[pull] main from hyperledger:main

.github/workflows/bdd-integration-tests.yml

@@ -20,7 +20,8 @@ defaults:
 jobs:
   test:
     runs-on: ubuntu-latest
-    if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.repository == 'hyperledger/aries-cloudagent-python') || (github.event_name != 'pull_request')
+    # Run on hyperledger and non-draft PRs or on non-PR events
+    if: (github.repository == 'hyperledger/aries-cloudagent-python') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
     outputs:
       is_release: ${{ steps.check_if_release.outputs.is_release }}
     steps:

.github/workflows/bdd-interop-tests.yml

@@ -20,7 +20,8 @@ defaults:
 jobs:
   test:
     runs-on: ubuntu-latest
-    if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.repository == 'hyperledger/aries-cloudagent-python') || (github.event_name != 'pull_request')
+    # Run on hyperledger and non-draft PRs or on non-PR events
+    if: (github.repository == 'hyperledger/aries-cloudagent-python') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
     outputs:
       is_release: ${{ steps.check_if_release.outputs.is_release }}
     steps:

.github/workflows/scenario-integration-tests.yml

@@ -20,7 +20,8 @@ defaults:
 jobs:
   test:
     runs-on: ubuntu-latest
-    if: (github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.repository == 'hyperledger/aries-cloudagent-python') || (github.event_name != 'pull_request')
+    # Run on hyperledger and non-draft PRs or on non-PR events
+    if: (github.repository == 'hyperledger/aries-cloudagent-python') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request'))
     steps:
       - name: checkout-acapy
         uses: actions/checkout@v4

CHANGELOG.md

@@ -1,8 +1,8 @@
 # Aries Cloud Agent Python Changelog
 
-## 1.0.1rc0
+## 1.0.1rc1
 
-### September 25, 2024
+### October 1, 2024
 
 Release 1.0.1 _might_ be the last release of ACA-Py from the Hyperledger
 organization before the repository moves to the [OpenWallet Foundation] (OWF). As
@@ -17,9 +17,12 @@ For details on what this means for ACA-Py users, including steps for updating de
 [GitHub Issue #3250]: https://github.com/hyperledger/aries-cloudagent-python/issues/3250
 
 The release contains mostly internal clean ups, technical debt elimination, and
-a revision to the integration testing approach, incorporating the [Aries Agent Test Harness] tests in the ACA-Py continuous integration testing process.
+a revision to the integration testing approach, incorporating the [Aries Agent Test Harness] tests in the ACA-Py continuous integration testing process. There are substantial enhancements in the
+management of keys and their use with [VC-DI] proofs, and web-based DID methods like
+`did:web`. See the `Wallet and Key Handling` updates in the categorized PR list below.
 
 [Aries Agent Test Harness]: https://github.com/hyperledger/aries-agent-test-harness
+[VC-DI]: https://www.w3.org/TR/vc-data-integrity/
 
 There are several important **[deprecation notices](#deprecation-notices)**
 in this release in preparation for the next ACA-Py release. Please review these notifications carefully!
@@ -55,13 +58,15 @@ list of those PRs.
 [RFC 0453 Issue Credential v2.0]: https://hyperledger.github.io/aries-rfcs/latest/aip2/0453-issue-credential-v2/
 [RFC 0454 Present Proof v2.0]: https://hyperledger.github.io/aries-rfcs/latest/aip2/0454-present-proof-v2/
 
-### 1.0.1rc0 Breaking Changes
+### 1.0.1rc1 Breaking Changes
 
 There are no breaking changes in ACA-Py Release 1.0.1.
 
