Enc/pass through cred salts

src/keri/app/cli/commands/escrow/list.py

@@ -63,7 +63,7 @@ def escrows(tymth, tock=0.0, **opts):
                 pses = list()
                 key = ekey = b''  # both start same. when not same means escrows found
                 while True:  # break when done
-                    for ekey, edig in hby.db.getPseItemIter(key=key):
+                    for ekey, edig in hby.db.getPseItemsNextIter(key=key):
                         pre, sn = dbing.splitSnKey(ekey)  # get pre and sn from escrow item
 
                         try:
@@ -138,7 +138,7 @@ def escrows(tymth, tock=0.0, **opts):
                 escrows["query-not-found"] = sum(1 for key, _ in hby.db.getQnfItemsNextIter())
 
             if (not escrow) or escrow == "partially-delegated-events":
-                escrows["partially-delegated-events"] = sum(1 for key, _ in hby.db.getPdesItemsNextIter())
+                escrows["partially-delegated-events"] = sum(1 for key, _ in hby.db.getPdeItemsNextIter())
 
             if (not escrow) or escrow == "reply":
                 escrows["reply"] = sum(1 for key, _ in hby.db.rpes.getItemIter())

src/keri/app/cli/commands/vc/create.py

@@ -1,5 +1,6 @@
 import argparse
 import json
+from typing import Optional
 
 from hio import help
 from hio.base import doing
@@ -36,6 +37,10 @@
 parser.add_argument('--alias', '-a', help='human readable alias for the new identifier prefix', required=True)
 parser.add_argument("--private", help="flag to indicate if this credential needs privacy preserving features",
                     action="store_true")
+parser.add_argument("--private-credential-nonce", help="nonce for vc",
+                    action="store_true")
+parser.add_argument("--private-subject-nonce", help="nonce for subject",
+                    action="store_true")
 parser.add_argument('--passcode', '-p', help='22 character encryption passcode for keystore (is not saved)',
                     dest="bran", default=None)  # passcode => bran
 parser.add_argument("--time", help="timestamp for the credential creation", required=False, default=None)
@@ -99,7 +104,10 @@ def issueCredential(args):
                                  rules=rules,
                                  credential=credential,
                                  timestamp=args.time,
-                                 private=args.private)
+                                 private=args.private,
+                                 private_credential_nonce=args.private_credential_nonce,
+                                 private_subject_nonce=args.private_subject_nonce,
+                                 )
 
     doers = [issueDoer]
     return doers
@@ -112,7 +120,8 @@ class CredentialIssuer(doing.DoDoer):
     """
 
     def __init__(self, name, alias, base, bran, registryName=None, schema=None, edges=None, recipient=None, data=None,
-                 rules=None, credential=None, timestamp=None, private=False):
+                 rules=None, credential=None, timestamp=None, private:bool=False, private_credential_nonce:Optional[str]=None,
+                 private_subject_nonce:Optional[str]=None,):
         """ Create DoDoer for issuing a credential and managing the processes needed to complete issuance
 
         Parameters:
@@ -124,7 +133,9 @@ def __init__(self, name, alias, base, bran, registryName=None, schema=None, edge
              data: (dict) credential data dict
              credential: (dict) full credential to issue when joining a multisig issuance
              out (str): Filename for credential output
-             private: (bool) privacy preserving
+             private (bool): apply nonce used for privacy preserving ACDC
+             private_credential_nonce (Optional[str]): nonce used for privacy vc
+             private_subject_nonce (Optional[str]): nonce used for subject
 
         """
         self.name = name
@@ -173,7 +184,9 @@ def __init__(self, name, alias, base, bran, registryName=None, schema=None, edge
                                                        source=edges,
                                                        rules=rules,
                                                        data=data,
-                                                       private=private)
+                                                       private=private,
+                                                       private_credential_nonce=private_credential_nonce,
+                                                       private_subject_nonce=private_subject_nonce)
             else:
                 self.creder = serdering.SerderACDC(sad=credential) # proving.Creder(ked=credential)
                 self.credentialer.validate(creder=self.creder)

src/keri/db/basing.py

@@ -1173,7 +1173,7 @@ def clearEscrows(self):
         logger.info(f"KEL: Cleared {count} verified receipt escrows")
 
         count = 0
-        for (k, _) in self.getPseItemIter():
+        for (k, _) in self.getPseItemsNextIter():
             count += 1
             self.delPses(key=k)
         logger.info(f"KEL: Cleared {count} partially signed escrows")
@@ -1203,14 +1203,12 @@ def clearEscrows(self):
         logger.info(f"KEL: Cleared {count} likely duplicitous escrows")
 
