matrix_sdk_crypto_ffi/machine.rs
1use std::{
2 collections::{BTreeMap, HashMap},
3 io::Cursor,
4 mem::ManuallyDrop,
5 ops::Deref,
6 sync::Arc,
7 time::Duration,
8};
9
10use js_int::UInt;
11use matrix_sdk_common::deserialized_responses::AlgorithmInfo;
12use matrix_sdk_crypto::{
13 backups::{
14 MegolmV1BackupKey as RustBackupKey, SignatureState,
15 SignatureVerification as RustSignatureCheckResult,
16 },
17 decrypt_room_key_export, encrypt_room_key_export,
18 olm::ExportedRoomKey,
19 store::types::{BackupDecryptionKey, Changes},
20 types::requests::ToDeviceRequest,
21 CollectStrategy, DecryptionSettings, LocalTrust, OlmMachine as InnerMachine,
22 UserIdentity as SdkUserIdentity,
23};
24use ruma::{
25 api::{
26 client::{
27 backup::add_backup_keys::v3::Response as KeysBackupResponse,
28 keys::{
29 claim_keys::v3::Response as KeysClaimResponse,
30 get_keys::v3::Response as KeysQueryResponse,
31 upload_keys::v3::Response as KeysUploadResponse,
32 upload_signatures::v3::Response as SignatureUploadResponse,
33 },
34 message::send_message_event::v3::Response as RoomMessageResponse,
35 sync::sync_events::{v3::ToDevice, DeviceLists as RumaDeviceLists},
36 to_device::send_event_to_device::v3::Response as ToDeviceResponse,
37 },
38 IncomingResponse,
39 },
40 events::{
41 key::verification::VerificationMethod, room::message::MessageType, AnyMessageLikeEvent,
42 AnySyncMessageLikeEvent, AnyTimelineEvent, MessageLikeEvent,
43 },
44 serde::Raw,
45 to_device::DeviceIdOrAllDevices,
46 DeviceKeyAlgorithm, EventId, OneTimeKeyAlgorithm, OwnedTransactionId, OwnedUserId, RoomId,
47 UserId,
48};
49use serde::{Deserialize, Serialize};
50use serde_json::{value::RawValue, Value};
51use tokio::runtime::Runtime;
52use zeroize::Zeroize;
53
54use crate::{
55 dehydrated_devices::DehydratedDevices,
56 error::{CryptoStoreError, DecryptionError, SecretImportError, SignatureError},
57 parse_user_id,
58 responses::{response_from_string, OwnedResponse},
59 BackupKeys, BackupRecoveryKey, BootstrapCrossSigningResult, CrossSigningKeyExport,
60 CrossSigningStatus, DecodeError, DecryptedEvent, Device, DeviceLists, EncryptionSettings,
61 EventEncryptionAlgorithm, KeyImportError, KeysImportResult, MegolmV1BackupKey,
62 ProgressListener, Request, RequestType, RequestVerificationResult, RoomKeyCounts, RoomSettings,
63 Sas, SignatureUploadRequest, StartSasResult, UserIdentity, Verification, VerificationRequest,
64};
65
66/// The return value for the [`OlmMachine::receive_sync_changes()`] method.
67///
68/// Will contain various information about the `/sync` changes the
69/// [`OlmMachine`] processed.
70#[derive(uniffi::Record)]
71pub struct SyncChangesResult {
72 /// The, now possibly decrypted, to-device events the [`OlmMachine`]
73 /// received, decrypted, and processed.
74 to_device_events: Vec<String>,
75
76 /// Information about the room keys that were extracted out of the to-device
77 /// events.
78 room_key_infos: Vec<RoomKeyInfo>,
79}
80
81/// Information on a room key that has been received or imported.
82#[derive(uniffi::Record)]
83pub struct RoomKeyInfo {
84 /// The [messaging algorithm] that this key is used for. Will be one of the
85 /// `m.megolm.*` algorithms.
86 ///
87 /// [messaging algorithm]: https://spec.matrix.org/v1.6/client-server-api/#messaging-algorithms
88 pub algorithm: String,
89
90 /// The room where the key is used.
91 pub room_id: String,
92
93 /// The Curve25519 key of the device which initiated the session originally.
94 pub sender_key: String,
95
96 /// The ID of the session that the key is for.
97 pub session_id: String,
98}
99
100impl From<matrix_sdk_crypto::store::types::RoomKeyInfo> for RoomKeyInfo {
101 fn from(value: matrix_sdk_crypto::store::types::RoomKeyInfo) -> Self {
102 Self {
103 algorithm: value.algorithm.to_string(),
104 room_id: value.room_id.to_string(),
105 sender_key: value.sender_key.to_base64(),
106 session_id: value.session_id,
107 }
108 }
109}
110
111/// A high level state machine that handles E2EE for Matrix.
112#[derive(uniffi::Object)]
113pub struct OlmMachine {
114 pub(crate) inner: ManuallyDrop<InnerMachine>,
115 pub(crate) runtime: Runtime,
116}
117
118impl Drop for OlmMachine {
119 fn drop(&mut self) {
120 // Dropping the inner OlmMachine must happen within a tokio context
121 // because deadpool drops sqlite connections in the DB pool on tokio's
122 // blocking threadpool to avoid blocking async worker threads.
123 let _guard = self.runtime.enter();
124 // SAFETY: self.inner is never used again, which is the only requirement
125 // for ManuallyDrop::drop to be used safely.
126 unsafe {
127 ManuallyDrop::drop(&mut self.inner);
128 }
129 }
130}
131
132/// A pair of outgoing room key requests, both of those are sendToDevice
133/// requests.
134#[derive(uniffi::Record)]
135pub struct KeyRequestPair {
136 /// The optional cancellation, this is None if no previous key request was
137 /// sent out for this key, thus it doesn't need to be cancelled.
138 pub cancellation: Option<Request>,
139 /// The actual key request.
140 pub key_request: Request,
141}
142
143/// The result of a signature verification of a signed JSON object.
144#[derive(Clone, Debug, PartialEq, Eq, uniffi::Record)]
145pub struct SignatureVerification {
146 /// The result of the signature verification using the public key of our own
147 /// device.
148 pub device_signature: SignatureState,
149 /// The result of the signature verification using the public key of our own
150 /// user identity.
151 pub user_identity_signature: SignatureState,
152 /// The result of the signature verification using public keys of other
153 /// devices we own.
154 pub other_devices_signatures: HashMap<String, SignatureState>,
155 /// Is the signed JSON object trusted.
156 ///
157 /// This flag tells us if the result has a valid signature from any of the
158 /// following:
159 ///
160 /// * Our own device
161 /// * Our own user identity, provided the identity is trusted as well
162 /// * Any of our own devices, provided the device is trusted as well
163 pub trusted: bool,
164}
165
166impl From<RustSignatureCheckResult> for SignatureVerification {
167 fn from(r: RustSignatureCheckResult) -> Self {
168 let trusted = r.trusted();
169
170 Self {
171 device_signature: r.device_signature,
172 user_identity_signature: r.user_identity_signature,
173 other_devices_signatures: r
174 .other_signatures
175 .into_iter()
176 .map(|(k, v)| (k.to_string(), v))
177 .collect(),
178 trusted,
179 }
180 }
181}
182
183#[matrix_sdk_ffi_macros::export]
184impl OlmMachine {
185 /// Create a new `OlmMachine`
186 ///
187 /// # Arguments
188 ///
189 /// * `user_id` - The unique ID of the user that owns this machine.
