refactor(anoncreds): master secret to link secret (#1415)

Signed-off-by: Ariel Gentile <gentilester@gmail.com>

demo/package.json

@@ -15,7 +15,7 @@
   },
   "dependencies": {
     "@hyperledger/indy-vdr-nodejs": "0.1.0-dev.12",
-    "@hyperledger/anoncreds-nodejs": "^0.1.0-dev.11",
+    "@hyperledger/anoncreds-nodejs": "^0.1.0-dev.13",
     "@hyperledger/aries-askar-nodejs": "^0.1.0-dev.6",
     "inquirer": "^8.2.5"
   },

packages/anoncreds-rs/package.json

@@ -26,14 +26,14 @@
   "dependencies": {
     "@aries-framework/core": "0.3.3",
     "@aries-framework/anoncreds": "0.3.3",
-    "@hyperledger/anoncreds-shared": "^0.1.0-dev.11",
+    "@hyperledger/anoncreds-shared": "^0.1.0-dev.13",
     "class-transformer": "^0.5.1",
     "class-validator": "0.14.0",
     "rxjs": "^7.2.0",
     "tsyringe": "^4.7.0"
   },
   "devDependencies": {
-    "@hyperledger/anoncreds-nodejs": "^0.1.0-dev.11",
+    "@hyperledger/anoncreds-nodejs": "^0.1.0-dev.13",
     "reflect-metadata": "^0.1.13",
     "rimraf": "^4.4.0",
     "typescript": "~4.9.5"

packages/anoncreds-rs/src/services/AnonCredsRsHolderService.ts

@@ -40,7 +40,7 @@ import {
   Credential,
   CredentialRequest,
   CredentialRevocationState,
-  MasterSecret,
+  LinkSecret,
   Presentation,
   RevocationRegistryDefinition,
   RevocationStatusList,
@@ -55,19 +55,9 @@ export class AnonCredsRsHolderService implements AnonCredsHolderService {
     agentContext: AgentContext,
     options?: CreateLinkSecretOptions
   ): Promise<CreateLinkSecretReturn> {
-    let masterSecret: MasterSecret | undefined
-    try {
-      masterSecret = MasterSecret.create()
-
-      // FIXME: This is a very specific format of anoncreds-rs. I think it should be simply a string
-      const linkSecretJson = masterSecret.toJson() as { value: { ms: string } }
-
-      return {
-        linkSecretId: options?.linkSecretId ?? utils.uuid(),
-        linkSecretValue: linkSecretJson.value.ms,
-      }
-    } finally {
-      masterSecret?.handle.clear()
+    return {
+      linkSecretId: options?.linkSecretId ?? utils.uuid(),
+      linkSecretValue: LinkSecret.create(),
     }
   }
 
@@ -184,7 +174,7 @@ export class AnonCredsRsHolderService implements AnonCredsHolderService {
         credentials: credentials.map((entry) => entry.credentialEntry),
         credentialsProve,
         selfAttest: selectedCredentials.selfAttestedAttributes,
-        masterSecret: { value: { ms: linkSecretRecord.value } },
+        linkSecret: linkSecretRecord.value,
       })
 
       return presentation.toJson() as unknown as AnonCredsProof
@@ -216,6 +206,10 @@ export class AnonCredsRsHolderService implements AnonCredsHolderService {
         )
       }
 
+      if (!linkSecretRecord.value) {
+        throw new AnonCredsRsError('Link Secret value not stored')
+      }
+
       const isLegacyIdentifier = credentialOffer.cred_def_id.match(legacyIndyCredentialDefinitionIdRegex)
       if (!isLegacyIdentifier && useLegacyProverDid) {
         throw new AriesFrameworkError('Cannot use legacy prover_did with non-legacy identifiers')
@@ -227,8 +221,8 @@ export class AnonCredsRsHolderService implements AnonCredsHolderService {
           : undefined,
         credentialDefinition: credentialDefinition as unknown as JsonObject,
         credentialOffer: credentialOffer as unknown as JsonObject,
-        masterSecret: { value: { ms: linkSecretRecord.value } },
-        masterSecretId: linkSecretRecord.linkSecretId,
+        linkSecret: linkSecretRecord.value,
+        linkSecretId: linkSecretRecord.linkSecretId,
       })
 
       return {
@@ -247,7 +241,11 @@ export class AnonCredsRsHolderService implements AnonCredsHolderService {
 
     const linkSecretRecord = await agentContext.dependencyManager
       .resolve(AnonCredsLinkSecretRepository)
-      .getByLinkSecretId(agentContext, credentialRequestMetadata.master_secret_name)
+      .getByLinkSecretId(agentContext, credentialRequestMetadata.link_secret_name)
+
+    if (!linkSecretRecord.value) {
+      throw new AnonCredsRsError('Link Secret value not stored')
+    }
 
     const revocationRegistryDefinition = revocationRegistry?.definition as unknown as JsonObject
 
