Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Anoncreds create credential #3369

Merged
merged 14 commits into from
Dec 20, 2024

Conversation

jamshale
Copy link
Contributor

@jamshale jamshale commented Dec 2, 2024

When cheqd was attempting anoncreds issuance they were getting a entropy required error when using the anoncreds library to create the credential. After some research it looked like we should be using the entropy parameter, but were using the prover_did parameter. https://hyperledger.github.io/anoncreds-spec/#constructing-the-credential-request

I don't know why this works for an indy credential request and not the cheqd. Maybe something internally in the anocnreds library. But it looks like using the holder_did value in the entropy works and I tested with indy and cheqd and issuance succeeds.

Then noticed some indy parsing when storing the credential that shouldn't be in the anoncreds holder. I couldn't figure out why we would need these extra tags so I removed them. If we did need them then the parsing should go into the actual registry.

@swcurran
Copy link
Contributor

swcurran commented Dec 2, 2024

Frustrating — sorry that got messy. The orginal AnonCreds implementation (in Indy) used “holder_did”, but semantically, that was wrong — the “did” had nothing to do with the operation. Clients were using the “DIDComm DID” of the relationship between the holder and issuer — but it was not checked and could be anything. We looked into the code, and it was determined that the purpose of the data was simply to add entropy into the operation. A very minor change, but not everyone got the memo, and all it does is create friction. Likely the best way to handle it is for the issuer to accept either, and pass it on to AnonCreds with what it expects. Painful - sorry about that. The “clarification” of the purpose does not make up for the interop problems this has caused.

@jamshale
Copy link
Contributor Author

jamshale commented Dec 2, 2024

Need to look into failing tests... Thought I had tested this.

(edit) Seems to be some compatibility issues with indy issuer to anoncreds holder. I'll get back to this in a bit.

@jamshale jamshale force-pushed the anoncreds-issuance branch 2 times, most recently from b60f20f to e08c47f Compare December 6, 2024 22:23
@jamshale
Copy link
Contributor Author

I think we can ignore the sonarcloud report. Most of the duplication is because of the extension of the registry base class and there's not really much to cover with unit tests, and it's covered by the scenario test.

@gmulhearn
Copy link
Contributor

gmulhearn commented Dec 11, 2024

FWIW, i also ran into compatibility issues when testing VCX against cheqd's acapy fork/branch. The issue was that VCX (using anoncreds-rs) was creating cred request attachments that had entropy instead of prover_did, but then the ACApy schema/model validation for the cred request was upset at this. My quick fix was to change the model from prover_did to entropy.

Looks like this is the more permanent fix - cheers!

question; is it still necessary to include both prover_did & entropy in the anoncreds cred request attachment model? Would it be too aggressive to make the assumption that if you're using the 0771 attachment format, you're abiding by the anoncreds spec, which i believe means you must be using entropy instead of prover_did?

Maybe that's too aggressive, as i don't think the anoncreds spec explicitly denies usage of prover_did, infact the cred request example uses prover_did: https://hyperledger.github.io/anoncreds-spec/#constructing-the-credential-request 👀. Should this be updated? @swcurran

@gmulhearn
Copy link
Contributor

I don't know why this works for an indy credential request and not the cheqd. Maybe something internally in the anocnreds library. But it looks like using the holder_did value in the entropy works and I tested with indy and cheqd and issuance succeeds

yeah i ran into this too. here's the source where all the validation rules are applied: https://github.com/hyperledger/anoncreds-rs/blob/main/src/data_types/cred_request.rs#L27

different behaviours depending on whether or not the cred-def-id is qualified ("legacy") or not

@dbluhm
Copy link
Contributor

dbluhm commented Dec 12, 2024

These changes will get hit by the anoncreds scenario, right?

@jamshale
Copy link
Contributor Author

jamshale commented Dec 12, 2024

Yes. The anocnreds scenario test is testing askar/indy (issuer) --> askar-anoncreds (holder) and askar-anoncreds (issuer) --> askar/indy (holder). And the verifier scenario.

The anoncreds holder now uses entropy instead of prover_did, and the indy credx holder still uses prover_did.

The only issue would be an old version of an indy issuer, issuing to a new anoncreds holder. In this case it wouldn't know what to do with the entropy attribute.

@swcurran
Copy link
Contributor

swcurran commented Dec 12, 2024

If it helps — the “prover_did” property that would come from an Indy request can be used as the value of “entropy” — they are the same value.

@swcurran
Copy link
Contributor

Updated that last comment to be “prover_did” — not “holder_did”

@DaevMithran
Copy link
Contributor

DaevMithran commented Dec 16, 2024

@jamshale we need to get_schema_info_by_id even in the presentation anoncreds handler to replace the indy parsing. Maybe we also need a get_credential_definition_info_by_id

@jamshale
Copy link
Contributor Author

@jamshale we need to get_schema_info_by_id even in the presentation anoncreds handler to replace the indy parsing. Maybe we also need a get_credential_definition_info_by_id

👍 Ok. Thanks for pointing this out. I had tried to run through the presentation protocol as well with your branch but was having other issues so I never got through it. This looks like an obvious place to apply the method. Let me know if you see any others please.

@jamshale jamshale force-pushed the anoncreds-issuance branch 2 times, most recently from 3e1fc6d to 38c5811 Compare December 17, 2024 19:30
@jamshale jamshale requested a review from dbluhm December 17, 2024 20:26
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Signed-off-by: jamshale <jamiehalebc@gmail.com>
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
20.7% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

Copy link
Member

@esune esune left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏻

@jamshale jamshale merged commit 11951ef into openwallet-foundation:main Dec 20, 2024
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants