Merge pull request #197 from freedomofpress/step5

protocol §5 key retrieval

Author: cfm

docs/protocol.md

@@ -375,6 +375,8 @@ the first sender.
 
 ### 5. Sender fetches keys and verifies their authenticity <!-- Figure 3(b) as of b1e4d41 -->
 
+Senders must fetch recipient keys from the server. For each journalist, the server MUST select one key bundle at random and then delete it; a given key bundle MUST NOT be returned more than once.
+
 Given:
 
 |                     | Anyone          |

securedrop-protocol/bench/src/submit.rs

@@ -3,11 +3,11 @@ use rand_chacha::ChaCha20Rng;
 use rand_core::SeedableRng;
 
 use securedrop_protocol_minimal::{
-    journalist::JournalistClient, keys::FPFKeyPair, messages::core::SourceJournalistKeyResponse,
-    server::Server, source::SourceClient,
+    journalist::JournalistClient, keys::FPFKeyPair, messages::core::KeyResponse, server::Server,
+    source::SourceClient,
 };
 
-fn setup_test_environment() -> (SourceClient, Vec<SourceJournalistKeyResponse>) {
+fn setup_test_environment() -> (SourceClient, Vec<KeyResponse>) {
     // 1. Create server with newsroom and journalist
     let mut server = Server::new();
 
@@ -16,9 +16,6 @@ fn setup_test_environment() -> (SourceClient, Vec<SourceJournalistKeyResponse>)
         .create_newsroom_setup_request(ChaCha20Rng::seed_from_u64(666))
         .expect("Can create newsroom setup request");
 
-    // Store the newsroom verifying key before moving the request
-    let newsroom_verifying_key = newsroom_setup_request.newsroom_verifying_key;
-
     // Simulate FPF signing
     let fpf_keypair =
         FPFKeyPair::new(ChaCha20Rng::seed_from_u64(666)).expect("FPF key generation failed");
@@ -51,24 +48,24 @@ fn setup_test_environment() -> (SourceClient, Vec<SourceJournalistKeyResponse>)
     let mut source = SourceClient::from_passphrase(&[1u8; 32]);
 
     // 6. Source fetches newsroom keys
-    let newsroom_key_request = source.fetch_newsroom_keys();
-    let newsroom_key_response = server.handle_source_newsroom_key_request(newsroom_key_request);
+    let newsroom_key_request = source.newsroom_key_request();
+    let newsroom_key_response = server.handle_newsroom_key_request(newsroom_key_request);
 
     // Source handles and verifies the newsroom key response
     source
         .handle_newsroom_key_response(&newsroom_key_response, &fpf_keypair.verifying_key())
         .expect("Newsroom key response should be valid");
 
     // 7. Source fetches journalist keys
-    let journalist_key_request = source.fetch_journalist_keys();
-    let journalist_key_responses = server.handle_source_journalist_key_request(
+    let journalist_key_request = source.request_keys();
+    let journalist_key_responses = server.handle_key_request(
         journalist_key_request,
         &mut ChaCha20Rng::seed_from_u64(666),
     );
 
     // Source handles and verifies the journalist key response
     source
-        .handle_journalist_key_response(&journalist_key_responses[0], &newsroom_verifying_key)
+        .handle_key_response(&journalist_key_responses[0])
         .expect("Journalist key response should be valid");
 
     (source, journalist_key_responses)

securedrop-protocol/protocol-minimal/src/api.rs

@@ -10,7 +10,7 @@
 //!
 //! Key verification follows a chain of trust:
 //! 1. The FPF signing key is a trust anchor (pre-distributed out of band).
-//! 2. The newsroom's verifying key is signed by FPF.  (This is not yet verified by `handle_journalist_key_response()`.)
+//! 2. The newsroom's verifying key is signed by FPF and stored by [`Api::handle_newsroom_key_response`].
 //! 3. Each journalist's signing key is signed by the newsroom.
 //! 4. Each journalist's key bundles are self-signed.
 
