matrix_sdk_crypto_ffi/machine.rs
1use std::{
2 collections::{BTreeMap, HashMap},
3 io::Cursor,
4 mem::ManuallyDrop,
5 ops::Deref,
6 sync::Arc,
7 time::Duration,
8};
9
10use js_int::UInt;
11use matrix_sdk_common::deserialized_responses::AlgorithmInfo;
12use matrix_sdk_crypto::{
13 backups::{
14 MegolmV1BackupKey as RustBackupKey, SignatureState,
15 SignatureVerification as RustSignatureCheckResult,
16 },
17 decrypt_room_key_export, encrypt_room_key_export,
18 olm::ExportedRoomKey,
19 store::types::{BackupDecryptionKey, Changes},
20 types::requests::ToDeviceRequest,
21 CollectStrategy, DecryptionSettings, LocalTrust, OlmMachine as InnerMachine,
22 UserIdentity as SdkUserIdentity,
23};
24use ruma::{
25 api::{
26 client::{
27 backup::add_backup_keys::v3::Response as KeysBackupResponse,
28 keys::{
29 claim_keys::v3::Response as KeysClaimResponse,
30 get_keys::v3::Response as KeysQueryResponse,
31 upload_keys::v3::Response as KeysUploadResponse,
32 upload_signatures::v3::Response as SignatureUploadResponse,
33 },
34 message::send_message_event::v3::Response as RoomMessageResponse,
35 sync::sync_events::{v3::ToDevice, DeviceLists as RumaDeviceLists},
36 to_device::send_event_to_device::v3::Response as ToDeviceResponse,
37 },
38 IncomingResponse,
39 },
40 events::{
41 key::verification::VerificationMethod, room::message::MessageType, AnyMessageLikeEvent,
42 AnySyncMessageLikeEvent, AnyTimelineEvent, MessageLikeEvent,
43 },
44 serde::Raw,
45 to_device::DeviceIdOrAllDevices,
46 DeviceKeyAlgorithm, EventId, OneTimeKeyAlgorithm, OwnedTransactionId, OwnedUserId, RoomId,
47 UserId,
48};
49use serde::{Deserialize, Serialize};
50use serde_json::{value::RawValue, Value};
51use tokio::runtime::Runtime;
52use zeroize::Zeroize;
53
54use crate::{
55 dehydrated_devices::DehydratedDevices,
56 error::{CryptoStoreError, DecryptionError, SecretImportError, SignatureError},
57 parse_user_id,
58 responses::{response_from_string, OwnedResponse},
59 BackupKeys, BackupRecoveryKey, BootstrapCrossSigningResult, CrossSigningKeyExport,
60 CrossSigningStatus, DecodeError, DecryptedEvent, Device, DeviceLists, EncryptionSettings,
61 EventEncryptionAlgorithm, KeyImportError, KeysImportResult, MegolmV1BackupKey,
62 ProgressListener, Request, RequestType, RequestVerificationResult, RoomKeyCounts, RoomSettings,
63 Sas, SignatureUploadRequest, StartSasResult, UserIdentity, Verification, VerificationRequest,
64};
65
66/// The return value for the [`OlmMachine::receive_sync_changes()`] method.
67///
68/// Will contain various information about the `/sync` changes the
69/// [`OlmMachine`] processed.
70#[derive(uniffi::Record)]
71pub struct SyncChangesResult {
72 /// The, now possibly decrypted, to-device events the [`OlmMachine`]
73 /// received, decrypted, and processed.
74 to_device_events: Vec<String>,
75
76 /// Information about the room keys that were extracted out of the to-device
77 /// events.
78 room_key_infos: Vec<RoomKeyInfo>,
79}
80
81/// Information on a room key that has been received or imported.
82#[derive(uniffi::Record)]
83pub struct RoomKeyInfo {
84 /// The [messaging algorithm] that this key is used for. Will be one of the
85 /// `m.megolm.*` algorithms.
86 ///
87 /// [messaging algorithm]: https://spec.matrix.org/v1.6/client-server-api/#messaging-algorithms
88 pub algorithm: String,
89
90 /// The room where the key is used.
91 pub room_id: String,
92
93 /// The Curve25519 key of the device which initiated the session originally.
94 pub sender_key: String,
95
96 /// The ID of the session that the key is for.
97 pub session_id: String,
98}
99
100impl From<matrix_sdk_crypto::store::types::RoomKeyInfo> for RoomKeyInfo {
101 fn from(value: matrix_sdk_crypto::store::types::RoomKeyInfo) -> Self {
102 Self {
103 algorithm: value.algorithm.to_string(),
104 room_id: value.room_id.to_string(),
105 sender_key: value.sender_key.to_base64(),
106 session_id: value.session_id,
107 }
108 }
109}
110
111/// A high level state machine that handles E2EE for Matrix.
112#[derive(uniffi::Object)]
113pub struct OlmMachine {
114 pub(crate) inner: ManuallyDrop<InnerMachine>,
115 pub(crate) runtime: Runtime,
116}
117
118impl Drop for OlmMachine {
119 fn drop(&mut self) {
120 // Dropping the inner OlmMachine must happen within a tokio context
121 // because deadpool drops sqlite connections in the DB pool on tokio's
122 // blocking threadpool to avoid blocking async worker threads.
123 let _guard = self.runtime.enter();
124 // SAFETY: self.inner is never used again, which is the only requirement
125 // for ManuallyDrop::drop to be used safely.
126 unsafe {
127 ManuallyDrop::drop(&mut self.inner);
128 }
129 }
130}
131
132/// A pair of outgoing room key requests, both of those are sendToDevice
133/// requests.
134#[derive(uniffi::Record)]
135pub struct KeyRequestPair {
136 /// The optional cancellation, this is None if no previous key request was
137 /// sent out for this key, thus it doesn't need to be cancelled.
138 pub cancellation: Option<Request>,
139 /// The actual key request.
140 pub key_request: Request,
141}
142
143/// The result of a signature verification of a signed JSON object.
144#[derive(Clone, Debug, PartialEq, Eq, uniffi::Record)]
145pub struct SignatureVerification {
146 /// The result of the signature verification using the public key of our own
147 /// device.
148 pub device_signature: SignatureState,
149 /// The result of the signature verification using the public key of our own
150 /// user identity.
151 pub user_identity_signature: SignatureState,
152 /// The result of the signature verification using public keys of other
153 /// devices we own.
154 pub other_devices_signatures: HashMap<String, SignatureState>,
155 /// Is the signed JSON object trusted.
156 ///
157 /// This flag tells us if the result has a valid signature from any of the
158 /// following:
159 ///
160 /// * Our own device
161 /// * Our own user identity, provided the identity is trusted as well
162 /// * Any of our own devices, provided the device is trusted as well
163 pub trusted: bool,
164}
165
166impl From<RustSignatureCheckResult> for SignatureVerification {
167 fn from(r: RustSignatureCheckResult) -> Self {
168 let trusted = r.trusted();
169
170 Self {
171 device_signature: r.device_signature,
172 user_identity_signature: r.user_identity_signature,
173 other_devices_signatures: r
174 .other_signatures
175 .into_iter()
176 .map(|(k, v)| (k.to_string(), v))
177 .collect(),
178 trusted,
179 }
180 }
181}
182
183#[matrix_sdk_ffi_macros::export]
184impl OlmMachine {
185 /// Create a new `OlmMachine`
186 ///
187 /// # Arguments
188 ///
189 /// * `user_id` - The unique ID of the user that owns this machine.
