fix!: Internal API changes to allow plugging credential validation
OtaK committed Jan 30, 2024
1 parent d02106b commit 0461483
Showing 15 changed files with 53 additions and 56 deletions.
6 changes: 3 additions & 3 deletions openmls/src/framing/mls_auth_content_in.rs
Expand Up @@ -9,7 +9,7 @@
use std::io::Read;

use openmls_traits::{crypto::OpenMlsCrypto, types::Ciphersuite};
use openmls_traits::{types::Ciphersuite, OpenMlsCryptoProvider};
use tls_codec::Serialize as TlsSerializeTrait;

use super::{mls_auth_content::*, mls_content_in::*, *};
Expand Down Expand Up @@ -50,7 +50,7 @@ impl AuthenticatedContentIn {
pub fn validate(
self,
ciphersuite: Ciphersuite,
crypto: &impl OpenMlsCrypto,
backend: &impl OpenMlsCryptoProvider,
sender_context: Option<SenderContext>,
protocol_version: ProtocolVersion,
group: &PublicGroup,
Expand All @@ -59,7 +59,7 @@ impl AuthenticatedContentIn {
wire_format: self.wire_format,
content: self.content.validate(
ciphersuite,
crypto,
backend,
sender_context,
protocol_version,
group,
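Review bot: `AuthenticatedContentIn::validate` is a `pub fn` whose `backend` parameter now hands over the whole `OpenMlsCryptoProvider` where the old `crypto` parameter handed over only the crypto primitives, and nothing in this section documents why. The visible body only forwards `backend` to `self.content.validate`; the same widening appears on `FramedContentIn::validate`, `FramedContentBodyIn::validate`, `CommitIn::validate` and the three `KeyPackageIn` validators, and every leaf use shown on this page is still `backend.crypto()`. I would add a doc line to each public validator along the lines of `/// backend: full provider, so credential validation can be plugged in; signature checks use only backend.crypto()`, so that provider implementers know which parts of their backend the validation of untrusted messages may reach. The function starts and ends outside the visible hunks.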
12 changes: 6 additions & 6 deletions openmls/src/framing/mls_content_in.rs
Expand Up @@ -19,7 +19,7 @@ use super::{
};

use crate::prelude::PublicGroup;
use openmls_traits::{crypto::OpenMlsCrypto, types::Ciphersuite};
use openmls_traits::{types::Ciphersuite, OpenMlsCryptoProvider};
use serde::{Deserialize, Serialize};
use tls_codec::{
Deserialize as TlsDeserializeTrait, Serialize as TlsSerializeTrait, Size, TlsDeserialize,
Expand Down Expand Up @@ -53,7 +53,7 @@ impl FramedContentIn {
pub fn validate(
self,
ciphersuite: Ciphersuite,
crypto: &impl OpenMlsCrypto,
backend: &impl OpenMlsCryptoProvider,
sender_context: Option<SenderContext>,
protocol_version: ProtocolVersion,
group: &PublicGroup,
Expand All @@ -65,7 +65,7 @@ impl FramedContentIn {
authenticated_data: self.authenticated_data,
body: self.body.validate(
ciphersuite,
crypto,
backend,
sender_context,
protocol_version,
group,
Expand Down Expand Up @@ -138,7 +138,7 @@ impl FramedContentBodyIn {
pub fn validate(
self,
ciphersuite: Ciphersuite,
crypto: &impl OpenMlsCrypto,
backend: &impl OpenMlsCryptoProvider,
sender_context: Option<SenderContext>,
protocol_version: ProtocolVersion,
group: &PublicGroup,
Expand All @@ -147,7 +147,7 @@ impl FramedContentBodyIn {
FramedContentBodyIn::Application(bytes) => FramedContentBody::Application(bytes),
FramedContentBodyIn::Proposal(proposal_in) => {
FramedContentBody::Proposal(proposal_in.validate(
crypto,
backend,
ciphersuite,
sender_context,
protocol_version,
Expand All @@ -159,7 +159,7 @@ impl FramedContentBodyIn {
.ok_or(LibraryError::custom("Forgot the commit sender context"))?;
FramedContentBody::Commit(commit_in.validate(
ciphersuite,
crypto,
backend,
sender_context,
protocol_version,
group,
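Review bot: The argument order is inconsistent among the validators called in this file: in `FramedContentBodyIn::validate`, `proposal_in.validate(backend, ciphersuite, ...)` takes the provider first, while `commit_in.validate(ciphersuite, backend, ...)` and `self.body.validate(ciphersuite, backend, ...)` take it second. Since the commit already breaks these signatures, this is the cheap moment to settle on one order, for example provider first everywhere, as `KeyPackageIn::validate` has it. The two types differ, so a swapped call would not compile, which makes this a readability point rather than a correctness one. The bodies of these functions continue outside the visible hunks.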
11 changes: 5 additions & 6 deletions openmls/src/framing/validation.rs
Expand Up @@ -24,7 +24,6 @@
// TODO #106/#151: Update the above diagram

use openmls_traits::{
crypto::OpenMlsCrypto,
types::{Ciphersuite, CryptoError},
OpenMlsCryptoProvider,
};
Expand Down Expand Up @@ -276,14 +275,14 @@ impl UnverifiedMessage {
pub(crate) fn verify(
self,
ciphersuite: Ciphersuite,
crypto: &impl OpenMlsCrypto,
backend: &impl OpenMlsCryptoProvider,
protocol_version: ProtocolVersion,
group: &PublicGroup,
) -> Result<(AuthenticatedContent, Credential), ProcessMessageError> {
let content: AuthenticatedContentIn = match self.credential.mls_credential() {
MlsCredentialType::Basic(_) => self
.verifiable_content
.verify(crypto, &self.sender_pk)
.verify(backend.crypto(), &self.sender_pk)
.map_err(|_| ProcessMessageError::InvalidSignature)?,
MlsCredentialType::X509(certificate_chain) => {
certificate_chain
Expand All @@ -300,7 +299,7 @@ impl UnverifiedMessage {
child_cert.is_valid()?;

// verify that child is signed by parent
child_cert.is_signed_by(crypto, parent_cert)?;
child_cert.is_signed_by(backend.crypto(), parent_cert)?;

Ok((parent_idx, parent_cert))
},
Expand All @@ -312,13 +311,13 @@ impl UnverifiedMessage {
})??;
self.verifiable_content
// sender pk should be the leaf certificate
.verify(crypto, &self.sender_pk)
.verify(backend.crypto(), &self.sender_pk)
.map_err(|_| ProcessMessageError::InvalidSignature)?
}
};
let content = content.validate(
ciphersuite,
crypto,
backend,
self.sender_context,
protocol_version,
group,
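Review bot: In the `MlsCredentialType::X509` arm of `UnverifiedMessage::verify`, the content signature is checked against `self.sender_pk`, and the only thing tying that key to the chain just walked is the comment `// sender pk should be the leaf certificate`. The visible lines check each `child_cert` with `is_valid()` and `is_signed_by(backend.crypto(), parent_cert)`, but show neither a comparison of `sender_pk` with the leaf certificate's key nor a check that the top of the chain is a trusted anchor; both may happen outside these hunks, or be what the pluggable credential validation is meant to supply. Now that the full `backend` is available here, I would either call that validation in this arm or replace the comment with one naming where the binding is enforced, e.g. `// sender_pk is taken from the leaf certificate at <location>; chain trust is decided by <credential validation hook>`, with the placeholders filled in from the actual code. If neither check exists elsewhere, a well-formed chain from an arbitrary issuer would satisfy the checks shown here, so this should be confirmed before relying on the X509 path.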
2 changes: 1 addition & 1 deletion openmls/src/group/core_group/new_from_welcome.rs
Expand Up @@ -154,7 +154,7 @@ impl CoreGroup {
)?;

KeyPackageIn::from(key_package.clone()).validate(
backend.crypto(),
backend,
ProtocolVersion::Mls10,
&public_group,
)?;
2 changes: 1 addition & 1 deletion openmls/src/group/core_group/process.rs
Expand Up @@ -51,7 +51,7 @@ impl CoreGroup {
// - ValSem246 (as part of ValSem010)
let (content, credential) = unverified_message.verify(
self.ciphersuite(),
backend.crypto(),
backend,
self.version(),
self.public_group(),
)?;
4 changes: 2 additions & 2 deletions openmls/src/group/core_group/test_proposals.rs
Expand Up @@ -50,7 +50,7 @@ async fn proposal_queue_functions(ciphersuite: Ciphersuite, backend: &impl OpenM
let kpi = KeyPackageIn::from(alice_update_key_package.clone());

assert!(kpi
.standalone_validate(backend.crypto(), ProtocolVersion::Mls10)
.standalone_validate(backend, ProtocolVersion::Mls10)
.is_ok());

let group_context = GroupContext::new(
Expand Down Expand Up @@ -196,7 +196,7 @@ async fn proposal_queue_order(ciphersuite: Ciphersuite, backend: &impl OpenMlsCr
let kpi = KeyPackageIn::from(alice_update_key_package.clone());

assert!(kpi
.standalone_validate(backend.crypto(), ProtocolVersion::Mls10)
.standalone_validate(backend, ProtocolVersion::Mls10)
.is_ok());

let group_context = GroupContext::new(
2 changes: 1 addition & 1 deletion openmls/src/group/mls_group/membership.rs
Expand Up @@ -49,7 +49,7 @@ impl MlsGroup {
.into_iter()
.map(|key_package| {
let key_package = key_package.validate(
backend.crypto(),
backend,
ProtocolVersion::Mls10,
self.group().public_group(),
)?;
4 changes: 2 additions & 2 deletions openmls/src/group/mls_group/proposal.rs
Expand Up @@ -106,7 +106,7 @@ impl MlsGroup {
self.is_operational()?;

let key_package = joiner_key_package.validate(
backend.crypto(),
backend,
ProtocolVersion::Mls10,
self.group().public_group(),
)?;
Expand Down Expand Up @@ -249,7 +249,7 @@ impl MlsGroup {
self.is_operational()?;

let key_package = joiner_key_package.validate(
backend.crypto(),
backend,
ProtocolVersion::Mls10,
self.group().public_group(),
)?;
8 changes: 2 additions & 6 deletions openmls/src/group/public_group/process.rs
Expand Up @@ -203,12 +203,8 @@ impl PublicGroup {
// Checks the following semantic validation:
// - ValSem010
// - ValSem246 (as part of ValSem010)
let (content, credential) = unverified_message.verify(
self.ciphersuite(),
backend.crypto(),
self.version(),
group,
)?;
let (content, credential) =
unverified_message.verify(self.ciphersuite(), backend, self.version(), group)?;

match content.sender() {
Sender::Member(_) | Sender::NewMemberCommit | Sender::NewMemberProposal => {
2 changes: 1 addition & 1 deletion openmls/src/group/tests/test_proposal_validation.rs
Expand Up @@ -1084,7 +1084,7 @@ async fn test_valsem105(ciphersuite: Ciphersuite, backend: &impl OpenMlsCryptoPr
.await;

let kpi: KeyPackageIn = charlie_key_package.clone().into();
kpi.standalone_validate(backend.crypto(), ProtocolVersion::Mls10)
kpi.standalone_validate(backend, ProtocolVersion::Mls10)
.unwrap();

// Let's just pick a ciphersuite that's not the one we're testing right now.
18 changes: 9 additions & 9 deletions openmls/src/key_packages/key_package_in.rs
Expand Up @@ -12,7 +12,7 @@ use crate::{
},
versions::ProtocolVersion,
};
use openmls_traits::{crypto::OpenMlsCrypto, types::Ciphersuite};
use openmls_traits::{types::Ciphersuite, OpenMlsCryptoProvider};
use serde::{Deserialize, Serialize};
use tls_codec::{Serialize as TlsSerializeTrait, TlsDeserialize, TlsSerialize, TlsSize};

Expand Down Expand Up @@ -116,25 +116,25 @@ impl KeyPackageIn {
/// [`KeyPackageVerifyError`] otherwise.
pub fn validate(
self,
crypto: &impl OpenMlsCrypto,
backend: &impl OpenMlsCryptoProvider,
protocol_version: ProtocolVersion,
group: &PublicGroup,
) -> Result<KeyPackage, KeyPackageVerifyError> {
self._validate(crypto, protocol_version, Some(group))
self._validate(backend, protocol_version, Some(group))
}

/// Verify that this key package is valid disregarding the group it is supposed to be used with.
pub fn standalone_validate(
self,
crypto: &impl OpenMlsCrypto,
backend: &impl OpenMlsCryptoProvider,
protocol_version: ProtocolVersion,
) -> Result<KeyPackage, KeyPackageVerifyError> {
self._validate(crypto, protocol_version, None)
self._validate(backend, protocol_version, None)
}

fn _validate(
self,
crypto: &impl OpenMlsCrypto,
backend: &impl OpenMlsCryptoProvider,
protocol_version: ProtocolVersion,
group: Option<&PublicGroup>,
) -> Result<KeyPackage, KeyPackageVerifyError> {
Expand All @@ -154,9 +154,9 @@ impl KeyPackageIn {
let leaf_node = match verifiable_leaf_node {
VerifiableLeafNode::KeyPackage(leaf_node) => {
if let Some(group) = group {
leaf_node.validate(group, crypto)?
leaf_node.validate(group, backend.crypto())?
} else {
leaf_node.standalone_validate(crypto, signature_scheme)?
leaf_node.standalone_validate(backend.crypto(), signature_scheme)?
}
}
_ => return Err(KeyPackageVerifyError::InvalidLeafNodeSourceType),
Expand All @@ -174,7 +174,7 @@ impl KeyPackageIn {

// Verify the KeyPackage signature
let key_package = VerifiableKeyPackage::new(self.payload.into(), self.signature)
.verify::<KeyPackage>(crypto, signature_key)
.verify::<KeyPackage>(backend.crypto(), signature_key)
.map_err(|_| KeyPackageVerifyError::InvalidSignature)?;

// Extension included in the extensions or leaf_node.extensions fields
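Review bot: The doc comment on `standalone_validate` says only that the group is disregarded, not which checks are lost, and `_validate` shows the difference: with `group == None` the leaf node goes through `leaf_node.standalone_validate(backend.crypto(), signature_scheme)` instead of `leaf_node.validate(group, backend.crypto())`. With credential validation about to become pluggable through `backend`, the doc should also say whether the standalone path is expected to invoke it. I would extend the comment to something like `/// Skips all group-dependent checks; a key package accepted here must still pass validate() before it is added to a group.`, after confirming that this matches the intended contract. `_validate` continues outside the visible hunks.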
8 changes: 4 additions & 4 deletions openmls/src/key_packages/test_key_packages.rs
Expand Up @@ -47,7 +47,7 @@ async fn generate_key_package(ciphersuite: Ciphersuite, backend: &impl OpenMlsCr

let kpi = KeyPackageIn::from(key_package);
assert!(kpi
.standalone_validate(backend.crypto(), ProtocolVersion::Mls10)
.standalone_validate(backend, ProtocolVersion::Mls10)
.is_ok());
}

Expand Down Expand Up @@ -100,7 +100,7 @@ async fn application_id_extension(ciphersuite: Ciphersuite, backend: &impl OpenM

let kpi = KeyPackageIn::from(key_package.clone());
assert!(kpi
.standalone_validate(backend.crypto(), ProtocolVersion::Mls10)
.standalone_validate(backend, ProtocolVersion::Mls10)
.is_ok());

// Check ID
Expand Down Expand Up @@ -136,7 +136,7 @@ async fn key_package_validation(ciphersuite: Ciphersuite, backend: &impl OpenMls
let kpi = KeyPackageIn::tls_deserialize(&mut encoded.as_slice()).unwrap();

let err = kpi
.standalone_validate(backend.crypto(), ProtocolVersion::Mls10)
.standalone_validate(backend, ProtocolVersion::Mls10)
.unwrap_err();
// Expect an invalid protocol version error
assert_eq!(err, KeyPackageVerifyError::InvalidProtocolVersion);
Expand All @@ -155,7 +155,7 @@ async fn key_package_validation(ciphersuite: Ciphersuite, backend: &impl OpenMls
let kpi = KeyPackageIn::tls_deserialize(&mut encoded.as_slice()).unwrap();

let err = kpi
.standalone_validate(backend.crypto(), ProtocolVersion::Mls10)
.standalone_validate(backend, ProtocolVersion::Mls10)
.unwrap_err();
// Expect an invalid init/encryption key error
assert_eq!(err, KeyPackageVerifyError::InitKeyEqualsEncryptionKey);
6 changes: 3 additions & 3 deletions openmls/src/messages/mod.rs
Expand Up @@ -192,15 +192,15 @@ impl CommitIn {
pub fn validate(
self,
ciphersuite: Ciphersuite,
crypto: &impl OpenMlsCrypto,
backend: &impl OpenMlsCryptoProvider,
sender_context: SenderContext,
protocol_version: ProtocolVersion,
group: &PublicGroup,
) -> Result<Commit, ValidationError> {
let proposals = self
.proposals
.into_iter()
.map(|p| p.validate(crypto, ciphersuite, protocol_version, group))
.map(|p| p.validate(backend, ciphersuite, protocol_version, group))
.collect::<Result<Vec<_>, _>>()?;

let path = if let Some(path) = self.path {
Expand Down Expand Up @@ -234,7 +234,7 @@ impl CommitIn {
TreePosition::new(group_id, new_leaf_index)
}
};
Some(path.into_verified(crypto, tree_position, group)?)
Some(path.into_verified(backend.crypto(), tree_position, group)?)
} else {
None
};