feat: make public_key the entity id of StoredCredential [WPB-22045]

Cargo.toml

@@ -51,8 +51,9 @@ derive_more = { version = "2.0", features = [
 ] }
 futures-util = "0.3"
 hex = "0.4"
-idb = "0.6"
-indexmap = "2"
+
+# Until devashishdxt/idb#36 is resolved, we're keeping our fork
+idb = { git = "https://github.com/wireapp/idb", rev = "05573e5b29191fdeb442104ad1040346a3889822" }
 itertools = "0.14"
 log = { version = "0.4", features = ["kv_serde"] }
 log-reload = "0.1.3"

crypto/src/e2e_identity/mod.rs

@@ -4,6 +4,7 @@ mod error;
 pub(crate) mod id;
 pub(crate) mod identity;
 mod pki_env;
+pub(crate) use crypto::E2eiSignatureKeypair;
 pub use pki_env::NewCrlDistributionPoints;
 pub(crate) use pki_env::restore_pki_env;
 #[cfg(not(test))]

crypto/src/mls/credential/credential_ref/find.rs

@@ -72,7 +72,7 @@ impl CredentialRef {
             .map_err(KeystoreError::wrap("finding all credentials"))?
             .into_iter()
             .filter(|stored| {
-                client_id.is_none_or(|client_id| client_id.as_ref() == stored.id)
+                client_id.is_none_or(|client_id| client_id.as_ref() == stored.session_id)
                     && earliest_validity.is_none_or(|earliest_validity| earliest_validity == stored.created_at)
                     && ciphersuite.is_none_or(|ciphersuite| u16::from(ciphersuite) == stored.ciphersuite)
                     && public_key.is_none_or(|public_key| public_key == stored.public_key)
@@ -96,7 +96,7 @@ impl CredentialRef {
                 && let Ok(ciphersuite) = stored_credential.ciphersuite.try_into()
             {
                 out.push(Self {
-                    client_id: ClientId(stored_credential.id.clone()),
+                    client_id: ClientId(stored_credential.session_id.clone()),
                     r#type,
                     ciphersuite,
                     earliest_validity: stored_credential.created_at,

crypto/src/mls/credential/credential_ref/persistence.rs

@@ -63,7 +63,7 @@ impl CredentialRef {
             // these are the only checks we can currently do at the DB level: match the client id, creation timestamp,
             // public key and signature scheme
             .filter(|stored_credential|
-                        stored_credential.id == self.client_id().as_slice()
+                        stored_credential.session_id == self.client_id().as_slice()
                         && stored_credential.created_at == self.earliest_validity
                         && stored_credential.public_key == self.public_key
                         && stored_credential.ciphersuite == u16::from(self.ciphersuite)
@@ -73,7 +73,7 @@ impl CredentialRef {
                 let mls_credential = MlsCredential::tls_deserialize(&mut stored_credential.credential.as_slice())
                     .map_err(Error::tls_deserialize("mls credential"))?;
                 let ciphersuite = Ciphersuite::try_from(stored_credential.ciphersuite).map_err(RecursiveError::mls("loading ciphersuite from db"))?;
-                let signature_key_pair = openmls_basic_credential::SignatureKeyPair::from_raw(ciphersuite.signature_algorithm(), stored_credential.secret_key.to_owned(), stored_credential.public_key.to_owned());
+                let signature_key_pair = openmls_basic_credential::SignatureKeyPair::from_raw(ciphersuite.signature_algorithm(), stored_credential.private_key.to_owned(), stored_credential.public_key.to_owned());
                 let credential_type = mls_credential.credential_type().try_into().map_err(RecursiveError::mls_credential("loading credential from db"))?;
                 let earliest_validity = stored_credential.created_at;
                 Ok(Credential {

crypto/src/mls/credential/persistence.rs

@@ -28,11 +28,11 @@ impl Credential {
 
         let stored_credential = database
             .save(StoredCredential {
-                id: self.client_id().to_owned().into_inner(),
+                session_id: self.client_id().to_owned().into_inner(),
                 credential: credential_data,
                 created_at: Default::default(), // updated by the `.save` impl
                 ciphersuite: u16::from(self.ciphersuite),
-                secret_key: self.signature_key_pair.private().to_owned(),
+                private_key: self.signature_key_pair.private().to_owned(),
                 public_key: self.signature_key().public().to_owned(),
             })
             .await
@@ -45,13 +45,8 @@ impl Credential {
 
