fix several askar crypto issues

Signed-off-by: gmulhearn <[email protected]>

.github/workflows/main.yml

@@ -101,7 +101,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        wallet: ["vdrtools_wallet", "askar_wallet"]
+        wallet: ["askar_wallet"]
     steps:
       - name: "Git checkout"
         uses: actions/checkout@v3
@@ -123,7 +123,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        backend: ["credx,vdrtools_wallet", "vdr_proxy_ledger,vdrtools_wallet"]
+        backend: ["anoncreds,askar_wallet", "vdr_proxy_ledger,askar_wallet"]
     steps:
       - name: "Git checkout"
         uses: actions/checkout@v3
@@ -332,7 +332,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        wallet: ["vdrtools_wallet,credx", "askar_wallet,credx"]
+        wallet: ["askar_wallet,anoncreds"]
     steps:
       - name: "Git checkout"
         uses: actions/checkout@v3

aries/aries_vcx/src/utils/encryption_envelope.rs

@@ -336,25 +336,24 @@ pub mod unit_tests {
             .await
             .unwrap();
 
+        let sender_vk = sender_data.verkey().base58();
+        let recipient_vk = recipient_data.verkey().base58();
+
         let data_original = "foobar";
 
         let envelope = EncryptionEnvelope::create_from_keys(
             &setup.wallet,
             data_original.as_bytes(),
-            Some(&sender_data.verkey().base58()),
-            recipient_data.verkey().base58(),
+            Some(&sender_vk),
+            recipient_vk.clone(),
             [].to_vec(),
         )
         .await
         .unwrap();
 
-        let data_unpacked = EncryptionEnvelope::auth_unpack(
-            &setup.wallet,
-            envelope.0,
-            &sender_data.verkey().base58(),
-        )
-        .await
-        .unwrap();
+        let data_unpacked = EncryptionEnvelope::auth_unpack(&setup.wallet, envelope.0, &sender_vk)
+            .await
+            .unwrap();
 
         assert_eq!(data_original, data_unpacked);
     }

aries/aries_vcx_wallet/src/wallet/askar/askar_did_wallet.rs

@@ -6,7 +6,7 @@ use async_trait::async_trait;
 use public_key::Key;
 
 use super::{
-    askar_utils::{local_key_to_public_key, seed_from_opt},
+    askar_utils::{local_key_to_public_key, public_key_to_local_key, seed_from_opt},
     pack::Pack,
     rng_method::RngMethod,
     sig_type::SigType,
@@ -38,7 +38,7 @@ impl DidWallet for AskarWallet {
         _did_method_name: Option<&str>,
     ) -> VcxWalletResult<DidData> {
         let mut tx = self.transaction().await?;
-        let (did, local_key) = self
+        let (_vk, local_key) = self
             .insert_key(
                 &mut tx,
                 KeyAlg::Ed25519,
@@ -48,16 +48,29 @@ impl DidWallet for AskarWallet {
             .await?;
 
         let verkey = local_key_to_public_key(&local_key)?;
+
+        // construct NYM from first half of verkey as expected output from this method
+        let nym = {
+            let pk = verkey.key();
+            if pk.len() != 32 {
+                return Err(VcxWalletError::InvalidInput(format!(
+                    "Invalid key length: {}",
+                    pk.len()
+                )));
+            }
+            bs58::encode(&pk[0..16]).into_string()
+        };
+
         self.insert_did(
             &mut tx,
-            &did,
+            &nym,
             &RecordCategory::Did.to_string(),
             &verkey,
             None,
         )
         .await?;
         tx.commit().await?;
-        Ok(DidData::new(&did, &verkey))
+        Ok(DidData::new(&nym, &verkey))
     }
 
     async fn key_for_did(&self, did: &str) -> VcxWalletResult<Key> {
@@ -131,36 +144,28 @@ impl DidWallet for AskarWallet {
     }
 
     async fn sign(&self, key: &Key, msg: &[u8]) -> VcxWalletResult<Vec<u8>> {
-        if let Some(key) = self
+        let Some(key) = self
             .session()
             .await?
             .fetch_key(&key.base58(), false)
             .await?
-        {
-            let local_key = key.load_local_key()?;
-            let key_alg = SigType::try_from_key_alg(local_key.algorithm())?;
-            Ok(local_key.sign_message(msg, Some(key_alg.into()))?)
-        } else {
-            Err(VcxWalletError::record_not_found_from_details(
+        else {
+            return Err(VcxWalletError::record_not_found_from_details(
                 RecordCategory::Key,
                 &key.base58(),
-            ))
-        }
+            ));
+        };
+
+        let local_key = key.load_local_key()?;
+        let key_alg = SigType::try_from_key_alg(local_key.algorithm())?;
+        Ok(local_key.sign_message(msg, Some(key_alg.into()))?)
     }
 
