1 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 // Copyright by contributors to this project.
3 // SPDX-License-Identifier: (Apache-2.0 OR MIT)
4
5 use mls_rs_core::{crypto::CipherSuiteProvider, protocol_version::ProtocolVersion};
6
7 use crate::{client::MlsError, signer::Signable, KeyPackage};
8
/// Validates the properties of a [`KeyPackage`] that can be checked from the
/// package alone, given the expected protocol version and cipher suite.
///
/// Checks run in the order below and the first failure is returned:
///
/// 1. The package signature verifies under the signature key taken from the
///    package's own `leaf_node.signing_identity`, with `()` as the context.
/// 2. `package.version` equals `version`.
/// 3. `package.cipher_suite` equals `cs.cipher_suite()`.
/// 4. `package.hpke_init_key` passes `cs.kem_public_key_validate`.
/// 5. `package.hpke_init_key` differs from `package.leaf_node.public_key`.
///
/// # Security
///
/// The verification key in step 1 is read from the package being checked, so
/// success only shows that the package is consistent with the key it carries.
/// Nothing in this function decides whether that signing identity is trusted,
/// and no other leaf node field is inspected here; callers have to cover that
/// separately.
/// NOTE(review): presumably identity and leaf node validation happen in a
/// different code path. Confirm at the call sites.
///
/// # Errors
///
/// * Whatever error `verify` yields when the signature check fails.
/// * [`MlsError::ProtocolVersionMismatch`] when the versions differ.
/// * [`MlsError::CipherSuiteMismatch`] when the cipher suites differ.
/// * [`MlsError::InvalidInitKey`] when the provider rejects the init key; the
///   provider's own error is discarded.
/// * [`MlsError::InitLeafKeyEquality`] when the init key bytes equal the leaf
///   node public key bytes.
#[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
pub(crate) async fn validate_key_package_properties<CSP: CipherSuiteProvider>(
    package: &KeyPackage,
    version: ProtocolVersion,
    cs: &CSP,
) -> Result<(), MlsError> {
    let leaf = &package.leaf_node;

    // Signature first: the key comes from the package's own signing identity.
    let signature_key = &leaf.signing_identity.signature_key;
    package.verify(cs, signature_key, &()).await?;

    // The package must target the protocol version the caller expects.
    if package.version != version {
        return Err(MlsError::ProtocolVersionMismatch);
    }

    // The package must use the same cipher suite as the supplied provider.
    if package.cipher_suite != cs.cipher_suite() {
        return Err(MlsError::CipherSuiteMismatch);
    }

    // The init key must be a well-formed KEM public key for this cipher suite.
    // The provider's error detail is deliberately replaced by InvalidInitKey.
    if cs.kem_public_key_validate(&package.hpke_init_key).is_err() {
        return Err(MlsError::InvalidInitKey);
    }

    // One HPKE key must not serve as both the init key and the leaf node key
    // (RFC 9420 key package validation requires the two to differ).
    if package.hpke_init_key.as_ref() == leaf.public_key.as_ref() {
        Err(MlsError::InitLeafKeyEquality)
    } else {
        Ok(())
    }
}
40