feat!: Add validate credential async callback API

openmls/src/group/core_group/mod.rs

@@ -149,6 +149,7 @@ pub(crate) struct CoreGroupBuilder {
     config: Option<CoreGroupConfig>,
     psk_ids: Vec<PreSharedKeyId>,
     max_past_epochs: usize,
+    authentication_service_delegate: std::sync::Arc<dyn crate::AuthenticationServiceDelegate>,
 }
 
 impl CoreGroupBuilder {
@@ -157,13 +158,15 @@ impl CoreGroupBuilder {
         group_id: GroupId,
         crypto_config: CryptoConfig,
         credential_with_key: CredentialWithKey,
+        authentication_service_delegate: std::sync::Arc<dyn crate::AuthenticationServiceDelegate>,
     ) -> Self {
         let public_group_builder =
             PublicGroup::builder(group_id, crypto_config, credential_with_key);
         Self {
             config: None,
             psk_ids: vec![],
             max_past_epochs: 0,
+            authentication_service_delegate,
             public_group_builder,
         }
     }
@@ -335,8 +338,14 @@ impl CoreGroup {
         group_id: GroupId,
         crypto_config: CryptoConfig,
         credential_with_key: CredentialWithKey,
+        authentication_service_delegate: std::sync::Arc<dyn crate::AuthenticationServiceDelegate>,
     ) -> CoreGroupBuilder {
-        CoreGroupBuilder::new(group_id, crypto_config, credential_with_key)
+        CoreGroupBuilder::new(
+            group_id,
+            crypto_config,
+            credential_with_key,
+            authentication_service_delegate,
+        )
     }
 
     // === Create handshake messages ===

openmls/src/group/mls_group/creation.rs

@@ -26,13 +26,15 @@ impl MlsGroup {
         signer: &impl Signer,
         mls_group_config: &MlsGroupConfig,
         credential_with_key: CredentialWithKey,
+        authentication_service_delegate: std::sync::Arc<dyn crate::AuthenticationServiceDelegate>,
     ) -> Result<Self, NewGroupError<KeyStore::Error>> {
         Self::new_with_group_id(
             backend,
             signer,
             mls_group_config,
             GroupId::random(backend),
             credential_with_key,
+            authentication_service_delegate,
         )
         .await
     }
@@ -44,6 +46,7 @@ impl MlsGroup {
         mls_group_config: &MlsGroupConfig,
         group_id: GroupId,
         credential_with_key: CredentialWithKey,
+        authentication_service_delegate: std::sync::Arc<dyn crate::AuthenticationServiceDelegate>,
     ) -> Result<Self, NewGroupError<KeyStore::Error>> {
         // TODO #751
         let group_config = CoreGroupConfig {
@@ -54,6 +57,7 @@ impl MlsGroup {
             group_id,
             mls_group_config.crypto_config,
             credential_with_key,
+            authentication_service_delegate,
         )
         .with_config(group_config)
         .with_required_capabilities(mls_group_config.required_capabilities.clone())

openmls/src/lib.rs

@@ -185,6 +185,13 @@ pub mod schedule;
 pub mod treesync;
 pub mod versions;
 
+#[async_trait::async_trait]
+pub trait AuthenticationServiceDelegate: std::fmt::Debug + Send + Sync {
+    async fn validate_credential(&self, credential: &credentials::Credential) -> bool;
+}
+
+pub type AuthenticationServiceBoxedDelegate = std::sync::Arc<dyn AuthenticationServiceDelegate>;
+
 // Private
 pub mod binary_tree;
 mod tree;

openmls/src/schedule/kat_key_schedule.rs

@@ -251,13 +251,16 @@ pub fn generate_test_vector(
 // }
 
 #[apply(backends)]
-async fn read_test_vectors_key_schedule(backend: &impl OpenMlsCryptoProvider) {
+async fn read_test_vectors_key_schedule(
+    backend: &impl OpenMlsCryptoProvider,
+    authentication_delegate: crate::AuthenticationServiceBoxedDelegate,
+) {
     let _ = pretty_env_logger::try_init();
 
     let tests: Vec<KeyScheduleTestVector> = read("test_vectors/key-schedule.json");
 
     for test_vector in tests {
-        match run_test_vector(test_vector, backend) {
+        match run_test_vector(test_vector, backend, authentication_delegate.clone()) {
             Ok(_) => {}
             Err(e) => panic!("Error while checking key schedule test vector.\n{e:?}"),
         }
@@ -268,6 +271,7 @@ async fn read_test_vectors_key_schedule(backend: &impl OpenMlsCryptoProvider) {
 pub fn run_test_vector(
     test_vector: KeyScheduleTestVector,
     backend: &impl OpenMlsCryptoProvider,
+    _authentication_delegate: crate::AuthenticationServiceBoxedDelegate,
 ) -> Result<(), KsTestVectorError> {
     let ciphersuite = Ciphersuite::try_from(test_vector.cipher_suite).expect("Invalid ciphersuite");
     log::trace!("  {:?}", test_vector);

openmls/src/test_utils/mod.rs

@@ -28,6 +28,22 @@ use crate::{
 
 pub mod test_framework;
 