         count = 0
-        for ekey, edig in self.getQnfItemsNextIter():
-            count += 1
-            pre, _ = splitKey(ekey)
-            self.delQnf(dgKey(pre, edig), edig)
+        for k, _ in self.getQnfItemsNextIter():
+            self.delQnfs(key=k)
         logger.info(f"KEL: Cleared {count} query not found escrows")
 
         count = 0
-        for (key, on, val) in self.getPdesItemsNextIter():
+        for (key, _) in self.getPdeItemsNextIter():
             count += 1
             self.delPde(key=key)
         logger.info(f"KEL: Cleared {count} partially delegated key event escrows")
@@ -1228,8 +1226,8 @@ def clearEscrows(self):
             for (k, _) in escrow.getItemIter():
                 count += 1
             escrow.trim()
-            # logger.info(f"KEL: Cleared {count} escrows from ({name.ljust(5)}): {desc}")
-        logger.info(f"Cleared all escrows")
+            logger.info(f"KEL: Cleared {count} escrows from ({name.ljust(5)}): {desc}")
+        logger.info("Cleared KEL escrows")
 
     @property
     def current(self):
@@ -2640,18 +2638,6 @@ def getPseLast(self, key):
         """
         return self.getIoValLast(self.pses, key)
 
-    def getPseItemIter(self, key=b''):
-        """
-        Use sgKey()
-        Return iterator of partial signed escrowed event dig items at next key after key.
-        Items is (key, val) where proem has already been stripped from val
-        If key is b'' empty then returns dup items at first key.
-        If skip is False and key is not b'' empty then returns dup items at key
-        Raises StopIteration Error when empty
-        Duplicates are retrieved in insertion order.
-        """
-        return self.getTopIoDupItemIter(self.pses, key)
-
     def getPseItemsNext(self, key=b'', skip=True):
         """
         Use snKey()
@@ -2731,6 +2717,24 @@ def getPde(self, key):
         """
         return self.getVal(self.pdes, key)
 
+    def getPdes(self, key):
+        """
+        Use dgKey()
+        Return list of out of order escrow event dig vals at key
+        Returns empty list if no entry at key
+        Duplicates are retrieved in insertion order.
+        """
+        return self.getIoVals(self.pdes, key)
+
+    def getPdeItemsNextIter(self, key=b'', skip=True):
+        """
+        Use dgKey()
+        Return list of witnessed signed escrowed event dig vals at key
+        Returns empty list if no entry at key
+        Duplicates are retrieved in insertion order.
+        """
+        return self.getIoItemsNextIter(self.pdes, key, skip)
+
     def delPde(self, key):
         """
         Use dgKey()
@@ -3137,9 +3141,6 @@ def getQnfItemsNextIter(self, key=b'', skip=True):
         """
         return self.getIoItemsNextIter(self.qnfs, key, skip)
 
-    def getPdesItemsNextIter(self, key=b'', skip=True):
-        return self.getOnIoDupItemIter(self.pdes, key, skip)
-
     def cntQnfs(self, key):
         """
         Use snKey()

src/keri/vc/proving.py

@@ -4,15 +4,13 @@
 
 """
 
-from collections.abc import Iterable
-from typing import Union
+from typing import Optional
 
 from .. import help
 from ..core import coring, serdering
 from ..core.coring import (Serials, versify)
-from ..db import subing
-from ..kering import Version
 from ..help import helping
+from ..kering import Version
 
 KERI_REGISTRY_TYPE = "KERICredentialRegistry"
 
@@ -23,8 +21,9 @@ def credential(schema,
                issuer,
                data,
                recipient=None,
-               private=False,
-               salt=None,
+               private:bool=False,
+               private_credential_nonce:Optional[str]=None,
+               private_subject_nonce:Optional[str]=None,
                status=None,
                source=None,
                rules=None,
@@ -40,7 +39,8 @@ def credential(schema,
         recipient (Option[str|None]): qb64 identifier prefix of the recipient
         data (dict): of the values being assigned to the subject of this credential
         private (bool): apply nonce used for privacy preserving ACDC
-        salt (string): salt for nonce
+        private_credential_nonce (Optional[str]): nonce used for privacy vc
+        private_subject_nonce (Optional[str]): nonce used for subject
         source (dict | list): of source credentials to which this credential is chained
         rules (dict | list): ACDC rules section for credential
         version (Version): version instance
@@ -62,8 +62,8 @@ def credential(schema,
     )
 
     if private:
-        vc["u"] = salt if salt is not None else coring.Salter().qb64
-        subject["u"] = salt if salt is not None else coring.Salter().qb64
+        vc["u"] = private_credential_nonce if private_credential_nonce is not None else coring.Salter().qb64
+        subject["u"] = private_subject_nonce if private_subject_nonce is not None else coring.Salter().qb64
 
     if recipient is not None:
         subject['i'] = recipient