openwallet-foundation / acapy

ACA-Py is a foundation for building decentralized identity applications and services running in non-mobile environments.

Revocation: Pending publication bugs #3098

Closed cl0ete closed 4 months ago

cl0ete commented 4 months ago

Discovered two bugs with revoked credentials that are pending publication.

Detailed example of scenario one

Note: some of the accum values were removed for readability.

GET  /revocation/registry/WynvEvBNreTHveBQrdUcrW:4:WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic:CL_ACCUM:97aabd41-dedb-401f-ba18-8fe42c7072f9
{
"result": {
"state": "active",
"created_at": "2024-07-11T06:55:48.645864Z",
"updated_at": "2024-07-11T06:56:34.338668Z",
"record_id": "97aabd41-dedb-401f-ba18-8fe42c7072f9",
"cred_def_id": "WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic",
"issuer_did": "WynvEvBNreTHveBQrdUcrW",
"max_cred_num": 32767,
"revoc_def_type": "CL_ACCUM",
"revoc_reg_id": "WynvEvBNreTHveBQrdUcrW:4:WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic:CL_ACCUM:97aabd41-dedb-401f-ba18-8fe42c7072f9",
"revoc_reg_def": {
"ver": "1.0",
"id": "WynvEvBNreTHveBQrdUcrW:4:WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic:CL_ACCUM:97aabd41-dedb-401f-ba18-8fe42c7072f9",
"revocDefType": "CL_ACCUM",
"tag": "97aabd41-dedb-401f-ba18-8fe42c7072f9",
"credDefId": "WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic",
"value": {
"issuanceType": "ISSUANCE_BY_DEFAULT",
"maxCredNum": 32767,
"publicKeys": {
"accumKey": {
"z": "..."
}
},
"tailsHash": "FwAxBafefr6zfczejptPo3FbL3JUooE245NnjB8DTXAT",
"tailsLocation": "http://tails-server:6543/WynvEvBNreTHveBQrdUcrW:4:WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic:CL_ACCUM:97aabd41-dedb-401f-ba18-8fe42c7072f9"
}
},
"revoc_reg_entry": {
"ver": "1.0",
"value": {
"accum": "..."
}
},
"tag": "97aabd41-dedb-401f-ba18-8fe42c7072f9",
"tails_hash": "FwAxBafefr6zfczejptPo3FbL3JUooE245NnjB8DTXAT",
"tails_public_uri": "http://tails-server:6543/WynvEvBNreTHveBQrdUcrW:4:WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic:CL_ACCUM:97aabd41-dedb-401f-ba18-8fe42c7072f9",
"tails_local_path": "/home/aries/.indy_client/tails/WynvEvBNreTHveBQrdUcrW:4:WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic:CL_ACCUM:97aabd41-dedb-401f-ba18-8fe42c7072f9/FwAxBafefr6zfczejptPo3FbL3JUooE245NnjB8DTXAT",
"pending_pub": [
"1",
"2",
"3",
"4",
"5"
]
}
}

The issuer now revokes another credential and sets publish to true:

POST /revocation/revoke
{
  "cred_ex_id": "b2bae9ba-8bfe-4d92-aa65-655c7883b326",
  "publish": true
}

Response:

