeafNode validation tests + + +### Bug Fixes + +- Use sed in a cross-platform way for kt edits + +### Miscellaneous Tasks + +- Release v1.0.0-rc.12 + + +### Bug Fixes + +- [**breaking**] UniFFI Errors + +### Miscellaneous Tasks + +- Release v1.0.0-rc.11 + + +### Bug Fixes + +- UniFFI symbol matching + +### Miscellaneous Tasks + +- Release v1.0.0-rc.10 + + +### Bug Fixes + +- Make UniFFI produce the correct symbol in bindings +- Change e2ei enrollment identifier causing collision now that keypairs are reused + +### Documentation + +- Regenerate changelog + +### Features + +- [**breaking**] Return raw PEM certificate in `getUserIdentities` for display purpose +- [**breaking**] Bump rusty-jwt-tools to v0.5.0. 
Add 'revokeCert' to AcmeDirectory + +### Miscellaneous Tasks + +- Release v1.0.0-rc.9 + + +### Bug Fixes + +- TLS serialization of x509 credential +- [**breaking**] UniFFI Async cancellable routines + bytes +- Make interop runner pick up CHROME_PATH from env + +### Features + +- Expose `getUserIdentities` through the FFI +- [**breaking**] Also restore buffered messages on the receiver side +- Increase max past epoch to 3 since backend inordering of messages requires client's config to backend's one + 1 + +### Miscellaneous Tasks + +- Release 1.0.0-rc.8 +- Fix clippy lint on wasm tests +- Quiet clippy new lint about non send in Arc because it comes from wasm-bindgen wrapped Javascript object which cannot be shared between threads anyway +- Remove useless application message epoch check + +### Refactor + +- Borrow conversation_id in `new_conversation` + +### Testing + +- Fix wasm test hitting a limit. Just split them for now, waiting for a proper solution +- Fix spinoff 0.8 compilation + + +### Bug Fixes + +- Kotlin tests not compiling after methods became async + +### Features + +- Correlate RotateBundle with a GroupId + +### Miscellaneous Tasks + +- Release 1.0.0-rc.7 + + +### Bug Fixes + +- `e2eiRotateAll` return type was not wrapped +- Signature KeyPair was rotated when credentials were which was zealous. Also fixes an important bug caused by inverted private & public keypair part when rotating credentials + +### Features + +- [**breaking**] Handle the case when a client tries to decrypt a Welcome referring to a KeyPackage he already has deleted locally +- Add keystore dump exporter CLI tool + +### Miscellaneous Tasks + +- Release 1.0.0-rc.6 + +### Testing + +- Add a roundtrip test for e2ei credential rotation to tackle a false positive regression + + +### Bug Fixes + +- E2ei enum for conversation state was unused and failing the Typescript publication. 
Now CI will have the same compiler flags when checking bindings in order to prevent this again + +### Miscellaneous Tasks + +- Release 1.0.0-rc.5 + + +### Miscellaneous Tasks + +- Release 1.0.0-rc.4 +- Patch visibility issue for enum 'E2eiConversationState' which was failing when building Typescript bindings + +
+ +* fix(e2ei): include "keyauth" in the ACME authorization, turn challenge non-optional in ACME authorization and stop including keyauth in the ACME challenge request. This version only works with IdP supporting extra OAuth claims (and by consequence only work with Keycloak and not Dex) + +## [1.0.0-rc.29] - 2024-01-16 + +
+ git-conventional changelog + +### Bug Fixes + +- Pin rusty-jwt-tools v0.8.4 fixing an issue with the wrong signature key being used for the client DPoP token + +
+ +* fix(e2ei): issue with the wrong signature key being used for the client DPoP token + +## [1.0.0-rc.28] - 2024-01-15 + +
+ git-conventional changelog + +### Bug Fixes + +- Actually fix keyauth issue + +
+ +* fix(e2ei): issue related to invalid 'keyauth' + +## [1.0.0-rc.26] - 2024-01-15 + +
+ git-conventional changelog + +### Bug Fixes + +- Previous fix was not compiling + +