190 ///
191 /// * `device_id` - The unique ID of the device that owns this machine.
192 ///
193 /// * `path` - The path where the state of the machine should be persisted.
194 ///
195 /// * `passphrase` - The passphrase that should be used to encrypt the data
196 /// at rest in the crypto store. **Warning**, if no passphrase is given,
197 /// the store and all its data will remain unencrypted.
198 #[uniffi::constructor]
199 pub fn new(
200 user_id: String,
201 device_id: String,
202 path: String,
203 mut passphrase: Option<String>,
204 ) -> Result<Arc<Self>, CryptoStoreError> {
205 let user_id = parse_user_id(&user_id)?;
206 let device_id = device_id.as_str().into();
207 let runtime = Runtime::new().expect("Couldn't create a tokio runtime");
208
209 let store = runtime
210 .block_on(matrix_sdk_sqlite::SqliteCryptoStore::open(path, passphrase.as_deref()))?;
211
212 passphrase.zeroize();
213
214 let inner = runtime.block_on(InnerMachine::with_store(
215 &user_id,
216 device_id,
217 Arc::new(store),
218 None,
219 ))?;
220
221 Ok(Arc::new(OlmMachine { inner: ManuallyDrop::new(inner), runtime }))
222 }
223
224 /// Get the user ID of the owner of this `OlmMachine`.
225 pub fn user_id(&self) -> String {
226 self.inner.user_id().to_string()
227 }
228
229 /// Get the device ID of the device of this `OlmMachine`.
230 pub fn device_id(&self) -> String {
231 self.inner.device_id().to_string()
232 }
233
234 /// Get our own identity keys.
235 pub fn identity_keys(&self) -> HashMap<String, String> {
236 let identity_keys = self.inner.identity_keys();
237 let curve_key = identity_keys.curve25519.to_base64();
238 let ed25519_key = identity_keys.ed25519.to_base64();
239
240 HashMap::from([("ed25519".to_owned(), ed25519_key), ("curve25519".to_owned(), curve_key)])
241 }
242
243 /// Get the status of the private cross signing keys.
244 ///
245 /// This can be used to check which private cross signing keys we have
246 /// stored locally.
247 pub fn cross_signing_status(&self) -> CrossSigningStatus {
248 self.runtime.block_on(self.inner.cross_signing_status()).into()
249 }
250
251 /// Get a cross signing user identity for the given user ID.
252 ///
253 /// # Arguments
254 ///
255 /// * `user_id` - The unique id of the user that the identity belongs to
256 ///
257 /// * `timeout` - The time in seconds we should wait before returning if the
258 /// user's device list has been marked as stale. Passing a 0 as the
259 /// timeout means that we won't wait at all. **Note**, this assumes that
260 /// the requests from [`OlmMachine::outgoing_requests`] are being
261 /// processed and sent out. Namely, this waits for a `/keys/query`
262 /// response to be received.
263 pub fn get_identity(
264 &self,
265 user_id: String,
266 timeout: u32,
267 ) -> Result<Option<UserIdentity>, CryptoStoreError> {
268 let user_id = parse_user_id(&user_id)?;
269
270 let timeout = if timeout == 0 { None } else { Some(Duration::from_secs(timeout.into())) };
271
272 Ok(
273 if let Some(identity) =
274 self.runtime.block_on(self.inner.get_identity(&user_id, timeout))?
275 {
276 Some(self.runtime.block_on(UserIdentity::from_rust(identity))?)
277 } else {
278 None
279 },
280 )
281 }
282
283 /// Check if a user identity is considered to be verified by us.
284 pub fn is_identity_verified(&self, user_id: String) -> Result<bool, CryptoStoreError> {
285 let user_id = parse_user_id(&user_id)?;
286
287 Ok(
288 if let Some(identity) =
289 self.runtime.block_on(self.inner.get_identity(&user_id, None))?
290 {
291 identity.is_verified()
292 } else {
293 false
294 },
295 )
296 }
297
298 /// Manually the user with the given user ID.
299 ///
300 /// This method will attempt to sign the user identity using either our
301 /// private cross signing key, for other user identities, or our device keys
302 /// for our own user identity.
303 ///
304 /// This method can fail if we don't have the private part of our
305 /// user-signing key.
306 ///
307 /// Returns a request that needs to be sent out for the user identity to be
308 /// marked as verified.
309 pub fn verify_identity(
310 &self,
311 user_id: String,
312 ) -> Result<SignatureUploadRequest, SignatureError> {
313 let user_id = UserId::parse(user_id)?;
314
315 let user_identity = self.runtime.block_on(self.inner.get_identity(&user_id, None))?;
316
317 if let Some(user_identity) = user_identity {
318 Ok(match user_identity {
319 SdkUserIdentity::Own(i) => self.runtime.block_on(i.verify())?,
320 SdkUserIdentity::Other(i) => self.runtime.block_on(i.verify())?,
321 }
322 .into())
323 } else {
324 Err(SignatureError::UnknownUserIdentity(user_id.to_string()))
325 }
326 }
327
328 /// Get a `Device` from the store.
329 ///
330 /// # Arguments
331 ///
332 /// * `user_id` - The id of the device owner.
333 ///
334 /// * `device_id` - The id of the device itself.
335 ///
336 /// * `timeout` - The time in seconds we should wait before returning if the
337 /// user's device list has been marked as stale. Passing a 0 as the
338 /// timeout means that we won't wait at all. **Note**, this assumes that
339 /// the requests from [`OlmMachine::outgoing_requests`] are being
340 /// processed and sent out. Namely, this waits for a `/keys/query`
341 /// response to be received.
342 pub fn get_device(
343 &self,
344 user_id: String,
345 device_id: String,
346 timeout: u32,
347 ) -> Result<Option<Device>, CryptoStoreError> {
348 let user_id = parse_user_id(&user_id)?;
349
350 let timeout = if timeout == 0 { None } else { Some(Duration::from_secs(timeout.into())) };
351
352 Ok(self
353 .runtime
354 .block_on(self.inner.get_device(&user_id, device_id.as_str().into(), timeout))?
355 .map(|d| d.into()))
356 }
357
358 /// Manually verify the device of the given user with the given device ID.
359 ///
360 /// This method will attempt to sign the device using our private cross
361 /// signing key.
362 ///
363 /// This method will always fail if the device belongs to someone else, we
364 /// can only sign our own devices.
365 ///
366 /// It can also fail if we don't have the private part of our self-signing
367 /// key.
368 ///
369 /// Returns a request that needs to be sent out for the device to be marked
370 /// as verified.
371 pub fn verify_device(
372 &self,
373 user_id: String,
374 device_id: String,
375 ) -> Result<SignatureUploadRequest, SignatureError> {
376 let user_id = UserId::parse(user_id)?;
377 let device = self.runtime.block_on(self.inner.get_device(
378 &user_id,
379 device_id.as_str().into(),
380 None,
381 ))?;
382
383 if let Some(device) = device {
384 Ok(self.runtime.block_on(device.verify())?.into())
385 } else {
386 Err(SignatureError::UnknownDevice(user_id, device_id))
387 }
388 }
389
390 /// Set local trust state for the device of the given user without creating
391 /// or uploading any signatures if verified
392 pub fn set_local_trust(
393 &self,
394 user_id: String,
395 device_id: String,
396 trust_state: LocalTrust,
397 ) -> Result<(), CryptoStoreError> {
398 let user_id = parse_user_id(&user_id)?;
399
400 let device = self.runtime.block_on(self.inner.get_device(
401 &user_id,
402 device_id.as_str().into(),
403 None,
404 ))?;
405
406 if let Some(device) = device {
407 self.runtime.block_on(device.set_local_trust(trust_state))?;
408 }
409
410 Ok(())
411 }
412
413 /// Get all devices of an user.
