From 5b8815b8702a77897415bea3957c77326d4d8977 Mon Sep 17 00:00:00 2001 From: beltram Date: Wed, 6 Mar 2024 17:06:24 +0100 Subject: [PATCH] fix: deduplicate CRL DPs --- crypto-ffi/src/generic.rs | 20 +++++---- crypto-ffi/src/wasm.rs | 18 ++++---- crypto/Cargo.toml | 2 +- crypto/src/e2e_identity/init_certificates.rs | 23 +++++++--- crypto/src/e2e_identity/mod.rs | 3 +- crypto/src/e2e_identity/rotate.rs | 5 ++- crypto/src/mls/conversation/commit.rs | 20 +++++---- crypto/src/mls/conversation/decrypt.rs | 19 +++++---- crypto/src/mls/conversation/proposal.rs | 10 +++-- crypto/src/mls/conversation/self_commit.rs | 2 +- crypto/src/mls/conversation/welcome.rs | 9 ++-- crypto/src/mls/credential/crl.rs | 44 ++++++++++---------- crypto/src/mls/external_commit.rs | 8 ++-- crypto/src/test_utils/x509.rs | 8 +--- 14 files changed, 110 insertions(+), 81 deletions(-) diff --git a/crypto-ffi/src/generic.rs b/crypto-ffi/src/generic.rs index 49658a943a..c0ecf1a362 100644 --- a/crypto-ffi/src/generic.rs +++ b/crypto-ffi/src/generic.rs @@ -226,7 +226,7 @@ impl TryFrom for MemberAddedMessages { welcome, commit, group_info: group_info.into(), - crl_new_distribution_points, + crl_new_distribution_points: crl_new_distribution_points.into(), }) } } @@ -242,7 +242,7 @@ impl From for WelcomeBundle { fn from(w: core_crypto::prelude::WelcomeBundle) -> Self { Self { id: w.id, - crl_new_distribution_points: w.crl_new_distribution_points, + crl_new_distribution_points: w.crl_new_distribution_points.into(), } } } @@ -367,7 +367,7 @@ impl TryFrom for RotateBundle { commits, new_key_packages, key_package_refs_to_remove, - crl_new_distribution_points, + crl_new_distribution_points: crl_new_distribution_points.into(), }) } } @@ -387,7 +387,7 @@ impl TryFrom for ProposalBundle { Ok(Self { proposal, proposal_ref, - crl_new_distribution_points, + crl_new_distribution_points: crl_new_distribution_points.into(), }) } } @@ -410,7 +410,7 @@ impl TryFrom for ConversationInitBundle { conversation_id, commit, group_info: gi.into(), - crl_new_distribution_points, + crl_new_distribution_points: crl_new_distribution_points.into(), }) } } @@ -471,7 +471,7 @@ impl TryFrom for DecryptedMessage { has_epoch_changed: from.has_epoch_changed, identity: from.identity.map(Into::into), buffered_messages, - crl_new_distribution_points: from.crl_new_distribution_points, + crl_new_distribution_points: from.crl_new_distribution_points.into(), }) } } @@ -494,7 +494,7 @@ impl TryFrom for BufferedDecryptedMessage sender_client_id: from.sender_client_id.map(ClientId), has_epoch_changed: from.has_epoch_changed, identity: from.identity.map(Into::into), - crl_new_distribution_points: from.crl_new_distribution_points, + crl_new_distribution_points: from.crl_new_distribution_points.into(), }) } } @@ -1601,7 +1601,8 @@ impl CoreCrypto { .lock() .await .e2ei_register_intermediate_ca_pem(cert_pem) - .await?) + .await? + .into()) } /// See [core_crypto::mls::MlsCentral::e2ei_register_crl] @@ -1645,7 +1646,8 @@ impl CoreCrypto { .lock() .await .e2ei_mls_init_only(e2ei, certificate_chain, nb_key_package) - .await?) + .await? + .into()) } /// See [core_crypto::mls::MlsCentral::e2ei_rotate_all] diff --git a/crypto-ffi/src/wasm.rs