+ +* fix(e2ei): e2ei keystore method 'find_all' was unimplemented on WASM for intermediate CAs & CRLs + +## [1.0.0-rc.24] - 2024-01-15 + +
+ git-conventional changelog + +### Bug Fixes + +- Pin e2ei package tag +- Add PKI API to bindings + +### Features + +- Added support for PKI environment +- Change ClientId & Handle format to URIs + +
+ +* feat(e2ei): add methods to register root/intermediate certificates and CRLs. Also checks revocation status when asking for a conversation/user/device state. +* feat(e2ei): change ClientId & Handle to URIs with the scheme 'wireapp://'. Use '!' as delimiter in the ClientId + +## [1.0.0-rc.23] - 2024-01-08 + +
+ git-conventional changelog + +### Bug Fixes + +- Null pointer in Javascript when calling 'new_oidc_challenge_response' +- Swift wrapper for E2eiEnrollment was not used in other methods +- Use 'implementation' Gradle configuration not to enforce dependencies version into consumers. Fixes #451 + +### Features + +- [**breaking**] Remove PerDomainTrustAnchor extension altogether. Backward incompatible changes ! + +
+ +* feat(mls)!: remove `PerDomainTrustAnchor` extension from required capabilities. Backward incompatible changes ! If you ever migrate from a previous version to this one take care of deleting all your groups +* fix(e2ei): fix a null pointer in the Javascript API +* fix(e2ei): Swift wrapper for E2eiEnrollment was not used in other methods +* fix: use 'implementation' Gradle configuration not to enforce dependencies version into consumers + +## [1.0.0-rc.22] - 2023-12-13 + +
+ git-conventional changelog + +### Bug Fixes + +- README mentions a task which doesn't exist ([#445](https://github.com/wireapp/core-crypto/issues/445)) +- Remove unnecessary boxing of values before persisting them in IndexedDb + +### Features + +- [**breaking**] Remove 'clientId' from activation & rotate enrollment now that we expect a specific ClientId format +- [**breaking**] Add `get_credential_in_use()` to check the e2ei state from a GroupInfo +- [**breaking**] Rename `E2eiConversationState::Degraded` in to `E2eiConversationState::NotVerified` +- [**breaking**] Managed OIDC refreshToken (wpb-5012) + +### Miscellaneous Tasks + +- Remove unused 'MlsSignatureKeyPairExt' trait and 'get_indexed' method +- Streamline "collection" in wasm storage +- WasmEncryptedStorage::get_many was not used + +### Testing + +- Verify that clients can create conversation with x509 credentials + +
+ +* feat(e2ei)!: manage OIDC refreshToken in CoreCrypto's encrypted-at-rest store. As a consequence, some methods went async (all the enrollment ones in WASM). The refreshToken has to be supplied in `newOidcChallengeRequest()` and is persisted in `newOidcChallengeResponse()`. Clients should fetch it back from an `Enrollment` created by `newRotateEnrollment()` with the new `getRefreshToken()` method. +* feat(e2ei)!: remove 'clientId' from `newActivationEnrollment()` & `newRotateEnrollment()`. We can do this now that we expect a specific ClientId format. +* feat(e2ei): add `getCredentialInUse(GroupInfo)` to check the e2ei state from a GroupInfo. This allows verifying the state of a conversation before joining it (and potentially degrading the e2ei state). +* feat(e2ei)!: rename `E2eiConversationState::Degraded` in to `E2eiConversationState::NotVerified` + +## [1.0.0-rc.21] - 2023-12-05 + +
+ git-conventional changelog + +### Features + +- [**breaking**] Canonicalize ClientId keeping only the regular version where the UserId portion is the hyphenated string representation of the UUID. Also apply this to 'getUserIdentities()' + +
+ +* feat!: canonicalize ClientId keeping only the regular version where the UserId portion is the hyphenated string representation of the UUID. Also apply this to `getUserIdentities()` + +## [1.0.0-rc.20] - 2023-12-04 + +
+ git-conventional changelog + +### Features + +- Better errors: 'ImplementationError' was way too often used as a fallback when the developer was too lazy to create a new error. This tries to cure that, especially with e2ei errors. It also tries to distinguish client errors from internal errors +- [**breaking**] Simplify API of 'add_clients_to_conversation' by not requiring to repeat the ClientId of the new members alongside their KeyPackage when the former can now be extracted from the latter +- [**breaking**] Introduce handle & team in the client dpop token + +### Testing + +- Test DB migration from 0.9.2 + + +### Testing + +- Add new keystore regression test to CI +- Test keystore migration regressions + + +### Bug Fixes + +- Preserve schema upgrade path between schemafix'd versions and upcoming + +### Miscellaneous Tasks + +- Release v1.0.0-rc.18 + + +### Bug Fixes + +- Don't depend on OpenSSL on WASM +- Dynamic linking issue on Android with the atomic lib + +### Miscellaneous Tasks + +- Release v1.0.0-rc.17 ([#425](https://github.com/wireapp/core-crypto/issues/425)) +- Use actual CI cache + + +### Bug Fixes + +- Prevent CI from overriding RUSTFLAGS +- Added missing d.ts declarations +- KP test was taking too much time + +### Documentation + +- Updated README.md noting Bun usage + +### Features + +- Switch from node to bun + +### Miscellaneous Tasks + +- Release v1.0.0-rc.16 + + +### Bug Fixes + +- Add '-latomic' flag when building for Android to dynamically link atomic lib which is supposedly causing issues with openssl + +### Features + +- Re-export e2ei types + +### Miscellaneous Tasks + +- Fix some clippy lints + + +### Bug Fixes + +- Backward incompatible database schemas. It only preserves Proteus compatibility when migrating from CC 0.11.0 -> 1.0.0. For anything MLS-related it is recommended to wipe all the groups -* fix(e2ei): use 2 ACME authorizations instead of 1 +### Miscellaneous Tasks -## [1.0.0-rc.30] - 2024-01-16 +- Release 1.0.0-rc.14 -
- git-conventional changelog ### Bug Fixes -- Wrong rusty-jwt-tools pinned in rc30 +- Do not reapply buffered messages when rejoining with external commit +- Coarsetime issue causing compilation error on WASM ### Features -- [**breaking**] Expose keyauth in ACME authz +- [**breaking**] Make initial number of generated KeyPackage configurable +- Add e2ei ffi in Swift wrapper +- [**breaking**] Add LeafNode validation -
+### Miscellaneous Tasks -* fix(e2ei): include "keyauth" in the ACME authorization, turn challenge non-optional in ACME authorization and stop including keyauth in the ACME challenge request. This version only works with IdP supporting extra OAuth claims (and by consequence only work with Keycloak and not Dex) +- Release 1.0.0-rc.13 +- Use wasm_bindgen macros to generate Typescript classes used in e2ei enrollment process -## [1.0.0-rc.29] - 2024-01-16 +### Testing -
- git-conventional changelog +- Try fixing flaky time-based LeafNode validation tests -### Bug Fixes -- Pin rusty-jwt-tools v0.8.4 fixing an issue with the wrong signature key being used for the client DPoP token +### Bug Fixes -
+- Use sed in a cross-platform way for kt edits -* fix(e2ei): issue with the wrong signature key being used for the client DPoP token +### Miscellaneous Tasks -## [1.0.0-rc.28] - 2024-01-15 +- Release v1.0.0-rc.12 -
- git-conventional changelog ### Bug Fixes -- Actually fix keyauth issue +- [**breaking**] UniFFI Errors -
+### Miscellaneous Tasks -* fix(e2ei): issue related to invalid 'keyauth' +- Release v1.0.0-rc.11 -## [1.0.0-rc.26] - 2024-01-15 -
