openwallet-foundation · berendsliedrecht · Nov 30, 2024 · Dec 6, 2024 · Feb 19, 2025 · Feb 19, 2025
@@ -0,0 +1,9 @@
+---
+"@credo-ts/core": minor
+---
+
+refactor!: remove support for BBS+ signatures.
+
+The underlying implementation of BBS+ of which Credo is based is outdated, has not been maintained, and not recommended to use.
+
+A new version is being worked on by standard development organizations, for which support may be added at a later time. If you still require support for the old/legacy BBS+ Signatures, you can look at the latest version of Credo and extract the required code and create a custom BBS+ module.
@@ -0,0 +1,5 @@
+---
+"@credo-ts/core": minor
+---
+
+When signing with dids in Credo, it is now required that all DIDs have an associated `DidRecord` with the created role. With the new KMS API we now need to keep track of key ids for keys within a did document, and these are stored on the did document. You can import a did using `agent.dids.import` and provide the `keys` array to define the mapping between verification method and key id. If a verification method mapping to key id is not provided in the did record, we will assume the legacy key id format is used (the base58 encoded public key)
@@ -0,0 +1,5 @@
+---
+"@credo-ts/core": minor
+---
+
+the BBS module has been deprecated and removed. It was based on an old implementation and the underlying library was not maintained anymore. If you still need the BBS functionlity you can extract the code from and older commit of the Credo repo and create your own custom module. Contributions for the new BBS specification are welcome
@@ -0,0 +1,20 @@
+---
+"@credo-ts/indy-sdk-to-askar-migration": minor
+"@credo-ts/question-answer": minor
+"@credo-ts/react-native": minor
+"@credo-ts/action-menu": minor
+"@credo-ts/anoncreds": minor
+"@credo-ts/openid4vc": minor
+"@credo-ts/indy-vdr": minor
+"@credo-ts/didcomm": minor
+"@credo-ts/tenants": minor
+"@credo-ts/askar": minor
+"@credo-ts/cheqd": minor
+"@credo-ts/core": minor
+"@credo-ts/drpc": minor
+"@credo-ts/node": minor
+---
+
+when signing in Credo, it is now required to always reference a key id. For DIDs this is extracted from the DidRecord, and for JWKs (e.g. in holder binding) this is extracted form the `kid` of the JWK. For X509 certificates you need to make sure there is a key id attached to the certificate manually for now, since we don't have a X509 record like we have a DidRecord. For x509 certificates created before 0.6 you can use the legacy key id (`certificate.keyId = certificate.publicJwk.legacyKeyId`), for certificates created after 0.6 you need to manually store the key id and set it on the certificate after decoding.
+
+For this reason, we now require instances of X509 certificates where we used to require encoded certificates, to allow you to set the keyId on the certificate beforehand.
@@ -0,0 +1,18 @@
+---
+"@credo-ts/indy-sdk-to-askar-migration": minor
+"@credo-ts/question-answer": minor
+"@credo-ts/react-native": minor
+"@credo-ts/action-menu": minor
+"@credo-ts/anoncreds": minor
+"@credo-ts/openid4vc": minor
+"@credo-ts/indy-vdr": minor
+"@credo-ts/didcomm": minor
+"@credo-ts/tenants": minor
+"@credo-ts/askar": minor
+"@credo-ts/cheqd": minor
+"@credo-ts/core": minor
+"@credo-ts/drpc": minor
+"@credo-ts/node": minor
+---
+
+The `Key` and `Jwk` classes have been removed in favour of a new `PublicJwk` class, and all APIs in Credo have been updated to use the new `PublicJwk` class. Leveraging Jwk as the base for all APIs provides more flexility and makes it easier to support key types where it's not always so easy to extract the raw public key bytes. In addition all the previous Jwk relatedfunctionality has been replaced with the new KMS jwk functionalty. For example `JwaSignatureAlgorithm` is now `Kms.KnownJwaSignatureAlgorithms`.
@@ -0,0 +1,18 @@
+---
+"@credo-ts/indy-sdk-to-askar-migration": minor
+"@credo-ts/question-answer": minor
+"@credo-ts/react-native": minor
+"@credo-ts/action-menu": minor
+"@credo-ts/anoncreds": minor
+"@credo-ts/openid4vc": minor
+"@credo-ts/indy-vdr": minor
+"@credo-ts/didcomm": minor
+"@credo-ts/tenants": minor
+"@credo-ts/askar": minor
+"@credo-ts/cheqd": minor
+"@credo-ts/core": minor
+"@credo-ts/drpc": minor
+"@credo-ts/node": minor
+---
+
+The wallet API has been completely rewritten to be more generic, support multiple backends at the same time, support generic encrypting and decryption, support symmetric keys, and enable backends that use key ids rather than the public key to identify a key. This has resulted in significant breaking changes, and all usages of the wallet api should be updated to use the new `agent.kms` APIs. In addition the wallet is not available anymore on the agentContext. If you used this, instead inject the KMS API using `agentContext.resolve(Kms.KeyManagementApi)`.
@@ -0,0 +1,5 @@
+---
+"@credo-ts/core": minor
+---
+
+the automatic backup functionality has been removed from Credo. With the generalization of the KMS API, and with moving away from assuming Askar is used for storage, providing a generic backup API is not feasible, especially for large deployments. From now on, you are expected to create a backup yourself before performing any updates. For askar you can export a store on the Askar api, or you can directly create a backup of your Postgres database.
@@ -0,0 +1,6 @@
+---
+"@credo-ts/askar": minor
+"@credo-ts/core": minor
+---
+
+The wallet config has been removed from the main agent config, to allow for more flexibility. Instead, each module can now define their own config for the storage and kms. For askar there is a new `store` property which must be provided on the askar module config where you can set the wallet id and key. It is also possible to disable the kms or storage for askar using `enableKms` and `enableStorage`.
@@ -71,6 +71,8 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
 
