Sologretto/itsgoin
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
itsgoin/crates/core/src/fof.rs
Scott Reimers 66b78041fc feat(fof-layer3): Mode 1 publish + read + Tauri + UI wiring 
End-to-end FoFClosed (Mode 1: encrypted body + FoF comments):

Node API:
- create_post_fof_closed(content) -> (PostId, Post, cek)
  Builds gating, encrypts body via fof::encrypt_fof_body, base64s it
  into post.content, stores with visibility=FoFClosed +
  intent=Public, propagates via update_neighbor_manifests_as.
- read_fof_closed_body(post_id) -> Option<String>
  Trial-unlocks via find_unlock_for_post, decrypts body, returns
  plaintext. Returns None for non-FoFClosed or non-member readers.

Tauri commands:
- create_post_fof_closed, read_fof_closed_body. Registered in
  generate_handler!.

Feed rendering:
- PostDto.visibility carries the new "fof-closed" string.
- renderPost(): FoFClosed posts render with a locked placeholder
  (data-fof-closed-pending=post_id span). Visual badge added.
- unlockFoFClosedPlaceholders(rootEl): post-render async pass that
  scans for placeholder spans and dispatches read_fof_closed_body
  for each. Fills in body for FoF readers; falls back to a
  "not in this FoF set" notice otherwise.
- Wired into feed-list and my-posts-list render paths.

Compose:
- "Body+Comments: FoF only (Mode 1)" option in comment-perm-select.
  Selected → dispatches to create_post_fof_closed.

CLI feed renderer + Tauri feed-DTO match arms updated to handle
FoFClosed.

New end-to-end test brings total to 146:
- fof_closed_body_end_to_end: Alice authors FoFClosed body; Bob (with
  Alice's V_me in his keyring) unlocks + decrypts; Carol (no
  matching V_x) cannot unlock and sees only ciphertext.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 15:19:42 -06:00

1186 lines
49 KiB
Rust
Raw Blame History

//! FoF Layer 2: post-side construction + verification for FoF-gated
//! comments. See `docs/fof-spec/layer-2-mode2-fof-comments.md` for the
//! wire shape and threat model.
//!
//! This module owns:
//! - **Author publish path** ([`build_fof_comment_gating`]): seal wrap
//! slots, generate per-V_x signing keypairs, bucket-pad, shuffle.
//! - **Reader/commenter unlock path** ([`find_unlock_for_post`],
//! [`build_fof_comment`]): trial-decrypt slots with any held V_x;
//! if a slot opens, derive priv_x + comments-CEK, encrypt the
//! comment body, sign with priv_x, attach pub_x_index.
//!
//! The CDN four-check verification path and revocation handling live
//! in sibling modules (added in subsequent slices).
use anyhow::Result;
use ed25519_dalek::SigningKey;
use rand::seq::SliceRandom;
use rand::RngCore;
use crate::crypto::{seal_wrap_slot, SealedWrapSlot};
use crate::storage::Storage;
use crate::types::{FoFCommentGating, NodeId, WrapSlot};
/// Build the `FoFCommentGating` block for a post about to be published
/// under `CommentPermission::FriendsOfFriends`. The author's keyring
/// (own current `V_me` + every distinct received `V_x`) drives the
/// real-slot set; dummies pad the count to the next bucket.
///
/// Returns `None` if the author has no current `V_me` set — every
/// persona is supposed to have one (auto-generated on creation in
/// Layer 1), but this gracefully no-ops if not.
///
/// Side effect: this function is pure; no storage writes. The caller
/// owns persisting the resulting Post.
pub fn build_fof_comment_gating(
storage: &Storage,
author_persona_id: &NodeId,
) -> Result<Option<FoFCommentGatingBuilt>> {
// Gather the author's keyring: own current V_me + all unique
// received V_x's (deduped at the byte level per Layer 3).
let Some((_own_epoch, own_v_me)) = storage.current_own_vouch_key(author_persona_id)? else {
return Ok(None);
};
let received = storage.list_received_vouch_keys(author_persona_id)?;
// Dedup at the V_x byte level. Keep the highest epoch per (owner, key).
let mut unique_keys: Vec<[u8; 32]> = Vec::with_capacity(1 + received.len());
unique_keys.push(own_v_me);
for (_owner, _epoch, key) in &received {
if !unique_keys.iter().any(|existing| existing == key) {
unique_keys.push(*key);
}
}
// Generate the per-post CEK + slot_binder_nonce.
let mut cek = [0u8; 32];
rand::rng().fill_bytes(&mut cek);
let mut slot_binder_nonce = [0u8; 32];
rand::rng().fill_bytes(&mut slot_binder_nonce);
// Per real V_x: generate (priv_x, pub_x) freshly per spec (Layer 2
// resolved decision — per-post keypair generation). Then seal the
// slot. Build pub_post_set in lockstep with wrap_slots so the
// .len() invariant holds and indices map cleanly.
let mut entries: Vec<([u8; 32], WrapSlot)> = Vec::with_capacity(unique_keys.len());
for v_x in &unique_keys {
let mut seed = [0u8; 32];
rand::rng().fill_bytes(&mut seed);
let signing_key = SigningKey::from_bytes(&seed);
let pub_x = *signing_key.verifying_key().as_bytes();
let sealed: SealedWrapSlot = seal_wrap_slot(v_x, &slot_binder_nonce, &cek, &seed)?;
let slot = WrapSlot {
prefilter_tag: sealed.prefilter_tag,
read_ciphertext: sealed.read_ciphertext,
sign_ciphertext: sealed.sign_ciphertext,
};
entries.push((pub_x, slot));
}
// Pad to bucket with dummies. Dummy pub_x = 32B random bytes (no
// priv_x exists; group_sig verification against it will always
// fail — benign). Dummy slot = 98B random; AEAD-fails on every V_x.
let bucket = crate::profile::next_vouch_batch_bucket(entries.len());
let mut rng = rand::rng();
while entries.len() < bucket {
let mut dummy_pub_x = [0u8; 32];
rng.fill_bytes(&mut dummy_pub_x);
let mut dummy_prefilter = [0u8; 2];
rng.fill_bytes(&mut dummy_prefilter);
let mut dummy_read = vec![0u8; 48];
rng.fill_bytes(&mut dummy_read);
let mut dummy_sign = vec![0u8; 48];
rng.fill_bytes(&mut dummy_sign);
entries.push((
dummy_pub_x,
WrapSlot {
prefilter_tag: dummy_prefilter,
read_ciphertext: dummy_read,
sign_ciphertext: dummy_sign,
},
));
}
// Shuffle so real and dummy positions are indistinguishable.
entries.shuffle(&mut rng);
let (pub_post_set, wrap_slots): (Vec<_>, Vec<_>) = entries.into_iter().unzip();
let gating = FoFCommentGating {
slot_binder_nonce,
pub_post_set,
wrap_slots,
revocation_list: Vec::new(),
};
Ok(Some(FoFCommentGatingBuilt {
gating,
// Returned to the caller because the author needs them locally:
// - cek: to decrypt their own comments later
// - own pub_x: to find their own slot in pub_post_set for
// authoring author-side comments + future access-grants
cek,
slot_binder_nonce,
}))
}
/// Output of [`build_fof_comment_gating`]. The gating block goes into
/// `Post.fof_gating`; the side outputs are author-local state the
/// caller should cache (e.g., in `own_post_slot_provenance` introduced
/// in the cascade-revocation slice later).
#[derive(Debug, Clone)]
pub struct FoFCommentGatingBuilt {
pub gating: FoFCommentGating,
/// The post's body/comments encryption key. Authors keep this
/// locally keyed by `post_id` so they can read/decrypt without
/// needing to unwrap a slot themselves.
pub cek: [u8; 32],
/// Same nonce as `gating.slot_binder_nonce`; mirrored here for
/// callers who want it without reaching into the gating struct.
pub slot_binder_nonce: [u8; 32],
}
// --- Reader / commenter side ---
/// FoF Layer 2: a persona's successful unlock of a gated post.
/// Carries everything the persona needs to read encrypted comments AND
/// author new ones.
#[derive(Debug, Clone)]
pub struct PostUnlock {
/// Which persona unlocked the post (the V_x that matched belongs to
/// this persona's keyring — owned `V_me` or received).
pub persona_id: NodeId,
/// Index into `pub_post_set` / `wrap_slots` of the slot that
/// unlocked. Comments author by this persona will set
/// `InlineComment.pub_x_index` to this.
pub slot_index: u32,
/// Per-post shared CEK (unwrapped from the slot's read part).
pub cek: [u8; 32],
/// Ed25519 signing seed for the per-V_x keypair admitted to this
/// post (unwrapped from the slot's sign part). Used to sign
/// `group_sig` on FoF comments.
pub priv_x_seed: [u8; 32],
}
/// Trial-decrypt the post's `fof_gating.wrap_slots` against every
/// persona on this device. Returns the first successful unlock found,
/// or `None` if no held V_x matches.
///
/// Iteration order: personas as listed by storage; within each persona,
/// own current `V_me` first, then received V_x's. Slots are scanned in
/// order; the 2B prefilter lets us skip non-matching slots in O(1) per.
pub fn find_unlock_for_post(
storage: &Storage,
post: &crate::types::Post,
) -> Result<Option<PostUnlock>> {
let Some(gating) = post.fof_gating.as_ref() else { return Ok(None); };
let personas = storage.list_posting_identities()?;
for persona in &personas {
// Build this persona's V_x ring: own current + every received.
let mut keys: Vec<[u8; 32]> = Vec::new();
if let Some((_, own_key)) = storage.current_own_vouch_key(&persona.node_id)? {
keys.push(own_key);
}
for (_owner, _epoch, key) in storage.list_received_vouch_keys(&persona.node_id)? {
keys.push(key);
}
for v_x in &keys {
let prefilter = crate::crypto::wrap_slot_prefilter_tag(v_x, &gating.slot_binder_nonce);
for (idx, slot) in gating.wrap_slots.iter().enumerate() {
if slot.prefilter_tag != prefilter {
continue;
}
if let Some(opened) = crate::crypto::open_wrap_slot(
v_x,
&gating.slot_binder_nonce,
&slot.read_ciphertext,
&slot.sign_ciphertext,
) {
return Ok(Some(PostUnlock {
persona_id: persona.node_id,
slot_index: idx as u32,
cek: opened.cek,
priv_x_seed: opened.priv_x_seed,
}));
}
}
}
}
Ok(None)
}
/// FoF Layer 2: inner plaintext encrypted under CEK_comments. Wrapped
/// inside [`crate::types::InlineComment::encrypted_payload`].
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct FoFCommentPayload {
/// User-visible comment body.
pub body: String,
/// Optional reply parent.
#[serde(default)]
pub parent_comment_id: Option<[u8; 32]>,
/// HMAC(V_x, post_id || comment_hash)[:16B] — author-side
/// attribution to a specific voucher-chain. Computed by the
/// commenter; not yet enforced in this commit.
#[serde(default)]
pub vouch_mac: Option<[u8; 16]>,
}
/// Build a Mode 2 / Mode 1 FoF comment on a parent post. The post must
/// have `fof_gating = Some`; the caller must already hold a successful
/// `PostUnlock` for it (typically from [`find_unlock_for_post`]).
///
/// Produces an `InlineComment` with empty `content` (the body lives
/// encrypted in `encrypted_payload`) + `pub_x_index` + `group_sig` +
/// `encrypted_payload`. The conventional `signature` field carries the
/// commenter's identity-key signature over the existing payload (so
/// non-FoF nodes can still verify identity without unwrapping the slot).
pub fn build_fof_comment(
parent_post_id: &[u8; 32],
unlock: &PostUnlock,
slot_binder_nonce: &[u8; 32],
commenter_id: &NodeId,
commenter_secret: &[u8; 32],
body: &str,
parent_comment_id: Option<[u8; 32]>,
now_ms: u64,
) -> Result<crate::types::InlineComment> {
use ed25519_dalek::{Signer, SigningKey};
// Encrypt the comment body under CEK_comments derived from the
// post's CEK + slot_binder_nonce.
let cek_comments = crate::crypto::derive_cek_comments(&unlock.cek, slot_binder_nonce);
let payload = FoFCommentPayload {
body: body.to_string(),
parent_comment_id,
vouch_mac: None,
};
let plaintext = serde_json::to_vec(&payload)
.map_err(|e| anyhow::anyhow!("serialize fof comment payload: {}", e))?;
let encrypted = crate::crypto::encrypt_bytes_with_cek(&plaintext, &cek_comments)?;
// Sign (encrypted || post_id || pub_x_index_le) with priv_x.
let priv_x_signer = SigningKey::from_bytes(&unlock.priv_x_seed);
let mut to_sign = Vec::with_capacity(encrypted.len() + 32 + 4);
to_sign.extend_from_slice(&encrypted);
to_sign.extend_from_slice(parent_post_id);
to_sign.extend_from_slice(&unlock.slot_index.to_le_bytes());
let group_sig = priv_x_signer.sign(&to_sign).to_bytes().to_vec();
// Conventional InlineComment.signature: commenter's identity-key
// signature over the existing comment_signature tuple. We use empty
// content here (the body lives in encrypted_payload). Existing
// non-FoF receivers can still verify the identity sig and tombstone
// logic continues to work.
let identity_signature = crate::crypto::sign_comment(
commenter_secret,
commenter_id,
parent_post_id,
"",
now_ms,
None,
);
Ok(crate::types::InlineComment {
author: *commenter_id,
post_id: *parent_post_id,
content: String::new(),
timestamp_ms: now_ms,
signature: identity_signature,
deleted_at: None,
ref_post_id: None,
pub_x_index: Some(unlock.slot_index),
group_sig: Some(group_sig),
encrypted_payload: Some(encrypted),
})
}
/// Verify the `group_sig` on an incoming FoF comment against the post's
/// `pub_post_set`. Used by the CDN four-check accept rule (next slice).
