Christian Nennemann
8d5c1b3b9b
Add opaque-ke (v4, ristretto255) for password-based registration and login. Extend NodeService schema with opaqueRegisterStart/Finish and opaqueLoginStart/Finish RPCs. Add Store trait methods for OPAQUE server setup and user records. Initial e2e integration test scaffolding. Note: FileBackedStore does not yet implement the new Store trait methods — server compilation is temporarily broken. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
63 lines
2.9 KiB
Cap'n Proto
63 lines
2.9 KiB
Cap'n Proto
# node.capnp — Unified quicnprotochat node RPC interface.
|
|
#
|
|
# Combines Authentication and Delivery operations into a single service.
|
|
#
|
|
# ID generated with: capnp id
|
|
@0xd5ca5648a9cc1c28;
|
|
|
|
interface NodeService {
|
|
# Upload a single-use KeyPackage for later retrieval by peers.
|
|
# identityKey : Ed25519 public key bytes (32 bytes)
|
|
# package : TLS-encoded openmls KeyPackage
|
|
# auth : Auth context (versioned). For legacy clients, pass an empty
|
|
# struct or version=0.
|
|
uploadKeyPackage @0 (identityKey :Data, package :Data, auth :Auth) -> (fingerprint :Data);
|
|
|
|
# Fetch and atomically remove one KeyPackage for a given identity key.
|
|
# Returns empty Data if none are stored.
|
|
fetchKeyPackage @1 (identityKey :Data, auth :Auth) -> (package :Data);
|
|
|
|
# Enqueue an opaque payload for delivery to a recipient.
|
|
# channelId : Optional channel identifier (empty for legacy). A 16-byte UUID
|
|
# is recommended for 1:1 channels.
|
|
# version : Schema/wire version. Must be 0 (legacy) or 1 (this spec).
|
|
enqueue @2 (recipientKey :Data, payload :Data, channelId :Data, version :UInt16, auth :Auth) -> ();
|
|
|
|
# Fetch and drain all queued payloads for the recipient.
|
|
fetch @3 (recipientKey :Data, channelId :Data, version :UInt16, auth :Auth) -> (payloads :List(Data));
|
|
|
|
# Long-poll: wait up to timeoutMs for new payloads, then drain queue.
|
|
fetchWait @4 (recipientKey :Data, channelId :Data, version :UInt16, timeoutMs :UInt64, auth :Auth) -> (payloads :List(Data));
|
|
|
|
# Health probe for readiness/liveness.
|
|
health @5 () -> (status :Text);
|
|
|
|
# Upload the hybrid (X25519 + ML-KEM-768) public key for sealed envelope encryption.
|
|
uploadHybridKey @6 (identityKey :Data, hybridPublicKey :Data) -> ();
|
|
|
|
# Fetch a peer's hybrid public key (for post-quantum envelope encryption).
|
|
fetchHybridKey @7 (identityKey :Data) -> (hybridPublicKey :Data);
|
|
|
|
# ── OPAQUE password-authenticated registration ──────────────────────────
|
|
|
|
# Start OPAQUE registration: client sends blinded password element.
|
|
opaqueRegisterStart @8 (username :Text, request :Data) -> (response :Data);
|
|
|
|
# Finish OPAQUE registration: client uploads sealed credential envelope.
|
|
opaqueRegisterFinish @9 (username :Text, upload :Data) -> (success :Bool);
|
|
|
|
# ── OPAQUE password-authenticated login ─────────────────────────────────
|
|
|
|
# Start OPAQUE login: client sends credential request.
|
|
opaqueLoginStart @10 (username :Text, request :Data) -> (response :Data);
|
|
|
|
# Finish OPAQUE login: client sends credential finalization, receives session token.
|
|
opaqueLoginFinish @11 (username :Text, finalization :Data) -> (sessionToken :Data);
|
|
}
|
|
|
|
struct Auth {
|
|
version @0 :UInt16; # 0 = legacy/none, 1 = token-based auth
|
|
accessToken @1 :Data; # opaque bearer token issued at login
|
|
deviceId @2 :Data; # optional UUID bytes for auditing/rate limiting
|
|
}
|