+#[derive(Debug)]
+pub struct DummyAuthenticationDelegate;
+
+impl DummyAuthenticationDelegate {
+    pub fn new() -> crate::AuthenticationServiceBoxedDelegate {
+        std::sync::Arc::new(Self)
+    }
+}
+
+#[async_trait::async_trait]
+impl crate::AuthenticationServiceDelegate for DummyAuthenticationDelegate {
+    async fn validate_credential(&self, _credential: &crate::credentials::Credential) -> bool {
+        true
+    }
+}
+
 // pub(crate) fn write(file_name: &str, obj: impl Serialize) {
 //     let mut file = match File::create(file_name) {
 //         Ok(f) => f,
@@ -205,12 +221,16 @@ pub use openmls_rust_crypto::OpenMlsRustCrypto;
 
 #[template]
 #[export]
-#[rstest(backend,
-    case::rust_crypto(&OpenMlsRustCrypto::default()),
+#[rstest(backend, authentication_delegate,
+    case::rust_crypto(&OpenMlsRustCrypto::default(), DummyAuthenticationDelegate::new()),
   )
 ]
 #[allow(non_snake_case)]
-pub async fn backends(backend: &impl OpenMlsCryptoProvider) {}
+pub async fn backends(
+    backend: &impl OpenMlsCryptoProvider,
+    authentication_delegate: AuthenticationServiceBoxedDelegate,
+) {
+}
 
 // === Ciphersuites ===
 
@@ -243,17 +263,18 @@ pub async fn ciphersuites(ciphersuite: Ciphersuite) {}
 
 #[template]
 #[export]
-#[rstest(ciphersuite, backend,
-    case::rust_crypto_MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519(Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519, &OpenMlsRustCrypto::default()),
-    case::rust_crypto_MLS_128_DHKEMP256_AES128GCM_SHA256_P256(Ciphersuite::MLS_128_DHKEMP256_AES128GCM_SHA256_P256, &OpenMlsRustCrypto::default()),
-    case::rust_crypto_MLS_256_DHKEMP384_AES256GCM_SHA384_P384(Ciphersuite::MLS_256_DHKEMP384_AES256GCM_SHA384_P384, &OpenMlsRustCrypto::default()),
-    case::rust_crypto_MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519(Ciphersuite::MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519, &OpenMlsRustCrypto::default()),
-    case::rust_crypto_MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519(Ciphersuite::MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519, &OpenMlsRustCrypto::default()),
+#[rstest(ciphersuite, backend, authentication_delegate,
+    case::rust_crypto_MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519(Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519, &OpenMlsRustCrypto::default(), crate::DummyAuthenticationDelegate::new()),
+    case::rust_crypto_MLS_128_DHKEMP256_AES128GCM_SHA256_P256(Ciphersuite::MLS_128_DHKEMP256_AES128GCM_SHA256_P256, &OpenMlsRustCrypto::default(), crate::DummyAuthenticationDelegate::new()),
+    case::rust_crypto_MLS_256_DHKEMP384_AES256GCM_SHA384_P384(Ciphersuite::MLS_256_DHKEMP384_AES256GCM_SHA384_P384, &OpenMlsRustCrypto::default(), crate::DummyAuthenticationDelegate::new()),
+    case::rust_crypto_MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519(Ciphersuite::MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519, &OpenMlsRustCrypto::default(), crate::DummyAuthenticationDelegate::new()),
+    case::rust_crypto_MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519(Ciphersuite::MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519, &OpenMlsRustCrypto::default(), crate::DummyAuthenticationDelegate::new()),
   )
 ]
 #[allow(non_snake_case)]
 pub async fn ciphersuites_and_backends(
     ciphersuite: Ciphersuite,
     backend: &impl OpenMlsCryptoProvider,
+    authentication_delegate: crate::AuthenticationServiceBoxedDelegate,
 ) {
 }

openmls/src/tree/tests_and_kats/kats/kat_encryption.rs

@@ -167,6 +167,7 @@ async fn generate_credential(
 async fn group(
     ciphersuite: Ciphersuite,
     backend: &impl OpenMlsCryptoProvider,
+    authentication_service_delegate: std::sync::Arc<dyn crate::AuthenticationServiceDelegate>,
 ) -> (CoreGroup, CredentialWithKey, SignatureKeyPair) {
     use crate::group::config::CryptoConfig;
 
