added Verifier and Semver (#8)

added Verifier and Semver

---------

Co-authored-by: wasabrot <[email protected]>
Co-authored-by: Dastan <[email protected]>

.github/workflows/docker-build.yml

@@ -2,16 +2,49 @@ name: Docker Build
 
 on:
   push:
-    branches: [ buildfile ]
+    branches: [ main ]
+
   pull_request:
     branches: [ main ]
 
 jobs:
   build:
-    runs-on: ubuntu-latest  # , self-hosted
+    runs-on: ubuntu-latest  # , l5, self-hosted
+    permissions:
+      contents: write
     steps:
     - name: Check out code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
+
+    - name:  Dry-run of Bump version and push tag, Minor version for each merge
+      if: github.event_name == 'pull_request'
+      uses: anothrNick/[email protected]
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        WITH_V: true
+        DEFAULT_BUMP: patch
+        DRY_RUN: true
+        VERBOSE: true
+        INITIAL_VERSION: 0.1.0
+
+    - name:  Bump version and push tag, Minor version for each merge
+      if: github.event_name != 'pull_request'
+      uses: anothrNick/[email protected]
+      id: taggerRun
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        WITH_V: true
+        DEFAULT_BUMP: patch
+
+    - name: echo tag
+      if: github.event_name != 'pull_request'
+      run: |
+        echo "The current tag is: ${{ steps.taggerRun.outputs.new_tag }}"
+
+    - name: echo part
+      if: github.event_name != 'pull_request'
+      run: |
+        echo "The version increment was: ${{ steps.taggerRun.outputs.part }}"
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v2 
@@ -26,41 +59,36 @@ jobs:
     - name: Build Docker image (manual)
       run: |
         docker build --no-cache -t e36io/hyperfridge-r0:${{ github.run_id }} .
-        
-
-    # - name: Build Docker image
-    #   uses: docker/build-push-action@v2
-    #   with:
-    #     no-cache: true
-    #     context: .
-    #     file: ./Dockerfile
-    #     push: false
-    #     load: true
-    #     tags: e36io/hyperfridge-r0:${{ github.run_id }}
 
     - name: Create and Run Temporary Container
       run: |
         docker create --name temp-container e36io/hyperfridge-r0:${{ github.run_id }}
-        docker cp temp-container:/host/out/IMAGE_ID.hex ./IMAGE_ID.hex
+        docker cp temp-container:/app/IMAGE_ID.hex ./IMAGE_ID.hex
+        docker cp temp-container:/app ./app
+        docker cp temp-container:/data ./data
         docker rm temp-container  
 
     - name: Read the Image Tag
       id: read_tag
       run: echo "IMAGE_TAG=$(cat IMAGE_ID.hex)" >> $GITHUB_ENV        
 
+    - name: Zip App and Data Directories to create a release
+      if: github.event_name != 'pull_request'
+      run: |
+        zip -r hyperfridge-${{ env.IMAGE_TAG }}-${{ steps.taggerRun.outputs.new_tag }}.zip ./app ./data
+
     - name: Build and Push Docker image with custom tag
       if: github.event_name != 'pull_request'
       uses: docker/build-push-action@v2
       with:
         context: .
         file: ./Dockerfile
         push: true
-        tags: e36io/hyperfridge-r0:${{ env.IMAGE_TAG }}
+        tags: e36io/hyperfridge-r0:${{ steps.taggerRun.outputs.new_tag }}-${{ env.IMAGE_TAG }}      
 
-    - name: Create GitHub Tag
+    - name: Create GitHub Release with zipped binaries
       if: github.event_name != 'pull_request'
       run: |
-        git config --local user.email "[email protected]"
-        git config --local user.name "GitHub Action"
-        git tag ${{ env.IMAGE_TAG }}
-        git push origin ${{ env.IMAGE_TAG }}        
+          gh release create ${{ steps.taggerRun.outputs.new_tag }}-${{ env.IMAGE_TAG }} hyperfridge-${{ env.IMAGE_TAG }}-${{ steps.taggerRun.outputs.new_tag }}.zip --title "Release Version ${{ steps.taggerRun.outputs.new_tag }} Image ID:${{ env.IMAGE_TAG }}"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -21,8 +21,9 @@ data/*.bin
 data/tmp/*
 data/hello.txt
 data/test.sh
-host/out/IMAGE_ID.binary
-host/out/IMAGE_ID.hex
 data/test2/*
 
