WIP: add OPAQUE password-authenticated key exchange

Add opaque-ke (v4, ristretto255) for password-based registration and login. Extend NodeService schema with opaqueRegisterStart/Finish and opaqueLoginStart/Finish RPCs. Add Store trait methods for OPAQUE server setup and user records. Initial e2e integration test scaffolding. Note: FileBackedStore does not yet implement the new Store trait methods — server compilation is temporarily broken. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 08:25:34 +01:00
parent 9fdb37876a
commit 8d5c1b3b9b
11 changed files with 557 additions and 31 deletions
--- a/crates/quicnprotochat-server/src/sql_store.rs
+++ b/crates/quicnprotochat-server/src/sql_store.rs
@@ -75,7 +75,18 @@ impl SqlStore {
                ON key_packages(identity_key);

            CREATE INDEX IF NOT EXISTS idx_del_recipient_channel
-                ON deliveries(recipient_key, channel_id);",
+                ON deliveries(recipient_key, channel_id);
+
+            CREATE TABLE IF NOT EXISTS server_setup (
+                id         INTEGER PRIMARY KEY CHECK (id = 1),
+                setup_data BLOB NOT NULL
+            );
+
+            CREATE TABLE IF NOT EXISTS users (
+                username      TEXT PRIMARY KEY,
+                opaque_record BLOB NOT NULL,
+                created_at    INTEGER DEFAULT (strftime('%s','now'))
+            );",
        )
        .map_err(|e| StorageError::Db(e.to_string()))?;
        Ok(())
@@ -203,6 +214,48 @@ impl Store for SqlStore {
            .optional()
            .map_err(|e| StorageError::Db(e.to_string()))
    }
+
+    fn store_server_setup(&self, setup: Vec<u8>) -> Result<(), StorageError> {
+        let conn = self.conn.lock().unwrap();
+        conn.execute(
+            "INSERT OR REPLACE INTO server_setup (id, setup_data) VALUES (1, ?1)",
+            params![setup],
+        )
+        .map_err(|e| StorageError::Db(e.to_string()))?;
+        Ok(())
+    }
+
+    fn get_server_setup(&self) -> Result<Option<Vec<u8>>, StorageError> {
+        let conn = self.conn.lock().unwrap();
+        let mut stmt = conn
+            .prepare("SELECT setup_data FROM server_setup WHERE id = 1")
+            .map_err(|e| StorageError::Db(e.to_string()))?;
+
+        stmt.query_row([], |row| row.get(0))
+            .optional()
+            .map_err(|e| StorageError::Db(e.to_string()))
+    }
+
+    fn store_user_record(&self, username: &str, record: Vec<u8>) -> Result<(), StorageError> {
+        let conn = self.conn.lock().unwrap();
+        conn.execute(
+            "INSERT OR REPLACE INTO users (username, opaque_record) VALUES (?1, ?2)",
+            params![username, record],
+        )
+        .map_err(|e| StorageError::Db(e.to_string()))?;
+        Ok(())
+    }
+
+    fn get_user_record(&self, username: &str) -> Result<Option<Vec<u8>>, StorageError> {
+        let conn = self.conn.lock().unwrap();
+        let mut stmt = conn
+            .prepare("SELECT opaque_record FROM users WHERE username = ?1")
+            .map_err(|e| StorageError::Db(e.to_string()))?;
+
+        stmt.query_row(params![username], |row| row.get(0))
+            .optional()
+            .map_err(|e| StorageError::Db(e.to_string()))
+    }
 }

 /// Convenience extension for `rusqlite::OptionalExtension`.