DukeInc/Kez
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Kez/rust-sig-server/src/store.rs
Tudisco d0db6f00f1 Initial implementation of KEZ — protocol, two impls, and storage server 
KEZ is a portable, decentralized identity graph: a person signs claims
linking their many accounts, publishes those claims in places only the
claimed account can publish to, and anyone can verify the connections
without trusting a central server.

Layout
------
- SPEC.md            Language-agnostic protocol spec (v0.2)
- rust/              Rust implementation: kez-core, kez-channels, kez-cli
- nodejs/            TypeScript port at full parity
- rust-sig-server/   Optional axum + SQLite storage server for sigchains
- crosstest.sh       Cross-implementation interop harness

Capabilities (both implementations, byte-compatible)
----------------------------------------------------
- Two primary-key algorithms: nostr/secp256k1 Schnorr (BIP-340) and
  Ed25519 (RFC 8032). Identifiers: nostr:npub1... and ed25519:<hex>.
- JCS (RFC 8785) canonicalization for everything signed.
- Four proof encodings: JSON envelope, compact (kez:z1:<base64url(zstd(json))>),
  Markdown fence, DNS TXT.
- Five channel plugins (no API keys, no auth needed for any of them):
    dns:        system resolver, _kez.<domain> TXT records
    github:     public gist scan + <user>/<user> profile README fallback
    nostr:      kind-30078 events from default relays
    bluesky:    public AppView author feed
    ap:         WebFinger + actor JSON (alias mastodon:)
- Identical CLI surface:
    kez identity new [--key-type nostr|ed25519]
    kez claim create <subject> (--nsec | --ed25519-seed) [--format ...] [--out ...]
    kez claim dns <domain>     (--nsec | --ed25519-seed)
    kez verify file <path>
    kez verify id <identifier>
    kez sigchain add|revoke|show|export|publish
- Sigchains: append-only signed log per primary, hash-chained per spec §6,
  stored locally at ~/.kez/sigchains/, exportable as JSONL or kez:zc1: bundle.
- Sigchain publish destinations: chain server, web (file dump), DNS (zone
  record print), nostr (kind-30078 wrapping event).

kez-sig-server
--------------
Optional storage tier. Axum + SQLite, single binary, no external deps.

- No auth — the cryptography is the access control. The server validates
  every signature, every seq, every prev hash before storing.
- REST API: POST /v1/sigchains/{scheme}/{id}/events (append signed event,
  201 with new head hash or 4xx); GET /{scheme}/{id} (full chain as JSONL);
  GET /head; GET /healthz.
- Designed for one central instance for now; the design doesn't preclude
  running more later (clients gain a configurable list, verifiers
  reconcile per spec §6.2).
- Channel-based publishing remains the always-available fallback if the
  server is unavailable.

Tests
-----
- rust/                 99 tests
- rust-sig-server/      10 integration tests (real HTTP, real SQLite)
- nodejs/               91 tests (vitest)
- crosstest.sh          19 cross-impl scenarios — proves JCS bytes,
                        Schnorr + Ed25519 sigs, all four claim encodings,
                        and the sigchain JSONL bundle are byte-compatible
                        between Rust and Node in both directions.

What's not done yet
-------------------
- verify id consulting the sigchain for revocations (data path exists,
  just not wired into the verifier output).
- rotate and add_device sigchain ops (types reserved).
- expires_at enforcement during claim verification.
- Typed VerificationStatus.status reflecting the five failure modes.
- Auth-required publishers (GitHub gist, Bluesky, ActivityPub).
2026-05-24 14:41:00 -06:00

