Add SHA256withRSA-PSS pair. Add SHA384withECDSA pair. Overhaul hashin…

.github/workflows/actions.yaml

@@ -2,8 +2,10 @@ on:
   workflow_dispatch:
   push:
     branches:
-      - 'master'
-      - 'main'
+      - master
+      - main
+      - feature/*
+      - fix/*
 
 env:
   CI_JOB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -19,20 +21,27 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Install werf
-        uses: werf/actions/[email protected]
-
       - name: Log in to registry
         # This is where you will update the personal access token to GITHUB_TOKEN
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
 
       - name: Run echo
         run: |
-          werf version
           docker version
           echo $GITHUB_REPOSITORY
           echo $GITHUB_SHA
-      - name: Run Build
-        run: |
-          . $(werf ci-env github --as-file)
-          werf export service --tag ghcr.io/rarimo/passport-identity-provider:$GITHUB_SHA
+
+      - name: Cache layers
+        uses: actions/cache@v3
+        with:
+          path: "${{ github.workspace }}/.skaffold/cache"
+          key: skaffold-${{ hashFiles('**/cache') }}
+          restore-keys: |
+            skaffold-
+
+      - name: Run Skaffold pipeline as command
+        uses: hiberbee/github-action-skaffold@latest
+        id: build
+        with:
+          command: build --tag ${{ github.sha }}
+          repository: ghcr.io/${{ github.repository_owner }}

.github/workflows/deploy-gh-pages.yaml

@@ -11,6 +11,7 @@ on:
     #  - v*
     branches:
       - main
+      - feature/*
 
 jobs:
   deploy_pages:

.github/workflows/tag.yaml

@@ -20,20 +20,27 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Install werf
-        uses: werf/actions/[email protected]
-
       - name: Log in to registry
         # This is where you will update the personal access token to GITHUB_TOKEN
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
 
       - name: Run echo
         run: |
-          werf version
           docker version
           echo $GITHUB_REPOSITORY
-          echo $GITHUB_REF_NAME
-      - name: Run Build
-        run: |
-          . $(werf ci-env github --as-file)
-          werf export service --tag ghcr.io/rarimo/passport-identity-provider:$GITHUB_REF_NAME
+          echo $GITHUB_SHA
+
+      - name: Cache layers
+        uses: actions/cache@v3
+        with:
+          path: "${{ github.workspace }}/.skaffold/cache"
+          key: skaffold-${{ hashFiles('**/cache') }}
+          restore-keys: |
+            skaffold-
+
+      - name: Run Skaffold pipeline as command
+        uses: hiberbee/github-action-skaffold@latest
+        id: build
+        with:
+          command: build --tag ${{ github.sha }}
+          repository: ghcr.io/${{ github.repository_owner }}

.gitignore

@@ -6,3 +6,4 @@ config.*.yaml
 docs/node_modules
 docs/web_deploy
 vendor/
+docker-compose.yml

Dockerfile

@@ -1,17 +1,26 @@
-FROM golang:1.21.6-alpine as buildbase
+FROM golang:1.23.4-alpine as buildbase
 
-RUN apk add git build-base
+ARG CI_JOB_TOKEN
 
-WORKDIR /go/src/github.com/rarimo/passport-identity-provider
-COPY vendor .
+RUN apk add git build-base ca-certificates
+WORKDIR /go/src/github.com/rarimo/incognito-light-registrator
 COPY . .
 
-RUN GOOS=linux go build  -o /usr/local/bin/identity-provider-service /go/src/github.com/rarimo/passport-identity-provider
+RUN git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com".insteadOf https://gitlab.com
+RUN git config --global url."https://${CI_JOB_TOKEN}@github.com/".insteadOf https://github.com/
 
+RUN go mod tidy && go mod vendor
+RUN CGO_ENABLED=1 GO111MODULE=on GOOS=linux go build  -o /usr/local/bin/incognito-light-registrator /go/src/github.com/rarimo/incognito-light-registrator
 
-FROM alpine:3.9
+FROM scratch
 
-COPY --from=buildbase /usr/local/bin/identity-provider-service /usr/local/bin/identity-provider-service
-RUN apk add --no-cache ca-certificates
+COPY --from=alpine:3.9 /bin/sh /bin/sh
+COPY --from=alpine:3.9 /usr /usr
+COPY --from=alpine:3.9 /lib /lib
 
-ENTRYPOINT ["identity-provider-service"]
+COPY --from=buildbase /usr/local/bin/incognito-light-registrator /usr/local/bin/incognito-light-registrator
+COPY --from=buildbase /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=buildbase /go/src/github.com/rarimo/incognito-light-registrator/verification_keys/* /verification_keys/
+COPY --from=buildbase /go/src/github.com/rarimo/incognito-light-registrator/masterList.dev.pem /masterList.dev.pem
+
+ENTRYPOINT ["incognito-light-registrator"]

