securedrop_protocol_minimal/

server.rs

//! Server-side protocol implementation
//!
//! This module implements the server-side handling of SecureDrop protocol steps 5-10.

use alloc::vec::Vec;
use anyhow::Error;
use rand_core::{CryptoRng, RngCore};
use uuid::Uuid;

use crate::encrypt_decrypt::compute_fetch_challenges;
use crate::keys::NewsroomKeyPair;
use crate::primitives;
use crate::sign::{FpfOnNewsroom, NewsroomOnJournalist, Signature, VerifyingKey};
use crate::storage::ServerStorage;
use crate::wire::core::{
    MessageChallengeFetchRequest, MessageChallengeFetchResponse, MessageFetchRequest,
    SourceJournalistKeyRequest, SourceJournalistKeyResponse, SourceNewsroomKeyRequest,
    SourceNewsroomKeyResponse,
};
use crate::wire::setup::{
    JournalistEphemeralKeyRequest, JournalistSetupRequest, JournalistSetupResponse,
    NewsroomSetupRequest,
};
use crate::{Envelope, JournalistPublicView};

/// Server session for handling source requests
#[derive(Default)]
pub struct Server {
    storage: ServerStorage,
    newsroom_keys: Option<NewsroomKeyPair>,
    /// Signature from FPF over the newsroom keys
    signature: Option<Signature<FpfOnNewsroom>>,
}

impl Server {
    /// Create a new server session
    ///
    /// TODO: Load newsroom keys from storage if they exist.
    pub fn new() -> Self {
        Self::default()
    }

    /// Generate a new newsroom setup request.
    ///
    /// This creates a newsroom key pair, stores it in the server storage,
    /// and returns a setup request that can be sent to FPF for signing.
    ///
    /// TODO: The caller should persist these keys to disk.
    pub fn create_newsroom_setup_request<R: RngCore + CryptoRng>(
        &mut self,
        mut rng: R,
    ) -> Result<NewsroomSetupRequest, Error> {
        let newsroom_keys = NewsroomKeyPair::new(&mut rng)?;
        let newsroom_vk = newsroom_keys.verifying_key();

        // Store the newsroom keys in the session for later use (e.g., signing journalist keys)
        self.newsroom_keys = Some(newsroom_keys);

        Ok(NewsroomSetupRequest {
            newsroom_verifying_key: newsroom_vk,
        })
    }

    /// Setup a journalist. This corresponds to step 3.1 in the spec.
    ///
    /// The newsroom then signs the bundle of journalist public keys.
    ///
    /// TODO: There is a manual verification step here, so the caller should
    /// instruct the user to stop, verify the fingerprint out of band, and
    /// then proceed. The caller should also persist the fingerprint and signature
    /// in its local data store.
    ///
    /// TODO(later): How to handle signing when offline? (Not relevant for benchmarking)
    pub fn setup_journalist(
        &mut self,
        request: JournalistSetupRequest,
    ) -> Result<JournalistSetupResponse, Error> {
        // Get enrollment key from the request
        let journalist_signing_key = request.enrollment.keys.0;

        // Verify journalist self-signature over their own pubkeys.
        journalist_signing_key
            .verify(
                request.enrollment.bundle.as_bytes(),
                &request.enrollment.selfsig,
            )
            .map_err(|_| anyhow::anyhow!("Invalid signature on longterm keys"))?;

        // Sign the journalist's verifying key.
        let verifying_key_bytes = request.enrollment.keys.0.into_bytes();
        let newsroom_keys = self
            .newsroom_keys
            .as_ref()
            .ok_or_else(|| anyhow::anyhow!("Newsroom keys not found in session"))?;
        let newsroom_signature: Signature<NewsroomOnJournalist> =
            newsroom_keys.sign(&verifying_key_bytes);

        // Insert journalist keys into storage
        let _journalist_id = self
            .storage
            .add_journalist(request.enrollment, newsroom_signature.clone());

        Ok(JournalistSetupResponse {
            sig: newsroom_signature,
        })
    }

    /// Handle journalist ephemeral key replenishment. This corresponds to step 3.2 in the spec.
    ///
    /// The journalist sends ephemeral keys signed by their signing key, and the server
    /// verifies the signature and stores the ephemeral keys.
    ///
    /// # Errors
    ///
    /// Returns an error if the journalist is not found in storage, or if any bundle
    /// signature fails verification.
    pub fn handle_ephemeral_key_request(
        &mut self,
        request: JournalistEphemeralKeyRequest,
    ) -> Result<(), Error> {
        // Look up the journalist by their verifying key
        let journalist_id = self
            .storage
            .find_journalist_by_verifying_key(&request.verifying_key)
            .ok_or_else(|| anyhow::anyhow!("Journalist not found in storage"))?;

