remove the need for passing issuer's encryption public key at credent…

packages/issuer-sdk-js/README.md

@@ -182,9 +182,6 @@ const credential = {
   // `createCredentialByGrant` will encrypt this for us, using the Issuer's secret encryption key, along with the user's public encryption key.
   content: "VERIFIABLE_CREDENTIAL_CONTENT",
 
-  // The public encryption key of the issuer.
-  encryption_public_key: issuerConfig.issuerPublicEncryptionKey,
-
   // The public encryption key of the user who is creating the credential.
   userEncryptionPublicKey: session.user.userEncryptionPublicKey,
 }
@@ -220,7 +217,7 @@ const credential = {
   issuer: "ISSUER_NAME",
   content: "VERIFIABLE_CREDENTIAL_CONTENT",
   human_id: session.user.humanId,
-  encryption_public_key: issuerConfig.issuerPublicEncryptionKey,
+  userEncryptionPublicKey: session.user.userEncryptionPublicKey,
 }
 
 await createCredentialPermissioned(issuerConfig, credential);

packages/issuer-sdk-js/src/create-issuer-config.test.ts

@@ -1,5 +1,7 @@
 import { KwilSigner, NodeKwil } from "@kwilteam/kwil-js";
+import * as Base64Codec from "@stablelib/base64";
 import { Wallet } from "ethers";
+import nacl from "tweetnacl";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { createIssuerConfig } from "./index";
 
@@ -40,10 +42,12 @@ describe("createIssuerConfig", () => {
     const mockWallet = new Wallet(
       "dcdda6663be8dfa23d0e54a31ff6fddba2fdf8a1f0eae985c59857031e6da169",
     );
+    const mockSecretKey = nacl.box.keyPair().secretKey;
+
     const params = {
       nodeUrl: "http://mock-node-url",
       signer: mockWallet,
-      encryptionSecret: "mock-secret-key",
+      encryptionSecret: Base64Codec.encode(mockSecretKey),
     };
 
     const result = await createIssuerConfig(params);
@@ -70,7 +74,9 @@ describe("createIssuerConfig", () => {
       dbid: "mock-dbid",
       kwilClient: expect.any(Object),
       signer: expect.any(Object),
-      encryptionSecret: params.encryptionSecret,
+      encryptionKeyPair: nacl.box.keyPair.fromSecretKey(
+        Base64Codec.decode(params.encryptionSecret),
+      ),
     });
   });
 });

packages/issuer-sdk-js/src/create-issuer-config.ts

@@ -1,7 +1,9 @@
 import { KwilSigner, NodeKwil } from "@kwilteam/kwil-js";
+import * as Base64Codec from "@stablelib/base64";
 import { Wallet } from "ethers";
 import { KeyPair } from "near-api-js";
 import invariant from "tiny-invariant";
+import nacl from "tweetnacl";
 import { implicitAddressFromPublicKey, kwilNep413Signer } from "../../kwil-nep413-signer/src";
 
 export interface CreateIssuerConfigParams {
@@ -48,8 +50,10 @@ export async function createIssuerConfig(params: CreateIssuerConfigParams) {
   });
 
   const signer = createKwilSigner(params.signer);
+  const encryptionSecretKey = Base64Codec.decode(params.encryptionSecret);
+  const encryptionKeyPair = nacl.box.keyPair.fromSecretKey(encryptionSecretKey);
 
-  return { chainId, dbid, kwilClient, signer, encryptionSecret: params.encryptionSecret };
+  return { chainId, dbid, kwilClient, signer, encryptionKeyPair };
 }
 
 export type IssuerConfig = Awaited<ReturnType<typeof createIssuerConfig>>;

packages/issuer-sdk-js/src/credentials.ts

@@ -4,30 +4,37 @@ import type { idOSCredential } from "../../types";
 import type { IssuerConfig } from "./create-issuer-config";
 import { createActionInput, encryptContent, ensureEntityId } from "./internal";
 