-#### 1.0.1rc0 Categorized List of Pull Requests
+#### 1.0.1rc1 Categorized List of Pull Requests
 
 - Wallet and Key Handling Updates
+  - Data integrity routes [\#3261](https://github.com/hyperledger/aries-cloudagent-python/pull/3261) [PatStLouis](https://github.com/PatStLouis)
+  - [BUG] Handle get key operation when no tag has been set [\#3256](https://github.com/hyperledger/aries-cloudagent-python/pull/3256) [PatStLouis](https://github.com/PatStLouis)
   - Feature multikey management [\#3246](https://github.com/hyperledger/aries-cloudagent-python/pull/3246) [PatStLouis](https://github.com/PatStLouis)
   - chore: delete unused keypair storage manager [\#3245](https://github.com/hyperledger/aries-cloudagent-python/pull/3245) [dbluhm](https://github.com/dbluhm)
 
@@ -85,6 +90,8 @@ There are no breaking changes in ACA-Py Release 1.0.1.
   - Change integration testing [\#3194](https://github.com/hyperledger/aries-cloudagent-python/pull/3194) [jamshale](https://github.com/jamshale)
 
 - Dependencies and Internal Fixes/Updates:
+  - Adjust sonarcloud and integration test workflows [\#3259](https://github.com/hyperledger/aries-cloudagent-python/pull/3259) [jamshale](https://github.com/jamshale)
+  - fix: enable refreshing did endpoint using mediator info [\#3260](https://github.com/hyperledger/aries-cloudagent-python/pull/3260) [dbluhm](https://github.com/dbluhm)
   - Removing padding from url invitations [\#3238](https://github.com/hyperledger/aries-cloudagent-python/pull/3238) [jamshale](https://github.com/jamshale)
   - Ensure that DAP_PORT is always an int [\#3241](https://github.com/hyperledger/aries-cloudagent-python/pull/3241) [Gavinok](https://github.com/Gavinok)
   - Fix logic to send verbose webhooks [\#3193](https://github.com/hyperledger/aries-cloudagent-python/pull/3193) [ianco](https://github.com/ianco)
@@ -94,10 +101,11 @@ There are no breaking changes in ACA-Py Release 1.0.1.
   - [ POST v1.0.0 ] Adjust message queue error handling [\#3170](https://github.com/hyperledger/aries-cloudagent-python/pull/3170) [jamshale](https://github.com/jamshale)
 
 - Release management pull requests:
+  - 1.0.1rc1 [\#3268](https://github.com/hyperledger/aries-cloudagent-python/pull/3268) [swcurran](https://github.com/swcurran)
   - 1.0.1rc0 [\#3254](https://github.com/hyperledger/aries-cloudagent-python/pull/3254) [swcurran](https://github.com/swcurran)
 
 - Dependabot PRs
-  - [Link to list of Dependabot PRs in this release](https://github.com/hyperledger/aries-cloudagent-python/pulls?q=is%3Apr+is%3Amerged+merged%3A2024-08-15..2024-09-25+author%3Aapp%2Fdependabot+)
+  - [Link to list of Dependabot PRs in this release](https://github.com/hyperledger/aries-cloudagent-python/pulls?q=is%3Apr+is%3Amerged+merged%3A2024-08-15..2024-10-01+author%3Aapp%2Fdependabot+)
 
 ## 1.0.0
 

Managing-ACA-Py-Doc-Site.md

@@ -20,7 +20,7 @@ and mkdocs configuration.
 
 When the GitHub Action fires, it runs a container that carries out the following steps:
 
-- Checks out the triggering branch, either `main` or `docs-v<version>` (e.g `docs-v1.0.1rc0`).
+- Checks out the triggering branch, either `main` or `docs-v<version>` (e.g `docs-v1.0.1rc1`).
 - Runs the script [scripts/prepmkdocs.sh], which moves and updates some of the
   markdown files so that they fit into the generated site. See the comments in
   the scripts for details about the copying and editing done via the script. In
@@ -97,7 +97,7 @@ To delete the documentation version, do the following:
 - Check your `git status` and make sure there are no changes in the branch --
   e.g., new files that shouldn't be added to the `gh-pages` branch. If there are
   any -- delete the files so they are not added.
-- Remove the folder for the RC.  For example `rm -rf 1.0.1rc0`
+- Remove the folder for the RC.  For example `rm -rf 1.0.1rc1`
 - Edit the `versions.json` file and remove the reference to the RC release in
   the file.
 - Push the changes via a PR to the ACA-Py `gh-pages` branch (don't PR them into

PUBLISHING.md

@@ -6,7 +6,7 @@ a major, minor or patch release, per [semver](https://semver.org/) rules.
 