138 lines
4.7 KiB
Rust
Raw Blame History

//! SQLite-backed sigchain store. One table, one row per event.
//!
//! Concurrency: a single `tokio::sync::Mutex<Connection>` serializes all
//! writes. This is fine at any realistic single-instance scale — sigchain
//! writes are rare events (one per identity change) and read paths can be
//! served from the same lock without contention worth optimizing.
use std::path::Path;
use std::sync::Arc;
use kez_core::{Identity, Sigchain, SignedSigchainEvent};
use rusqlite::{Connection, OptionalExtension, params};
use tokio::sync::Mutex;
use crate::error::ApiError;
/// Shared store handle. Cheap to clone — wraps an `Arc`.
#[derive(Clone)]
pub struct Store {
inner: Arc<Mutex<Connection>>,
}
impl Store {
pub fn open(path: &Path) -> Result<Self, rusqlite::Error> {
let conn = Connection::open(path)?;
init_schema(&conn)?;
Ok(Self {
inner: Arc::new(Mutex::new(conn)),
})
}
pub fn open_in_memory() -> Result<Self, rusqlite::Error> {
let conn = Connection::open_in_memory()?;
init_schema(&conn)?;
Ok(Self {
inner: Arc::new(Mutex::new(conn)),
})
}
/// Load all events for `primary` and return them as a validated `Sigchain`.
/// Returns an empty `Sigchain` if no events exist for this primary.
pub async fn load_chain(&self, primary: &Identity) -> Result<Sigchain, ApiError> {
let conn = self.inner.lock().await;
let mut stmt = conn.prepare(
"SELECT envelope_json FROM sigchain_events
WHERE primary_scheme = ?1 AND primary_id = ?2
ORDER BY seq ASC",
)?;
let rows = stmt
.query_map(params![primary.scheme(), primary.value()], |row| {
row.get::<_, String>(0)
})?
.collect::<Result<Vec<_>, _>>()?;
let mut chain = Sigchain::new(primary.clone());
for json in rows {
let event: SignedSigchainEvent = serde_json::from_str(&json)?;
chain.append(event)?;
}
Ok(chain)
}
/// Append a pre-validated event. Caller must have already passed it
/// through `Sigchain::append`. We re-do the write transactionally to
/// guard against a racing writer (INSERT OR ABORT on the (primary, seq)
/// PK provides this).
pub async fn append(
&self,
primary: &Identity,
event: &SignedSigchainEvent,
) -> Result<(), ApiError> {
let envelope_json = serde_json::to_string(event)?;
let envelope_hash = event
.hash()
.map_err(|e| ApiError::Internal(format!("hash: {e}")))?;
let seq = event.payload.seq as i64;
let created_at = event.payload.created_at.to_rfc3339();
let conn = self.inner.lock().await;
conn.execute(
"INSERT INTO sigchain_events
(primary_scheme, primary_id, seq, envelope_json, envelope_hash, created_at)
VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
params![
primary.scheme(),
primary.value(),
seq,
envelope_json,
envelope_hash,
created_at,
],
)
.map_err(|e| match e {
rusqlite::Error::SqliteFailure(err, _)
if err.code == rusqlite::ErrorCode::ConstraintViolation =>
{
ApiError::Conflict(format!("seq {} already exists for this primary", seq))
}
other => ApiError::Internal(format!("db: {other}")),
})?;
Ok(())
}
/// Just the head event, if any.
pub async fn head(&self, primary: &Identity) -> Result<Option<SignedSigchainEvent>, ApiError> {
let conn = self.inner.lock().await;
let row = conn
.query_row(
"SELECT envelope_json FROM sigchain_events
WHERE primary_scheme = ?1 AND primary_id = ?2
ORDER BY seq DESC LIMIT 1",
params![primary.scheme(), primary.value()],
|row| row.get::<_, String>(0),
)
.optional()?;
match row {
None => Ok(None),
Some(json) => Ok(Some(serde_json::from_str(&json)?)),
}
}
}
fn init_schema(conn: &Connection) -> Result<(), rusqlite::Error> {
conn.execute_batch(
"CREATE TABLE IF NOT EXISTS sigchain_events (
primary_scheme TEXT NOT NULL,
primary_id TEXT NOT NULL,
seq INTEGER NOT NULL,
envelope_json TEXT NOT NULL,
envelope_hash TEXT NOT NULL,
created_at TEXT NOT NULL,
PRIMARY KEY (primary_scheme, primary_id, seq)
);
CREATE INDEX IF NOT EXISTS idx_primary
ON sigchain_events (primary_scheme, primary_id);",
)
}
Reference in New Issue View Git Blame Copy Permalink