feat(kt): add key revocation and Merkle-log audit support

Add RevocationLog with domain-separated leaf hashes (0x02 prefix) for
tracking revoked identity keys alongside the KT MerkleLog. Includes:

- RevocationLog with O(1) lookup, serialization, and double-revoke guard
- MerkleLog.append_raw() for pre-computed hashes
- MerkleLog.audit_log(start, end) for paginated log retrieval
- RevokeKey (510), CheckRevocation (511), AuditKeyTransparency (520) RPCs
- Server domain logic + v2 handlers + FileBackedStore/SqlStore persistence
- 4 new revocation tests + all 21 KT tests + 65 server tests passing
2026-03-04 20:53:41 +01:00
parent f667281831
commit 1768f85258
11 changed files with 657 additions and 11 deletions


@@ -44,6 +44,7 @@ pub struct ServerState {
pub hooks: Arc<dyn ServerHooks>,
pub signing_key: Arc<quicproquo_core::IdentityKeypair>,
pub kt_log: Arc<std::sync::Mutex<quicproquo_kt::MerkleLog>>,
pub revocation_log: Arc<std::sync::Mutex<quicproquo_kt::RevocationLog>>,
pub data_dir: PathBuf,
pub redact_logs: bool,
/// Structured audit logger for security-relevant events.
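Review bot: The new `revocation_log` field is the only one in this hunk without a doc comment, while the neighbouring audit-logger field carries `/// Structured audit logger for security-relevant events.`; add one such as `/// Revoked identity keys, held in its own lock beside `kt_log`.` above it. Since revocations and the KT Merkle log now sit behind two separate `Mutex`es, any handler that must update both (the description's `append_raw` for pre-computed revocation leaves suggests this may happen) needs one fixed acquisition order, and this field is the natural place to record it, e.g. `/// Lock order: `kt_log` is always taken before `revocation_log`.` — with the order matching whatever the handlers actually do. It is also worth stating whether a revocation is visible in `revocation_log` before its leaf lands in `kt_log`, since an auditor comparing the two during that window would see them disagree. The `ServerState` struct begins and ends outside this hunk.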
@@ -281,6 +282,23 @@ pub fn build_registry(default_rpc_timeout: std::time::Duration) -> MethodRegistr
user::handle_resolve_identity,
);
// Key Transparency (510-520)
reg.register(
method_ids::REVOKE_KEY,
"RevokeKey",
user::handle_revoke_key,
);
reg.register(
method_ids::CHECK_REVOCATION,
"CheckRevocation",
user::handle_check_revocation,
);
reg.register(
method_ids::AUDIT_KEY_TRANSPARENCY,
"AuditKeyTransparency",
user::handle_audit_key_transparency,
);
// Blob (600-601) — longer timeout for file transfers.
reg.register_with_timeout(
method_ids::UPLOAD_BLOB,