190 ///
191 /// * `device_id` - The unique ID of the device that owns this machine.
192 ///
193 /// * `path` - The path where the state of the machine should be persisted.
194 ///
195 /// * `passphrase` - The passphrase that should be used to encrypt the data
196 /// at rest in the crypto store. **Warning**, if no passphrase is given,
197 /// the store and all its data will remain unencrypted.
198 #[uniffi::constructor]
199 pub fn new(
200 user_id: String,
201 device_id: String,
202 path: String,
203 mut passphrase: Option<String>,
204 ) -> Result<Arc<Self>, CryptoStoreError> {
205 let user_id = parse_user_id(&user_id)?;
206 let device_id = device_id.as_str().into();
207 let runtime = Runtime::new().expect("Couldn't create a tokio runtime");
208
209 let store = runtime
210 .block_on(matrix_sdk_sqlite::SqliteCryptoStore::open(path, passphrase.as_deref()))?;
211
212 passphrase.zeroize();
213
214 let inner = runtime.block_on(InnerMachine::with_store(
215 &user_id,
216 device_id,
217 Arc::new(store),
218 None,
219 ))?;
220
221 Ok(Arc::new(OlmMachine { inner: ManuallyDrop::new(inner), runtime }))
222 }
223
224 /// Get the user ID of the owner of this `OlmMachine`.
225 pub fn user_id(&self) -> String {
226 self.inner.user_id().to_string()
227 }
228
229 /// Get the device ID of the device of this `OlmMachine`.
230 pub fn device_id(&self) -> String {
231 self.inner.device_id().to_string()
232 }
233
234 /// Get our own identity keys.
235 pub fn identity_keys(&self) -> HashMap<String, String> {
236 let identity_keys = self.inner.identity_keys();
237 let curve_key = identity_keys.curve25519.to_base64();
238 let ed25519_key = identity_keys.ed25519.to_base64();
239
240 HashMap::from([("ed25519".to_owned(), ed25519_key), ("curve25519".to_owned(), curve_key)])
241 }
242
243 /// Get the status of the private cross signing keys.
244 ///
245 /// This can be used to check which private cross signing keys we have
246 /// stored locally.
247 pub fn cross_signing_status(&self) -> CrossSigningStatus {
248 self.runtime.block_on(self.inner.cross_signing_status()).into()
249 }
250
251 /// Get a cross signing user identity for the given user ID.
252 ///
253 /// # Arguments
254 ///
255 /// * `user_id` - The unique id of the user that the identity belongs to
256 ///
257 /// * `timeout` - The time in seconds we should wait before returning if the
258 /// user's device list has been marked as stale. Passing a 0 as the
259 /// timeout means that we won't wait at all. **Note**, this assumes that
260 /// the requests from [`OlmMachine::outgoing_requests`] are being
261 /// processed and sent out. Namely, this waits for a `/keys/query`
262 /// response to be received.
263 pub fn get_identity(
264 &self,
265 user_id: String,
266 timeout: u32,
267 ) -> Result<Option<UserIdentity>, CryptoStoreError> {
268 let user_id = parse_user_id(&user_id)?;
269
270 let timeout = if timeout == 0 { None } else { Some(Duration::from_secs(timeout.into())) };
271
272 Ok(
273 if let Some(identity) =
274 self.runtime.block_on(self.inner.get_identity(&user_id, timeout))?
275 {
276 Some(self.runtime.block_on(UserIdentity::from_rust(identity))?)
277 } else {
278 None
279 },
280 )
281 }
282
283 /// Check if a user identity is considered to be verified by us.
284 pub fn is_identity_verified(&self, user_id: String) -> Result<bool, CryptoStoreError> {
285 let user_id = parse_user_id(&user_id)?;
286
287 Ok(
288 if let Some(identity) =
289 self.runtime.block_on(self.inner.get_identity(&user_id, None))?
290 {
291 identity.is_verified()
292 } else {
293 false
294 },
295 )
296 }
297
298 /// Manually the user with the given user ID.
299 ///
300 /// This method will attempt to sign the user identity using either our
301 /// private cross signing key, for other user identities, or our device keys
302 /// for our own user identity.
303 ///
304 /// This method can fail if we don't have the private part of our
305 /// user-signing key.
306 ///
307 /// Returns a request that needs to be sent out for the user identity to be
308 /// marked as verified.
309 pub fn verify_identity(
310 &self,
311 user_id: String,
312 ) -> Result<SignatureUploadRequest, SignatureError> {
313 let user_id = UserId::parse(user_id)?;
314
315 let user_identity = self.runtime.block_on(self.inner.get_identity(&user_id, None))?;
316
317 if let Some(user_identity) = user_identity {
318 Ok(match user_identity {
319 SdkUserIdentity::Own(i) => self.runtime.block_on(i.verify())?,
320 SdkUserIdentity::Other(i) => self.runtime.block_on(i.verify())?,
321 }
322 .into())
323 } else {
324 Err(SignatureError::UnknownUserIdentity(user_id.to_string()))
325 }
326 }
327
328 /// Get a `Device` from the store.
329 ///
330 /// # Arguments
331 ///
332 /// * `user_id` - The id of the device owner.
333 ///
334 /// * `device_id` - The id of the device itself.
335 ///
336 /// * `timeout` - The time in seconds we should wait before returning if the
337 /// user's device list has been marked as stale. Passing a 0 as the
338 /// timeout means that we won't wait at all. **Note**, this assumes that
339 /// the requests from [`OlmMachine::outgoing_requests`] are being
340 /// processed and sent out. Namely, this waits for a `/keys/query`
341 /// response to be received.
342 pub fn get_device(
343 &self,
344 user_id: String,
345 device_id: String,
346 timeout: u32,
347 ) -> Result<Option<Device>, CryptoStoreError> {
348 let user_id = parse_user_id(&user_id)?;
349
350 let timeout = if timeout == 0 { None } else { Some(Duration::from_secs(timeout.into())) };
351
352 Ok(self
353 .runtime
354 .block_on(self.inner.get_device(&user_id, device_id.as_str().into(), timeout))?
355 .map(|d| d.into()))
356 }
357
358 /// Manually verify the device of the given user with the given device ID.
359 ///
360 /// This method will attempt to sign the device using our private cross
361 /// signing key.
362 ///
363 /// This method will always fail if the device belongs to someone else, we
364 /// can only sign our own devices.
365 ///
366 /// It can also fail if we don't have the private part of our self-signing
367 /// key.
368 ///
369 /// Returns a request that needs to be sent out for the device to be marked
370 /// as verified.
371 pub fn verify_device(
372 &self,
373 user_id: String,
374 device_id: String,
375 ) -> Result<SignatureUploadRequest, SignatureError> {
376 let user_id = UserId::parse(user_id)?;
377 let device = self.runtime.block_on(self.inner.get_device(
378 &user_id,
379 device_id.as_str().into(),
380 None,
381 ))?;
382
383 if let Some(device) = device {
384 Ok(self.runtime.block_on(device.verify())?.into())
385 } else {
386 Err(SignatureError::UnknownDevice(user_id, device_id))
387 }
388 }
389
390 /// Set local trust state for the device of the given user without creating
391 /// or uploading any signatures if verified
392 pub fn set_local_trust(
393 &self,
394 user_id: String,
395 device_id: String,
396 trust_state: LocalTrust,
397 ) -> Result<(), CryptoStoreError> {
398 let user_id = parse_user_id(&user_id)?;
399
400 let device = self.runtime.block_on(self.inner.get_device(
401 &user_id,
402 device_id.as_str().into(),
403 None,
404 ))?;
405
406 if let Some(device) = device {
407 self.runtime.block_on(device.set_local_trust(trust_state))?;
408 }
409
410 Ok(())
411 }
412
413 /// Get all devices of an user.
