feat(prism-agent): implement AnonCreds issuance flow

build.sbt

@@ -1,5 +1,5 @@
-import sbtbuildinfo.BuildInfoPlugin.autoImport.*
 import org.scoverage.coveralls.Imports.CoverallsKeys.*
+import sbtbuildinfo.BuildInfoPlugin.autoImport.*
 
 inThisBuild(
   Seq(
@@ -302,6 +302,10 @@ lazy val D_EventNotification = new {
   val baseDependencies: Seq[ModuleID] = zioDependencies
 }
 
+lazy val D_Pollux_AnonCreds = new {
+  val baseDependencies: Seq[ModuleID] = Seq(D.zio, D.zioJson)
+}
+
 lazy val D_PrismAgent = new {
 
   // Added here to make prism-crypto works.
@@ -508,6 +512,11 @@ lazy val protocolPresentProof = project
   .settings(libraryDependencies += D.munitZio)
   .dependsOn(models)
 
+lazy val vc = project
+  .in(file("mercury/mercury-library/vc"))
+  .settings(name := "mercury-verifiable-credentials")
+  .dependsOn(protocolIssueCredential, protocolPresentProof) //TODO merge those two modules into this one
+
 lazy val protocolTrustPing = project
   .in(file("mercury/mercury-library/protocol-trust-ping"))
   .settings(name := "mercury-protocol-trust-ping")
@@ -554,6 +563,7 @@ lazy val agent = project // maybe merge into models
     protocolLogin,
     protocolIssueCredential,
     protocolPresentProof,
+    vc,
     protocolConnection,
     protocolReportProblem,
     protocolTrustPing,
@@ -664,7 +674,7 @@ lazy val polluxCore = project
   .dependsOn(irisClient)
   .dependsOn(prismAgentWalletAPI)
   .dependsOn(polluxVcJWT)
-  .dependsOn(protocolIssueCredential, protocolPresentProof, resolver, agentDidcommx, eventNotification, polluxAnoncreds)
+  .dependsOn(vc, resolver, agentDidcommx, eventNotification, polluxAnoncreds)
 
 lazy val polluxDoobie = project
   .in(file("pollux/lib/sql-doobie"))
@@ -687,20 +697,16 @@ lazy val polluxAnoncreds = project
   .enablePlugins(JavaAppPackaging)
   .settings(
     name := "pollux-anoncreds",
-    Compile / unmanagedJars += baseDirectory.value / "anoncreds-java-1.0-SNAPSHOT.jar",
+    Compile / unmanagedJars += baseDirectory.value / "anoncreds-jvm-1.0-SNAPSHOT.jar",
     Compile / unmanagedResourceDirectories ++= Seq(
       baseDirectory.value / "native-lib" / "NATIVE"
     ),
+    libraryDependencies ++= D_Pollux_AnonCreds.baseDependencies
   )
 
 lazy val polluxAnoncredsTest = project
   .in(file("pollux/lib/anoncredsTest"))
-  .settings(
-    libraryDependencies ++= Seq(
-      "org.scalatest" %% "scalatest" % "3.2.15" % Test,
-      ("me.vican.jorge" %% "dijon" % "0.6.0" % Test).cross(CrossVersion.for3Use2_13)
-    ),
-  )
+  .settings(libraryDependencies ++= Seq("org.scalatest" %% "scalatest" % "3.2.15" % Test))
   .dependsOn(polluxAnoncreds % "compile->test")
 
 // #####################
@@ -752,7 +758,9 @@ lazy val prismAgentWalletAPI = project
   .settings(prismAgentConnectCommonSettings)
   .settings(
     name := "prism-agent-wallet-api",
-    libraryDependencies ++= D_PrismAgent.keyManagementDependencies ++ D_PrismAgent.postgresDependencies ++ Seq(D.zioMock)
+    libraryDependencies ++= D_PrismAgent.keyManagementDependencies ++ D_PrismAgent.postgresDependencies ++ Seq(
+      D.zioMock
+    )
   )
   .dependsOn(
     agentDidcommx,
@@ -818,6 +826,7 @@ lazy val aggregatedProjects: Seq[ProjectReference] = Seq(
   protocolRouting,
   protocolIssueCredential,
   protocolPresentProof,
+  vc,
   protocolTrustPing,
   resolver,
   agent,
@@ -828,7 +837,7 @@ lazy val aggregatedProjects: Seq[ProjectReference] = Seq(
   polluxCore,
   polluxDoobie,
   polluxAnoncreds,
-  // polluxAnoncredsTest, REMOVE THIS FOR NOW
+  polluxAnoncredsTest,
   connectCore,
   connectDoobie,
   prismAgentWalletAPI,