/// Returns `true` iff the comment carries a valid Ed25519 signature
/// under `pub_post_set[pub_x_index]` over
/// (encrypted_payload || post_id || pub_x_index_le).
pub fn verify_fof_group_sig(
comment: &crate::types::InlineComment,
gating: &FoFCommentGating,
) -> bool {
use ed25519_dalek::{Signature, Verifier, VerifyingKey};
let Some(pub_x_index) = comment.pub_x_index else { return false; };
let Some(group_sig) = comment.group_sig.as_ref() else { return false; };
let Some(encrypted_payload) = comment.encrypted_payload.as_ref() else { return false; };
let idx = pub_x_index as usize;
if idx >= gating.pub_post_set.len() { return false; }
if group_sig.len() != 64 { return false; }
let pub_x = &gating.pub_post_set[idx];
let Ok(verifying_key) = VerifyingKey::from_bytes(pub_x) else { return false; };
let sig_bytes: [u8; 64] = match group_sig.as_slice().try_into() {
Ok(b) => b, Err(_) => return false,
};
let sig = Signature::from_bytes(&sig_bytes);
let mut to_verify = Vec::with_capacity(encrypted_payload.len() + 32 + 4);
to_verify.extend_from_slice(encrypted_payload);
to_verify.extend_from_slice(&comment.post_id);
to_verify.extend_from_slice(&pub_x_index.to_le_bytes());
verifying_key.verify(&to_verify, &sig).is_ok()
}
/// Decrypt the `encrypted_payload` of an FoF comment back to its
/// plaintext body / vouch_mac / parent_comment_id, using the CEK
/// recovered via [`find_unlock_for_post`].
pub fn decrypt_fof_comment_payload(
comment: &crate::types::InlineComment,
cek: &[u8; 32],
slot_binder_nonce: &[u8; 32],
) -> Result<FoFCommentPayload> {
let encrypted = comment.encrypted_payload.as_ref()
.ok_or_else(|| anyhow::anyhow!("comment has no encrypted_payload"))?;
let cek_comments = crate::crypto::derive_cek_comments(cek, slot_binder_nonce);
let plaintext = crate::crypto::decrypt_bytes_with_cek(encrypted, &cek_comments)?;
serde_json::from_slice(&plaintext)
.map_err(|e| anyhow::anyhow!("deserialize fof comment payload: {}", e))
}
// --- Mode 1 (FoFClosed) body encryption ---
//
// Mode 1 reuses Layer 2's wrap_slots and CEK. The only addition is
// that the post body is itself encrypted under that CEK before
// publish; readers who can unlock a slot (recovering CEK) decrypt the
// body too. Non-FoF readers see only the ciphertext; they can still
// store + propagate the post as a CDN host without decrypting.
/// FoF Layer 3: encrypt a post body under the gating CEK, padded to a
/// bucket per the spec. Output is `body_bucket_padding_nonce(12) ||
/// real_len_u32_le || ciphertext_with_tag(body+pad+16)` so the reader
/// can recover the original byte length after decryption.
pub fn encrypt_fof_body(
body: &str,
cek: &[u8; 32],
slot_binder_nonce: &[u8; 32],
) -> Result<Vec<u8>> {
use chacha20poly1305::{aead::{Aead, KeyInit}, ChaCha20Poly1305, Nonce};
use rand::RngCore;
let real = body.as_bytes();
// Pre-tag size we want to encrypt = 4-byte length prefix + body + padding.
let prefixed_len = 4 + real.len();
let bucket = next_body_size_bucket(prefixed_len);
let mut plaintext = Vec::with_capacity(bucket);
plaintext.extend_from_slice(&(real.len() as u32).to_le_bytes());
plaintext.extend_from_slice(real);
// Pad with random bytes (NOT zeros — zeros would be a small
// distinguisher under known-plaintext but doesn't matter under
// AEAD; random is defense-in-depth.)
let mut pad = vec![0u8; bucket.saturating_sub(plaintext.len())];
rand::rng().fill_bytes(&mut pad);
plaintext.extend_from_slice(&pad);
// Derive a per-body nonce-context key so we don't reuse the slot
// AEAD nonces. blake3-derive over (cek, slot_binder_nonce) gives
// us a stable seed; we then prepend a fresh random 12B nonce.
let cipher = ChaCha20Poly1305::new_from_slice(cek)
.map_err(|e| anyhow::anyhow!("body cipher init: {}", e))?;
let mut nonce_bytes = [0u8; 12];
rand::rng().fill_bytes(&mut nonce_bytes);
// AAD = slot_binder_nonce. Binds body decrypt to the post's gating
// (an attacker who steals the body ciphertext + CEK can't decrypt
// against a different post's wrap slots).
let ciphertext = cipher
.encrypt(
Nonce::from_slice(&nonce_bytes),
chacha20poly1305::aead::Payload {
msg: &plaintext,
aad: slot_binder_nonce,
},
)
.map_err(|e| anyhow::anyhow!("body encrypt: {}", e))?;
let mut out = Vec::with_capacity(12 + ciphertext.len());
out.extend_from_slice(&nonce_bytes);
out.extend_from_slice(&ciphertext);
Ok(out)
}
/// FoF Layer 3: decrypt a body sealed by [`encrypt_fof_body`]. Returns
/// the original `String` body (padding stripped via the 4-byte length
/// prefix).
pub fn decrypt_fof_body(
encrypted: &[u8],
cek: &[u8; 32],
slot_binder_nonce: &[u8; 32],
) -> Result<String> {
use chacha20poly1305::{aead::{Aead, KeyInit}, ChaCha20Poly1305, Nonce};
if encrypted.len() < 12 + 16 {
anyhow::bail!("encrypted body too short");
}
let nonce = Nonce::from_slice(&encrypted[..12]);
let cipher = ChaCha20Poly1305::new_from_slice(cek)
.map_err(|e| anyhow::anyhow!("body cipher init: {}", e))?;
let plaintext = cipher
.decrypt(
nonce,
chacha20poly1305::aead::Payload {
msg: &encrypted[12..],
aad: slot_binder_nonce,
},
)
.map_err(|e| anyhow::anyhow!("body decrypt: {}", e))?;
if plaintext.len() < 4 {
anyhow::bail!("body plaintext missing length prefix");
}
let real_len = u32::from_le_bytes(plaintext[..4].try_into().unwrap()) as usize;
if 4 + real_len > plaintext.len() {
anyhow::bail!("body length prefix overruns plaintext");
}
let body_bytes = &plaintext[4..4 + real_len];
String::from_utf8(body_bytes.to_vec())
.map_err(|e| anyhow::anyhow!("body not valid UTF-8: {}", e))
}
/// FoF Layer 3 body-size bucket rule.
