Quickstart

Get up and running with CoreCrypto in minutes across any platform.

Architecture

Understand how CoreCrypto’s components fit together.

Platform Guides

Integration guides for TypeScript/WASM, Kotlin/Android, and Swift/iOS.

API Reference

Full API reference for all CoreCrypto types and methods.

What is Wire CoreCrypto?

Wire CoreCrypto is a cryptographic library written in Rust that provides a unified, ergonomic API for the Messaging Layer Security (MLS) and Proteus end-to-end encryption protocols. It is the cryptographic backbone of Wire’s secure messaging platform. CoreCrypto abstracts protocol-level complexity and exposes a consistent interface across all supported platforms:
  • Rust — native library with full API access
  • TypeScript/JavaScript — compiled to WebAssembly via wasm-bindgen
  • Kotlin/Android — native bindings via UniFFI
  • Swift/iOS — native bindings via UniFFI as an XCFramework

MLS Protocol

Group messaging with forward secrecy and post-compromise security.

Proteus Protocol

Signal-based double ratchet for one-to-one and legacy messaging.

Encrypted Keystore

SQLCipher-backed storage on native, AES256-GCM over IndexedDB on WASM.

End-to-End Identity

ACME-based certificate enrollment for verifiable user identity.

Key features

  • CoreCrypto wraps both MLS (via a Wire fork of OpenMLS) and Proteus (via a Wire fork of the Proteus library) behind a single CoreCrypto struct and TransactionContext. You initialize once, and the same transaction-based API handles both protocols consistently.
  • All state-mutating operations must go through a TransactionContext. Changes are buffered in memory and atomically flushed to the encrypted keystore when the transaction is committed. This prevents partial writes and ensures consistency.
  • The crypto-ffi crate wraps the core library with UniFFI annotations (for Kotlin/Swift) and wasm-bindgen annotations (for TypeScript). A single Rust codebase powers all platform bindings.
  • CoreCrypto implements Wire’s E2EI protocol: devices acquire X.509 certificates from an ACME server using DPoP (device identity) and OIDC (user identity) challenges. Certificates are bound to MLS credentials, enabling verifiable sender identity in group conversations.
  • CoreCrypto supports MLS ciphersuites including MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519, MLS_256_DHKEMP384_AES256GCM_SHA384_P384, MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519, and others. The ciphersuite is configurable per conversation.

License

Wire CoreCrypto is released under the GPL-3.0 License. This repository is part of the Wire open-source platform. For licensing information, see wire.com/legal/licenses/.