b/crypto-ffi/src/wasm.rs index f8c19e165a..f0f50d476b 100644 --- a/crypto-ffi/src/wasm.rs +++ b/crypto-ffi/src/wasm.rs @@ -302,7 +302,7 @@ impl TryFrom for MemberAddedMessages { welcome, commit, group_info: pgs.into(), - crl_new_distribution_points, + crl_new_distribution_points: crl_new_distribution_points.into(), }) } } @@ -460,7 +460,7 @@ impl TryFrom for RotateBundle { commits, new_key_packages, key_package_refs_to_remove, - crl_new_distribution_points, + crl_new_distribution_points: crl_new_distribution_points.into(), }) } } @@ -506,7 +506,7 @@ impl TryFrom for ProposalBundle { Ok(Self { proposal, proposal_ref, - crl_new_distribution_points, + crl_new_distribution_points: crl_new_distribution_points.into(), }) } } @@ -558,7 +558,7 @@ impl TryFrom for ConversationInitBundle { conversation_id, commit, group_info: pgs.into(), - crl_new_distribution_points, + crl_new_distribution_points: crl_new_distribution_points.into(), }) } } @@ -592,7 +592,7 @@ impl From for WelcomeBundle { fn from(w: core_crypto::prelude::WelcomeBundle) -> Self { Self { id: w.id, - crl_new_distribution_points: w.crl_new_distribution_points, + crl_new_distribution_points: w.crl_new_distribution_points.into(), } } } @@ -651,7 +651,7 @@ impl TryFrom for DecryptedMessage { has_epoch_changed: from.has_epoch_changed, identity: from.identity.map(Into::into), buffered_messages, - crl_new_distribution_points: from.crl_new_distribution_points, + crl_new_distribution_points: from.crl_new_distribution_points.into(), }) } } @@ -759,7 +759,7 @@ impl TryFrom for BufferedDecryptedMessage sender_client_id: from.sender_client_id.map(ClientId::into), has_epoch_changed: from.has_epoch_changed, identity: from.identity.map(Into::into), - crl_new_distribution_points: from.crl_new_distribution_points, + crl_new_distribution_points: from.crl_new_distribution_points.into(), }) } } @@ -2534,7 +2534,7 @@ impl CoreCrypto { let this = this.read().await; let crls = this.e2ei_register_intermediate_ca_pem(cert_pem).await?; - let crls = if let Some(crls) = crls { + let crls = if let Some(crls) = &*crls { js_sys::Array::from_iter(crls.into_iter().map(JsValue::from)) } else { js_sys::Array::new() @@ -2582,7 +2582,7 @@ impl CoreCrypto { .e2ei_mls_init_only(enrollment, certificate_chain, nb_key_package) .await?; - let crls = if let Some(crls) = crls { + let crls = if let Some(crls) = &*crls { js_sys::Array::from_iter(crls.into_iter().map(JsValue::from)) } else { js_sys::Array::new() diff --git a/crypto/Cargo.toml b/crypto/Cargo.toml index 4864780ba2..c027848010 100644 --- a/crypto/Cargo.toml +++ b/crypto/Cargo.toml @@ -24,7 +24,7 @@ uniffi = ["dep:uniffi"] [dependencies] thiserror = "1.0" -derive_more = { version = "0.99", features = ["from", "into", "deref"] } +derive_more = { version = "0.99", features = ["from", "into", "deref", "deref_mut"] } strum = { version = "0.26", features = ["derive"] } cfg-if = "1.0" hex = "0.4" diff --git a/crypto/src/e2e_identity/init_certificates.rs b/crypto/src/e2e_identity/init_certificates.rs index a64dac6d06..042d2af2d3 100644 --- a/crypto/src/e2e_identity/init_certificates.rs +++ b/crypto/src/e2e_identity/init_certificates.rs @@ -2,6 +2,7 @@ use