Merge pull request #1065 from jovfer/feature/key-derivation-type

RC 1.6.2 ver 2

CHANGELOG.md

@@ -7,8 +7,10 @@
     * Updated `indy_build_pool_upgrade_request` API function to accept the additional parameter `package` that allow specify package to be upgraded.* Bugfixes
 * Added `pool restart` command in Indy CLI.
 * Updated Libindy CD pipeline to run iOS tests and to publish artifacts for Libindy and Libnullpay.
-* Bugfixes       
-
+* Updated wallet `credentials` to accept the additional parameter `key_derivation_method`.
+  This parameter provides the ability to use different crypto algorithms for master key derivation.
+* Bugfixes
+
 ## 1.6.1 bugfixes
 * Fix connection performance issue
 * Fix Android publishing

README.md

@@ -166,16 +166,31 @@ If you would like to analyse CPU performance of libindy for your use case, you h
 ## How to start local nodes pool with docker
 To test the SDK codebase with a virtual Indy node network, you can start a pool of local nodes using docker:
 
+### 1) Starting the test pool on localhost
 Start the pool of local nodes on `127.0.0.1:9701-9708` with Docker by running:
 
 ```
 docker build -f ci/indy-pool.dockerfile -t indy_pool .
 docker run -itd -p 9701-9708:9701-9708 indy_pool
 ```
 
+### 2) Starting the test pool on a specific IP address
  Dockerfile `ci/indy-pool.dockerfile` supports an optional pool_ip param that allows
- changing ip of pool nodes in generated pool configuration. The following commands
- allow to start local nodes pool in custom docker network and access this pool
+ changing ip of pool nodes in generated pool configuration. 
+
+ You can start the pool with e.g. with the IP address of your development machine's WIFI interface
+ so that mobile apps in the same network can reach the pool.
+
+ ```
+ # replace 192.168.179.90 with your wifi IP address
+ docker build --build-arg pool_ip=192.168.179.90 -f ci/indy-pool.dockerfile -t indy_pool .
+ docker run -itd -p 192.168.179.90:9701-9708:9701-9708 indy_pool
+ ```
+ To connect to the pool the IP addresses in /var/lib/indy/sandbox/pool_transactions_genesis (in docker) and the
+ pool configuration you use in your mobile app must match.
+
+### 3) Starting the test pool on a docker network
+ The following commands allow to start local nodes pool in custom docker network and access this pool
  by custom ip in docker network:
 
  ```
@@ -245,4 +260,4 @@ to simplify their transition to API of Libindy 1.4.0.
 * You may also want to read this info about [maintainers](MAINTAINERS.md) and our process.
 * We use developer certificate of origin (DCO) in all hyperledger repositories,
   so to get your pull requests accepted, you must certify your commits by signing off on each commit.
-  More information can be found in [Signing Commits](doc/signing-commits.md) article.
+  More information can be found in [Signing Commits](doc/signing-commits.md) article.

doc/getting-started/getting-started.md

@@ -456,6 +456,7 @@ Now Alice has everything to create a Credential Request of the issuance of the *
 **Faber** creates the **Transcript** Credential for Alice.
 ```python
   # Faber Agent
+  # note that encoding is not standardized by Indy except that 32-bit integers are encoded as themselves. IS-786
   transcript_cred_values = json.dumps({
       "first_name": {"raw": "Alice", "encoded": "1139481716457488690172217916278103335"},
       "last_name": {"raw": "Garcia", "encoded": "5321642780241790123587902456789123452"},

doc/how-tos/issue-credential/java/IssueCredential.java

@@ -105,6 +105,7 @@ static void demo() throws Exception {
 		// 16
 		System.out.println("\n16. Issuer (Trust Anchor) creates Claim for Claim Request\n");
 		// Encoded value of non-integer attribute is SHA256 converted to decimal
+		// note that encoding is not standardized by Indy except that 32-bit integers are encoded as themselves. IS-786
                 String credAttribsJson = "{\n" +
                 "               \"sex\":[\"male\",\"5944657099558967239210949258394887428692050081607692519917050011144233115103\"],\n" +
                 "               \"name\":[\"Alex\",\"99262857098057710338306967609588410025648622308394250666849665532448612202874\"],\n" +

doc/how-tos/issue-credential/java/step4.java

@@ -9,6 +9,7 @@
 
 		System.out.println("\n16. Issuer (Trust Anchor) creates Credential for Credential Request\n");
 		// Encoded value of non-integer attribute is SHA256 converted to decimal
+		// note that encoding is not standardized by Indy except that 32-bit integers are encoded as themselves. IS-786
 		String credAttribsJson = "{\n" +
 		"               \"sex\":[\"male\",\"5944657099558967239210949258394887428692050081607692519917050011144233115103\"],\n" +
 		"               \"name\":[\"Alex\",\"99262857098057710338306967609588410025648622308394250666849665532448612202874\"],\n" +