     /// Delete this credential from the database
     pub(crate) async fn delete(self, database: &Database) -> Result<()> {
-        let credential_data = self
-            .mls_credential
-            .tls_serialize_detached()
-            .map_err(Error::tls_serialize("credential"))?;
-
         database
-            .cred_delete_by_credential(credential_data)
+            .remove::<StoredCredential, _>(self.signature_key_pair.public())
             .await
             .map_err(KeystoreError::wrap("deleting credential"))?;
 

crypto/src/transaction_context/e2e_identity/rotate.rs

@@ -1,14 +1,36 @@
-use openmls_traits::OpenMlsCryptoProvider;
+use openmls_basic_credential::SignatureKeyPair;
+use openmls_traits::{OpenMlsCryptoProvider as _, random::OpenMlsRand as _};
 
 use super::error::{Error, Result};
 use crate::{
-    CertificateBundle, Ciphersuite, Credential, CredentialType, E2eiEnrollment, RecursiveError,
-    e2e_identity::NewCrlDistributionPoints,
+    CertificateBundle, Ciphersuite, Credential, CredentialType, E2eiEnrollment, MlsError, RecursiveError,
+    e2e_identity::{E2eiSignatureKeypair, NewCrlDistributionPoints},
     mls::credential::{ext::CredentialExt, x509::CertificatePrivateKey},
     transaction_context::TransactionContext,
 };
 
 impl TransactionContext {
+    async fn new_sign_keypair(&self, ciphersuite: Ciphersuite) -> Result<E2eiSignatureKeypair> {
+        let mls_provider = self
+            .mls_provider()
+            .await
+            .map_err(RecursiveError::transaction("getting mls provider"))?;
+
+        let sign_keypair = &SignatureKeyPair::new(
+            ciphersuite.signature_algorithm(),
+            &mut *mls_provider
+                .rand()
+                .borrow_rand()
+                .map_err(MlsError::wrap("borrowing rng"))?,
+        )
+        .map_err(MlsError::wrap("generating new sign keypair"))?;
+
+        sign_keypair
+            .try_into()
+            .map_err(RecursiveError::e2e_identity("creating E2eiSignatureKeypair"))
+            .map_err(Into::into)
+    }
+
     /// Generates an E2EI enrollment instance for a "regular" client (with a Basic credential)
     /// willing to migrate to E2EI. As a consequence, this method does not support changing the
     /// ClientId which should remain the same as the Basic one.
@@ -36,11 +58,7 @@ impl TransactionContext {
             .map_err(|_| Error::MissingExistingClient(CredentialType::Basic))?;
         let client_id = cb.mls_credential().identity().to_owned().into();
 
-        let sign_keypair = Some(
-            cb.signature_key()
-                .try_into()
-                .map_err(RecursiveError::e2e_identity("creating E2eiSignatureKeypair"))?,
-        );
+        let sign_keypair = self.new_sign_keypair(ciphersuite).await?;
 