@@ -20,8 +20,8 @@ use crate::{
     encrypt_decrypt::{encrypt, solve_fetch_challenges},
     messages::{
         core::{
-            MessageChallengeFetchRequest, MessageFetchRequest, SourceJournalistKeyRequest,
-            SourceJournalistKeyResponse, SourceNewsroomKeyRequest, SourceNewsroomKeyResponse,
+            KeyRequest, KeyResponse, MessageChallengeFetchRequest, MessageFetchRequest,
+            NewsroomKeyRequest, NewsroomKeyResponse,
         },
         setup::{JournalistEphemeralKeyRequest, JournalistSetupRequest},
     },
@@ -38,26 +38,29 @@ use uuid::Uuid;
 /// [`set_newsroom_verifying_key`](Api::set_newsroom_verifying_key).
 /// All other methods have default implementations.
 pub trait Api {
-    /// Returns the stored newsroom verifying key, if one has been verified.
+    /// Returns the stored newsroom verifying key.
     fn newsroom_verifying_key(&self) -> Option<&VerifyingKey>;
 
-    /// Stores a verified newsroom verifying key.
+    /// Stores a newsroom verifying key.
+    ///
+    /// The caller is responsible for ensuring the key has been verified before
+    /// storing it. Prefer [`handle_newsroom_key_response`](Api::handle_newsroom_key_response),
+    /// which verifies the FPF signature before storing.
     fn set_newsroom_verifying_key(&mut self, key: VerifyingKey);
 
-    /// Creates a request to fetch the newsroom's public keys from the server.
+    /// Creates a `NewsroomKeyRequest` to fetch the newsroom's public keys from the server.
     ///
     /// This is the first part of step 5 in the protocol spec.
-    fn fetch_newsroom_keys(&self) -> SourceNewsroomKeyRequest {
-        SourceNewsroomKeyRequest {}
+    fn newsroom_key_request(&self) -> NewsroomKeyRequest {
+        NewsroomKeyRequest {}
     }
 
-    /// Creates a request to fetch journalist public keys from the server.
+    /// Creates a `RequestKeys` request (step 5 in the spec).
     ///
-    /// This is the second part of step 5 in the protocol spec. The server
-    /// responds with long-term keys and a one-time ephemeral key bundle
-    /// for each available journalist.
-    fn fetch_journalist_keys(&self) -> SourceJournalistKeyRequest {
-        SourceJournalistKeyRequest {}
+    /// The server responds with long-term keys and a one-time ephemeral key
+    /// bundle for each available journalist.
+    fn request_keys(&self) -> KeyRequest {
+        KeyRequest {}
     }
 
     /// Creates a request to fetch encrypted message IDs from the server.
@@ -133,15 +136,15 @@ pub trait Api {
     /// Returns an error if the FPF signature is invalid.
     fn handle_newsroom_key_response(
         &mut self,
-        response: &SourceNewsroomKeyResponse,
+        response: &NewsroomKeyResponse,
         fpf_verifying_key: &VerifyingKey,
     ) -> Result<(), Error> {
-        let newsroom_vk_bytes = response.newsroom_verifying_key.into_bytes();
+        let newsroom_vk_bytes = response.newsroom_verifying_key().into_bytes();
         fpf_verifying_key
-            .verify(&newsroom_vk_bytes, &response.fpf_sig)
+            .verify(&newsroom_vk_bytes, response.fpf_sig())
             .map_err(|_| anyhow::anyhow!("invalid FPF signature on newsroom verifying key"))?;
 
-        self.set_newsroom_verifying_key(response.newsroom_verifying_key);
+        self.set_newsroom_verifying_key(*response.newsroom_verifying_key());
         Ok(())
     }
 
@@ -154,32 +157,36 @@ pub trait Api {
     ///
     /// # Errors
     ///
-    /// Returns an error if any signature check fails.
-    fn handle_journalist_key_response(
-        &self,
-        response: &SourceJournalistKeyResponse,
-        newsroom_verifying_key: &VerifyingKey,
-    ) -> Result<(), Error> {
+    /// Returns an error if:
+    /// - The newsroom verifying key has not been set (call [`handle_newsroom_key_response`](Api::handle_newsroom_key_response) first).
+    /// - Any of the three signature checks fail.
+    fn handle_key_response(&self, response: &KeyResponse) -> Result<(), Error> {
+        let newsroom_verifying_key = self.newsroom_verifying_key().ok_or_else(|| {
+            anyhow::anyhow!(
+                "newsroom verifying key not set; call handle_newsroom_key_response first"
+            )
+        })?;
+
         // 1. Verify newsroom signature on journalist's verifying key.
         newsroom_verifying_key
             .verify(
-                &response.journalist.verifying_key().into_bytes(),
-                &response.nr_signature,
+                &response.journalist().verifying_key().into_bytes(),
+                response.nr_signature(),
             )
             .map_err(|_| anyhow::anyhow!("invalid newsroom signature on journalist signing key"))?;
 
