Remove returning private keys (#417)

* remove returning priv keys

* update docs and integration tests

* fix alice priv key

* more int test fixes

* Test fiox

* Refactor credential application logic (#416)

* tmp

* remove side effects; use sdk lib

* update issuance template

* temp

* temp

* pr comments

Author: decentralgabe

integration/common.go

@@ -2,6 +2,7 @@ package integration
 
 import (
 	"bytes"
+	gocrypto "crypto"
 	"embed"
 	"fmt"
 	"io"
@@ -10,10 +11,8 @@ import (
 	"time"
 
 	manifestsdk "github.com/TBD54566975/ssi-sdk/credential/manifest"
-	"github.com/TBD54566975/ssi-sdk/crypto"
 	"github.com/cenkalti/backoff/v4"
 	"github.com/goccy/go-json"
-	"github.com/mr-tron/base58"
 	"github.com/oliveagle/jsonpath"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -196,24 +195,14 @@ type credApplicationParams struct {
 	ManifestID   string
 }
 
-func CreateCredentialApplicationJWT(credApplication credApplicationParams, credentialJWT, aliceDID, aliceKID, aliceDIDPrivateKey string) (string, error) {
+func CreateCredentialApplicationJWT(credApplication credApplicationParams, credentialJWT, aliceDID, aliceKID string, aliceDIDPrivateKey gocrypto.PrivateKey) (string, error) {
 	logrus.Println("\n\nCreate an Application JWT:")
 	applicationJSON, err := resolveTemplate(credApplication, "application-input.json")
 	if err != nil {
 		return "", err
 	}
 
-	alicePrivKeyBytes, err := base58.Decode(aliceDIDPrivateKey)
-	if err != nil {
-		return "", errors.Wrap(err, "base58 decoding")
-	}
-
-	alicePrivKey, err := crypto.BytesToPrivKey(alicePrivKeyBytes, crypto.Ed25519)
-	if err != nil {
-		return "", errors.Wrap(err, "bytes to priv key")
-	}
-
-	signer, err := keyaccess.NewJWKKeyAccess(aliceDID, aliceKID, alicePrivKey)
+	signer, err := keyaccess.NewJWKKeyAccess(aliceDID, aliceKID, aliceDIDPrivateKey)
 	if err != nil {
 		return "", errors.Wrap(err, "creating signer")
 	}
@@ -270,30 +259,20 @@ type submissionJWTParams struct {
 	SubmissionJWT string
 }
 
-func CreateSubmission(params submissionParams, holderPrivateKey string) (string, error) {
+func CreateSubmission(params submissionParams, holderPrivateKey gocrypto.PrivateKey) (string, error) {
 	logrus.Println("\n\nCreate our Submission:")
 	submissionJSON, err := resolveTemplate(params, "presentation-submission-input.json")
 	if err != nil {
 		return "", err
 	}
 
-	pkBytes, err := base58.Decode(holderPrivateKey)
-	if err != nil {
-		return "", errors.Wrap(err, "base58 decoding")
-	}
-
-	pkCrypto, err := crypto.BytesToPrivKey(pkBytes, crypto.Ed25519)
-	if err != nil {
-		return "", errors.Wrap(err, "bytes to priv key")
-	}
-
-	signer, err := keyaccess.NewJWKKeyAccess(params.HolderID, params.HolderKID, pkCrypto)
+	signer, err := keyaccess.NewJWKKeyAccess(params.HolderID, params.HolderKID, holderPrivateKey)
 	if err != nil {
 		return "", errors.Wrap(err, "creating signer")
 	}
 
 	var submission any
-	if err := json.Unmarshal([]byte(submissionJSON), &submission); err != nil {
+	if err = json.Unmarshal([]byte(submissionJSON), &submission); err != nil {
 		return "", err
 	}
 
@@ -303,8 +282,7 @@ func CreateSubmission(params submissionParams, holderPrivateKey string) (string,
 		return "", errors.Wrap(err, "signing json")
 	}
 
-	submissionJSONWrapper, err := resolveTemplate(
-		submissionJWTParams{SubmissionJWT: signed.String()},
+	submissionJSONWrapper, err := resolveTemplate(submissionJWTParams{SubmissionJWT: signed.String()},
 		"presentation-submission-input-jwt.json")
 	if err != nil {
 		return "", err

integration/didion_integration_test.go

@@ -3,6 +3,8 @@ package integration
 import (
 	"testing"
 
+	"github.com/TBD54566975/ssi-sdk/crypto"
+	didsdk "github.com/TBD54566975/ssi-sdk/did"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/tbd54566975/ssi-service/pkg/service/operation/storage"
@@ -29,29 +31,28 @@ func TestCreateIssuerDIDIONIntegration(t *testing.T) {
 	SetValue(didIONContext, "issuerKID", issuerKID)
 }
 