 Once ready to do a release, create a local branch that includes the following updates:
 
-1. Create a local PR branch from an updated `main` branch, e.g. "1.0.1rc0".
+1. Create a local PR branch from an updated `main` branch, e.g. "1.0.1rc1".
 
 2. See if there are any Document Site `mkdocs` changes needed. Run the script
    `./scripts/prepmkdocs.sh; mkdocs`. Watch the log, noting particularly if
@@ -68,7 +68,7 @@ Once you have the list of PRs:
 - Organize the list into suitable categories in the [CHANGELOG.md](CHANGELOG.md) file, update (if necessary) the PR title and add notes to clarify the changes. See previous release entries to understand the style -- a format that should help developers.
 - Add a narrative about the release above the PR that highlights what has gone into the release.
 - To cover the `dependabot` PRs without listing them all, add to the end of the
-  categorized list of PRs the lat two lines of the script output. Make sure the dates are right! The text will look like this:
+  categorized list of PRs the last two lines of the script output. Make sure the dates are right! The text will look like this:
 
 ```text
 - Dependabot PRs
@@ -133,13 +133,13 @@ Include a PR for this soon-to-be PR. You can guess at the number of the PR by us
    found in the document [Container Images and Github Actions](docs/deploying/ContainerImagesAndGithubActions.md).
 
    In addition, the published documentation site [https://aca-py.org] should be automatically updated to include the new release via the [publish-docs] GitHub Action.
-   Additional information about that process and some related maintainance activities that are needed from time to time can be found in the [Updating the ACA-Py Documentation Site] document.
+   Additional information about that process and some related maintenance activities that are needed from time to time can be found in the [Updating the ACA-Py Documentation Site] document.
 
 [publish.yml]: https://github.com/hyperledger/aries-cloudagent-python/blob/main/.github/workflows/publish.yml
 [publish-indy.yml]: https://github.com/hyperledger/aries-cloudagent-python/blob/main/.github/workflows/publish-indy.yml
 
 12.  When a new release is tagged, create a new branch at the same commit with
-    the branch name in the format `docs-v<version>`, for example, `docs-v1.0.1rc0`.
+    the branch name in the format `docs-v<version>`, for example, `docs-v1.0.1rc1`.
     The creation of the branch triggers the execution of the [publish-docs]
     GitHub Action which generates the documentation for the new release,
     publishing it at [https://aca-py.org]. The GitHub Action also executes when

aries_cloudagent/config/default_context.py

@@ -139,6 +139,7 @@ async def load_plugins(self, context: InjectionContext):
         plugin_registry.register_plugin("aries_cloudagent.resolver")
         plugin_registry.register_plugin("aries_cloudagent.settings")
         plugin_registry.register_plugin("aries_cloudagent.vc")
+        plugin_registry.register_plugin("aries_cloudagent.vc.data_integrity")
         plugin_registry.register_plugin("aries_cloudagent.wallet")
         plugin_registry.register_plugin("aries_cloudagent.wallet.keys")
 

aries_cloudagent/vc/data_integrity/cryptosuites/__init__.py

@@ -0,0 +1,9 @@
+from .eddsa_jcs_2022 import EddsaJcs2022
+
+CRYPTOSUITES = {
+    "eddsa-jcs-2022": EddsaJcs2022,
+}
+
+__all__ = [
+    "EddsaJcs2022",
+]

aries_cloudagent/vc/data_integrity/cryptosuites/eddsa_jcs_2022.py

@@ -0,0 +1,204 @@
+"""EddsaJcs2022 cryptosuite."""
+
+from hashlib import sha256
+import canonicaljson
+
+from ....wallet.base import BaseWallet
+from ....wallet.keys.manager import (
+    MultikeyManager,
+    multikey_to_verkey,
+    key_type_from_multikey,
+)
+from ....utils.multiformats import multibase
+from ....core.profile import ProfileSession
+from ....core.error import BaseError
+from ..models.options import DataIntegrityProofOptions
