openmls 0.4.1

This is a WIP Rust implementation of the Messaging Layer Security (MLS) protocol based on draft 12+.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

use crate::test_utils::*;
use openmls_rust_crypto::OpenMlsRustCrypto;
use tls_codec::Deserialize;

use crate::{extensions::*, key_packages::*};

#[apply(ciphersuites_and_backends)]
fn generate_key_package(ciphersuite: Ciphersuite, backend: &impl OpenMlsCryptoProvider) {
    let credential_bundle = CredentialBundle::new(
        vec![1, 2, 3],
        CredentialType::Basic,
        ciphersuite.into(),
        backend,
    )
    .expect("An unexpected error occurred.");

    // Generate a valid KeyPackage.
    let lifetime_extension = Extension::LifeTime(LifetimeExtension::new(60));
    let kpb = KeyPackageBundle::new(
        &[ciphersuite],
        &credential_bundle,
        backend,
        vec![lifetime_extension],
    )
    .expect("An unexpected error occurred.");
    std::thread::sleep(std::time::Duration::from_millis(1));
    assert!(kpb.key_package().verify(backend).is_ok());

    // Now we add an invalid lifetime.
    let lifetime_extension = Extension::LifeTime(LifetimeExtension::new(0));
    let kpb = KeyPackageBundle::new(
        &[ciphersuite],
        &credential_bundle,
        backend,
        vec![lifetime_extension],
    )
    .expect("An unexpected error occurred.");
    std::thread::sleep(std::time::Duration::from_millis(1));
    assert!(kpb.key_package().verify(backend).is_err());

    // Now with two lifetime extensions, the key package should be invalid.
    let lifetime_extension = Extension::LifeTime(LifetimeExtension::new(60));
    let kpb = KeyPackageBundle::new(
        &[ciphersuite],
        &credential_bundle,
        backend,
        vec![lifetime_extension.clone(), lifetime_extension],
    );
    assert!(kpb.is_err());
}

#[apply(ciphersuites_and_backends)]
fn decryption_key_index_computation(
    ciphersuite: Ciphersuite,
    backend: &impl OpenMlsCryptoProvider,
) {
    let id = vec![1, 2, 3];
    let credential_bundle =
        CredentialBundle::new(id, CredentialType::Basic, ciphersuite.into(), backend)
            .expect("An unexpected error occurred.");
    let mut kpb = KeyPackageBundle::new(&[ciphersuite], &credential_bundle, backend, Vec::new())
        .expect("An unexpected error occurred.")
        .unsigned();

    kpb.add_extension(Extension::LifeTime(LifetimeExtension::new(60)));
    let kpb = kpb
        .sign(backend, &credential_bundle)
        .expect("An unexpected error occurred.");
    let enc = kpb
        .key_package()
        .tls_serialize_detached()
        .expect("An unexpected error occurred.");

    // Now it's valid.
    let kp =
        KeyPackage::tls_deserialize(&mut enc.as_slice()).expect("An unexpected error occurred.");
    assert_eq!(kpb.key_package, kp);
}

#[apply(ciphersuites_and_backends)]
fn key_package_id_extension(ciphersuite: Ciphersuite, backend: &impl OpenMlsCryptoProvider) {
    let id = vec![1, 2, 3];
    let credential_bundle =
        CredentialBundle::new(id, CredentialType::Basic, ciphersuite.into(), backend)
            .expect("An unexpected error occurred.");
    let kpb = KeyPackageBundle::new(
        &[ciphersuite],
        &credential_bundle,
        backend,
        vec![Extension::LifeTime(LifetimeExtension::new(60))],
    )
    .expect("An unexpected error occurred.");
    assert!(kpb.key_package().verify(backend).is_ok());
    let mut kpb = kpb.unsigned();

    // Add an ID to the key package.
    let id = [1, 2, 3, 4];
    kpb.add_extension(Extension::ExternalKeyId(ExternalKeyIdExtension::new(&id)));

    // Sign it to make it valid.
    let kpb = kpb
        .sign(backend, &credential_bundle)
        .expect("An unexpected error occurred.");
    assert!(kpb.key_package().verify(backend).is_ok());

    // Check ID
    assert_eq!(
        &id[..],
        kpb.key_package().external_key_id().expect("No key ID")
    );
}

#[apply(backends)]
fn test_mismatch(backend: &impl OpenMlsCryptoProvider) {
    // === KeyPackageBundle negative test ===

    let ciphersuite_name = Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519;
    let signature_scheme = SignatureScheme::ECDSA_SECP256R1_SHA256;

    let credential_bundle = CredentialBundle::new(
        vec![1, 2, 3],
        CredentialType::Basic,
        signature_scheme,
        backend,
    )
    .expect("Could not create credential bundle");

    assert_eq!(
        KeyPackageBundle::new(&[ciphersuite_name], &credential_bundle, backend, vec![],),
        Err(KeyPackageBundleNewError::CiphersuiteSignatureSchemeMismatch)
    );

    // === KeyPackageBundle positive test ===

    let ciphersuite_name = Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519;
    let signature_scheme = SignatureScheme::ED25519;

    let credential_bundle = CredentialBundle::new(
        vec![1, 2, 3],
        CredentialType::Basic,
        signature_scheme,
        backend,
    )
    .expect("Could not create credential bundle");

    assert!(
        KeyPackageBundle::new(&[ciphersuite_name], &credential_bundle, backend, vec![]).is_ok()
    );
}