         // 2. Verify journalist's self-signature on long-term key bundle.
-        let vk = response.journalist.verifying_key();
+        let vk = response.journalist().verifying_key();
         vk.verify(
-            response.journalist.signed_keybytes().as_bytes(),
-            response.journalist.self_signature(),
+            response.journalist().signed_keybytes().as_bytes(),
+            response.journalist().self_signature(),
         )
         .map_err(|_| anyhow::anyhow!("invalid journalist self-signature on long-term keys"))?;
 
         // 3. Verify journalist's self-signature on one-time ephemeral key bundle.
         vk.verify(
-            &response.journalist.ephemeral_bundle().as_bytes(),
-            response.journalist.ephemeral_signature(),
+            &response.journalist().ephemeral_bundle().as_bytes(),
+            response.journalist().ephemeral_signature(),
         )
         .map_err(|_| anyhow::anyhow!("invalid journalist self-signature on one-time keys"))?;
 

securedrop-protocol/protocol-minimal/src/journalist.rs

@@ -30,17 +30,20 @@ pub struct Journalist {
     fetch_key: DhFetchKeyPair,
     message_keys: Vec<SignedMessageKeyBundle>,
     reply_key: DhAkemKeyPair,
+    reply_mlkem: MlKem768KeyPair,
     self_signature: Signature<JournalistLongTermKey>,
     signed_longterm_key_bytes: SignedLongtermPubKeyBytes,
     session_storage: SessionStorage,
 }
 
 // Public-facing representation of a journalist
 // used to send them a message
+#[derive(Debug)]
 pub struct JournalistPublicView {
     vk: VerifyingKey,
     fetch_pk: DHPublicKey,
     dhakem_pk_reply: DhAkemPublicKey,
+    mlkem_pk_reply: MLKEM768PublicKey,
     signed_longterm_key_bytes: SignedLongtermPubKeyBytes,
     selfsig: Signature<JournalistLongTermKey>,
     kb: SignedKeyBundlePublic,
@@ -51,6 +54,7 @@ impl JournalistPublicView {
         vk: VerifyingKey,
         fetch: DHPublicKey,
         dhakem: DhAkemPublicKey,
+        mlkem: MLKEM768PublicKey,
         selfsig: Signature<JournalistLongTermKey>,
         signed_longterm_key_bytes: SignedLongtermPubKeyBytes,
         kb: SignedKeyBundlePublic,
@@ -59,6 +63,7 @@ impl JournalistPublicView {
             vk,
             fetch_pk: fetch,
             dhakem_pk_reply: dhakem,
+            mlkem_pk_reply: mlkem,
             selfsig,
             signed_longterm_key_bytes,
             kb,
@@ -166,6 +171,7 @@ impl Enrollable for Journalist {
                 self.signing_key.pk,
                 self.fetch_key.pk.clone(),
                 self.reply_key.pk.clone(),
+                self.reply_mlkem.pk.clone(),
             ),
         }
     }
@@ -194,8 +200,13 @@ impl Journalist {
         let (sk_reply, pk_reply) =
             generate_dh_akem_keypair(&mut *rng).expect("DH-AKEM Keygen (Reply) failed");
 