@@ -260,7 +258,7 @@ export class AnonCredsRsHolderService implements AnonCredsHolderService {
       processedCredential = credentialObj.process({
         credentialDefinition: credentialDefinition as unknown as JsonObject,
         credentialRequestMetadata: credentialRequestMetadata as unknown as JsonObject,
-        masterSecret: { value: { ms: linkSecretRecord.value } },
+        linkSecret: linkSecretRecord.value,
         revocationRegistryDefinition,
       })
 

packages/anoncreds-rs/src/services/__tests__/helpers.ts

@@ -13,7 +13,7 @@ import {
   CredentialOffer,
   CredentialRequest,
   CredentialRevocationConfig,
-  MasterSecret,
+  LinkSecret,
   RevocationRegistryDefinition,
   RevocationRegistryDefinitionPrivate,
   RevocationStatusList,
@@ -77,10 +77,7 @@ export function createCredentialOffer(keyCorrectnessProof: Record<string, unknow
  * @returns Creates a valid link secret value for anoncreds-rs
  */
 export function createLinkSecret() {
-  const masterSecret = MasterSecret.create()
-  const ms = (masterSecret.toJson() as { value: { ms: string } }).value.ms as string
-  masterSecret.handle.clear()
-  return ms
+  return LinkSecret.create()
 }
 
 export function createCredentialForHolder(options: {
@@ -118,8 +115,8 @@ export function createCredentialForHolder(options: {
     entropy: 'some-entropy',
     credentialDefinition,
     credentialOffer,
-    masterSecret: { value: { ms: linkSecret } },
-    masterSecretId: linkSecretId,
+    linkSecret,
+    linkSecretId: linkSecretId,
   })
 
   const { revocationRegistryDefinition, revocationRegistryDefinitionPrivate, tailsPath } =

packages/anoncreds-rs/tests/anoncreds-flow.test.ts

@@ -279,8 +279,8 @@ describeRunInNodeVersion([18], 'AnonCreds format services using anoncreds-rs', (
         credentialDefinitionId: credentialDefinitionState.credentialDefinitionId,
       },
       '_anoncreds/credentialRequest': {
-        master_secret_blinding_data: expect.any(Object),
-        master_secret_name: expect.any(String),
+        link_secret_blinding_data: expect.any(Object),
+        link_secret_name: expect.any(String),
         nonce: expect.any(String),
       },
     })

packages/anoncreds-rs/tests/indy-flow.test.ts

@@ -279,8 +279,8 @@ describeRunInNodeVersion([18], 'Legacy indy format services using anoncreds-rs',
         credentialDefinitionId: credentialDefinitionState.credentialDefinitionId,
       },
       '_anoncreds/credentialRequest': {
-        master_secret_blinding_data: expect.any(Object),
-        master_secret_name: expect.any(String),
+        link_secret_blinding_data: expect.any(Object),
+        link_secret_name: expect.any(String),
         nonce: expect.any(String),
       },
     })

packages/anoncreds/package.json

@@ -32,7 +32,7 @@
   },
   "devDependencies": {
     "@aries-framework/node": "0.3.3",
-    "@hyperledger/anoncreds-nodejs": "^0.1.0-dev.11",
+    "@hyperledger/anoncreds-nodejs": "^0.1.0-dev.13",
     "indy-sdk": "^1.16.0-dev-1636",
     "rimraf": "^4.4.0",
     "rxjs": "^7.8.0",

packages/anoncreds/src/formats/__tests__/legacy-indy-format-services.test.ts

@@ -251,8 +251,8 @@ describe('Legacy indy format services', () => {
         credentialDefinitionId: legacyCredentialDefinitionId,
       },
       '_anoncreds/credentialRequest': {
-        master_secret_blinding_data: expect.any(Object),
-        master_secret_name: expect.any(String),
+        link_secret_blinding_data: expect.any(Object),
+        link_secret_name: expect.any(String),
         nonce: expect.any(String),
       },
     })

packages/anoncreds/src/models/internal.ts

@@ -31,11 +31,13 @@ export interface AnonCredsSelectedCredentials {
   selfAttestedAttributes: Record<string, string>
 }
 