connect/lib/core/src/test/scala/io/iohk/atala/connect/core/repository/ConnectionRepositorySpecSuite.scala

@@ -19,7 +19,7 @@ object ConnectionRepositorySpecSuite {
 
   private def connectionRecord = ConnectionRecord(
     UUID.randomUUID,
-    Instant.ofEpochSecond(Instant.now.getEpochSecond),
+    Instant.now,
     None,
     UUID.randomUUID().toString,
     None,

docs/docusaurus/credentials/anoncreds-issue-flow.puml

@@ -2,79 +2,75 @@
 title Issue flow - AnonCreds
 
 actor Holder as holder
-participant VDR
 participant "Holder PRISM Agent" as holderAgent
+participant VDR
 participant "Issuer PRISM Agent" as issuerAgent
 actor Issuer as issuer
 
 note over holderAgent, issuerAgent #aqua
-    It is assumed that a connection already exists between the holder and the issuer, and that they both have an existing Prism DID.
-    It is also assumed that AnonCreds related setup is completed (credential definition object published and holder has link secret generated).
+    It is assumed that a connection already exists between the holder and the issuer.
+    It is also assumed that the AnonCreds related setup is completed (Link Secret + Schema + Credential Definition created).
 end note
 |||
 == Create and send credential offer ==
 |||
-issuer -> issuerAgent: Create new credential offer\n""POST /issue-credentials/credential-offers""\n""{connectionId, claims, <s:red>issuingDID</s>}""\n<color:green>""{schemaId, credDefId, key_correctness_proof, nonce}""</color>
-note right: AnonCreds specific inputs could be \nprovided externally by the \nIssuer's App, or we can add some \nhiger level abstraction either to \nagent or manage.
+issuer -> issuerAgent: Create new credential offer\n""POST /issue-credentials/credential-offers""\n""{format, connectionId, claims, credDefId}""
+issuerAgent -> VDR: Fetch JSON Schema
+issuerAgent -> issuerAgent: Verify provided claims against schema
 issuerAgent -> issuerAgent: Create issue credential state record
 issuerAgent --> issuer: Issue credential record {id, state}
 note over issuerAgent: state=OfferPending
 |||
 
 == Send credential offer over DIDComm ==
 |||
-issuerAgent -> holderAgent: ""CredentialOffer"" message (includes domain/challenge)
+issuerAgent -> holderAgent: ""CredentialOffer"" message
 holderAgent -> holderAgent: Create issue credential state record
 holderAgent --> issuerAgent: OK
 note over holderAgent: state=OfferReceived
 / note over issuerAgent: state=OfferSent
 |||
 
-== Verify received credential offer (AC) ==
-|||
-holderAgent -> VDR: Retrieve Schema
-holderAgent -> VDR: Retrieve Credential Definition
-holderAgent -> holderAgent: Verify received credential offer
-|||
-
 == Review and accept credential offer ==
 |||
 holder -> holderAgent: Retrieve credential records\n""GET /issue-credentials/records""
 holderAgent --> holder: record list
 |||
-holder -> holderAgent: Accept credential offer\n""POST /issue-credentials/records/{id}/accept-offer""\n""{subjectId=did:prism:xxx}""
-note right #pink: Here the holder specifies the subject DID\nto which the credential should be issued \n**IS THIS RELEVANT TO AC???**\n(could be used as entropy/prover_did field)
+holder -> holderAgent: Accept credential offer\n""POST /issue-credentials/records/{id}/accept-offer""\n""{}""
 holderAgent --> holder: OK
 note over holderAgent: state=RequestPending
 |||
 
