wireapp · David-Henner · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026
diff --git a/wire-ios-data-model/Source/Model/Account/Account+Keychain.swift b/wire-ios-data-model/Source/Model/Account/Account+Keychain.swift
@@ -27,6 +27,7 @@ public extension Account {
         try? Keychain.deleteItem(item)
 
         try? RemoveCoreCryptoKeysUseCase().invoke(userID: userIdentifier)
+        try? RemoveEARKeysUseCase().invoke(accountID: userIdentifier)
     }
 
 }
diff --git a/wire-ios-data-model/Source/UseCases/RemoveEARKeysUseCase.swift b/wire-ios-data-model/Source/UseCases/RemoveEARKeysUseCase.swift
@@ -0,0 +1,57 @@
+//
+// Wire
+// Copyright (C) 2026 Wire Swiss GmbH
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see http://www.gnu.org/licenses/.
+//
+
+import Foundation
+import WireLogging
+
+// sourcery: AutoMockable
+public protocol RemoveEARKeysUseCaseProtocol {
+
+    /// Removes all encryption at rest keys from the keychain for the given account.
+    func invoke(accountID: UUID) throws
+
+}
+
+public struct RemoveEARKeysUseCase: RemoveEARKeysUseCaseProtocol {
+
+    private let keyRepository: EARKeyRepositoryInterface
+
+    public init() {
+        self.keyRepository = EARKeyRepository()
+    }
+
+    init(keyRepository: EARKeyRepositoryInterface) {
+        self.keyRepository = keyRepository
+    }
+
+    public func invoke(accountID: UUID) throws {
+        do {
+            try keyRepository.deletePublicKey(description: .primaryKeyDescription(accountID: accountID))
+            try keyRepository.deletePrivateKey(description: .primaryKeyDescription(accountID: accountID, context: nil))
+            try keyRepository.deletePublicKey(description: .secondaryKeyDescription(accountID: accountID))
+            try keyRepository.deletePrivateKey(description: .secondaryKeyDescription(accountID: accountID))
+            try keyRepository.deleteDatabaseKey(description: .keyDescription(accountID: accountID))
+        } catch {
+            WireLogger.ear.error(
+                "failed to remove EAR keys for accountID: \(accountID) - error: \(String(describing: error))"
+            )
+            throw error
+        }
+    }
+
+}
diff --git a/wire-ios-data-model/Support/Sourcery/generated/AutoMockable.generated.swift b/wire-ios-data-model/Support/Sourcery/generated/AutoMockable.generated.swift
diff --git a/wire-ios-data-model/Tests/Authentication/EAR/EARKeyRepositoryTests.swift b/wire-ios-data-model/Tests/Authentication/EAR/EARKeyRepositoryTests.swift
@@ -0,0 +1,166 @@
+//
+// Wire
+// Copyright (C) 2026 Wire Swiss GmbH
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see http://www.gnu.org/licenses/.
+//
+
+import Foundation
+import Testing
+@testable import WireDataModel
+
+@Suite
+struct EARKeyRepositoryTests {
+
+    let sut: EARKeyRepository
+    let accountID: UUID
+    let keyGenerator: EARKeyGenerator
+
+    let primaryPublicDesc: PublicEARKeyDescription
+    let secondaryPublicDesc: PublicEARKeyDescription
+    let primaryPrivateDesc: PrivateEARKeyDescription
+    let secondaryPrivateDesc: PrivateEARKeyDescription
+    let databaseKeyDesc: DatabaseEARKeyDescription
+
+    init() {
+        self.sut = EARKeyRepository()
+        self.accountID = UUID()
+        self.keyGenerator = EARKeyGenerator()
+
+        self.primaryPublicDesc = .primaryKeyDescription(accountID: accountID)
+        self.secondaryPublicDesc = .secondaryKeyDescription(accountID: accountID)
+        self.primaryPrivateDesc = .primaryKeyDescription(accountID: accountID, context: nil)
+        self.secondaryPrivateDesc = .secondaryKeyDescription(accountID: accountID)
+        self.databaseKeyDesc = .keyDescription(accountID: accountID)
+    }
+
+    // MARK: - Public Key
+
+    @Test("Stores and fetches a public key")
+    func storeAndFetchPublicKey() throws {
+        // Given
+        let (publicKey, _) = try keyGenerator.generatePrimaryPublicPrivateKeyPair(id: "test-primary-\(accountID)")
+        defer { try? sut.deletePublicKey(description: primaryPublicDesc) }
+
+        // When
+        try sut.storePublicKey(description: primaryPublicDesc, key: publicKey)
+        let fetched = try sut.fetchPublicKey(description: primaryPublicDesc)
+
+        // Then
+        #expect(SecKeyCopyExternalRepresentation(fetched, nil) == SecKeyCopyExternalRepresentation(publicKey, nil))
+    }
+
+    @Test("Returns cached public key without hitting keychain again")
+    func fetchPublicKey_returnsFromCache() throws {