414 ///
415 /// # Arguments
416 ///
417 /// * `user_id` - The id of the device owner.
418 ///
419 /// * `timeout` - The time in seconds we should wait before returning if the
420 /// user's device list has been marked as stale. Passing a 0 as the
421 /// timeout means that we won't wait at all. **Note**, this assumes that
422 /// the requests from [`OlmMachine::outgoing_requests`] are being
423 /// processed and sent out. Namely, this waits for a `/keys/query`
424 /// response to be received.
425 pub fn get_user_devices(
426 &self,
427 user_id: String,
428 timeout: u32,
429 ) -> Result<Vec<Device>, CryptoStoreError> {
430 let user_id = parse_user_id(&user_id)?;
431
432 let timeout = if timeout == 0 { None } else { Some(Duration::from_secs(timeout.into())) };
433 Ok(self
434 .runtime
435 .block_on(self.inner.get_user_devices(&user_id, timeout))?
436 .devices()
437 .map(|d| d.into())
438 .collect())
439 }
440
441 /// Get the list of outgoing requests that need to be sent to the
442 /// homeserver.
443 ///
444 /// After the request was sent out and a successful response was received
445 /// the response body should be passed back to the state machine using the
446 /// [mark_request_as_sent()](Self::mark_request_as_sent) method.
447 ///
448 /// **Note**: This method call should be locked per call.
449 pub fn outgoing_requests(&self) -> Result<Vec<Request>, CryptoStoreError> {
450 Ok(self
451 .runtime
452 .block_on(self.inner.outgoing_requests())?
453 .into_iter()
454 .map(|r| r.into())
455 .collect())
456 }
457
458 /// Mark a request that was sent to the server as sent.
459 ///
460 /// # Arguments
461 ///
462 /// * `request_id` - The unique ID of the request that was sent out. This
463 /// needs to be an UUID.
464 ///
465 /// * `request_type` - The type of the request that was sent out.
466 ///
467 /// * `response_body` - The body of the response that was received.
468 pub fn mark_request_as_sent(
469 &self,
470 request_id: String,
471 request_type: RequestType,
472 response_body: String,
473 ) -> Result<(), CryptoStoreError> {
474 let id: OwnedTransactionId = request_id.into();
475
476 let response = response_from_string(&response_body);
477
478 let response: OwnedResponse = match request_type {
479 RequestType::KeysUpload => {
480 KeysUploadResponse::try_from_http_response(response).map(Into::into)
481 }
482 RequestType::KeysQuery => {
483 KeysQueryResponse::try_from_http_response(response).map(Into::into)
484 }
485 RequestType::ToDevice => {
486 ToDeviceResponse::try_from_http_response(response).map(Into::into)
487 }
488 RequestType::KeysClaim => {
489 KeysClaimResponse::try_from_http_response(response).map(Into::into)
490 }
491 RequestType::SignatureUpload => {
492 SignatureUploadResponse::try_from_http_response(response).map(Into::into)
493 }
494 RequestType::KeysBackup => {
495 KeysBackupResponse::try_from_http_response(response).map(Into::into)
496 }
497 RequestType::RoomMessage => {
498 RoomMessageResponse::try_from_http_response(response).map(Into::into)
499 }
500 }
501 .expect("Can't convert json string to response");
502
503 self.runtime.block_on(self.inner.mark_request_as_sent(&id, &response))?;
504
505 Ok(())
506 }
507
508 /// Let the state machine know about E2EE related sync changes that we
509 /// received from the server.
510 ///
511 /// This needs to be called after every sync, ideally before processing
512 /// any other sync changes.
513 ///
514 /// # Arguments
515 ///
516 /// * `events` - A serialized array of to-device events we received in the
517 /// current sync response.
518 ///
519 /// * `device_changes` - The list of devices that have changed in some way
520 /// since the previous sync.
521 ///
522 /// * `key_counts` - The map of uploaded one-time key types and counts.
523 pub fn receive_sync_changes(
524 &self,
525 events: String,
526 device_changes: DeviceLists,
527 key_counts: HashMap<String, i32>,
528 unused_fallback_keys: Option<Vec<String>>,
529 next_batch_token: String,
530 decryption_settings: &DecryptionSettings,
531 ) -> Result<SyncChangesResult, CryptoStoreError> {
532 let to_device: ToDevice = serde_json::from_str(&events)?;
533 let device_changes: RumaDeviceLists = device_changes.into();
534 let key_counts: BTreeMap<OneTimeKeyAlgorithm, UInt> = key_counts
535 .into_iter()
536 .map(|(k, v)| {
537 (
538 OneTimeKeyAlgorithm::from(k),
539 v.clamp(0, i32::MAX)
540 .try_into()
541 .expect("Couldn't convert key counts into an UInt"),
542 )
543 })
544 .collect();
545
546 let unused_fallback_keys: Option<Vec<OneTimeKeyAlgorithm>> =
547 unused_fallback_keys.map(|u| u.into_iter().map(OneTimeKeyAlgorithm::from).collect());
548
549 let (to_device_events, room_key_infos) =
550 self.runtime.block_on(self.inner.receive_sync_changes(
551 matrix_sdk_crypto::EncryptionSyncChanges {
552 to_device_events: to_device.events,
553 changed_devices: &device_changes,
554 one_time_keys_counts: &key_counts,
555 unused_fallback_keys: unused_fallback_keys.as_deref(),
556 next_batch_token: Some(next_batch_token),
557 },
558 decryption_settings,
559 ))?;
560
561 let to_device_events = to_device_events
562 .into_iter()
563 .map(|event| event.to_raw().json().get().to_owned())
564 .collect();
565 let room_key_infos = room_key_infos.into_iter().map(|info| info.into()).collect();
566
567 Ok(SyncChangesResult { to_device_events, room_key_infos })
568 }
569
570 /// Add the given list of users to be tracked, triggering a key query
571 /// request for them.
572 ///
573 /// The OlmMachine maintains a list of users whose devices we are keeping
574 /// track of: these are known as "tracked users". These must be users
575 /// that we share a room with, so that the server sends us updates for
576 /// their device lists.
577 ///
578 /// *Note*: Only users that aren't already tracked will be considered for an
579 /// update. It's safe to call this with already tracked users, it won't
580 /// result in excessive `/keys/query` requests.
581 ///
582 /// # Arguments
583 ///
584 /// `users` - The users that should be queued up for a key query.
585 pub fn update_tracked_users(&self, users: Vec<String>) -> Result<(), CryptoStoreError> {
586 let users: Vec<OwnedUserId> =
587 users.into_iter().filter_map(|u| UserId::parse(u).ok()).collect();
588
589 self.runtime.block_on(self.inner.update_tracked_users(users.iter().map(Deref::deref)))?;
590
591 Ok(())
592 }
593
594 /// Check if the given user is considered to be tracked.