414 ///
415 /// # Arguments
416 ///
417 /// * `user_id` - The id of the device owner.
418 ///
419 /// * `timeout` - The time in seconds we should wait before returning if the
420 /// user's device list has been marked as stale. Passing a 0 as the
421 /// timeout means that we won't wait at all. **Note**, this assumes that
422 /// the requests from [`OlmMachine::outgoing_requests`] are being
423 /// processed and sent out. Namely, this waits for a `/keys/query`
424 /// response to be received.
425 pub fn get_user_devices(
426 &self,
427 user_id: String,
428 timeout: u32,
429 ) -> Result<Vec<Device>, CryptoStoreError> {
430 let user_id = parse_user_id(&user_id)?;
431
432 let timeout = if timeout == 0 { None } else { Some(Duration::from_secs(timeout.into())) };
433 Ok(self
434 .runtime
435 .block_on(self.inner.get_user_devices(&user_id, timeout))?
436 .devices()
437 .map(|d| d.into())
438 .collect())
439 }
440
441 /// Get the list of outgoing requests that need to be sent to the
442 /// homeserver.
443 ///
444 /// After the request was sent out and a successful response was received
445 /// the response body should be passed back to the state machine using the
446 /// [mark_request_as_sent()](Self::mark_request_as_sent) method.
447 ///
448 /// **Note**: This method call should be locked per call.
449 pub fn outgoing_requests(&self) -> Result<Vec<Request>, CryptoStoreError> {
450 Ok(self
451 .runtime
452 .block_on(self.inner.outgoing_requests())?
453 .into_iter()
454 .map(|r| r.into())
455 .collect())
456 }
457
458 /// Mark a request that was sent to the server as sent.
459 ///
460 /// # Arguments
461 ///
462 /// * `request_id` - The unique ID of the request that was sent out. This
463 /// needs to be an UUID.
464 ///
465 /// * `request_type` - The type of the request that was sent out.
466 ///
467 /// * `response_body` - The body of the response that was received.
468 pub fn mark_request_as_sent(
469 &self,
470 request_id: String,
471 request_type: RequestType,
472 response_body: String,
473 ) -> Result<(), CryptoStoreError> {
474 let id: OwnedTransactionId = request_id.into();
475
476 let response = response_from_string(&response_body);
477
478 let response: OwnedResponse = match request_type {
479 RequestType::KeysUpload => {
480 KeysUploadResponse::try_from_http_response(response).map(Into::into)
481 }
482 RequestType::KeysQuery => {
483 KeysQueryResponse::try_from_http_response(response).map(Into::into)
484 }
485 RequestType::ToDevice => {
486 ToDeviceResponse::try_from_http_response(response).map(Into::into)
487 }
488 RequestType::KeysClaim => {
489 KeysClaimResponse::try_from_http_response(response).map(Into::into)
490 }
491 RequestType::SignatureUpload => {
492 SignatureUploadResponse::try_from_http_response(response).map(Into::into)
493 }
494 RequestType::KeysBackup => {
495 KeysBackupResponse::try_from_http_response(response).map(Into::into)
496 }
497 RequestType::RoomMessage => {
498 RoomMessageResponse::try_from_http_response(response).map(Into::into)
499 }
500 }
501 .expect("Can't convert json string to response");
502
503 self.runtime.block_on(self.inner.mark_request_as_sent(&id, &response))?;
504
505 Ok(())
506 }
507
508 /// Let the state machine know about E2EE related sync changes that we
509 /// received from the server.
510 ///
511 /// This needs to be called after every sync, ideally before processing
512 /// any other sync changes.
513 ///
514 /// # Arguments
515 ///
516 /// * `events` - A serialized array of to-device events we received in the
517 /// current sync response.
518 ///
519 /// * `device_changes` - The list of devices that have changed in some way
520 /// since the previous sync.
521 ///
522 /// * `key_counts` - The map of uploaded one-time key types and counts.
523 pub fn receive_sync_changes(
524 &self,
525 events: String,
526 device_changes: DeviceLists,
527 key_counts: HashMap<String, i32>,
528 unused_fallback_keys: Option<Vec<String>>,
529 next_batch_token: String,
530 decryption_settings: &DecryptionSettings,
531 ) -> Result<SyncChangesResult, CryptoStoreError> {
532 let to_device: ToDevice = serde_json::from_str(&events)?;
533 let device_changes: RumaDeviceLists = device_changes.into();
534 let key_counts: BTreeMap<OneTimeKeyAlgorithm, UInt> = key_counts
535 .into_iter()
536 .map(|(k, v)| {
537 (
538 OneTimeKeyAlgorithm::from(k),
539 v.clamp(0, i32::MAX)
540 .try_into()
541 .expect("Couldn't convert key counts into an UInt"),
542 )
543 })
544 .collect();
545
546 let unused_fallback_keys: Option<Vec<OneTimeKeyAlgorithm>> =
547 unused_fallback_keys.map(|u| u.into_iter().map(OneTimeKeyAlgorithm::from).collect());
548
549 let (to_device_events, room_key_infos) =
550 self.runtime.block_on(self.inner.receive_sync_changes(
551 matrix_sdk_crypto::EncryptionSyncChanges {
552 to_device_events: to_device.events,
553 changed_devices: &device_changes,
554 one_time_keys_counts: &key_counts,
555 unused_fallback_keys: unused_fallback_keys.as_deref(),
556 next_batch_token: Some(next_batch_token),
557 },
558 decryption_settings,
559 ))?;
560
561 let to_device_events = to_device_events
562 .into_iter()
563 .map(|event| event.to_raw().json().get().to_owned())
564 .collect();
565 let room_key_infos = room_key_infos.into_iter().map(|info| info.into()).collect();
566
567 Ok(SyncChangesResult { to_device_events, room_key_infos })
568 }
569
570 /// Add the given list of users to be tracked, triggering a key query
571 /// request for them.
572 ///
573 /// The OlmMachine maintains a list of users whose devices we are keeping
574 /// track of: these are known as "tracked users". These must be users
575 /// that we share a room with, so that the server sends us updates for
576 /// their device lists.
577 ///
578 /// *Note*: Only users that aren't already tracked will be considered for an
579 /// update. It's safe to call this with already tracked users, it won't
580 /// result in excessive `/keys/query` requests.
581 ///
582 /// # Arguments
583 ///
584 /// `users` - The users that should be queued up for a key query.
585 pub fn update_tracked_users(&self, users: Vec<String>) -> Result<(), CryptoStoreError> {
586 let users: Vec<OwnedUserId> =
587 users.into_iter().filter_map(|u| UserId::parse(u).ok()).collect();
588
589 self.runtime.block_on(self.inner.update_tracked_users(users.iter().map(Deref::deref)))?;
590
591 Ok(())
592 }
593
594 /// Check if the given user is considered to be tracked.
595 ///
596 /// A user can be marked for tracking using the
597 /// [`OlmMachine::update_tracked_users()`] method.
598 pub fn is_user_tracked(&self, user_id: String) -> Result<bool, CryptoStoreError> {
599 let user_id = parse_user_id(&user_id)?;
600 Ok(self.runtime.block_on(self.inner.tracked_users())?.contains(&user_id))
601 }
602
603 /// Generate one-time key claiming requests for all the users we are missing
604 /// sessions for.
