Interoperability 0.12.1 and credo-ts 0.5.3 - OOB connections
It's been reported that credo-ts version 0.5.3 expects the did-rotate attachment to be present in OOB connections. I'm not sure if credo-ts should not throw an error when the did_rotate~attach attachment is missing or acapy should have the did_rotate~attach.
We need to either let credo-ts know to fix it on their side or fix it on our side because currently the versions don't work for oob connections.
See https://discord.com/channels/905194001349627914/1244928900341960746 for more context.
I see that did_rotate decorator (did_rotate~attach) is optional in the RFC.
https://github.com/hyperledger/aries-rfcs/blob/main/features/0023-did-exchange/README.md
The did_rotate~attach attribute is optional, but SHOULD be included if the did attribute is resolvable and the did_doc~attach is not included. The value is the Base64url encoded DID, and signed with the key used in the invitation.
And I left a message in the credo-ts Discord channel. See: https://discord.com/channels/1022962884864643214/1179453305856991263/1248455045599727707
Maybe there's a bug, but it should only require the did_rotate if the did is different than did:peer:1. So if the did in the response is did:peer:1 we try to extract it from the did_doc~attach, and otherwise we verify the signature on the did_rotate~attach.
But it is correct that we REQUIRE either one to be present to verify the signature.
Which did method are you using?
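The rule described in the comment above (did:peer:1 falls back to did_doc~attach, any other DID needs a signed did_rotate~attach), sketched as an added example; it is not Credo's or ACA-Py's code. The function names, the `invitationKeyX` parameter (the invitation key passed in as a JWK `x` value instead of being resolved from the DID) and the sample data are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Normalise standard or URL-safe base64 to unpadded base64url.
const b64url = (s) => s.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// invitationKeyX: base64url "x" of the invitation's Ed25519 key (assumed already resolved).
function checkResponse(response, invitationKeyX) {
  const did = response.did || '';
  // did:peer:1 -> did_doc~attach, anything else -> did_rotate~attach.
  const name = did.startsWith('did:peer:1') ? 'did_doc~attach' : 'did_rotate~attach';
  const data = response[name] && response[name].data;
  if (!data || !data.base64 || !data.jws) return { ok: false, reason: `missing ${name}` };

  let header, sig;
  try {
    header = JSON.parse(Buffer.from(data.jws.protected, 'base64url').toString('utf8'));
    sig = Buffer.from(data.jws.signature, 'base64url');
  } catch { return { ok: false, reason: 'malformed jws' }; }
  // The signer must be the invitation key, not just any key named in the header.
  if (!header || header.alg !== 'EdDSA' || !header.jwk || header.jwk.x !== invitationKeyX)
    return { ok: false, reason: 'not signed with invitation key' };

  const key = nodeCrypto.createPublicKey({
    key: { kty: 'OKP', crv: 'Ed25519', x: invitationKeyX }, format: 'jwk' });
  // JWS signing input: protected header, a dot, then the base64url payload.
  const input = Buffer.from(`${data.jws.protected}.${b64url(data.base64)}`, 'ascii');
  if (!nodeCrypto.verify(null, input, key, sig)) return { ok: false, reason: 'bad signature' };

  // For did_rotate~attach the signed payload is the DID itself.
  if (name === 'did_rotate~attach' &&
      Buffer.from(data.base64, 'base64url').toString('utf8') !== did)
    return { ok: false, reason: 'signed DID differs from did field' };
  return { ok: true, reason: name };
}

// Constructed sample: a throwaway key pair stands in for the invitation key.
function buildSample(did, attachName, payload) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const x = publicKey.export({ format: 'jwk' }).x;
  const prot = Buffer.from(JSON.stringify(
    { alg: 'EdDSA', jwk: { kty: 'OKP', crv: 'Ed25519', x } })).toString('base64url');
  const base64 = Buffer.from(payload).toString('base64url');
  const signature = nodeCrypto.sign(null, Buffer.from(`${prot}.${base64}`), privateKey)
    .toString('base64url');
  const attach = { data: { base64, jws: { protected: prot, signature } } };
  return { x, response: { did, [attachName]: attach } };
}
```

Under this rule a response carrying an unqualified DID with only a did_doc~attach is rejected with `missing did_rotate~attach`, even when its signature is valid.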
@amanji @dbluhm Do you have any insight into this issue? I don't really have an interop setup atm, to look into this better. I'm not entirely sure what setting is causing the problem, but it's been reported by two separate people.
@TimoGlastra I captured the aca-py log of the didexchange response agent message. It seems like did:peer:4 is used and there is did_rotate~attach. A notable point is that, unlike the example in the specification, the @id attribute is included.
{
"@type": "https://didcomm.org/didexchange/1.1/response",
"@id": "94c5b4ba-4f9d-42e5-a8e4-c5b604c3a210",
"~thread": {
"thid": "bd1ca149-7573-42a5-beed-86c47bac81ea",
"pthid": "d8446259-64f8-4dfd-99c0-31c1bff589b4"
},
"did": "did:peer:4zQmQX5tvejbCWxbS9v7Az7UNU4i6GsFnYU5RihLTZJkuTCA: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",
"did_rotate~attach": {
"@id": "9067458e-66bb-4776-8a86-4c7a995dd1b5",
"mime-type": "text/string",
"data": {
"base64": "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",
"jws": {
"header": {
"kid": "did:key:z6Mkrx6PqtdZHDGKztPVcGVtimbPGpePKBKAfDsD5KHfgipW"
},
"protected": "eyJhbGciOiAiRWREU0EiLCAiandrIjogeyJrdHkiOiAiT0tQIiwgImNydiI6ICJFZDI1NTE5IiwgIngiOiAidWE4c294VXhRdXpPYktqbHhDQ1Z3eGNKdklRTGFEcmZ6Rnd5eXdHajluOCIsICJraWQiOiAiZGlkOmtleTp6Nk1rcng2UHF0ZFpIREdLenRQVmNHVnRpbWJQR3BlUEtCS0FmRHNENUtIZmdpcFcifX0",
"signature": "nDW7FA8N5U6UNcRsppt9d7Dxh4nLet1ZPFYrndNov75Jt7XsKJa-O-jMHiF59F9Zj-U734Q26-7BL_MnwMd2AA"
}
}
}
}
Okay thanks for looking into this. Maybe there's an inconsistency somewhere resulting in Credo not picking up the attach decorator.
FYI @genaris
@TimoGlastra , @genaris
In another aca-py environment, the response could be different, like below.
Unqualified did is used and did_doc~attach instead of did_rotate~attach.
This response comes from Hoang on Discord, who first reported this issue.
{
"@type": "https://didcomm.org/didexchange/1.1/response",
"@id": "d921e62d-4715-4d92-acdb-a1f224c1f908",
"~thread": {
"thid": "522411a3-f6f4-408f-8ba5-2c80eb9d581c",
"pthid": "b4c24792-f317-4dfb-8ab8-f77600be5475"
},
"did": "4Yaom1ZW2VM37VR366gXj3",
"did_doc~attach": {
"@id": "f874ea8d-d69f-433a-9463-c09676282907",
"mime-type": "application/json",
"data": {
"base64": "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",
"jws": {
"header": {
"kid": "did:key:z6Mkg4UrctEw4Cd8TsTMN9GBH47eVHNM5BH4ADpJRwkvnUCM"
},
"protected": "eyJhbGciOiAiRWREU0EiLCAiandrIjogeyJrdHkiOiAiT0tQIiwgImNydiI6ICJFZDI1NTE5IiwgIngiOiAiRi1HQUlKdGY2bDdtZUdmX3daVHpHbFZOVmZ6SXhZUnRyRnpqM1V1LUlSWSIsICJraWQiOiAiZGlkOmtleTp6Nk1rZzRVcmN0RXc0Q2Q4VHNUTU45R0JINDdlVkhOTTVCSDRBRHBKUndrdm5VQ00ifX0",
"signature": "LZJ-yznf8HNP2nFTJfpijDmQ5_gYThmu13kZ-kPJkh_ceNQp-2r1zVwkPbHYsHh7Oyawq4KeREXlIoURX0ZlAw"
}
}
}
}
Unqualified did is used and did_doc~attach instead of did_rotate~attach.
Credo does not support unqualified dids for Didexchange, and probably never will. We purposely went for qualified dids with didexchange, and still fully support the connection protocol for unqualified dids.
Hi, maybe my case could provide more clues... I'm just trying to establish a connection using DIDexchange 1.1 between ACA-Py (responder) and Credo (requester). So, my flow:
1.- ACA-Py create invitation OOB did:peer:4
{
"handshake_protocols": [
"https://didcomm.org/didexchange/1.1"
],
"protocol_version": "1.1",
"use_did_method": "did:peer:4"
}
The generated invitation:
{
"state": "initial",
"trace": false,
"invi_msg_id": "7450cdb0-937c-4b13-8c3c-3abaa6106aa7",
"oob_id": "c9dc467b-334b-40d1-8554-1e0c55a09833",
"invitation": {
"@type": "https://didcomm.org/out-of-band/1.1/invitation",
"@id": "7450cdb0-937c-4b13-8c3c-3abaa6106aa7",
"label": "faber.agent",
"handshake_protocols": [
"https://didcomm.org/didexchange/1.1"
],
"services": [
"did:peer:4zQmfNR7Kup4ruKY2LfmC3R9WDc8kMNAHWyumYKKP1XKnK6P: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"
]
},
"invitation_url": "http://localhost:8020?oob=eyJAdHlwZSI6ICJodHRwczovL2RpZGNvbW0ub3JnL291dC1vZi1iYW5kLzEuMS9pbnZpdGF0aW9uIiwgIkBpZCI6ICI3NDUwY2RiMC05MzdjLTRiMTMtOGMzYy0zYWJhYTYxMDZhYTciLCAibGFiZWwiOiAiZmFiZXIuYWdlbnQiLCAiaGFuZHNoYWtlX3Byb3RvY29scyI6IFsiaHR0cHM6Ly9kaWRjb21tLm9yZy9kaWRleGNoYW5nZS8xLjEiXSwgInNlcnZpY2VzIjogWyJkaWQ6cGVlcjo0elFtZk5SN0t1cDRydUtZMkxmbUMzUjlXRGM4a01OQUhXeXVtWUtLUDFYS25LNlA6ejRxU1piOHNuRDRWYURheFJncGpNemRiWDdrVU5HUW9TdmJmZjVuMnF2U2dYRUVYcHNDN050UGpWTWs4c2QyclU2dW5WQVZURWlCRDdwN21pb0RVVm5EUlkxM1VlVGgySFl0bW5Oa0RwY2pTaGpHaHBNVjVTM0NyeVZoUFQ2dVFiZ1Y3blN2NmNZVlFGY0V6TURhU3RKbUNTQnJmajJiTGR6MlkzTWdMZjh2ZVhWaWdVUWlKcUxnbW84QTVRN1ZFdEpHYnB2ajk3Y0htZDQ0a011OVBLOVFjVGEyZ1RnWFdLeXNTMjhKWlhTaW9VNTRYbkZqd0poaU1teVRRUnY4eHU0SjhUankzdXpLNVkxNFBlempvQUw0cFBQYWN1dHc2c3JyWTduUFZuVmpFVVpMeWpBTGhDYTRRNjVjcHl5Q0NEY3J1ZjJZMzNUbVZaN0xidm0zN1NLSHBUSHJlakFDQktOWm0xMUNoTWNxUWdveE5LZlY1OEtNUlpFbXpwVHRuYUpBYmVFcmRIM0s3ZURSZ3UzZVlDQ2lORmR3ZkxrVlY5SHVKcFdSMUZheEtrTE1QZmN4Y2pHc2d0ZG9RcU5temh6QnFHdkhlTUVHVHdnUkFybkF3TUpMSFJaQUpFVEhiNWtkVGJxbXJTRFVSQmh1Tm51MWhDTmY1UkFZbmlXZTI4VjJoSzQycTJRaHBQakFhTlBvY3VYVE1LNHlGdUN1QkNxR1RQV0JYTDJzWGV4V3RzS3ZKUmN3MUZnMUp6V3B0M0s2YlZMczh6USJdfQ=="
}
2.- CREDO Request
{
"@type": "https://didcomm.org/didexchange/1.1/request",
"@id": "51b9fa90-5cbe-4391-a0f3-618072b890e5",
"label": "alice",
"did": "did:peer:1zQmaxK6xfcSpG5FRbAcvWTTpMzxX9GgsaY97JMKxtXndn8E",
"~thread": {
"pthid": "7450cdb0-937c-4b13-8c3c-3abaa6106aa7"
},
"did_doc~attach": {
"@id": "124ffbf3-be89-4de0-af18-6324ba4b2119",
"mime-type": "application/json",
"data": {
"base64": "eyJAY29udGV4dCI6....FZiJ9XX0=",
"jws": {
"protected": "eyJhbGciOiJFZERTQ...cifX0",
"signature": "zWdQAdfOk1j5hZqwwd-LnaZlu6pTA_P6AFNFYIl9fTyqo89vNjt-7M-Pk6t4UhAY6qbtqjMYC-V8KEIEQUPLBA",
"header": {
"kid": "did:key:z6MkkiXiV48UDkpquUDZJppzG31XJMdZK8eY4h4Yj1qzWDno"
}
}
}
}
}
3.- ACA-Py Response
{
"@type": "https://didcomm.org/didexchange/1.1/response",
"@id": "67b6cebf-6ed9-4291-b67d-b5d04f8b36c3",
"~thread": {
"thid": "51b9fa90-5cbe-4391-a0f3-618072b890e5",
"pthid": "7450cdb0-937c-4b13-8c3c-3abaa6106aa7"
},
"did": "2Fjmh9QaDURfnSoc3tu9VP",
"did_doc~attach": {
"@id": "02d562e0-ddaf-408e-96cf-f5841f903bd5",
"mime-type": "application/json",
"data": {
"base64": "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",
"jws": {
"header": {
"kid": "did:key:z6MkoFQVs9kP3n6MXk1en5aNw4vazHECLEZjvNvAydNZ11i4"
},
"protected": "eyJhbGciOiAiRWREU0EiLCAiandrIjogeyJrdHkiOiAiT0tQIiwgImNydiI6ICJFZDI1NTE5IiwgIngiOiAiZ3FfRlBZb0l1dVUxUHlXdmE4MFJGbXY4Qmw5NHZKazVjaERTZ0JaaXhXMCIsICJraWQiOiAiZGlkOmtleTp6Nk1rb0ZRVnM5a1AzbjZNWGsxZW41YU53NHZhekhFQ0xFWmp2TnZBeWROWjExaTQifX0",
"signature": "jcjRDUrvMZdm9vIBRImbewyy5-priD8KoQAKHJrQhOyRCXBQy9aDkqN3Fj7V6qjpw9k1OoMtPiokTtRGqzbKCg"
}
}
}
}
There is no did_rotate~attach.
The behavior is similar when I use did:peer:2 or when I omit the use_did_method: while creating the OOB invitation.
Should ACA-Py add the did_rotate~attach to its response?
The key used for the invitation is the same as for the response, right (e.g. no key rotation is used)? In that case I think looking at the sender of the response message should be enough to match the invitation against the response and verify its authenticity.
If you refer to the "kid": "did:key:z6MkoFQVs9kP3n6MXk1en5aNw4vazHECLEZjvNvAydNZ11i4" in the response and the key from the invitation, after resolving the did:peer:4, "publicKeyMultibase": "z6MkoFQVs9kP3n6MXk1en5aNw4vazHECLEZjvNvAydNZ11i4", the answer is Yes.
ACA-Py is defaulting to using unqualified DIDs when a did:peer:1 is received from the requester. This is probably the wrong default. While testing interop between ACA-Py and Credo, I had configured Credo to use did:peer:4 by default, which I suspect is why this wasn't seen before.
Closing due to the fix being merged from our end via https://github.com/hyperledger/aries-cloudagent-python/pull/3050