migrate to jose v4; draft authcrypt

.github/workflows/ci-lint.yaml

@@ -19,4 +19,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.60.3
+          version: v1.62.2

.github/workflows/ci-test.yaml

@@ -13,7 +13,7 @@ jobs:
   test:
     strategy:
       matrix:
-        containers: [ 1.20.4, 1.19, 1.18 ]
+        containers: [ 1.22, 1.21, 1.20 ]
     runs-on: ubuntu-latest
     container: golang:${{ matrix.containers }}
     steps:

go.mod

@@ -1,9 +1,13 @@
 module github.com/iden3/iden3comm/v2
 
-go 1.18
+go 1.21
+
+toolchain go1.22.5
 
 require (
+	github.com/ProtonMail/go-crypto v1.1.3
 	github.com/dustinxie/ecc v0.0.0-20210511000915-959544187564
+	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/google/uuid v1.6.0
 	github.com/iden3/driver-did-iden3 v0.0.5
 	github.com/iden3/go-circuits/v2 v2.4.0
@@ -16,7 +20,7 @@ require (
 	github.com/mr-tron/base58 v1.2.0
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.9.0
-	gopkg.in/go-jose/go-jose.v2 v2.6.1
+	golang.org/x/crypto v0.25.0
 )
 
 require (
@@ -31,7 +35,6 @@ require (
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-stack/stack v1.8.1 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/holiman/uint256 v1.2.0 // indirect
 	github.com/iden3/contracts-abi/state/go/abi v1.0.1 // indirect
@@ -55,10 +58,9 @@ require (
 	github.com/tklauser/go-sysconf v0.3.11 // indirect
 	github.com/tklauser/numcpus v0.6.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	golang.org/x/crypto v0.12.0 // indirect
-	golang.org/x/net v0.10.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	gopkg.in/natefinch/npipe.v2 v2.0.0-20160621034901-c1b8fa8bdcce // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

mock/proving.go

@@ -10,12 +10,12 @@ import (
 	"encoding/json"
 	"math/big"
 
+	"github.com/go-jose/go-jose/v4"
 	"github.com/iden3/go-circuits/v2"
 	"github.com/iden3/go-iden3-core/v2/w3c"
 	"github.com/iden3/go-iden3-crypto/babyjub"
 	"github.com/iden3/go-jwz/v2"
 	"github.com/iden3/go-rapidsnark/types"
-	"gopkg.in/go-jose/go-jose.v2"
 )
 
 // ProvingMethodGroth16AuthV2 proving method to avoid using of proving key and wasm files

packers/anoncrypt.go

@@ -4,9 +4,9 @@ package packers
 import (
 	"encoding/json"
 
+	"github.com/go-jose/go-jose/v4"
 	"github.com/iden3/iden3comm/v2"
 	"github.com/pkg/errors"
-	"gopkg.in/go-jose/go-jose.v2"
 )
 
 // MediaTypeEncryptedMessage is media type for ecnrypted message
@@ -67,7 +67,8 @@ func (p *AnoncryptPacker) Pack(payload []byte, params iden3comm.PackerParams) ([
 // Unpack returns unpacked message from transport envelope
 func (p *AnoncryptPacker) Unpack(envelope []byte) (*iden3comm.BasicMessage, error) {
 
-	jwe, err := jose.ParseEncrypted(string(envelope))
+	jwe, err := jose.ParseEncrypted(
+		string(envelope), []jose.KeyAlgorithm{jose.ECDH_ES_A256KW}, []jose.ContentEncryption{jose.A256CBC_HS512})
 	if err != nil {
 		return nil, err
 	}

packers/anoncrypt_test.go

@@ -4,9 +4,9 @@ import (
 	"encoding/json"
 	"testing"
 
+	"github.com/go-jose/go-jose/v4"
 	"github.com/iden3/iden3comm/v2/mock"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/go-jose/go-jose.v2"
 )
 
 func TestAnoncryptPacker_Pack(t *testing.T) {
@@ -26,7 +26,8 @@ func TestAnoncryptPacker_Pack(t *testing.T) {
 	require.NotEqual(t, 0, len(ciphertext))
 
 	// decrypt in user side.
-	jwe, err := jose.ParseEncrypted(string(ciphertext))
+	jwe, err := jose.ParseEncrypted(
+		string(ciphertext), []jose.KeyAlgorithm{jose.ECDH_ES_A256KW}, []jose.ContentEncryption{jose.A256CBC_HS512})
 	require.NoError(t, err)
 	require.EqualValues(t, jwe.Header.ExtraHeaders[jose.HeaderType], MediaTypeEncryptedMessage)
 

packers/authcrypt.go

@@ -0,0 +1,10 @@
+package packers
+
+import (
+	"github.com/iden3/iden3comm/v2/packers/internal/authcrypt"
+)
+
+type Authcrypt = authcrypt.Authcrypt
+
+var NewAuthcrypt = authcrypt.NewAuthcrypt
+var echdToECDSA = authcrypt.ECHDToECDSA

packers/authcrypt_test.go

@@ -0,0 +1,48 @@
+package packers
+
+import (
+	"crypto/ecdh"
+	"crypto/rand"
+	"testing"
+
+	jose "github.com/go-jose/go-jose/v4"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	messageToEncode = `{"id":"123","type":"https://iden3-communication.io/authorization/1.0/response","from":"119tqceWdRd2F6WnAyVuFQRFjK3WUXq2LorSPyG9LJ","body":{"scope":[{"type":"zeroknowledge","circuitId":"auth","pub_signals":["1","18311560525383319719311394957064820091354976310599818797157189568621466950811","323416925264666217617288569742564703632850816035761084002720090377353297920"],"proof_data":{"pi_a":["11130843150540789299458990586020000719280246153797882843214290541980522375072","1300841912943781723022032355836893831132920783788455531838254465784605762713","1"],"pi_b":[["20615768536988438336537777909042352056392862251785722796637590212160561351656","10371144806107778890538857700855108667622042215096971747203105997454625814080"],["19598541350804478549141207835028671111063915635580679694907635914279928677812","15264553045517065669171584943964322117397645147006909167427809837929458012913"],["1","0"]],"pi_c":["16443309279825508893086251290003936935077348754097470818523558082502364822049","2984180227766048100510120407150752052334571876681304999595544138155611963273","1"],"protocol":""}}]}}`
+)
+
+var (
+	senderKey, _    = ecdh.P256().GenerateKey(rand.Reader)
+	recipientKey, _ = ecdh.P256().GenerateKey(rand.Reader)
+)
+
+func TestAuthCry(t *testing.T) {
+	a := NewAuthcrypt(func(kid string) (interface{}, error) {
+		return senderKey, nil
+	})
+
+	recipient, err := echdToECDSA(recipientKey.PublicKey())
+	if err != nil {
+		t.Fatalf("failed to convert recipient key to ECDH: %s", err)
+	}
+
+	jwetoken, err := a.Encrypt(jose.JSONWebKey{
+		Key: recipient,
+	}, "sender", []byte(messageToEncode))
+	if err != nil {
+		t.Fatalf("failed to encrypt message: %s", err)
+	}
+
+	a = NewAuthcrypt(func(kid string) (interface{}, error) {
+		return recipientKey, nil
+	})
+
+	payload, err := a.Decrypt(jwetoken, senderKey.PublicKey())
+	if err != nil {
+		t.Fatalf("failed to decrypt message: %s", err)
+	}
+
+	require.Equal(t, messageToEncode, string(payload))
+}