605 ///
606 /// After the request was sent out and a successful response was received
607 /// the response body should be passed back to the state machine using the
608 /// [mark_request_as_sent()](Self::mark_request_as_sent) method.
609 ///
610 /// This method should be called every time before a call to
611 /// [`share_room_key()`](Self::share_room_key) is made.
612 ///
613 /// # Arguments
614 ///
615 /// * `users` - The list of users for which we would like to establish 1:1
616 /// Olm sessions for.
617 pub fn get_missing_sessions(
618 &self,
619 users: Vec<String>,
620 ) -> Result<Option<Request>, CryptoStoreError> {
621 let users: Vec<OwnedUserId> =
622 users.into_iter().filter_map(|u| UserId::parse(u).ok()).collect();
623
624 Ok(self
625 .runtime
626 .block_on(self.inner.get_missing_sessions(users.iter().map(Deref::deref)))?
627 .map(|r| r.into()))
628 }
629
630 /// Get the stored room settings, such as the encryption algorithm or
631 /// whether to encrypt only for trusted devices.
632 ///
633 /// These settings can be modified via
634 /// [set_room_algorithm()](Self::set_room_algorithm) and
635 /// [set_room_only_allow_trusted_devices()](Self::set_room_only_allow_trusted_devices)
636 /// methods.
637 pub fn get_room_settings(
638 &self,
639 room_id: String,
640 ) -> Result<Option<RoomSettings>, CryptoStoreError> {
641 let room_id = RoomId::parse(room_id)?;
642 let settings = self
643 .runtime
644 .block_on(self.inner.store().get_room_settings(&room_id))?
645 .map(|v| v.try_into())
646 .transpose()?;
647 Ok(settings)
648 }
649
650 /// Set the room algorithm used for encrypting messages to one of the
651 /// available variants
652 pub fn set_room_algorithm(
653 &self,
654 room_id: String,
655 algorithm: EventEncryptionAlgorithm,
656 ) -> Result<(), CryptoStoreError> {
657 let room_id = RoomId::parse(room_id)?;
658 self.runtime.block_on(async move {
659 let mut settings =
660 self.inner.store().get_room_settings(&room_id).await?.unwrap_or_default();
661 settings.algorithm = algorithm.into();
662 self.inner
663 .store()
664 .save_changes(Changes {
665 room_settings: HashMap::from([(room_id, settings)]),
666 ..Default::default()
667 })
668 .await?;
669 Ok(())
670 })
671 }
672
673 /// Set flag whether this room should encrypt messages for untrusted
674 /// devices, or whether they should be excluded from the conversation.
675 ///
676 /// Note that per-room setting may be overridden by a global
677 /// [set_only_allow_trusted_devices()](Self::set_only_allow_trusted_devices)
678 /// method.
679 pub fn set_room_only_allow_trusted_devices(
680 &self,
681 room_id: String,
682 only_allow_trusted_devices: bool,
683 ) -> Result<(), CryptoStoreError> {
684 let room_id = RoomId::parse(room_id)?;
685 self.runtime.block_on(async move {
686 let mut settings =
687 self.inner.store().get_room_settings(&room_id).await?.unwrap_or_default();
688 settings.only_allow_trusted_devices = only_allow_trusted_devices;
689 self.inner
690 .store()
691 .save_changes(Changes {
692 room_settings: HashMap::from([(room_id, settings)]),
693 ..Default::default()
694 })
695 .await?;
696 Ok(())
697 })
698 }
699
700 /// Check whether there is a global flag to only encrypt messages for
701 /// trusted devices or for everyone.
702 ///
703 /// Note that if the global flag is false, individual rooms may still be
704 /// encrypting only for trusted devices, depending on the per-room
705 /// `only_allow_trusted_devices` flag.
706 pub fn get_only_allow_trusted_devices(&self) -> Result<bool, CryptoStoreError> {
707 let block = self.runtime.block_on(self.inner.store().get_only_allow_trusted_devices())?;
708 Ok(block)
709 }
710
711 /// Set global flag whether to encrypt messages for untrusted devices, or
712 /// whether they should be excluded from the conversation.
713 ///
714 /// Note that if enabled, it will override any per-room settings.
715 pub fn set_only_allow_trusted_devices(
716 &self,
717 only_allow_trusted_devices: bool,
718 ) -> Result<(), CryptoStoreError> {
719 self.runtime.block_on(
720 self.inner.store().set_only_allow_trusted_devices(only_allow_trusted_devices),
721 )?;
722 Ok(())
723 }
724
725 /// Share a room key with the given list of users for the given room.
726 ///
727 /// After the request was sent out and a successful response was received
728 /// the response body should be passed back to the state machine using the
729 /// [mark_request_as_sent()](Self::mark_request_as_sent) method.
730 ///
731 /// This method should be called every time before a call to
732 /// [`encrypt()`](Self::encrypt) with the given `room_id` is made.
733 ///
734 /// # Arguments
735 ///
736 /// * `room_id` - The unique id of the room, note that this doesn't strictly
737 /// need to be a Matrix room, it just needs to be an unique identifier for
738 /// the group that will participate in the conversation.
739 ///
740 /// * `users` - The list of users which are considered to be members of the
741 /// room and should receive the room key.
742 ///
743 /// * `settings` - The settings that should be used for the room key.
744 pub fn share_room_key(
745 &self,
746 room_id: String,
747 users: Vec<String>,
748 settings: EncryptionSettings,
749 ) -> Result<Vec<Request>, CryptoStoreError> {
750 let users: Vec<OwnedUserId> =
751 users.into_iter().filter_map(|u| UserId::parse(u).ok()).collect();
752
753 let room_id = RoomId::parse(room_id)?;
754 let requests = self.runtime.block_on(self.inner.share_room_key(
755 &room_id,
756 users.iter().map(Deref::deref),
757 settings,
758 ))?;
759
760 Ok(requests.into_iter().map(|r| r.as_ref().into()).collect())
761 }
762
763 /// Encrypt the given event with the given type and content for the given
764 /// room.
765 ///
766 /// **Note**: A room key needs to be shared with the group of users that are
767 /// members in the given room. If this is not done this method will panic.
768 ///
769 /// The usual flow to encrypt an event using this state machine is as
770 /// follows:
771 ///
772 /// 1. Get the one-time key claim request to establish 1:1 Olm sessions for
773 /// the room members of the room we wish to participate in. This is done
774 /// using the [`get_missing_sessions()`](Self::get_missing_sessions)
775 /// method. This method call should be locked per call.
776 ///
777 /// 2. Share a room key with all the room members using the
778 /// [`share_room_key()`](Self::share_room_key). This method call should
779 /// be locked per room.
780 ///
781 /// 3. Encrypt the event using this method.
782 ///
783 /// 4. Send the encrypted event to the server.
784 ///
785 /// After the room key is shared steps 1 and 2 will become noops, unless
786 /// there's some changes in the room membership or in the list of devices a
787 /// member has.
788 ///
789 /// # Arguments
790 ///
791 /// * `room_id` - The unique id of the room where the event will be sent to.
792 ///
793 /// * `even_type` - The type of the event.
794 ///
795 /// * `content` - The serialized content of the event.