/// Power-of-2 from a minimum of 1 KiB up to 256 KiB, then linear
/// +256 KiB steps above. Hides body length within meaningful brackets.
pub(crate) fn next_body_size_bucket(real: usize) -> usize {
const MIN_BUCKET: usize = 1024;
const POW2_CEIL: usize = 256 * 1024;
const LINEAR_STEP: usize = 256 * 1024;
if real <= MIN_BUCKET { return MIN_BUCKET; }
if real <= POW2_CEIL {
let mut b = MIN_BUCKET;
while b < real { b *= 2; }
return b;
}
// 256K, 512K, 768K, ...
let above = real - POW2_CEIL;
let steps = (above + LINEAR_STEP - 1) / LINEAR_STEP;
POW2_CEIL + steps * LINEAR_STEP
}
// --- Revocation: sign + verify + apply ---
/// Bytes covered by a `BlobHeaderDiffOp::FoFRevocation.author_sig`.
/// Constructed identically on both ends so the verify is deterministic.
fn fof_revocation_signing_bytes(
post_id: &[u8; 32],
revoked_pub_x: &[u8; 32],
revoked_at_ms: u64,
reason_code: u8,
) -> [u8; 32 + 32 + 8 + 1] {
let mut out = [0u8; 32 + 32 + 8 + 1];
out[..32].copy_from_slice(post_id);
out[32..64].copy_from_slice(revoked_pub_x);
out[64..72].copy_from_slice(&revoked_at_ms.to_le_bytes());
out[72] = reason_code;
out
}
/// Author-side: sign a revocation entry with the post author's
/// identity secret. Returns the 64-byte Ed25519 signature.
pub fn sign_fof_revocation(
author_secret: &[u8; 32],
post_id: &[u8; 32],
revoked_pub_x: &[u8; 32],
revoked_at_ms: u64,
reason_code: u8,
) -> Vec<u8> {
use ed25519_dalek::{Signer, SigningKey};
let signing_key = SigningKey::from_bytes(author_secret);
let bytes = fof_revocation_signing_bytes(post_id, revoked_pub_x, revoked_at_ms, reason_code);
signing_key.sign(&bytes).to_bytes().to_vec()
}
/// CDN-side: verify a revocation entry's author_sig against the post
/// author's public key. Returns `false` on any shape/key/signature
/// failure.
pub fn verify_fof_revocation(
post_author: &NodeId,
post_id: &[u8; 32],
revoked_pub_x: &[u8; 32],
revoked_at_ms: u64,
reason_code: u8,
author_sig: &[u8],
) -> bool {
use ed25519_dalek::{Signature, Verifier, VerifyingKey};
if author_sig.len() != 64 { return false; }
let sig_bytes: [u8; 64] = match author_sig.try_into() {
Ok(b) => b, Err(_) => return false,
};
let sig = Signature::from_bytes(&sig_bytes);
let Ok(verifying_key) = VerifyingKey::from_bytes(post_author) else { return false; };
let bytes = fof_revocation_signing_bytes(post_id, revoked_pub_x, revoked_at_ms, reason_code);
verifying_key.verify(&bytes, &sig).is_ok()
}
// --- Access-grant: sign + verify + apply ---
/// Bytes covered by a `BlobHeaderDiffOp::FoFAccessGrant.author_sig`.
/// Wrap-slot is canonicalized by serializing its three fields in order:
/// prefilter_tag || read_ciphertext || sign_ciphertext.
fn fof_access_grant_signing_bytes(
post_id: &[u8; 32],
new_pub_x: &[u8; 32],
new_wrap_slot: &crate::types::WrapSlot,
granted_at_ms: u64,
) -> Vec<u8> {
let mut out = Vec::with_capacity(32 + 32 + 2 + 48 + 48 + 8);
out.extend_from_slice(post_id);
out.extend_from_slice(new_pub_x);
out.extend_from_slice(&new_wrap_slot.prefilter_tag);
out.extend_from_slice(&new_wrap_slot.read_ciphertext);
out.extend_from_slice(&new_wrap_slot.sign_ciphertext);
out.extend_from_slice(&granted_at_ms.to_le_bytes());
out
}
/// Author-side: sign an access-grant entry.
pub fn sign_fof_access_grant(
author_secret: &[u8; 32],
post_id: &[u8; 32],
new_pub_x: &[u8; 32],
new_wrap_slot: &crate::types::WrapSlot,
granted_at_ms: u64,
) -> Vec<u8> {
use ed25519_dalek::{Signer, SigningKey};
let signing_key = SigningKey::from_bytes(author_secret);
let bytes = fof_access_grant_signing_bytes(post_id, new_pub_x, new_wrap_slot, granted_at_ms);
signing_key.sign(&bytes).to_bytes().to_vec()
}
/// CDN-side: verify an access-grant entry's author_sig.
pub fn verify_fof_access_grant(
post_author: &NodeId,
post_id: &[u8; 32],
new_pub_x: &[u8; 32],
new_wrap_slot: &crate::types::WrapSlot,
granted_at_ms: u64,
author_sig: &[u8],
) -> bool {
use ed25519_dalek::{Signature, Verifier, VerifyingKey};
if author_sig.len() != 64 { return false; }
let sig_bytes: [u8; 64] = match author_sig.try_into() {
Ok(b) => b, Err(_) => return false,
};
let sig = Signature::from_bytes(&sig_bytes);
let Ok(verifying_key) = VerifyingKey::from_bytes(post_author) else { return false; };
let bytes = fof_access_grant_signing_bytes(post_id, new_pub_x, new_wrap_slot, granted_at_ms);
verifying_key.verify(&bytes, &sig).is_ok()
}
/// Apply a verified access-grant to local storage. Appends the new
/// (pub_x, wrap_slot) at the tail of the stored post's fof_gating.
/// Idempotent on `(post_id, new_pub_x)`. Must only be called after
/// `verify_fof_access_grant` returns true.
