Class Crypto

Bootstrap cross-signing by creating keys if needed. If everything is already set up, then no changes are made, so this is safe to run to ensure cross-signing is ready for use.

This function:

• creates new cross-signing keys if they are not found locally cached nor in secret storage (if it has been setup)

The cross-signing API is currently UNSTABLE and may change without notice.

Bootstrap Secure Secret Storage if needed by creating a default key. If everything is already set up, then no changes are made, so this is safe to run to ensure secret storage is ready for use.

This function

• creates a new Secure Secret Storage key if no default key exists
  • if a key backup exists, it is migrated to store the key in the Secret Storage
• creates a backup if none exists, and one is requested
• migrates Secure Secret Storage to use the latest algorithm, if an outdated algorithm is found

The Secure Secret Storage API is currently UNSTABLE and may change without notice.

Re-send any outgoing key requests, eg after verification

Returns

Cancel any earlier room key request

Checks that a given cross-signing private key matches a given public key. This can be used by the getCrossSigningKey callback to verify that the private key it is about to supply is the one that was requested.

Returns

true if the key matches, otherwise false

Check whether a given deviceinfo is trusted.

Returns

Check whether a given device is trusted.

Returns

Check whether one of our own devices is cross-signed by our user's stored keys, regardless of whether we trust those keys yet.

Returns

true if the device is cross-signed

Check the copy of our cross-signing key that we have in the device list and see if we can get the private key. If so, mark it as trusted.

Checks that a given secret storage private key matches a given public key. This can be used by the getSecretStorageKey callback to verify that the private key it is about to supply is the one that was requested.

Returns

true if the key matches, otherwise false

Check whether a given user is trusted.

Returns

Counts the number of end to end session keys that are waiting to be backed up

Returns

Promise which resolves to the number of sessions requiring backup

Create a recovery key from a user-supplied passphrase.

Returns

Object with public key metadata, encoded private recovery key which should be disposed of after displaying to the user, and raw private key to avoid round tripping if needed.

Decrypt a received event

Returns

resolves once we have finished decrypting. Rejects with an algorithms.DecryptionError if there is a problem decrypting the event.

Download the keys for a list of users and stores the keys in the session store.

Returns

A promise which resolves to a map userId->deviceId->{@link DeviceInfo}.

Encrypts and sends a given object via Olm to-device messages to a given set of devices.

Returns

Promise which resolves once the message has been encrypted and sent to the given userDeviceMap, and returns the { contentMap, deviceInfoByDeviceId } of the successfully sent messages.

Encrypt an event according to the configuration of the room.

Returns

Promise which resolves when the event has been encrypted, or null if nothing was needed

Try to make sure we have established olm sessions for all known devices for the given users.

Returns

resolves once the sessions are complete, to an Object mapping from userId to deviceId to OlmSessionResult

Get a list containing all of the room keys

Returns

a list of session export objects

Forces the current outbound group session to be discarded such that another one will be created next time an event is sent.

Get the user's cross-signing key ID.

Returns

the key ID

Whether to trust a others users signatures of their devices. If false, devices will only be considered 'verified' if we have verified that device individually (effectively disabling cross-signing).

Default: true

Returns

True if trusting cross-signed devices

Get the Curve25519 key for this device

Returns

base64-encoded curve25519 key.

Get the Ed25519 key for this device

Returns

base64-encoded ed25519 key.

Get information about the encryption of an event

Returns

An object with the fields:

• encrypted: whether the event is encrypted (if not encrypted, some of the other properties may not be set)
• senderKey: the sender's key
• algorithm: the algorithm used to encrypt the event
• authenticated: whether we can be sure that the owner of the senderKey sent the event
• sender: the sender's device information, if available
• mismatchedSender: if the event's ed25519 and curve25519 keys don't match (only meaningful if sender is set)

Get the device which sent an event

Returns

whether to blacklist all unverified devices by default

Deprecated

For external code, use getGlobalBlacklistUnverifiedDevices. For internal code, reference MatrixClient#globalBlacklistUnverifiedDevices directly.