+export interface AnonCredsLinkSecretBlindingData {
+  v_prime: string
+  vr_prime: string | null
+}
+
 export interface AnonCredsCredentialRequestMetadata {
-  master_secret_blinding_data: {
-    v_prime: string
-    vr_prime: string | null
-  }
-  master_secret_name: string
+  link_secret_blinding_data: AnonCredsLinkSecretBlindingData
+  link_secret_name: string
   nonce: string
 }

packages/anoncreds/src/updates/0.3.1-0.4/__tests__/credentialExchangeRecord.test.ts

@@ -45,7 +45,7 @@ describe('0.3.1-0.4.0 | AnonCreds Migration | Credential Exchange Record', () =>
         getCredentialRecord({
           metadata: {
             '_internal/indyCredential': { some: 'value' },
-            '_internal/indyRequest': { another: 'value' },
+            '_internal/indyRequest': { nonce: 'nonce', master_secret_name: 'ms', master_secret_blinding_data: 'msbd' },
           },
           credentials: [
             {
@@ -71,7 +71,7 @@ describe('0.3.1-0.4.0 | AnonCreds Migration | Credential Exchange Record', () =>
       expect(credentialRecord.toJSON()).toMatchObject({
         metadata: {
           '_anoncreds/credential': { some: 'value' },
-          '_anoncreds/credentialRequest': { another: 'value' },
+          '_anoncreds/credentialRequest': { nonce: 'nonce', link_secret_name: 'ms', link_secret_blinding_data: 'msbd' },
         },
         credentials: [
           {
@@ -92,7 +92,7 @@ describe('0.3.1-0.4.0 | AnonCreds Migration | Credential Exchange Record', () =>
       const record = getCredentialRecord({
         metadata: {
           '_internal/indyCredential': { some: 'value' },
-          '_internal/indyRequest': { another: 'value' },
+          '_internal/indyRequest': { nonce: 'nonce', master_secret_name: 'ms', master_secret_blinding_data: 'msbd' },
         },
       })
 
@@ -101,7 +101,7 @@ describe('0.3.1-0.4.0 | AnonCreds Migration | Credential Exchange Record', () =>
       expect(record.toJSON()).toMatchObject({
         metadata: {
           '_anoncreds/credential': { some: 'value' },
-          '_anoncreds/credentialRequest': { another: 'value' },
+          '_anoncreds/credentialRequest': { nonce: 'nonce', link_secret_name: 'ms', link_secret_blinding_data: 'msbd' },
         },
       })
     })

packages/anoncreds/src/updates/0.3.1-0.4/credentialExchangeRecord.ts

@@ -131,8 +131,11 @@ export function migrateIndyCredentialMetadataToAnonCredsMetadata<Agent extends B
 
   const indyCredentialRequestMetadata = credentialRecord.metadata.get(indyCredentialRequestMetadataKey)
   if (indyCredentialRequestMetadata) {
-    // TODO: we if we choose to rename master secret to link secret in anoncreds-rs we should also rename it in the request
-    credentialRecord.metadata.set(ANONCREDS_CREDENTIAL_REQUEST_METADATA, indyCredentialRequestMetadata)
+    credentialRecord.metadata.set(ANONCREDS_CREDENTIAL_REQUEST_METADATA, {
+      link_secret_blinding_data: indyCredentialRequestMetadata.master_secret_blinding_data,
+      link_secret_name: indyCredentialRequestMetadata.master_secret_name,
+      nonce: indyCredentialRequestMetadata.nonce,
+    })
     credentialRecord.metadata.delete(indyCredentialRequestMetadataKey)
   }
 