-func TestCreateAliceDIDIONIntegration(t *testing.T) {
+func TestCreateAliceDIDKeyForDIDIONIntegration(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
 	}
 
-	didIONOutput, err := CreateDIDION()
+	applicantPrivKey, applicantDIDKey, err := didsdk.GenerateDIDKey(crypto.Ed25519)
 	assert.NoError(t, err)
-	assert.NotEmpty(t, didIONOutput)
+	assert.NotEmpty(t, applicantPrivKey)
+	assert.NotEmpty(t, applicantDIDKey)
 
-	aliceDID, err := getJSONElement(didIONOutput, "$.did.id")
+	applicantDID, err := applicantDIDKey.Expand()
 	assert.NoError(t, err)
-	assert.NotEmpty(t, aliceDID)
+	assert.NotEmpty(t, applicantDID)
+
+	aliceDID := applicantDID.ID
+	assert.Contains(t, aliceDID, "did:key")
 	SetValue(didIONContext, "aliceDID", aliceDID)
 
-	aliceKID, err := getJSONElement(didIONOutput, "$.did.verificationMethod[0].id")
-	assert.NoError(t, err)
+	aliceKID := applicantDID.VerificationMethod[0].ID
 	assert.NotEmpty(t, aliceKID)
 	SetValue(didIONContext, "aliceKID", aliceKID)
-
-	aliceDIDPrivateKey, err := getJSONElement(didIONOutput, "$.privateKeyBase58")
-	assert.NoError(t, err)
-	assert.NotEmpty(t, aliceDIDPrivateKey)
-	SetValue(didIONContext, "aliceDIDPrivateKey", aliceDIDPrivateKey)
+	SetValue(didIONContext, "aliceDIDPrivateKey", applicantPrivKey)
 }
 
 func TestDIDIONCreateSchemaIntegration(t *testing.T) {
@@ -168,7 +169,7 @@ func TestDIDIONSubmitAndReviewApplicationIntegration(t *testing.T) {
 	credAppJWT, err := CreateCredentialApplicationJWT(credApplicationParams{
 		DefinitionID: presentationDefinitionID.(string),
 		ManifestID:   manifestID.(string),
-	}, credentialJWT.(string), aliceDID.(string), aliceKID.(string), aliceDIDPrivateKey.(string))
+	}, credentialJWT.(string), aliceDID.(string), aliceKID.(string), aliceDIDPrivateKey)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, credAppJWT)
 

integration/didweb_integration_test.go

@@ -3,6 +3,8 @@ package integration
 import (
 	"testing"
 
+	"github.com/TBD54566975/ssi-sdk/crypto"
+	didsdk "github.com/TBD54566975/ssi-sdk/did"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/tbd54566975/ssi-service/pkg/service/operation/storage"
@@ -29,29 +31,28 @@ func TestCreateIssuerDIDWebIntegration(t *testing.T) {
 	SetValue(didWebContext, "issuerKID", issuerKID)
 }
 
-func TestCreateAliceDIDWebIntegration(t *testing.T) {
+func TestCreateAliceDIDKeyForDIDWebIntegration(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
 	}
 
-	didWebOutput, err := CreateDIDWeb()
+	applicantPrivKey, applicantDIDKey, err := didsdk.GenerateDIDKey(crypto.Ed25519)
 	assert.NoError(t, err)
-	assert.NotEmpty(t, didWebOutput)
+	assert.NotEmpty(t, applicantPrivKey)
+	assert.NotEmpty(t, applicantDIDKey)
 
-	aliceDID, err := getJSONElement(didWebOutput, "$.did.id")
+	applicantDID, err := applicantDIDKey.Expand()
 	assert.NoError(t, err)
-	assert.Contains(t, aliceDID, "did:web")
+	assert.NotEmpty(t, applicantDID)
+
+	aliceDID := applicantDID.ID
+	assert.Contains(t, aliceDID, "did:key")
 	SetValue(didWebContext, "aliceDID", aliceDID)
 
-	aliceKID, err := getJSONElement(didWebOutput, "$.did.verificationMethod[0].id")
-	assert.NoError(t, err)
+	aliceKID := applicantDID.VerificationMethod[0].ID
 	assert.NotEmpty(t, aliceKID)
 	SetValue(didWebContext, "aliceKID", aliceKID)
-
-	aliceDIDPrivateKey, err := getJSONElement(didWebOutput, "$.privateKeyBase58")
-	assert.NoError(t, err)
-	assert.NotEmpty(t, aliceDID)
-	SetValue(didWebContext, "aliceDIDPrivateKey", aliceDIDPrivateKey)
+	SetValue(didWebContext, "aliceDIDPrivateKey", applicantPrivKey)
 }
 
 func TestDIDWebCreateSchemaIntegration(t *testing.T) {
@@ -167,7 +168,7 @@ func TestDIDWebSubmitAndReviewApplicationIntegration(t *testing.T) {
 	credAppJWT, err := CreateCredentialApplicationJWT(credApplicationParams{
 		DefinitionID: presentationDefinitionID.(string),
 		ManifestID:   manifestID.(string),
-	}, credentialJWT.(string), aliceDID.(string), aliceKID.(string), aliceDIDPrivateKey.(string))
+	}, credentialJWT.(string), aliceDID.(string), aliceKID.(string), aliceDIDPrivateKey)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, credAppJWT)
 

integration/presentation_exchange_integration_test.go

@@ -3,6 +3,8 @@ package integration
 import (
 	"testing"
 
+	"github.com/TBD54566975/ssi-sdk/crypto"
+	didsdk "github.com/TBD54566975/ssi-sdk/did"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 
@@ -29,29 +31,27 @@ func TestCreateParticipants(t *testing.T) {
 	assert.NotEmpty(t, issuerKID)
 	SetValue(presentationExchangeContext, "issuerKID", issuerKID)
 
-	holderOutput, err := CreateDIDKey()
+	holderPrivateKey, holderDIDKey, err := didsdk.GenerateDIDKey(crypto.Ed25519)
 	assert.NoError(t, err)
+	assert.NotEmpty(t, holderPrivateKey)
+	assert.NotEmpty(t, holderDIDKey)
 
-	holderDID, err := getJSONElement(holderOutput, "$.did.id")
+	holderDID, err := holderDIDKey.Expand()
 	assert.NoError(t, err)
-	assert.Contains(t, holderDID, "did:key")
-	SetValue(presentationExchangeContext, "holderDID", holderDID)
+	assert.NotEmpty(t, holderDID)
+	SetValue(presentationExchangeContext, "holderDID", holderDID.ID)
 
-	holderKID, err := getJSONElement(holderOutput, "$.did.verificationMethod[0].id")
-	assert.NoError(t, err)
+	holderKID := holderDID.VerificationMethod[0].ID
 	assert.NotEmpty(t, holderKID)
 	SetValue(presentationExchangeContext, "holderKID", holderKID)
-
-	holderPrivateKey, err := getJSONElement(holderOutput, "$.privateKeyBase58")
-	assert.NoError(t, err)
 	SetValue(presentationExchangeContext, "holderPrivateKey", holderPrivateKey)
 
 	verifierOutput, err := CreateDIDKey()
 	assert.NoError(t, err)
 
 	verifierDID, err := getJSONElement(verifierOutput, "$.did.id")
 	assert.NoError(t, err)
-	assert.Contains(t, holderDID, "did:key")
+	assert.Contains(t, verifierDID, "did:key")
 	SetValue(presentationExchangeContext, "verifierDID", verifierDID)
 
 	verifierKID, err := getJSONElement(verifierOutput, "$.did.verificationMethod[0].id")
@@ -121,7 +121,7 @@ func TestSubmissionFlow(t *testing.T) {
 		DefinitionID:  definitionID.(string),
 		CredentialJWT: credentialJWT,
 		SubmissionID:  uuid.NewString(),
-	}, holderPrivateKey.(string))
+	}, holderPrivateKey)
 	assert.NoError(t, err)
 
 	cancelOpID, err := getJSONElement(toBeCancelledOp, "$.id")
@@ -138,7 +138,7 @@ func TestSubmissionFlow(t *testing.T) {
 		DefinitionID:  definitionID.(string),
 		CredentialJWT: credentialJWT,
 		SubmissionID:  uuid.NewString(),
-	}, holderPrivateKey.(string))
+	}, holderPrivateKey)
 	assert.NoError(t, err)
 
 	opID, err := getJSONElement(submissionOpOutput, "$.id")

integration/steelthread_integration_test.go

@@ -4,6 +4,8 @@ import (
 	"testing"
 
 	credsdk "github.com/TBD54566975/ssi-sdk/credential"
+	"github.com/TBD54566975/ssi-sdk/crypto"
+	didsdk "github.com/TBD54566975/ssi-sdk/did"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/tbd54566975/ssi-service/pkg/service/operation/storage"
@@ -49,24 +51,23 @@ func TestCreateAliceDIDKeyIntegration(t *testing.T) {
 		t.Skip("skipping integration test")
 	}
 