- git-conventional changelog +### Bug Fixes + +- UniFFI symbol matching + +### Miscellaneous Tasks + +- Release v1.0.0-rc.10 + ### Bug Fixes -- Previous fix was not compiling +- Make UniFFI produce the correct symbol in bindings +- Change e2ei enrollment identifier causing collision now that keypairs are reused -
+### Documentation -* fix(e2ei): e2ei keystore method 'find_all' was unimplemented on WASM for intermediate CAs & CRLs +- Regenerate changelog -## [1.0.0-rc.24] - 2024-01-15 +### Features + +- [**breaking**] Return raw PEM certificate in `getUserIdentities` for display purpose +- [**breaking**] Bump rusty-jwt-tools to v0.5.0. Add 'revokeCert' to AcmeDirectory + +### Miscellaneous Tasks + +- Release v1.0.0-rc.9 -
- git-conventional changelog ### Bug Fixes -- Pin e2ei package tag -- Add PKI API to bindings +- TLS serialization of x509 credential +- [**breaking**] UniFFI Async cancellable routines + bytes +- Make interop runner pick up CHROME_PATH from env ### Features -- Added support for PKI environment -- Change ClientId & Handle format to URIs +- Expose `getUserIdentities` through the FFI +- [**breaking**] Also restore buffered messages on the receiver side +- Increase max past epoch to 3 since backend inordering of messages requires client's config to backend's one + 1 -
+### Miscellaneous Tasks -* feat(e2ei): add methods to register root/intermediate certificates and CRLs. Also checks revocation status when asking for a conversation/user/device state. -* feat(e2ei): change ClientId & Handle to URIs with the scheme 'wireapp://'. Use '!' as delimiter in the ClientId +- Release 1.0.0-rc.8 +- Fix clippy lint on wasm tests +- Quiet clippy new lint about non send in Arc because it comes from wasm-bindgen wrapped Javascript object which cannot be shared between threads anyway +- Remove useless application message epoch check -## [1.0.0-rc.23] - 2024-01-08 +### Refactor + +- Borrow conversation_id in `new_conversation` + +### Testing + +- Fix wasm test hitting a limit. Just split them for now, waiting for a proper solution +- Fix spinoff 0.8 compilation -
- git-conventional changelog ### Bug Fixes -- Null pointer in Javascript when calling 'new_oidc_challenge_response' -- Swift wrapper for E2eiEnrollment was not used in other methods -- Use 'implementation' Gradle configuration not to enforce dependencies version into consumers. Fixes #451 +- Kotlin tests not compiling after methods became async ### Features -- [**breaking**] Remove PerDomainTrustAnchor extension altogether. Backward incompatible changes ! - -
+- Correlate RotateBundle with a GroupId -* feat(mls)!: remove `PerDomainTrustAnchor` extension from required capabilities. Backward incompatible changes ! If you ever migrate from a previous version to this one take care of deleting all your groups -* fix(e2ei): fix a null pointer in the Javascript API -* fix(e2ei): Swift wrapper for E2eiEnrollment was not used in other methods -* fix: use 'implementation' Gradle configuration not to enforce dependencies version into consumers +### Miscellaneous Tasks -## [1.0.0-rc.22] - 2023-12-13 +- Release 1.0.0-rc.7 -
- git-conventional changelog ### Bug Fixes -- README mentions a task which doesn't exist ([#445](https://github.com/wireapp/core-crypto/issues/445)) -- Remove unnecessary boxing of values before persisting them in IndexedDb +- `e2eiRotateAll` return type was not wrapped +- Signature KeyPair was rotated when credentials were which was zealous. Also fixes an important bug caused by inverted private & public keypair part when rotating credentials ### Features -- [**breaking**] Remove 'clientId' from activation & rotate enrollment now that we expect a specific ClientId format -- [**breaking**] Add `get_credential_in_use()` to check the e2ei state from a GroupInfo -- [**breaking**] Rename `E2eiConversationState::Degraded` in to `E2eiConversationState::NotVerified` -- [**breaking**] Managed OIDC refreshToken (wpb-5012) +- [**breaking**] Handle the case when a client tries to decrypt a Welcome referring to a KeyPackage he already has deleted locally +- Add keystore dump exporter CLI tool ### Miscellaneous Tasks -- Remove unused 'MlsSignatureKeyPairExt' trait and 'get_indexed' method -- Streamline "collection" in wasm storage -- WasmEncryptedStorage::get_many was not used +- Release 1.0.0-rc.6 ### Testing -- Verify that clients can create conversation with x509 credentials +- Add a roundtrip test for e2ei credential rotation to tackle a false positive regression -
-* feat(e2ei)!: manage OIDC refreshToken in CoreCrypto's encrypted-at-rest store. As a consequence, some methods went async (all the enrollment ones in WASM). The refreshToken has to be supplied in `newOidcChallengeRequest()` and is persisted in `newOidcChallengeResponse()`. Clients should fetch it back from an `Enrollment` created by `newRotateEnrollment()` with the new `getRefreshToken()` method. -* feat(e2ei)!: remove 'clientId' from `newActivationEnrollment()` & `newRotateEnrollment()`. We can do this now that we expect a specific ClientId format. -* feat(e2ei): add `getCredentialInUse(GroupInfo)` to check the e2ei state from a GroupInfo. This allows verifying the state of a conversation before joining it (and potentially degrading the e2ei state). -* feat(e2ei)!: rename `E2eiConversationState::Degraded` in to `E2eiConversationState::NotVerified` +### Bug Fixes -## [1.0.0-rc.21] - 2023-12-05 +- E2ei enum for conversation state was unused and failing the Typescript publication. Now CI will have the same compiler flags when checking bindings in order to prevent this again -
- git-conventional changelog +### Miscellaneous Tasks -### Features +- Release 1.0.0-rc.5 -- [**breaking**] Canonicalize ClientId keeping only the regular version where the UserId portion is the hyphenated string representation of the UUID. Also apply this to 'getUserIdentities()' -
+### Miscellaneous Tasks -* feat!: canonicalize ClientId keeping only the regular version where the UserId portion is the hyphenated string representation of the UUID. Also apply this to `getUserIdentities()` +- Release 1.0.0-rc.4 +- Patch visibility issue for enum 'E2eiConversationState' which was failing when building Typescript bindings -## [1.0.0-rc.20] - 2023-12-04 -
- git-conventional changelog +### Bug Fixes + +- Proteus wasm test now uses wasm-browser-run +- Cargo doc fixes for wasm-browser-run +- Interop runner now uses wasm-browser-run to install chromedriver +- Support chromedriver 115 delivery method +- `e2ei_rotate_all` was returning 'undefined' on WASM +- [**breaking**] Entities leaked. Some methods handling the lifecycle of a MLS group were not cleaning created entities correctly. This avoids required storage space to grow linearly. ### Features -- Better errors: 'ImplementationError' was way too often used as a fallback when the developer was too lazy to create a new error. This tries to cure that, especially with e2ei errors. It also tries to distinguish client errors from internal errors -- [**breaking**] Simplify API of 'add_clients_to_conversation' by not requiring to repeat the ClientId of the new members alongside their KeyPackage when the former can now be extracted from the latter -- [**breaking**] Introduce handle & team in the client dpop token +- [**breaking**] Rename `e2eiIsDegraded` by `e2eiConversationState` and change return type to an enumeration instead of a boolean to match all the e2ei states a conversation could have. +- Add `e2ei_is_enabled` for clients to spot if their MLS client is enrolled for end-to-end identity -### Testing +### Miscellaneous Tasks -- Test DB migration from 0.9.2 +- Release 1.0.0-rc.3 +- Update rstest versions +- Updated xtask deps
