void_crypto/

identity.rs

//! Identity management for void collaboration.
//!
//! This module provides:
//! - Ed25519 signing keys for authentication
//! - X25519 recipient keys for ECIES encryption
//! - Secp256k1 keys for Nostr transport (optional)
//! - Identity string format for sharing public keys

use ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};
use rand::RngCore;
use x25519_dalek::{PublicKey, StaticSecret};

use crate::ecies::{perform_dh_and_derive, EciesError};
use crate::kdf::{
    NostrSecretKey, RecipientSecretKey, SigningSecretKey,
};
use crate::keys::{
    NostrPubKey, RecipientPubKey, RepoKey, SigningPubKey, WrappedKey,
};
use crate::seed;
use crate::seed::SeedError;
use crate::{decrypt, encrypt, CryptoError, CryptoResult};

/// ECIES encryption overhead: ephemeral_pubkey (32) + nonce (12) + tag (16)
const ECIES_OVERHEAD: usize = 32 + 12 + 16;

/// AAD for ECIES share message encryption
const AAD_ECIES: &[u8] = b"void:ecies:v1";

/// Errors that can occur in identity operations
#[derive(Debug, thiserror::Error)]
pub enum IdentityError {
    #[error("invalid ciphertext length")]
    InvalidCiphertextLength,

    #[error("decryption failed")]
    DecryptionFailed,

    #[error("encryption failed")]
    EncryptionFailed,

    #[error("invalid identity string format")]
    InvalidIdentityString,

    #[error("invalid hex encoding")]
    InvalidHex,

    #[error("invalid shared secret: possible low-order point attack")]
    InvalidSharedSecret,

    #[error("seed derivation failed: {0}")]
    SeedDerivation(#[from] SeedError),
}

/// An identity containing signing, recipient, and optional Nostr keys
///
/// - `signing`: Ed25519 key for creating digital signatures
/// - `recipient`: X25519 key for receiving encrypted messages via ECIES
/// - `nostr`: Optional secp256k1 key for Nostr transport (Phase 2)
pub struct Identity {
    signing: SigningKey,
    recipient: StaticSecret,
    nostr: Option<NostrSecretKey>,
}

impl Identity {
    /// Generate a new random identity (including Nostr key)
    pub fn generate() -> Self {
        let mut signing_bytes = [0u8; 32];
        let mut recipient_bytes = [0u8; 32];
        let mut nostr_bytes = [0u8; 32];

        let mut rng = rand::thread_rng();
        rng.fill_bytes(&mut signing_bytes);
        rng.fill_bytes(&mut recipient_bytes);
        rng.fill_bytes(&mut nostr_bytes);

        Self {
            signing: SigningKey::from_bytes(&signing_bytes),
            recipient: StaticSecret::from(recipient_bytes),
            nostr: Some(NostrSecretKey::from_bytes(nostr_bytes)),
        }
    }

    /// Create from raw key bytes (backward-compatible: no Nostr key)
    pub fn from_bytes(signing: &SigningSecretKey, recipient: &RecipientSecretKey) -> Self {
        Self {
            signing: SigningKey::from_bytes(signing.as_bytes()),
            recipient: StaticSecret::from(*recipient.as_bytes()),
            nostr: None,
        }
    }

    /// Create from raw key bytes including a Nostr key
    pub fn from_bytes_with_nostr(
        signing: &SigningSecretKey,
        recipient: &RecipientSecretKey,
        nostr: NostrSecretKey,
    ) -> Self {
        Self {
            signing: SigningKey::from_bytes(signing.as_bytes()),
            recipient: StaticSecret::from(*recipient.as_bytes()),
            nostr: Some(nostr),
        }
    }

    /// Create an identity from a BIP-39 seed using deterministic key derivation.
    ///
    /// The same seed always produces the same signing, recipient, and Nostr keys,
    /// enabling identity recovery from a mnemonic phrase.
    pub fn from_seed(
        seed: &crate::kdf::IdentitySeed,
    ) -> Result<Self, IdentityError> {
        let signing_secret = seed::derive_signing_key(seed)?;
        let recipient_secret = seed::derive_recipient_key(seed)?;
        let nostr_secret = seed::derive_nostr_key(seed)?;
        Ok(Self::from_bytes_with_nostr(&signing_secret, &recipient_secret, nostr_secret))
    }