crate::{e2e_identity::CrlRegistration, prelude::MlsCentral, CryptoError, Cry use core_crypto_keystore::entities::{E2eiAcmeCA, E2eiCrl, E2eiIntermediateCert, EntityBase, UniqueEntity}; use mls_crypto_provider::MlsCryptoProvider; use openmls_traits::OpenMlsCryptoProvider; +use std::collections::HashSet; use std::ops::DerefMut; use wire_e2e_identity::prelude::x509::{ extract_crl_uris, extract_expiration_from_crl, @@ -9,6 +10,15 @@ use wire_e2e_identity::prelude::x509::{ }; use x509_cert::der::Decode; +#[derive(Debug, Clone, derive_more::From, derive_more::Into, derive_more::Deref, derive_more::DerefMut)] +pub struct NewCrlDistributionPoint(Option>); + +impl From for Option> { + fn from(mut dp: NewCrlDistributionPoint) -> Self { + dp.take().map(|d| d.into_iter().collect()) + } +} + impl MlsCentral { /// Registers a Root Trust Anchor CA for the use in E2EI processing. /// @@ -64,13 +74,16 @@ impl MlsCentral { /// /// # Parameters /// * `cert_pem` - PEM certificate to register as an Intermediate CA - pub async fn e2ei_register_intermediate_ca_pem(&self, cert_pem: String) -> CryptoResult>> { + pub async fn e2ei_register_intermediate_ca_pem(&self, cert_pem: String) -> CryptoResult { // Parse/decode PEM cert let inter_ca = PkiEnvironment::decode_pem_cert(cert_pem).map_err(|e| CryptoError::E2eiError(e.into()))?; self.e2ei_register_intermediate_ca(inter_ca).await } - pub(crate) async fn e2ei_register_intermediate_ca_der(&self, cert_der: &[u8]) -> CryptoResult>> { + pub(crate) async fn e2ei_register_intermediate_ca_der( + &self, + cert_der: &[u8], + ) -> CryptoResult { let inter_ca = x509_cert::Certificate::from_der(cert_der)?; self.e2ei_register_intermediate_ca(inter_ca).await } @@ -78,7 +91,7 @@ impl MlsCentral { async fn e2ei_register_intermediate_ca( &self, inter_ca: x509_cert::Certificate, - ) -> CryptoResult>> { + ) -> CryptoResult { // TrustAnchor must have been registered at this point let ta = E2eiAcmeCA::find_unique(self.mls_backend.key_store().borrow_conn().await?.deref_mut()).await?; let ta = x509_cert::Certificate::from_der(&ta.content)?; @@ -86,7 +99,7 @@ impl MlsCentral { // the `/federation` endpoint from smallstep repeats the root CA // so we filter it out here so that clients don't have to do it if inter_ca == ta { - return Ok(None); + return Ok(None.into()); } let intermediate_crl = extract_crl_uris(&inter_ca) @@ -120,7 +133,7 @@ impl MlsCentral { self.init_pki_env().await?; - Ok(intermediate_crl) + Ok(intermediate_crl.into()) } /// Registers a CRL for the use in E2EI processing. diff --git a/crypto/src/e2e_identity/mod.rs b/crypto/src/e2e_identity/mod.rs index 71bed4c54e..fd478f5e6a 100644 --- a/crypto/src/e2e_identity/mod.rs +++ b/crypto/src/e2e_identity/mod.rs @@ -6,6 +6,7 @@ use wire_e2e_identity::prelude::{E2eiAcmeAuthorization, RustyE2eIdentity}; use error::*; use mls_crypto_provider::MlsCryptoProvider; +use crate::e2e_identity::init_certificates::NewCrlDistributionPoint; use crate::{ e2e_identity::{crypto::E2eiSignatureKeypair, id::QualifiedE2eiClientId}, mls::credential::x509::CertificatePrivateKey, @@ -78,7 +79,7 @@ impl MlsCentral { enrollment: E2eiEnrollment, certificate_chain: String, nb_init_key_packages: Option, - ) -> CryptoResult>> { + ) -> CryptoResult { let