796 pub fn encrypt(
797 &self,
798 room_id: String,
799 event_type: String,
800 content: String,
801 ) -> Result<String, CryptoStoreError> {
802 let room_id = RoomId::parse(room_id)?;
803 let content = serde_json::from_str(&content)?;
804
805 let encrypted_content = self
806 .runtime
807 .block_on(self.inner.encrypt_room_event_raw(&room_id, &event_type, &content))
808 .expect("Encrypting an event produced an error");
809
810 Ok(serde_json::to_string(&encrypted_content)?)
811 }
812
813 /// Encrypt the given event with the given type and content for the given
814 /// device. This method is used to send an event to a specific device.
815 ///
816 /// # Arguments
817 ///
818 /// * `user_id` - The ID of the user who owns the target device.
819 /// * `device_id` - The ID of the device to which the message will be sent.
820 /// * `event_type` - The event type.
821 /// * `content` - The serialized content of the event.
822 ///
823 /// # Returns
824 /// A `Result` containing the request to be sent out if the encryption was
825 /// successful. If the device is not found, the result will be `Ok(None)`.
826 ///
827 /// The caller should ensure that there is an olm session (see
828 /// `get_missing_sessions`) with the target device before calling this
829 /// method.
830 pub fn create_encrypted_to_device_request(
831 &self,
832 user_id: String,
833 device_id: String,
834 event_type: String,
835 content: String,
836 share_strategy: CollectStrategy,
837 ) -> Result<Option<Request>, CryptoStoreError> {
838 let user_id = parse_user_id(&user_id)?;
839 let device_id = device_id.as_str().into();
840 let content = serde_json::from_str(&content)?;
841
842 let device = self.runtime.block_on(self.inner.get_device(&user_id, device_id, None))?;
843
844 if let Some(device) = device {
845 let encrypted_content = self.runtime.block_on(device.encrypt_event_raw(
846 &event_type,
847 &content,
848 share_strategy,
849 ))?;
850
851 let request = ToDeviceRequest::new(
852 user_id.as_ref(),
853 DeviceIdOrAllDevices::DeviceId(device_id.to_owned()),
854 "m.room.encrypted",
855 encrypted_content.cast(),
856 );
857
858 Ok(Some(request.into()))
859 } else {
860 Ok(None)
861 }
862 }
863
864 /// Decrypt the given event that was sent in the given room.
865 ///
866 /// # Arguments
867 ///
868 /// * `event` - The serialized encrypted version of the event.
869 ///
870 /// * `room_id` - The unique id of the room where the event was sent to.
871 ///
872 /// * `handle_verification_events` - if the supplied event is a verification
873 /// event, use it to update the verification state. **Note**: it is
874 /// recommended to avoid setting this flag to true and use the explicit
875 /// [`OlmMachine::receive_verification_event`] method instead:
876 /// verification events sometimes need preparation before we can handle
877 /// them: see the documentation for
878 /// [`OlmMachine::receive_verification_event`].
879 ///
880 /// * `strict_shields` - If `true`, messages will be decorated with strict
881 /// warnings (use `false` to match legacy behaviour where unsafe keys have
882 /// lower severity warnings and unverified identities are not decorated).
883 ///
884 /// * `decryption_settings` - The setting for decrypting messages.
885 pub fn decrypt_room_event(
886 &self,
887 event: String,
888 room_id: String,
889 handle_verification_events: bool,
890 strict_shields: bool,
891 decryption_settings: DecryptionSettings,
892 ) -> Result<DecryptedEvent, DecryptionError> {
893 // Element Android wants only the content and the type and will create a
894 // decrypted event with those two itself, this struct makes sure we
895 // throw away all the other fields.
896 #[derive(Deserialize, Serialize)]
897 struct Event<'a> {
898 #[serde(rename = "type")]
899 event_type: String,
900 #[serde(borrow)]
901 content: &'a RawValue,
902 }
903
904 let event: Raw<_> = serde_json::from_str(&event)?;
905 let room_id = RoomId::parse(room_id)?;
906
907 let decrypted = self.runtime.block_on(self.inner.decrypt_room_event(
908 &event,
909 &room_id,
910 &decryption_settings,
911 ))?;
912
913 if handle_verification_events {
914 if let Ok(AnyTimelineEvent::MessageLike(e)) = decrypted.event.deserialize() {
915 match &e {
916 AnyMessageLikeEvent::RoomMessage(MessageLikeEvent::Original(
917 original_event,
918 )) => {
919 if let MessageType::VerificationRequest(_) = &original_event.content.msgtype
920 {
921 self.runtime.block_on(self.inner.receive_verification_event(&e))?;
922 }
923 }
924 _ if e.event_type().to_string().starts_with("m.key.verification") => {
925 self.runtime.block_on(self.inner.receive_verification_event(&e))?;
926 }
927 _ => (),
928 }
929 }
930 }
931
932 let encryption_info = decrypted.encryption_info;
933
934 let event_json: Event<'_> = serde_json::from_str(decrypted.event.json().get())?;
935
936 Ok(match &encryption_info.algorithm_info {
937 AlgorithmInfo::MegolmV1AesSha2 {
938 curve25519_key,
939 sender_claimed_keys,
940 session_id: _,
941 } => DecryptedEvent {
942 clear_event: serde_json::to_string(&event_json)?,
943 sender_curve25519_key: curve25519_key.to_owned(),
944 claimed_ed25519_key: sender_claimed_keys.get(&DeviceKeyAlgorithm::Ed25519).cloned(),
945 forwarding_curve25519_chain: vec![],
946 shield_state: if strict_shields {
947 encryption_info.verification_state.to_shield_state_strict().into()
948 } else {
949 encryption_info.verification_state.to_shield_state_lax().into()
950 },
951 },
952 AlgorithmInfo::OlmV1Curve25519AesSha2 { .. } => {
953 // cannot happen because `decrypt_room_event` would have fail to decrypt olm for
954 // a room (EventError::UnsupportedAlgorithm)
955 panic!("Unsupported olm algorithm in room")
956 }
957 })
958 }
959
960 /// Request or re-request a room key that was used to encrypt the given
961 /// event.
962 ///
963 /// # Arguments
964 ///
965 /// * `event` - The undecryptable event that we would wish to request a room
966 /// key for.
967 ///
968 /// * `room_id` - The id of the room the event was sent to.
969 pub fn request_room_key(
970 &self,
971 event: String,
972 room_id: String,
973 ) -> Result<KeyRequestPair, DecryptionError> {
974 let event: Raw<_> = serde_json::from_str(&event)?;
975 let room_id = RoomId::parse(room_id)?;
976
977 let (cancel, request) =
978 self.runtime.block_on(self.inner.request_room_key(&event, &room_id))?;
979
980 let cancellation = cancel.map(|r| r.into());
981 let key_request = request.into();
982
983 Ok(KeyRequestPair { cancellation, key_request })
984 }
985
986 /// Export all of our room keys.
987 ///
988 /// # Arguments
989 ///
990 /// * `passphrase` - The passphrase that should be used to encrypt the key
991 /// export.
992 ///
993 /// * `rounds` - The number of rounds that should be used when expanding the
994 /// passphrase into an key.
995 pub fn export_room_keys(
996 &self,
997 passphrase: String,
998 rounds: i32,
999 ) -> Result<String, CryptoStoreError> {
1000 let keys = self.runtime.block_on(self.inner.store().export_room_keys(|_| true))?;
1001
1002 let encrypted = encrypt_room_key_export(&keys, &passphrase, rounds as u32)
1003 .map_err(CryptoStoreError::Serialization)?;
1004
1005 Ok(encrypted)
1006 }
1007
1008 /// Import room keys from the given serialized key export.