     async fn verify(&self, key: &Key, msg: &[u8], signature: &[u8]) -> VcxWalletResult<bool> {
-        if let Some(key) = self
-            .session()
-            .await?
-            .fetch_key(&key.base58(), false)
-            .await?
-        {
-            let local_key = key.load_local_key()?;
-            let key_alg = SigType::try_from_key_alg(local_key.algorithm())?;
-            Ok(local_key.verify_signature(msg, signature, Some(key_alg.into()))?)
-        } else {
-            Ok(false)
-        }
+        let local_key = public_key_to_local_key(&key)?;
+
+        let sig_alg = SigType::try_from_key_alg(local_key.algorithm())?;
+        Ok(local_key.verify_signature(msg, signature, Some(sig_alg.into()))?)
     }
 
     async fn pack_message(

aries/aries_vcx_wallet/src/wallet/askar/askar_utils.rs

@@ -1,12 +1,13 @@
 use aries_askar::{
+    crypto::alg::{BlsCurves, EcCurves, KeyAlg},
     entry::Entry,
-    kms::{KeyAlg, LocalKey},
+    kms::LocalKey,
 };
 use public_key::{Key, KeyType};
 use serde::Deserialize;
 
 use crate::{
-    errors::error::VcxWalletResult,
+    errors::error::{VcxWalletError, VcxWalletResult},
     wallet::{base_wallet::base58_string::Base58String, utils::random_seed},
 };
 
@@ -25,6 +26,29 @@ pub fn local_key_to_public_key(local_key: &LocalKey) -> VcxWalletResult<Key> {
     )?)
 }
 
+pub fn public_key_to_local_key(key: &Key) -> VcxWalletResult<LocalKey> {
+    let alg = public_key_type_to_askar_key_alg(key.key_type())?;
+    Ok(LocalKey::from_public_bytes(alg, key.key())?)
+}
+
+pub fn public_key_type_to_askar_key_alg(value: &KeyType) -> VcxWalletResult<KeyAlg> {
+    let alg = match value {
+        KeyType::Ed25519 => KeyAlg::Ed25519,
+        KeyType::X25519 => KeyAlg::X25519,
+        KeyType::Bls12381g1g2 => KeyAlg::Bls12_381(BlsCurves::G1G2),
+        KeyType::Bls12381g1 => KeyAlg::Bls12_381(BlsCurves::G1),
+        KeyType::Bls12381g2 => KeyAlg::Bls12_381(BlsCurves::G2),
+        KeyType::P256 => KeyAlg::EcCurve(EcCurves::Secp256r1),
+        KeyType::P384 => KeyAlg::EcCurve(EcCurves::Secp384r1),
+        _ => {
+            return Err(VcxWalletError::Unimplemented(format!(
+                "Unsupported key type: {value:?}"
+            )))
+        }
+    };
+    Ok(alg)
+}
+
 pub fn ed25519_to_x25519(local_key: &LocalKey) -> VcxWalletResult<LocalKey> {
     Ok(local_key.convert_key(KeyAlg::X25519)?)
 }

aries/aries_vcx_wallet/src/wallet/askar/pack.rs

@@ -72,9 +72,10 @@ fn pack_authcrypt_recipients(
             &nonce,
         )?;
 
+        let sender_ed25519_pk = sender_local_key.to_public_bytes()?;
         let enc_sender = crypto_box_seal(
             &recipient_converted_key,
-            bytes_to_bs58(&sender_local_key.to_public_bytes()?).as_bytes(),
+            bytes_to_bs58(&sender_ed25519_pk).as_bytes(),
         )?;
 
         encrypted_recipients.push(Recipient::new_authcrypt(

aries/aries_vcx_wallet/src/wallet/askar/unpack.rs

@@ -43,6 +43,7 @@ pub async fn unpack(jwe: Jwe, session: &mut Session) -> VcxWalletResult<UnpackMe
     local_key.unpack(recipient, jwe)
 }
 
+/// Returns the shared encryption key, and the sender key (if any)
 fn unpack_recipient(
     recipient: &Recipient,
     local_key: &LocalKey,
@@ -72,28 +73,32 @@ fn unpack_msg(jwe: &Jwe, enc_key: LocalKey) -> VcxWalletResult<String> {
     )
 }
 
+/// Returns the shared encryption key, and the sender key
 fn unpack_authcrypt(
     local_key: &LocalKey,
     recipient: &AuthcryptRecipient,
 ) -> VcxWalletResult<(LocalKey, Option<Key>)> {
-    let recipient_key = ed25519_to_x25519(local_key)?;
-    let sender_vk = crypto_box_seal_open(&recipient_key, &recipient.header.sender.decode()?)?;
-    let sender_key = ed25519_to_x25519(&LocalKey::from_public_bytes(
-        Ed25519,
-        &bs58_to_bytes(&sender_vk.clone())?,
+    let recipient_x25519_key = ed25519_to_x25519(local_key)?;
+
+    // "sender" : base64URLencode(libsodium.crypto_box_seal(their_vk, base58encode(sender_vk)),
+    let encrypted_sender_vk = recipient.header.sender.decode()?;
+    let sender_vk = bs58_to_bytes(&crypto_box_seal_open(
+        &recipient_x25519_key,
+        &encrypted_sender_vk,
     )?)?;
+    let sender_x25519_key = ed25519_to_x25519(&LocalKey::from_public_bytes(Ed25519, &sender_vk)?)?;
 
     let secret = crypto_box_open(
-        &recipient_key,
-        &sender_key,
+        &recipient_x25519_key,
+        &sender_x25519_key,
         &recipient.encrypted_key.decode()?,
         &recipient.header.iv.decode()?,
     )?;
 