-// Base interface for credential parameters
-interface BaseCredentialParams extends Omit<idOSCredential, "id" | "original_id"> {
+/**
+ * Interface for BaseCredentialParams.
+ *
+ * `id` can be manually provided. If it isn't provided, it will be randomly generated.
+ * `encryption_public_key` is omitted because it is derived internally
+ * from the issuer's encryption secret key.
+ *
+ */
+interface BaseCredentialParams
+  extends Omit<idOSCredential, "id" | "original_id" | "encryption_public_key"> {
   id?: string;
-}
-
-interface HasUserEncryptionPublicKey {
   userEncryptionPublicKey: string;
 }
 
-interface CreateCredentialPermissionedParams
-  extends BaseCredentialParams,
-    HasUserEncryptionPublicKey {}
+interface CreateCredentialPermissionedParams extends BaseCredentialParams {}
 
 export async function createCredentialPermissioned(
-  { dbid, kwilClient, encryptionSecret, signer }: IssuerConfig,
+  { dbid, kwilClient, encryptionKeyPair, signer }: IssuerConfig,
   params: CreateCredentialPermissionedParams,
 ): Promise<idOSCredential> {
   const encryptedContent = await encryptContent(
     Utf8Codec.encode(params.content),
     Base64Codec.decode(params.userEncryptionPublicKey),
-    Base64Codec.decode(encryptionSecret),
+    encryptionKeyPair.secretKey,
   );
 
-  const payload = { ...ensureEntityId(params), content: encryptedContent };
+  const payload = {
+    ...ensureEntityId(params),
+    content: encryptedContent,
+    encryption_public_key: Base64Codec.encode(encryptionKeyPair.publicKey),
+  };
   await kwilClient.execute(
     {
       name: "upsert_credential_as_inserter",
@@ -44,19 +51,23 @@ export async function createCredentialPermissioned(
   };
 }
 
-interface CreateCredentialByGrantParams extends BaseCredentialParams, HasUserEncryptionPublicKey {}
+interface CreateCredentialByGrantParams extends BaseCredentialParams {}
 
 export async function createCredentialByGrant(
-  { dbid, kwilClient, encryptionSecret, signer }: IssuerConfig,
+  { dbid, kwilClient, encryptionKeyPair, signer }: IssuerConfig,
   params: CreateCredentialByGrantParams,
 ): Promise<idOSCredential> {
   const encryptedContent = await encryptContent(
     Utf8Codec.encode(params.content),
     Base64Codec.decode(params.userEncryptionPublicKey),
-    Base64Codec.decode(encryptionSecret),
+    encryptionKeyPair.secretKey,
   );
 
-  const payload = { ...ensureEntityId(params), content: encryptedContent };
+  const payload = {
+    ...ensureEntityId(params),
+    content: encryptedContent,
+    encryption_public_key: Base64Codec.encode(encryptionKeyPair.publicKey),
+  };
   await kwilClient.execute(
     {
       name: "add_credential_by_write_grant",
@@ -73,23 +84,27 @@ export async function createCredentialByGrant(
   };
 }
 
-interface ShareCredentialByGrantParams extends BaseCredentialParams, HasUserEncryptionPublicKey {
+interface ShareCredentialByGrantParams extends BaseCredentialParams {
   grantee: string;
   locked_until: number;
   original_credential_id: string;
 }
 
 export async function shareCredentialByGrant(
-  { dbid, kwilClient, encryptionSecret, signer }: IssuerConfig,
+  { dbid, kwilClient, encryptionKeyPair, signer }: IssuerConfig,
   params: ShareCredentialByGrantParams,
 ): Promise<idOSCredential> {
   const encryptedContent = await encryptContent(
     Utf8Codec.encode(params.content),
     Base64Codec.decode(params.userEncryptionPublicKey),
-    Base64Codec.decode(encryptionSecret),
+    encryptionKeyPair.secretKey,
   );
 
-  const payload = { ...ensureEntityId(params), content: encryptedContent };
+  const payload = {
+    ...ensureEntityId(params),
+    content: encryptedContent,
+    encryption_public_key: Base64Codec.encode(encryptionKeyPair.publicKey),
+  };
   await kwilClient.execute(
     {
       name: "share_credential_by_write_grant",