Unable to create anoncreds schema on issuer configured with a qualified did:sov public did #3540
Comments
|
Here is the DEBUG log of the issuer agent when posting a schema with scenario similar to the one described above (different did since different agent in different environment but otherwise same procedure) |
|
Try replace |
|
@ff137 400: Error creating schema. Failed to register schema. Exception when building get-schema request. Validation error: SchemaId validation failed: "did:sov:QvZ4hHw63DNrgdf6azXnUj:2:test_fqdid:1.0", doesn't match pattern. And on the other hand, using unqualified did works with (or without) spaces. API then returns a 200 with following body : |
|
Worth noting here that the issuer (author) is behind an endorser. So options |
|
Strange, I could've sworn that the schema name must be without spaces - perhaps true in some cases, but not relevant to this validation error. When I looked into it, it seemed like the validation error is coming from the indy_vdr package. And the public did + schema is stripped of the did prefix before that call is made, so I presume that's not the issue class IndyVdrLedger(BaseLedger):
...
async def fetch_schema_by_id(self, schema_id: str) -> dict:
"""Get schema from ledger.
Args:
schema_id: The schema id (or stringified sequence number) to retrieve
Returns:
Indy schema dict
"""
public_info = await self.get_wallet_public_did()
public_did = public_info.did if public_info else None
try:
schema_req = ledger.build_get_schema_request(
strip_did_prefix(public_did), strip_did_prefix(schema_id)
)
except VdrError as err:
raise LedgerError("Exception when building get-schema request") from err^ The exception is ultimately coming from there. And there's some C library call being made in the indy_vdr package, so I can't quickly see what the validation error is. |
|
^ Looks like the strip_did_prefix was added recently. So the code I'm viewing is probably not what you're running with version 1.2.0. Meaning that the qualified did is causing the issue ( @zoblazo Is it possible for you to try this again with the latest nightly build? |
|
I couldn't replicate this but maybe I'm creating the qualified did differently. Could you provide the steps you took to generate the fully qualified did:sov? |
I'm pretty sure if this was the issue, it would be a different type of error. When the stripped nym is invalid it gets an indy_vdr error saying it doesn't have the required signatures. That's why the validation error is confusing to me. I can create the exact same pattern. |
|
Here is how we create and provision the qualified did:sov :
(seed x'ed out for obvious reason)
Still working on reproducing this scenario with the latest nightly build. |
|
I'm still not able to re-produce with this type of did. I have been able to get the same behavior by altering the did record in the local wallet. Did this involve an upgrade from askar --> askar anoncreds wallet type? |
|
No, wallet-type has been askar-anoncreds from inception. No upgrade involved. On a not-so-related note, we did update aca-py from 1.0.0 to 1.2.0 a few weeks ago but I was able to reproduce same behavior on 1.2.0 agents that had their database/wallet wiped out. |
|
So... I should have tried to do this earlier but I confirmed this error happens on version 1.2.0, but does not happen on main. I predict that running your test on nightly will succeed. I think it was probably fixed by the recent PR #3253 that has some qualified did stuff in it. I'd still like to actually understand what the issue was and why it seems to be fixed. |
|
It's presumably the indy_vdr library that expects schema_id to be prefixed without did:sov |
|
The error message is:
"Exception when building get-schema request" reveals that it occurs here: # acapy_agent/ledger/indy_vdr.py:467
try:
schema_req = ledger.build_get_schema_request(
strip_did_prefix(public_did), strip_did_prefix(schema_id)
)
except VdrError as err:
raise LedgerError("Exception when building get-schema request") from errThis ends up calling some rust code in indy-vdr: pub extern "C" fn indy_vdr_build_get_schema_request(
submitter_did: FfiStr, // optional
schema_id: FfiStr,
handle_p: *mut RequestHandle,
) -> ErrorCode {
catch_err! {
trace!("Build GET_SCHEMA request");
check_useful_c_ptr!(handle_p);
let builder = get_request_builder()?;
let identifier = submitter_did.as_opt_str().map(DidValue::from_str).transpose()?;