 == Generate and send credential request ==
 |||
-holderAgent -[#red]> holderAgent: <color:red>Sign the domain/challenge received from</color>\n<color:red>the issuer with subject Prism DID</color> (**not used in AnonCreds**)
-holderAgent -> holderAgent: Create credential request <color:green>(input: offer, CD, link secret, entropy/did)</color>
+holderAgent -> VDR: Fetch Credential Definition
+holderAgent -> holderAgent: Load Link Secret
+holderAgent -> holderAgent: Create credential request (input: link secret, cred def, offer)
+holderAgent -> holderAgent: Store request metadata
 note over holderAgent: state=RequestGenerated
 |||
-holderAgent -> issuerAgent: RequestCredential message (with DID ownership proof)
+holderAgent -> issuerAgent: RequestCredential message (includes blinded link secret)
 issuerAgent --> holderAgent: OK
 note over holderAgent: state=RequestSent
 / note over issuerAgent: state=RequestReceived
 |||
 
 == Generate and send credential ==
 |||
-issuerAgent -[#green]>issuerAgent: <color:green>Verify credential request</color>
 alt automaticIssuance=true
 issuerAgent -> issuerAgent: Automatically approve credential request
 else automaticIssuance=false
 issuer -> issuerAgent: Explicitly approve credential request\n""POST /issue-credentials/records/{id}/issue-credential""
 end
 note over issuerAgent: state=CredentialPending
 |||
-issuerAgent -> issuerAgent: Generate credential signed with <s:red>Issuing Prism DID and issued to Subject Prism DID</s>\n<color:green>CredDef keys and issued to the Holder's link_secret</color>
+issuerAgent -> issuerAgent: Generate credential signed with credential definition keys\nand issued to the Holder's blinded link secret
 note over issuerAgent: state=CredentialGenerated
 |||
-issuerAgent -> holderAgent: ""IssueCredential"" message (includes <s:red>JWT</s><color:green>AnonCreds</color> credential)
-holderAgent -> holderAgent: Verify and store credential
+issuerAgent -> holderAgent: ""IssueCredential"" message (includes AnonCreds credential)
+holderAgent -> VDR: Fetch Credential Definition
+holderAgent -> holderAgent: process/verify credential (input: credential, request metadata, link secret, cred def)
+holderAgent -> holderAgent: Store credential
 holderAgent --> issuerAgent: OK
 note over issuerAgent: state=CredentialSent
 / note over holderAgent: state=CredentialReceived

docs/docusaurus/credentials/issue-flow.puml

@@ -3,16 +3,20 @@ title Issue flow
 
 actor Holder as holder
 participant "Holder PRISM Agent" as holderAgent
+participant VDR
 participant "Issuer PRISM Agent" as issuerAgent
 actor Issuer as issuer
 
 note over holderAgent, issuerAgent #aqua
-    It is assumed that a connection already exists between the holder and the issuer, and that they both have an existing Prism DID.
+    It is assumed that a connection already exists between the holder and the issuer.
+    It is also assumed that they both have an existing Prism DID.
 end note
 |||
 == Create and send credential offer ==
 |||
-issuer -> issuerAgent: Create new credential offer\n""POST /issue-credentials/credential-offers""\n""{connectionId, claims, issuingDID}""
+issuer -> issuerAgent: Create new credential offer\n""POST /issue-credentials/credential-offers""\n""{format, connectionId, claims, issuingDID, schemaId?}""
+issuerAgent -> VDR: Fetch JSON Schema
+issuerAgent -> issuerAgent: Verify provided claims against schema
 issuerAgent -> issuerAgent: Create issue credential state record
 issuerAgent --> issuer: Issue credential record {id, state}
 note over issuerAgent: state=OfferPending

docs/docusaurus/credentials/issue.md

@@ -1,3 +1,6 @@
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
 # Issue Credentials
 
 In Atala PRISM, the [Issue Credentials Protocol](/docs/concepts/glossary#issue-credentials-protocol) allows you to create, retrieve, and manage issued [verifiable credentials (VCs)](/docs/concepts/glossary#verifiable-credentials) between a VC issuer and a VC holder.
@@ -16,11 +19,24 @@ The Issuer and Holder interact with the PRISM Agent API to perform the operation
 
 Before using the Issuing Credentials protocol, the following conditions must be present:
 
+<Tabs groupId="vc-formats">
+<TabItem value="jwt" label="JWT">
+
 1. Issuer and Holder PRISM Agents up and running
 2. A connection must be established between the Issuer and Holder PRISM Agents (see [Connections](../connections/connection.md))
 3. The Issuer must have a published PRISM DID, and the [DID document](/docs/concepts/glossary#did-document) must have at least one `assertionMethod` key for issuing credentials (see [Create DID](../dids/create.md) and [Publish DID](../dids/publish.md))
 4. The Holder must have a PRISM DID, and the DID document must have at least one `authentication` key for presenting the proof.
 
+</TabItem>
+<TabItem value="anoncreds" label="AnonCreds">
+
+1. Issuer and Holder PRISM Agents up and running
+2. A connection must be established between the Issuer and Holder PRISM Agents (see [Connections](../connections/connection.md))
+3. The Issuer must have created an AnonCreds Credential Definition as described [here](../credential-definitions/credential-definitions.md).
+
+</TabItem>
+</Tabs>
+
 ## Overview
 
 The protocol described is a VC issuance process between two Atala PRISM Agents, the Issuer and the Holder.
@@ -61,18 +77,21 @@ This section describes the Issuer role's available interactions with the PRISM A
 To start the process, the issuer needs to create a credential offer.
 To do this, make a `POST` request to the [`/issue-credentials/credential-offers`](/agent-api/#tag/Issue-Credentials-Protocol/operation/createCredentialOffer) endpoint with a JSON payload that includes the following information:
 
+<Tabs groupId="vc-formats">
+<TabItem value="jwt" label="JWT">
+
 1. `claims`: The data stored in a verifiable credential. Claims get expressed in a key-value format. The claims contain the data that the issuer attests to, such as name, address, date of birth, and so on.
 2. `issuingDID`: The DID referring to the issuer to issue this credential from
 3. `connectionId`: The unique ID of the connection between the holder and the issuer to offer this credential over.
-4. `schemaId`: An optional field that, if specified, contains a valid URL to an existing VC schema. 
-The PRISM agent must be able to dereference the specified URL (i.e. fetch the VC schema content from it), in order to validate the provided claims against it.
-When not specified, the claims fields is not validated and can be any valid JSON object.
-Please refer to the [Create VC schema](../schemas/create.md) doc for details on how to create a VC schema.     
-
-:::note
+4. `schemaId`: An optional field that, if specified, contains a valid URL to an existing VC schema.
+   The PRISM agent must be able to dereference the specified URL (i.e. fetch the VC schema content from it), in order to validate the provided claims against it.
+   When not specified, the claims fields is not validated and can be any valid JSON object.
+   Please refer to the [Create VC schema](../schemas/create.md) doc for details on how to create a VC schema.
+5. `credentialFormat`: The format of the credential that will be issued - `JWT` in this case. When not specified, the default value is `JWT`. 
 
-The issuingDID and connectionId properties come from completing the pre-requisite steps of listed above
 
+:::note
+The `issuingDID` and `connectionId` properties come from completing the pre-requisite steps listed above
 :::
 
