feat: remove identities module #1756
248d04c to 0f07043
0f07043 to 7475791
WDYT of excluding the public key from the credential ref--it might be large--and instead just storing the
7475791 to 2d4b6fe
Sounds good! Would you mind if we did that as a separate item?
That's fine, I was just thinking of it here because it was on my mental queue of things to do once we got rid of the "get most recent commit" functionality, which this PR implements.
b7a775a to 4a4d932
afa8e34 to d62693e
coriolinus left a comment
This is great! A few nits, but I think this is a real improvement.
Now that the identities module is gone, I'm pretty sure that the door is now open to delete all the 1s delays per added credential, because we don't need them to have unique created_at values anymore. I'm agnostic about whether you want to do that in this PR or in a follow-up though.
| /// If no credentials are present in the keystore, then one _must_ be created and added to the | ||
| /// session before it can be used. |
This comment seems relevant still.
Really? Now that mls_init() doesn't do anything with credentials anymore it seems a little off to mention them here.
d54dcaa to 353d7d5
Removing this function is the first step to unlock removal of the `identities` module which would allow querying for most recently added credentials. `e2ei_rotate()` would just take the most recent x509 credential from the DB and set it for the given conversation. This removes that implicit behavior. To allow that, we're now returning a credential ref from `save_x509_credential()`. Note: we're taking a shortcut here on the FFI layer - we're no longer returning the `NewCrlDistributionPoints` from `save_x509_credential()`. However, CRL handling is going to be reworked in WPB-19580, so it's not worth bothering too much.
This is, much like the parent commit, just to produce an intermediate state after this PR that enables passing tests without _recent credential_ logic. This method is going to disappear at the latest in WPB-19579.
No more implicit _most recent_ credential logic
This is the only real use case for the `identities` module
`find_credentials()` does a superset of what this function used to do - except relying on the implicit _most recent_ logic.
In the parent commit, we just replaced all instances of `find_most_recent_credential()` with `Conversation.find_current_credential()` to cause the code to compile. This is good enough in some cases, but in others we have to be smarter than that: When updating credentials, we need to ensure that we're signing with the signature key of the leaf node we're inserting, but `find_current_credential()` gives us the old one. This commit takes care of that.
Also, refactor a test that would fail after this removal due to clumsy setup.
The `Identities` struct was blocking us from removing ciphersuite/signature scheme parameters from session initialization.
Also, stop loading credentials during `mls_init()` - this is not needed anymore since we're not using the identities cache anymore.
Also, this adds `setConversationCredential()`, which was previously missing in the wrapper.
353d7d5 to d4ddda1