+      - uses: shogo82148/actions-setup-redis@v1
+
       # See https://github.com/actions/setup-node/issues/641#issuecomment-1358859686
       - name: pnpm cache path
         id: pnpm-cache-path

@@ -2,10 +2,11 @@ import type { Server } from 'http'
 import type { InitConfig, KeyDidCreateOptions, ModulesMap, VerificationMethod } from '@credo-ts/core'
 import type { Express } from 'express'
 
-import { Agent, ConsoleLogger, DidKey, KeyType, LogLevel, TypedArrayEncoder } from '@credo-ts/core'
+import { Agent, Buffer, ConsoleLogger, DidKey, LogLevel } from '@credo-ts/core'
 import { agentDependencies } from '@credo-ts/node'
 import express from 'express'
 
+import { transformPrivateKeyToPrivateJwk } from '@credo-ts/askar'
 import { greenText } from './OutputClass'
 
 export class BaseAgent<AgentModules extends ModulesMap> {
@@ -20,37 +21,61 @@ export class BaseAgent<AgentModules extends ModulesMap> {
   public kid!: string
   public verificationMethod!: VerificationMethod
 
-  public constructor({ port, name, modules }: { port: number; name: string; modules: AgentModules }) {
+  public constructor({
+    port,
+    name,
+    modules,
+  }: {
+    port: number
+    name: string
+    modules: AgentModules
+  }) {
     this.name = name
     this.port = port
     this.app = express()
 
     const config = {
       label: name,
-      walletConfig: { id: name, key: name },
       allowInsecureHttpUrls: true,
       logger: new ConsoleLogger(LogLevel.off),
     } satisfies InitConfig
 
     this.config = config
 
-    this.agent = new Agent({ config, dependencies: agentDependencies, modules })
+    this.agent = new Agent({
+      config,
+      dependencies: agentDependencies,
+      modules,
+    })
   }
 
   public async initializeAgent(secretPrivateKey: string) {
     await this.agent.initialize()
 
     this.server = this.app.listen(this.port)
 
+    const { privateJwk } = transformPrivateKeyToPrivateJwk({
+      type: {
+        crv: 'Ed25519',
+        kty: 'OKP',
+      },
+      privateKey: Buffer.from(secretPrivateKey),
+    })
+
+    const { keyId } = await this.agent.kms.importKey({
+      privateJwk,
+    })
+
     const didCreateResult = await this.agent.dids.create<KeyDidCreateOptions>({
       method: 'key',
-      options: { keyType: KeyType.Ed25519 },
-      secret: { privateKey: TypedArrayEncoder.fromString(secretPrivateKey) },
+      options: {
+        keyId,
+      },
     })
 
     this.did = didCreateResult.didState.did as string
     this.didKey = DidKey.fromDid(this.did)
-    this.kid = `${this.did}#${this.didKey.key.fingerprint}`
+    this.kid = `${this.did}#${this.didKey.publicJwk.fingerprint}`
 
     const verificationMethod = didCreateResult.didState.didDocument?.dereferenceKey(this.kid, ['authentication'])
     if (!verificationMethod) throw new Error('No verification method found')

@@ -8,12 +8,13 @@ import { AskarModule } from '@credo-ts/askar'
 import {
   DidJwk,
   DidKey,
-  KeyType,
+  JwkDidCreateOptions,
+  KeyDidCreateOptions,
+  Kms,
   Mdoc,
   W3cJsonLdVerifiableCredential,
   W3cJwtVerifiableCredential,
   X509Module,
-  getJwkFromKey,
 } from '@credo-ts/core'
 import {
   OpenId4VcHolderModule,
@@ -23,12 +24,13 @@ import {
 } from '@credo-ts/openid4vc'
 import { askar } from '@openwallet-foundation/askar-nodejs'
 
+import { AskarModuleConfigStoreOptions } from '../../packages/askar/src/AskarModuleConfig'
 import { BaseAgent } from './BaseAgent'
 import { Output, greenText } from './OutputClass'
 
-function getOpenIdHolderModules() {
+function getOpenIdHolderModules(askarStorageConfig: AskarModuleConfigStoreOptions) {
   return {
-    askar: new AskarModule({ askar }),
+    askar: new AskarModule({ askar, store: askarStorageConfig }),
     openId4VcHolder: new OpenId4VcHolderModule(),
     x509: new X509Module({
       getTrustedCertificatesForVerification: (_agentContext, { certificateChain, verification }) => {
@@ -54,7 +56,14 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
   }
 
   public constructor(port: number, name: string) {
-    super({ port, name, modules: getOpenIdHolderModules() })
+    super({
+      port,
+      name,
+      modules: getOpenIdHolderModules({
+        id: name,
+        key: name,
+      }),
+    })
   }
 
   public static async build(): Promise<Holder> {
@@ -140,20 +149,33 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
       clientId: options.clientId,
       credentialConfigurationIds: options.credentialsToRequest,
       credentialBindingResolver: async ({ supportedDidMethods, supportsAllDidMethods, proofTypes }) => {
-        const key = await this.agent.wallet.createKey({
-          keyType: proofTypes.jwt?.supportedKeyTypes[0] ?? KeyType.Ed25519,
+        const key = await this.agent.kms.createKeyForSignatureAlgorithm({
+          algorithm: proofTypes.jwt?.supportedSignatureAlgorithms[0] ?? 'EdDSA',
         })
+        const publicJwk = Kms.PublicJwk.fromPublicJwk(key.publicJwk)
 
         if (supportsAllDidMethods || supportedDidMethods?.includes('did:key')) {
-          const didKey = new DidKey(key)
+          await this.agent.dids.create<KeyDidCreateOptions>({
+            method: 'key',
+            options: {
+              keyId: key.keyId,
+            },
+          })
+          const didKey = new DidKey(publicJwk)
 
           return {
             method: 'did',
-            didUrls: [`${didKey.did}#${didKey.key.fingerprint}`],
+            didUrls: [`${didKey.did}#${didKey.publicJwk.fingerprint}`],
           }
         }
         if (supportedDidMethods?.includes('did:jwk')) {
-          const didJwk = DidJwk.fromJwk(getJwkFromKey(key))
+          const didJwk = DidJwk.fromPublicJwk(publicJwk)
+          await this.agent.dids.create<JwkDidCreateOptions>({
+            method: 'jwk',
+            options: {
+              keyId: key.keyId,
+            },
+          })
 
           return {
             method: 'did',
@@ -164,7 +186,7 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
         // We fall back on jwk binding
         return {
           method: 'jwk',
-          keys: [getJwkFromKey(key)],
+          keys: [publicJwk],
         }
       },
       ...tokenResponse,

@@ -135,7 +135,7 @@ export class HolderInquirer extends BaseInquirer {
 
   public async addTrustedCertificate() {
     const trustedCertificate = await this.inquireInput('Enter trusted certificate: ')
-    await this.holder.agent.x509.addTrustedCertificate(trustedCertificate)
+    this.holder.agent.x509.config.addTrustedCertificate(trustedCertificate)
 
     console.log(greenText('Added trusted certificate'))
   }