doc/migration-guide-1.5.0-1.6.0.md

@@ -65,6 +65,20 @@ This wallet configuration json has the following format:
    }
  }
 ```
+* Updated wallet `credentials` to accept the additional parameter `key_derivation_method`.
+  This parameter provides the ability to use different crypto algorithms for master key derivation.
+Wallet credentials json has the following format:
+```
+ {
+   "key": string, Passphrase used to derive wallet master key
+   "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
+                          Can be optional if storage supports default configuration.
+                          For 'default' storage type should be empty.
+   "key_derivation_method": optional<string> algorithm to use for master key derivation:
+                          ARAGON2I_MOD (used by default)
+                          ARAGON2I_INT - less secured but faster 
+ }
+```
 
 *WARNING* Wallet format of libindy v1.6 isn't compatible with a wallet format of libindy v1.5.
 
@@ -100,6 +114,7 @@ indy_create_wallet(command_handle: i32,
                                         err: ErrorCode)>)
       </pre>
       <b>Note:</b> Format of <i>config</i> parameter was changed. Current format is described above.
+      <b>Note:</b> Format of <i>credentials</i> parameter was changed. Current format is described above.
     </td>
   </tr>
   </tr>

libindy/debian/changelog

@@ -6,5 +6,7 @@ libindy (1.6.2) unstable; urgency=medium
     * Performed the following changes related to Libindy Ledger API:
         * Added `indy_submit_action` endpoint that provides the ability to send either GET_VALIDATOR_INFO or
           POOL_RESTART request to specific nodes and to specify custom timeout for a response from a node.
-        * Updated `indy_build_pool_upgrade_request` API function to accept the additional parameter `package` that allow specify package to be upgraded.* Bugfixes
+        * Updated `indy_build_pool_upgrade_request` API function to accept the additional parameter `package` that allow specify package to be upgraded.
+    * Updated wallet `credentials` to accept the additional parameter `key_derivation_method`.
+      This parameter provides the ability to use different crypto algorithms for master key derivation.
     * Bugfixes

libindy/include/indy_wallet.h

@@ -168,8 +168,10 @@ extern "C" {
     ///   "key": string, Passphrase used to derive wallet master key
     ///   "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
     ///                          Can be optional if storage supports default configuration.
-    //                           For 'default' storage type should be empty.
-    ///
+    ///                          For 'default' storage type should be empty.
+    ///   "key_derivation_method": optional<string> algorithm to use for master key derivation:
+    ///                          ARAGON2I_MOD (used by default)
+    ///                          ARAGON2I_INT - less secured but faster
     /// }
     ///
     /// #Returns
@@ -199,7 +201,7 @@ extern "C" {
     ///                       Custom storage types can be registered with indy_register_wallet_storage call.
     ///       "storage_config": optional<object>, Storage configuration json. Storage type defines set of supported keys.
     ///                         Can be optional if storage supports default configuration.
-    //                          For 'default' storage type configuration is:
+    ///                         For 'default' storage type configuration is:
     ///           {
     ///              "path": optional<string>, Path to the directory with wallet files.
     ///                      Defaults to $HOME/.indy_client/wallets.
@@ -214,8 +216,13 @@ extern "C" {
     ///                                  derived from this passphrase.
     ///       "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
     ///                              Can be optional if storage supports default configuration.
-    //                               For 'default' storage type should be empty.
-    ///
+    ///                              For 'default' storage type should be empty.
+    ///       "key_derivation_method": optional<string> algorithm to use for master key derivation:
+    ///                             ARAGON2I_MOD (used by default)
+    ///                             ARAGON2I_INT - less secured but faster
+    ///       "rekey_derivation_method": optional<string> algorithm to use for master rekey derivation:
+    ///                             ARAGON2I_MOD (used by default)
+    ///                             ARAGON2I_INT - less secured but faster
     ///   }
     ///
     /// #Returns
@@ -232,14 +239,17 @@ extern "C" {
                                          void           (*fn)(indy_handle_t xcommand_handle, indy_error_t err, indy_handle_t handle)
                                         );
 
-    /// Exports opened wallet's content using key and path provided in export_config_json
+    /// Exports opened wallet
     ///
-    /// #Params
-    /// wallet_handle: wallet handle returned by indy_open_wallet.
-    /// export_config_json: JSON containing settings for input operation.
