# Post-Quantum SSI f√ºr KRITIS - Complete Workflow Demonstration

## Summative Evaluation: Self-Sovereign Identity mit Post-Quantum-Kryptographie

Dieses Jupyter Notebook demonstriert einen **vollst√§ndigen Self-Sovereign Identity (SSI) Workflow** f√ºr kritische Infrastrukturen (KRITIS) im Energiesektor. Der Use Case zeigt die Ausstellung, Verwaltung und Verifikation von **Notfall-Wartungszertifikaten** f√ºr den Zugang zu einem Umspannwerk.

### üéØ Use Case: KRITIS-Zutrittskontrolle

**Szenario**: Ein Energienetzbetreiber stellt einem Notfalltechniker ein zeitlich begrenztes Zertifikat aus, das Zugang zu kritischer   Infrastruktur (Umspannwerk Nord-Ost) gew√§hrt. Das Zutrittssystem verifiziert die Berechtigung mittels **Zero-Knowledge-Proofs** ohne   Offenlegung der Identit√§t des Technikers (**Privacy by Design**, DSGVO-konform).

### üîê Post-Quantum-Kryptographie (PQC)

- **ML-DSA-65** (NIST FIPS 204): Digitale Signaturen - quantensicher gegen Shor's Algorithmus
- **ML-KEM-768** (NIST FIPS 203): Key Encapsulation - quantensicher f√ºr Key Agreement
- **did:peer:4**: DID Method mit PQC-Support f√ºr Agent-to-Agent Connections
- **TLS 1.3 PQC**: HTTPS-Verbindungen mit Post-Quantum-Cipher-Suites

### üèóÔ∏è Systemarchitektur

**3-Agenten-Setup** (Hyperledger Aries Cloud Agent Python):
- **Issuer Agent** (Port 8021): Energienetzbetreiber - Stellt KRITIS-Zertifikate aus
- **Holder Agent** (Port 8031): Notfalltechniker - Empf√§ngt und verwaltet Credentials
- **Verifier Agent** (Port 8041): Zutrittssystem Umspannwerk - Verifiziert Zero-Knowledge-Proofs

**Infrastructure Components**:
- **VON-Network**: Hyperledger Indy Blockchain (4 Validator-Nodes + 1 Ledger Browser)
- **Indy Tails Server**: Revocation Registry f√ºr Echtzeit-Credential-Widerruf
- **PQC HTTPS Proxies**: TLS 1.3 mit Post-Quantum-Cipher-Suites

### üìã Voraussetzungen

Vor Ausf√ºhrung dieses Notebooks m√ºssen folgende Systeme laufen:

1. **VON-Network starten** (Hyperledger Indy Blockchain):
    ```bash 
    cd ../von-network && ./manage start --wait
    ```
2. Indy Tails Server starten (Revocation Registry):
    ```bash
    cd ../indy-tails-server/docker && ./manage start
    ```
3. ACA-Py Agents starten (Issuer, Holder, Verifier):
    ```bash
    cd ../hopE && docker-compose up -d
    ```
4. Python-Abh√§ngigkeiten installieren:
    ```bash
    pip install requests time json pandas display datetime warnings
    ```

## Teil 1: Setup & Verbindungstests

In [None]:
# Cell 1: Imports und Konfiguration
import requests
import json
import time
import pandas as pd
import tabulate
from IPython.display import display, Markdown, HTML
from datetime import datetime
import warnings
warnings.filterwarnings('ignore')

# SSL Warnung f√ºr self-signed Zertifikate unterdr√ºcken (PQC Proxy)
# import urllib3
# urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Agent URLs
ISSUER_ADMIN_URL = "https://localhost:8021"
HOLDER_ADMIN_URL = "https://localhost:8031"
VERIFIER_ADMIN_URL = "https://localhost:8041"
VON_NETWORK_URL = "https://localhost:8000"  # PQC HTTPS Reverse Proxy

# Farben f√ºr Visualisierungen
ISSUER_COLOR = "#3498db"  # Blau
HOLDER_COLOR = "#2ecc71"  # Gr√ºn
VERIFIER_COLOR = "#e74c3c"  # Rot

print("‚úÖ Imports erfolgreich")
print(f"üìç Issuer:   {ISSUER_ADMIN_URL}")
print(f"üìç Holder:   {HOLDER_ADMIN_URL}")
print(f"üìç Verifier: {VERIFIER_ADMIN_URL}")
print(f"üìç Ledger:   {VON_NETWORK_URL}")

# ========================================
# Tails-Server Konfiguration (f√ºr Revocation)
# ========================================
TAILS_SERVER_URL = "https://localhost:6543"
TAILS_FILE_COUNT = 100  # Max Credentials per Registry

print(f"üìç Tails:    {TAILS_SERVER_URL}")
print(f"   Max Credentials per Registry: {TAILS_FILE_COUNT}")

# ========================================
# Helper Functions
# ========================================

def api_get(url, path):
    """GET Request an ACA-Py Admin API"""
    try:
        response = requests.get(f"{url}{path}")
        response.raise_for_status()
        return response.json()
    except Exception as e:
        print(f"‚ùå GET Fehler: {e}")
        return None

def api_post(url, path, data=None):
    """POST Request an ACA-Py Admin API"""
    try:
        response = requests.post(
            f"{url}{path}",
            json=data,
            headers={"Content-Type": "application/json"}
        )
        response.raise_for_status()
        return response.json()
    except Exception as e:
        print(f"‚ùå POST Fehler: {e}")
        if hasattr(e, 'response') and e.response:
            print(f"   Response: {e.response.text}")
        return None

def api_delete(url, path):
      """DELETE Request an ACA-Py Admin API"""
      try:
          response = requests.delete(
              f"{url}{path}",
              headers={"Content-Type": "application/json"}
          )
          response.raise_for_status()