        // TODO: more efficient way than verifying each signature!
        // Verify each ephemeral bundle signature.
        request
            .bundles
            .iter()
            .try_for_each(|k| request.verifying_key.verify(&k.0.as_bytes(), &k.1))
            .map_err(|_| anyhow::anyhow!("Invalid signature on ephemeral keys"))?;

        // Store the ephemeral keys for the journalist
        self.storage
            .add_ephemeral_keys(journalist_id, request.bundles);

        Ok(())
    }

    /// Returns the newsroom verifying key, if one has been generated.
    pub fn newsroom_verifying_key(&self) -> Option<VerifyingKey> {
        self.newsroom_keys.as_ref().map(|keys| keys.verifying_key())
    }

    /// Set the FPF signature for the newsroom
    pub fn set_fpf_signature(&mut self, signature: Signature<FpfOnNewsroom>) {
        self.signature = Some(signature);
    }

    /// Get the ephemeral key count for a journalist
    pub fn ephemeral_keys_count(&self, journalist_id: Uuid) -> usize {
        self.storage.ephemeral_keys_count(journalist_id)
    }

    /// Check if a journalist has ephemeral keys available
    pub fn has_ephemeral_keys(&self, journalist_id: Uuid) -> bool {
        self.storage.has_ephemeral_keys(journalist_id)
    }

    /// Find journalist ID by verifying key
    pub fn find_journalist_id(&self, verifying_key: &VerifyingKey) -> Option<Uuid> {
        self.storage.find_journalist_by_verifying_key(verifying_key)
    }

    /// Check if a message exists with the given ID
    pub fn has_message(&self, message_id: &Uuid) -> bool {
        self.storage.get_messages().contains_key(message_id)
    }

    /// Handle source newsroom key request (step 5)
    pub fn handle_source_newsroom_key_request(
        &self,
        _request: SourceNewsroomKeyRequest,
    ) -> SourceNewsroomKeyResponse {
        SourceNewsroomKeyResponse {
            newsroom_verifying_key: self
                .newsroom_keys
                .as_ref()
                .expect("Newsroom keys not found")
                .verifying_key(),
            fpf_sig: self
                .signature
                .as_ref()
                .expect("FPF signature not found")
                .clone(),
        }
    }

    /// Handle source journalist key request (step 5)
    pub fn handle_source_journalist_key_request<R: RngCore + CryptoRng>(
        &mut self,
        _request: SourceJournalistKeyRequest,
        rng: &mut R,
    ) -> Vec<SourceJournalistKeyResponse> {
        let mut responses = Vec::new();

        // Get all journalists and their ephemeral keys
        let journalist_ephemeral_keys = self.storage.get_all_ephemeral_keys(rng);

        for (journalist_id, ephemeral_bundle) in journalist_ephemeral_keys {
            // Get the journalist's long-term keys
            // TODO: Do something better than expect here
            let (
                signing_key,
                fetching_key,
                reply_apke_pk,
                journalist_self_sig,
                signed_pubkey_bytes,
                newsroom_sig,
            ) = self
                .storage
                .get_journalists()
                .get(&journalist_id)
                .expect("Journalist should exist in storage")
                .clone();

            let journo_public = JournalistPublicView::new(
                signing_key,
                fetching_key,
                reply_apke_pk,
                journalist_self_sig,
                signed_pubkey_bytes,
                ephemeral_bundle,
            );

            // Create response for this journalist
            let response = SourceJournalistKeyResponse {
                journalist: journo_public,
                nr_signature: newsroom_sig,
            };

            responses.push(response);
        }

        responses
    }

    /// Handle message submission (step 6 for sources, step 9 for journalists)
    pub fn handle_message_submit<R: RngCore + CryptoRng>(
        &mut self,
        message: Envelope,
        rng: &mut R,
    ) -> Result<Uuid, Error> {
        // Generate a random message ID
        let message_id = self.storage.deterministic_uuid(rng);

        // Store the message with the generated ID
        self.storage.add_message(message_id, message);

        Ok(message_id)
    }

    /// Compute "hints"/challenges for message id fetch request (step 7)
    pub fn handle_request_challenges<R: RngCore + CryptoRng>(
        &self,
        _request: MessageChallengeFetchRequest,
        rng: &mut R,
    ) -> Result<MessageChallengeFetchResponse, Error> {
        let total_challenges: usize = primitives::MESSAGE_ID_FETCH_SIZE;
        let store = self.storage.get_messages();
        let chall = compute_fetch_challenges(rng, store, total_challenges);

        Ok(MessageChallengeFetchResponse {
            count: total_challenges,
            messages: chall,
        })
    }