595 ///
596 /// A user can be marked for tracking using the
597 /// [`OlmMachine::update_tracked_users()`] method.
598 pub fn is_user_tracked(&self, user_id: String) -> Result<bool, CryptoStoreError> {
599 let user_id = parse_user_id(&user_id)?;
600 Ok(self.runtime.block_on(self.inner.tracked_users())?.contains(&user_id))
601 }
602
603 /// Generate one-time key claiming requests for all the users we are missing
604 /// sessions for.
605 ///
606 /// After the request was sent out and a successful response was received
607 /// the response body should be passed back to the state machine using the
608 /// [mark_request_as_sent()](Self::mark_request_as_sent) method.
609 ///
610 /// This method should be called every time before a call to
611 /// [`share_room_key()`](Self::share_room_key) is made.
612 ///
613 /// # Arguments
614 ///
615 /// * `users` - The list of users for which we would like to establish 1:1
616 /// Olm sessions for.
617 pub fn get_missing_sessions(
618 &self,
619 users: Vec<String>,
620 ) -> Result<Option<Request>, CryptoStoreError> {
621 let users: Vec<OwnedUserId> =
622 users.into_iter().filter_map(|u| UserId::parse(u).ok()).collect();
623
624 Ok(self
625 .runtime
626 .block_on(self.inner.get_missing_sessions(users.iter().map(Deref::deref)))?
627 .map(|r| r.into()))
628 }
629
630 /// Get the stored room settings, such as the encryption algorithm or
631 /// whether to encrypt only for trusted devices.
632 ///
633 /// These settings can be modified via
634 /// [set_room_algorithm()](Self::set_room_algorithm) and
635 /// [set_room_only_allow_trusted_devices()](Self::set_room_only_allow_trusted_devices)
636 /// methods.
637 pub fn get_room_settings(
638 &self,
639 room_id: String,
640 ) -> Result<Option<RoomSettings>, CryptoStoreError> {
641 let room_id = RoomId::parse(room_id)?;
642 let settings = self
643 .runtime
644 .block_on(self.inner.store().get_room_settings(&room_id))?
645 .map(|v| v.try_into())
646 .transpose()?;
647 Ok(settings)
648 }
649
650 /// Set the room algorithm used for encrypting messages to one of the
651 /// available variants
652 pub fn set_room_algorithm(
653 &self,
654 room_id: String,
655 algorithm: EventEncryptionAlgorithm,
656 ) -> Result<(), CryptoStoreError> {
657 let room_id = RoomId::parse(room_id)?;
658 self.runtime.block_on(async move {
659 let mut settings =
660 self.inner.store().get_room_settings(&room_id).await?.unwrap_or_default();
661 settings.algorithm = algorithm.into();
662 self.inner
663 .store()
664 .save_changes(Changes {
665 room_settings: HashMap::from([(room_id, settings)]),
666 ..Default::default()
667 })
668 .await?;
669 Ok(())
670 })
671 }
672
673 /// Set flag whether this room should encrypt messages for untrusted
674 /// devices, or whether they should be excluded from the conversation.
675 ///
676 /// Note that per-room setting may be overridden by a global
677 /// [set_only_allow_trusted_devices()](Self::set_only_allow_trusted_devices)
678 /// method.
679 pub fn set_room_only_allow_trusted_devices(
680 &self,
681 room_id: String,
682 only_allow_trusted_devices: bool,
683 ) -> Result<(), CryptoStoreError> {
684 let room_id = RoomId::parse(room_id)?;
685 self.runtime.block_on(async move {
686 let mut settings =
687 self.inner.store().get_room_settings(&room_id).await?.unwrap_or_default();
688 settings.only_allow_trusted_devices = only_allow_trusted_devices;
689 self.inner
690 .store()
691 .save_changes(Changes {
692 room_settings: HashMap::from([(room_id, settings)]),
693 ..Default::default()
694 })
695 .await?;
696 Ok(())
697 })
698 }
699
700 /// Check whether there is a global flag to only encrypt messages for
701 /// trusted devices or for everyone.
702 ///
703 /// Note that if the global flag is false, individual rooms may still be
704 /// encrypting only for trusted devices, depending on the per-room
705 /// `only_allow_trusted_devices` flag.
706 pub fn get_only_allow_trusted_devices(&self) -> Result<bool, CryptoStoreError> {
707 let block = self.runtime.block_on(self.inner.store().get_only_allow_trusted_devices())?;
708 Ok(block)
709 }
710
711 /// Set global flag whether to encrypt messages for untrusted devices, or
712 /// whether they should be excluded from the conversation.
713 ///
714 /// Note that if enabled, it will override any per-room settings.
715 pub fn set_only_allow_trusted_devices(
716 &self,
717 only_allow_trusted_devices: bool,
718 ) -> Result<(), CryptoStoreError> {
719 self.runtime.block_on(
720 self.inner.store().set_only_allow_trusted_devices(only_allow_trusted_devices),
721 )?;
722 Ok(())
723 }
724
725 /// Share a room key with the given list of users for the given room.
726 ///
727 /// After the request was sent out and a successful response was received
728 /// the response body should be passed back to the state machine using the
729 /// [mark_request_as_sent()](Self::mark_request_as_sent) method.
730 ///
731 /// This method should be called every time before a call to
732 /// [`encrypt()`](Self::encrypt) with the given `room_id` is made.
733 ///
734 /// # Arguments
735 ///
736 /// * `room_id` - The unique id of the room, note that this doesn't strictly
737 /// need to be a Matrix room, it just needs to be an unique identifier for
738 /// the group that will participate in the conversation.
739 ///
740 /// * `users` - The list of users which are considered to be members of the
741 /// room and should receive the room key.
742 ///
743 /// * `settings` - The settings that should be used for the room key.
744 pub fn share_room_key(
745 &self,
746 room_id: String,
747 users: Vec<String>,
748 settings: EncryptionSettings,
749 ) -> Result<Vec<Request>, CryptoStoreError> {
750 let users: Vec<OwnedUserId> =
751 users.into_iter().filter_map(|u| UserId::parse(u).ok()).collect();
752
753 let room_id = RoomId::parse(room_id)?;
754 let requests = self.runtime.block_on(self.inner.share_room_key(
755 &room_id,
756 users.iter().map(Deref::deref),
757 settings,
758 ))?;
759
760 Ok(requests.into_iter().map(|r| r.as_ref().into()).collect())
761 }
762
763 /// Encrypt the given event with the given type and content for the given
764 /// room.
765 ///
766 /// **Note**: A room key needs to be shared with the group of users that are
767 /// members in the given room. If this is not done this method will panic.
768 ///
769 /// The usual flow to encrypt an event using this state machine is as
770 /// follows:
771 ///
772 /// 1. Get the one-time key claim request to establish 1:1 Olm sessions for
773 /// the room members of the room we wish to participate in. This is done
774 /// using the [`get_missing_sessions()`](Self::get_missing_sessions)
775 /// method. This method call should be locked per call.
776 ///
777 /// 2. Share a room key with all the room members using the
778 /// [`share_room_key()`](Self::share_room_key). This method call should
779 /// be locked per room.
780 ///
781 /// 3. Encrypt the event using this method.
782 ///
783 /// 4. Send the encrypted event to the server.
784 ///
785 /// After the room key is shared steps 1 and 2 will become noops, unless
786 /// there's some changes in the room membership or in the list of devices a
787 /// member has.