@@ -177,6 +178,7 @@ async fn group(
         GroupId::random(backend),
         CryptoConfig::with_default_version(ciphersuite),
         credential_with_key.clone(),
+        authentication_service_delegate,
     )
     .build(backend, &signer)
     .await
@@ -189,6 +191,7 @@ async fn group(
 async fn receiver_group(
     ciphersuite: Ciphersuite,
     backend: &impl OpenMlsCryptoProvider,
+    authentication_service_delegate: crate::AuthenticationServiceBoxedDelegate,
     group_id: GroupId,
 ) -> (CoreGroup, CredentialWithKey, SignatureKeyPair) {
     use crate::group::config::CryptoConfig;
@@ -204,6 +207,7 @@ async fn receiver_group(
         group_id,
         CryptoConfig::with_default_version(ciphersuite),
         credential_with_key.clone(),
+        authentication_service_delegate,
     )
     .build(backend, &signer)
     .await
@@ -328,6 +332,7 @@ pub async fn generate_test_vector(
     n_generations: u32,
     n_leaves: u32,
     ciphersuite: Ciphersuite,
+    authentication_delegate: crate::AuthenticationServiceBoxedDelegate,
 ) -> EncryptionTestVector {
     use crate::binary_tree::array_representation::TreeSize;
 
@@ -358,7 +363,7 @@ pub async fn generate_test_vector(
         nonce: bytes_to_hex(sender_data_nonce.as_slice()),
     };
 
-    let (mut group, _, signer) = group(ciphersuite, &crypto).await;
+    let (mut group, _, signer) = group(ciphersuite, &crypto, authentication_delegate.clone()).await;
     *group.message_secrets_test_mut().sender_data_secret_mut() = SenderDataSecret::from_slice(
         sender_data_secret_bytes,
         ProtocolVersion::default(),
@@ -482,6 +487,7 @@ pub async fn generate_test_vector(
 pub async fn run_test_vector(
     test_vector: EncryptionTestVector,
     backend: &impl OpenMlsCryptoProvider,
+    authentication_delegate: crate::AuthenticationServiceBoxedDelegate,
 ) -> Result<(), EncTestVectorError> {
     use tls_codec::{Deserialize, Serialize};
 
@@ -612,6 +618,7 @@ pub async fn run_test_vector(
             let (mut group, _, _) = receiver_group(
                 ciphersuite,
                 backend,
+                authentication_delegate.clone(),
                 mls_ciphertext_application.group_id().clone(),
             )
             .await;
@@ -767,6 +774,7 @@ pub async fn run_test_vector(
             let (mut group, _, _) = receiver_group(
                 ciphersuite,
                 backend,
+                authentication_delegate.clone(),
                 mls_ciphertext_handshake.group_id().clone(),
             )
             .await;
@@ -822,14 +830,17 @@ pub async fn run_test_vector(
 }
 
 #[apply(backends)]
-async fn read_test_vectors_encryption(backend: &impl OpenMlsCryptoProvider) {
+async fn read_test_vectors_encryption(
+    backend: &impl OpenMlsCryptoProvider,
+    authentication_delegate: crate::AuthenticationServiceBoxedDelegate,
+) {
     let _ = pretty_env_logger::try_init();
     log::debug!("Reading test vectors ...");
 
     let tests: Vec<EncryptionTestVector> = read("test_vectors/kat_encryption_openmls.json");
 
     for test_vector in tests {
-        match run_test_vector(test_vector, backend).await {
+        match run_test_vector(test_vector, backend, authentication_delegate.clone()).await {
             Ok(_) => {}
             Err(e) => panic!("Error while checking encryption test vector.\n{e:?}"),
         }
@@ -847,7 +858,7 @@ async fn read_test_vectors_encryption(backend: &impl OpenMlsCryptoProvider) {
     ];
     for &tv_file in tv_files.iter() {
         let tv: EncryptionTestVector = read(tv_file);
-        run_test_vector(tv, backend)
+        run_test_vector(tv, backend, authentication_delegate.clone())
             .await
             .expect("Error while checking key schedule test vector.");
     }

openmls/src/tree/tests_and_kats/kats/secret_tree.rs

@@ -191,7 +191,10 @@ pub fn run_test_vector(
 }
 
 #[apply(backends)]
-async fn read_test_vectors_st(backend: &impl OpenMlsCryptoProvider) {
+async fn read_test_vectors_st(
+    backend: &impl OpenMlsCryptoProvider,
+    authentication_delegate: crate::AuthenticationServiceBoxedDelegate,
+) {
     let _ = pretty_env_logger::try_init();
     log::debug!("Reading test vectors ...");