WIP: add OPAQUE password-authenticated key exchange

Add opaque-ke (v4, ristretto255) for password-based registration and login. Extend NodeService schema with opaqueRegisterStart/Finish and opaqueLoginStart/Finish RPCs. Add Store trait methods for OPAQUE server setup and user records. Initial e2e integration test scaffolding. Note: FileBackedStore does not yet implement the new Store trait methods — server compilation is temporarily broken. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 08:25:34 +01:00
parent 9fdb37876a
commit 8d5c1b3b9b
11 changed files with 557 additions and 31 deletions
--- a/schemas/node.capnp
+++ b/schemas/node.capnp
@@ -37,6 +37,22 @@ interface NodeService {

  # Fetch a peer's hybrid public key (for post-quantum envelope encryption).
  fetchHybridKey  @7 (identityKey :Data) -> (hybridPublicKey :Data);
+
+  # ── OPAQUE password-authenticated registration ──────────────────────────
+
+  # Start OPAQUE registration: client sends blinded password element.
+  opaqueRegisterStart  @8 (username :Text, request :Data) -> (response :Data);
+
+  # Finish OPAQUE registration: client uploads sealed credential envelope.
+  opaqueRegisterFinish @9 (username :Text, upload :Data)  -> (success :Bool);
+
+  # ── OPAQUE password-authenticated login ─────────────────────────────────
+
+  # Start OPAQUE login: client sends credential request.
+  opaqueLoginStart  @10 (username :Text, request :Data)     -> (response :Data);
+
+  # Finish OPAQUE login: client sends credential finalization, receives session token.
+  opaqueLoginFinish @11 (username :Text, finalization :Data) -> (sessionToken :Data);
 }

 struct Auth {