{
  "txn": {
    "state": "request_sent",
    "created_at": "2024-07-11T07:15:35.092481Z",
    "updated_at": "2024-07-11T07:15:35.096133Z",
    "trace": false,
    "transaction_id": "36a832f6-8ae0-42b5-a2cb-ba02a72a619c",
    "_type": "https://didcomm.org/sign-attachment/1.0/signature-request",
    "signature_request": [
      {
        "context": "did:sov",
        "method": "add-signature",
        "signature_type": "default",
        "signer_goal_code": "aries.transaction.endorse",
        "author_goal_code": "aries.transaction.ledger.write"
      }
    ],
    "signature_response": [],
    "timing": {
      "expires_time": null
    },
    "formats": [
      {
        "attach_id": "4c84a805-e70b-4669-b2ba-cb21b4d1b07d",
        "format": "dif/endorse-transaction/request@v1.0"
      }
    ],
    "messages_attach": [
      {
        "@id": "4c84a805-e70b-4669-b2ba-cb21b4d1b07d",
        "mime-type": "application/json",
        "data": {
          "json": {
            "endorser": "9ZUAGULVSppBV92CpBiQgc",
            "identifier": "WynvEvBNreTHveBQrdUcrW",
            "operation": {
              "revocDefType": "CL_ACCUM",
              "revocRegDefId": "WynvEvBNreTHveBQrdUcrW:4:WynvEvBNreTHveBQrdUcrW:3:CL:8:Epic:CL_ACCUM:97aabd41-dedb-401f-ba18-8fe42c7072f9",
              "type": "114",
              "value": {
                "accum": "...",
                "prevAccum": "...",
                "revoked": [
                  2,
                  3,
                  1,
                  4,
                  6,
                  5
                ]
              }
            },
            "protocolVersion": 2,
            "reqId": 1720682135088181000,
            "signature": "5YavsnRiCM7F3kdT6qC5GYu8riZQZGrfeRbu9AfZ6T7y1LAn1Ww8vAV6mCa9NxZFxPXd5FKXQPwxZPricfCvgz4A",
            "taaAcceptance": {
              "mechanism": "service_agreement",
              "taaDigest": "0be4d87dec17a7901cb8ba8bb4239ee34d4f6e08906f3dad81d1d052dccc078f",
              "time": 1720656000
            }
          }
        }
      }
    ],
    "meta_data": {
      "context": {},
      "processing": {}
    },
    "connection_id": "6c2ea3dd-c2e8-41ec-b789-d4970c618d4c",
    "endorser_write_txn": false
  }
}

All pending credential revocations are published. I would expect only one to be published (cred_rev_id 6 in this case). Instead there is one revoc_reg_entry on the ledger containing all credential revocation ids 1-6.

Detailed example of scenario two

Note: some of the accum values were removed for readability.

Two revocation registries with pending publications:

GET  /revocation/registry/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656
{
  "result": {
    "state": "active",
    "created_at": "2024-07-11T07:37:09.176319Z",
    "updated_at": "2024-07-11T07:53:09.029758Z",
    "record_id": "578b4e1b-5d66-40e1-a186-c2070a6f4656",
    "cred_def_id": "KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo",
    "issuer_did": "KoZueTeK3jcjZHFZXFPtow",
    "max_cred_num": 32767,
    "revoc_def_type": "CL_ACCUM",
    "revoc_reg_id": "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656",
    "revoc_reg_def": {
      "ver": "1.0",
      "id": "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656",
      "revocDefType": "CL_ACCUM",
      "tag": "578b4e1b-5d66-40e1-a186-c2070a6f4656",
      "credDefId": "KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo",
      "value": {
        "issuanceType": "ISSUANCE_BY_DEFAULT",
        "maxCredNum": 32767,
        "publicKeys": {
          "accumKey": {
            "z": "..."
          }
        },
        "tailsHash": "4w8dTaLum5xUBn3A932i4h7c2SJVu1KW3WVAjpPyYte8",
        "tailsLocation": "http://tails-server:6543/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656"
      }
    },
    "revoc_reg_entry": {
      "ver": "1.0",
      "value": {
        "accum": "..."
      }
    },
    "tag": "578b4e1b-5d66-40e1-a186-c2070a6f4656",
    "tails_hash": "4w8dTaLum5xUBn3A932i4h7c2SJVu1KW3WVAjpPyYte8",
    "tails_public_uri": "http://tails-server:6543/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656",
    "tails_local_path": "/home/aries/.indy_client/tails/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656/4w8dTaLum5xUBn3A932i4h7c2SJVu1KW3WVAjpPyYte8",
    "pending_pub": [
      "1"
    ]
  }
}
GET  /revocation/registry/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810
{
  "result": {
    "state": "active",
    "created_at": "2024-07-11T07:30:45.748532Z",
    "updated_at": "2024-07-11T07:31:23.838921Z",
    "record_id": "c559d295-e0ab-48c0-9913-f63cabff0810",
    "cred_def_id": "KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic",
    "issuer_did": "KoZueTeK3jcjZHFZXFPtow",
    "max_cred_num": 32767,
    "revoc_def_type": "CL_ACCUM",
    "revoc_reg_id": "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810",
    "revoc_reg_def": {
      "ver": "1.0",
      "id": "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810",
      "revocDefType": "CL_ACCUM",
      "tag": "c559d295-e0ab-48c0-9913-f63cabff0810",
      "credDefId": "KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic",
      "value": {
        "issuanceType": "ISSUANCE_BY_DEFAULT",
        "maxCredNum": 32767,
        "publicKeys": {
          "accumKey": {
            "z": "..."
          }
        },
        "tailsHash": "5h9UxaAgCFosctR5dpmga98RaYiVs6eiwZipE4gZCwPb",
        "tailsLocation": "http://tails-server:6543/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810"
      }
    },
    "revoc_reg_entry": {
      "ver": "1.0",
      "value": {
        "accum": "..."
      }
    },
    "tag": "c559d295-e0ab-48c0-9913-f63cabff0810",
    "tails_hash": "5h9UxaAgCFosctR5dpmga98RaYiVs6eiwZipE4gZCwPb",
    "tails_public_uri": "http://tails-server:6543/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810",
    "tails_local_path": "/home/aries/.indy_client/tails/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810/5h9UxaAgCFosctR5dpmga98RaYiVs6eiwZipE4gZCwPb",
    "pending_pub": [
      "1",
      "2",
      "3",
      "4",
      "5"
    ]
  }
}