    /// Generate a new identity with a BIP-39 mnemonic for recovery.
    ///
    /// Returns the identity and the 24-word mnemonic phrase. The mnemonic
    /// must be stored securely by the user — it's the only way to recover
    /// the identity if the encrypted key files are lost.
    pub fn generate_with_mnemonic() -> Result<(Self, String), IdentityError> {
        let mnemonic = seed::generate_mnemonic();
        let seed_val = seed::mnemonic_to_seed(&mnemonic)?;
        let identity = Self::from_seed(&seed_val)?;
        Ok((identity, mnemonic))
    }

    /// Get the Ed25519 signing public key
    pub fn signing_pubkey(&self) -> SigningPubKey {
        SigningPubKey::from_bytes(self.signing.verifying_key().to_bytes())
    }

    /// Get the X25519 recipient public key
    pub fn recipient_pubkey(&self) -> RecipientPubKey {
        RecipientPubKey::from_bytes(PublicKey::from(&self.recipient).to_bytes())
    }

    /// Get the raw signing key bytes (for storage)
    pub fn signing_key_bytes(&self) -> SigningSecretKey {
        SigningSecretKey::from_bytes(self.signing.to_bytes())
    }

    /// Get the Ed25519 signing key (for signing operations)
    pub fn signing_key(&self) -> &SigningKey {
        &self.signing
    }

    /// Get the raw recipient key bytes (for storage)
    pub fn recipient_key_bytes(&self) -> RecipientSecretKey {
        RecipientSecretKey::from_bytes(self.recipient.to_bytes())
    }

    /// Get the Nostr x-only public key (if present)
    pub fn nostr_pubkey(&self) -> Option<NostrPubKey> {
        self.nostr.as_ref().map(|secret| {
            let sk = secp256k1::SecretKey::from_slice(secret.as_bytes())
                .expect("valid 32-byte key from HKDF");
            let kp = secp256k1::Keypair::from_secret_key(secp256k1::SECP256K1, &sk);
            let (xonly, _parity) = kp.x_only_public_key();
            NostrPubKey::from_bytes(xonly.serialize())
        })
    }

    /// Get the raw Nostr secret key bytes (for storage)
    pub fn nostr_key_bytes(&self) -> Option<NostrSecretKey> {
        self.nostr.clone()
    }

    /// Sign a message with Ed25519
    pub fn sign(&self, message: &[u8]) -> [u8; 64] {
        self.signing.sign(message).to_bytes()
    }

    /// Verify a signature (static method, doesn't need identity)
    pub fn verify(pubkey: &SigningPubKey, message: &[u8], signature: &[u8; 64]) -> bool {
        let Ok(verifying_key) = VerifyingKey::from_bytes(pubkey.as_bytes()) else {
            return false;
        };

        let signature = Signature::from_bytes(signature);
        verifying_key.verify(message, &signature).is_ok()
    }

    /// ECIES encrypt for a recipient (static - anyone can encrypt to a pubkey)
    ///
    /// Format: ephemeral_pubkey (32) || nonce (12) || ciphertext || tag (16)
    ///
    /// Uses X25519 DH + HKDF-SHA256 + AES-256-GCM
    pub fn encrypt_for(
        recipient_pubkey: &RecipientPubKey,
        plaintext: &[u8],
    ) -> Result<Vec<u8>, IdentityError> {
        // Generate ephemeral X25519 keypair
        let mut ephemeral_bytes = [0u8; 32];
        rand::thread_rng().fill_bytes(&mut ephemeral_bytes);
        let ephemeral_x25519 = StaticSecret::from(ephemeral_bytes);
        let ephemeral_secret = RecipientSecretKey::from_bytes(ephemeral_bytes);
        let ephemeral_public = RecipientPubKey::from_bytes(
            PublicKey::from(&ephemeral_x25519).to_bytes(),
        );

        // Perform DH and derive encryption key
        let encryption_key = perform_dh_and_derive(&ephemeral_secret, recipient_pubkey)
            .map_err(|e| match e {
                EciesError::InvalidSharedSecret => IdentityError::InvalidSharedSecret,
                EciesError::KeyDerivationFailed => IdentityError::DecryptionFailed,
            })?;

