Documentation Index Fetch the complete documentation index at: https://mintlify.com/openmls/openmls/llms.txt
Use this file to discover all available pages before exploring further.
Overview Credentials contain identifying information about clients in MLS groups. Each KeyPackage and leaf node in the group tree contains a credential that authenticates the client’s messages.
Credentials represent client identities and must be validated by an authentication server. The validation process is application-specific and outside the scope of MLS.
Credential The main credential structure containing identity information.
Credential with type and serialized content The type of credential (Basic, X509, etc.)
serialized_credential_content
The serialized credential data (opaque to OpenMLS)
Methods new
fn(CredentialType, Vec<u8>) -> Self
Creates a new credential of the given type pub fn new ( credential_type : CredentialType , serialized_credential : Vec < u8 >) -> Self
The type of credential to create
The serialized credential content
credential_type
fn(&self) -> CredentialType
Returns the credential type pub fn credential_type ( & self ) -> CredentialType
Returns the serialized credential content pub fn serialized_content ( & self ) -> & [ u8 ]
deserialized
fn(&self) -> Result<T, Error>
Deserializes the credential content into the specified type pub fn deserialized < T : tls_codec :: Size + tls_codec :: Deserialize >( & self , ) -> Result < T , tls_codec :: Error >
CredentialType Types of credentials supported by MLS A basic credential containing an identity
An X.509 certificate credential
A GREASE value for ensuring extensibility
Other credential types not in the MLS spec
Methods Returns true if this is a GREASE credential type pub fn is_grease ( & self ) -> bool
GREASE values ensure implementations properly handle unknown credential types. BasicCredential A basic credential containing only an identity. This is the primary credential type supported by OpenMLS.
Basic credential with client identity The client’s identity as a byte vector
Methods Creates a new basic credential with the given identity pub fn new ( identity : Vec < u8 >) -> Self
The client identity as bytes
Returns the identity as a byte slice pub fn identity ( & self ) -> & [ u8 ]
Conversions From<BasicCredential> for Credential
Converts a BasicCredential into a Credential impl From < BasicCredential > for Credential
TryFrom<Credential> for BasicCredential
Attempts to convert a Credential into a BasicCredential impl TryFrom < Credential > for BasicCredential
Returns an error if the credential type is not Basic. CredentialWithKey A wrapper that bundles a credential with its corresponding signature public key.
Credential paired with its signature key The corresponding signature public key
Conversions Creates a CredentialWithKey from a leaf node impl From < & LeafNode > for CredentialWithKey
Creates a CredentialWithKey from a group member impl From < & Member > for CredentialWithKey
NewSignerBundle Bundle used to update the signature key in an MLS group.
Signer and credential bundle for key updates The signer to use after the update
The credential and public key corresponding to the signer
The public key and credential in credential_with_key MUST match the signature key exposed by signer.
Certificate X.509 certificate structure (not yet fully supported by OpenMLS).
X.509 certificates are not yet fully supported by OpenMLS.
Errors CredentialError Errors that occur in credential operations UnsupportedCredentialType
The credential type is not supported
Signature verification failed
BasicCredentialError Errors specific to basic credentials TLS serialization/deserialization error
Attempted to convert a non-basic credential
Usage Examples Creating a Basic Credential use openmls :: prelude ::* ; // Create a basic credential let identity = b"alice@example.com" ; let basic_credential = BasicCredential :: new ( identity . to_vec ()); // Convert to generic Credential let credential : Credential = basic_credential . into (); // Access the identity let basic_cred : BasicCredential = credential . try_into () . unwrap (); assert_eq! ( basic_cred . identity (), identity );
Creating a CredentialWithKey use openmls :: prelude ::* ; use openmls_basic_credential :: SignatureKeyPair ; let ciphersuite = Ciphersuite :: MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519 ; let provider = OpenMlsRustCrypto :: default (); // Create credential let credential = BasicCredential :: new ( b"alice@example.com" . to_vec ()); // Generate signature key pair let signature_keys = SignatureKeyPair :: new ( ciphersuite . signature_algorithm ()) . expect ( "Error generating signature key pair" ); // Create credential with key let credential_with_key = CredentialWithKey { credential : credential . into (), signature_key : signature_keys . public () . into (), };
Custom Credential Types use openmls :: prelude ::* ; use tls_codec ::* ; #[derive( TlsSize , TlsSerialize , TlsDeserialize , TlsDeserializeBytes )] struct CustomCredential { user_id : u32 , domain : Vec < u8 >, } let custom = CustomCredential { user_id : 12345 , domain : b"example.com" . to_vec (), }; let credential = Credential :: new ( CredentialType :: Other ( 1000 ), custom . tls_serialize_detached () . unwrap (), ); // Later, deserialize it let deserialized : CustomCredential = credential . deserialized () . unwrap ();
Security Considerations
Credentials MUST be validated by your application’s authentication service
The MLS protocol does not perform credential validation
When receiving credential updates, verify the new credential with your authentication service
Ensure signature keys match the claimed identity in the credential