sk = enrollment.get_sign_key_for_mls()?; let cs = enrollment.ciphersuite; let certificate_chain = enrollment diff --git a/crypto/src/e2e_identity/rotate.rs b/crypto/src/e2e_identity/rotate.rs index d5785cc537..74b8a3a647 100644 --- a/crypto/src/e2e_identity/rotate.rs +++ b/crypto/src/e2e_identity/rotate.rs @@ -6,6 +6,7 @@ use openmls_traits::OpenMlsCryptoProvider; use core_crypto_keystore::{entities::MlsKeyPackage, CryptoKeystoreMls}; use mls_crypto_provider::MlsCryptoProvider; +use crate::e2e_identity::init_certificates::NewCrlDistributionPoint; use crate::{ mls::credential::{ext::CredentialExt, x509::CertificatePrivateKey, CredentialBundle}, prelude::{ @@ -239,7 +240,7 @@ pub struct MlsRotateBundle { /// All the now deprecated KeyPackages. Once deleted remotely, delete them locally with [MlsCentral::delete_keypackages] pub key_package_refs_to_remove: Vec, /// New CRL distribution points that appeared by the introduction of a new credential - pub crl_new_distribution_points: Option>, + pub crl_new_distribution_points: NewCrlDistributionPoint, } impl MlsRotateBundle { @@ -251,7 +252,7 @@ impl MlsRotateBundle { HashMap, Vec>, Vec>, - Option>, + NewCrlDistributionPoint, )> { use openmls::prelude::TlsSerializeTrait as _; diff --git a/crypto/src/mls/conversation/commit.rs b/crypto/src/mls/conversation/commit.rs index d8811ed6d9..eb9a65ea06 100644 --- a/crypto/src/mls/conversation/commit.rs +++ b/crypto/src/mls/conversation/commit.rs @@ -6,9 +6,11 @@ //! | 1+ pend. Proposal | ✅ | ❌ | use openmls::prelude::{KeyPackageIn, LeafNode, LeafNodeIndex, MlsMessageOut}; +use std::collections::HashSet; use mls_crypto_provider::MlsCryptoProvider; +use crate::e2e_identity::init_certificates::NewCrlDistributionPoint; use crate::{ mls::credential::{crl::extract_dp, CredentialBundle}, prelude::{Client, ClientId, ConversationId, CryptoError, CryptoResult, MlsCentral, MlsError, MlsGroupInfoBundle}, @@ -151,15 +153,10 @@ impl MlsConversation { openmls::prelude::MlsCredentialType::X509(cert) => Some(cert), _ => None, }) - .try_fold(vec![], |mut acc, c| { + .try_fold(HashSet::new(), |mut acc, c| { acc.extend(extract_dp(c)?); CryptoResult::Ok(acc) })?; - let crl_new_distribution_points = if crl_new_distribution_points.is_empty() { - None - } else { - Some(crl_new_distribution_points) - }; let (commit, welcome, gi) = self .group @@ -173,6 +170,13 @@ impl MlsConversation { self.persist_group_when_changed(backend, false).await?; + let crl_new_distribution_points = if crl_new_distribution_points.is_empty() { + None + } else { + Some(crl_new_distribution_points) + } + .into(); + Ok(MlsConversationCreationMessage { welcome, commit, @@ -303,7 +307,7 @@ pub struct MlsConversationCreationMessage { /// `GroupInfo` if the commit is merged pub group_info: MlsGroupInfoBundle, /// New CRL distribution points that appeared by the introduction of a new credential - pub crl_new_distribution_points: Option>, + pub crl_new_distribution_points: NewCrlDistributionPoint, } impl MlsConversationCreationMessage { @@ -312,7 +316,7 @@ impl MlsConversationCreationMessage { /// 1 -> commit /// 2 -> group_info #[allow(clippy::type_complexity)] - pub fn to_bytes(self) -> CryptoResult<(Vec, Vec, MlsGroupInfoBundle, Option>)> { + pub