-	didKeyOutput, err := CreateDIDKey()
+	applicantPrivKey, applicantDIDKey, err := didsdk.GenerateDIDKey(crypto.Ed25519)
 	assert.NoError(t, err)
-	assert.NotEmpty(t, didKeyOutput)
+	assert.NotEmpty(t, applicantPrivKey)
+	assert.NotEmpty(t, applicantDIDKey)
 
-	aliceDID, err := getJSONElement(didKeyOutput, "$.did.id")
+	applicantDID, err := applicantDIDKey.Expand()
 	assert.NoError(t, err)
+	assert.NotEmpty(t, applicantDID)
+
+	aliceDID := applicantDID.ID
 	assert.Contains(t, aliceDID, "did:key")
 	SetValue(steelThreadContext, "aliceDID", aliceDID)
 
-	aliceKID, err := getJSONElement(didKeyOutput, "$.did.verificationMethod[0].id")
-	assert.NoError(t, err)
+	aliceKID := applicantDID.VerificationMethod[0].ID
 	assert.NotEmpty(t, aliceKID)
 	SetValue(steelThreadContext, "aliceKID", aliceKID)
-
-	aliceDIDPrivateKey, err := getJSONElement(didKeyOutput, "$.privateKeyBase58")
-	assert.NoError(t, err)
-	assert.NotEmpty(t, aliceDID)
-	SetValue(steelThreadContext, "aliceDIDPrivateKey", aliceDIDPrivateKey)
+	SetValue(steelThreadContext, "aliceDIDPrivateKey", applicantPrivKey)
 }
 
 func TestCreateSchemaIntegration(t *testing.T) {
@@ -230,7 +231,7 @@ func TestSubmitApplicationWithIssuanceTemplateIntegration(t *testing.T) {
 	credAppJWT, err := CreateCredentialApplicationJWT(credApplicationParams{
 		DefinitionID: presentationDefinitionID.(string),
 		ManifestID:   manifestID.(string),
-	}, credentialJWT.(string), aliceDID.(string), aliceKID.(string), aliceDIDPrivateKey.(string))
+	}, credentialJWT.(string), aliceDID.(string), aliceKID.(string), aliceDIDPrivateKey)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, credAppJWT)
 
@@ -287,7 +288,7 @@ func TestSubmitAndReviewApplicationIntegration(t *testing.T) {
 	credAppJWT, err := CreateCredentialApplicationJWT(credApplicationParams{
 		DefinitionID: presentationDefinitionID.(string),
 		ManifestID:   manifestID.(string),
-	}, credentialJWT.(string), aliceDID.(string), aliceKID.(string), aliceDIDPrivateKey.(string))
+	}, credentialJWT.(string), aliceDID.(string), aliceKID.(string), aliceDIDPrivateKey)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, credAppJWT)
 

pkg/server/router/did.go

@@ -68,17 +68,16 @@ type CreateDIDByMethodRequest struct {
 }
 
 type CreateDIDByMethodResponse struct {
-	DID              didsdk.Document `json:"did,omitempty"`
-	PrivateKeyBase58 string          `json:"privateKeyBase58,omitempty"`
-	KeyType          crypto.KeyType  `json:"keyType,omitempty"`
+	DID didsdk.Document `json:"did,omitempty"`
 }
 
 // CreateDIDByMethod godoc
 //
 // @Summary     Create DID Document
-// @Description Creates a DID document with the given method. The document created is stored internally and can be
-// @Description retrieved using the GetOperation. Method dependent registration (for example, DID web registration)
-// @Description is left up to the clients of this API.
+// @Description Creates a fully custodial DID document with the given method. The document created is stored internally
+// @Description and can be retrieved using the GetOperation. Method dependent registration (for example, DID web
+// @Description registration) is left up to the clients of this API. The private key(s) created by the method are stored
+// @Description internally never leave the service boundary.
 // @Tags        DecentralizedIdentityAPI
 // @Accept      json
 // @Produce     json
@@ -124,12 +123,7 @@ func (dr DIDRouter) CreateDIDByMethod(ctx context.Context, w http.ResponseWriter
 		return framework.NewRequestError(errors.Wrap(err, errMsg), http.StatusInternalServerError)
 	}
 
-	resp := CreateDIDByMethodResponse{
-		DID:              createDIDResponse.DID,
-		PrivateKeyBase58: createDIDResponse.PrivateKeyBase58,
-		KeyType:          createDIDResponse.KeyType,
-	}
-
+	resp := CreateDIDByMethodResponse{DID: createDIDResponse.DID}
 	return framework.Respond(ctx, w, resp, http.StatusCreated)
 }