diff --git a/openmls/src/framing/mls_auth_content_in.rs b/openmls/src/framing/mls_auth_content_in.rs index 214a618352..1492e64bd1 100644 --- a/openmls/src/framing/mls_auth_content_in.rs +++ b/openmls/src/framing/mls_auth_content_in.rs @@ -9,7 +9,7 @@ use std::io::Read; -use openmls_traits::{crypto::OpenMlsCrypto, types::Ciphersuite}; +use openmls_traits::{types::Ciphersuite, OpenMlsCryptoProvider}; use tls_codec::Serialize as TlsSerializeTrait; use super::{mls_auth_content::*, mls_content_in::*, *}; @@ -50,7 +50,7 @@ impl AuthenticatedContentIn { pub fn validate( self, ciphersuite: Ciphersuite, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, sender_context: Option, protocol_version: ProtocolVersion, group: &PublicGroup, @@ -59,7 +59,7 @@ impl AuthenticatedContentIn { wire_format: self.wire_format, content: self.content.validate( ciphersuite, - crypto, + backend, sender_context, protocol_version, group, diff --git a/openmls/src/framing/mls_content_in.rs b/openmls/src/framing/mls_content_in.rs index dce5797e9b..22c06115d6 100644 --- a/openmls/src/framing/mls_content_in.rs +++ b/openmls/src/framing/mls_content_in.rs @@ -19,7 +19,7 @@ use super::{ }; use crate::prelude::PublicGroup; -use openmls_traits::{crypto::OpenMlsCrypto, types::Ciphersuite}; +use openmls_traits::{types::Ciphersuite, OpenMlsCryptoProvider}; use serde::{Deserialize, Serialize}; use tls_codec::{ Deserialize as TlsDeserializeTrait, Serialize as TlsSerializeTrait, Size, TlsDeserialize, @@ -53,7 +53,7 @@ impl FramedContentIn { pub fn validate( self, ciphersuite: Ciphersuite, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, sender_context: Option, protocol_version: ProtocolVersion, group: &PublicGroup, @@ -65,7 +65,7 @@ impl FramedContentIn { authenticated_data: self.authenticated_data, body: self.body.validate( ciphersuite, - crypto, + backend, sender_context, protocol_version, group, @@ -138,7 +138,7 @@ impl FramedContentBodyIn { pub fn validate( self, ciphersuite: Ciphersuite, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, sender_context: Option, protocol_version: ProtocolVersion, group: &PublicGroup, @@ -147,7 +147,7 @@ impl FramedContentBodyIn { FramedContentBodyIn::Application(bytes) => FramedContentBody::Application(bytes), FramedContentBodyIn::Proposal(proposal_in) => { FramedContentBody::Proposal(proposal_in.validate( - crypto, + backend, ciphersuite, sender_context, protocol_version, @@ -159,7 +159,7 @@ impl FramedContentBodyIn { .ok_or(LibraryError::custom("Forgot the commit sender context"))?; FramedContentBody::Commit(commit_in.validate( ciphersuite, - crypto, + backend, sender_context, protocol_version, group, diff --git a/openmls/src/framing/validation.rs b/openmls/src/framing/validation.rs index 92098e304d..c6b1b73e08 100644 --- a/openmls/src/framing/validation.rs +++ b/openmls/src/framing/validation.rs @@ -24,7 +24,6 @@ // TODO #106/#151: Update the above diagram use openmls_traits::{ - crypto::OpenMlsCrypto, types::{Ciphersuite, CryptoError}, OpenMlsCryptoProvider, }; @@ -276,14 +275,14 @@ impl UnverifiedMessage { pub(crate) fn verify( self, ciphersuite: Ciphersuite, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, protocol_version: ProtocolVersion, group: &PublicGroup, ) -> Result<(AuthenticatedContent, Credential), ProcessMessageError> { let content: AuthenticatedContentIn = match self.credential.mls_credential() { MlsCredentialType::Basic(_) => self .verifiable_content - .verify(crypto, &self.sender_pk) + .verify(backend.crypto(), &self.sender_pk) .map_err(|_| ProcessMessageError::InvalidSignature)?, MlsCredentialType::X509(certificate_chain) => { certificate_chain @@ -300,7 +299,7 @@ impl UnverifiedMessage { child_cert.is_valid()?; // verify that child is signed by parent - child_cert.is_signed_by(crypto, parent_cert)?; + child_cert.is_signed_by(backend.crypto(), parent_cert)?; Ok((parent_idx, parent_cert)) }, @@ -312,13 +311,13 @@ impl UnverifiedMessage { })??; self.verifiable_content // sender pk should be the leaf certificate - .verify(crypto, &self.sender_pk) + .verify(backend.crypto(), &self.sender_pk) .map_err(|_| ProcessMessageError::InvalidSignature)? } }; let content = content.validate( ciphersuite, - crypto, + backend, self.sender_context, protocol_version, group, diff --git a/openmls/src/group/core_group/new_from_welcome.rs b/openmls/src/group/core_group/new_from_welcome.rs index e4cf491058..ce6fc6481e 100644 --- a/openmls/src/group/core_group/new_from_welcome.rs +++ b/openmls/src/group/core_group/new_from_welcome.rs @@ -154,7 +154,7 @@ impl CoreGroup { )?; KeyPackageIn::from(key_package.clone()).validate( - backend.crypto(), + backend, ProtocolVersion::Mls10, &public_group, )?; diff --git a/openmls/src/group/core_group/process.rs b/openmls/src/group/core_group/process.rs index fd27c82340..ab54f56db4 100644 --- a/openmls/src/group/core_group/process.rs +++ b/openmls/src/group/core_group/process.rs @@ -51,7 +51,7 @@ impl CoreGroup { // - ValSem246 (as part of ValSem010) let (content, credential) = unverified_message.verify( self.ciphersuite(), - backend.crypto(), + backend, self.version(), self.public_group(), )?; diff --git a/openmls/src/group/core_group/test_proposals.rs b/openmls/src/group/core_group/test_proposals.rs index de3515b50e..d68959685f 100644 --- a/openmls/src/group/core_group/test_proposals.rs +++ b/openmls/src/group/core_group/test_proposals.rs @@ -50,7 +50,7 @@ async fn proposal_queue_functions(ciphersuite: Ciphersuite, backend: &impl OpenM let kpi = KeyPackageIn::from(alice_update_key_package.clone()); assert!(kpi - .standalone_validate(backend.crypto(), ProtocolVersion::Mls10) + .standalone_validate(backend, ProtocolVersion::Mls10) .is_ok()); let group_context = GroupContext::new( @@ -196,7 +196,7 @@ async fn proposal_queue_order(ciphersuite: Ciphersuite, backend: &impl OpenMlsCr let kpi = KeyPackageIn::from(alice_update_key_package.clone()); assert!(kpi - .standalone_validate(backend.crypto(), ProtocolVersion::Mls10) + .standalone_validate(backend, ProtocolVersion::Mls10) .is_ok()); let group_context = GroupContext::new( diff --git a/openmls/src/group/mls_group/membership.rs b/openmls/src/group/mls_group/membership.rs index 832c5b478a..a4ab72f9dd 100644 --- a/openmls/src/group/mls_group/membership.rs +++ b/openmls/src/group/mls_group/membership.rs @@ -49,7 +49,7 @@ impl MlsGroup { .into_iter() .map(|key_package| { let key_package = key_package.validate( - backend.crypto(), + backend, ProtocolVersion::Mls10, self.group().public_group(), )?; diff --git a/openmls/src/group/mls_group/proposal.rs b/openmls/src/group/mls_group/proposal.rs index 1f66126eaa..d895d547f5 100644 --- a/openmls/src/group/mls_group/proposal.rs +++ b/openmls/src/group/mls_group/proposal.rs @@ -106,7 +106,7 @@ impl MlsGroup { self.is_operational()?; let key_package = joiner_key_package.validate( - backend.crypto(), + backend, ProtocolVersion::Mls10, self.group().public_group(), )?; @@ -249,7 +249,7 @@ impl MlsGroup { self.is_operational()?; let key_package = joiner_key_package.validate( - backend.crypto(), + backend, ProtocolVersion::Mls10, self.group().public_group(), )?; diff --git a/openmls/src/group/public_group/process.rs b/openmls/src/group/public_group/process.rs index 518f28820b..0892be8f70 100644 --- a/openmls/src/group/public_group/process.rs +++ b/openmls/src/group/public_group/process.rs @@ -203,12 +203,8 @@ impl PublicGroup { // Checks the following semantic validation: // - ValSem010 // - ValSem246 (as part of ValSem010) - let (content, credential) = unverified_message.verify( - self.ciphersuite(), - backend.crypto(), - self.version(), - group, - )?; + let (content, credential) = + unverified_message.verify(self.ciphersuite(), backend, self.version(), group)?; match content.sender() { Sender::Member(_) | Sender::NewMemberCommit | Sender::NewMemberProposal => { diff --git a/openmls/src/group/tests/test_proposal_validation.rs b/openmls/src/group/tests/test_proposal_validation.rs index b2cff815d4..3865f1c11b 100644 --- a/openmls/src/group/tests/test_proposal_validation.rs +++ b/openmls/src/group/tests/test_proposal_validation.rs @@ -1084,7 +1084,7 @@ async fn test_valsem105(ciphersuite: Ciphersuite, backend: &impl OpenMlsCryptoPr .await; let kpi: KeyPackageIn = charlie_key_package.clone().into(); - kpi.standalone_validate(backend.crypto(), ProtocolVersion::Mls10) + kpi.standalone_validate(backend, ProtocolVersion::Mls10) .unwrap(); // Let's just pick a ciphersuite that's not the one we're testing right now. diff --git a/openmls/src/key_packages/key_package_in.rs b/openmls/src/key_packages/key_package_in.rs index 2bc20f3526..9b35d95be4 100644 --- a/openmls/src/key_packages/key_package_in.rs +++ b/openmls/src/key_packages/key_package_in.rs @@ -12,7 +12,7 @@ use crate::{ }, versions::ProtocolVersion, }; -use openmls_traits::{crypto::OpenMlsCrypto, types::Ciphersuite}; +use openmls_traits::{types::Ciphersuite, OpenMlsCryptoProvider}; use serde::{Deserialize, Serialize}; use tls_codec::{Serialize as TlsSerializeTrait, TlsDeserialize, TlsSerialize, TlsSize}; @@ -116,25 +116,25 @@ impl KeyPackageIn { /// [`KeyPackageVerifyError`] otherwise. pub fn validate( self, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, protocol_version: ProtocolVersion, group: &PublicGroup, ) -> Result { - self._validate(crypto, protocol_version, Some(group)) + self._validate(backend, protocol_version, Some(group)) } /// Verify that this key package is valid disregarding the group it is supposed to be used with. pub fn standalone_validate( self, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, protocol_version: ProtocolVersion, ) -> Result { - self._validate(crypto, protocol_version, None) + self._validate(backend, protocol_version, None) } fn _validate( self, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, protocol_version: ProtocolVersion, group: Option<&PublicGroup>, ) -> Result { @@ -154,9 +154,9 @@ impl KeyPackageIn { let leaf_node = match verifiable_leaf_node { VerifiableLeafNode::KeyPackage(leaf_node) => { if let Some(group) = group { - leaf_node.validate(group, crypto)? + leaf_node.validate(group, backend.crypto())? } else { - leaf_node.standalone_validate(crypto, signature_scheme)? + leaf_node.standalone_validate(backend.crypto(), signature_scheme)? } } _ => return Err(KeyPackageVerifyError::InvalidLeafNodeSourceType), @@ -174,7 +174,7 @@ impl KeyPackageIn { // Verify the KeyPackage signature let key_package = VerifiableKeyPackage::new(self.payload.into(), self.signature) - .verify::(crypto, signature_key) + .verify::(backend.crypto(), signature_key) .map_err(|_| KeyPackageVerifyError::InvalidSignature)?; // Extension included in the extensions or leaf_node.extensions fields diff --git a/openmls/src/key_packages/test_key_packages.rs b/openmls/src/key_packages/test_key_packages.rs index 4e733fc6d2..f2458ca8c7 100644 --- a/openmls/src/key_packages/test_key_packages.rs +++ b/openmls/src/key_packages/test_key_packages.rs @@ -47,7 +47,7 @@ async fn generate_key_package(ciphersuite: Ciphersuite, backend: &impl OpenMlsCr let kpi = KeyPackageIn::from(key_package); assert!(kpi - .standalone_validate(backend.crypto(), ProtocolVersion::Mls10) + .standalone_validate(backend, ProtocolVersion::Mls10) .is_ok()); } @@ -100,7 +100,7 @@ async fn application_id_extension(ciphersuite: Ciphersuite, backend: &impl OpenM let kpi = KeyPackageIn::from(key_package.clone()); assert!(kpi - .standalone_validate(backend.crypto(), ProtocolVersion::Mls10) + .standalone_validate(backend, ProtocolVersion::Mls10) .is_ok()); // Check ID @@ -136,7 +136,7 @@ async fn key_package_validation(ciphersuite: Ciphersuite, backend: &impl OpenMls let kpi = KeyPackageIn::tls_deserialize(&mut encoded.as_slice()).unwrap(); let err = kpi - .standalone_validate(backend.crypto(), ProtocolVersion::Mls10) + .standalone_validate(backend, ProtocolVersion::Mls10) .unwrap_err(); // Expect an invalid protocol version error assert_eq!(err, KeyPackageVerifyError::InvalidProtocolVersion); @@ -155,7 +155,7 @@ async fn key_package_validation(ciphersuite: Ciphersuite, backend: &impl OpenMls let kpi = KeyPackageIn::tls_deserialize(&mut encoded.as_slice()).unwrap(); let err = kpi - .standalone_validate(backend.crypto(), ProtocolVersion::Mls10) + .standalone_validate(backend, ProtocolVersion::Mls10) .unwrap_err(); // Expect an invalid init/encryption key error assert_eq!(err, KeyPackageVerifyError::InitKeyEqualsEncryptionKey); diff --git a/openmls/src/messages/mod.rs b/openmls/src/messages/mod.rs index 82cf125dbf..63adb4ac5c 100644 --- a/openmls/src/messages/mod.rs +++ b/openmls/src/messages/mod.rs @@ -192,7 +192,7 @@ impl CommitIn { pub fn validate( self, ciphersuite: Ciphersuite, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, sender_context: SenderContext, protocol_version: ProtocolVersion, group: &PublicGroup, @@ -200,7 +200,7 @@ impl CommitIn { let proposals = self .proposals .into_iter() - .map(|p| p.validate(crypto, ciphersuite, protocol_version, group)) + .map(|p| p.validate(backend, ciphersuite, protocol_version, group)) .collect::, _>>()?; let path = if let Some(path) = self.path { @@ -234,7 +234,7 @@ impl CommitIn { TreePosition::new(group_id, new_leaf_index) } }; - Some(path.into_verified(crypto, tree_position, group)?) + Some(path.into_verified(backend.crypto(), tree_position, group)?) } else { None }; diff --git a/openmls/src/messages/proposals_in.rs b/openmls/src/messages/proposals_in.rs index 4f1d897379..c79d948ff9 100644 --- a/openmls/src/messages/proposals_in.rs +++ b/openmls/src/messages/proposals_in.rs @@ -17,7 +17,7 @@ use crate::{ use crate::prelude::PublicGroup; use