fn to_bytes(self) -> CryptoResult<(Vec, Vec, MlsGroupInfoBundle, NewCrlDistributionPoint)> { use openmls::prelude::TlsSerializeTrait as _; let welcome = self.welcome.tls_serialize_detached().map_err(MlsError::from)?; let msg = self.commit.tls_serialize_detached().map_err(MlsError::from)?; diff --git a/crypto/src/mls/conversation/decrypt.rs b/crypto/src/mls/conversation/decrypt.rs index 4b0ef2572d..76459a9489 100644 --- a/crypto/src/mls/conversation/decrypt.rs +++ b/crypto/src/mls/conversation/decrypt.rs @@ -17,11 +17,13 @@ use openmls::{ }, }; use openmls_traits::OpenMlsCryptoProvider; +use std::collections::HashSet; use tls_codec::Deserialize; use core_crypto_keystore::entities::MlsPendingMessage; use mls_crypto_provider::MlsCryptoProvider; +use crate::e2e_identity::init_certificates::NewCrlDistributionPoint; use crate::{ e2e_identity::conversation_state::compute_state, group_store::GroupStoreValue, @@ -66,7 +68,7 @@ pub struct MlsConversationDecryptMessage { /// because the DS did not fan them out in order. pub buffered_messages: Option>, /// New CRL distribution points that appeared by the introduction of a new credential - pub crl_new_distribution_points: Option>, + pub crl_new_distribution_points: NewCrlDistributionPoint, } /// Type safe recursion of [MlsConversationDecryptMessage] @@ -87,7 +89,7 @@ pub struct MlsBufferedConversationDecryptMessage { /// see [MlsConversationDecryptMessage] pub identity: Option, /// see [MlsConversationDecryptMessage] - pub crl_new_distribution_points: Option>, + pub crl_new_distribution_points: NewCrlDistributionPoint, } impl From for MlsBufferedConversationDecryptMessage { @@ -142,7 +144,7 @@ impl MlsConversation { has_epoch_changed: false, identity, buffered_messages: None, - crl_new_distribution_points: None, + crl_new_distribution_points: None.into(), }, ProcessedMessageContent::ProposalMessage(proposal) => { let crl_dps = extract_crl_uris_from_proposals(&[proposal.proposal().clone()])?; @@ -189,11 +191,12 @@ impl MlsConversation { // - This requires a change in OpenMLS to get access to it let crl_dps_from_proposals = extract_crl_uris_from_proposals(proposal_refs.as_ref())?; let crl_dps_from_update_path = extract_crl_uris_from_update_path(&staged_commit)?; - let crl_new_distribution_points = get_new_crl_distribution_points( - backend, - [crl_dps_from_proposals, crl_dps_from_update_path].concat(), - ) - .await?; + + let mut crl_dps = HashSet::new(); + crl_dps.extend(crl_dps_from_proposals); + crl_dps.extend(crl_dps_from_update_path); + + let crl_new_distribution_points = get_new_crl_distribution_points(backend, crl_dps).await?; // getting the pending has to be done before `merge_staged_commit` otherwise it's wiped out let pending_commit = self.group.pending_commit().cloned(); diff --git a/crypto/src/mls/conversation/proposal.rs b/crypto/src/mls/conversation/proposal.rs index 93636f9d1f..ba1f1c8782 100644 --- a/crypto/src/mls/conversation/proposal.rs +++ b/crypto/src/mls/conversation/proposal.rs @@ -9,6 +9,7 @@ use openmls::{binary_tree::LeafNodeIndex, framing::MlsMessageOut, key_packages:: use mls_crypto_provider::MlsCryptoProvider; +use crate::e2e_identity::init_certificates::NewCrlDistributionPoint; use