README.md

@@ -1,99 +1,76 @@
-# identity-provider-service
+# incognito-light-registrator
 
 ## Description
 
-This service is responsible for verifying a user-provided ZKP, real-world identity certificate and issuing voting permission claim.
+This service is responsible for verifying a user-provided ZKP and real-world identity certificate
 
 ## Endpoints
 
 ### create_identity
 
-`create_identity` verifies a user-provided ZKP that proves the real-world identity ownership, validates this real-world identity certificate and issues a PollsCredential claim.<br><br>
-Path: `POST /integrations/identity-provider-service/v1/create-identity`<br>
+`register` verifies a user-provided ZKP that proves the real-world identity ownership, validates this real-world 
+identity certificate and return poseidon hash of truncated signed attributes by 252 bits along with ECDSA signature of
+dg1 and poseidon hash.
+Path: `POST /integrations/incognito-light-registrator/v1/register`<br>
 Payload example (proof is provided as an example and actually does not prove anything):
 ```json
 {
   "data": {
-    "id": "did:iden3:readonly:tJWarsbwqiUxHm8BPi4aYSnnj54AbuR4D2RrhkykQ",
-    "document_sod": {
-      "signed_attributes": "hex_string",
-      "algorithm": "SHA256withRSA",
-      "signature": "hex_string",
-      "pem_file": "-----BEGIN CERTIFICATE-----\n{...}\n-----END CERTIFICATE-----",
-      "encapsulated_content": "hex_string"
-    },
-    "zkproof": {
-      "proof": {
-        "pi_a": [
-          "4486400337619062702179111506341517111494111681111222111137338836157671763417",
-          "4486400337619062702179111506341517111494111681111222111137338836157671763417",
-          "1"
+    "attributes": {
+      "document_sod": {
+        "hash_algorithm": "SHA256",
+        "signature_algorithm": "ECDSA",
+        "signed_attributes": "0x303030303030303030303030303030303030303030303030303030303030",
+        "encapsulated_content": "0x303030303030303030303030303030303030303030303030303030303030",
+        "signature": "0x303030303030303030303030303030303030303030303030303030303030",
+        "aa_signature": "0x303030303030303030303030303030303030303030303030303030303030",
+        "pem_file": "-----BEGIN CERTIFICATE-----\nbase64_pem...\n-----END CERTIFICATE-----",
+        "dg15": "No dg15 sorry :D"
+      },
+      "zk_proof": {
+        "pub_signals": [
+          "303030303030303030303030303030303030303030303030303030303030",
+          "303030303030303030303030303030303030303030303030303030303030",
+          "303030303030303030303030303030303030303030303030303030303030"
         ],
-        "pi_b": [
-          [
-            "4486400337619062702179111506341517111494111681111222111137338836157671763417",
-            "4486400337619062702179111506341517111494111681111222111137338836157671763417"
+        "proof": {
+          "pi_a": [
+            "303030303030303030303030303030303030303030303030303030303030",
+            "303030303030303030303030303030303030303030303030303030303030",
+            "1"
           ],
-          [
-            "4486400337619062702179111506341517111494111681111222111137338836157671763417",
-            "4486400337619062702179111506341517111494111681111222111137338836157671763417"
+          "protocol": "groth16",
+          "pi_c": [
+            "303030303030303030303030303030303030303030303030303030303030",
+            "303030303030303030303030303030303030303030303030303030303030",
+            "1"
           ],
-          [
-            "1",
-            "0"
+          "pi_b": [
+            [
+              "303030303030303030303030303030303030303030303030303030303030",
+              "303030303030303030303030303030303030303030303030303030303030"
+            ],
+            [
+              "303030303030303030303030303030303030303030303030303030303030",
+              "303030303030303030303030303030303030303030303030303030303030"
+            ],
+            [
+              "1",
+              "0"
+            ]
           ]
-        ],
-        "pi_c": [
-          "44864003376190627021791115063415171114941116811112221111373388361576717634171",
-          "4486400337619062702179111506341517111494111681111222111137338836157671763417",
-          "1"
-        ],
-        "protocol": "groth16",
-        "curve": "bn128"
-      },
-      "pub_signals": [
-        "311829949927574718572524671081106490489",
-        "311829949927574718572524671081106490489",
-        "4903111",
-        "24",
-        "1",
-        "25",
-        "25",
-        "1",
-        "25",
-        "18"
-      ]
+        }
+      }
     }
   }
 }
 ```
 