+        // Given
+        let (publicKey, _) = try keyGenerator.generatePrimaryPublicPrivateKeyPair(id: "test-cache-\(accountID)")
+        try sut.storePublicKey(description: primaryPublicDesc, key: publicKey)
+
+        // populate cache
+        _ = try sut.fetchPublicKey(description: primaryPublicDesc)
+        // remove from keychain, only cache remains
+        try KeychainManager.deleteItem(primaryPublicDesc)
+
+        // When
+        let fetched = try sut.fetchPublicKey(description: primaryPublicDesc)
+
+        // Then
+        #expect(SecKeyCopyExternalRepresentation(fetched, nil) == SecKeyCopyExternalRepresentation(publicKey, nil))
+    }
+
+    @Test("Throws keyNotFound when public key is absent")
+    func fetchPublicKey_throwsKeyNotFound_whenAbsent() {
+        #expect(throws: EARKeyRepositoryFailure.keyNotFound) {
+            try sut.fetchPublicKey(description: primaryPublicDesc)
+        }
+    }
+
+    @Test("Deletes public key from keychain and cache")
+    func deletePublicKey_removesFromKeychainAndCache() throws {
+        // Given
+        let (publicKey, _) = try keyGenerator.generatePrimaryPublicPrivateKeyPair(id: "test-delete-\(accountID)")
+        try sut.storePublicKey(description: primaryPublicDesc, key: publicKey)
+
+        // populate cache
+        _ = try sut.fetchPublicKey(description: primaryPublicDesc)
+
+        // When
+        try sut.deletePublicKey(description: primaryPublicDesc)
+
+        // Then — cache cleared, keychain cleared
+        #expect(throws: EARKeyRepositoryFailure.keyNotFound) {
+            try sut.fetchPublicKey(description: primaryPublicDesc)
+        }
+    }
+
+    // MARK: - Database Key
+
+    @Test("Stores and fetches a database key")
+    func storeAndFetchDatabaseKey() throws {
+        // Given
+        let databaseKey = Data.randomEncryptionKey()
+        defer { try? sut.deleteDatabaseKey(description: databaseKeyDesc) }
+
+        // When
+        try sut.storeDatabaseKey(description: databaseKeyDesc, key: databaseKey)
+        let fetched = try sut.fetchDatabaseKey(description: databaseKeyDesc)
+
+        // Then
+        #expect(fetched == databaseKey)
+    }
+
+    @Test("Throws keyNotFound when database key is absent")
+    func fetchDatabaseKey_throwsKeyNotFound_whenAbsent() {
+        #expect(throws: EARKeyRepositoryFailure.keyNotFound) {
+            try sut.fetchDatabaseKey(description: databaseKeyDesc)
+        }
+    }
+
+    @Test("Deletes database key from keychain")
+    func deleteDatabaseKey_removesFromKeychain() throws {
+        // Given
+        try sut.storeDatabaseKey(description: databaseKeyDesc, key: .randomEncryptionKey())
+
+        // When
+        try sut.deleteDatabaseKey(description: databaseKeyDesc)
+
+        // Then
+        #expect(throws: EARKeyRepositoryFailure.keyNotFound) {
+            try sut.fetchDatabaseKey(description: databaseKeyDesc)
+        }
+    }
+
+    // MARK: - Cache
+
+    @Test("clearCache forces a keychain refetch on next access")
+    func clearCache_forcesRefetchFromKeychain() throws {
+        // Given
+        let (publicKey, _) = try keyGenerator.generatePrimaryPublicPrivateKeyPair(id: "test-clear-\(accountID)")
+        try sut.storePublicKey(description: primaryPublicDesc, key: publicKey)
+
+        // populate cache
+        _ = try sut.fetchPublicKey(description: primaryPublicDesc)
+        // remove from keychain
+        try KeychainManager.deleteItem(primaryPublicDesc)
+
+        // When
+        sut.clearCache()
+
+        // Then — cache is gone, keychain miss propagates
+        #expect(throws: EARKeyRepositoryFailure.keyNotFound) {
+            try sut.fetchPublicKey(description: primaryPublicDesc)
+        }
+    }
+
+}
diff --git a/wire-ios-data-model/Tests/Source/Model/AccountTests.swift b/wire-ios-data-model/Tests/Source/Model/AccountTests.swift
@@ -63,4 +63,37 @@
         XCTAssertThrowsError(try Keychain.fetchItem(item))
     }
 
+    func test_deleteKeychainItems_removesEARKeysFromKeychain() throws {
+        // Given
+        let accountID = UUID()
+        let account = Account(userName: "", userIdentifier: accountID)
+        let keyGenerator = EARKeyGenerator()
+        let keyRepository = EARKeyRepository()
+
+        let primaryPublicDesc = PublicEARKeyDescription.primaryKeyDescription(accountID: accountID)
+        let secondaryPublicDesc = PublicEARKeyDescription.secondaryKeyDescription(accountID: accountID)