crate::{ mls::credential::crl::extract_dp, prelude::{Client, MlsConversation, MlsProposalRef}, @@ -33,7 +34,8 @@ impl MlsConversation { let crl_new_distribution_points = match key_package.credential().mls_credential() { openmls::prelude::MlsCredentialType::X509(cert) => Some(extract_dp(cert)?), _ => None, - }; + } + .into(); let (proposal, proposal_ref) = self .group @@ -122,7 +124,7 @@ pub struct MlsProposalBundle { /// A unique identifier of the proposal to rollback it later if required pub proposal_ref: MlsProposalRef, /// New CRL distribution points that appeared by the introduction of a new credential - pub crl_new_distribution_points: Option>, + pub crl_new_distribution_points: NewCrlDistributionPoint, } impl From<(MlsMessageOut, openmls::prelude::hash_ref::ProposalRef)> for MlsProposalBundle { @@ -130,7 +132,7 @@ impl From<(MlsMessageOut, openmls::prelude::hash_ref::ProposalRef)> for MlsPropo Self { proposal, proposal_ref: proposal_ref.into(), - crl_new_distribution_points: None, + crl_new_distribution_points: None.into(), } } } @@ -140,7 +142,7 @@ impl MlsProposalBundle { /// 0 -> proposal /// 1 -> proposal reference #[allow(clippy::type_complexity)] - pub fn to_bytes(self) -> CryptoResult<(Vec, Vec, Option>)> { + pub fn to_bytes(self) -> CryptoResult<(Vec, Vec, NewCrlDistributionPoint)> { use openmls::prelude::TlsSerializeTrait as _; let proposal = self.proposal.tls_serialize_detached().map_err(MlsError::from)?; let proposal_ref = self.proposal_ref.to_bytes(); diff --git a/crypto/src/mls/conversation/self_commit.rs b/crypto/src/mls/conversation/self_commit.rs index 808584ae5f..6e3e69ea64 100644 --- a/crypto/src/mls/conversation/self_commit.rs +++ b/crypto/src/mls/conversation/self_commit.rs @@ -87,7 +87,7 @@ impl MlsConversation { has_epoch_changed: true, identity, buffered_messages: None, - crl_new_distribution_points: None, + crl_new_distribution_points: None.into(), }) } } diff --git a/crypto/src/mls/conversation/welcome.rs b/crypto/src/mls/conversation/welcome.rs index a1529f7f5f..08675e408a 100644 --- a/crypto/src/mls/conversation/welcome.rs +++ b/crypto/src/mls/conversation/welcome.rs @@ -1,3 +1,4 @@ +use crate::e2e_identity::init_certificates::NewCrlDistributionPoint; use crate::mls::credential::crl::extract_dp; use crate::{ group_store::GroupStore, @@ -10,6 +11,7 @@ use core_crypto_keystore::entities::PersistedMlsPendingGroup; use mls_crypto_provider::MlsCryptoProvider; use openmls::prelude::{MlsGroup, MlsMessageIn, MlsMessageInBody, Welcome}; use openmls_traits::OpenMlsCryptoProvider; +use std::collections::HashSet; use tls_codec::Deserialize; /// Contains everything client needs to know after decrypting an (encrypted) Welcome message @@ -18,7 +20,7 @@ pub struct WelcomeBundle { /// MLS Group Id pub id: ConversationId, /// New CRL distribution points that appeared by the introduction of a new credential - pub crl_new_distribution_points: Option>, + pub crl_new_distribution_points: NewCrlDistributionPoint, } impl MlsCentral { @@ -85,7 +87,7 @@ impl MlsCentral { openmls::prelude::MlsCredentialType::X509(cert) => Some(cert), _ => None, }) - .try_fold(vec![], |mut acc, c| { + .try_fold(HashSet::new(), |mut