let schema_id = SchemaId::from_str(schema_id.as_str())?; // <-- "SchemaId validation failed" means it's this line
let req = builder.build_get_schema_request(identifier.as_ref(), &schema_id)?;
let handle = add_request(req)?;
unsafe {
*handle_p = handle;
}
Ok(ErrorCode::Success)
}
}Schema_id has the following validation checks: impl SchemaId {
pub const PREFIX: &'static str = "schema";
pub const MARKER: &'static str = "2";
pub fn new(did: &DidValue, name: &str, version: &str) -> SchemaId {
let id = format!(
"{}{}{}{}{}{}{}",
did.0,
DELIMITER,
Self::MARKER,
DELIMITER,
name,
DELIMITER,
version
);
Self::from(qualifiable::combine(
Self::PREFIX,
did.get_method(),
id.as_str(),
))
}
pub fn parts(&self) -> Option<(Option<&str>, DidValue, String, String)> {
let parts = self.0.split_terminator(DELIMITER).collect::<Vec<&str>>();
if parts.len() == 1 {
// 1
return None;
}
if parts.len() == 4 {
// NcYxiDXkpYi6ov5FcYDi1e:2:gvt:1.0
let did = parts[0].to_string();
let name = parts[2].to_string();
let version = parts[3].to_string();
return Some((None, DidValue(did), name, version));
}
if parts.len() == 8 {
// schema:sov:did:sov:NcYxiDXkpYi6ov5FcYDi1e:2:gvt:1.0
let method = parts[1];
let did = parts[2..5].join(DELIMITER);
let name = parts[6].to_string();
let version = parts[7].to_string();
return Some((Some(method), DidValue(did), name, version));
}
None
}
}As far as I can tell, So This SchemaId type is defined in indy-data-types cc: @andrewwhitehead |
|
Thus I am able to create a schema with a qualified did:sov with latest nightly build (and no endorser) BUT the resulting schema id is did:sov:... So problem still (differently) exists. indy-vdr validation doesn't happen anymore ? |
|
I've been thinking about this and I don't think qualified did:sov`s are currently supported by anoncreds. The implementation was for legacy indy which considered the unqualified version only. I'm sure you could get it working by providing the unqualified version of the did. Supporting both unqualified and qualified did:sov dids as the issuer id would need to be a new feature. |
@zoblazo A change between 1.2.0 and latest nightly build is that the did-prefix is now stripped from the did and the schema id: schema_req = ledger.build_get_schema_request(
strip_did_prefix(public_did), strip_did_prefix(schema_id)
)so the indy-vdr validation should be passing. What's the current problem that, as you mentioned, still exists, but differently? |
|
I think it allows you to create the schema but then the schema_id has did:sov at the front and if you try and use this when creating a cred_def or during issuance it won't be able to use the ledger to resolve it. I think the solution is to support both forms by striping it from the anoncreds object id's wherever they need to use the ledger. I've been looking at this for ticket #3493. It may be worth doing separately so it's done sooner. I'm not a fan of having to do this special unqualified did:sov stuff. It would be better if did:sov's were qualified in acapy. That's partly what that ticket is trying to fix. |
|
Exactly. Schema is created with a schema_id perfixed did:sov in acapy but the schema id on blockchain is stripped of that did:sov prefix. Then when I get to create a cred def, I receive a ''400: No resolver available for identifier did:sov:.....:1.0"' |
|
We'll need to do this as a feature. Support qualified did sov's in anoncreds legacy_indy registry. I can probably try and get to it, I'm currently studying all the required changes. Right now it would be not available status. You'd need to use unqualified did sov representation in anoncreds. |
Given I have an issuer agent deployed with acapy 1.2.0 with wallet-type askar-anoncreds
Given I provision on that agent a fully qualified did:sov such as
Given I assign that DID as public for the issuer agent
When I try to create an anoncreds schema (POST /anoncreds/schema with following body)
Then I get error :
400: Error creating schema. Failed to register schema. Exception when building get-schema request. Validation error: SchemaId validation failed: "did:sov:AecTm5kThinYH3oXj4d9xd:2:test fqdid:1.0", doesn't match pattern.
Then Schema is not created in agent's wallet and not published on blockchain.
Expected result : schema is created and published to configured blockchain.
The text was updated successfully, but these errors were encountered: