awslabs / mls-rs

An implementation of Messaging Layer Security (RFC 9420)
Apache License 2.0

Web X509 compatible identity provider #199

Open nicdard opened 1 month ago

nicdard commented 1 month ago

Description of feature:

To allow real usage of the WASM builds, the library should support X509 certificates.

Use case:

Running an MLS/CGKA client in a browser, and the application is using X.509 certificates to manage the user identities through an internal PKI. The certificate is accessed for example through the file system web api, or loaded through another mechanism.

Implementation discussion (Optional)

I saw there are traits for the identity provider. My initial plan is to implement a new crate, where I add support similarly to what is done in mls-rs-identity-x509, and use some rust crates compatible with WASM builds to perform the parsing of the certificates. During my thesis work I have used x509_parser crate. I was thinking around certificates from an internal CA server, and the use case covered would be that the application has locally a copy of the CA certificate for verification of the other client identities. Any thoughts? :)

mulmarta commented 6 days ago

Is there a reason you don't want to use the X509 identity provider from mls-rs-crypto-rustcrypto? Both the X509 identity provider and the crypto provider from that crate compile to WASM.

The API used below could be improved, but it creates an X509 identity provider that can be compiled to WASM with wasm-bindgen.

```rust
use mls_rs_identity_x509::{SubjectIdentityExtractor, X509IdentityProvider};
use mls_rs_crypto_rustcrypto::x509::{X509Reader, X509Validator};

fn main() {
    // The identity is taken from the subject of the certificate at index 0
    // of the presented chain (the first certificate), parsed with X509Reader.
    // X509Validator takes the trusted root CA certificates; the empty Vec
    // here trusts no roots, so pass the local CA certificate(s) in practice.
    let _provider = X509IdentityProvider::new(
        SubjectIdentityExtractor::new(0, X509Reader::new()),
        X509Validator::new(vec![]).unwrap(),
    );
}
```