wireapp · coriolinus · Dec 20, 2024 · Nov 27, 2024 · Nov 27, 2024 · Nov 27, 2024
@@ -27,7 +27,7 @@ use crate::UniffiCustomTypeConverter;
 pub use core_crypto::prelude::ConversationId;
 use core_crypto::{
     prelude::{
-        ClientIdentifier, CryptoError, E2eIdentityError, EntropySeed, KeyPackageIn, KeyPackageRef,
+        ClientIdentifier, CryptoError, EntropySeed, Error, KeyPackageIn, KeyPackageRef,
         MlsBufferedConversationDecryptMessage, MlsCentral, MlsCentralConfiguration, MlsCiphersuite, MlsCommitBundle,
         MlsConversationConfiguration, MlsConversationCreationMessage, MlsConversationDecryptMessage,
         MlsConversationInitBundle, MlsCustomConfiguration, MlsGroupInfoBundle, MlsProposalBundle, MlsRotateBundle,
@@ -223,8 +223,8 @@ impl From<CryptoError> for CoreCryptoError {
     }
 }
 
-impl From<E2eIdentityError> for CoreCryptoError {
-    fn from(e: E2eIdentityError) -> Self {
+impl From<Error> for CoreCryptoError {
+    fn from(e: Error) -> Self {
         Self::E2eiError(e.to_string())
     }
 }

@@ -1,7 +1,6 @@
 use crate::{
     mls::credential::ext::CredentialExt,
-    prelude::{ConversationId, CryptoResult, MlsCentral, MlsConversation, MlsCredentialType},
-    MlsError,
+    prelude::{ConversationId, MlsCentral, MlsConversation, MlsCredentialType},
 };
 
 use mls_crypto_provider::MlsCryptoProvider;
@@ -16,6 +15,8 @@ use openmls::{
     treesync::RatchetTree,
 };
 
+use super::error::Result;
+
 /// Indicates the state of a Conversation regarding end-to-end identity.
 ///
 /// Note: this does not check pending state (pending commit, pending proposals) so it does not
@@ -34,7 +35,7 @@ pub enum E2eiConversationState {
 impl CentralContext {
     /// Indicates when to mark a conversation as not verified i.e. when not all its members have a X509
     /// Credential generated by Wire's end-to-end identity enrollment
-    pub async fn e2ei_conversation_state(&self, id: &ConversationId) -> CryptoResult<E2eiConversationState> {
+    pub async fn e2ei_conversation_state(&self, id: &ConversationId) -> Result<E2eiConversationState> {
         let conversation = self.get_conversation(id).await?;
         let conversation_guard = conversation.read().await;
         conversation_guard
@@ -43,10 +44,7 @@ impl CentralContext {
     }
 
     /// See [MlsCentral::e2ei_verify_group_state].
-    pub async fn e2ei_verify_group_state(
-        &self,
-        group_info: VerifiableGroupInfo,
-    ) -> CryptoResult<E2eiConversationState> {
+    pub async fn e2ei_verify_group_state(&self, group_info: VerifiableGroupInfo) -> Result<E2eiConversationState> {
         let mls_provider = self.mls_provider().await?;
         let auth_service = mls_provider.authentication_service();
         auth_service.refresh_time_of_interest().await;
@@ -74,16 +72,13 @@ impl CentralContext {
         &self,
         group_info: VerifiableGroupInfo,
         credential_type: MlsCredentialType,
-    ) -> CryptoResult<E2eiConversationState> {
+    ) -> Result<E2eiConversationState> {
         let cs = group_info.ciphersuite().into();
         // Not verifying the supplied the GroupInfo here could let attackers lure the clients about
         // the e2ei state of a conversation and as a consequence degrade this conversation for all
         // participants once joining it.
         // This 👇 verifies the GroupInfo and the RatchetTree btw
-        let rt = group_info
-            .take_ratchet_tree(&self.mls_provider().await?, false)
-            .await
-            .map_err(MlsError::from)?;
+        let rt = group_info.take_ratchet_tree(&self.mls_provider().await?, false).await?;
         let mls_provider = self.mls_provider().await?;
         let auth_service = mls_provider.authentication_service().borrow().await;
         get_credential_in_use_in_ratchet_tree(cs, rt, credential_type, auth_service.as_ref()).await
@@ -92,10 +87,7 @@ impl CentralContext {
 
 impl MlsCentral {
     /// Verifies a Group state before joining it
-    pub async fn e2ei_verify_group_state(
-        &self,
-        group_info: VerifiableGroupInfo,
-    ) -> CryptoResult<E2eiConversationState> {
+    pub async fn e2ei_verify_group_state(&self, group_info: VerifiableGroupInfo) -> Result<E2eiConversationState> {
         self.mls_backend
             .authentication_service()
             .refresh_time_of_interest()
@@ -128,16 +120,13 @@ impl MlsCentral {
         &self,
         group_info: VerifiableGroupInfo,
         credential_type: MlsCredentialType,
-    ) -> CryptoResult<E2eiConversationState> {
+    ) -> Result<E2eiConversationState> {
         let cs = group_info.ciphersuite().into();
         // Not verifying the supplied the GroupInfo here could let attackers lure the clients about
         // the e2ei state of a conversation and as a consequence degrade this conversation for all
         // participants once joining it.
         // This 👇 verifies the GroupInfo and the RatchetTree btw
-        let rt = group_info
-            .take_ratchet_tree(&self.mls_backend, false)
-            .await
-            .map_err(MlsError::from)?;
+        let rt = group_info.take_ratchet_tree(&self.mls_backend, false).await?;
         get_credential_in_use_in_ratchet_tree(
             cs,
             rt,
@@ -149,7 +138,7 @@ impl MlsCentral {
 }
 
 impl MlsConversation {
-    async fn e2ei_conversation_state(&self, backend: &MlsCryptoProvider) -> CryptoResult<E2eiConversationState> {
+    async fn e2ei_conversation_state(&self, backend: &MlsCryptoProvider) -> Result<E2eiConversationState> {
         backend.authentication_service().refresh_time_of_interest().await;
         Ok(compute_state(
             self.ciphersuite(),
@@ -166,7 +155,7 @@ async fn get_credential_in_use_in_ratchet_tree(
     ratchet_tree: RatchetTree,
     credential_type: MlsCredentialType,
     env: Option<&wire_e2e_identity::prelude::x509::revocation::PkiEnvironment>,
-) -> CryptoResult<E2eiConversationState> {
+) -> Result<E2eiConversationState> {
     let credentials = ratchet_tree.iter().filter_map(|n| match n {
         Some(Node::LeafNode(ln)) => Some(ln.credential()),
         _ => None,

@@ -1,5 +1,5 @@
 use super::error::*;
-use crate::{prelude::MlsCiphersuite, CryptoError, CryptoResult, MlsError};
+use crate::prelude::MlsCiphersuite;
 use mls_crypto_provider::{MlsCryptoProvider, PkiKeypair, RustCrypto};
 use openmls_basic_credential::SignatureKeyPair as OpenMlsSignatureKeyPair;
 use openmls_traits::{
@@ -14,32 +14,32 @@ impl super::E2eiEnrollment {
     pub(super) fn new_sign_key(
         ciphersuite: MlsCiphersuite,
         backend: &MlsCryptoProvider,
-    ) -> CryptoResult<E2eiSignatureKeypair> {
+    ) -> Result<E2eiSignatureKeypair> {
         let (sk, _) = backend
             .crypto()
             .signature_key_gen(ciphersuite.signature_algorithm())
-            .map_err(MlsError::from)?;
+            .map_err(Error::SignatureKeyGen)?;
         E2eiSignatureKeypair::try_new(ciphersuite.signature_algorithm(), sk)
     }
 
-    pub(super) fn get_sign_key_for_mls(&self) -> CryptoResult<Vec<u8>> {
+    pub(super) fn get_sign_key_for_mls(&self) -> Result<Vec<u8>> {
         let sk = match self.ciphersuite.signature_algorithm() {
             SignatureScheme::ECDSA_SECP256R1_SHA256 | SignatureScheme::ECDSA_SECP384R1_SHA384 => self.sign_sk.to_vec(),
             SignatureScheme::ECDSA_SECP521R1_SHA512 => RustCrypto::normalize_p521_secret_key(&self.sign_sk).to_vec(),
             SignatureScheme::ED25519 => RustCrypto::normalize_ed25519_key(self.sign_sk.as_slice())
-                .map_err(MlsError::from)?
+                .map_err(Error::NormalizingEd25519Key)?
                 .to_bytes()
                 .to_vec(),
-            SignatureScheme::ED448 => return Err(E2eIdentityError::NotYetSupported.into()),
+            SignatureScheme::ED448 => return Err(Error::NotYetSupported.into()),
         };
         Ok(sk)
     }
 }
 
 impl TryFrom<MlsCiphersuite> for JwsAlgorithm {
-    type Error = E2eIdentityError;
+    type Error = Error;
 
