feat: Added support for Credential validation

openmls/src/credentials/errors.rs

@@ -26,4 +26,6 @@ pub enum CredentialError {
     /// x509 certificate chain is either unordered or a child is missigned by its issuer
     #[error("Invalid x509 certificate chain.")]
     InvalidCertificateChain,
+    #[error("The Authentication Service callback rejected this credential")]
+    AuthenticationServiceValidationFailure,
 }

openmls/src/credentials/mod.rs

@@ -24,6 +24,9 @@
 
 use std::io::{Read, Write};
 
+use openmls_traits::{
+    authentication_service::AuthenticationServiceDelegate, OpenMlsCryptoProvider,
+};
 use serde::{Deserialize, Serialize};
 use tls_codec::{TlsDeserialize, TlsSerialize, TlsSize, VLBytes};
 
@@ -271,6 +274,50 @@ impl Credential {
             MlsCredentialType::X509(cert) => cert.identity.as_slice(),
         }
     }
+
+    pub async fn validate(
+        &self,
+        backend: &impl OpenMlsCryptoProvider,
+    ) -> Result<(), CredentialError> {
+        let tmp_certs = if let MlsCredentialType::X509(x509_certs) = &self.credential {
+            Some(
+                x509_certs
+                    .certificates
+                    .iter()
+                    .map(|bytes| bytes.as_slice())
+                    .collect::<Vec<_>>(),
+            )
+        } else {
+            None
+        };
+
+        let credential_ref = match &self.credential {
+            MlsCredentialType::Basic(basic_cred) => {
+                openmls_traits::authentication_service::CredentialRef::Basic {
+                    identity: basic_cred.identity.as_slice(),
+                }
+            }
+
+            MlsCredentialType::X509(_) => {
+                let credential_ref = openmls_traits::authentication_service::CredentialRef::X509 {
+                    certificates: tmp_certs.as_ref().unwrap().as_slice(),
+                };
+                credential_ref
+            }
+        };
+
+        if !backend
+            .authentication_service()
+            .validate_credential(credential_ref)
+            .await
+        {
+            return Err(CredentialError::AuthenticationServiceValidationFailure);
+        }
+
+        drop(tmp_certs);
+
+        Ok(())
+    }
 }
 
 impl From<MlsCredentialType> for Credential {

openmls_rust_crypto/Cargo.toml

@@ -10,6 +10,7 @@ repository = "https://github.com/openmls/openmls/tree/main/openmls_rust_crypto"
 readme = "README.md"
 
 [dependencies]
+async-trait = { workspace = true }
 openmls_traits = { version = "0.2.0", path = "../traits" }
 openmls_memory_keystore = { version = "0.2.0", path = "../memory_keystore" }
 # Rust Crypto dependencies

openmls_rust_crypto/src/lib.rs

@@ -9,6 +9,22 @@ use openmls_traits::OpenMlsCryptoProvider;
 mod provider;
 pub use provider::*;
 
+#[derive(Debug)]
+pub struct DummyAuthenticationService;
+
+#[cfg_attr(target_family = "wasm", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_family = "wasm"), async_trait::async_trait)]
+impl openmls_traits::authentication_service::AuthenticationServiceDelegate
+    for DummyAuthenticationService
+{
+    async fn validate_credential<'a>(
+        &'a self,
+        _credential: openmls_traits::authentication_service::CredentialRef<'a>,
+    ) -> bool {
+        true
+    }
+}
+
 #[derive(Default, Debug)]
 pub struct OpenMlsRustCrypto {
     crypto: RustCrypto,
@@ -19,6 +35,7 @@ impl OpenMlsCryptoProvider for OpenMlsRustCrypto {
     type CryptoProvider = RustCrypto;
     type RandProvider = RustCrypto;
     type KeyStoreProvider = MemoryKeyStore;
+    type AuthenticationServiceProvider = DummyAuthenticationService;
 
     fn crypto(&self) -> &Self::CryptoProvider {
         &self.crypto
@@ -31,4 +48,8 @@ impl OpenMlsCryptoProvider for OpenMlsRustCrypto {
     fn key_store(&self) -> &Self::KeyStoreProvider {
         &self.key_store
     }
+
+    fn authentication_service(&self) -> &Self::AuthenticationServiceProvider {
+        &DummyAuthenticationService
+    }
 }

traits/src/authentication_service.rs

@@ -0,0 +1,11 @@
+#[derive(Debug, Clone, Copy, Eq, PartialEq)]
+pub enum CredentialRef<'a> {
+    Basic { identity: &'a [u8] },
+    X509 { certificates: &'a [&'a [u8]] },
+}
+
+#[cfg_attr(target_family = "wasm", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_family = "wasm"), async_trait::async_trait)]
+pub trait AuthenticationServiceDelegate: std::fmt::Debug + Send + Sync {
+    async fn validate_credential<'a>(&'a self, credential: CredentialRef<'a>) -> bool;
+}

traits/src/traits.rs

@@ -3,6 +3,7 @@
 //! This module defines a number of traits that are used by the public
 //! API of OpenMLS.
 
+pub mod authentication_service;
 pub mod crypto;
 pub mod key_store;
 pub mod random;
@@ -17,6 +18,7 @@ pub trait OpenMlsCryptoProvider: Send + Sync {
     type CryptoProvider: crypto::OpenMlsCrypto;
     type RandProvider: random::OpenMlsRand;
     type KeyStoreProvider: key_store::OpenMlsKeyStore;
+    type AuthenticationServiceProvider: authentication_service::AuthenticationServiceDelegate;
 
     /// Get the crypto provider.
     fn crypto(&self) -> &Self::CryptoProvider;
@@ -26,4 +28,7 @@ pub trait OpenMlsCryptoProvider: Send + Sync {
 
     /// Get the key store provider.
     fn key_store(&self) -> &Self::KeyStoreProvider;
+
+    /// Get the authentication service
+    fn authentication_service(&self) -> &Self::AuthenticationServiceProvider;
 }