 
+data/test/test.xml-Receipt-*
+*.log
+data/test/tmp/*

Cargo.toml

@@ -1,6 +1,6 @@
 [workspace]
 resolver = "2"
-members = ["host", "methods"]
+members = ["host", "methods", "verifier"]
 
 # Always optimize; building and running the guest takes much longer without optimization.
 [profile.dev]

Dockerfile

@@ -6,19 +6,33 @@ RUN cargo risczero install
 
 COPY data data
 COPY host host
+COPY verifier verifier
 COPY methods methods
 COPY Cargo.toml /
 COPY rust-toolchain.toml /
 
+# create directory holding generated Id of Computation which will be proved. 
 WORKDIR /host
-RUN mkdir out; touch out/test.touch
-RUN RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test  -- --nocapture
+RUN mkdir out; touch out/test.touch; rm out/test.touch
 
-WORKDIR /methods/guest
-RUN RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test --features debug_mode -- --nocapture
+WORKDIR /
+RUN RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo build --release 
+# creates fake proof for test data, so that calling "verifier" without parameters works
+RUN RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test  --release -- --nocapture
 
-RUN ls -la /host
+# Final Stage - Alpine Image
+FROM debian:bookworm-slim as runtime
+#FROM alpine:latest as runteim
+# add glibc 
+# RUN apk --no-cache add ca-certificates libgcc gcompat
 
-#COPY host/out host/out
+# Copy the compiled binaries from the build stage
+COPY --from=build /target/release/host /app/host
+COPY --from=build /target/release/verifier /app/verifier
+COPY --from=build /target/riscv-guest/riscv32im-risc0-zkvm-elf/release/hyperfridge /app/hyperfridge
+COPY --from=build /host/out/IMAGE_ID.hex /app/IMAGE_ID.hex
+COPY --from=build /data /data
 
-CMD ["RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo run  -- --nocapture "]
+WORKDIR /app
+
+CMD ["./verifier"]

README2.md

@@ -1,15 +1,32 @@
+# Todos
+
+- check for libs, eg. serde is double
+- use risc0 sha --> check for more
+- Paper: plug-in TradFi assets like Fiat accounts, and portfolios. Sepa, Indian, british
+
 # How to run with test data
 
 ```bash
 cd host
 RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo build  -- 
+RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo build  --release -- 
 RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test  --
 RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test  -- --nocapture
-RUST_BACKTRACE=1 cargo run  -- ../data/test/test.xml ../data/bank_public.pem ../data/client.pem  
+
+RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo run  -- --verbose proveraw -r "../data/test/test.xml" -b "../data/bank_public.pem" -c "../data/client.pem" -i CH4308307000289537312
+
+RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo run  -- --verbose prove-camt -r "./test/test.xml" -b "./bank_public.pem" -c "./client.pem" -i CH4308307000289537312
+
+RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo run  -- --verbose prove-camt53  -r "../data/test/test.xml" -b "../data/bank_public.pem" -c "../data/client.pem" -i CH4308307000289537312 --script "../data/checkResponse.sh"
+
+RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo run  -- --verbose test 
+
+date && RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo run  -- ../data/test/test.xml ../data/bank_public.pem ../data/client.pem CH4308307000289537312 > "create-receipt-$(date).log" && date
 
 ```
 
-Run tests for verifier - need to enable main function with feature flag:
+
+Run tests for verifier - need to enable main function with feature flag, use RUST_LOG="executor=info" as needed.  
 
 ```bash
 cd methods/guest
@@ -18,9 +35,15 @@ RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test --features debug_mode
 RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test --features debug_mode -- --nocapture
 ```
 
-RUST_LOG="executor=info"
+When pushing run clippy and fmt: 
 
+```bash
+cargo fmt --all
+cargo fmt --all -- --check
+RISC0_SKIP_BUILD=true  cargo clippy
 
+cargo doc --no-deps --open
+```
 
 Generate coverage data
 
@@ -31,6 +54,20 @@ RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo tarpaulin --features debug_mode
 RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test --features debug_mode -- --nocapture
 ```
 
+## gernate documentation
+
+```bash
+
+(cd host && \
+     cargo run -- --markdown-help > ../docs/verifier-cli.md && \
+     cargo doc --no-deps --document-private-items --open
+)
+
+# with output 
+RUST_BACKTRACE=1 RISC0_DEV_MODE=true cargo test --features debug_mode -- --nocapture
+```
+
+
 # Unstructured notes
 
 cd /host

data/checkResponse.sh

@@ -20,12 +20,20 @@ if [ -z "${xml_file}" ]; then
     echo "xml_file variable is not set. Set to default."
     xml_file="response_template.xml"
 fi
-dir_name="${xml_file%.xml}"
+xml_file_stem=$(basename "$xml_file")
 
-if [ ! -d "$dir_name" ]; then
-    mkdir "$dir_name"
+if [ -z "${dir_name}" ]; then
+    echo "xml_dir variable is not set. Set to default."
+    dir_name="${xml_file%.xml}"
 fi
 
+echo "....xxxxxx$dir_name"
+
+mkdir -p "$dir_name"
+mkdir -p "${dir_name}/tmp" 
+
+ls -la "${dir_name}/tmp" 
+
 if [ -z "${pem_file}" ]; then
     echo "pem_file variable for bank public key X002 is not set. Set to default."
     pem_file="productive_bank_x002.pem"
@@ -36,17 +44,17 @@ if [ -z "${private_pem_file}" ]; then
     private_pem_file="../secrets/e002_private_key.pem"
 fi
 
-decrypted_file="$dir_name/orderdata_decrypted.zip"
+decrypted_file="$dir_name/tmp/${xml_file_stem}_payload_camt53_decrypted.zip"
 
 openssl rsa -in $private_pem_file -check -noout
-openssl rsa -pubin -in $pem_file -text -noout > ./tmp/${pem_file}.txt
+#openssl rsa -pubin -in $pem_file -text -noout > ${dir_name}/tmp/${pem_file}.txt
 
 # Generate timestamp
 timestamp=$(date +%Y%m%d%H%M%S)
 
 # Assign parameters to variables
-header_file=$dir_name/$xml_file-authenticated
-signedinfo_file=$dir_name/$xml_file-c14n-signedinfo
+header_file=$dir_name/${xml_file_stem}-authenticated
+signedinfo_file=$dir_name/${xml_file_stem}-c14n-signedinfo
 
 echo xml_file: $xml_file public key bank: $pem_file  private key client: $private_pem_file 
 
@@ -55,7 +63,7 @@ echo xml_file: $xml_file public key bank: $pem_file  private key client: $privat
 # which is in the case of ebics <header authenticate="true">
 # digest is base64 string in DigestValue. 
 expected_digest=$(awk '/<ds:DigestValue>/,/<\/ds:DigestValue>/' "$xml_file" | sed 's/.*<ds:DigestValue>//' | sed 's/<\/ds:DigestValue>.*$//' | tr -d '\n')
-echo "$expected_digest" > $dir_name/$xml_file-DigestInfo-value
+echo "$expected_digest" > $dir_name/tmp/$xml_file_stem-DigestInfo-value
 # Base64 --> binary --> hex
 expected_digest_hex=$(echo $expected_digest | openssl enc -d -a -A | xxd -p -c256)
 
@@ -99,17 +107,17 @@ fi
 export add_namespaces=" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\""
 # need to be 2 steps, because xmllint would remove this unneeded one but the standard sais all top-level need to be included 
 export add_namespaces2=" xmlns=\"http://www.ebics.org/H003\""
-perl -ne 'print $1 if /(<ds:SignedInfo.*<\/ds:SignedInfo>)/' "$xml_file" | sed "s+<ds:SignedInfo+<ds:SignedInfo${add_namespaces}+" | xmllint -exc-c14n - | sed "s+<ds:SignedInfo+<ds:SignedInfo${add_namespaces2}+" > "$dir_name/${xml_file}-SignedInfo"
-signedinfo_digest_file="./tmp/signedinfo_digest_$timestamp.bin"
-openssl dgst -sha256 -binary  "$dir_name/${xml_file}-SignedInfo" > "$signedinfo_digest_file"
+perl -ne 'print $1 if /(<ds:SignedInfo.*<\/ds:SignedInfo>)/' "$xml_file" | sed "s+<ds:SignedInfo+<ds:SignedInfo${add_namespaces}+" | xmllint -exc-c14n - | sed "s+<ds:SignedInfo+<ds:SignedInfo${add_namespaces2}+" > "$dir_name/${xml_file_stem}-SignedInfo"
+signedinfo_digest_file="${dir_name}/tmp/signedinfo_digest_$timestamp.bin"
+openssl dgst -sha256 -binary  "$dir_name/${xml_file_stem}-SignedInfo" > "$signedinfo_digest_file"
 echo "created digest for SignedInfo from XML, now checking Signature"
 
-perl -ne 'print $1 if /(<ds:SignatureValue.*<\/ds:SignatureValue>)/' "$xml_file" > $dir_name/$xml_file-SignatureValue
+perl -ne 'print $1 if /(<ds:SignatureValue.*<\/ds:SignatureValue>)/' "$xml_file" > $dir_name/$xml_file_stem-SignatureValue
 # Create file names with timestamp
-awk '/<ds:SignatureValue>/,/<\/ds:SignatureValue>/' $xml_file | sed 's/.*<ds:SignatureValue>//' | sed 's/<\/ds:SignatureValue>.*$//' | tr -d '\n' > "$dir_name/${xml_file}-SignatureValue-value"
+awk '/<ds:SignatureValue>/,/<\/ds:SignatureValue>/' $xml_file | sed 's/.*<ds:SignatureValue>//' | sed 's/<\/ds:SignatureValue>.*$//' | tr -d '\n' > "$dir_name/tmp/${xml_file_stem}-SignatureValue-value"
 #echo signature value from xml as base64: $signature_base64
-signature_file="./tmp/signature_$timestamp.bin"
-cat $dir_name/${xml_file}-SignatureValue-value   | openssl enc -d -a -A -out $signature_file
+signature_file="${dir_name}/tmp/signature_$timestamp.bin"
+cat $dir_name/tmp/${xml_file_stem}-SignatureValue-value   | openssl enc -d -a -A -out $signature_file
 
 echo "check signature with public key from bank $pem_file"
 # needs X002 from bank
@@ -124,16 +132,16 @@ echo "hash of signature bin file:" $(openssl dgst -r -sha256 "$signature_file")
 
 # decript and unzip base64 data
 # Base64 decoding, Decrypting, Decompressing, Verifying the signature
-awk '/<TransactionKey>/,/<\/TransactionKey>/' $xml_file | sed 's/.*<TransactionKey>//' | sed 's/<\/TransactionKey>.*$//' | tr -d '\n' > "$dir_name/${xml_file}-TransactionKey"
-awk '/<OrderData>/,/<\/OrderData>/' $xml_file | sed 's/.*<OrderData>//' | sed 's/<\/OrderData>.*$//' | tr -d '\n' > "$dir_name/${xml_file}-OrderData-value"
-perl -ne 'print $1 if /(<OrderData.*<\/OrderData>)/' $xml_file > "$dir_name/${xml_file}-OrderData"
+awk '/<TransactionKey>/,/<\/TransactionKey>/' $xml_file | sed 's/.*<TransactionKey>//' | sed 's/<\/TransactionKey>.*$//' | tr -d '\n' > "$dir_name/${xml_file_stem}-TransactionKey"
+awk '/<OrderData>/,/<\/OrderData>/' $xml_file | sed 's/.*<OrderData>//' | sed 's/<\/OrderData>.*$//' | tr -d '\n' > "$dir_name/tmp/${xml_file_stem}-OrderData-value"
+perl -ne 'print $1 if /(<OrderData.*<\/OrderData>)/' $xml_file > "$dir_name/${xml_file_stem}-OrderData"
 
 # the transaction key is ecrypted with the clients public key - so first we have to decrypt the 
 # tx key before we can use it for decrypting the payload. 
-encrypted_txkey_file_bin="./tmp/${timestamp}_encrypted_transaction_key.bin"
-cat "$dir_name/${xml_file}-TransactionKey" | base64 --decode > ${encrypted_txkey_file_bin}
+encrypted_txkey_file_bin="${dir_name}/tmp/${timestamp}_encrypted_transaction_key.bin"
+cat "$dir_name/${xml_file_stem}-TransactionKey" | base64 --decode > ${encrypted_txkey_file_bin}
 
-decrypted_txkey_file_bin="./tmp/${timestamp}_transaction_key.bin"
+decrypted_txkey_file_bin="${dir_name}/tmp/${timestamp}_transaction_key.bin"
 # PKCS#1 page 265, process for asymmetrical encryption of the transaction key
 [ $(stat --format=%s "$encrypted_txkey_file_bin") -eq 256 ] || { echo "Wrong filesize of encrypted tx key"; exit 1; }