The issuer publishes all pending revocations for both registries:

POST /revocation/publish-revocations
{
  "rrid2crid": {
    "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656": [],
    "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810": []
  }
}

Response:

{
  "txn": {
    "state": "request_sent",
    "created_at": "2024-07-11T07:59:12.907790Z",
    "updated_at": "2024-07-11T07:59:12.912297Z",
    "trace": false,
    "transaction_id": "3f73c810-cc24-4221-8a4c-71c570fad3c0",
    "_type": "https://didcomm.org/sign-attachment/1.0/signature-request",
    "signature_request": [
      {
        "context": "did:sov",
        "method": "add-signature",
        "signature_type": "default",
        "signer_goal_code": "aries.transaction.endorse",
        "author_goal_code": "aries.transaction.ledger.write"
      }
    ],
    "signature_response": [],
    "timing": {
      "expires_time": null
    },
    "formats": [
      {
        "attach_id": "957e15bd-6fe1-40d3-a3cd-193167a58c3b",
        "format": "dif/endorse-transaction/request@v1.0"
      }
    ],
    "messages_attach": [
      {
        "@id": "957e15bd-6fe1-40d3-a3cd-193167a58c3b",
        "mime-type": "application/json",
        "data": {
          "json": {
            "endorser": "QhNuTPMo5QD2S8qZukUZ6n",
            "identifier": "KoZueTeK3jcjZHFZXFPtow",
            "operation": {
              "revocDefType": "CL_ACCUM",
              "revocRegDefId": "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656",
              "type": "114",
              "value": {
                "accum": "...",
                "prevAccum": "...",
                "revoked": [
                  1
                ]
              }
            },
            "protocolVersion": 2,
            "reqId": 1720684752904473600,
            "signature": "dtEN2WjenQVxbVr1q2M9DFnvedgTfHcRkBVjpC5Xg53zbZfhCCocnWQ1PRM9fNeYuqeXCLPBBTYhP75BisfxJmr",
            "taaAcceptance": {
              "mechanism": "service_agreement",
              "taaDigest": "0be4d87dec17a7901cb8ba8bb4239ee34d4f6e08906f3dad81d1d052dccc078f",
              "time": 1720656000
            }
          }
        }
      }
    ],
    "meta_data": {
      "context": {},
      "processing": {}
    },
    "connection_id": "c51bad93-d8a9-4231-8ddc-548678e02448",
    "endorser_write_txn": false
  }
}

Only one revoc_reg_entry appears on the ledger (for the first registry):