+    /// #Params:
+    /// wallet_handle: wallet handle returned by indy_open_wallet
+    /// export_config: JSON containing settings for input operation.
     ///   {
-    ///     "path": path of the file that contains exported wallet content
-    ///     "key": passphrase used to derive export key
+    ///     "path": <string>, Path of the file that contains exported wallet content
+    ///     "key": <string>, Passphrase used to derive export key
+    ///     "key_derivation_method": optional<string> algorithm to use for export key derivation:
+    ///                              ARAGON2I_MOD (used by default)
+    ///                              ARAGON2I_INT - less secured but faster
     ///   }
     ///
     /// #Returns
@@ -270,7 +280,7 @@ extern "C" {
     ///                  Custom storage types can be registered with indy_register_wallet_storage call.
     ///   "storage_config": optional<object>, Storage configuration json. Storage type defines set of supported keys.
     ///                     Can be optional if storage supports default configuration.
-    //                      For 'default' storage type configuration is:
+    ///                     For 'default' storage type configuration is:
     ///   {
     ///     "path": optional<string>, Path to the directory with wallet files.
     ///             Defaults to $HOME/.indy_client/wallets.
@@ -282,8 +292,10 @@ extern "C" {
     ///   "key": string, Passphrase used to derive wallet master key
     ///   "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
     ///                          Can be optional if storage supports default configuration.
-    //                           For 'default' storage type should be empty.
-    ///
+    ///                          For 'default' storage type should be empty.
+    ///   "key_derivation_method": optional<string> algorithm to use for master key derivation:
+    ///                            ARAGON2I_MOD (used by default)
+    ///                            ARAGON2I_INT - less secured but faster
     /// }
     /// import_config: Import settings json.
     /// {
@@ -334,7 +346,7 @@ extern "C" {
     ///                  Custom storage types can be registered with indy_register_wallet_storage call.
     ///   "storage_config": optional<object>, Storage configuration json. Storage type defines set of supported keys.
     ///                     Can be optional if storage supports default configuration.
-    //                      For 'default' storage type configuration is:
+    ///                     For 'default' storage type configuration is:
     ///   {
     ///     "path": optional<string>, Path to the directory with wallet files.
     ///             Defaults to $HOME/.indy_client/wallets.
@@ -346,8 +358,10 @@ extern "C" {
     ///   "key": string, Passphrase used to derive wallet master key
     ///   "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
     ///                          Can be optional if storage supports default configuration.
-    //                           For 'default' storage type should be empty.
-    ///
+    ///                          For 'default' storage type should be empty.
+    ///   "key_derivation_method": optional<string> algorithm to use for master key derivation:
+    ///                            ARAGON2I_MOD (used by default)
+    ///                            ARAGON2I_INT - less secured but faster
     /// }
     ///
     /// #Returns

libindy/src/api/wallet.rs

@@ -164,7 +164,9 @@ pub extern fn indy_register_wallet_storage(command_handle: i32,
 ///   "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
 ///                          Can be optional if storage supports default configuration.
 ///                          For 'default' storage type should be empty.
-///
+///   "key_derivation_method": optional<string> algorithm to use for master key derivation:
+///                          ARAGON2I_MOD (used by default)
+///                          ARAGON2I_INT - less secured but faster
 /// }
 ///
 /// #Returns
@@ -235,7 +237,12 @@ pub extern fn indy_create_wallet(command_handle: i32,
 ///       "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
 ///                              Can be optional if storage supports default configuration.
 ///                              For 'default' storage type should be empty.
-///
+///       "key_derivation_method": optional<string> algorithm to use for master key derivation:
+///                             ARAGON2I_MOD (used by default)
+///                             ARAGON2I_INT - less secured but faster
+///       "rekey_derivation_method": optional<string> algorithm to use for master rekey derivation:
+///                             ARAGON2I_MOD (used by default)
+///                             ARAGON2I_INT - less secured but faster
 ///   }
 ///
 /// #Returns
@@ -287,6 +294,9 @@ pub extern fn indy_open_wallet(command_handle: i32,
 ///   {
 ///     "path": <string>, Path of the file that contains exported wallet content
 ///     "key": <string>, Passphrase used to derive export key