+from ..models.proof import DataIntegrityProof
+from ..models.verification_response import ProblemDetails, DataIntegrityVerificationResult
+from ..errors import PROBLEM_DETAILS
+from datetime import datetime
+
+
+class CryptosuiteError(BaseError):
+    """Generic Cryptosuite Error."""
+
+
+class EddsaJcs2022:
+    """EddsaJcs2022 cryptosuite.
+
+    https://www.w3.org/TR/vc-di-eddsa/#eddsa-jcs-2022.
+    """
+
+    def __init__(self, *, session: ProfileSession):
+        """Create new EddsaJcs2022 Cryptosuite instance.
+
+        Args:
+            session: ProfileSession to use during crypto operations.
+
+        """
+        super().__init__()
+        self.session = session
+        self.wallet = session.inject(BaseWallet)
+        self.key_manager = MultikeyManager(session)
+
+    async def create_proof(
+        self, unsecured_data_document: dict, options: DataIntegrityProofOptions
+    ):
+        """Create proof algorithm.
+
+        https://www.w3.org/TR/vc-di-eddsa/#create-proof-eddsa-jcs-2022.
+        """
+        proof = DataIntegrityProof.deserialize(options.serialize().copy())
+
+        # Spec says to copy document context to the proof but it's unecessary IMO,
+        # commenting out for the time being...
+
+        # if '@context' in unsecured_data_document:
+        #     proof['@context'] = unsecured_data_document['@context']
+
+        proof_config = self.proof_configuration(proof)
+        transformed_data = self.transformation(unsecured_data_document, options)
+        hash_data = self.hashing(transformed_data, proof_config)
+        proof_bytes = await self.proof_serialization(hash_data, options)
+
+        proof.proof_value = multibase.encode(proof_bytes, "base58btc")
+
+        return proof
+
+    def proof_configuration(self, options: DataIntegrityProofOptions):
+        """Proof configuration algorithm.
+
+        https://www.w3.org/TR/vc-di-eddsa/#proof-configuration-eddsa-jcs-2022.
+        """
+        proof_config = options
+        assert (
+            proof_config.type == "DataIntegrityProof"
+        ), 'Expected proof.type to be "DataIntegrityProof'
+        assert (
+            proof_config.cryptosuite == "eddsa-jcs-2022"
+        ), 'Expected proof.cryptosuite to be "eddsa-jcs-2022'
+
+        if proof_config.created:
+            assert datetime.fromisoformat(proof_config.created)
+
+        if proof_config.expires:
+            assert datetime.fromisoformat(proof_config.expires)
+
+        return self._canonicalize(proof_config.serialize())
+
+    def transformation(
+        self, unsecured_document: dict, options: DataIntegrityProofOptions
+    ):
+        """Transformation algorithm.
+
+        https://www.w3.org/TR/vc-di-eddsa/#transformation-eddsa-jcs-2022.
+        """
+        assert (
+            options.type == "DataIntegrityProof"
+        ), "Expected proof.type to be `DataIntegrityProof`"
+        assert (
+            options.cryptosuite == "eddsa-jcs-2022"
+        ), "Expected proof.cryptosuite to be `eddsa-jcs-2022`"
+
+        return self._canonicalize(unsecured_document)
+
+    def hashing(self, transformed_document: bytes, canonical_proof_config: bytes):
+        """Hashing algorithm.
+
+        https://www.w3.org/TR/vc-di-eddsa/#hashing-eddsa-jcs-2022.
+        """
+        return (
+            sha256(canonical_proof_config).digest()
+            + sha256(transformed_document).digest()
+        )
+
+    async def proof_serialization(
+        self, hash_data: bytes, options: DataIntegrityProofOptions
+    ):
+        """Proof Serialization Algorithm.
+
+        https://www.w3.org/TR/vc-di-eddsa/#proof-serialization-eddsa-jcs-2022.
+        """
+        # TODO encapsulate in a key manager method
+        if options.verification_method.startswith("did:key:"):
+            multikey = options.verification_method.split("#")[-1]
+            key_info = await self.key_manager.from_multikey(multikey)
+
+        else:
+            key_info = await self.key_manager.from_kid(options.verification_method)
+
+        return await self.wallet.sign_message(
+            message=hash_data,
+            from_verkey=multikey_to_verkey(key_info["multikey"]),
+        )
+
+    def _canonicalize(self, data: dict):
+        """Json canonicalization."""
+        return canonicaljson.encode_canonical_json(data)
+
+    async def verify_proof(self, secured_document: dict):
+        """Verify proof algorithm.
+
+        https://www.w3.org/TR/vc-di-eddsa/#verify-proof-eddsa-jcs-2022.
+        """
+        unsecured_document = secured_document.copy()
+        proof = unsecured_document.pop("proof")
+        proof_options = proof.copy()
+        proof_bytes = multibase.decode(proof_options.pop("proofValue"))
+
+        try:
+            # Currently leaving context processing out of scope,
+            # leaving code commented as it's technically an algorithm step.
+            # Due to the cryptosuite being based on JSON canonicalization,
+            # the integrity of the document is protected without RDF processing.
+
+            # https://www.w3.org/TR/vc-data-integrity/#validating-contexts
+
+            # assert secured_document['@context'] == proof_options['@context']
+            # unsecured_document['@context'] = proof_options['@context']
+
+            proof_options = DataIntegrityProofOptions.deserialize(proof_options)
+            transformed_data = self.transformation(unsecured_document, proof_options)
+            proof_config = self.proof_configuration(proof_options)
+            hash_data = self.hashing(transformed_data, proof_config)
+            verified = await self.proof_verification(
+                hash_data, proof_bytes, proof_options
+            )
+            if not verified:
+                raise CryptosuiteError("Invalid signature.")
+
+        except CryptosuiteError as err:
+            problem_detail = ProblemDetails.deserialize(
+                PROBLEM_DETAILS["PROOF_VERIFICATION_ERROR"]
+            )
+            problem_detail.detail = str(err)
+            return DataIntegrityVerificationResult(
+                verified=False,
+                proof=DataIntegrityProof.deserialize(proof),
+                problem_details=[problem_detail],
+            )
+
+        return DataIntegrityVerificationResult(
+            verified=True,
+            proof=DataIntegrityProof.deserialize(proof),
+            problem_details=[],
+        )
+
+    async def proof_verification(
+        self, hash_data: bytes, proof_bytes: bytes, options: DataIntegrityProofOptions
+    ):
+        """Proof verification algorithm.
+
+        https://www.w3.org/TR/vc-di-eddsa/#proof-verification-eddsa-jcs-2022.
+        """
+        multikey = await MultikeyManager(
+            self.session
+        ).resolve_multikey_from_verification_method(options.verification_method)
+        verkey = multikey_to_verkey(multikey)
+        key_type = key_type_from_multikey(multikey)
+        return await self.wallet.verify_message(
+            message=hash_data,
+            signature=proof_bytes,
+            from_verkey=verkey,
+            key_type=key_type,
+        )

aries_cloudagent/vc/data_integrity/errors.py

@@ -0,0 +1,18 @@
+"""Problem Details objects for error handling."""
+
+# https://www.w3.org/TR/vc-data-integrity/#processing-errors
+PROBLEM_DETAILS = {
+    "PROOF_GENERATION_ERROR": {
+        "type": "https://w3id.org/security#PROOF_GENERATION_ERROR"
+    },
+    "PROOF_VERIFICATION_ERROR": {
+        "type": "https://w3id.org/security#PROOF_VERIFICATION_ERROR"
+    },
+    "PROOF_TRANSFORMATION_ERROR": {
+        "type": "https://w3id.org/security#PROOF_TRANSFORMATION_ERROR"
+    },
+    "INVALID_DOMAIN_ERROR": {"type": "https://w3id.org/security#INVALID_DOMAIN_ERROR"},
+    "INVALID_CHALLENGE_ERROR": {
+        "type": "https://w3id.org/security#INVALID_CHALLENGE_ERROR"
+    },
+}