matrix_sdk::encryption::identities

Struct Device

Source
pub struct Device { /* private fields */ }
Expand description

A device represents a E2EE capable client or device of an user.

A Device is backed by device keys that are uploaded to the server.

The device keys for our own device will be automatically uploaded by the SDK and the private parts of our device keys never leave this device.

Device keys consist of an Ed25519 keypair and a Curve25519 keypair. Only the public parts of those keypairs will be uploaded to the server.

                ┌──────────────────────────────────┐
                │              Device              │
                ├──────────────────────────────────┤
                │            Device Keys           │
                ├────────────────┬─────────────────┤
                │   Ed25519 Key  │  Curve25519 Key │
                └────────────────┴─────────────────┘

The Ed25519 key will be used to uniquely identify the Device while the Curve25519 key is used to establish 1-to-1 encrypted communication channels between two devices.

Implementations§

Source§

impl Device

Source

pub async fn request_verification(&self) -> Result<VerificationRequest>

Request an interactive verification with this Device.

Returns a VerificationRequest object that can be used to control the verification flow.

The default methods that are supported are m.sas.v1 and m.qr_code.show.v1, if this isn’t desirable the request_verification_with_methods() method can be used to override this. m.qr_code.show.v1 is only available if the qrcode feature is enabled, which it is by default.

§Examples
let device =
    client.encryption().get_device(alice, device_id!("DEVICEID")).await?;

if let Some(device) = device {
    let verification = device.request_verification().await?;
}
Source

pub async fn request_verification_with_methods( &self, methods: Vec<VerificationMethod>, ) -> Result<VerificationRequest>

Request an interactive verification with this Device.

Returns a VerificationRequest object that can be used to control the verification flow.

§Arguments
  • methods - The verification methods that we want to support. Must be non-empty.
§Panics

This method will panic if methods is empty.

§Examples
let device =
    client.encryption().get_device(alice, device_id!("DEVICEID")).await?;

// We don't want to support showing a QR code, we only support SAS
// verification
let methods = vec![VerificationMethod::SasV1];

if let Some(device) = device {
    let verification =
        device.request_verification_with_methods(methods).await?;
}
Source

pub async fn start_verification(&self) -> Result<SasVerification>

👎Deprecated since 0.4.0: directly starting a verification is deprecated in the spec. Users should instead use request_verification()

Start an interactive verification with this Device

Returns a SasVerification object that represents the interactive verification flow.

This method has been deprecated in the spec and the request_verification() method should be used instead.

§Examples
let device =
    client.encryption().get_device(alice, device_id!("DEVICEID")).await?;

if let Some(device) = device {
    let verification = device.start_verification().await?;
}
Source

pub async fn verify(&self) -> Result<(), ManualVerifyError>

Manually verify this device.

This method will attempt to sign the device using our private cross signing key.

This method will always fail if the device belongs to someone else, we can only sign our own devices.

It can also fail if we don’t have the private part of our self-signing key.

The state of our private cross signing keys can be inspected using the Encryption::cross_signing_status() method.

§Problems of manual verification

Manual verification may be more convenient to use, i.e. both devices need to be online and available to interactively verify each other. Despite the convenience, interactive verifications should be generally preferred. Manually verifying a device won’t notify the other device, the one being verified, that they should also verify us. This means that device A will consider device B to be verified, but not the other way around.

§Examples
let device =
    client.encryption().get_device(alice, device_id!("DEVICEID")).await?;

if let Some(device) = device {
    device.verify().await?;
}
Source

pub fn is_verified(&self) -> bool

Is the device considered to be verified.

A device is considered to be verified, either if it’s locally marked as such, or if it’s signed by the appropriate cross signing key. Our own device, is always implicitly verified.

§Local trust

Local trust can be established using the Device::set_local_trust() method or it will be established if we interactively verify the device using Device::request_verification().

Note: The concept of local trust is largely deprecated because it can’t be shared with other devices. Every device needs to verify all the other devices it communicates to. Because this becomes quickly unsustainable verification has migrated to cross signing verification.

§Cross signing verification

Cross signing verification uses signatures over devices and user identities to check if a device is considered to be verified. The signatures can be uploaded to the homeserver, this allows us to share the verification state with other devices. Devices only need to verify a user identity, if the user identity has verified and signed the device we can consider the device to be verified as well.

Devices are usually cross signing verified using interactive verification, which can be started using the Device::request_verification() method.

A Device can also be manually signed using the Device::verify() method, this works only for devices belonging to our own user.

Do note that the device that is being manually signed will not trust our own user identity like it would if we interactively verify the device. Such a device can mark our own user as verified using the UserIdentity::verify() method.

§Verification of devices belonging to our own user.

If the device belongs to our own user, the device will be considered to be verified if:

  • The device has been signed by our self-signing key
  • Our own user identity is considered to be verified

In other words we need to find a valid signature chain from our user identity to the device:

         ┌─────────────────────────────────────┐    ┌─────────────┐
         │           Own User Identity         │    │   Device    │
         ├──────────────────┬──────────────────┤───►├─────────────┤
         │    Master Key    │ Self-signing Key │    │ Device Keys │
         └──────────────────┴──────────────────┘    └─────────────┘
§Verification of devices belonging to other users.

If the device belongs to some other user it will be considered to be verified if:

  • The device has been signed by the user’s self-signing key
  • The user’s master-signing key has been signed by our own user-signing key, i.e. our own identity trusts the other users identity.
  • Our own user identity is considered to be verified
            ┌─────────────────────────────────────┐
            │           Own User Identity         │
            ├──────────────────┬──────────────────┤─────┐
            │    Master Key    │ User-signing Key │     │
            └──────────────────┴──────────────────┘     │
    ┌───────────────────────────────────────────────────┘
    │
    │       ┌─────────────────────────────────────┐    ┌─────────────┐
    │       │             User Identity           │    │   Device    │
    └──────►├──────────────────┬──────────────────┤───►│─────────────│
            │    Master Key    │ Self-signing Key │    │ Device Keys │
            └──────────────────┴──────────────────┘    └─────────────┘
§Examples

Let’s check if a device is verified:

let device =
    client.encryption().get_device(alice, device_id!("DEVICEID")).await?;

if let Some(device) = device {
    if device.is_verified() {
        println!(
            "Device {} of user {} is verified",
            device.device_id(),
            device.user_id(),
        );
    } else {
        println!(
            "Device {} of user {} is not verified",
            device.device_id(),
            device.user_id(),
        );
    }
}
Source

pub fn is_verified_with_cross_signing(&self) -> bool

Is the device considered to be verified with cross-signing.

A device is considered to be verified if it’s signed by the appropriate cross-signing key.

§Cross-signing verification

Cross-signing verification uses signatures over devices and user identities to check if a device is considered to be verified. The signatures can be uploaded to the homeserver, this allows us to share the verification state with other devices. Devices only need to verify a user identity, if the user identity has verified and signed the device we can consider the device to be verified as well.

Devices are usually cross-signing verified using interactive verification, which can be started using the Device::request_verification() method.

A Device can also be manually signed using the Device::verify() method, this works only for devices belonging to our own user.

Do note that the device that is being manually signed will not trust our own user identity like it would if we interactively verify the device. Such a device can mark our own user as verified using the UserIdentity::verify() method.

§Verification of devices belonging to our own user.

If the device belongs to our own user, the device will be considered to be verified if:

  • The device has been signed by our self-signing key
  • Our own user identity is considered to be verified

In other words we need to find a valid signature chain from our user identity to the device:

         ┌─────────────────────────────────────┐    ┌─────────────┐
         │           Own User Identity         │    │   Device    │
         ├──────────────────┬──────────────────┤───►├─────────────┤
         │    Master Key    │ Self-signing Key │    │ Device Keys │
         └──────────────────┴──────────────────┘    └─────────────┘
§Verification of devices belonging to other users.

If the device belongs to some other user it will be considered to be verified if:

  • The device has been signed by the user’s self-signing key
  • The user’s master-signing key has been signed by our own user-signing key, i.e. our own identity trusts the other users identity.
  • Our own user identity is considered to be verified
            ┌─────────────────────────────────────┐
            │           Own User Identity         │
            ├──────────────────┬──────────────────┤─────┐
            │    Master Key    │ User-signing Key │     │
            └──────────────────┴──────────────────┘     │
    ┌───────────────────────────────────────────────────┘
    │
    │       ┌─────────────────────────────────────┐    ┌─────────────┐
    │       │             User Identity           │    │   Device    │
    └──────►├──────────────────┬──────────────────┤───►│─────────────│
            │    Master Key    │ Self-signing Key │    │ Device Keys │
            └──────────────────┴──────────────────┘    └─────────────┘
§Examples

Let’s check if a device is verified:

let device =
    client.encryption().get_device(alice, device_id!("DEVICEID")).await?;

if let Some(device) = device {
    if device.is_verified_with_cross_signing() {
        println!(
            "Device {} of user {} is verified with cross-signing",
            device.device_id(),
            device.user_id()
        );
    } else {
        println!(
            "Device {} of user {} is not verified with cross-signing",
            device.device_id(),
            device.user_id()
        );
    }
}
Source

pub async fn set_local_trust( &self, trust_state: LocalTrust, ) -> Result<(), CryptoStoreError>

Set the local trust state of the device to the given state.

This won’t affect any cross signing verification state, this only sets a flag marking to have the given trust state.

§Arguments
  • trust_state - The new trust state that should be set for the device.
Source

pub fn is_cross_signed_by_owner(&self) -> bool

Is the device cross-signed by its own user.

Methods from Deref<Target = DeviceData>§

Source

pub fn user_id(&self) -> &UserId

The user id of the device owner.

Source

pub fn device_id(&self) -> &DeviceId

The unique ID of the device.

Source

pub fn display_name(&self) -> Option<&str>

Get the human readable name of the device.

Source

pub fn get_key(&self, algorithm: DeviceKeyAlgorithm) -> Option<&DeviceKey>

Get the key of the given key algorithm belonging to this device.

Source

pub fn curve25519_key(&self) -> Option<Curve25519PublicKey>

Get the Curve25519 key of the given device.

Source

pub fn ed25519_key(&self) -> Option<Ed25519PublicKey>

Get the Ed25519 key of the given device.

Source

pub fn keys( &self, ) -> &BTreeMap<OwnedKeyId<DeviceKeyAlgorithm, DeviceId>, DeviceKey>

Get a map containing all the device keys.

Source

pub fn signatures(&self) -> &Signatures

Get a map containing all the device signatures.

Source

pub fn local_trust_state(&self) -> LocalTrust

Get the trust state of the device.

Source

pub fn is_locally_trusted(&self) -> bool

Is the device locally marked as trusted.

Source

pub fn is_blacklisted(&self) -> bool

Is the device locally marked as blacklisted.

Blacklisted devices won’t receive any group sessions.

Source

pub fn was_withheld_code_sent(&self) -> bool

Returns true if the m.no_olm withheld code was already sent to this device.

Source

pub fn algorithms(&self) -> &[EventEncryptionAlgorithm]

Get the list of algorithms this device supports.

Source

pub fn supports_olm(&self) -> bool

Does this device support any of our known Olm encryption algorithms.

Source

pub fn olm_session_config(&self) -> SessionConfig

Get the optimal SessionConfig for this device.

Source

pub fn is_deleted(&self) -> bool

Is the device deleted.

Source

pub fn as_device_keys(&self) -> &DeviceKeys

Return the device keys

Source

pub fn first_time_seen_ts(&self) -> MilliSecondsSinceUnixEpoch

Get the local timestamp of when this device was first persisted, in milliseconds since epoch (client local time).

Trait Implementations§

Source§

impl Clone for Device

Source§

fn clone(&self) -> Device

Returns a copy of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Device

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Deref for Device

Source§

type Target = DeviceData

The resulting type after dereferencing.
Source§

fn deref(&self) -> &Self::Target

Dereferences the value.

Auto Trait Implementations§

§

impl Freeze for Device

§

impl !RefUnwindSafe for Device

§

impl Send for Device

§

impl Sync for Device

§

impl Unpin for Device

§

impl !UnwindSafe for Device

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dst: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, W> HasTypeWitness<W> for T
where W: MakeTypeWitness<Arg = T>, T: ?Sized,

Source§

const WITNESS: W = W::MAKE

A constant of the type witness
Source§

impl<T> Identity for T
where T: ?Sized,

Source§

const TYPE_EQ: TypeEq<T, <T as Identity>::Type> = TypeEq::NEW

Proof that Self is the same type as Self::Type, provides methods for casting between Self and Self::Type.
Source§

type Type = T

The same type as Self, used to emulate type equality bounds (T == U) with associated type equality constraints (T: Identity<Type = U>).
Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<P, T> Receiver for P
where P: Deref<Target = T> + ?Sized, T: ?Sized,

Source§

type Target = T

🔬This is a nightly-only experimental API. (arbitrary_self_types)
The target type on which the method may be called.
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> Any for T
where T: Any,

Source§

impl<T> AsyncTraitDeps for T

Source§

impl<T> CloneAny for T
where T: Any + Clone,

Source§

impl<T> CloneAnySend for T
where T: Any + Send + Clone,

Source§

impl<T> CloneAnySendSync for T
where T: Any + Send + Sync + Clone,

Source§

impl<T> CloneAnySync for T
where T: Any + Sync + Clone,

Source§

impl<T> ErasedDestructor for T
where T: 'static,

Source§

impl<T> MaybeSendSync for T

Source§

impl<T> SendOutsideWasm for T
where T: Send,

Source§

impl<T> SyncOutsideWasm for T
where T: Sync,