+        let (sk_reply_mlkem, pk_reply_mlkem) =
+            generate_mlkem768_keypair(&mut *rng).expect("ML-KEM Keygen (Reply) failed");
+
         // Self-sign long-term pubkeys (for enrollment).
-        let selfsigned_pubkeys = SignedLongtermPubKeyBytes::from_keys(&pk_reply, &pk_fetch);
+        // pk_J^APKE = pk_J^APKE(DHKEM) || pk_J^APKE(ML-KEM) per spec key table.
+        let selfsigned_pubkeys =
+            SignedLongtermPubKeyBytes::from_keys(&pk_reply, &pk_reply_mlkem, &pk_fetch);
         let self_signature: Signature<JournalistLongTermKey> =
             signing_key.sign(selfsigned_pubkeys.as_bytes());
 
@@ -250,6 +261,10 @@ impl Journalist {
                 sk: sk_reply,
                 pk: pk_reply,
             },
+            reply_mlkem: KeyPair {
+                sk: sk_reply_mlkem,
+                pk: pk_reply_mlkem,
+            },
             message_keys: key_bundles,
             self_signature,
             signed_longterm_key_bytes: selfsigned_pubkeys,
@@ -263,6 +278,7 @@ impl Journalist {
             self.signing_key.pk,
             self.fetch_key.pk.clone(),
             self.reply_key.pk.clone(),
+            self.reply_mlkem.pk.clone(),
             self.self_signature,
             self.signed_longterm_key_bytes.clone(),
             (kb.bundle.public(), kb.selfsig),

securedrop-protocol/protocol-minimal/src/keys.rs

@@ -107,16 +107,25 @@ pub(crate) struct SignedMessageKeyBundle {
 }
 
 #[derive(Debug, Clone)]
-pub struct SignedLongtermPubKeyBytes(pub [u8; LEN_DHKEM_ENCAPS_KEY + LEN_DH_ITEM]);
+pub struct SignedLongtermPubKeyBytes(
+    pub [u8; LEN_DHKEM_ENCAPS_KEY + LEN_MLKEM_ENCAPS_KEY + LEN_DH_ITEM],
+);
 
 impl SignedLongtermPubKeyBytes {
     /// Serialize long-term public keys into the canonical byte encoding.
     ///
-    /// Byte layout (per spec §3.1): `pk_J^APKE || pk_J^fetch`
-    pub(crate) fn from_keys(reply_dhakem: &DhAkemPublicKey, fetch_pk: &DHPublicKey) -> Self {
-        let mut pubkey_bytes = [0u8; LEN_DHKEM_ENCAPS_KEY + LEN_DH_ITEM];
+    /// Byte layout (per spec §3.1): `pk_J^APKE(DHKEM) || pk_J^APKE(ML-KEM) || pk_J^fetch`
+    pub(crate) fn from_keys(
+        reply_dhakem: &DhAkemPublicKey,
+        reply_mlkem: &MLKEM768PublicKey,
+        fetch_pk: &DHPublicKey,
+    ) -> Self {
+        let mut pubkey_bytes = [0u8; LEN_DHKEM_ENCAPS_KEY + LEN_MLKEM_ENCAPS_KEY + LEN_DH_ITEM];
         pubkey_bytes[0..LEN_DHKEM_ENCAPS_KEY].copy_from_slice(reply_dhakem.as_bytes());
-        pubkey_bytes[LEN_DHKEM_ENCAPS_KEY..].copy_from_slice(&fetch_pk.into_bytes());
+        pubkey_bytes[LEN_DHKEM_ENCAPS_KEY..LEN_DHKEM_ENCAPS_KEY + LEN_MLKEM_ENCAPS_KEY]
+            .copy_from_slice(reply_mlkem.as_bytes());
+        pubkey_bytes[LEN_DHKEM_ENCAPS_KEY + LEN_MLKEM_ENCAPS_KEY..]
+            .copy_from_slice(&fetch_pk.into_bytes());
 
         Self(pubkey_bytes)
     }
@@ -131,7 +140,12 @@ impl SignedLongtermPubKeyBytes {
 pub struct Enrollment {
     pub bundle: SignedLongtermPubKeyBytes,
     pub selfsig: Signature<JournalistLongTermKey>,
-    pub keys: (VerifyingKey, DHPublicKey, DhAkemPublicKey),
+    pub keys: (
+        VerifyingKey,
+        DHPublicKey,
+        DhAkemPublicKey,
+        MLKEM768PublicKey,
+    ),
 }
 
 // in memory session storage