acc, c| { acc.extend(extract_dp(c)?); CryptoResult::Ok(acc) })?; @@ -93,7 +95,8 @@ impl MlsCentral { None } else { Some(crl_new_distribution_points) - }; + } + .into(); let id = conversation.id.clone(); self.mls_groups.insert(id.clone(), conversation); diff --git a/crypto/src/mls/credential/crl.rs b/crypto/src/mls/credential/crl.rs index b280dd79b1..d52ea6339d 100644 --- a/crypto/src/mls/credential/crl.rs +++ b/crypto/src/mls/credential/crl.rs @@ -1,12 +1,14 @@ +use crate::e2e_identity::init_certificates::NewCrlDistributionPoint; use crate::prelude::MlsCentral; use crate::{CryptoError, CryptoResult}; use core_crypto_keystore::entities::E2eiCrl; use mls_crypto_provider::MlsCryptoProvider; use openmls::prelude::{Certificate, MlsCredentialType, Proposal, StagedCommit}; use openmls_traits::OpenMlsCryptoProvider; +use std::collections::HashSet; use wire_e2e_identity::prelude::x509::extract_crl_uris; -pub(crate) fn extract_crl_uris_from_proposals(proposals: &[Proposal]) -> CryptoResult> { +pub(crate) fn extract_crl_uris_from_proposals(proposals: &[Proposal]) -> CryptoResult> { proposals .iter() .filter_map(|p| match p { @@ -19,22 +21,22 @@ pub(crate) fn extract_crl_uris_from_proposals(proposals: &[Proposal]) -> CryptoR MlsCredentialType::X509(cert) => Some(cert), _ => None, }) - .try_fold(vec![], |mut acc, c| { + .try_fold(HashSet::new(), |mut acc, c| { acc.extend(extract_dp(c)?); CryptoResult::Ok(acc) }) } -pub(crate) fn extract_crl_uris_from_update_path(commit: &StagedCommit) -> CryptoResult> { +pub(crate) fn extract_crl_uris_from_update_path(commit: &StagedCommit) -> CryptoResult> { if let Some(update_path) = commit.get_update_path_leaf_node() { if let MlsCredentialType::X509(cert) = update_path.credential().mls_credential() { return extract_dp(cert); } } - Ok(vec![]) + Ok(HashSet::new()) } -pub(crate) fn extract_dp(cert: &Certificate) -> CryptoResult> { +pub(crate) fn extract_dp(cert: &Certificate) -> CryptoResult> { Ok(cert .certificates .iter() @@ -52,20 +54,21 @@ pub(crate) fn extract_dp(cert: &Certificate) -> CryptoResult> { pub(crate) async fn get_new_crl_distribution_points( backend: &MlsCryptoProvider, - crl_dps: Vec, -) -> CryptoResult>> { + crl_dps: HashSet, +) -> CryptoResult { if !crl_dps.is_empty() { let stored_crls = backend.key_store().find_all::(Default::default()).await?; - let stored_crl_dps: Vec<&str> = stored_crls.iter().map(|crl| crl.distribution_point.as_str()).collect(); + let stored_crl_dps: HashSet<&str> = stored_crls.iter().map(|crl| crl.distribution_point.as_str()).collect(); Ok(Some( crl_dps .into_iter() .filter(|dp| stored_crl_dps.contains(&dp.as_str())) .collect(), - )) + ) + .into()) } else { - Ok(None) + Ok(None.into()) } } @@ -75,17 +78,17 @@ impl MlsCentral { pub(crate) async fn extract_dp_on_init( &mut self, certificate_chain: &[Vec], - ) -> CryptoResult>> { + ) -> CryptoResult { use x509_cert::der::Decode as _; // Own intermediates are not provided by smallstep in the /federation endpoint so we got to intercept them here, at issuance let size = certificate_chain.len(); - let mut crl_new_distribution_points = vec![]; + let mut crl_new_distribution_points = HashSet::new(); if size > 1 { for int in