Get information on the active olm sessions with a user

Returns a map from device id to an object with keys 'deviceIdKey' (the device's curve25519 identity key) and 'sessions' (an array of objects in the same format as that returned by getSessionInfoForDevice).

This method is provided for debugging purposes.

Get a decryptor for a given room and algorithm.

If we already have a decryptor for the given room and algorithm, return it. Otherwise try to instantiate it.

Throws

DecryptionError if the algorithm is unknown

Fetches the backup private key, if cached

Returns

the key, if any, or null

Get the cross signing information for a given user.

Returns

the cross signing information for the user.

Get the stored keys for a single device

Returns

device, or undefined if we don't know about this device

Get the stored device keys for a user id

Returns

list of devices, or null if we haven't managed to get a list of devices for this user yet.

Import a list of room keys previously exported by exportRoomKeys

Returns

a promise which resolves once the keys have been imported

Initialise the crypto module so that it is ready for use

Returns a promise which resolves once the crypto module is ready for use.

Checks whether cross signing:

• is enabled on this account and trusted by this device
• has private keys either cached locally or stored in secret storage

If this function returns false, bootstrapCrossSigning() can be used to fix things such that it returns true. That is to say, after bootstrapCrossSigning() completes successfully, this function should return true.

The cross-signing API is currently UNSTABLE and may change without notice.

Returns

True if cross-signing is ready to be used on this device

Checks whether secret storage:

• is enabled on this account
• is storing cross-signing private keys
• is storing session backup key (if enabled)

If this function returns false, bootstrapSecretStorage() can be used to fix things such that it returns true. That is to say, after bootstrapSecretStorage() completes successfully, this function should return true.

The Secure Secret Storage API is currently UNSTABLE and may change without notice.

Returns

True if secret storage is ready to be used on this device

handle an m.room.encryption event

handle the completion of a /sync

This is called after the processing of each successful /sync response. It is an opportunity to do a batch process on the information received.

Called before the result of a sync is processed

Perform any background tasks that can be done before a message is ready to send, in order to speed up sending of the message.

Called by the /sync loop whenever there are incoming to-device messages.

The implementation may preprocess the received messages (eg, decrypt them) and return an updated list of messages for dispatch to the rest of the system.

Note that, unlike ToDeviceEvent events, this is called on the raw to-device messages, rather than the results of any decryption attempts.

Returns

A list of preprocessed to-device messages.

Handle the notification from /sync that device lists have been changed.

Called by the /sync loop when one time key counts and unused fallback key details are received.

Tell the crypto module to register for MatrixClient events which it needs to listen for

Send a request for some room keys, if we have not already done so

Returns

a promise that resolves when the key request is queued

Save the device list, if necessary

Returns

true if the data was saved, false if it was not (eg. because no changes were pending). The promise will only resolve once the data is saved, so may take some time to resolve.

See getCryptoTrustCrossSignedDevices

This may be set before initCrypto() is called to ensure no races occur.

Update the blocked/verified state of the given device

Returns

updated DeviceInfo

Set the global override for whether the client should ever send encrypted messages to unverified devices. This provides the default for rooms which do not specify a value.

Deprecated

For external code, use setGlobalBlacklistUnverifiedDevices. For internal code, set MatrixClient#globalBlacklistUnverifiedDevices directly.

Configure a room to use encryption (ie, save a flag in the cryptoStore).

Deprecated

It is normally incorrect to call this method directly. Encryption is enabled by receiving an m.room.encryption event (which we may have sent previously).

sign the given object with our ed25519 key

Deprecated

this does nothing and will be removed in a future version

Stop background processes related to crypto

Stores the session backup key to the cache

Returns

a promise so you can catch failures

Make sure we are tracking the device lists for all users in this room.

Returns

when all devices for the room have been fetched and marked to track

Deprecated

there's normally no need to call this function: device list tracking will be enabled as soon as we have the full membership list.

Upload the device keys to the homeserver.

Returns

A promise that will resolve when the keys are uploaded.