
What's the recovery method if an incorrect SN is provided during key refresh causing identity and contact queries to fail?

Open eminoda opened this issue 4 months ago • 1 comments

Reference: https://github.com/GLEIF-IT/qvi-software/issues/43

When I use client!.keyStates().query(prefix, sn) to refresh the key for a prefix, if the sn is accidentally passed incorrectly (for example, the initial sn is 0, after rotation it should be 1, but I mistakenly passed in 2), it will cause exceptions in both identity queries and contact queries.

keria version: 0.3.0

// get QAR1 state
const memberAid =  await client!.identifiers().get('QAR1')
GET: /api/identifiers/QAR1 response:
{
    "name": "QAR1",
    "prefix": "EO6DnwxZhraMCkw0FMb05o9F2BCwHramx5ZVrSJ2rAHb",
    "salty": {
        "sxlt": "1AAHStwHb1NPw5-ENKkssBvNHorWmq3t752qV4o9ziBadwrWqkgdjfjibVptOtCLhLi960ye5lPyLRD4PAfT5yf02HJf8UmGimoK",
        "pidx": 0,
        "kidx": 1,
        "stem": "signify:aid",
        "tier": "low",
        "dcode": "E",
        "icodes": [
            "A"
        ],
        "ncodes": [
            "A"
        ],
        "transferable": true
    },
    "icp_dt": "2025-08-26T03:06:54.241486+00:00",
    "transferable": true,
    "state": {
        "vn": [
            1,
            0
        ],
        "i": "EO6DnwxZhraMCkw0FMb05o9F2BCwHramx5ZVrSJ2rAHb",
        "s": "1",
        "p": "EO6DnwxZhraMCkw0FMb05o9F2BCwHramx5ZVrSJ2rAHb",
        "d": "EAsuFH0zcBEXCgl0r6VcL-xGhJr57U5EII_ikG9aYByo",
        "f": "1",
        "dt": "2025-08-26T03:12:21.709615+00:00",
        "et": "rot",
        "kt": "1",
        "k": [
            "DIrfiv3UnJKEUsI8IeZ4PD0hEgodb6rc4RnghkOVD8Wz"
        ],
        "nt": "1",
        "n": [
            "EJqEpPnkaLOlZnhG1qDZch6njP3B2_mq3t6DZdDnafdk"
        ],
        "bt": "3",
        "b": [
            "BP0bEOQF03AG6yS6byFZC970K6l-yf7I0sMlgYy0Z-oW",
            "BLKXCCM_o-k-QnLpD2jygPRqO10ROXP_L9ESxuErHENW",
            "BE61WVWl6OMA3JRqRJZ_04x1qZkbAkN9HQK_1hXrcflk"
        ],
        "c": [],
        "ee": {
            "s": "1",
            "d": "EAsuFH0zcBEXCgl0r6VcL-xGhJr57U5EII_ikG9aYByo",
            "br": [],
            "ba": []
        },
        "di": ""
    },
    "windexes": [
        0,
        1,
        2
    ]
}

Pass the wrong sn (should be 1, but 2 is passed):

client!.keyStates().query(memberAid.prefix, values.keystate) // values.keystate pass 2
POST: /api/queries response:
{"title": "500 Internal Server Error"}

Then, querying identifiers or contacts fails:

GET /api/identifiers
401 Unauthorized

GET /api/contacts
401 Unauthorized

eminoda, Aug 26 '25 03:08
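A client-side guard for the case in this report, as an added example that is not part of the issue, signify-ts or KERIA: it checks a requested sn against the hex "s" field of the state just fetched for the client's own identifier, before any key state query is sent. The helper names parseStateSn and checkRequestedSn are hypothetical, and reading the form value as a decimal number is an assumption.

```javascript
// Added example; helper names are hypothetical, not signify-ts API.
// KERI key state carries the sequence number "s" as a hex string
// without leading zeros (e.g. "0", "1", "a", "1f").
const HEX_SN = /^(0|[1-9a-f][0-9a-f]*)$/;

// Parse the "s" field of a key state record into a number.
function parseStateSn(state) {
  if (!state || typeof state.s !== 'string' || !HEX_SN.test(state.s)) {
    throw new Error('key state has no valid hex "s" field');
  }
  return parseInt(state.s, 16);
}

// Validate a user-supplied sn against the latest known state.
// Assumption: `state` belongs to the client's own identifier, so no
// event with a higher sn can exist yet. For a remote AID a higher sn
// can be legitimate and this upper bound would not apply.
function checkRequestedSn(state, requested) {
  const current = parseStateSn(state);
  // Assumption: form input arrives as a number or a decimal string.
  const sn = typeof requested === 'string' && /^\d+$/.test(requested.trim())
    ? Number(requested.trim())
    : requested;
  if (typeof sn !== 'number' || !Number.isSafeInteger(sn) || sn < 0) {
    return { ok: false,
             reason: `sn must be a non-negative integer, got ${JSON.stringify(requested)}` };
  }
  if (sn > current) {
    return { ok: false,
             reason: `sn ${sn} is ahead of the latest known event (s=${current})` };
  }
  return { ok: true, sn };
}

// Constructed sample: the relevant fields of the QAR1 state shown above.
const sampleState = {
  i: 'EO6DnwxZhraMCkw0FMb05o9F2BCwHramx5ZVrSJ2rAHb',
  s: '1',
  et: 'rot',
};

for (const candidate of [1, 2, '2', -1]) {
  console.log(candidate, checkRequestedSn(sampleState, candidate));
}
```

Only when the result has ok set to true would the caller go on to issue the key state query with the validated sn.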

@eminoda Do you have a reproduction script for this? And some log output from KERIA.

I quickly adjusted singlesig-ixn.test.ts to pass the wrong key state and the operation just times out, but no 500 or 401s.

iFergal, Sep 09 '25 19:09