-    fn try_from(cs: MlsCiphersuite) -> E2eIdentityResult<Self> {
+    fn try_from(cs: MlsCiphersuite) -> Result<Self> {
         let cs = openmls_traits::types::Ciphersuite::from(cs);
         Ok(match cs {
             Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519
@@ -48,9 +48,7 @@ impl TryFrom<MlsCiphersuite> for JwsAlgorithm {
             Ciphersuite::MLS_256_DHKEMP384_AES256GCM_SHA384_P384 => JwsAlgorithm::P384,
             Ciphersuite::MLS_256_DHKEMP521_AES256GCM_SHA512_P521 => JwsAlgorithm::P521,
             Ciphersuite::MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448
-            | Ciphersuite::MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448 => {
-                return Err(E2eIdentityError::NotYetSupported)
-            }
+            | Ciphersuite::MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448 => return Err(Error::NotYetSupported),
         })
     }
 }
@@ -60,16 +58,16 @@ impl TryFrom<MlsCiphersuite> for JwsAlgorithm {
 pub struct E2eiSignatureKeypair(Vec<u8>);
 
 impl E2eiSignatureKeypair {
-    pub fn try_new(sc: SignatureScheme, sk: Vec<u8>) -> CryptoResult<Self> {
+    pub fn try_new(sc: SignatureScheme, sk: Vec<u8>) -> Result<Self> {
         let keypair = PkiKeypair::new(sc, sk)?;
         Ok(Self(keypair.signing_key_bytes()))
     }
 }
 
 impl TryFrom<&OpenMlsSignatureKeyPair> for E2eiSignatureKeypair {
-    type Error = CryptoError;
+    type Error = Error;
 
-    fn try_from(kp: &OpenMlsSignatureKeyPair) -> CryptoResult<Self> {
+    fn try_from(kp: &OpenMlsSignatureKeyPair) -> Result<Self> {
         Self::try_new(kp.signature_scheme(), kp.private().to_vec())
     }
 }
@@ -1,44 +1,49 @@
 //! Utility for clients to get the current state of E2EI when the app resumes
 
+use super::error::{Error, Result};
 use crate::context::CentralContext;
-use crate::prelude::{Client, CryptoError, CryptoResult, MlsCentral, MlsCredentialType};
+use crate::mls;
+use crate::prelude::{Client, MlsCentral, MlsCredentialType};
 use openmls_traits::types::SignatureScheme;
 
 impl CentralContext {
     /// See [MlsCentral::e2ei_is_enabled]
-    pub async fn e2ei_is_enabled(&self, signature_scheme: SignatureScheme) -> CryptoResult<bool> {
+    pub async fn e2ei_is_enabled(&self, signature_scheme: SignatureScheme) -> Result<bool> {
         let client = self.mls_client().await?;
         client.e2ei_is_enabled(signature_scheme).await
     }
 }
 
 impl MlsCentral {
     /// Returns true when end-to-end-identity is enabled for the given SignatureScheme
-    pub async fn e2ei_is_enabled(&self, signature_scheme: SignatureScheme) -> CryptoResult<bool> {
+    pub async fn e2ei_is_enabled(&self, signature_scheme: SignatureScheme) -> Result<bool> {
         self.mls_client.e2ei_is_enabled(signature_scheme).await
     }
 }
 
 impl Client {
-    async fn e2ei_is_enabled(&self, signature_scheme: SignatureScheme) -> CryptoResult<bool> {
+    async fn e2ei_is_enabled(&self, signature_scheme: SignatureScheme) -> Result<bool> {
         let x509_result = self
             .find_most_recent_credential_bundle(signature_scheme, MlsCredentialType::X509)
             .await;
         match x509_result {
-            Err(CryptoError::CredentialNotFound(MlsCredentialType::X509)) => {
+            Err(mls::client::error::Error::CredentialNotFound(MlsCredentialType::X509)) => {
                 self.find_most_recent_credential_bundle(signature_scheme, MlsCredentialType::Basic)
-                    .await?;
+                    .await
+                    .map_err(Error::mls_client(
+                        "finding most recent basic credential bundle after searching for x509",
+                    ))?;
                 Ok(false)
             }
-            Err(e) => Err(e),
+            Err(e) => Err(Error::mls_client("finding most recent x509 credential bundle")(e)),
             Ok(_) => Ok(true),
         }
     }
 }
 
 #[cfg(test)]
 mod tests {
-    use crate::{prelude::MlsCredentialType, test_utils::*, CryptoError};
+    use crate::{e2e_identity::error::Error, prelude::MlsCredentialType, test_utils::*, CryptoError};
     use openmls_traits::types::SignatureScheme;
     use wasm_bindgen_test::*;
 