788 ///
789 /// # Arguments
790 ///
791 /// * `room_id` - The unique id of the room where the event will be sent to.
792 ///
793 /// * `even_type` - The type of the event.
794 ///
795 /// * `content` - The serialized content of the event.
796 pub fn encrypt(
797 &self,
798 room_id: String,
799 event_type: String,
800 content: String,
801 ) -> Result<String, CryptoStoreError> {
802 let room_id = RoomId::parse(room_id)?;
803 let content = serde_json::from_str(&content)?;
804
805 let encrypted_content = self
806 .runtime
807 .block_on(self.inner.encrypt_room_event_raw(&room_id, &event_type, &content))
808 .expect("Encrypting an event produced an error");
809
810 Ok(serde_json::to_string(&encrypted_content)?)
811 }
812
813 /// Encrypt the given event with the given type and content for the given
814 /// device. This method is used to send an event to a specific device.
815 ///
816 /// # Arguments
817 ///
818 /// * `user_id` - The ID of the user who owns the target device.
819 /// * `device_id` - The ID of the device to which the message will be sent.
820 /// * `event_type` - The event type.
821 /// * `content` - The serialized content of the event.
822 ///
823 /// # Returns
824 /// A `Result` containing the request to be sent out if the encryption was
825 /// successful. If the device is not found, the result will be `Ok(None)`.
826 ///
827 /// The caller should ensure that there is an olm session (see
828 /// `get_missing_sessions`) with the target device before calling this
829 /// method.
830 pub fn create_encrypted_to_device_request(
831 &self,
832 user_id: String,
833 device_id: String,
834 event_type: String,
835 content: String,
836 share_strategy: CollectStrategy,
837 ) -> Result<Option<Request>, CryptoStoreError> {
838 let user_id = parse_user_id(&user_id)?;
839 let device_id = device_id.as_str().into();
840 let content = serde_json::from_str(&content)?;
841
842 let device = self.runtime.block_on(self.inner.get_device(&user_id, device_id, None))?;
843
844 if let Some(device) = device {
845 let encrypted_content = self.runtime.block_on(device.encrypt_event_raw(
846 &event_type,
847 &content,
848 share_strategy,
849 ))?;
850
851 let request = ToDeviceRequest::new(
852 user_id.as_ref(),
853 DeviceIdOrAllDevices::DeviceId(device_id.to_owned()),
854 "m.room.encrypted",
855 encrypted_content.cast(),
856 );
857
858 Ok(Some(request.into()))
859 } else {
860 Ok(None)
861 }
862 }
863
864 /// Decrypt the given event that was sent in the given room.
865 ///
866 /// # Arguments
867 ///
868 /// * `event` - The serialized encrypted version of the event.
869 ///
870 /// * `room_id` - The unique id of the room where the event was sent to.
871 ///
872 /// * `strict_shields` - If `true`, messages will be decorated with strict
873 /// warnings (use `false` to match legacy behaviour where unsafe keys have
874 /// lower severity warnings and unverified identities are not decorated).
875 /// * `decryption_settings` - The setting for decrypting messages.
876 pub fn decrypt_room_event(
877 &self,
878 event: String,
879 room_id: String,
880 handle_verification_events: bool,
881 strict_shields: bool,
882 decryption_settings: DecryptionSettings,
883 ) -> Result<DecryptedEvent, DecryptionError> {
884 // Element Android wants only the content and the type and will create a
885 // decrypted event with those two itself, this struct makes sure we
886 // throw away all the other fields.
887 #[derive(Deserialize, Serialize)]
888 struct Event<'a> {
889 #[serde(rename = "type")]
890 event_type: String,
891 #[serde(borrow)]
892 content: &'a RawValue,
893 }
894
895 let event: Raw<_> = serde_json::from_str(&event)?;
896 let room_id = RoomId::parse(room_id)?;
897
898 let decrypted = self.runtime.block_on(self.inner.decrypt_room_event(
899 &event,
900 &room_id,
901 &decryption_settings,
902 ))?;
903
904 if handle_verification_events {
905 if let Ok(AnyTimelineEvent::MessageLike(e)) = decrypted.event.deserialize() {
906 match &e {
907 AnyMessageLikeEvent::RoomMessage(MessageLikeEvent::Original(
908 original_event,
909 )) => {
910 if let MessageType::VerificationRequest(_) = &original_event.content.msgtype
911 {
912 self.runtime.block_on(self.inner.receive_verification_event(&e))?;
913 }
914 }
915 _ if e.event_type().to_string().starts_with("m.key.verification") => {
916 self.runtime.block_on(self.inner.receive_verification_event(&e))?;
917 }
918 _ => (),
919 }
920 }
921 }
922
923 let encryption_info = decrypted.encryption_info;
924
925 let event_json: Event<'_> = serde_json::from_str(decrypted.event.json().get())?;
926
927 Ok(match &encryption_info.algorithm_info {
928 AlgorithmInfo::MegolmV1AesSha2 {
929 curve25519_key,
930 sender_claimed_keys,
931 session_id: _,
932 } => DecryptedEvent {
933 clear_event: serde_json::to_string(&event_json)?,
934 sender_curve25519_key: curve25519_key.to_owned(),
935 claimed_ed25519_key: sender_claimed_keys.get(&DeviceKeyAlgorithm::Ed25519).cloned(),
936 forwarding_curve25519_chain: vec![],
937 shield_state: if strict_shields {
938 encryption_info.verification_state.to_shield_state_strict().into()
939 } else {
940 encryption_info.verification_state.to_shield_state_lax().into()
941 },
942 },
943 AlgorithmInfo::OlmV1Curve25519AesSha2 { .. } => {
944 // cannot happen because `decrypt_room_event` would have fail to decrypt olm for
945 // a room (EventError::UnsupportedAlgorithm)
946 panic!("Unsupported olm algorithm in room")
947 }
948 })
949 }
950
951 /// Request or re-request a room key that was used to encrypt the given
952 /// event.
953 ///
954 /// # Arguments
955 ///
956 /// * `event` - The undecryptable event that we would wish to request a room
957 /// key for.
958 ///
959 /// * `room_id` - The id of the room the event was sent to.
960 pub fn request_room_key(
961 &self,
962 event: String,
963 room_id: String,
964 ) -> Result<KeyRequestPair, DecryptionError> {
965 let event: Raw<_> = serde_json::from_str(&event)?;
966 let room_id = RoomId::parse(room_id)?;
967
968 let (cancel, request) =
969 self.runtime.block_on(self.inner.request_room_key(&event, &room_id))?;
970
971 let cancellation = cancel.map(|r| r.into());
972 let key_request = request.into();
973
974 Ok(KeyRequestPair { cancellation, key_request })
975 }
976
977 /// Export all of our room keys.
978 ///
979 /// # Arguments
980 ///
981 /// * `passphrase` - The passphrase that should be used to encrypt the key
982 /// export.
983 ///
984 /// * `rounds` - The number of rounds that should be used when expanding the
985 /// passphrase into an key.
986 pub fn export_room_keys(
987 &self,
988 passphrase: String,
989 rounds: i32,
990 ) -> Result<String, CryptoStoreError> {
991 let keys = self.runtime.block_on(self.inner.store().export_room_keys(|_| true))?;
992
993 let encrypted = encrypt_room_key_export(&keys, &passphrase, rounds as u32)
994 .map_err(CryptoStoreError::Serialization)?;
995
996 Ok(encrypted)
997 }
998
999 /// Import room keys from the given serialized key export.