    /// Handle message ID fetch request (step 7)
    ///
    /// TODO: Nothing here prevents someone from requesting messages
    /// that aren't theirs? Should request messages have a signature?
    // #[deprecated] // "use compute_fetch_challenges"
    // pub fn handle_message_id_fetch<R: RngCore + CryptoRng>(
    //     &self,
    //     _request: MessageChallengeFetchRequest,
    //     rng: &mut R,
    // ) -> Result<MessageChallengeFetchResponse, Error> {
    //     let messages = self.storage.get_messages();
    //     let message_count = messages.len();
    //     // Fixed response size to prevent traffic analysis

    //     let mut q_entries = Vec::new();
    //     let mut cid_entries = Vec::new();

    //     // Process real messages
    //     for (message_id, message) in messages.iter() {
    //         let y = generate_random_scalar(rng).expect("Failed to generate random scalar");

    //         // k_i = DH(Z_i, y)
    //         let z_public_key = dh_public_key_from_scalar(
    //             message.dh_share_z.clone().try_into().unwrap_or([0u8; 32]),
    //         );
    //         let k_i = dh_shared_secret(&z_public_key, y)?.into_bytes();

    //         // Q_i = DH(X_i, y)
    //         let x_public_key = dh_public_key_from_scalar(
    //             message.dh_share_x.clone().try_into().unwrap_or([0u8; 32]),
    //         );
    //         let q_i = dh_shared_secret(&x_public_key, y)?.into_bytes();

    //         // ID: cid_i = Enc(k_i, id_i)
    //         let message_id_bytes = message_id.as_bytes().to_vec();
    //         let cid_i =
    //             encrypt_message_id(&k_i, &message_id_bytes).expect("Failed to encrypt message ID");

    //         q_entries.push(q_i.to_vec());
    //         cid_entries.push(cid_i);
    //     }

    //     // Fill remaining slots with random data
    //     while q_entries.len() < MESSAGE_ID_FETCH_SIZE {
    //         // Generate random Q_i that matches the structure of real Q_i
    //         // Real Q_i = DH(X_i, y), so random Q_i should also be a DH shared secret
    //         let random_y = generate_random_scalar(rng).expect("Failed to generate random scalar");
    //         let random_x = generate_random_scalar(rng).expect("Failed to generate random scalar");
    //         let random_x_pub = dh_public_key_from_scalar(random_x);
    //         let random_q = dh_shared_secret(&random_x_pub, random_y)
    //             .map_err(|_| anyhow!("failed to construct shared secret"))?
    //             .into_bytes();

    //         // Generate random cid by encrypting a random UUID
    //         // This ensures indistinguishability from real cid_i
    //         let random_uuid = Uuid::new_v4();
    //         let random_key = generate_random_scalar(rng).expect("Failed to generate random key");
    //         let random_cid =
    //             crate::primitives::encrypt_message_id(&random_key, random_uuid.as_bytes())
    //                 .expect("Failed to encrypt random UUID");

    //         q_entries.push(random_q.to_vec());
    //         cid_entries.push(random_cid);
    //     }

    //     // Shuffle the entries to hide which are real vs random
    //     // Zip the arrays together, shuffle, then unzip
    //     let mut pairs: Vec<_> = q_entries.into_iter().zip(cid_entries).collect();

    //     let shuffled = Self::shuffle_not_for_prod(&mut pairs)
    //         .expect("Need shuffled list")
    //         .to_vec();

    //     // Unzip back into separate arrays
    //     let (q_entries, cid_entries): (Vec<_>, Vec<_>) = shuffled.into_iter().unzip();

    //     Ok(MessageChallengeFetchResponse {
    //         count: MESSAGE_ID_FETCH_SIZE,
    //         messages: q_entries.into_iter().zip(cid_entries).collect(),
    //     })
    // }

    // /// Shuffle challenges so that real and decoys are interspersed.
    // /// Note: not a true random shuffle, toybox impl only
    // pub fn shuffle_not_for_prod<'a>(
    //     vec: &'a mut Vec<(Vec<u8>, Vec<u8>)>,
    // ) -> Option<&'a mut [(Vec<u8>, Vec<u8>)]> {
    //     if vec.is_empty() {
    //         return None;
    //     }

    //     let len = vec.len();

    //     // https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle
    //     for i in (0..len - 1).rev() {
    //         // not for prod: modulo bias
    //         let new_index = getrandom::u32().unwrap() as usize % i;
    //         vec.swap(i, new_index);
    //     }

    //     Some(vec.as_mut_slice())
    // }

    /// Handle message fetch request (step 8/10)
    pub fn handle_message_fetch(&self, request: MessageFetchRequest) -> Option<Envelope> {
        self.storage
            .get_messages()
            .get(&request.message_id)
            .cloned()
    }
}