+        let databaseKeyDesc = DatabaseEARKeyDescription.keyDescription(accountID: accountID)
+
+        let (primaryPublicKey, _) = try keyGenerator.generatePrimaryPublicPrivateKeyPair(id: "test-account-primary")
+        let (secondaryPublicKey, _) = try keyGenerator
+            .generateSecondaryPublicPrivateKeyPair(id: "test-account-secondary")
+        try keyRepository.storePublicKey(description: primaryPublicDesc, key: primaryPublicKey)
+        try keyRepository.storePublicKey(description: secondaryPublicDesc, key: secondaryPublicKey)
+        try keyRepository.storeDatabaseKey(description: databaseKeyDesc, key: .randomEncryptionKey())
+
+        // When
+        account.deleteKeychainItems()
+
+        // Then — all EAR keys are gone
+        XCTAssertThrowsError(try keyRepository.fetchPublicKey(description: primaryPublicDesc)) { error in
+            XCTAssertEqual(error as? EARKeyRepositoryFailure, .keyNotFound)
+        }
+        XCTAssertThrowsError(try keyRepository.fetchPublicKey(description: secondaryPublicDesc)) { error in
+            XCTAssertEqual(error as? EARKeyRepositoryFailure, .keyNotFound)
+        }
+        XCTAssertThrowsError(try keyRepository.fetchDatabaseKey(description: databaseKeyDesc)) { error in
+            XCTAssertEqual(error as? EARKeyRepositoryFailure, .keyNotFound)
+        }
+    }
+
 }
diff --git a/wire-ios-data-model/Tests/UseCases/RemoveEARKeysUseCaseTests.swift b/wire-ios-data-model/Tests/UseCases/RemoveEARKeysUseCaseTests.swift
@@ -0,0 +1,87 @@
+//
+// Wire
+// Copyright (C) 2026 Wire Swiss GmbH
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see http://www.gnu.org/licenses/.
+//
+
+import Foundation
+import Testing
+@testable import WireDataModel
+@testable import WireDataModelSupport
+
+@Suite
+struct RemoveEARKeysUseCaseTests {
+
+    let sut: RemoveEARKeysUseCase
+    let mockKeyRepository: MockEARKeyRepositoryInterface
+    let accountID: UUID
+
+    init() {
+        self.accountID = UUID()
+        self.mockKeyRepository = MockEARKeyRepositoryInterface()
+        mockKeyRepository.deletePublicKeyDescription_MockMethod = { _ in }
+        mockKeyRepository.deletePrivateKeyDescription_MockMethod = { _ in }
+        mockKeyRepository.deleteDatabaseKeyDescription_MockMethod = { _ in }
+        self.sut = RemoveEARKeysUseCase(keyRepository: mockKeyRepository)
+    }
+
+    @Test("Deletes all five EAR keys with correct descriptions")
+    func invoke_deletesAllExpectedKeys() throws {
+        // When
+        try sut.invoke(accountID: accountID)
+
+        // Then
+        let deletedPublicIDs = mockKeyRepository.deletePublicKeyDescription_Invocations.map(\.id)
+        let deletedPrivateIDs = mockKeyRepository.deletePrivateKeyDescription_Invocations.map(\.id)
+        let deletedDatabaseIDs = mockKeyRepository.deleteDatabaseKeyDescription_Invocations.map(\.id)
+
+        #expect(deletedPublicIDs.contains(PublicEARKeyDescription.primaryKeyDescription(accountID: accountID).id))
+        #expect(deletedPublicIDs.contains(PublicEARKeyDescription.secondaryKeyDescription(accountID: accountID).id))
+        #expect(deletedPrivateIDs.contains(PrivateEARKeyDescription.primaryKeyDescription(
+            accountID: accountID,
+            context: nil
+        ).id))
+        #expect(deletedPrivateIDs.contains(PrivateEARKeyDescription.secondaryKeyDescription(accountID: accountID).id))
+        #expect(deletedDatabaseIDs.contains(DatabaseEARKeyDescription.keyDescription(accountID: accountID).id))
+    }
+
+    @Test("Does not delete keys belonging to a different account")
+    func invoke_doesNotDeleteOtherAccountKeys() throws {
+        // Given
+        let otherAccountID = UUID()
+
+        // When
+        try sut.invoke(accountID: accountID)
+
+        // Then
+        let deletedPublicIDs = mockKeyRepository.deletePublicKeyDescription_Invocations.map(\.id)
+        #expect(!deletedPublicIDs.contains(PublicEARKeyDescription.primaryKeyDescription(accountID: otherAccountID).id))
+        #expect(!deletedPublicIDs
+            .contains(PublicEARKeyDescription.secondaryKeyDescription(accountID: otherAccountID).id))
+    }
+
+    @Test("Propagates repository error")
+    func invoke_propagatesRepositoryError() {
+        // Given
+        struct DeletionError: Error {}
+        mockKeyRepository.deletePublicKeyDescription_MockError = DeletionError()
+
+        // When / Then
+        #expect(throws: DeletionError.self) {
+            try sut.invoke(accountID: accountID)
+        }
+    }
+
+}