1000 ///
1001 /// # Arguments
1002 ///
1003 /// * `keys` - The serialized version of the key export.
1004 ///
1005 /// * `passphrase` - The passphrase that was used to encrypt the key export.
1006 ///
1007 /// * `progress_listener` - A callback that can be used to introspect the
1008 /// progress of the key import.
1009 pub fn import_room_keys(
1010 &self,
1011 keys: String,
1012 passphrase: String,
1013 progress_listener: Box<dyn ProgressListener>,
1014 ) -> Result<KeysImportResult, KeyImportError> {
1015 let keys = Cursor::new(keys);
1016 let keys = decrypt_room_key_export(keys, &passphrase)?;
1017 self.import_room_keys_helper(keys, None, progress_listener)
1018 }
1019
1020 /// Import room keys from the given serialized unencrypted key export.
1021 ///
1022 /// This method is the same as [`OlmMachine::import_room_keys`] but the
1023 /// decryption step is skipped and should be performed by the caller. This
1024 /// should be used if the room keys are coming from the server-side backup,
1025 /// the method will mark all imported room keys as backed up.
1026 ///
1027 /// **Note**: This has been deprecated. Use
1028 /// [`OlmMachine::import_room_keys_from_backup`] instead.
1029 ///
1030 /// # Arguments
1031 ///
1032 /// * `keys` - The serialized version of the unencrypted key export.
1033 ///
1034 /// * `progress_listener` - A callback that can be used to introspect the
1035 /// progress of the key import.
1036 pub fn import_decrypted_room_keys(
1037 &self,
1038 keys: String,
1039 progress_listener: Box<dyn ProgressListener>,
1040 ) -> Result<KeysImportResult, KeyImportError> {
1041 // Assume that the keys came from the current backup version.
1042 let backup_version = self.runtime.block_on(self.inner.backup_machine().backup_version());
1043 let keys: Vec<Value> = serde_json::from_str(&keys)?;
1044 let keys = keys.into_iter().map(serde_json::from_value).filter_map(|k| k.ok()).collect();
1045 self.import_room_keys_helper(keys, backup_version.as_deref(), progress_listener)
1046 }
1047
1048 /// Import room keys from the given serialized unencrypted key export.
1049 ///
1050 /// This method is the same as [`OlmMachine::import_room_keys`] but the
1051 /// decryption step is skipped and should be performed by the caller. This
1052 /// should be used if the room keys are coming from the server-side backup.
1053 /// The method will mark all imported room keys as backed up.
1054 ///
1055 /// # Arguments
1056 ///
1057 /// * `keys` - The serialized version of the unencrypted key export.
1058 ///
1059 /// * `backup_version` - The version of the backup that these keys came
1060 /// from.
1061 ///
1062 /// * `progress_listener` - A callback that can be used to introspect the
1063 /// progress of the key import.
1064 pub fn import_room_keys_from_backup(
1065 &self,
1066 keys: String,
1067 backup_version: String,
1068 progress_listener: Box<dyn ProgressListener>,
1069 ) -> Result<KeysImportResult, KeyImportError> {
1070 let keys: Vec<Value> = serde_json::from_str(&keys)?;
1071 let keys = keys.into_iter().map(serde_json::from_value).filter_map(|k| k.ok()).collect();
1072 self.import_room_keys_helper(keys, Some(&backup_version), progress_listener)
1073 }
1074
1075 /// Discard the currently active room key for the given room if there is
1076 /// one.
1077 pub fn discard_room_key(&self, room_id: String) -> Result<(), CryptoStoreError> {
1078 let room_id = RoomId::parse(room_id)?;
1079
1080 self.runtime.block_on(self.inner.discard_room_key(&room_id))?;
1081
1082 Ok(())
1083 }
1084
1085 /// Receive an unencrypted verification event.
1086 ///
1087 /// This method can be used to pass verification events that are happening
1088 /// in unencrypted rooms to the `OlmMachine`.
1089 ///
1090 /// **Note**: This has been deprecated.
1091 pub fn receive_unencrypted_verification_event(
1092 &self,
1093 event: String,
1094 room_id: String,
1095 ) -> Result<(), CryptoStoreError> {
1096 self.receive_verification_event(event, room_id)
1097 }
1098
1099 /// Receive a verification event.
1100 ///
1101 /// This method can be used to pass verification events that are happening
1102 /// in rooms to the `OlmMachine`. The event should be in the decrypted form.
1103 pub fn receive_verification_event(
1104 &self,
1105 event: String,
1106 room_id: String,
1107 ) -> Result<(), CryptoStoreError> {
1108 let room_id = RoomId::parse(room_id)?;
1109 let event: AnySyncMessageLikeEvent = serde_json::from_str(&event)?;
1110
1111 let event = event.into_full_event(room_id);
1112
1113 self.runtime.block_on(self.inner.receive_verification_event(&event))?;
1114
1115 Ok(())
1116 }
1117
1118 /// Get all the verification requests that we share with the given user.
1119 ///
1120 /// # Arguments
1121 ///
1122 /// * `user_id` - The ID of the user for which we would like to fetch the
1123 /// verification requests.
1124 pub fn get_verification_requests(&self, user_id: String) -> Vec<Arc<VerificationRequest>> {
1125 let Ok(user_id) = UserId::parse(user_id) else {
1126 return vec![];
1127 };
1128
1129 self.inner
1130 .get_verification_requests(&user_id)
1131 .into_iter()
1132 .map(|v| {
1133 VerificationRequest { inner: v, runtime: self.runtime.handle().to_owned() }.into()
1134 })
1135 .collect()
1136 }
1137
1138 /// Get a verification requests that we share with the given user with the
1139 /// given flow id.
1140 ///
1141 /// # Arguments
1142 ///
1143 /// * `user_id` - The ID of the user for which we would like to fetch the
1144 /// verification requests.
1145 ///
1146 /// * `flow_id` - The ID that uniquely identifies the verification flow.
1147 pub fn get_verification_request(
1148 &self,
1149 user_id: String,
1150 flow_id: String,
1151 ) -> Option<Arc<VerificationRequest>> {
1152 let user_id = UserId::parse(user_id).ok()?;
1153
1154 self.inner.get_verification_request(&user_id, flow_id).map(|v| {
1155 VerificationRequest { inner: v, runtime: self.runtime.handle().to_owned() }.into()
1156 })
1157 }
1158
1159 /// Get an m.key.verification.request content for the given user.
1160 ///
1161 /// # Arguments
1162 ///
1163 /// * `user_id` - The ID of the user which we would like to request to
1164 /// verify.
1165 ///
1166 /// * `methods` - The list of verification methods we want to advertise to
1167 /// support.
1168 pub fn verification_request_content(
1169 &self,
1170 user_id: String,
1171 methods: Vec<String>,
1172 ) -> Result<Option<String>, CryptoStoreError> {
1173 let user_id = parse_user_id(&user_id)?;
1174
1175 let identity = self.runtime.block_on(self.inner.get_identity(&user_id, None))?;
1176
1177 let methods = methods.into_iter().map(VerificationMethod::from).collect();
1178
1179 Ok(if let Some(identity) = identity.and_then(|i| i.other()) {
1180 let content = identity.verification_request_content(Some(methods));
1181 Some(serde_json::to_string(&content)?)
1182 } else {
1183 None
1184 })
1185 }
1186
1187 /// Request a verification flow to begin with the given user in the given
1188 /// room.
