-
Notifications
You must be signed in to change notification settings - Fork 197
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: query for qualified/unqualified forms in revocation notification #1866
fix: query for qualified/unqualified forms in revocation notification #1866
Conversation
Signed-off-by: Ariel Gentile <gentilester@gmail.com>
could we also do this for credentials and proofs? |
Still getting no records with the updated query. Here's what the query ends up looking like:
I thought maybe the values passed were incorrect so I tried switching them, but still retrieved no records. Here's what that query looked like:
Not sure if I mentioned this already but it appears to be using the 'V1' revocation notification process, if that's helpful. Let me know what further info I could provide that might help. |
@TimoGlastra please let me know if you see anything odd about the above that could cause no records to be found |
Signed-off-by: Ariel Gentile <gentilester@gmail.com>
Yeah the query parameters were mixed up in previous commit. Sad that once you updated the query it is still not finding any record. Looking here, it seems that Credo is not storing legacy identifiers because the issuer is not a qualified did:indy. I think this should be done either if it is a qualified or an unqualified did:indy. @auer-martin can you confirm? |
@@ -51,7 +51,21 @@ export class RevocationNotificationService { | |||
comment?: string | |||
) { | |||
// TODO: can we extract support for this revocation notification handler to the anoncreds module? | |||
const query = { anonCredsRevocationRegistryId, anonCredsCredentialRevocationId, connectionId: connection.id } | |||
// Search for the revocation registry in both qualified and unqualified forms | |||
const query = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we already store it in both formats? We MIGHT have to query the credential itself first and based on that find the exchange record (as we definitely store both qualified and unqualified on the w3c record)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the idea in 0.5 was to store both in the w3c record, but up to now it is doing so only in case the issuer is a qualified did:indy, which is not the case in BCGov demo for example, so unqualified form is not being recorded there.
But something I'm thinking while inspectic the code is the following: LegacyIndyCredentialFormatService
is supposed to work only with unqualified identifiers, right? In that case, to fix this particular issue shouldn't it suffice to simply store anonCredsRevocationRegistryId
tag and metadata in unqualified format?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But something I'm thinking while inspectic the code is the following: LegacyIndyCredentialFormatService is supposed to work only with unqualified identifiers, right? In that case, to fix this particular issue shouldn't it suffice to simply store anonCredsRevocationRegistryId tag and metadata in unqualified format?
I think for the migration it's easier if we can store as much as possible as qualified identifiers. It's very simple to go from qualified -> unqualified, not the other way around. In the future it would be nice if you could send a revocation notification with a qualified identifier for a credential that was issued as unqualified.
Yeah, I think that's a mistake. |
Just tried one of the approaches suggested; removing the It still unfortunately did not find the record, not sure why. Here's what my resulting
and here's what my query looked like:
Let me know if anything here stands out. |
Signed-off-by: Ariel Gentile <gentilester@gmail.com>
The issue is that in So for the moment I've updated |
@@ -399,6 +399,7 @@ export class LegacyIndyCredentialFormatService implements CredentialFormatServic | |||
}) | |||
credentialRecord.setTags({ | |||
anonCredsRevocationRegistryId: credential.revocationRegistryId, | |||
anonCredsUnqualifiedRevocationRegistryId: anonCredsCredential.rev_reg_id, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this addition also needed in the acceptRequest
method? (Line 277)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's for the issuer part, but yes, it should be added also here if we follow this approach.
I have one comment above just asking if we need an extra addition but as it is currently revocation works! Thank you all for your help this far. Safe to create a patch with these changes? |
Oh one other question. Will this only solve the problem for newly issued credentials, credentials issued with AFJ 0.4.2 will still fail revocation, no? |
From my understanding, credentials issued with 0.4.2 should work, since at the moment we are not touching any tag in CredentialExchangeRecord during record migration. So I guess it will have BTW for consistency, I think if we follow this |
I can confirm that revocation in 0.5.2 for credentials issued in 0.4.2 work with these changes. |
Signed-off-by: Ariel Gentile <gentilester@gmail.com>
Signed-off-by: Ariel Gentile <gentilester@gmail.com>
credentialOffer, | ||
credentialRequest, | ||
credentialValues: convertAttributesToCredentialValues(credentialAttributes), | ||
}) | ||
|
||
if (credential.rev_reg_id) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed it from here because we don't actually support revocation with legacy indy credentials (but we do in AnonCreds, so tags are added to issued credentials there)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WDYM? A credential with legacy identifiers can't use revocation? Is that because it's not implemented in the legacy credential format service?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we do not currently support issuing revocable legacy indy credentials, so I don't see how this if statement can be true.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what do you mean by "legacy indy credentials"? is there a short documentation about what is considered legacy? Was revocation notification supported before for "legacy indy credentials"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@genaris I know this is already merged but could I get a bit of clarification here; is this method only for issuing credentials? The name acceptRequest
implies it could be accepting a credential issued by another agent that does support issuing legacy creds, no? Currently our ecosystem uses revocation with credentials that don't start with did:indy
etc. ie. "legacy" credentials as I understand it, so it seems like we would need to keep this if
block. Let me know what you think
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The naming here is mainly based on DIDComm Issue Credential protocols, where the steps are propose -> offer -> request -> issue (see here). This acceptRequest
is about responding to the request-credential
message, which is sent from the holder to the issuer to ask for the actual credential issuance.
So this method is only called in issuer side. As you can see some lines before, we are calling anoncredsIssuerService.createCredential
without any revocation-related CreateCredentialOptions
parameter (revocationRegistryDefinitionId, revocationRegistryIndex, revocationStatusList), like we do in AnonCredsCredentialFormatService.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, ok. Got it. Thank you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good 👍 but it's also complex logic with all this qualified vs unqualified so I might miss things 😅
// If using unqualified dids, store both qualified/unqualified revRegId forms | ||
// to allow retrieving it from revocation notification service | ||
if (qualifiedRevocationRegistryId && indyNamespace) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment indicates we're using unqualified, but the parameter you're checking is for the qualified id?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was mostly to optimize a bit the code but I'll change it, since it is not clear
@@ -199,7 +200,7 @@ export function getW3cRecordAnonCredsTags(options: { | |||
anonCredsMethodName: methodName, | |||
anonCredsRevocationRegistryId: revocationRegistryId, | |||
anonCredsCredentialRevocationId: credentialRevocationId, | |||
...(isIndyDid(issuerId) && { | |||
...((isIndyDid(issuerId) || isUnqualifiedIndyDid(issuerId)) && { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are the non unqualified tags now always using qualified identifiers? Even if the credential was issued as unqualified?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've understood from a previous comment that it was better to store the qualified form because it was not possible to go the other way around. Now I'm confused!
Signed-off-by: Ariel Gentile <gentilester@gmail.com>
@wadeking98 do you still want this? @genaris see any issue doing this? |
Now querying in both qualified and unqualified forms for revocation registry id. Didn't add any specific test for this yet.
@bryce-mcmath it would be great if by chance you can verify that this properly solves your issue with legacy indy credentals.
Fixes #1864