         E2eiEnrollment::try_new(
             client_id,
@@ -50,7 +68,7 @@ impl TransactionContext {
             expiry_sec,
             &mls_provider,
             ciphersuite,
-            sign_keypair,
+            Some(sign_keypair),
             false, // no x509 credential yet at this point so no OIDC authn yet so no refresh token to restore
         )
         .map_err(RecursiveError::e2e_identity("creating new enrollment"))
@@ -84,11 +102,7 @@ impl TransactionContext {
             .await
             .map_err(|_| Error::MissingExistingClient(CredentialType::X509))?;
         let client_id = cb.mls_credential().identity().to_owned().into();
-        let sign_keypair = Some(
-            cb.signature_key()
-                .try_into()
-                .map_err(RecursiveError::e2e_identity("creating E2eiSignatureKeypair"))?,
-        );
+        let sign_keypair = self.new_sign_keypair(ciphersuite).await?;
         let existing_identity = cb
             .to_mls_credential_with_key()
             .extract_identity(ciphersuite, None)
@@ -107,7 +121,7 @@ impl TransactionContext {
             expiry_sec,
             &mls_provider,
             ciphersuite,
-            sign_keypair,
+            Some(sign_keypair),
             true, /* Since we are renewing an e2ei certificate we MUST have already generated one hence we MUST
                    * already have done an OIDC authn and gotten a refresh token from it */
         )

keystore-dump/src/main.rs

@@ -53,7 +53,7 @@ async fn main() -> anyhow::Result<()> {
             core_crypto::Ciphersuite::try_from(cred.ciphersuite)
                 .expect("ciphersuite from db")
                 .signature_algorithm(),
-            cred.secret_key.to_owned(),
+            cred.private_key.to_owned(),
             cred.public_key.to_owned(),
         );
         let date = chrono::Utc
@@ -62,11 +62,11 @@ async fn main() -> anyhow::Result<()> {
             .ok_or_else(|| anyhow!("Cannot parse credential creation date"))?;
 
         credentials.push(serde_json::json!({
-            "id": cred.id,
+            "session_id": cred.session_id,
             "credential": mls_credential,
             "created_at": date,
             "mls_keypair": mls_keypair,
-            "secret_key": cred.secret_key,
+            "private_key": cred.private_key,
             "public_key": cred.public_key,
         }));
     }

keystore/Cargo.toml

@@ -81,7 +81,6 @@ js-sys = "0.3"
 web-sys = { version = "0.3", features = ["console"] }
 wasm-bindgen = "0.2"
 serde-wasm-bindgen = "0.6"
-indexmap.workspace = true
 # Async WASM stuff
 wasm-bindgen-futures = "0.4"
 # Crypto stuff
@@ -113,6 +112,9 @@ smol.workspace = true
 version = "0.8"
 features = ["async_futures", "html_reports"]
 
+[target.'cfg(target_family = "wasm")'.dev-dependencies]
+console_error_panic_hook = "0.1"
+
 [package.metadata.wasm-pack.profile.release]
 wasm-opt = [
   "-Os",

keystore/src/connection/mod.rs

@@ -392,14 +392,6 @@ impl Database {
             .remove_pending_messages_by_conversation_id(conversation_id)
             .await
     }
-
-    pub async fn cred_delete_by_credential(&self, cred: Vec<u8>) -> CryptoKeystoreResult<()> {
-        let transaction_guard = self.transaction.lock().await;
-        let Some(transaction) = transaction_guard.as_ref() else {
-            return Err(CryptoKeystoreError::MutatingOperationWithoutTransaction);
-        };
-        transaction.cred_delete_by_credential(cred).await
-    }
 }
 
 #[cfg_attr(target_family = "wasm", async_trait::async_trait(?Send))]

keystore/src/connection/platform/generic/meta_migrations/v16.rs

@@ -49,21 +49,21 @@ pub(crate) fn meta_migration(conn: &mut rusqlite::Connection) -> CryptoKeystoreR
         if let Some(c) = migrate_to_new_credential(&v5, &kp)? {
             tx.execute(
                 "INSERT INTO mls_credentials_new (
-                        id,
+                        session_id,
                         credential,
                         created_at,
                         signature_scheme,
                         public_key,
-                        secret_key
+                        private_key
                     )
                     VALUES (?1, ?2, datetime(?3, 'unixepoch'), ?4, ?5, ?6)",
                 (
-                    c.id.clone(),
+                    c.session_id.clone(),
                     c.credential.clone(),
                     c.created_at,
                     c.signature_scheme,
                     c.public_key.clone(),
-                    c.secret_key.clone(),
+                    c.private_key.clone(),
                 ),
             )?;
 

keystore/src/connection/platform/generic/meta_migrations/v18.rs

@@ -26,47 +26,47 @@ pub(crate) fn meta_migration(conn: &mut rusqlite::Connection) -> CryptoKeystoreR
 
     let mut credential_stmt = tx.prepare(&format!(
         "SELECT
-            id,
+            session_id,
             credential,
             unixepoch(created_at) AS created_at,
             signature_scheme,
             public_key,
-            secret_key
+            private_key
          FROM {credential_table}",
         credential_table = StoredCredential::COLLECTION_NAME,
     ))?;
 
     let mut rows = credential_stmt.query([])?;
     while let Some(row) = rows.next()? {
         let v6 = V6Credential {
-            id: row.get("id")?,
+            session_id: row.get("session_id")?,
             credential: row.get("credential")?,
             created_at: row.get("created_at")?,
             signature_scheme: row.get("signature_scheme")?,
             public_key: row.get("public_key")?,
-            secret_key: row.get("secret_key")?,
+            private_key: row.get("private_key")?,
         };
 
         // Insert the new credential into temporary mls_credentials_new table, that will be renamed in the next
         // migration
         if let Some(ciphersuite) = ciphersuite_for_signature_scheme(v6.signature_scheme) {
             tx.execute(
                 "INSERT INTO mls_credentials_new (
-                        id,
+                        session_id,
                         credential,
                         created_at,
                         ciphersuite,
                         public_key,
-                        secret_key
+                        private_key
                     )
                     VALUES (?1, ?2, datetime(?3, 'unixepoch'), ?4, ?5, ?6)",
                 (
-                    v6.id.clone(),
+                    v6.session_id.clone(),
                     v6.credential.clone(),
                     v6.created_at,
                     ciphersuite,
                     v6.public_key.clone(),
-                    v6.secret_key.clone(),
+                    v6.private_key.clone(),
                 ),
             )?;
         }

keystore/src/connection/platform/generic/meta_migrations/v19.rs

@@ -34,10 +34,10 @@ pub(crate) fn meta_migration(conn: &mut rusqlite::Connection) -> CryptoKeystoreR
             Ok(StoredCredential {
                 ciphersuite: row.get("ciphersuite")?,
                 public_key: row.get("public_key")?,
-                id: Vec::new(),         // not relevant for this application
-                credential: Vec::new(), // not relevant for this application
-                created_at: 0,          // not relevant for this application
-                secret_key: Vec::new(), // not relevant for this application
+                session_id: Vec::new(),  // not relevant for this application
+                credential: Vec::new(),  // not relevant for this application
+                created_at: 0,           // not relevant for this application
+                private_key: Vec::new(), // not relevant for this application
             })
         })?
         .filter_map(|row| row.ok())

keystore/src/connection/platform/generic/migrations/V16__prepare_credential_merge.sql

@@ -1,9 +1,9 @@
 CREATE TABLE mls_credentials_new (
-    id BLOB NOT NULL,
+    session_id BLOB NOT NULL,
     credential BLOB NOT NULL,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     signature_scheme INT NOT NULL,
     public_key BLOB NOT NULL,
-    secret_key BLOB NOT NULL
+    private_key BLOB NOT NULL
 );
 

keystore/src/connection/platform/generic/migrations/V18__prepare_credential_ciphersuite.sql

@@ -1,8 +1,8 @@
 CREATE TABLE mls_credentials_new (
-    id BLOB NOT NULL,
+    session_id BLOB NOT NULL,
     credential BLOB NOT NULL,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     ciphersuite INT NOT NULL,
     public_key BLOB NOT NULL,
-    secret_key BLOB NOT NULL
+    private_key BLOB NOT NULL
 );