1009 ///
1010 /// # Arguments
1011 ///
1012 /// * `keys` - The serialized version of the key export.
1013 ///
1014 /// * `passphrase` - The passphrase that was used to encrypt the key export.
1015 ///
1016 /// * `progress_listener` - A callback that can be used to introspect the
1017 /// progress of the key import.
1018 pub fn import_room_keys(
1019 &self,
1020 keys: String,
1021 passphrase: String,
1022 progress_listener: Box<dyn ProgressListener>,
1023 ) -> Result<KeysImportResult, KeyImportError> {
1024 let keys = Cursor::new(keys);
1025 let keys = decrypt_room_key_export(keys, &passphrase)?;
1026 self.import_room_keys_helper(keys, None, progress_listener)
1027 }
1028
1029 /// Import room keys from the given serialized unencrypted key export.
1030 ///
1031 /// This method is the same as [`OlmMachine::import_room_keys`] but the
1032 /// decryption step is skipped and should be performed by the caller. This
1033 /// should be used if the room keys are coming from the server-side backup,
1034 /// the method will mark all imported room keys as backed up.
1035 ///
1036 /// **Note**: This has been deprecated. Use
1037 /// [`OlmMachine::import_room_keys_from_backup`] instead.
1038 ///
1039 /// # Arguments
1040 ///
1041 /// * `keys` - The serialized version of the unencrypted key export.
1042 ///
1043 /// * `progress_listener` - A callback that can be used to introspect the
1044 /// progress of the key import.
1045 pub fn import_decrypted_room_keys(
1046 &self,
1047 keys: String,
1048 progress_listener: Box<dyn ProgressListener>,
1049 ) -> Result<KeysImportResult, KeyImportError> {
1050 // Assume that the keys came from the current backup version.
1051 let backup_version = self.runtime.block_on(self.inner.backup_machine().backup_version());
1052 let keys: Vec<Value> = serde_json::from_str(&keys)?;
1053 let keys = keys.into_iter().map(serde_json::from_value).filter_map(|k| k.ok()).collect();
1054 self.import_room_keys_helper(keys, backup_version.as_deref(), progress_listener)
1055 }
1056
1057 /// Import room keys from the given serialized unencrypted key export.
1058 ///
1059 /// This method is the same as [`OlmMachine::import_room_keys`] but the
1060 /// decryption step is skipped and should be performed by the caller. This
1061 /// should be used if the room keys are coming from the server-side backup.
1062 /// The method will mark all imported room keys as backed up.
1063 ///
1064 /// # Arguments
1065 ///
1066 /// * `keys` - The serialized version of the unencrypted key export.
1067 ///
1068 /// * `backup_version` - The version of the backup that these keys came
1069 /// from.
1070 ///
1071 /// * `progress_listener` - A callback that can be used to introspect the
1072 /// progress of the key import.
1073 pub fn import_room_keys_from_backup(
1074 &self,
1075 keys: String,
1076 backup_version: String,
1077 progress_listener: Box<dyn ProgressListener>,
1078 ) -> Result<KeysImportResult, KeyImportError> {
1079 let keys: Vec<Value> = serde_json::from_str(&keys)?;
1080 let keys = keys.into_iter().map(serde_json::from_value).filter_map(|k| k.ok()).collect();
1081 self.import_room_keys_helper(keys, Some(&backup_version), progress_listener)
1082 }
1083
1084 /// Discard the currently active room key for the given room if there is
1085 /// one.
1086 pub fn discard_room_key(&self, room_id: String) -> Result<(), CryptoStoreError> {
1087 let room_id = RoomId::parse(room_id)?;
1088
1089 self.runtime.block_on(self.inner.discard_room_key(&room_id))?;
1090
1091 Ok(())
1092 }
1093
1094 /// Receive an unencrypted verification event.
1095 ///
1096 /// This method can be used to pass verification events that are happening
1097 /// in unencrypted rooms to the `OlmMachine`.
1098 ///
1099 /// **Note**: This has been deprecated.
1100 pub fn receive_unencrypted_verification_event(
1101 &self,
1102 event: String,
1103 room_id: String,
1104 ) -> Result<(), CryptoStoreError> {
1105 self.receive_verification_event(event, room_id)
1106 }
1107
1108 /// Receive a verification event.
1109 ///
1110 /// This method can be used to pass verification events that are happening
1111 /// in rooms to the `OlmMachine`. The event should be in the decrypted form.
1112 ///
1113 /// **Note**: If the supplied event is an `m.room.message` event with
1114 /// `msgtype: m.key.verification.request`, then the device information for
1115 /// the sending user must be up-to-date before calling this method
1116 /// (otherwise, the request will be ignored). It is hard to guarantee this
1117 /// is the case, but you can maximize your chances by explicitly making a
1118 /// request to /keys/query for the user's device info, and processing the
1119 /// response with [`OlmMachine::mark_request_as_sent`].
1120 pub fn receive_verification_event(
1121 &self,
1122 event: String,
1123 room_id: String,
1124 ) -> Result<(), CryptoStoreError> {
1125 let room_id = RoomId::parse(room_id)?;
1126 let event: AnySyncMessageLikeEvent = serde_json::from_str(&event)?;
1127
1128 let event = event.into_full_event(room_id);
1129
1130 self.runtime.block_on(self.inner.receive_verification_event(&event))?;
1131
1132 Ok(())
1133 }
1134
1135 /// Get all the verification requests that we share with the given user.
1136 ///
1137 /// # Arguments
1138 ///
1139 /// * `user_id` - The ID of the user for which we would like to fetch the
1140 /// verification requests.
1141 pub fn get_verification_requests(&self, user_id: String) -> Vec<Arc<VerificationRequest>> {
1142 let Ok(user_id) = UserId::parse(user_id) else {
1143 return vec![];
1144 };
1145
1146 self.inner
1147 .get_verification_requests(&user_id)
1148 .into_iter()
1149 .map(|v| {
1150 VerificationRequest { inner: v, runtime: self.runtime.handle().to_owned() }.into()
1151 })
1152 .collect()
1153 }
1154
1155 /// Get a verification requests that we share with the given user with the
1156 /// given flow id.
1157 ///
1158 /// # Arguments
1159 ///
1160 /// * `user_id` - The ID of the user for which we would like to fetch the
1161 /// verification requests.
1162 ///
1163 /// * `flow_id` - The ID that uniquely identifies the verification flow.
1164 pub fn get_verification_request(
1165 &self,
1166 user_id: String,
1167 flow_id: String,
1168 ) -> Option<Arc<VerificationRequest>> {
1169 let user_id = UserId::parse(user_id).ok()?;
1170
1171 self.inner.get_verification_request(&user_id, flow_id).map(|v| {
1172 VerificationRequest { inner: v, runtime: self.runtime.handle().to_owned() }.into()
1173 })
1174 }
1175
1176 /// Get an m.key.verification.request content for the given user.
1177 ///
1178 /// # Arguments
1179 ///
1180 /// * `user_id` - The ID of the user which we would like to request to
1181 /// verify.
1182 ///
1183 /// * `methods` - The list of verification methods we want to advertise to
1184 /// support.