1189 ///
1190 /// # Arguments
1191 ///
1192 /// * `user_id` - The ID of the user which we would like to request to
1193 /// verify.
1194 ///
1195 /// * `room_id` - The ID of the room that represents a DM with the given
1196 /// user.
1197 ///
1198 /// * `event_id` - The event ID of the `m.key.verification.request` event
1199 /// that we sent out to request the verification to begin. The content for
1200 /// this request can be created using the [verification_request_content()]
1201 /// method.
1202 ///
1203 /// * `methods` - The list of verification methods we advertised as
1204 /// supported in the `m.key.verification.request` event.
1205 ///
1206 /// [verification_request_content()]: Self::verification_request_content
1207 pub fn request_verification(
1208 &self,
1209 user_id: String,
1210 room_id: String,
1211 event_id: String,
1212 methods: Vec<String>,
1213 ) -> Result<Option<Arc<VerificationRequest>>, CryptoStoreError> {
1214 let user_id = parse_user_id(&user_id)?;
1215 let event_id = EventId::parse(event_id)?;
1216 let room_id = RoomId::parse(room_id)?;
1217
1218 let identity = self.runtime.block_on(self.inner.get_identity(&user_id, None))?;
1219
1220 let methods = methods.into_iter().map(VerificationMethod::from).collect();
1221
1222 Ok(if let Some(identity) = identity.and_then(|i| i.other()) {
1223 let request = identity.request_verification(&room_id, &event_id, Some(methods));
1224
1225 Some(
1226 VerificationRequest { inner: request, runtime: self.runtime.handle().to_owned() }
1227 .into(),
1228 )
1229 } else {
1230 None
1231 })
1232 }
1233
1234 /// Request a verification flow to begin with the given user's device.
1235 ///
1236 /// # Arguments
1237 ///
1238 /// * `user_id` - The ID of the user which we would like to request to
1239 /// verify.
1240 ///
1241 /// * `device_id` - The ID of the device that we wish to verify.
1242 ///
1243 /// * `methods` - The list of verification methods we advertised as
1244 /// supported in the `m.key.verification.request` event.
1245 pub fn request_verification_with_device(
1246 &self,
1247 user_id: String,
1248 device_id: String,
1249 methods: Vec<String>,
1250 ) -> Result<Option<RequestVerificationResult>, CryptoStoreError> {
1251 let user_id = parse_user_id(&user_id)?;
1252 let device_id = device_id.as_str().into();
1253
1254 let methods = methods.into_iter().map(VerificationMethod::from).collect();
1255
1256 Ok(
1257 if let Some(device) =
1258 self.runtime.block_on(self.inner.get_device(&user_id, device_id, None))?
1259 {
1260 let (verification, request) = device.request_verification_with_methods(methods);
1261
1262 Some(RequestVerificationResult {
1263 verification: VerificationRequest {
1264 inner: verification,
1265 runtime: self.runtime.handle().to_owned(),
1266 }
1267 .into(),
1268 request: request.into(),
1269 })
1270 } else {
1271 None
1272 },
1273 )
1274 }
1275
1276 /// Request a verification flow to begin with our other devices.
1277 ///
1278 /// # Arguments
1279 ///
1280 /// `methods` - The list of verification methods we want to advertise to
1281 /// support.
1282 pub fn request_self_verification(
1283 &self,
1284 methods: Vec<String>,
1285 ) -> Result<Option<RequestVerificationResult>, CryptoStoreError> {
1286 let identity =
1287 self.runtime.block_on(self.inner.get_identity(self.inner.user_id(), None))?;
1288
1289 let methods = methods.into_iter().map(VerificationMethod::from).collect();
1290
1291 Ok(if let Some(identity) = identity.and_then(|i| i.own()) {
1292 let (verification, request) =
1293 self.runtime.block_on(identity.request_verification_with_methods(methods))?;
1294 Some(RequestVerificationResult {
1295 verification: VerificationRequest {
1296 inner: verification,
1297 runtime: self.runtime.handle().to_owned(),
1298 }
1299 .into(),
1300 request: request.into(),
1301 })
1302 } else {
1303 None
1304 })
1305 }
1306
1307 /// Get a verification flow object for the given user with the given flow
1308 /// id.
1309 ///
1310 /// # Arguments
1311 ///
1312 /// * `user_id` - The ID of the user for which we would like to fetch the
1313 /// verification.
1314 ///
1315 /// * `flow_id` - The ID that uniquely identifies the verification flow.
1316 pub fn get_verification(&self, user_id: String, flow_id: String) -> Option<Arc<Verification>> {
1317 let user_id = UserId::parse(user_id).ok()?;
1318
1319 self.inner
1320 .get_verification(&user_id, &flow_id)
1321 .map(|v| Verification { inner: v, runtime: self.runtime.handle().to_owned() }.into())
1322 }
1323
1324 /// Start short auth string verification with a device without going
1325 /// through a verification request first.
1326 ///
1327 /// **Note**: This has been largely deprecated and the
1328 /// [request_verification_with_device()] method should be used instead.
1329 ///
1330 /// # Arguments
1331 ///
1332 /// * `user_id` - The ID of the user for which we would like to start the
1333 /// SAS verification.
1334 ///
1335 /// * `device_id` - The ID of device we would like to verify.
1336 ///
1337 /// [request_verification_with_device()]: Self::request_verification_with_device
1338 pub fn start_sas_with_device(
1339 &self,
1340 user_id: String,
1341 device_id: String,
1342 ) -> Result<Option<StartSasResult>, CryptoStoreError> {
1343 let user_id = parse_user_id(&user_id)?;
1344 let device_id = device_id.as_str().into();
1345
1346 Ok(
1347 if let Some(device) =
1348 self.runtime.block_on(self.inner.get_device(&user_id, device_id, None))?
1349 {
1350 let (sas, request) = self.runtime.block_on(device.start_verification())?;
1351
1352 Some(StartSasResult {
1353 sas: Sas { inner: Box::new(sas), runtime: self.runtime.handle().to_owned() }
1354 .into(),
1355 request: request.into(),
1356 })
1357 } else {
1358 None
1359 },
1360 )
1361 }
1362
1363 /// Create a new private cross signing identity and create a request to
1364 /// upload the public part of it to the server.
1365 pub fn bootstrap_cross_signing(&self) -> Result<BootstrapCrossSigningResult, CryptoStoreError> {
1366 Ok(self.runtime.block_on(self.inner.bootstrap_cross_signing(true))?.into())
1367 }
1368
1369 /// Export all our private cross signing keys.
1370 ///
1371 /// The export will contain the seed for the ed25519 keys as a base64
1372 /// encoded string.
1373 ///
1374 /// This method returns `None` if we don't have any private cross signing
1375 /// keys.
1376 pub fn export_cross_signing_keys(
1377 &self,
1378 ) -> Result<Option<CrossSigningKeyExport>, CryptoStoreError> {
1379 Ok(self.runtime.block_on(self.inner.export_cross_signing_keys())?.map(|e| e.into()))
1380 }
1381
1382 /// Import our private cross signing keys.
1383 ///
1384 /// The export needs to contain the seed for the ed25519 keys as a base64
1385 /// encoded string.