@@ -381,6 +938,14 @@ Platform support legends:
git-conventional changelog +### Bug Fixes + +- Preserve schema upgrade path between schemafix'd versions and upcoming + +### Miscellaneous Tasks + +- Release v1.0.0-rc.18 +
* Native platforms only: Preserve database schema upgrade path from 0.8.x, 1.0.0-pre.6+schemafix-0007 and onwards. @@ -833,11 +1398,6 @@ In that case he has to catch & ignore the "OrphanWelcome" error and to rejoin th
git-conventional changelog -### Miscellaneous Tasks - -- Release 1.0.0-rc.4 -- Patch visibility issue for enum 'E2eiConversationState' which was failing when building Typescript bindings -
* Fix WASM publication issues @@ -847,26 +1407,6 @@ In that case he has to catch & ignore the "OrphanWelcome" error and to rejoin th
git-conventional changelog -### Bug Fixes - -- Proteus wasm test now uses wasm-browser-run -- Cargo doc fixes for wasm-browser-run -- Interop runner now uses wasm-browser-run to install chromedriver -- Support chromedriver 115 delivery method -- `e2ei_rotate_all` was returning 'undefined' on WASM -- [**breaking**] Entities leaked. Some methods handling the lifecycle of a MLS group were not cleaning created entities correctly. This avoids required storage space to grow linearly. - -### Features - -- [**breaking**] Rename `e2eiIsDegraded` by `e2eiConversationState` and change return type to an enumeration instead of a boolean to match all the e2ei states a conversation could have. -- Add `e2ei_is_enabled` for clients to spot if their MLS client is enrolled for end-to-end identity - -### Miscellaneous Tasks - -- Release 1.0.0-rc.3 -- Update rstest versions -- Updated xtask deps -
@@ -943,24 +1483,6 @@ In that case he has to catch & ignore the "OrphanWelcome" error and to rejoin th
git-conventional changelog -### Bug Fixes - -- Make clippy happy -- Xtask release fix for kotlin sonatype publishing -- Disable stripping to allow FFI to build -- Incorrect error value in tests - -### Features - -- [**breaking**] Prevent conversation overwrite when joining -- [**breaking**] Detect duplicate messages from previous epoch and fail with a dedicated error -- Publish to Sonatype instead of Github Packages ([#347](https://github.com/wireapp/core-crypto/issues/347)) - -### Miscellaneous Tasks - -- Release v1.0.0-pre.7 -- Pin dependencies on wireapp org forks -
* **[BREAKING]** We now detect duplicate messages from previous epochs, as such the `GenerationOutOfBound` error is now named `DuplicateMessage`. @@ -987,6 +1509,47 @@ In that case he has to catch & ignore the "OrphanWelcome" error and to rejoin th - PostQuantum Ciphersuite - [**breaking**] Remove `export_group_info()` + +### Bug Fixes + +- Backend sends raw GroupInfo, we were trying to deserialize it from a MlsMessage + + +### Bug Fixes + +- Pin a version of openmls with a fix in tls_codec related to variable length encoding + +### Testing + +- Fix external commit test was not merging the external commit + + +### Bug Fixes + +- Typo in build xcframework task + + +### Features + +- CoreCrypto draft-20 upgrade +- Generate XCFramework when releasing for Swift ([#330](https://github.com/wireapp/core-crypto/issues/330)) + + +### Features + +- Add `e2ei_is_degraded` to flag a conversation as degraded when at least 1 member is not using a e2ei certificate + + +### Bug Fixes + +- Usize to u64 conversion error on Android in `client_valid_keypackages_count`. Whatever the reason this applies a default meaningful value +- [**breaking**] Creating a MLS group does not consume an existing KeyPackage anymore, instead it always generates a new local one. Also, explicitly ask for the credential type of the creator before creating a new MLS group. +- Mobile FFI was failing when initializing MLS client due to a Arc being incremented one too many times. Also add the E2EI API in the Kotlin wrapper and a test for it + +### Features + +- [**breaking**] Hide everywhere `Vec` appears in the public API since it seems to fail for obscure reasons on aarch64 Android devices. Undo when we have a better understanding of the root cause of this +