 Once the request initiates, a new credential record for the issuer gets created with a unique ID. The state of this record is now `OfferPending`.
@@ -93,12 +112,53 @@ curl -X 'POST' \
             "drivingLicenseID": "12345",
             "drivingClass": 3
           },
+          "credentialFormat": "JWT",
           "issuingDID": "did:prism:9f847f8bbb66c112f71d08ab39930d468ccbfe1e0e1d002be53d46c431212c26",
           "connectionId": "9d075518-f97e-4f11-9d10-d7348a7a0fda",
           "schemaId": "http://localhost:8080/prism-agent/schema-registry/schemas/3f86a73f-5b78-39c7-af77-0c16123fa9c2"
         }'
 ```
 
+</TabItem>
+<TabItem value="anoncreds" label="AnonCreds">
+
+1. `claims`: The data stored in a verifiable credential. AnonCreds claims get expressed in a flat, "string -> string", key-value pair format. The claims contain the data that the issuer attests to, such as name, address, date of birth, and so on.
+2. `connectionId`: The unique ID of the connection between the holder and the issuer to offer this credential over.
+3. `credentialDefinitionId`: The unique ID of the [credential definition](../credential-definitions/credential-definitions.md) that has been created by the issuer as a prerequisite. Please refer to the [Create AnonCreds Credential Definition](../credential-definitions/credential-definitions.md) doc for details on how to create a credential definition.
+4. `credentialFormat`: The format of the credential that will be issued - `AnonCreds` in this case.  
+
+:::note
+The `connectionId` and `credentialDefinitionId` properties come from completing the pre-requisite steps listed above
+:::
+
+Once the request initiates, a new credential record for the issuer gets created with a unique ID. The state of this record is now `OfferPending`.
+
+```shell
+# Issuer POST request to create a new credential offer
+curl -X 'POST' \
+  'http://localhost:8080/prism-agent/issue-credentials/credential-offers' \
+    -H 'accept: application/json' \
+    -H 'Content-Type: application/json' \
+    -H "apikey: $API_KEY" \
+    -d '{
+          "claims": {
+            "emailAddress": "[email protected]",
+            "givenName": "Alice",
+            "familyName": "Wonderland",
+            "dateOfIssuance": "2020-11-13T20:20:39+00:00",
+            "drivingLicenseID": "12345",
+            "drivingClass": "3"
+          },
+          "credentialFormat": "AnonCreds",
+          "connectionId": "9d075518-f97e-4f11-9d10-d7348a7a0fda",
+          "credentialDefinitionId": "5d737816-8fe8-3492-bfe3-1b3e2b67220b"
+        }'
+```
+
+</TabItem>
+</Tabs>
+
+
 ### Sending the Offer to the Holder
 
 The next step for the Issuer is to send the offer to the holder using DIDComm.
@@ -165,6 +225,9 @@ curl "http://localhost:8090/prism-agent/issue-credentials/records" \
 
 To accept the offer, the Holder can make a `POST` request to the [`/issue-credentials/records/{recordId}/accept-offer`](/agent-api/#tag/Issue-Credentials-Protocol/operation/acceptCredentialOffer) endpoint with a JSON payload that includes the following information:
 
+<Tabs groupId="vc-formats">
+<TabItem value="jwt" label="JWT">
+
 1. `holder_record_id`: The unique identifier of the issue credential record known by the holder PRISM Agent.
 2. `subjectId`: This field represents the unique identifier for the subject of the verifiable credential. It is a short-form PRISM [DID](/docs/concepts/glossary#decentralized-identifier) string, such as `did:prism:subjectIdentifier`.
 
@@ -179,6 +242,23 @@ curl -X POST "http://localhost:8090/prism-agent/issue-credentials/records/$holde
      }'
 ```
 
+</TabItem>
+<TabItem value="anoncreds" labal="AnonCreds">
+
+1. `holder_record_id`: The unique identifier of the issue credential record known by the holder PRISM Agent.
+
+```shell
+# Holder POST request to accept the credential offer
+curl -X POST "http://localhost:8090/prism-agent/issue-credentials/records/$holder_record_id/accept-offer" \
+    -H 'accept: application/json' \
+    -H 'Content-Type: application/json' \
+    -H "apikey: $API_KEY" \
+    -d '{}'
+```
+
+</TabItem>
+</Tabs>
+
 This request will change the state of the record to `RequestPending`.
 
 ### Receiving the VC Credential
@@ -206,4 +286,15 @@ stateDiagram-v2
 
 The following diagram shows the end-to-end flow for an issuer to issue a VC to a holder.
 
+<Tabs groupId="vc-formats">
+<TabItem value="jwt" label="JWT">
+
 ![](issue-flow.png)
+
+</TabItem>
+<TabItem value="anoncreds" label="AnonCreds">
+
+![](anoncreds-issue-flow.png)
+
+</TabItem>
+</Tabs>