packages/anoncreds/src/updates/__tests__/__snapshots__/0.3.test.ts.snap

@@ -58,11 +58,11 @@ exports[`UpdateAssistant | AnonCreds | v0.3.1 - v0.4 should correctly update the
           "schemaId": "A4CYPASJYRZRt98YWrac3H:2:Test Schema:5.0",
         },
         "_anoncreds/credentialRequest": {
-          "master_secret_blinding_data": {
+          "link_secret_blinding_data": {
             "v_prime": "6088566065720309491695644944398283228337587174153857313170975821102428665682789111613194763354086540665993822078019981371868225077833338619179176775427438467982451441607103798898879602785159234518625137830139620180247716943526165654371269235270542103763086097868993123576876140373079243750364373248313759006451117374448224809216784667062369066076812328680472952148248732117690061334364498707450807760707599232005951883007442927332478453073050250159545354197772368724822531644722135760544102661829321297308144745035201971564171469931191452967102169235498946760810509797149446495254099095221645804379785022515460071863075055785600423275733199",
             "vr_prime": null,
           },
-          "master_secret_name": "walletId28c602347-3f6e-429f-93cd-d5aa7856ef3f",
+          "link_secret_name": "walletId28c602347-3f6e-429f-93cd-d5aa7856ef3f",
           "nonce": "131502096406868204437821",
         },
       },

packages/indy-sdk/src/anoncreds/services/IndySdkHolderService.ts

@@ -10,7 +10,6 @@ import type {
   GetCredentialsForProofRequestOptions,
   GetCredentialsForProofRequestReturn,
   AnonCredsSelectedCredentials,
-  AnonCredsCredentialRequestMetadata,
   CreateLinkSecretOptions,
   CreateLinkSecretReturn,
   GetCredentialsOptions,
@@ -22,7 +21,6 @@ import type {
   RevStates,
   Schemas,
   IndyCredential as IndySdkCredential,
-  CredReqMetadata,
   IndyProofRequest,
 } from 'indy-sdk'
 
@@ -34,7 +32,9 @@ import { IndySdk, IndySdkSymbol } from '../../types'
 import { assertIndySdkWallet } from '../../utils/assertIndySdkWallet'
 import { parseCredentialDefinitionId } from '../utils/identifiers'
 import {
+  anonCredsCredentialRequestMetadataFromIndySdk,
   indySdkCredentialDefinitionFromAnonCreds,
+  indySdkCredentialRequestMetadataFromAnonCreds,
   indySdkRevocationRegistryDefinitionFromAnonCreds,
   indySdkSchemaFromAnonCreds,
 } from '../utils/transform'
@@ -165,8 +165,7 @@ export class IndySdkHolderService implements AnonCredsHolderService {
       return await this.indySdk.proverStoreCredential(
         agentContext.wallet.handle,
         options.credentialId ?? null,
-        // The type is typed as a Record<string, unknown> in the indy-sdk, but the anoncreds package contains the correct type
-        options.credentialRequestMetadata as unknown as CredReqMetadata,
+        indySdkCredentialRequestMetadataFromAnonCreds(options.credentialRequestMetadata),
         options.credential,
         indySdkCredentialDefinitionFromAnonCreds(options.credentialDefinitionId, options.credentialDefinition),
         indyRevocationRegistryDefinition
@@ -277,7 +276,7 @@ export class IndySdkHolderService implements AnonCredsHolderService {
       return {
         credentialRequest: result[0],
         // The type is typed as a Record<string, unknown> in the indy-sdk, but the anoncreds package contains the correct type
-        credentialRequestMetadata: result[1] as unknown as AnonCredsCredentialRequestMetadata,
+        credentialRequestMetadata: anonCredsCredentialRequestMetadataFromIndySdk(result[1]),
       }
     } catch (error) {
       agentContext.config.logger.error(`Error creating Indy Credential Request`, {

packages/indy-sdk/src/anoncreds/utils/transform.ts

@@ -3,8 +3,10 @@ import type {
   AnonCredsRevocationStatusList,
   AnonCredsRevocationRegistryDefinition,
   AnonCredsSchema,
+  AnonCredsCredentialRequestMetadata,
+  AnonCredsLinkSecretBlindingData,
 } from '@aries-framework/anoncreds'
-import type { CredDef, RevocReg, RevocRegDef, RevocRegDelta, Schema } from 'indy-sdk'
+import type { CredDef, CredReqMetadata, RevocReg, RevocRegDef, RevocRegDelta, Schema } from 'indy-sdk'
 
 import { parseCredentialDefinitionId, parseSchemaId } from './identifiers'
 