* feat!: PostQuantum Ciphersuite support ! Using [Xyber768](https://www.ietf.org/archive/id/draft-westerbaan-cfrg-hpke-xyber768d00-02.html) for Key Exchange. diff --git a/CHANGELOG.tpl b/CHANGELOG.tpl index a16cb6db18..3315d58f0c 100644 --- a/CHANGELOG.tpl +++ b/CHANGELOG.tpl @@ -7,11 +7,21 @@ Platform support legends: * Note: the papercuts will majorly be with the build process. Things might be very rough to integrate as no polish at all has been given yet. * ❌ = tier 3 support. It doesn't work just yet, but we plan to make it work. +## [1.0.0-rc.39] - 2024-02-20 + +
+ git-conventional changelog +{{git-cliff tag="v1.0.0-rc.39" unreleased=true}} +
+ +* Integrated the display name in the JWT DPoP token +* Reworked and hardened all x.509 verifications (including revocation) + ## [1.0.0-rc.38] - 2024-02-16
git-conventional changelog -{{git-cliff tag="v1.0.0-rc.38" unreleased=true}} +{{git-cliff tag="v1.0.0-rc.38"}}
* Add `getExternalSender()` to init a subconversation with the parent external sender diff --git a/crypto-attributes/Cargo.toml b/crypto-attributes/Cargo.toml index 1780153105..c40346a206 100644 --- a/crypto-attributes/Cargo.toml +++ b/crypto-attributes/Cargo.toml @@ -2,7 +2,7 @@ name = "core-crypto-attributes" description = "Macros for core-crypto" repository = "https://github.com/wireapp/core-crypto" -version = "1.0.0-rc.38" +version = "1.0.0-rc.39" edition = "2021" license = "GPL-3.0-only" diff --git a/crypto-ffi/Cargo.toml b/crypto-ffi/Cargo.toml index 38461be98b..f60da7ed24 100644 --- a/crypto-ffi/Cargo.toml +++ b/crypto-ffi/Cargo.toml @@ -2,7 +2,7 @@ name = "core-crypto-ffi" description = "Platform-specific bindings (Android, iOS, WASM) for CoreCrypto" repository = "https://github.com/wireapp/core-crypto" -version = "1.0.0-rc.38" +version = "1.0.0-rc.39" edition = "2021" license = "GPL-3.0-only" publish = false @@ -35,7 +35,7 @@ sha2 = { version = "0.10", features = ["force-soft"] } [target.'cfg(not(target_family = "wasm"))'.dependencies] # UniFFI - Android + iOS bindings - Runtime support uniffi = { workspace = true } -core-crypto = { version = "^1.0.0-rc.38", path = "../crypto", features = ["uniffi"] } +core-crypto = { version = "^1.0.0-rc.39", path = "../crypto", features = ["uniffi"] } [target.wasm32-unknown-unknown.dependencies] wasm-bindgen = "0.2" @@ -46,7 +46,7 @@ serde = { version = "1.0", features = ["derive"] } js-sys = "0.3" web-sys = "0.3" strum = "0.26" -core-crypto = { version = "^1.0.0-rc.38", path = "../crypto" } +core-crypto = { version = "^1.0.0-rc.39", path = "../crypto" } # UniFFI - Android + iOS bindings - Build support diff --git a/crypto-ffi/bindings/gradle.properties b/crypto-ffi/bindings/gradle.properties index 16739154b9..8d2ef136cb 100644 --- a/crypto-ffi/bindings/gradle.properties +++ b/crypto-ffi/bindings/gradle.properties 
@@ -15,7 +15,7 @@ kotlin.code.style=official
 # gradle-maven-publish configuration
 GROUP=com.wire
-VERSION_NAME=1.0.0-rc.38
+VERSION_NAME=1.0.0-rc.39
 SONATYPE_HOST=DEFAULT
 SONATYPE_AUTOMATIC_RELEASE=true
 RELEASE_SIGNING_ENABLED=true
diff --git a/crypto/Cargo.toml b/crypto/Cargo.toml
index 1a02c5a4ad..253ac7d991 100644
--- a/crypto/Cargo.toml
+++ b/crypto/Cargo.toml
@@ -2,7 +2,7 @@
 name = "core-crypto"
 description = "Abstraction over OpenMLS with persistent keystore"
 repository = "https://github.com/wireapp/core-crypto"
-version = "1.0.0-rc.38"