crate::treesync::node::validate::ValidatableLeafNode; -use openmls_traits::{crypto::OpenMlsCrypto, types::Ciphersuite}; +use openmls_traits::{crypto::OpenMlsCrypto, types::Ciphersuite, OpenMlsCryptoProvider}; use serde::{Deserialize, Serialize}; use tls_codec::{TlsDeserialize, TlsSerialize, TlsSize}; @@ -97,7 +97,7 @@ impl ProposalIn { /// Returns a [`Proposal`] after successful validation. pub(crate) fn validate( self, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, ciphersuite: Ciphersuite, sender_context: Option, protocol_version: ProtocolVersion, @@ -105,12 +105,12 @@ impl ProposalIn { ) -> Result { Ok(match self { ProposalIn::Add(add) => { - Proposal::Add(add.validate(crypto, protocol_version, ciphersuite, group)?) + Proposal::Add(add.validate(backend, protocol_version, ciphersuite, group)?) } ProposalIn::Update(update) => { let sender_context = sender_context.ok_or(ValidationError::CommitterIncludedOwnUpdate)?; - Proposal::Update(update.validate(crypto, sender_context, group)?) + Proposal::Update(update.validate(backend.crypto(), sender_context, group)?) } ProposalIn::Remove(remove) => Proposal::Remove(remove), ProposalIn::PreSharedKey(psk) => Proposal::PreSharedKey(psk), @@ -149,12 +149,14 @@ impl AddProposalIn { /// Returns a [`AddProposal`] after successful validation. pub(crate) fn validate( self, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, protocol_version: ProtocolVersion, ciphersuite: Ciphersuite, group: &PublicGroup, ) -> Result { - let key_package = self.key_package.validate(crypto, protocol_version, group)?; + let key_package = self + .key_package + .validate(backend, protocol_version, group)?; // Verify that the ciphersuite is valid if key_package.ciphersuite() != ciphersuite { return Err(ValidationError::InvalidAddProposalCiphersuite); @@ -226,14 +228,14 @@ impl ProposalOrRefIn { /// Returns a [`ProposalOrRef`] after successful validation. pub(crate) fn validate( self, - crypto: &impl OpenMlsCrypto, + backend: &impl OpenMlsCryptoProvider, ciphersuite: Ciphersuite, protocol_version: ProtocolVersion, group: &PublicGroup, ) -> Result { Ok(match self { ProposalOrRefIn::Proposal(proposal_in) => ProposalOrRef::Proposal( - proposal_in.validate(crypto, ciphersuite, None, protocol_version, group)?, + proposal_in.validate(backend, ciphersuite, None, protocol_version, group)?, ), ProposalOrRefIn::Reference(reference) => ProposalOrRef::Reference(reference), }) diff --git a/openmls/src/tree/tests_and_kats/kats/kat_message_protection.rs b/openmls/src/tree/tests_and_kats/kats/kat_message_protection.rs index b5980f5c6b..1349a5d8f3 100644 --- a/openmls/src/tree/tests_and_kats/kats/kat_message_protection.rs +++ b/openmls/src/tree/tests_and_kats/kats/kat_message_protection.rs @@ -419,7 +419,7 @@ pub async fn run_test_vector( let processed_message: AuthenticatedContent = processed_unverified_message .verify( ciphersuite, - backend.crypto(), + backend, ProtocolVersion::Mls10, group.public_group(), ) @@ -564,7 +564,7 @@ pub async fn run_test_vector( let processed_message: AuthenticatedContent = processed_unverified_message .verify( ciphersuite, - backend.crypto(), + backend, ProtocolVersion::Mls10, group.public_group(), ) @@ -612,7 +612,7 @@ pub async fn run_test_vector( let processed_message: AuthenticatedContent = processed_unverified_message .verify( ciphersuite, - backend.crypto(), + backend, ProtocolVersion::Mls10, group.public_group(), )