 openssl pkeyutl -decrypt -in "${encrypted_txkey_file_bin}" -out "${decrypted_txkey_file_bin}" -inkey $private_pem_file -pkeyopt rsa_padding_mode:pkcs1 
@@ -162,8 +170,8 @@ fi
 # openssl enc -d -aes-128-cbc -nopad -in orderdata_decoded.bin -out $decrypted_file -K ${transaction_key_hex} -iv 00000000000000000000000000000000
 # but openssl does not handle ISO10126Padding, so use -nopad and do the padding manually
 
-orderdata_bin_file="./tmp/${timestamp}_orderdata_decoded.bin"
-cat  "$dir_name/${xml_file}-OrderData-value" | tr -d '\n' | base64 --decode > $orderdata_bin_file 
+orderdata_bin_file="${dir_name}/tmp/${timestamp}_orderdata_decoded.bin"
+cat  "$dir_name/tmp/${xml_file_stem}-OrderData-value" | tr -d '\n' | base64 --decode > $orderdata_bin_file 
 
 openssl enc -d -aes-128-cbc -nopad -in $orderdata_bin_file -out $decrypted_file -K ${transaction_key_hex} -iv 00000000000000000000000000000000
 # openssl enc -d -aes-128-cbc -nopad -in orderdata_decoded.bin -out $decrypted_file -pass file:transaction_key.bin -iv 00000000000000000000000000000000
@@ -195,25 +203,26 @@ else
 fi
 # check Signature
 # First we need need order data digest in binary format
-orderdata_signature_output_file="./tmp/orderdata_signaturecheck_$timestamp.bin"
-orderdata_digest_file="./tmp/orderdata_digescheck_$timestamp.bin"
+orderdata_signature_output_file="${dir_name}/tmp/orderdata_signaturecheck_$timestamp.bin"
+orderdata_digest_file="${dir_name}/tmp/orderdata_digescheck_$timestamp.bin"
 # we need the digest as a digest file; digest again with -binary 
 openssl dgst -sha256 -binary -r $orderdata_bin_file > "$orderdata_digest_file"
-orderdata_signature_file="./tmp/orderdata_signature_$timestamp.bin"
+orderdata_signature_file="${dir_name}/tmp/orderdata_signature_$timestamp.bin"
 # signature value from xml 
 orderdata_signature_value=$(awk '/<SignatureData authenticate="true">/,/<\/SignatureData>/' "$xml_file" | sed 's/.*<SignatureData authenticate="true">//' | sed 's/<\/SignatureData>.*$//' | tr -d '\n')
 # convert from base64 to binary openssl format
 echo "$orderdata_signature_value"  | openssl enc -d -a -A -out $orderdata_signature_file
 echo "Verify Signature of OrderData (Payload):"
 openssl pkeyutl  -verify -in "$orderdata_digest_file" -sigfile "$orderdata_signature_file" -pkeyopt rsa_padding_mode:pk1 -pkeyopt digest:sha256 -pubin -keyform PEM -inkey "$pem_file"
 # extract DataDigest 
-perl -ne 'print $1 if /(<DataDigest.*<\/DataDigest>)/' $xml_file > "$dir_name/${xml_file}-DataDigest"
+perl -ne 'print $1 if /(<DataDigest.*<\/DataDigest>)/' $xml_file > "$dir_name/${xml_file_stem}-DataDigest"
 
 # the result is a compressed binary using standard RFC 1951 which is just (de)compressing a stream
-zlib-flate -uncompress  < $decrypted_file > $dir_name/$xml_file.zip
-echo "size $(stat -c %s "$dir_name/$xml_file.zip") hash of zip file:" $(openssl dgst -sha256 -r "$dir_name/$xml_file.zip")
+payload_file="${dir_name}/tmp/${xml_file_stem}_payload_camt53.zip"
+zlib-flate -uncompress  < $decrypted_file > $payload_file
+echo "size $(stat -c %s "$dir_name/$xml_file_stem.zip") hash of zip file:" $(openssl dgst -sha256 -r "$payload_file")
 # The uncompressed stream is then a zip file which holds the filenames.. so its actually compressed twice. 
-unzip -o $dir_name/$xml_file.zip -d  ./$dir_name/camt53/
+unzip -o $payload_file -d  ./$dir_name/camt53/
 
 # For speeding up development - copy decrypted transation key
-cp  -v ${decrypted_txkey_file_bin}-raw ./$dir_name/$xml_file-decrypted_tx_key.binary
+cp  -v ${decrypted_txkey_file_bin}-raw ./$dir_name/$xml_file_stem-decrypted_tx_key.binary