1386 pub fn import_cross_signing_keys(
1387 &self,
1388 export: CrossSigningKeyExport,
1389 ) -> Result<(), SecretImportError> {
1390 self.runtime.block_on(self.inner.import_cross_signing_keys(export.into()))?;
1391
1392 Ok(())
1393 }
1394
1395 /// Request missing local secrets from our devices (cross signing private
1396 /// keys, megolm backup). This will ask the sdk to create outgoing
1397 /// request to get the missing secrets.
1398 ///
1399 /// The requests will be processed as soon as `outgoing_requests()` is
1400 /// called to process them.
1401 pub fn query_missing_secrets_from_other_sessions(&self) -> Result<bool, CryptoStoreError> {
1402 Ok(self.runtime.block_on(self.inner.query_missing_secrets_from_other_sessions())?)
1403 }
1404
1405 /// Activate the given backup key to be used with the given backup version.
1406 ///
1407 /// **Warning**: The caller needs to make sure that the given `BackupKey` is
1408 /// trusted, otherwise we might be encrypting room keys that a malicious
1409 /// party could decrypt.
1410 ///
1411 /// The [`OlmMachine::verify_backup`] method can be used to so.
1412 pub fn enable_backup_v1(
1413 &self,
1414 key: MegolmV1BackupKey,
1415 version: String,
1416 ) -> Result<(), DecodeError> {
1417 let backup_key = RustBackupKey::from_base64(&key.public_key)?;
1418 backup_key.set_version(version);
1419
1420 self.runtime.block_on(self.inner.backup_machine().enable_backup_v1(backup_key))?;
1421
1422 Ok(())
1423 }
1424
1425 /// Are we able to encrypt room keys.
1426 ///
1427 /// This returns true if we have an active `BackupKey` and backup version
1428 /// registered with the state machine.
1429 pub fn backup_enabled(&self) -> bool {
1430 self.runtime.block_on(self.inner.backup_machine().enabled())
1431 }
1432
1433 /// Disable and reset our backup state.
1434 ///
1435 /// This will remove any pending backup request, remove the backup key and
1436 /// reset the backup state of each room key we have.
1437 pub fn disable_backup(&self) -> Result<(), CryptoStoreError> {
1438 Ok(self.runtime.block_on(self.inner.backup_machine().disable_backup())?)
1439 }
1440
1441 /// Encrypt a batch of room keys and return a request that needs to be sent
1442 /// out to backup the room keys.
1443 pub fn backup_room_keys(&self) -> Result<Option<Request>, CryptoStoreError> {
1444 let request = self.runtime.block_on(self.inner.backup_machine().backup())?;
1445
1446 let request = request.map(|r| r.into());
1447
1448 Ok(request)
1449 }
1450
1451 /// Get the number of backed up room keys and the total number of room keys.
1452 pub fn room_key_counts(&self) -> Result<RoomKeyCounts, CryptoStoreError> {
1453 Ok(self.runtime.block_on(self.inner.backup_machine().room_key_counts())?.into())
1454 }
1455
1456 /// Store the recovery key in the crypto store.
1457 ///
1458 /// This is useful if the client wants to support gossiping of the backup
1459 /// key.
1460 pub fn save_recovery_key(
1461 &self,
1462 key: Option<Arc<BackupRecoveryKey>>,
1463 version: Option<String>,
1464 ) -> Result<(), CryptoStoreError> {
1465 let key = key.map(|k| {
1466 // We need to clone here due to FFI limitations but RecoveryKey does
1467 // not want to expose clone since it's private key material.
1468 let mut encoded = k.to_base64();
1469 let key = BackupDecryptionKey::from_base64(&encoded)
1470 .expect("Encoding and decoding from base64 should always work");
1471 encoded.zeroize();
1472 key
1473 });
1474 Ok(self.runtime.block_on(self.inner.backup_machine().save_decryption_key(key, version))?)
1475 }
1476
1477 /// Get the backup keys we have saved in our crypto store.
1478 pub fn get_backup_keys(&self) -> Result<Option<Arc<BackupKeys>>, CryptoStoreError> {
1479 Ok(self
1480 .runtime
1481 .block_on(self.inner.backup_machine().get_backup_keys())?
1482 .try_into()
1483 .ok()
1484 .map(Arc::new))
1485 }
1486
1487 /// Sign the given message using our device key and if available cross
1488 /// signing master key.
1489 pub fn sign(
1490 &self,
1491 message: String,
1492 ) -> Result<HashMap<String, HashMap<String, String>>, CryptoStoreError> {
1493 Ok(self
1494 .runtime
1495 .block_on(self.inner.sign(&message))?
1496 .into_iter()
1497 .map(|(k, v)| {
1498 (
1499 k.to_string(),
1500 v.into_iter()
1501 .map(|(k, v)| {
1502 (
1503 k.to_string(),
1504 match v {
1505 Ok(s) => s.to_base64(),
1506 Err(i) => i.source,
1507 },
1508 )
1509 })
1510 .collect(),
1511 )
1512 })
1513 .collect())
1514 }
1515
1516 /// Check if the given backup has been verified by us or by another of our
1517 /// devices that we trust.
1518 ///
1519 /// The `backup_info` should be a JSON encoded object with the following
1520 /// format:
1521 ///
1522 /// ```json
1523 /// {
1524 /// "algorithm": "m.megolm_backup.v1.curve25519-aes-sha2",
1525 /// "auth_data": {
1526 /// "public_key":"XjhWTCjW7l59pbfx9tlCBQolfnIQWARoKOzjTOPSlWM",
1527 /// "signatures": {}
1528 /// }
1529 /// }
1530 /// ```
1531 pub fn verify_backup(
1532 &self,
1533 backup_info: String,
1534 ) -> Result<SignatureVerification, CryptoStoreError> {
1535 let backup_info = serde_json::from_str(&backup_info)?;
1536
1537 Ok(self
1538 .runtime
1539 .block_on(self.inner.backup_machine().verify_backup(backup_info, false))?
1540 .into())
1541 }
1542
1543 /// Manage dehydrated devices.
1544 pub fn dehydrated_devices(&self) -> Arc<DehydratedDevices> {
1545 DehydratedDevices {
1546 inner: ManuallyDrop::new(self.inner.dehydrated_devices()),
1547 runtime: self.runtime.handle().to_owned(),
1548 }
1549 .into()
1550 }
1551}
1552
1553impl OlmMachine {
1554 fn import_room_keys_helper(
1555 &self,
1556 keys: Vec<ExportedRoomKey>,
1557 from_backup_version: Option<&str>,
1558 progress_listener: Box<dyn ProgressListener>,
1559 ) -> Result<KeysImportResult, KeyImportError> {
1560 let listener = |progress: usize, total: usize| {
1561 progress_listener.on_progress(progress as i32, total as i32)
1562 };
1563
1564 let result = self.runtime.block_on(self.inner.store().import_room_keys(
1565 keys,
1566 from_backup_version,
1567 listener,
1568 ))?;
1569
1570 Ok(KeysImportResult {
1571 imported: result.imported_count as i64,
1572 total: result.total_count as i64,
1573 keys: result
1574 .keys
1575 .into_iter()
1576 .map(|(r, m)| {
1577 (
1578 r.to_string(),
1579 m.into_iter().map(|(s, k)| (s, k.into_iter().collect())).collect(),
1580 )
1581 })
1582 .collect(),
1583 })
1584 }
1585}