+///     "key_derivation_method": optional<string> algorithm to use for export key derivation:
+///                              ARAGON2I_MOD (used by default)
+///                              ARAGON2I_INT - less secured but faster
 ///   }
 ///
 /// #Returns
@@ -352,7 +362,9 @@ pub extern fn indy_export_wallet(command_handle: i32,
 ///   "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
 ///                          Can be optional if storage supports default configuration.
 ///                          For 'default' storage type should be empty.
-///
+///   "key_derivation_method": optional<string> algorithm to use for master key derivation:
+///                            ARAGON2I_MOD (used by default)
+///                            ARAGON2I_INT - less secured but faster
 /// }
 /// import_config: Import settings json.
 /// {
@@ -465,7 +477,9 @@ pub extern fn indy_close_wallet(command_handle: i32,
 ///   "storage_credentials": optional<object> Credentials for wallet storage. Storage type defines set of supported keys.
 ///                          Can be optional if storage supports default configuration.
 ///                          For 'default' storage type should be empty.
-///
+///   "key_derivation_method": optional<string> algorithm to use for master key derivation:
+///                            ARAGON2I_MOD (used by default)
+///                            ARAGON2I_INT - less secured but faster
 /// }
 ///
 /// #Returns

libindy/src/domain/wallet/export_import.rs

@@ -2,18 +2,34 @@ use std::collections::HashMap;
 
 #[derive(Debug, Serialize, Deserialize)]
 pub enum EncryptionMethod {
-    ChaCha20Poly1305IETF { // **ChaCha20-Poly1305-IETF** cypher in blocks per chunk_size bytes
-    salt: Vec<u8>,  // pwhash_argon2i13::Salt as bytes. Random salt used for deriving of key from passphrase
-    nonce: Vec<u8>, // chacha20poly1305_ietf::Nonce as bytes. Random start nonce. We increment nonce for each chunk to be sure in export file consistency
-    chunk_size: usize, // size of encrypted chunk
+    // **ChaCha20-Poly1305-IETF** cypher in blocks per chunk_size bytes
+    ChaCha20Poly1305IETF {
+        // pwhash_argon2i13::Salt as bytes. Random salt used for deriving of key from passphrase
+        salt: Vec<u8>,
+        // chacha20poly1305_ietf::Nonce as bytes. Random start nonce. We increment nonce for each chunk to be sure in export file consistency
+        nonce: Vec<u8>,
+        // size of encrypted chunk
+        chunk_size: usize,
+    },
+    // **ChaCha20-Poly1305-IETF interactive key derivation** cypher in blocks per chunk_size bytes
+    ChaCha20Poly1305IETFInteractive {
+        // pwhash_argon2i13::Salt as bytes. Random salt used for deriving of key from passphrase
+        salt: Vec<u8>,
+        // chacha20poly1305_ietf::Nonce as bytes. Random start nonce. We increment nonce for each chunk to be sure in export file consistency
+        nonce: Vec<u8>,
+        // size of encrypted chunk
+        chunk_size: usize,
     },
 }
 
 #[derive(Debug, Serialize, Deserialize)]
 pub struct Header {
-    pub encryption_method: EncryptionMethod, // Method of encryption for encrypted stream
-    pub time: u64, // Export time in seconds from UNIX Epoch
-    pub version: u32, // Version of header
+    // Method of encryption for encrypted stream
+    pub encryption_method: EncryptionMethod,
+    // Export time in seconds from UNIX Epoch
+    pub time: u64,
+    // Version of header
+    pub version: u32
 }
 
 // Note that we use externally tagged enum serialization and header will be represented as:
@@ -32,9 +48,13 @@ pub struct Header {
 
 #[derive(Debug, Serialize, Deserialize)]
 pub struct Record {
+    // Wallet record type
     #[serde(rename = "type")]
-    pub type_: String, // Wallet record type
-    pub id: String, // Wallet record id
-    pub value: String, // Wallet record value
-    pub tags: HashMap<String, String>, // Wallet record tags
+    pub type_: String,
+    // Wallet record id
+    pub id: String,
+    // Wallet record value
+    pub value: String,
+    // Wallet record tags
+    pub tags: HashMap<String, String>,
 }

libindy/src/domain/wallet/mod.rs

@@ -14,16 +14,33 @@ pub struct Credentials {
     pub key: String,
     pub rekey: Option<String>,
     pub storage_credentials: Option<Value>,
+    #[serde(default = "default_key_derivation_method")]
+    pub key_derivation_method: KeyDerivationMethod,
+    #[serde(default = "default_key_derivation_method")]
+    pub rekey_key_derivation_method: KeyDerivationMethod
+}
+
+#[allow(non_camel_case_types)]
+#[derive(Debug, Serialize, Deserialize)]
+pub enum KeyDerivationMethod {
+    ARAGON2I_MOD,
+    ARAGON2I_INT
+}
+
+fn default_key_derivation_method() -> KeyDerivationMethod {
+    KeyDerivationMethod::ARAGON2I_MOD
 }
 
 #[derive(Debug, Serialize, Deserialize)]
 pub struct ExportConfig {
     pub key: String,
     pub path: String,
+    #[serde(default = "default_key_derivation_method")]
+    pub key_derivation_method: KeyDerivationMethod
 }
 
 #[derive(Debug, Serialize, Deserialize)]
 pub struct Metadata {
     pub keys: Vec<u8>,
     pub master_key_salt: Vec<u8>,
-}
+}