+version = "1.0.0-rc.39"
 edition = "2021"
 license = "GPL-3.0-only"
 publish = false
@@ -77,13 +77,13 @@ rexie = { version = "0.4", optional = true }
 base64 = { version = "0.21", optional = true }
 [target.'cfg(not(target_os = "ios"))'.dependencies]
-core-crypto-keystore = { version = "^1.0.0-rc.38", path = "../keystore" }
+core-crypto-keystore = { version = "^1.0.0-rc.39", path = "../keystore" }
 [target.'cfg(target_os = "ios")'.dependencies]
-core-crypto-keystore = { version = "^1.0.0-rc.38", path = "../keystore", features = ["ios-wal-compat"] }
+core-crypto-keystore = { version = "^1.0.0-rc.39", path = "../keystore", features = ["ios-wal-compat"] }
 [dependencies.mls-crypto-provider]
-version = "^1.0.0-rc.38"
+version = "^1.0.0-rc.39"
 path = "../mls-provider"
 [dev-dependencies]
@@ -107,7 +107,7 @@ fluvio-wasm-timer = "0.2"
 time = { version = "0.3", features = ["wasm-bindgen"] }
 [dev-dependencies.core-crypto-keystore]
-version = "^1.0.0-rc.38"
+version = "^1.0.0-rc.39"
 path = "../keystore"
 features = ["dummy-entity"]
@@ -120,7 +120,7 @@ version = "0.5"
 features = ["async_std", "html_reports"]
 [dev-dependencies.core-crypto-attributes]
-version = "^1.0.0-rc.38"
+version = "^1.0.0-rc.39"
 path = "../crypto-attributes"
 [package.metadata.wasm-pack.profile.release]
diff --git a/interop/Cargo.toml b/interop/Cargo.toml
index dc343a81f1..219d3c941e 100644
--- a/interop/Cargo.toml
+++ b/interop/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "interop"
-version = "1.0.0-rc.38"
+version = "1.0.0-rc.39"
 edition = "2021"
 license = "GPL-3.0-only"
diff --git a/keystore-dump/Cargo.toml b/keystore-dump/Cargo.toml
index 9b5584ad29..6182566367 100644
--- a/keystore-dump/Cargo.toml
+++ b/keystore-dump/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "keystore-dump"
 description = "Dumps a keystore to JSON on stdout"
-version = "1.0.0-rc.38"
+version = "1.0.0-rc.39"
 edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
diff --git a/keystore/Cargo.toml b/keystore/Cargo.toml
index 5624982303..3db1f7d96e 100644
--- a/keystore/Cargo.toml
+++ b/keystore/Cargo.toml
@@ -2,7 +2,7 @@
 name = "core-crypto-keystore"
 description = "Encrypted keystore with support for OpenMLS and Proteus"
 repository = "https://github.com/wireapp/core-crypto"
-version = "1.0.0-rc.38"
+version = "1.0.0-rc.39"
 edition = "2021"
 license = "GPL-3.0-only"
 publish = false
diff --git a/mls-provider/Cargo.toml b/mls-provider/Cargo.toml
index d2b8ffac29..225a9c155f 100644
--- a/mls-provider/Cargo.toml
+++ b/mls-provider/Cargo.toml
@@ -2,7 +2,7 @@
 name = "mls-crypto-provider"
 description = "MLS Crypto Provider wrapping core-crypto-keystore"
 repository = "https://github.com/wireapp/core-crypto"
-version = "1.0.0-rc.38"
+version = "1.0.0-rc.39"
 edition = "2021"
 license = "GPL-3.0-only"
 publish = false
@@ -49,10 +49,10 @@ version = "0.10"
 features = ["x25519", "p256", "p384", "xyber768d00", "serde_impls"]
 [target.'cfg(not(target_os = "ios"))'.dependencies]
-core-crypto-keystore = { version = "^1.0.0-rc.38", path = "../keystore" }
+core-crypto-keystore = { version = "^1.0.0-rc.39", path = "../keystore" }
 [target.'cfg(target_os = "ios")'.dependencies]
-core-crypto-keystore = { version = "^1.0.0-rc.38", path = "../keystore", features = ["ios-wal-compat"] }
+core-crypto-keystore = { version = "^1.0.0-rc.39", path = "../keystore", features = ["ios-wal-compat"] }
 [dev-dependencies]
 wasm-bindgen-test = "0.3"
diff --git a/package.json b/package.json
index 0d3f279902..e4490de791 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@wireapp/core-crypto",
- "version": "1.0.0-rc.38",
+ "version": "1.0.0-rc.39",
 "description": "CoreCrypto bindings for the Web",
 "type": "module",
 "module": "platforms/web/corecrypto.js",