1185 pub fn verification_request_content(
1186 &self,
1187 user_id: String,
1188 methods: Vec<String>,
1189 ) -> Result<Option<String>, CryptoStoreError> {
1190 let user_id = parse_user_id(&user_id)?;
1191
1192 let identity = self.runtime.block_on(self.inner.get_identity(&user_id, None))?;
1193
1194 let methods = methods.into_iter().map(VerificationMethod::from).collect();
1195
1196 Ok(if let Some(identity) = identity.and_then(|i| i.other()) {
1197 let content = identity.verification_request_content(Some(methods));
1198 Some(serde_json::to_string(&content)?)
1199 } else {
1200 None
1201 })
1202 }
1203
1204 /// Request a verification flow to begin with the given user in the given
1205 /// room.
1206 ///
1207 /// # Arguments
1208 ///
1209 /// * `user_id` - The ID of the user which we would like to request to
1210 /// verify.
1211 ///
1212 /// * `room_id` - The ID of the room that represents a DM with the given
1213 /// user.
1214 ///
1215 /// * `event_id` - The event ID of the `m.key.verification.request` event
1216 /// that we sent out to request the verification to begin. The content for
1217 /// this request can be created using the [verification_request_content()]
1218 /// method.
1219 ///
1220 /// * `methods` - The list of verification methods we advertised as
1221 /// supported in the `m.key.verification.request` event.
1222 ///
1223 /// [verification_request_content()]: Self::verification_request_content
1224 pub fn request_verification(
1225 &self,
1226 user_id: String,
1227 room_id: String,
1228 event_id: String,
1229 methods: Vec<String>,
1230 ) -> Result<Option<Arc<VerificationRequest>>, CryptoStoreError> {
1231 let user_id = parse_user_id(&user_id)?;
1232 let event_id = EventId::parse(event_id)?;
1233 let room_id = RoomId::parse(room_id)?;
1234
1235 let identity = self.runtime.block_on(self.inner.get_identity(&user_id, None))?;
1236
1237 let methods = methods.into_iter().map(VerificationMethod::from).collect();
1238
1239 Ok(if let Some(identity) = identity.and_then(|i| i.other()) {
1240 let request = identity.request_verification(&room_id, &event_id, Some(methods));
1241
1242 Some(
1243 VerificationRequest { inner: request, runtime: self.runtime.handle().to_owned() }
1244 .into(),
1245 )
1246 } else {
1247 None
1248 })
1249 }
1250
1251 /// Request a verification flow to begin with the given user's device.
1252 ///
1253 /// # Arguments
1254 ///
1255 /// * `user_id` - The ID of the user which we would like to request to
1256 /// verify.
1257 ///
1258 /// * `device_id` - The ID of the device that we wish to verify.
1259 ///
1260 /// * `methods` - The list of verification methods we advertised as
1261 /// supported in the `m.key.verification.request` event.
1262 pub fn request_verification_with_device(
1263 &self,
1264 user_id: String,
1265 device_id: String,
1266 methods: Vec<String>,
1267 ) -> Result<Option<RequestVerificationResult>, CryptoStoreError> {
1268 let user_id = parse_user_id(&user_id)?;
1269 let device_id = device_id.as_str().into();
1270
1271 let methods = methods.into_iter().map(VerificationMethod::from).collect();
1272
1273 Ok(
1274 if let Some(device) =
1275 self.runtime.block_on(self.inner.get_device(&user_id, device_id, None))?
1276 {
1277 let (verification, request) = device.request_verification_with_methods(methods);
1278
1279 Some(RequestVerificationResult {
1280 verification: VerificationRequest {
1281 inner: verification,
1282 runtime: self.runtime.handle().to_owned(),
1283 }
1284 .into(),
1285 request: request.into(),
1286 })
1287 } else {
1288 None
1289 },
1290 )
1291 }
1292
1293 /// Request a verification flow to begin with our other devices.
1294 ///
1295 /// # Arguments
1296 ///
1297 /// `methods` - The list of verification methods we want to advertise to
1298 /// support.
1299 pub fn request_self_verification(
1300 &self,
1301 methods: Vec<String>,
1302 ) -> Result<Option<RequestVerificationResult>, CryptoStoreError> {
1303 let identity =
1304 self.runtime.block_on(self.inner.get_identity(self.inner.user_id(), None))?;
1305
1306 let methods = methods.into_iter().map(VerificationMethod::from).collect();
1307
1308 Ok(if let Some(identity) = identity.and_then(|i| i.own()) {
1309 let (verification, request) =
1310 self.runtime.block_on(identity.request_verification_with_methods(methods))?;
1311 Some(RequestVerificationResult {
1312 verification: VerificationRequest {
1313 inner: verification,
1314 runtime: self.runtime.handle().to_owned(),
1315 }
1316 .into(),
1317 request: request.into(),
1318 })
1319 } else {
1320 None
1321 })
1322 }
1323
1324 /// Get a verification flow object for the given user with the given flow
1325 /// id.
1326 ///
1327 /// # Arguments
1328 ///
1329 /// * `user_id` - The ID of the user for which we would like to fetch the
1330 /// verification.
1331 ///
1332 /// * `flow_id` - The ID that uniquely identifies the verification flow.
1333 pub fn get_verification(&self, user_id: String, flow_id: String) -> Option<Arc<Verification>> {
1334 let user_id = UserId::parse(user_id).ok()?;
1335
1336 self.inner
1337 .get_verification(&user_id, &flow_id)
1338 .map(|v| Verification { inner: v, runtime: self.runtime.handle().to_owned() }.into())
1339 }
1340
1341 /// Start short auth string verification with a device without going
1342 /// through a verification request first.
1343 ///
1344 /// **Note**: This has been largely deprecated and the
1345 /// [request_verification_with_device()] method should be used instead.
1346 ///
1347 /// # Arguments
1348 ///
1349 /// * `user_id` - The ID of the user for which we would like to start the
1350 /// SAS verification.
1351 ///
1352 /// * `device_id` - The ID of device we would like to verify.
1353 ///
1354 /// [request_verification_with_device()]: Self::request_verification_with_device
1355 pub fn start_sas_with_device(
1356 &self,
1357 user_id: String,
1358 device_id: String,
1359 ) -> Result<Option<StartSasResult>, CryptoStoreError> {
1360 let user_id = parse_user_id(&user_id)?;
1361 let device_id = device_id.as_str().into();
1362
1363 Ok(
1364 if let Some(device) =
1365 self.runtime.block_on(self.inner.get_device(&user_id, device_id, None))?
1366 {
1367 let (sas, request) = self.runtime.block_on(device.start_verification())?;
1368
1369 Some(StartSasResult {
1370 sas: Sas { inner: Box::new(sas), runtime: self.runtime.handle().to_owned() }
1371 .into(),
1372 request: request.into(),
1373 })
1374 } else {
1375 None
1376 },
1377 )
1378 }
1379
1380 /// Create a new private cross signing identity and create a request to
1381 /// upload the public part of it to the server.
1382 pub fn bootstrap_cross_signing(&self) -> Result<BootstrapCrossSigningResult, CryptoStoreError> {
1383 Ok(self.runtime.block_on(self.inner.bootstrap_cross_signing(true))?.into())
1384 }
1385
1386 /// Export all our private cross signing keys.
1387 ///
1388 /// The export will contain the seed for the ed25519 keys as a base64
1389 /// encoded string.
1390 ///
1391 /// This method returns `None` if we don't have any private cross signing
1392 /// keys.
1393 pub fn export_cross_signing_keys(
1394 &self,
1395 ) -> Result<Option<CrossSigningKeyExport>, CryptoStoreError> {
1396 Ok(self.runtime.block_on(self.inner.export_cross_signing_keys())?.map(|e| e.into()))
1397 }
1398
1399 /// Import our private cross signing keys.
