WIP: add OPAQUE password-authenticated key exchange

Add opaque-ke (v4, ristretto255) for password-based registration and login. Extend NodeService schema with opaqueRegisterStart/Finish and opaqueLoginStart/Finish RPCs. Add Store trait methods for OPAQUE server setup and user records. Initial e2e integration test scaffolding. Note: FileBackedStore does not yet implement the new Store trait methods — server compilation is temporarily broken. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 08:25:34 +01:00
parent 9fdb37876a
commit 8d5c1b3b9b
11 changed files with 557 additions and 31 deletions
--- a/crates/quicnprotochat-server/src/storage.rs
+++ b/crates/quicnprotochat-server/src/storage.rs
@@ -50,6 +50,18 @@ pub trait Store: Send + Sync {
    ) -> Result<(), StorageError>;

    fn fetch_hybrid_key(&self, identity_key: &[u8]) -> Result<Option<Vec<u8>>, StorageError>;
+
+    /// Store the OPAQUE `ServerSetup` (generated once, loaded on restart).
+    fn store_server_setup(&self, setup: Vec<u8>) -> Result<(), StorageError>;
+
+    /// Load the persisted `ServerSetup`, if any.
+    fn get_server_setup(&self) -> Result<Option<Vec<u8>>, StorageError>;
+
+    /// Store an OPAQUE user record (serialized `ServerRegistration`).
+    fn store_user_record(&self, username: &str, record: Vec<u8>) -> Result<(), StorageError>;
+
+    /// Retrieve an OPAQUE user record by username.
+    fn get_user_record(&self, username: &str) -> Result<Option<Vec<u8>>, StorageError>;
 }

 // ── ChannelKey ───────────────────────────────────────────────────────────────
@@ -86,9 +98,12 @@ pub struct FileBackedStore {
    kp_path: PathBuf,
    ds_path: PathBuf,
    hk_path: PathBuf,
+    setup_path: PathBuf,
+    users_path: PathBuf,
    key_packages: Mutex<HashMap<Vec<u8>, VecDeque<Vec<u8>>>>,
    deliveries: Mutex<HashMap<ChannelKey, VecDeque<Vec<u8>>>>,
    hybrid_keys: Mutex<HashMap<Vec<u8>, Vec<u8>>>,
+    users: Mutex<HashMap<String, Vec<u8>>>,
 }

 impl FileBackedStore {
@@ -100,18 +115,24 @@ impl FileBackedStore {
        let kp_path = dir.join("keypackages.bin");
        let ds_path = dir.join("deliveries.bin");
        let hk_path = dir.join("hybridkeys.bin");
+        let setup_path = dir.join("server_setup.bin");
+        let users_path = dir.join("users.bin");

        let key_packages = Mutex::new(Self::load_kp_map(&kp_path)?);
        let deliveries = Mutex::new(Self::load_delivery_map(&ds_path)?);
        let hybrid_keys = Mutex::new(Self::load_hybrid_keys(&hk_path)?);
+        let users = Mutex::new(Self::load_users(&users_path)?);

        Ok(Self {
            kp_path,
            ds_path,
            hk_path,
+            setup_path,
+            users_path,
            key_packages,
            deliveries,
            hybrid_keys,
+            users,
        })
    }

@@ -201,6 +222,29 @@ impl FileBackedStore {
        }
        fs::write(path, bytes).map_err(|e| StorageError::Io(e.to_string()))
    }
+
+    fn load_users(path: &Path) -> Result<HashMap<String, Vec<u8>>, StorageError> {
+        if !path.exists() {
+            return Ok(HashMap::new());
+        }
+        let bytes = fs::read(path).map_err(|e| StorageError::Io(e.to_string()))?;
+        if bytes.is_empty() {
+            return Ok(HashMap::new());
+        }
+        bincode::deserialize(&bytes).map_err(|_| StorageError::Serde)
+    }
+
+    fn flush_users(
+        &self,
+        path: &Path,
+        map: &HashMap<String, Vec<u8>>,
+    ) -> Result<(), StorageError> {
+        let bytes = bincode::serialize(map).map_err(|_| StorageError::Serde)?;
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent).map_err(|e| StorageError::Io(e.to_string()))?;
+        }
+        fs::write(path, bytes).map_err(|e| StorageError::Io(e.to_string()))
+    }
 }

 impl Store for FileBackedStore {
@@ -272,4 +316,33 @@ impl Store for FileBackedStore {
        let map = self.hybrid_keys.lock().unwrap();
        Ok(map.get(identity_key).cloned())
    }
+
+    fn store_server_setup(&self, setup: Vec<u8>) -> Result<(), StorageError> {
+        if let Some(parent) = self.setup_path.parent() {
+            fs::create_dir_all(parent).map_err(|e| StorageError::Io(e.to_string()))?;
+        }
+        fs::write(&self.setup_path, setup).map_err(|e| StorageError::Io(e.to_string()))
+    }
+
+    fn get_server_setup(&self) -> Result<Option<Vec<u8>>, StorageError> {
+        if !self.setup_path.exists() {
+            return Ok(None);
+        }
+        let bytes = fs::read(&self.setup_path).map_err(|e| StorageError::Io(e.to_string()))?;
+        if bytes.is_empty() {
+            return Ok(None);
+        }
+        Ok(Some(bytes))
+    }
+
+    fn store_user_record(&self, username: &str, record: Vec<u8>) -> Result<(), StorageError> {
+        let mut map = self.users.lock().unwrap();
+        map.insert(username.to_string(), record);
+        self.flush_users(&self.users_path, &*map)
+    }
+
+    fn get_user_record(&self, username: &str) -> Result<Option<Vec<u8>>, StorageError> {
+        let map = self.users.lock().unwrap();
+        Ok(map.get(username).cloned())
+    }
 }