certificate_chain.iter().skip(1).rev() { - let crl_dp = self.e2ei_register_intermediate_ca_der(int).await?; - if let Some(mut crl_dp) = crl_dp { - crl_new_distribution_points.append(&mut crl_dp); + let mut crl_dp = self.e2ei_register_intermediate_ca_der(int).await?; + if let Some(crl_dp) = crl_dp.take() { + crl_new_distribution_points.extend(crl_dp); } } } @@ -93,17 +96,16 @@ impl MlsCentral { let ee = certificate_chain.first().ok_or(CryptoError::InvalidCertificateChain)?; let ee = x509_cert::Certificate::from_der(ee)?; - let ee_crl_dp = extract_crl_uris(&ee) - .map_err(|e| CryptoError::E2eiError(e.into()))? - .map(|s| s.into_iter().collect()); - if let Some(mut crl_dp) = ee_crl_dp { - crl_new_distribution_points.append(&mut crl_dp); + let mut ee_crl_dp = extract_crl_uris(&ee).map_err(|e| CryptoError::E2eiError(e.into()))?; + if let Some(crl_dp) = ee_crl_dp.take() { + crl_new_distribution_points.extend(crl_dp); } let crl_new_distribution_points = if !crl_new_distribution_points.is_empty() { Some(crl_new_distribution_points) } else { None - }; + } + .into(); Ok(crl_new_distribution_points) } diff --git a/crypto/src/mls/external_commit.rs b/crypto/src/mls/external_commit.rs index e4f03000b1..55f6f43465 100644 --- a/crypto/src/mls/external_commit.rs +++ b/crypto/src/mls/external_commit.rs @@ -26,6 +26,7 @@ use core_crypto_keystore::{ CryptoKeystoreMls, }; +use crate::e2e_identity::init_certificates::NewCrlDistributionPoint; use crate::{ e2e_identity::conversation_state::compute_state, group_store::GroupStoreValue, @@ -47,7 +48,7 @@ pub struct MlsConversationInitBundle { /// `GroupInfo` which becomes valid when the external commit is accepted by the Delivery Service pub group_info: MlsGroupInfoBundle, /// New CRL distribution points that appeared by the introduction of a new credential - pub crl_new_distribution_points: Option>, + pub crl_new_distribution_points: NewCrlDistributionPoint, } impl MlsConversationInitBundle { @@ -55,7 +56,7 @@ impl MlsConversationInitBundle { /// 0 -> external commit /// 1 -> public group state #[allow(clippy::type_complexity)] - pub fn to_bytes(self) -> CryptoResult<(Vec, MlsGroupInfoBundle, Option>)> { + pub fn to_bytes(self) -> CryptoResult<(Vec, MlsGroupInfoBundle, NewCrlDistributionPoint)> { let commit = self.commit.tls_serialize_detached().map_err(MlsError::from)?; Ok((commit, self.group_info, self.crl_new_distribution_points)) } @@ -129,7 +130,8 @@ impl MlsCentral { let crl_new_distribution_points = match cb.credential.mls_credential() { openmls::prelude::MlsCredentialType::X509(cert) => Some(extract_dp(cert)?), _ => None, - }; + } + .into(); self.mls_backend .key_store() diff --git a/crypto/src/test_utils/x509.rs b/crypto/src/test_utils/x509.rs index c3d76b05a8..38bdba3152 100644 --- a/crypto/src/test_utils/x509.rs +++ b/crypto/src/test_utils/x509.rs @@ -232,17 +232,13 @@ impl X509TestChain { let revoked_serial_numbers: Vec> = actors .iter() - .filter_map(|actor| { - actor.is_revoked.then(|| { - actor + .filter(|&actor| actor.is_revoked).map(|actor| actor .certificate .certificate .tbs_certificate .serial_number .as_bytes() - .into() - }) - }) + .into()) .collect(); let local_crl_dp = local_intermediate.crl_dps.first().unwrap().clone();