        // Encrypt with AES-256-GCM using AAD for integrity
        let encrypted = encrypt(encryption_key.as_bytes(), plaintext, AAD_ECIES)
            .map_err(|_| IdentityError::EncryptionFailed)?;

        // Output: ephemeral_pubkey || nonce || ciphertext || tag
        let mut output = Vec::with_capacity(32 + encrypted.len());
        output.extend_from_slice(ephemeral_public.as_bytes());
        output.extend_from_slice(&encrypted);

        Ok(output)
    }

    /// ECIES decrypt with our recipient key
    pub fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>, IdentityError> {
        // Minimum size: ephemeral_pubkey (32) + nonce (12) + tag (16)
        if ciphertext.len() < ECIES_OVERHEAD {
            return Err(IdentityError::InvalidCiphertextLength);
        }

        // Parse ephemeral public key
        let ephemeral_pubkey_bytes: [u8; 32] = ciphertext[..32]
            .try_into()
            .map_err(|_| IdentityError::InvalidCiphertextLength)?;
        let ephemeral_public = RecipientPubKey::from_bytes(ephemeral_pubkey_bytes);

        // Perform DH and derive decryption key
        let our_secret = RecipientSecretKey::from_bytes(self.recipient.to_bytes());
        let decryption_key = perform_dh_and_derive(&our_secret, &ephemeral_public)
            .map_err(|e| match e {
                EciesError::InvalidSharedSecret => IdentityError::InvalidSharedSecret,
                EciesError::KeyDerivationFailed => IdentityError::DecryptionFailed,
            })?;

        // Decrypt with AES-256-GCM using AAD for integrity
        let encrypted = &ciphertext[32..];
        decrypt(decryption_key.as_bytes(), encrypted, AAD_ECIES)
            .map_err(|_| IdentityError::DecryptionFailed)
    }

    /// Format identity pubkeys as shareable string
    ///
    /// Format: `void://ed25519:<hex>/x25519:<hex>[/nostr:<hex>]`
    pub fn to_identity_string(&self) -> String {
        let signing_hex = self.signing_pubkey().to_hex();
        let recipient_hex = self.recipient_pubkey().to_hex();
        let mut s = format!("void://ed25519:{signing_hex}/x25519:{recipient_hex}");
        if let Some(nostr) = self.nostr_pubkey() {
            s.push_str(&format!("/nostr:{}", nostr.to_hex()));
        }
        s
    }

    /// Format identity pubkeys with username as shareable string
    ///
    /// Format: `void://alice@ed25519:<hex>/x25519:<hex>[/nostr:<hex>]`
    pub fn to_identity_string_with_username(&self, username: &str) -> String {
        let signing_hex = self.signing_pubkey().to_hex();
        let recipient_hex = self.recipient_pubkey().to_hex();
        let mut s = format!("void://{username}@ed25519:{signing_hex}/x25519:{recipient_hex}");
        if let Some(nostr) = self.nostr_pubkey() {
            s.push_str(&format!("/nostr:{}", nostr.to_hex()));
        }
        s
    }

    /// Parse identity string into a `ParsedIdentity` with optional username.
    ///
    /// Supports formats (all backward-compatible):
    /// - `void://ed25519:<hex>/x25519:<hex>` (legacy, no nostr)
    /// - `void://ed25519:<hex>/x25519:<hex>/nostr:<hex>` (with nostr)
    /// - `void://alice@ed25519:<hex>/x25519:<hex>[/nostr:<hex>]` (with username)
    pub fn parse_identity_string(s: &str) -> Result<ParsedIdentity, IdentityError> {
        let s = s
            .strip_prefix("void://")
            .ok_or(IdentityError::InvalidIdentityString)?;