///
/// Refuses to apply if `new_pub_x` is already in the post's
/// revocation_list (prevents accidental re-admission of a previously-
/// revoked signer; spec-resolved).
pub fn apply_fof_access_grant_locally(
storage: &Storage,
post_id: &[u8; 32],
new_pub_x: &[u8; 32],
new_wrap_slot: &crate::types::WrapSlot,
) -> Result<bool> {
if storage.is_fof_pub_x_revoked(post_id, new_pub_x)? {
return Ok(false);
}
let appended = storage.append_fof_access_grant(post_id, new_pub_x, new_wrap_slot)?;
Ok(appended)
}
/// Apply a verified revocation to local storage + cascade delete
/// already-stored comments. Idempotent on `(post_id, revoked_pub_x)`.
/// Returns the count of comments deleted.
///
/// Must only be called after `verify_fof_revocation` returns true.
/// The caller (CDN receive path) is responsible for that gate.
pub fn apply_fof_revocation_locally(
storage: &Storage,
post_id: &[u8; 32],
revoked_pub_x: &[u8; 32],
revoked_at_ms: u64,
reason_code: u8,
author_sig: &[u8],
) -> Result<usize> {
storage.add_fof_revocation(post_id, revoked_pub_x, revoked_at_ms, reason_code, author_sig)?;
// Resolve pub_x -> pub_x_index via the post's pub_post_set, then
// cascade-delete locally-stored comments matching that index.
let Some(post) = storage.get_post(post_id)? else { return Ok(0); };
let Some(gating) = post.fof_gating.as_ref() else { return Ok(0); };
let mut deleted = 0;
for (idx, pub_x) in gating.pub_post_set.iter().enumerate() {
if pub_x == revoked_pub_x {
deleted += storage.delete_fof_comments_by_pub_x_index(post_id, idx as u32)?;
}
}
Ok(deleted)
}
#[cfg(test)]
mod tests {
use super::*;
use crate::storage::Storage;
use crate::crypto::{ed25519_seed_to_x25519_private, open_wrap_slot};
use ed25519_dalek::SigningKey;
use rand::RngCore;
fn temp_storage() -> Storage {
Storage::open(":memory:").unwrap()
}
fn make_persona(seed_byte: u8) -> (NodeId, [u8; 32]) {
let mut seed = [0u8; 32];
seed[0] = seed_byte;
let signing_key = SigningKey::from_bytes(&seed);
(*signing_key.verifying_key().as_bytes(), seed)
}
/// Author has a V_me + one received V_x → build_fof_comment_gating
/// produces a real-slot-count of 2 (own + received), padded to
/// bucket 8.
#[test]
fn build_gating_realcount_and_padding() {
let s = temp_storage();
let (alice_id, _alice_seed) = make_persona(1);
let (bob_id, _bob_seed) = make_persona(2);
// Alice has her own V_me
let mut v_me_alice = [0u8; 32];
rand::rng().fill_bytes(&mut v_me_alice);
s.insert_own_vouch_key(&alice_id, 1, &v_me_alice, 1000).unwrap();
// Alice received a V_x from Bob
let mut v_x_bob = [0u8; 32];
rand::rng().fill_bytes(&mut v_x_bob);
s.insert_received_vouch_key(&alice_id, &bob_id, 1, &v_x_bob, 2000, None).unwrap();
let built = build_fof_comment_gating(&s, &alice_id).unwrap().expect("gating built");
// Real count = 2 (own + Bob). Bucket = 8 (minimum floor).
assert_eq!(built.gating.pub_post_set.len(), 8);
assert_eq!(built.gating.wrap_slots.len(), 8);
assert_eq!(built.gating.revocation_list.len(), 0);
// Every slot is exactly 48+48 bytes; prefilter is 2 bytes.
for slot in &built.gating.wrap_slots {
assert_eq!(slot.read_ciphertext.len(), 48);
assert_eq!(slot.sign_ciphertext.len(), 48);
}
// Alice can find HER OWN slot by trial-unwrap with her V_me.
let mut own_hit = None;
for (idx, slot) in built.gating.wrap_slots.iter().enumerate() {
if let Some(opened) = open_wrap_slot(
&v_me_alice, &built.slot_binder_nonce,
&slot.read_ciphertext, &slot.sign_ciphertext,
) {
assert_eq!(opened.cek, built.cek);
own_hit = Some((idx, opened));
break;
}
}
let (own_idx, opened) = own_hit.expect("author's own V_me must unlock one slot");
// The pub_x in pub_post_set at the same index must match the
// ed25519 pubkey derived from the unwrapped priv_x seed.
let signing_key = SigningKey::from_bytes(&opened.priv_x_seed);
let derived_pub_x = signing_key.verifying_key().to_bytes();
assert_eq!(built.gating.pub_post_set[own_idx], derived_pub_x);
// A holder of V_x_bob can also unlock exactly one slot (Bob's
// chain to Alice's post).
let mut bob_hit = None;
for (idx, slot) in built.gating.wrap_slots.iter().enumerate() {
if let Some(opened) = open_wrap_slot(
&v_x_bob, &built.slot_binder_nonce,
&slot.read_ciphertext, &slot.sign_ciphertext,
) {
bob_hit = Some((idx, opened));
break;
}
}
let (bob_idx, bob_opened) = bob_hit.expect("Bob's V_x must unlock one slot");
assert_ne!(bob_idx, own_idx, "different V_x's must hit different slots");
assert_eq!(bob_opened.cek, built.cek, "same CEK across all real slots");
}
#[test]
fn build_gating_returns_none_without_vme() {
let s = temp_storage();
let (alice_id, _) = make_persona(5);
// No V_me inserted.
let built = build_fof_comment_gating(&s, &alice_id).unwrap();
assert!(built.is_none(), "no V_me → no gating block");
}
#[test]
fn build_gating_deduplicates_repeated_v_x() {
let s = temp_storage();
let (alice_id, _) = make_persona(7);
let (bob_id, _) = make_persona(8);
let (carol_id, _) = make_persona(9);
let mut v_me_alice = [0u8; 32];
rand::rng().fill_bytes(&mut v_me_alice);
s.insert_own_vouch_key(&alice_id, 1, &v_me_alice, 1000).unwrap();
// Two different vouchers happened to issue the SAME key bytes
// (contrived but tests dedup). Real probability is 2^-256;
// here we force it for the test.
let same_key = [0xCC; 32];
s.insert_received_vouch_key(&alice_id, &bob_id, 1, &same_key, 2000, None).unwrap();
s.insert_received_vouch_key(&alice_id, &carol_id, 1, &same_key, 3000, None).unwrap();
let built = build_fof_comment_gating(&s, &alice_id).unwrap().expect("built");
// Unique-key count = 2 (V_me_alice + same_key). Bucket = 8.