-    Ok((
-        LocalKey::from_secret_bytes(KeyAlg::Chacha20(Chacha20Types::C20P), &secret)?,
-        Some(Key::new(sender_vk.to_vec(), KeyType::Ed25519)?),
-    ))
+    let shared_enc_key =
+        LocalKey::from_secret_bytes(KeyAlg::Chacha20(Chacha20Types::C20P), &secret)?;
+    let sender_ed25519_pk = Key::new(sender_vk, KeyType::Ed25519)?;
+    Ok((shared_enc_key, Some(sender_ed25519_pk)))
 }
 
 fn unpack_anoncrypt(
@@ -103,10 +108,8 @@ fn unpack_anoncrypt(
     let recipient_key = ed25519_to_x25519(local_key)?;
     let key = crypto_box_seal_open(&recipient_key, &recipient.encrypted_key.decode()?)?;
 
-    Ok((
-        LocalKey::from_secret_bytes(KeyAlg::Chacha20(Chacha20Types::C20P), &key)?,
-        None,
-    ))
+    let shared_enc_key = LocalKey::from_secret_bytes(KeyAlg::Chacha20(Chacha20Types::C20P), &key)?;
+    Ok((shared_enc_key, None))
 }
 
 async fn find_recipient_key<'a>(

justfile

@@ -8,40 +8,26 @@ fmt-check:
     cargo +nightly-2023-05-08 fmt --check
 
 clippy-workspace wallet:
-    cargo clippy --examples --tests --no-default-features -F credx,anoncreds,vdr_proxy_ledger,legacy_proof,{{wallet}}
+    cargo clippy --examples --tests --no-default-features -F anoncreds,vdr_proxy_ledger,legacy_proof,{{wallet}}
 
 clippy-aries-vcx features:
     cargo clippy -p aries_vcx --features legacy_proof --features {{features}} --no-default-features
 
 check-workspace:
     cargo check --tests --all-features
 
+# TODO - this is failing
 check-aries-vcx-anoncreds:
-    cargo test --manifest-path="aries/aries_vcx/Cargo.toml" -F vdrtools_wallet,anoncreds --tests
-
-check-aries-vcx-credx:
-    cargo test --manifest-path="aries/aries_vcx/Cargo.toml" -F vdrtools_wallet,credx --tests
+    cargo test --manifest-path="aries/aries_vcx/Cargo.toml" -F askar_wallet,anoncreds --tests
 
 test-unit test_name="":
-    RUST_TEST_THREADS=1 cargo test --workspace --lib --exclude aries-vcx-agent --exclude libvdrtools --exclude wallet_migrator --exclude mediator {{test_name}} -F did_doc/jwk -F public_key/jwk
-
-test-compatibility-aries-vcx-wallet:
-    cargo test --manifest-path="aries/aries_vcx_wallet/Cargo.toml" -F vdrtools_wallet,askar_wallet wallet_compatibility_
-
-test-wallet-migrator:
-    cargo test --manifest-path="aries/misc/wallet_migrator/Cargo.toml" -F vdrtools_wallet,askar_wallet
+    RUST_TEST_THREADS=1 cargo test --workspace --lib --exclude aries-vcx-agent --exclude mediator {{test_name}} -F did_doc/jwk -F public_key/jwk
 
 test-integration-aries-vcx features test_name="":
     cargo test --manifest-path="aries/aries_vcx/Cargo.toml" -F {{features}} -- --ignored {{test_name}}
 
-test-integration-aries-vcx-anoncreds-rs test_name="":
-    cargo test --manifest-path="aries/aries_vcx/Cargo.toml" -F anoncreds --test test_revocations --test test_proof_presentation --test test_anoncreds --test test_verifier -- --ignored {{test_name}}
-
-test-integration-aries-vcx-mysql test_name="":
-    cargo test --manifest-path="aries/aries_vcx/Cargo.toml" -F vdrtools_wallet test_mysql -- --include-ignored {{test_name}}
-
 test-integration-aries-vcx-vdrproxy test_name="":
-    cargo test --manifest-path="aries/aries_vcx/Cargo.toml" -F vdr_proxy_ledger,credx -- --ignored {{test_name}}
+    cargo test --manifest-path="aries/aries_vcx/Cargo.toml" -F vdr_proxy_ledger,anoncreds -- --ignored {{test_name}}
 
 test-integration-did-crate test_name="":
     cargo test --examples -p did_doc -p did_parser_nom -p did_resolver -p did_resolver_registry -p did_resolver_sov -p did_resolver_web -p did_key -p did_peer -F did_doc/jwk --test "*"