        // Check for username@... prefix
        let (username, key_part) = if let Some(at_pos) = s.find('@') {
            let name = &s[..at_pos];
            if name.is_empty() {
                return Err(IdentityError::InvalidIdentityString);
            }
            (Some(name.to_string()), &s[at_pos + 1..])
        } else {
            (None, s)
        };

        let parts: Vec<&str> = key_part.split('/').collect();
        if parts.len() < 2 || parts.len() > 3 {
            return Err(IdentityError::InvalidIdentityString);
        }

        let signing = parse_prefixed_key(parts[0], "ed25519:")?;
        let recipient = parse_prefixed_key(parts[1], "x25519:")?;

        let nostr_pubkey = if parts.len() == 3 {
            let nostr = parse_prefixed_key(parts[2], "nostr:")?;
            Some(NostrPubKey::from_bytes(nostr))
        } else {
            None
        };

        Ok(ParsedIdentity {
            username,
            signing_pubkey: SigningPubKey::from_bytes(signing),
            recipient_pubkey: RecipientPubKey::from_bytes(recipient),
            nostr_pubkey,
        })
    }

    /// Backward-compatible alias for `parse_identity_string()`.
    pub fn parse_identity_string_full(s: &str) -> Result<ParsedIdentity, IdentityError> {
        Self::parse_identity_string(s)
    }
}

/// Derive a per-repo owner Ed25519 signing key from an identity seed and repo ID.
///
/// The repo owner key is used for governance actions (policy updates,
/// contributor management, ownership transfer). It is NOT used for
/// commit signing — that remains the identity key's job.
///
/// This is a convenience wrapper around `seed::derive_repo_owner_key()` that
/// returns an `ed25519_dalek::SigningKey` ready for use.
pub fn derive_repo_owner_signing_key(
    seed_val: &crate::kdf::IdentitySeed,
    repo_id: &str,
) -> Result<SigningKey, IdentityError> {
    let secret = seed::derive_repo_owner_key(seed_val, repo_id)?;
    Ok(SigningKey::from_bytes(secret.as_bytes()))
}

// ============================================================================
// ECIES Key Wrapping
// ============================================================================

/// Wrap a repository key using ECIES for a recipient's X25519 public key.
///
/// This encrypts the 32-byte repo key so only the holder of the corresponding
/// X25519 private key can decrypt it. Used to distribute repo access keys to
/// individual contributors.
pub fn ecies_wrap_key(
    key: &RepoKey,
    recipient_pubkey: &RecipientPubKey,
) -> CryptoResult<WrappedKey> {
    let ciphertext = Identity::encrypt_for(recipient_pubkey, key.as_bytes())
        .map_err(|e| CryptoError::Encryption(format!("failed to wrap key: {}", e)))?;
    Ok(WrappedKey::from_bytes(ciphertext))
}

/// Unwrap a repository key using the identity's X25519 private key.
///
/// Decrypts an ECIES-wrapped key blob to recover the original 32-byte repo key.
pub fn ecies_unwrap_key(
    wrapped: &WrappedKey,
    identity: &Identity,
) -> CryptoResult<RepoKey> {
    let plaintext = identity
        .decrypt(wrapped.as_bytes())
        .map_err(|e| CryptoError::Decryption(format!("failed to unwrap key: {}", e)))?;

    let arr: [u8; 32] = plaintext
        .try_into()
        .map_err(|_| CryptoError::Decryption("unwrapped key is not 32 bytes".into()))?;
    Ok(RepoKey::from_bytes(arr))
}

/// Parsed identity containing public keys and optional username.
///
/// Returned by `Identity::parse_identity_string_full()`.
#[derive(Debug, Clone)]
pub struct ParsedIdentity {
    /// Optional username (present in `void://alice@...` format).
    pub username: Option<String>,
    /// Ed25519 public key for signature verification.
    pub signing_pubkey: SigningPubKey,
    /// X25519 public key for ECIES encryption.
    pub recipient_pubkey: RecipientPubKey,
    /// Optional secp256k1 x-only public key for Nostr transport.
    pub nostr_pubkey: Option<NostrPubKey>,
}

fn parse_prefixed_key(s: &str, prefix: &str) -> Result<[u8; 32], IdentityError> {
    let hex_str = s
        .strip_prefix(prefix)
        .ok_or(IdentityError::InvalidIdentityString)?;
    let bytes = hex::decode(hex_str).map_err(|_| IdentityError::InvalidHex)?;
    bytes
        .try_into()
        .map_err(|_| IdentityError::InvalidIdentityString)
}