@@ -66,7 +71,8 @@ mod tests {
             Box::pin(async move {
                 assert!(matches!(
                     cc.context.e2ei_is_enabled(case.signature_scheme()).await.unwrap_err(),
-                    CryptoError::MlsNotInitialized
+                    Error::CryptoError(boxed)
+                    if matches!(*boxed, CryptoError::MlsNotInitialized)
                 ));
             })
         })
@@ -85,7 +91,8 @@ mod tests {
                 };
                 assert!(matches!(
                     cc.context.e2ei_is_enabled(other_sc).await.unwrap_err(),
-                    CryptoError::CredentialNotFound(_)
+                    Error::CryptoError(boxed)
+                    if matches!(*boxed, CryptoError::CredentialNotFound(_))
                 ));
             })
         })

@@ -3,14 +3,12 @@
 use crate::prelude::MlsCredentialType;
 use core_crypto_keystore::CryptoKeystoreError;
 
-/// Wrapper over a [Result] of an end to end identity error
-pub type E2eIdentityResult<T> = Result<T, E2eIdentityError>;
+/// Wrapper over a [Result][core::result::Result] of an end to end identity error
+pub type Result<T, E = Error> = core::result::Result<T, E>;
 
 /// End to end identity errors
 #[derive(Debug, thiserror::Error)]
-#[cfg_attr(feature = "uniffi", derive(uniffi::Error))]
-#[cfg_attr(feature = "uniffi", uniffi(flat_error))]
-pub enum E2eIdentityError {
+pub enum Error {
     /// Client misused this library
     #[error("Incorrect usage of this API")]
     ImplementationError,
@@ -44,4 +42,64 @@ pub enum E2eIdentityError {
     /// We already have an ACME Root Trust Anchor registered. Cannot proceed but this is usually indicative of double registration and can be ignored
     #[error("We already have an ACME Root Trust Anchor registered. Cannot proceed but this is usually indicative of double registration and can be ignored")]
     TrustAnchorAlreadyRegistered,
+    /// Getting MLS ratchet tree
+    #[error("Getting MLS ratchet tree")]
+    MlsRatchetTree(#[from] openmls::messages::group_info::GroupInfoError),
+    /// Generating signature key
+    #[error("Generating signature key")]
+    SignatureKeyGen(#[source] openmls_traits::types::CryptoError),
+    #[error("Normalizing ed25519 key")]
+    /// Normalizing ed25519 key
+    NormalizingEd25519Key(#[source] openmls_traits::types::CryptoError),
+    #[error("Generating new PKI keypair")]
+    /// Generating new PKi keypair
+    GeneratePkiKeypair(#[from] mls_crypto_provider::MlsProviderError),
+    /// The encountered ClientId does not match Wire's definition
+    #[error("The encountered ClientId does not match Wire's definition")]
+    InvalidClientId,
+    /// see [`x509_cert::der::Error`]
+    #[error(transparent)]
+    X509CertDerError(#[from] x509_cert::der::Error),
+    /// This function accepts a list of IDs as a parameter, but that list was empty
+    #[error("This function accepts a list of IDs as a parameter, but that list was empty")]
+    EmptyInputIdList,
+    /// Getting user identities
+    #[error("Getting user identities")]
+    GetUserIdentities(#[source] crate::mls::client::error::Error),
+    /// PKI environment must ben set before calling this function
+    #[error("PKI Environment must be set before calling this function")]
+    PkiEnvironmentUnset,
+    /// Computing key package hash ref
+    #[error("Computing key package hash ref")]
+    KeyPackageHashRef(#[from] openmls::error::LibraryError),
+    /// Serializing key package for TLS
+    #[error("Serializing key package for TLS")]
+    TlsSerializingKeyPackage(#[from] tls_codec::Error),
+    /// Something in the MLS client went wrong
+    #[error("{context}")]
+    MlsClient {
+        /// What was happening when the error was thrown
+        context: &'static str,
+        /// The inner error which was produced
+        #[source]
+        source: crate::mls::client::error::Error,
+    },
+    /// Compatibility wrapper
+    ///
+    /// This should be removed before merging this branch, but it allows an easier migration path to module-specific errors.
+    #[deprecated]
+    #[error(transparent)]
+    CryptoError(Box<crate::CryptoError>),
+}
+
+impl From<crate::CryptoError> for Error {
+    fn from(value: crate::CryptoError) -> Self {
+        Self::CryptoError(Box::new(value))
+    }
+}
+
+impl Error {
+    pub(crate) fn mls_client(context: &'static str) -> impl FnOnce(crate::mls::client::error::Error) -> Self {
+        move |source| Self::MlsClient { context, source }
+    }
 }