Possible Askar Key Management issue after migrating to v0.6.1

[Sshovon]

I am trying to migrate my agents to Credo v0.6.1, but I am encountering issues related to Askar key management. On this version, the agent is unable to create new keys or access existing keys to any ops. When attempting to create a new key, the process fails with a KeyManagementError: Error creating key, caused by a TypeError: Cannot read properties of undefined (reading 'keyGetJwkSecret') originating from AskarKeyManagementService.privateJwkFromKey.

KeyManagementError: Error creating key
    at AskarKeyManagementService.createKey (file:///home/frcs/my-zone/temp-credo-agent/node_modules/@credo-ts/askar/src/kms/AskarKeyManagementService.ts:250:13)
    at KeyManagementApi$1.createKey (file:///home/frcs/my-zone/temp-credo-agent/node_modules/@credo-ts/core/src/modules/kms/KeyManagementApi.ts:81:27)
    at Function.build (/home/frcs/my-zone/temp-credo-agent/holder.ts:42:48)
    at main (/home/frcs/my-zone/temp-credo-agent/holder.ts:89:5) {
  [cause]: TypeError: Cannot read properties of undefined (reading 'keyGetJwkSecret')
      at AskarKeyManagementService.privateJwkFromKey (file:///home/frcs/my-zone/temp-credo-agent/node_modules/@credo-ts/askar/src/kms/AskarKeyManagementService.ts:721:13)
      at AskarKeyManagementService.publicJwkFromKey (file:///home/frcs/my-zone/temp-credo-agent/node_modules/@credo-ts/askar/src/kms/AskarKeyManagementService.ts:710:45)
      at AskarKeyManagementService.createKey (file:///home/frcs/my-zone/temp-credo-agent/node_modules/@credo-ts/askar/src/kms/AskarKeyManagementService.ts:235:30)
      at KeyManagementApi$1.createKey (file:///home/frcs/my-zone/temp-credo-agent/node_modules/@credo-ts/core/src/modules/kms/KeyManagementApi.ts:81:27)
      at Function.build (/home/frcs/my-zone/temp-credo-agent/holder.ts:42:48)
      at main (/home/frcs/my-zone/temp-credo-agent/holder.ts:89:5)
}

If I attempt to use any existing key, I instead encounter a TypeError: Cannot read properties of undefined (reading 'sessionFetchKey'). One important observation is that this issue only occurs when installing and running the packages in a separate repository; the demo-openid works as expected with similar agent configuration.

This makes me wonder if I might be missing some initialization step, configuration that demo-openid already includes. The issue can be reproduced by running npm run holder in this repo. I would really appreciate any pointers or guidance on what I might be overlooking, or if there are any known migration steps or changes in v0.6.1.

[Sshovon]

In earlier version of credo it used to set AskarKeyManagementService by default with backend askar (as enableKms is by default true in askar module ) which was responsible for managing the keys..
But in v0.6.1 AskarKeyManagementService is being registered on startup but it seems its missing some configuration in some place..I am not sure what..
But if I additionally add following backend in agent configuration the issue gets resolved temporarily, I guess it does need to use AskarKeyManagementService for data persistence...

kms: new Kms.KeyManagementModule({
            backends: [new NodeKeyManagementService(new NodeInMemoryKeyManagementStorage())],
  }),

The demo-openid holder agent is working fine without adding NodeKeyManagementService..I am getting a bit confused ..can anyone please let me know if what missing in this scenario...

One quick question: If I registered NodeKeyManagementService along with AskarKeyManagementService (by default) , how the agent decides which backend to use? Also in case of NodeKeyManagementService , it loses data if servers are restarted so, does it performs like a in-memory cache along with AskarKeyManagementService which maintains the data persistancy ?

[sairanjit]

@Sshovon, I think the issue is related to the registration of node Askar. We had to do it like this https://github.com/credebl/credo-controller/blob/fix/agent-setup-and-controllers/src/cliAgent.ts#L3.

[TimoGlastra]

Thanks for opening the issue, this should be fixed once we upgrade to the next askar version.

It contains some other breaking changes, thus we can't directly update. We might want to make a patch release for askar.

This is an issue i think with the upgrade to ESM

(But the fix from @sairanjit should work fine for now)

[Sshovon]

Thanks a lot @sairanjit.