@@ -136,3 +138,23 @@ export function indySdkRevocationDeltaFromAnonCreds(
     ver: '1.0',
   }
 }
+
+export function anonCredsCredentialRequestMetadataFromIndySdk(
+  credentialRequestMetadata: CredReqMetadata
+): AnonCredsCredentialRequestMetadata {
+  return {
+    link_secret_blinding_data: credentialRequestMetadata.master_secret_blinding_data as AnonCredsLinkSecretBlindingData,
+    link_secret_name: credentialRequestMetadata.master_secret_name as string,
+    nonce: credentialRequestMetadata.nonce as string,
+  }
+}
+
+export function indySdkCredentialRequestMetadataFromAnonCreds(
+  credentialRequestMetadata: AnonCredsCredentialRequestMetadata
+): CredReqMetadata {
+  return {
+    master_secret_blinding_data: credentialRequestMetadata.link_secret_blinding_data,
+    master_secret_name: credentialRequestMetadata.link_secret_name,
+    nonce: credentialRequestMetadata.nonce,
+  }
+}

yarn.lock

@@ -881,23 +881,23 @@
   resolved "https://registry.yarnpkg.com/@hutson/parse-repository-url/-/parse-repository-url-3.0.2.tgz#98c23c950a3d9b6c8f0daed06da6c3af06981340"
   integrity sha512-H9XAx3hc0BQHY6l+IFSWHDySypcXsvsuLhgYLUGywmJ5pswRVQJUHpOsobnLYp2ZUaUlKiKDrgWWhosOwAEM8Q==
 
-"@hyperledger/anoncreds-nodejs@^0.1.0-dev.11":
-  version "0.1.0-dev.11"
-  resolved "https://registry.yarnpkg.com/@hyperledger/anoncreds-nodejs/-/anoncreds-nodejs-0.1.0-dev.11.tgz#301b9bc5a4bb0235212ac48da2bf41118b407cdd"
-  integrity sha512-4BSHOGOdXjF4pyJuEjwk0iaSHeqt5UdXRXNv+u9VJ7yYhqM/aJZNhtUAgHXu8KGZwimFcFsp2e0FoLqwO0vLHQ==
+"@hyperledger/anoncreds-nodejs@^0.1.0-dev.13":
+  version "0.1.0-dev.13"
+  resolved "https://registry.yarnpkg.com/@hyperledger/anoncreds-nodejs/-/anoncreds-nodejs-0.1.0-dev.13.tgz#65b60be1c5ff077457ccd2f8298e71f198a8984f"
+  integrity sha512-W6Hoxp4lzcdv6yIQruK0CJDH52n79yQ8XCekFNmkUsXxpycB8Ts2M1o3KKRPa68AYM3CzmcN2Nw8pE7XqqEMyQ==
   dependencies:
-    "@hyperledger/anoncreds-shared" "0.1.0-dev.11"
+    "@hyperledger/anoncreds-shared" "0.1.0-dev.13"
     "@mapbox/node-pre-gyp" "^1.0.10"
     ffi-napi "4.0.3"
     node-cache "5.1.2"
     ref-array-di "1.2.2"
     ref-napi "3.0.3"
     ref-struct-di "1.1.1"
 
-"@hyperledger/anoncreds-shared@0.1.0-dev.11", "@hyperledger/anoncreds-shared@^0.1.0-dev.11":
-  version "0.1.0-dev.11"
-  resolved "https://registry.yarnpkg.com/@hyperledger/anoncreds-shared/-/anoncreds-shared-0.1.0-dev.11.tgz#206328cabcd855ef20c863ab5c2615a3a4c2502c"
-  integrity sha512-nK05y/qNtI3P+hnkVZW/d5oduMa7slZfEh2gQ+ZmAEmwHEcSU8iJ+QTkKS3nRE+6igXUvVAztlGS7JZHf21KKw==
+"@hyperledger/anoncreds-shared@0.1.0-dev.13", "@hyperledger/anoncreds-shared@^0.1.0-dev.13":
+  version "0.1.0-dev.13"
+  resolved "https://registry.yarnpkg.com/@hyperledger/anoncreds-shared/-/anoncreds-shared-0.1.0-dev.13.tgz#e78768366e6d7dd6e65839b769b857fbd828bce7"
+  integrity sha512-UtR2zCrugTa/Mu6LqAiEX1NJw1bdaf65wqcdS/k9efcq0iY1slQb+qg/KWEf+pZZFVa6NmkjAwmdyrzVbu9WTQ==
 
 "@hyperledger/aries-askar-nodejs@^0.1.0-dev.6":
   version "0.1.0-dev.6"