{
  "auditPath": [
    "4fUdzxjfw89ocWeHne9CQ5qVBk6Nke29zXpLYZ4XDmTb",
    "3cwcoVw2NeVeNLKcpqXB9xmDsZEjGtqZRmYfHXLguwV7",
    "Ej8n37o3Dt1jACxt4BCKHXF4D8kyAFTYytzxcoC2Zo9s"
  ],
  "ledgerSize": 22,
  "reqSignature": {
    "type": "ED25519",
    "values": [
      {
        "from": "KoZueTeK3jcjZHFZXFPtow",
        "value": "dtEN2WjenQVxbVr1q2M9DFnvedgTfHcRkBVjpC5Xg53zbZfhCCocnWQ1PRM9fNeYuqeXCLPBBTYhP75BisfxJmr"
      },
      {
        "from": "QhNuTPMo5QD2S8qZukUZ6n",
        "value": "62mk3kWQkV6BTyuER6b2xk8qb9RdrWpa7HonadB6ZpZLnyBSouUt1z8RdJB7mcotViqDZc9xxDTZSdEzsQ1Tv3zf"
      }
    ]
  },
  "rootHash": "3LueQdkzF8cHCPZ3DTsqHqyHPcDaMr8w9pFsYYeBgmQy",
  "txn": {
    "data": {
      "revocDefType": "CL_ACCUM",
      "revocRegDefId": "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656",
      "value": {
        "accum": "...",
        "prevAccum": "...",
        "revoked": [
          1
        ]
      }
    },
    "metadata": {
      "digest": "93142dc2e663ee15c5357ed352179d1f1782dd985ec30aee078233664b7eeafc",
      "endorser": "QhNuTPMo5QD2S8qZukUZ6n",
      "from": "KoZueTeK3jcjZHFZXFPtow",
      "payloadDigest": "e0f4a28e2c3dc2ed0e36af274d9734bc0f7e28e787ad7fa876e06bfc2d508815",
      "reqId": 1720684752904473600,
      "taaAcceptance": {
        "mechanism": "service_agreement",
        "taaDigest": "0be4d87dec17a7901cb8ba8bb4239ee34d4f6e08906f3dad81d1d052dccc078f",
        "time": 1720656000
      }
    },
    "protocolVersion": 2,
    "type": "114"
  },
  "txnMetadata": {
    "seqNo": 22,
    "txnId": "5:KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:16:demo:CL_ACCUM:578b4e1b-5d66-40e1-a186-c2070a6f4656",
    "txnTime": 1720684753
  },
  "ver": "1"
}

When the issuer fetches the revocation registry that was not written to the ledger, we see this (note that pending_pub is now empty even though no ledger entry exists):

{
  "result": {
    "state": "active",
    "created_at": "2024-07-11T07:30:45.748532Z",
    "updated_at": "2024-07-11T07:59:12.649633Z",
    "record_id": "c559d295-e0ab-48c0-9913-f63cabff0810",
    "cred_def_id": "KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic",
    "issuer_did": "KoZueTeK3jcjZHFZXFPtow",
    "max_cred_num": 32767,
    "revoc_def_type": "CL_ACCUM",
    "revoc_reg_id": "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810",
    "revoc_reg_def": {
      "ver": "1.0",
      "id": "KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810",
      "revocDefType": "CL_ACCUM",
      "tag": "c559d295-e0ab-48c0-9913-f63cabff0810",
      "credDefId": "KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic",
      "value": {
        "issuanceType": "ISSUANCE_BY_DEFAULT",
        "maxCredNum": 32767,
        "publicKeys": {
          "accumKey": {
            "z": "..."
          }
        },
        "tailsHash": "5h9UxaAgCFosctR5dpmga98RaYiVs6eiwZipE4gZCwPb",
        "tailsLocation": "http://tails-server:6543/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810"
      }
    },
    "revoc_reg_entry": {
      "ver": "1.0",
      "value": {
        "prevAccum": "...",
        "accum": "...",
        "revoked": [
          5,
          1,
          3,
          4,
          2
        ]
      }
    },
    "tag": "c559d295-e0ab-48c0-9913-f63cabff0810",
    "tails_hash": "5h9UxaAgCFosctR5dpmga98RaYiVs6eiwZipE4gZCwPb",
    "tails_public_uri": "http://tails-server:6543/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810",
    "tails_local_path": "/home/aries/.indy_client/tails/KoZueTeK3jcjZHFZXFPtow:4:KoZueTeK3jcjZHFZXFPtow:3:CL:8:Epic:CL_ACCUM:c559d295-e0ab-48c0-9913-f63cabff0810/5h9UxaAgCFosctR5dpmga98RaYiVs6eiwZipE4gZCwPb",
    "pending_pub": []
  }
}

From the issuer's point of view the credentials are revoked, but from the holder's side they are not (`"revoked": false`). The holder can also still pass a proof exchange with a credential the issuer believes is revoked.

It looks like the agent's local records get updated, but the ledger write never happens or is interrupted (not sure which), leaving the local state and the ledger state out of sync.

swcurran commented 4 months ago

This first one is not a bug. The semantics of the “publish” operation are that when called it publishes all pending revocations for the registry. There is not a pick-and-choose feature. So I think that one is OK. If the documentation needs to be updated to clarify that, we should look at that.

The second one looks like a bug though. If the issuer has said to publish the revocations and indicates both cred_defs, then both should be published to the ledger. We’ll need to investigate that one.

swcurran commented 4 months ago

Awesome report by the way. Thanks @cl0ete !

jamshale commented 4 months ago

Hmm. Looks like scenario 2 is a problem with endorsement scenarios only. I'm looking into it.