feat: upgrade OpenMLS 0.5 → 0.8 for security patches and GREASE support

Migrates all MLS code in quicprochat-core from OpenMLS 0.5 to 0.8: - StorageProvider replaces OpenMlsKeyStore (keystore.rs full rewrite) - HybridCryptoProvider updated for new OpenMlsProvider trait - Group operations updated for new API signatures - MLS state persistence via MemoryStorage serialization - tls_codec 0.3 → 0.4, openmls_traits/rust_crypto 0.2 → 0.5
2026-03-08 17:50:15 +01:00
parent 077f48f19c
commit a05da9b751
20 changed files with 1433 additions and 657 deletions
--- a/crates/quicprochat-core/src/keypackage.rs
+++ b/crates/quicprochat-core/src/keypackage.rs
@@ -17,10 +17,10 @@
 //! The resulting bytes are opaque to the quicprochat transport layer.

 use openmls::prelude::{
-    Ciphersuite, Credential, CredentialType, CredentialWithKey, CryptoConfig, KeyPackage,
-    KeyPackageIn, TlsDeserializeTrait, TlsSerializeTrait,
+    BasicCredential, Ciphersuite, CredentialWithKey, KeyPackage, KeyPackageIn,
 };
 use openmls_rust_crypto::OpenMlsRustCrypto;
+use tls_codec::{Deserialize as TlsDeserializeTrait, Serialize as TlsSerializeTrait};
 use sha2::{Digest, Sha256};

 use crate::{error::CoreError, identity::IdentityKeypair};
@@ -74,8 +74,8 @@ pub fn generate_key_package(identity: &IdentityKeypair) -> Result<(Vec<u8>, Vec<

    // Build a BasicCredential using the raw Ed25519 public key bytes as the
    // MLS identity. Per RFC 9420, any byte string may serve as the identity.
-    let credential = Credential::new(identity.public_key_bytes().to_vec(), CredentialType::Basic)
-        .map_err(|e| CoreError::Mls(format!("{e:?}")))?;
+    let credential: openmls::prelude::Credential =
+        BasicCredential::new(identity.public_key_bytes().to_vec()).into();

    // The `signature_key` in CredentialWithKey is the Ed25519 public key that
    // will be used to verify the KeyPackage's leaf node signature.
@@ -87,19 +87,13 @@ pub fn generate_key_package(identity: &IdentityKeypair) -> Result<(Vec<u8>, Vec<

    // `IdentityKeypair` implements `openmls_traits::signatures::Signer`
    // so it can be passed directly to the builder.
-    let key_package = KeyPackage::builder()
-        .build(
-            CryptoConfig::with_default_version(CIPHERSUITE),
-            &backend,
-            identity,
-            credential_with_key,
-        )
+    let key_package_bundle = KeyPackage::builder()
+        .build(CIPHERSUITE, &backend, identity, credential_with_key)
        .map_err(|e| CoreError::Mls(format!("{e:?}")))?;

-    // TLS-encode the KeyPackage using the trait from the openmls prelude.
-    // This uses tls_codec 0.3 (the same version openmls uses internally),
-    // avoiding a duplicate-trait conflict with tls_codec 0.4.
-    let tls_bytes = key_package
+    // TLS-encode the KeyPackage.
+    let tls_bytes = key_package_bundle
+        .key_package()
        .tls_serialize_detached()
        .map_err(|e| CoreError::Mls(format!("{e:?}")))?;