aranya_daemon_api/service/quic_sync.rs
1#![allow(clippy::disallowed_macros)] // tarpc uses unreachable
2
3use aranya_crypto::{tls::EncryptedPskSeed, Encap, EncryptionPublicKey};
4use serde::{Deserialize, Serialize};
5
6use crate::{Ikm, CS};
7
/// Length in bytes of the input key material (IKM) for a PSK seed.
// NOTE(review): the seed-mode docs in this file require the IKM to be exactly
// 32 bytes. The `Ikm` type is imported from the crate root and is not visible
// here, so confirm that it is actually sized by this constant.
pub const SEED_IKM_SIZE: usize = 32;
9
/// Configuration for creating a new team with QUIC synchronization.
///
/// The only setting is how the team's PSK seed is obtained; see
/// [`CreateSeedMode`].
#[derive(Debug, Serialize, Deserialize)]
pub struct CreateTeamQuicSyncConfig {
    /// How the PSK seed for the new team is produced.
    // NOTE(review): `CreateSeedMode::IKM` holds raw key material and this
    // struct derives `Debug` and `Serialize`. Whether `Ikm` redacts itself in
    // `Debug` output is not visible in this file; confirm before logging it.
    pub seed_mode: CreateSeedMode,
}
15
/// Configuration for adding members to an existing team with QUIC synchronization.
///
/// The only setting is how the joining side receives the team's PSK seed; see
/// [`AddSeedMode`].
#[derive(Debug, Serialize, Deserialize)]
pub struct AddTeamQuicSyncConfig {
    /// How the existing team's PSK seed is supplied.
    // NOTE(review): `AddSeedMode::IKM` holds raw key material and this struct
    // derives `Debug` and `Serialize`. Whether `Ikm` redacts itself in `Debug`
    // output is not visible in this file; confirm before logging it.
    pub seed_mode: AddSeedMode,
}
21
#[allow(clippy::large_enum_variant)]
#[derive(Clone, Debug, Serialize, Deserialize)]
/// Specifies how the PSK seed is provided when creating a new team.
///
/// Teams share a single PSK seed that is used to derive Pre-Shared Keys (PSKs)
/// for QUIC connections between team members.
///
/// This type will be removed soon since certificates will be used instead of PSKs in the future.
// NOTE(review): variant order is part of the serde encoding for formats that
// are not self-describing, so do not reorder the variants without checking
// the wire format used by the daemon API.
pub enum CreateSeedMode {
    /// Generates a new random seed.
    ///
    /// Used by team owners in the `create_team` API when establishing a new team.
    Generate,

    /// Provides raw input key material to derive a seed.
    ///
    /// The IKM must be exactly 32 bytes. This mode is available in both:
    /// - `create_team`: Allows team owners to specify deterministic seed material
    /// - `add_team`: Allows non-owners to join using pre-shared key material
    // NOTE(review): every PSK is derived from the seed, so caller-supplied IKM
    // should be uniformly random (e.g. CSPRNG output), not a passphrase. How
    // the seed is derived from the IKM is not shown in this file.
    // NOTE(review): this variant carries secret material while the enum
    // derives `Debug` and `Serialize`; confirm `Ikm` redacts its `Debug`
    // output and that serialized values stay on a trusted channel.
    IKM(Ikm),
}
43
impl Default for CreateSeedMode {
    /// Returns [`CreateSeedMode::Generate`], so a caller that does not pick a
    /// mode gets a newly generated random seed rather than caller-supplied IKM.
    fn default() -> Self {
        CreateSeedMode::Generate
    }
}
49
#[allow(clippy::large_enum_variant)]
#[derive(Clone, Debug, Serialize, Deserialize)]
/// Specifies how the PSK seed is provided when joining a team.
///
/// Teams share a single PSK seed that is used to derive Pre-Shared Keys (PSKs)
/// for QUIC connections between team members.
///
/// This type will be removed soon since certificates will be used instead of PSKs in the future.
// NOTE(review): variant order is part of the serde encoding for formats that
// are not self-describing, so do not reorder the variants without checking
// the wire format used by the daemon API.
pub enum AddSeedMode {
    /// Provides raw input key material to derive a seed.
    ///
    /// The IKM must be exactly 32 bytes. This mode is available in both:
    /// - `create_team`: Allows team owners to specify deterministic seed material
    /// - `add_team`: Allows non-owners to join using pre-shared key material
    // NOTE(review): the IKM is the shared secret itself, so it has to reach
    // the joining member over a confidential, authenticated channel that this
    // file does not define. Prefer `Wrapped` when the seed crosses an
    // untrusted path.
    // NOTE(review): the enum derives `Debug` and `Serialize`; confirm `Ikm`
    // redacts its `Debug` output.
    IKM(Ikm),

    /// Provides an encrypted seed for secure distribution.
    ///
    /// Used by non-owners in the `add_team` API to join an existing team.
    /// Seeds are wrapped (encrypted) to prevent plaintext exposure during
    /// the join process.
    Wrapped(WrappedSeed),
}
73
/// An encrypted PSK seed together with the values sent alongside it.
///
/// Carried by [`AddSeedMode::Wrapped`].
// NOTE(review): nothing in this struct shows how `sender_pk` is authenticated.
// Verify that the receiving side checks it against a key it already trusts
// before unwrapping; otherwise any party could supply a seed of its choosing.
// NOTE(review): field order is part of the serde encoding for formats that are
// not self-describing; do not reorder the fields.
#[derive(Debug, Serialize, Deserialize)]
pub struct WrappedSeed {
    /// Presumably the public encryption key of the party that wrapped the
    /// seed. TODO: confirm against the code that builds this struct.
    pub sender_pk: EncryptionPublicKey<CS>,
    /// Encapsulation value of type `Encap<CS>`, presumably the encapsulated
    /// key the recipient needs to decrypt `encrypted_seed`. TODO: confirm.
    pub encap_key: Encap<CS>,
    /// The PSK seed in encrypted form.
    pub encrypted_seed: EncryptedPskSeed<CS>,
}
80
impl Clone for WrappedSeed {
    /// Produces an independent copy of the wrapped seed.
    ///
    /// # Panics
    ///
    /// Panics with "can round trip" if `Encap::from_bytes` rejects the bytes
    /// that `as_bytes` returned for the existing `encap_key`.
    fn clone(&self) -> Self {
        let sender_pk = self.sender_pk.clone();
        // `Encap` is rebuilt from its byte encoding instead of being cloned,
        // presumably because it does not implement `Clone`. TODO: confirm.
        let encap_bytes = self.encap_key.as_bytes();
        let encap_key = Encap::from_bytes(encap_bytes).expect("can round trip");
        let encrypted_seed = self.encrypted_seed.clone();
        Self {
            sender_pk,
            encap_key,
            encrypted_seed,
        }
    }
}