1400 ///
1401 /// The export needs to contain the seed for the ed25519 keys as a base64
1402 /// encoded string.
1403 pub fn import_cross_signing_keys(
1404 &self,
1405 export: CrossSigningKeyExport,
1406 ) -> Result<(), SecretImportError> {
1407 self.runtime.block_on(self.inner.import_cross_signing_keys(export.into()))?;
1408
1409 Ok(())
1410 }
1411
1412 /// Request missing local secrets from our devices (cross signing private
1413 /// keys, megolm backup). This will ask the sdk to create outgoing
1414 /// request to get the missing secrets.
1415 ///
1416 /// The requests will be processed as soon as `outgoing_requests()` is
1417 /// called to process them.
1418 pub fn query_missing_secrets_from_other_sessions(&self) -> Result<bool, CryptoStoreError> {
1419 Ok(self.runtime.block_on(self.inner.query_missing_secrets_from_other_sessions())?)
1420 }
1421
1422 /// Activate the given backup key to be used with the given backup version.
1423 ///
1424 /// **Warning**: The caller needs to make sure that the given `BackupKey` is
1425 /// trusted, otherwise we might be encrypting room keys that a malicious
1426 /// party could decrypt.
1427 ///
1428 /// The [`OlmMachine::verify_backup`] method can be used to so.
1429 pub fn enable_backup_v1(
1430 &self,
1431 key: MegolmV1BackupKey,
1432 version: String,
1433 ) -> Result<(), DecodeError> {
1434 let backup_key = RustBackupKey::from_base64(&key.public_key)?;
1435 backup_key.set_version(version);
1436
1437 self.runtime.block_on(self.inner.backup_machine().enable_backup_v1(backup_key))?;
1438
1439 Ok(())
1440 }
1441
1442 /// Are we able to encrypt room keys.
1443 ///
1444 /// This returns true if we have an active `BackupKey` and backup version
1445 /// registered with the state machine.
1446 pub fn backup_enabled(&self) -> bool {
1447 self.runtime.block_on(self.inner.backup_machine().enabled())
1448 }
1449
1450 /// Disable and reset our backup state.
1451 ///
1452 /// This will remove any pending backup request, remove the backup key and
1453 /// reset the backup state of each room key we have.
1454 pub fn disable_backup(&self) -> Result<(), CryptoStoreError> {
1455 Ok(self.runtime.block_on(self.inner.backup_machine().disable_backup())?)
1456 }
1457
1458 /// Encrypt a batch of room keys and return a request that needs to be sent
1459 /// out to backup the room keys.
1460 pub fn backup_room_keys(&self) -> Result<Option<Request>, CryptoStoreError> {
1461 let request = self.runtime.block_on(self.inner.backup_machine().backup())?;
1462
1463 let request = request.map(|r| r.into());
1464
1465 Ok(request)
1466 }
1467
1468 /// Get the number of backed up room keys and the total number of room keys.
1469 pub fn room_key_counts(&self) -> Result<RoomKeyCounts, CryptoStoreError> {
1470 Ok(self.runtime.block_on(self.inner.backup_machine().room_key_counts())?.into())
1471 }
1472
1473 /// Store the recovery key in the crypto store.
1474 ///
1475 /// This is useful if the client wants to support gossiping of the backup
1476 /// key.
1477 pub fn save_recovery_key(
1478 &self,
1479 key: Option<Arc<BackupRecoveryKey>>,
1480 version: Option<String>,
1481 ) -> Result<(), CryptoStoreError> {
1482 let key = key.map(|k| {
1483 // We need to clone here due to FFI limitations but RecoveryKey does
1484 // not want to expose clone since it's private key material.
1485 let mut encoded = k.to_base64();
1486 let key = BackupDecryptionKey::from_base64(&encoded)
1487 .expect("Encoding and decoding from base64 should always work");
1488 encoded.zeroize();
1489 key
1490 });
1491 Ok(self.runtime.block_on(self.inner.backup_machine().save_decryption_key(key, version))?)
1492 }
1493
1494 /// Get the backup keys we have saved in our crypto store.
1495 pub fn get_backup_keys(&self) -> Result<Option<Arc<BackupKeys>>, CryptoStoreError> {
1496 Ok(self
1497 .runtime
1498 .block_on(self.inner.backup_machine().get_backup_keys())?
1499 .try_into()
1500 .ok()
1501 .map(Arc::new))
1502 }
1503
1504 /// Sign the given message using our device key and if available cross
1505 /// signing master key.
1506 pub fn sign(
1507 &self,
1508 message: String,
1509 ) -> Result<HashMap<String, HashMap<String, String>>, CryptoStoreError> {
1510 Ok(self
1511 .runtime
1512 .block_on(self.inner.sign(&message))?
1513 .into_iter()
1514 .map(|(k, v)| {
1515 (
1516 k.to_string(),
1517 v.into_iter()
1518 .map(|(k, v)| {
1519 (
1520 k.to_string(),
1521 match v {
1522 Ok(s) => s.to_base64(),
1523 Err(i) => i.source,
1524 },
1525 )
1526 })
1527 .collect(),
1528 )
1529 })
1530 .collect())
1531 }
1532
1533 /// Check if the given backup has been verified by us or by another of our
1534 /// devices that we trust.
1535 ///
1536 /// The `backup_info` should be a JSON encoded object with the following
1537 /// format:
1538 ///
1539 /// ```json
1540 /// {
1541 /// "algorithm": "m.megolm_backup.v1.curve25519-aes-sha2",
1542 /// "auth_data": {
1543 /// "public_key":"XjhWTCjW7l59pbfx9tlCBQolfnIQWARoKOzjTOPSlWM",
1544 /// "signatures": {}
1545 /// }
1546 /// }
1547 /// ```
1548 pub fn verify_backup(
1549 &self,
1550 backup_info: String,
1551 ) -> Result<SignatureVerification, CryptoStoreError> {
1552 let backup_info = serde_json::from_str(&backup_info)?;
1553
1554 Ok(self
1555 .runtime
1556 .block_on(self.inner.backup_machine().verify_backup(backup_info, false))?
1557 .into())
1558 }
1559
1560 /// Manage dehydrated devices.
1561 pub fn dehydrated_devices(&self) -> Arc<DehydratedDevices> {
1562 DehydratedDevices {
1563 inner: ManuallyDrop::new(self.inner.dehydrated_devices()),
1564 runtime: self.runtime.handle().to_owned(),
1565 }
1566 .into()
1567 }
1568}
1569
1570impl OlmMachine {
1571 fn import_room_keys_helper(
1572 &self,
1573 keys: Vec<ExportedRoomKey>,
1574 from_backup_version: Option<&str>,
1575 progress_listener: Box<dyn ProgressListener>,
1576 ) -> Result<KeysImportResult, KeyImportError> {
1577 let listener = |progress: usize, total: usize| {
1578 progress_listener.on_progress(progress as i32, total as i32)
1579 };
1580
1581 let result = self.runtime.block_on(self.inner.store().import_room_keys(
1582 keys,
1583 from_backup_version,
1584 listener,
1585 ))?;
1586
1587 Ok(KeysImportResult {
1588 imported: result.imported_count as i64,
1589 total: result.total_count as i64,
1590 keys: result
1591 .keys
1592 .into_iter()
1593 .map(|(r, m)| {
1594 (
1595 r.to_string(),
1596 m.into_iter().map(|(s, k)| (s, k.into_iter().collect())).collect(),
1597 )
1598 })
1599 .collect(),
1600 })
1601 }
1602}