MarketTakers/arbiter
5
0
Fork 0
Code Issues 27 Pull Requests 4 Packages Projects Releases Wiki Activity

feat(server): UserAgent seal/unseal

Browse Source
This commit is contained in:
hdbg
2026-02-15 14:26:48 +01:00
parent a55221573b
commit 281fbcb31d
19 changed files with 1735 additions and 442 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
View File

@@ -1,22 +1,34 @@
create table if not exists aead_encrypted (
id INTEGER not null PRIMARY KEY,
current_nonce integer not null default(1), -- if re-encrypted, this should be incremented
current_nonce blob not null default(1), -- if re-encrypted, this should be incremented
ciphertext blob not null,
tag blob not null,
schema_version integer not null default(1) -- server would need to reencrypt, because this means that we have changed algorithm
schema_version integer not null default(1), -- server would need to reencrypt, because this means that we have changed algorithm
created_at integer not null default(unixepoch ('now'))
) STRICT;
create table if not exists root_key_history (
id INTEGER not null PRIMARY KEY,
-- root key stored as aead encrypted artifact, with only difference that it's decrypted by unseal key (derived from user password)
root_key_encryption_nonce blob not null default(1), -- if re-encrypted, this should be incremented. Used for encrypting root key
data_encryption_nonce blob not null default(1), -- nonce used for encrypting with key itself
ciphertext blob not null,
tag blob not null,
schema_version integer not null default(1), -- server would need to reencrypt, because this means that we have changed algorithm
salt blob not null -- for key deriviation
) STRICT;
-- This is a singleton
create table if not exists arbiter_settings (
id INTEGER not null PRIMARY KEY CHECK (id = 1), -- singleton row, id must be 1
root_key_id integer references aead_encrypted (id) on delete RESTRICT, -- if null, means wasn't bootstrapped yet
root_key_id integer references root_key_history (id) on delete RESTRICT, -- if null, means wasn't bootstrapped yet
cert_key blob not null,
cert blob not null
) STRICT;
create table if not exists useragent_client (
id integer not null primary key,
nonce integer not null default (1), -- used for auth challenge
nonce integer not null default(1), -- used for auth challenge
public_key blob not null,
created_at integer not null default(unixepoch ('now')),
updated_at integer not null default(unixepoch ('now'))
@@ -24,7 +36,7 @@ create table if not exists useragent_client (
create table if not exists program_client (
id integer not null primary key,
nonce integer not null default (1), -- used for auth challenge
nonce integer not null default(1), -- used for auth challenge
public_key blob not null,
created_at integer not null default(unixepoch ('now')),
updated_at integer not null default(unixepoch ('now'))