// We can't assert real count directly without exposing internals,
// but we can confirm exactly two distinct successful unwraps:
let mut alice_hits = 0;
let mut same_key_hits = 0;
for slot in &built.gating.wrap_slots {
if open_wrap_slot(&v_me_alice, &built.slot_binder_nonce,
&slot.read_ciphertext, &slot.sign_ciphertext).is_some() {
alice_hits += 1;
}
if open_wrap_slot(&same_key, &built.slot_binder_nonce,
&slot.read_ciphertext, &slot.sign_ciphertext).is_some() {
same_key_hits += 1;
}
}
assert_eq!(alice_hits, 1, "exactly one slot for V_me_alice");
assert_eq!(same_key_hits, 1, "exactly one slot for the duplicated key (dedup'd)");
}
// Silences the unused-import warning when the X25519 derivation is
// only exercised in future slices.
#[test]
fn x25519_derivation_helper_compiles() {
let mut seed = [0u8; 32];
rand::rng().fill_bytes(&mut seed);
let _ = ed25519_seed_to_x25519_private(&seed);
}
/// End-to-end FoF comment roundtrip:
/// 1. Alice authors a Mode 2 FoF post (her keyring: own V_me + Bob's V_x).
/// 2. A "receiver device" (Bob's) holds Bob's V_x. It finds the unlock.
/// 3. Bob authors a comment on Alice's post.
/// 4. The comment's group_sig verifies against the post's pub_post_set.
/// 5. Alice (using her cached cek) decrypts Bob's comment plaintext.
#[test]
fn fof_comment_authoring_roundtrip() {
use crate::types::PostingIdentity;
use ed25519_dalek::SigningKey;
// Alice's device: has her V_me and Bob's V_x (received from Bob).
let alice_storage = temp_storage();
let (alice_id, alice_seed) = make_persona(1);
alice_storage.upsert_posting_identity(&PostingIdentity {
node_id: alice_id, secret_seed: alice_seed,
display_name: "Alice".into(), created_at: 1000,
}).unwrap();
let mut v_me_alice = [0u8; 32];
rand::rng().fill_bytes(&mut v_me_alice);
alice_storage.insert_own_vouch_key(&alice_id, 1, &v_me_alice, 1000).unwrap();
let (bob_id, _) = make_persona(2);
let mut v_x_bob = [0u8; 32];
rand::rng().fill_bytes(&mut v_x_bob);
alice_storage.insert_received_vouch_key(&alice_id, &bob_id, 1, &v_x_bob, 2000, None).unwrap();
// Alice publishes the gating block.
let built = build_fof_comment_gating(&alice_storage, &alice_id).unwrap().expect("built");
let parent_post_id = [0xCC; 32];
// Bob's device: has his V_me (which is v_x_bob since he handed it out).
let bob_storage = temp_storage();
let (bob_id_, bob_seed) = make_persona(2);
assert_eq!(bob_id, bob_id_);
bob_storage.upsert_posting_identity(&PostingIdentity {
node_id: bob_id, secret_seed: bob_seed,
display_name: "Bob".into(), created_at: 1500,
}).unwrap();
bob_storage.insert_own_vouch_key(&bob_id, 1, &v_x_bob, 1500).unwrap();
// Wrap Alice's published gating into a Post struct as it would
// appear on the wire.
let post = crate::types::Post {
author: alice_id,
content: "alice's public post".into(),
attachments: vec![],
timestamp_ms: 3000,
fof_gating: Some(built.gating.clone()),
};
// Bob's device unlocks the post via his V_me (= v_x_bob).
let unlock = find_unlock_for_post(&bob_storage, &post).unwrap()
.expect("Bob's persona must unlock the post");
assert_eq!(unlock.persona_id, bob_id);
assert_eq!(unlock.cek, built.cek, "Bob recovers Alice's CEK");
// Bob authors a comment.
let comment = build_fof_comment(
&parent_post_id,
&unlock,
&built.slot_binder_nonce,
&bob_id,
&bob_seed,
"great post alice",
None,
4000,
).unwrap();
assert!(comment.content.is_empty(), "FoF comment body is encrypted, not in content");
assert!(comment.pub_x_index.is_some());
assert!(comment.group_sig.is_some());
assert!(comment.encrypted_payload.is_some());
// CDN-level verification: group_sig validates against pub_post_set.
assert!(verify_fof_group_sig(&comment, &built.gating),
"valid FoF comment must pass CDN four-check (group_sig leg)");
// Tamper detection: flip a byte in encrypted_payload and re-verify.
let mut tampered = comment.clone();
let mut payload = tampered.encrypted_payload.clone().unwrap();
payload[0] ^= 0x01;
tampered.encrypted_payload = Some(payload);
assert!(!verify_fof_group_sig(&tampered, &built.gating),
"tampered encrypted_payload must invalidate group_sig");
// Tamper detection: claim a different pub_x_index.
let mut wrong_idx = comment.clone();
let bad_idx = (comment.pub_x_index.unwrap() + 1) % (built.gating.pub_post_set.len() as u32);
wrong_idx.pub_x_index = Some(bad_idx);
assert!(!verify_fof_group_sig(&wrong_idx, &built.gating),
"wrong pub_x_index must invalidate group_sig");
// Alice (using her cached CEK) decrypts Bob's comment payload.
let plaintext = decrypt_fof_comment_payload(&comment, &built.cek, &built.slot_binder_nonce)
.expect("Alice decrypts FoF comment");
assert_eq!(plaintext.body, "great post alice");
let _signing_key = SigningKey::from_bytes(&unlock.priv_x_seed); // exercise the import
}
/// Revocation roundtrip: author publishes a Mode 2 FoF post, Bob
/// comments, author signs a revocation, apply_fof_revocation_locally
/// records it + cascade-deletes Bob's comment.
#[test]
fn fof_revocation_cascades() {
use crate::types::PostingIdentity;
let s = temp_storage();
let (alice_id, alice_seed) = make_persona(33);
s.upsert_posting_identity(&PostingIdentity {
node_id: alice_id, secret_seed: alice_seed,
display_name: "Alice".into(), created_at: 1000,
}).unwrap();
let mut v_me_alice = [0u8; 32];
rand::rng().fill_bytes(&mut v_me_alice);
s.insert_own_vouch_key(&alice_id, 1, &v_me_alice, 1000).unwrap();
let (bob_id, bob_seed) = make_persona(44);
let mut v_x_bob = [0u8; 32];
rand::rng().fill_bytes(&mut v_x_bob);
s.insert_received_vouch_key(&alice_id, &bob_id, 1, &v_x_bob, 2000, None).unwrap();
let built = build_fof_comment_gating(&s, &alice_id).unwrap().expect("built");
let post_id = [0xDE; 32];
// Persist the post so apply_fof_revocation_locally can resolve
// pub_x → pub_x_index via the post's pub_post_set.
let post = crate::types::Post {
author: alice_id, content: "alice".into(), attachments: vec![],
timestamp_ms: 3000, fof_gating: Some(built.gating.clone()),
};
s.store_post_with_intent(
&post_id, &post,
&crate::types::PostVisibility::Public,
&crate::types::VisibilityIntent::Public,
).unwrap();
// Bob unlocks via his V_x and authors a comment. Persist it
// through the public store_comment path so the cascade-delete
// has something to clean up.
let bob_unlock = PostUnlock {
persona_id: bob_id,
slot_index: built.gating.pub_post_set.iter().position(|p| {
// Find a slot Bob's V_x unlocks.
let opened = crate::crypto::open_wrap_slot(
&v_x_bob, &built.slot_binder_nonce,
&built.gating.wrap_slots[built.gating.pub_post_set.iter().position(|x| x == p).unwrap()].read_ciphertext,
&built.gating.wrap_slots[built.gating.pub_post_set.iter().position(|x| x == p).unwrap()].sign_ciphertext,
);
opened.is_some()
}).expect("Bob's slot exists") as u32,
cek: built.cek,
priv_x_seed: {
// Re-derive by re-unwrapping.
let mut seed = [0u8; 32];
for slot in &built.gating.wrap_slots {
if let Some(o) = crate::crypto::open_wrap_slot(
&v_x_bob, &built.slot_binder_nonce,
&slot.read_ciphertext, &slot.sign_ciphertext,
) { seed = o.priv_x_seed; break; }
}
seed
},
};
let comment = build_fof_comment(
&post_id, &bob_unlock, &built.slot_binder_nonce,
&bob_id, &bob_seed, "hello", None, 4000,
).unwrap();
s.store_comment(&comment).unwrap();
assert_eq!(s.get_comments(&post_id).unwrap().len(), 1, "Bob's comment stored");
// Resolve Bob's pub_x bytes from the gating's pub_post_set.
let bob_pub_x = built.gating.pub_post_set[bob_unlock.slot_index as usize];
// Author signs + applies revocation.
let revoked_at = 5000;
let sig = sign_fof_revocation(&alice_seed, &post_id, &bob_pub_x, revoked_at, 0);
assert!(verify_fof_revocation(&alice_id, &post_id, &bob_pub_x, revoked_at, 0, &sig));
let deleted = apply_fof_revocation_locally(
&s, &post_id, &bob_pub_x, revoked_at, 0, &sig,
).unwrap();
assert_eq!(deleted, 1, "Bob's comment retroactively deleted");
assert!(s.get_comments(&post_id).unwrap().is_empty(),
"no live comments remain on the post");
// Verify revocation is recorded for future CDN-verify lookups.
assert!(s.is_fof_pub_x_revoked(&post_id, &bob_pub_x).unwrap());
// Idempotent: re-apply is a no-op (returns 0 because comment already gone).
let re_deleted = apply_fof_revocation_locally(
&s, &post_id, &bob_pub_x, revoked_at, 0, &sig,
).unwrap();
assert_eq!(re_deleted, 0);
}
/// Access-grant roundtrip: Alice publishes a Mode 2 FoF post, then
/// later vouches for Carol. Alice signs an access-grant adding
/// Carol's V_x to the post. apply_fof_access_grant_locally appends
/// the new slot; Carol's device can now unlock the post.
#[test]
fn fof_access_grant_appends_and_unlocks() {
use crate::types::PostingIdentity;
let s = temp_storage();
let (alice_id, alice_seed) = make_persona(60);
s.upsert_posting_identity(&PostingIdentity {
node_id: alice_id, secret_seed: alice_seed,
display_name: "Alice".into(), created_at: 1000,
}).unwrap();
let mut v_me_alice = [0u8; 32];
rand::rng().fill_bytes(&mut v_me_alice);
s.insert_own_vouch_key(&alice_id, 1, &v_me_alice, 1000).unwrap();
// Initial gating: Alice only.
let built = build_fof_comment_gating(&s, &alice_id).unwrap().expect("built");
let post_id = [0xBC; 32];
let post = crate::types::Post {
author: alice_id, content: "alice".into(), attachments: vec![],
timestamp_ms: 3000, fof_gating: Some(built.gating.clone()),
};
s.store_post_with_intent(
&post_id, &post,
&crate::types::PostVisibility::Public,
&crate::types::VisibilityIntent::Public,
).unwrap();
// Carol's V_x (Carol vouches for herself or is granted access).
let mut v_x_carol = [0u8; 32];
rand::rng().fill_bytes(&mut v_x_carol);
// Pre-grant: Carol can NOT unlock the post via her V_x.
let pre_post = s.get_post(&post_id).unwrap().unwrap();
let pre_unlock = pre_post.fof_gating.as_ref()
.map(|g| g.wrap_slots.iter().any(|slot| {
crate::crypto::open_wrap_slot(
&v_x_carol, &g.slot_binder_nonce,
&slot.read_ciphertext, &slot.sign_ciphertext,
).is_some()
}))
.unwrap_or(false);
assert!(!pre_unlock, "Carol cannot unlock pre-grant");
// Alice authors an access-grant: seal a new slot under Carol's V_x.
let mut new_priv_x_seed = [0u8; 32];
rand::rng().fill_bytes(&mut new_priv_x_seed);
let new_pub_x = SigningKey::from_bytes(&new_priv_x_seed)
.verifying_key().to_bytes();
let sealed = crate::crypto::seal_wrap_slot(
&v_x_carol, &built.slot_binder_nonce, &built.cek, &new_priv_x_seed,
).unwrap();
let new_wrap_slot = crate::types::WrapSlot {
prefilter_tag: sealed.prefilter_tag,
read_ciphertext: sealed.read_ciphertext,
sign_ciphertext: sealed.sign_ciphertext,
};
let granted_at = 5000;
let sig = sign_fof_access_grant(
&alice_seed, &post_id, &new_pub_x, &new_wrap_slot, granted_at,
);
assert!(verify_fof_access_grant(
&alice_id, &post_id, &new_pub_x, &new_wrap_slot, granted_at, &sig,
));
let applied = apply_fof_access_grant_locally(
&s, &post_id, &new_pub_x, &new_wrap_slot,
).unwrap();
assert!(applied, "access-grant appended");
// Post-grant: stored post's gating now includes Carol's slot.
let post = s.get_post(&post_id).unwrap().unwrap();
let g = post.fof_gating.as_ref().unwrap();
let unlocked = g.wrap_slots.iter().any(|slot| {
crate::crypto::open_wrap_slot(
&v_x_carol, &g.slot_binder_nonce,
&slot.read_ciphertext, &slot.sign_ciphertext,
).map(|o| o.cek == built.cek).unwrap_or(false)
});
assert!(unlocked, "Carol can now unlock the post and recover Alice's CEK");
// Idempotent: re-applying the same grant is a no-op.
let again = apply_fof_access_grant_locally(
&s, &post_id, &new_pub_x, &new_wrap_slot,
).unwrap();
assert!(!again, "duplicate grant skipped");
// Revocation blocks re-admission.
s.add_fof_revocation(&post_id, &new_pub_x, 6000, 0, &[0u8; 64]).unwrap();
let blocked = apply_fof_access_grant_locally(
&s, &post_id, &new_pub_x, &new_wrap_slot,
).unwrap();
assert!(!blocked, "revoked pub_x must not be re-granted access");
}
#[test]
fn body_bucket_rule_boundaries() {
// Sub-1KB.
assert_eq!(next_body_size_bucket(0), 1024);
assert_eq!(next_body_size_bucket(1024), 1024);
// Power-of-2 progression sub-256KB.
assert_eq!(next_body_size_bucket(1025), 2048);
assert_eq!(next_body_size_bucket(2048), 2048);
assert_eq!(next_body_size_bucket(100_000), 131_072); // 128KB
assert_eq!(next_body_size_bucket(200_000), 262_144); // 256KB
// Linear +256KB above.
assert_eq!(next_body_size_bucket(262_145), 524_288); // 512KB
assert_eq!(next_body_size_bucket(500_000), 524_288);
assert_eq!(next_body_size_bucket(524_289), 786_432); // 768KB
}
#[test]
fn fof_body_roundtrip() {
let cek = [0x55; 32];
let slot_binder_nonce = [0xCC; 32];
let body = "Hello, this is a Mode 1 FoFClosed body that nobody outside the FoF set should be able to read on the wire.";
let encrypted = encrypt_fof_body(body, &cek, &slot_binder_nonce).unwrap();
// Encryption pads to bucket: small body → 1KB ciphertext-ish.
assert!(encrypted.len() >= 1024, "body padded to >= 1KB bucket");
let decrypted = decrypt_fof_body(&encrypted, &cek, &slot_binder_nonce).unwrap();
assert_eq!(decrypted, body);
// Wrong CEK fails AEAD.
let wrong_cek = [0x11; 32];
assert!(decrypt_fof_body(&encrypted, &wrong_cek, &slot_binder_nonce).is_err());
// Wrong AAD (slot_binder_nonce) fails too.
let wrong_nonce = [0xFF; 32];
assert!(decrypt_fof_body(&encrypted, &cek, &wrong_nonce).is_err());
}
/// End-to-end FoFClosed roundtrip at the helper level: Alice
/// encrypts a body; Bob (with Alice's V_me as a received V_x)
/// trial-unlocks the gating + decrypts the body. Carol (no
/// matching V_x) cannot unlock and the body stays opaque.
#[test]
fn fof_closed_body_end_to_end() {
use crate::types::PostingIdentity;
let s = temp_storage();
// Alice has V_me; she'll author a FoFClosed post.
let (alice_id, alice_seed) = make_persona(70);
s.upsert_posting_identity(&PostingIdentity {
node_id: alice_id, secret_seed: alice_seed,
display_name: "Alice".into(), created_at: 1000,
}).unwrap();
let mut v_me_alice = [0u8; 32];
rand::rng().fill_bytes(&mut v_me_alice);
s.insert_own_vouch_key(&alice_id, 1, &v_me_alice, 1000).unwrap();
// Alice received Bob's V_x — so the gating includes Bob's slot.
let (bob_id, _bob_seed) = make_persona(71);
let mut v_x_bob = [0u8; 32];
rand::rng().fill_bytes(&mut v_x_bob);
s.insert_received_vouch_key(&alice_id, &bob_id, 1, &v_x_bob, 2000, None).unwrap();
let built = build_fof_comment_gating(&s, &alice_id).unwrap().expect("built");
let body_plaintext = "secret to the FoF set only";
let body_ct = encrypt_fof_body(body_plaintext, &built.cek, &built.slot_binder_nonce).unwrap();
// Bob's device (with his V_me == v_x_bob) sees the gating block
// and trial-unlocks via his V_me.
let bob_storage = temp_storage();
bob_storage.upsert_posting_identity(&PostingIdentity {
node_id: bob_id, secret_seed: _bob_seed,
display_name: "Bob".into(), created_at: 1500,
}).unwrap();
bob_storage.insert_own_vouch_key(&bob_id, 1, &v_x_bob, 1500).unwrap();
let alice_post = crate::types::Post {
author: alice_id, content: String::new(), attachments: vec![],
timestamp_ms: 3000, fof_gating: Some(built.gating.clone()),
};
let bob_unlock = find_unlock_for_post(&bob_storage, &alice_post).unwrap()
.expect("Bob can unlock");
let bob_decrypted = decrypt_fof_body(&body_ct, &bob_unlock.cek, &built.slot_binder_nonce).unwrap();
assert_eq!(bob_decrypted, body_plaintext);
// Carol has no matching V_x — cannot unlock.
let carol_storage = temp_storage();
let (carol_id, carol_seed) = make_persona(72);
carol_storage.upsert_posting_identity(&PostingIdentity {
node_id: carol_id, secret_seed: carol_seed,
display_name: "Carol".into(), created_at: 1500,
}).unwrap();
let mut v_me_carol = [0u8; 32];
rand::rng().fill_bytes(&mut v_me_carol);
carol_storage.insert_own_vouch_key(&carol_id, 1, &v_me_carol, 1500).unwrap();
let carol_unlock = find_unlock_for_post(&carol_storage, &alice_post).unwrap();
assert!(carol_unlock.is_none(),
"Carol has no matching V_x and cannot unlock the FoFClosed gating");
}
#[test]
fn fof_body_padding_hides_real_length() {
let cek = [0x55; 32];
let nonce = [0xCC; 32];
// A 5-byte body and a 500-byte body should both produce the
// same on-wire size (1KB bucket).
let small = encrypt_fof_body("short", &cek, &nonce).unwrap();
let medium = encrypt_fof_body(&"x".repeat(500), &cek, &nonce).unwrap();
assert_eq!(small.len(), medium.len(),
"different bodies in the same bucket produce same-sized ciphertexts");
}
#[test]
fn fof_revocation_wrong_author_rejected() {
let post_id = [0x01; 32];
let revoked_pub_x = [0x02; 32];
let (alice_id, alice_seed) = make_persona(50);
let (mallory_id, mallory_seed) = make_persona(51);
let sig = sign_fof_revocation(&mallory_seed, &post_id, &revoked_pub_x, 1000, 0);
// Mallory signed but claims Alice authored → reject.
assert!(!verify_fof_revocation(&alice_id, &post_id, &revoked_pub_x, 1000, 0, &sig));
// Self-signed → accept.
assert!(verify_fof_revocation(&mallory_id, &post_id, &revoked_pub_x, 1000, 0, &sig));
let _ = alice_seed;
}
}
Reference in a new issue View git blame Copy permalink