-## Issuer Node Integration
-
-The only Issuer Node that is used is CreateCredential that issues claim. This claim is always stored in the issuer's Claims Tree (considering that the CreateCredential payload field `mtProof` is always `true`) that is automatically transited on-chain.<br><br>
-`CreateCredential` payload example:
-```json
-{
-  "credentialSchema": "https://bafybeif5xytac5352no62kalpdin3vbwp3pknijmzwd5dqgsi72jnnss6y.ipfs.w3s.link/PollsCredential.json",
-  "credentialSubject": {
-    "id": "did:iden3:readonly:tMF5BykcV7fiDSRi3HQSH8VHjTR24fqz2BhJHHzuY",
-    "isAdult": true,
-    "issuingAuthority": 4903594,
-    "documentNullifier": "18586133768512220936620570745912940619677854269274689475585506675881198879027",
-    "credentialHash": "8645981980787649023086883978738420856660271013038108762834452721572614684349"
-  },
-  "type": "PollsCredential",
-  "mtProof": true,
-  "signatureProof": true,
-  "expiration": "2023-10-26T10:59:08Z"
-}
-```
-
 ## Install
 
   ```
-  git clone github.com/rarimo/passport-identity-provider
-  cd identity-provider-service
+  git clone github.com/rarimo/incognito-light-registrator
+  cd incognito-light-registrator
   go build main.go
   export KV_VIPER_FILE=./config.yaml
   ./main migrate up
@@ -126,8 +103,8 @@ Make sure that docker installed.
 use `docker run ` with `-p 8080:80` to expose port 80 to 8080
 
   ```
-  docker build -t github.com/rarimo/passport-identity-provider .
-  docker run -e KV_VIPER_FILE=/config.yaml github.com/rarimo/passport-identity-provider
+  docker build -t github.com/rarimo/incognito-light-registrator .
+  docker run -e KV_VIPER_FILE=/config.yaml github.com/rarimo/incognito-light-registrator
   ```
 
 ## Running from Source

config.yaml

@@ -1,33 +1,29 @@
-vault:
-  address: "http://127.0.0.1:8200"
-  mount_path: "secret_data"
-
-network:
-  eth_rpc:
-  state_contract:
-
 verifier:
   verification_keys_paths:
-    sha1: "./sha1_verification_key.json"
-    sha256: "./sha256_verification_key.json"
+    sha1: "./verification_keys/registerIdentityLight160.json"
+    sha224: "./verification_keys/registerIdentityLight224.json"
+    sha256: "./verification_keys/registerIdentityLight256.json"
+    sha384: "./verification_keys/registerIdentityLight384.json"
+    sha512: "./verification_keys/registerIdentityLight512.json"
   master_certs_path: "./masterList.dev.pem"
-  allowed_age: 18
-  multi_acc_min_limit: 10
-  multi_acc_max_limit: 30
-  registration_timeout: 1h
+  disableTimeChecks: false
+  disableNameChecks: false
 
-issuer:
-  base_url: "http://localhost:3002/v1"
-  did: ""
-  claim_type: "VotingCredential"
-  credential_schema: "https://bafybeibbniic63etdbcn5rs5ir5bhelym6ogv46afj35keatzhn2eqnioi.ipfs.w3s.link/VotingCredential.json"
+addresses:
+  registration_contract: 8B8b14B6bD955eCc96bee1D83a3Eba21B80A0E91
+  verifiers:
+    sha1: 50f07F4E66Cc7A09186120B6e0152602768923ac
+    sha224: b83D5fd8A498482b123EE1837B86B82CCd33240D
+    sha256: 91E3d9ef73afC08E083719e8CF052c1d810aF191
+    sha384: Abf2Fef1aF4ca7cB7EB3F4F2169D55C502E086aD
+    sha512: b7609357EAEA80C8a064Aa7B9Ff1D7E7b76fDB98
 
 log:
   level: debug
   disable_sentry: true
 
 db:
-  url: postgres://voting:voting@localhost:35432/voting?sslmode=disable
+  url: postgres://ilr:ilr@localhost:5432/ilr?sslmode=disable
 
 listener:
   addr: :8000

docs/spec/components/schemas/DocumentSod.yaml

@@ -0,0 +1,36 @@
+type: object
+required:
+  - hash_algorithm
+  - signature_algorithm
+  - signed_attributes
+  - signature
+  - encapsulated_content
+  - pem_file
+properties:
+  hash_algorithm:
+    type: string
+    description: The hash algorithm used to hash the content
+  signature_algorithm:
+    type: string
+    description: The signature algorithm used to sign the content
+  signed_attributes:
+    type: string
+    description: The signed attributes, for e.g. 104 bytes-long hex string
+  signature:
+    type: string
+    description: Signature corresponding to the algorithm
+  aa_signature:
+    type: string
+    description: The active authentication signature
+  encapsulated_content:
+    type: string
+    description: The encapsulated content, for e.g. 186 bytes-long hex string
+  pem_file:
+    type: string
+    description: The PEM file containing the public key
+  dg15:
+    type: string
+    description: The Data Group 15, hex string
+
+
+