          # DELETE kann leeren Body zur√ºckgeben (204 No Content)
          if response.status_code == 204:
              return {}  # Success, aber kein Content

          # Versuche JSON zu parsen, falls vorhanden
          try:
              return response.json()
          except:
              return {}  # Success, aber kein JSON

      except Exception as e:
          print(f"‚ùå DELETE Fehler: {e}")
          if hasattr(e, 'response') and e.response:
              print(f"   Response: {e.response.text}")
          return None

def pretty_print(data, title=""):
    """Formatierte JSON-Ausgabe"""
    if title:
        print(f"\n{'='*60}")
        print(f"  {title}")
        print(f"{'='*60}")
    print(json.dumps(data, indent=2))

def wait_for_status(url, path, field, expected_value, timeout=30, interval=1):
    """Wartet bis ein Feld einen bestimmten Wert hat"""
    start_time = time.time()
    while time.time() - start_time < timeout:
        response = api_get(url, path)
        if response and response.get(field) == expected_value:
            return response
        time.sleep(interval)
    print(f"‚ö†Ô∏è  Timeout: {field} erreichte nicht '{expected_value}' nach {timeout}s")
    return None

def status_badge(status, label="Status"):
    """HTML Badge f√ºr Status"""
    colors = {
        "active": "green",
        "completed": "green",
        "done": "green",
        "ready": "green",
        "pending": "orange",
        "failed": "red",
        "error": "red"
    }
    color = colors.get(status.lower(), "gray")
    return f'<span style="background-color:{color};color:white;padding:3px 8px;border-radius:3px;font-weight:bold">{label}: {status}</span>'

print("\n‚úÖ Setup komplett!")

In [None]:
# Cell 2: Infrastruktur-Status pr√ºfen (Health Check)

def check_agent_status(name, url):
    """Pr√ºft ob ein Agent bereit ist"""
    try:
        response = api_get(url, "/status/ready")
        if response and response.get("ready"):
            return f"‚úÖ {name}: Bereit"
        else:
            return f"‚ö†Ô∏è  {name}: Nicht bereit"
    except:
        return f"‚ùå {name}: Nicht erreichbar"

print("üîç Agenten-Status Check...\n")
print(check_agent_status("Issuer", ISSUER_ADMIN_URL))
print(check_agent_status("Holder", HOLDER_ADMIN_URL))
print(check_agent_status("Verifier", VERIFIER_ADMIN_URL))

# Detaillierte Informationen mit Conductor-Statistiken
print("\nüìä Detaillierte Agent-Informationen:\n")
agents_info = []
for name, url in [("Issuer", ISSUER_ADMIN_URL), ("Holder", HOLDER_ADMIN_URL), ("Verifier", VERIFIER_ADMIN_URL)]:
    status = api_get(url, "/status")
    if status:
        conductor = status.get("conductor", {})
        agents_info.append({
            "Agent": name,
            "Label": status.get("label", "N/A"),
            "Version": status.get("version", "N/A"),
            "In Sessions": conductor.get("in_sessions", 0),
            "Out Encode": conductor.get("out_encode", 0),
            "Out Deliver": conductor.get("out_deliver", 0),
            "Active": conductor.get("task_active", 0),
            "Done": conductor.get("task_done", 0),
            "Failed": conductor.get("task_failed", 0),
            "Pending": conductor.get("task_pending", 0)
        })

df = pd.DataFrame(agents_info)
print(df.to_json(orient='records', indent=2))

print("\nüîó Ledger-Verbindung testen...\n")

try:
    # Ledger-Status abrufen
    status_response = requests.get(f"{VON_NETWORK_URL}/status")
    if status_response.status_code == 200:
        print("‚úÖ Ledger-Status abrufbar")

    # Genesis-Datei abrufen
    genesis_response = requests.get(f"{VON_NETWORK_URL}/genesis")
    if genesis_response.status_code == 200:
        print(f"‚úÖ Ledger Genesis-Datei ({len(genesis_response.text)} Bytes) erreichbar\n")

except Exception as e:
    print(f"‚ùå Ledger nicht erreichbar: {e}")
    print("   Bitte starte VON-Network: cd ../von-network && ./manage start --wait\n")

print(f"üì¶ Tails Server Verbindung testen...\n")

try:
    # Tails Server Root-Endpoint testen (erwartet 404, da kein Root-Handler)
    tails_response = requests.get(f"{TAILS_SERVER_URL}")

    if tails_response.status_code == 404:
        print("‚úÖ Tails Server erreichbar (404 = Normal, kein Root-Endpoint)")
    elif tails_response.status_code == 200:
        print(f"‚úÖ Tails Server erreichbar (200 OK)")
    else:
        print(f"‚ö†Ô∏è  Tails Server antwortet mit Status {tails_response.status_code}")

    # Alternativer Test: Hash-Endpoint (sollte auch 404 geben ohne g√ºltigen Hash)
    test_hash = "0" * 64  # Dummy-Hash f√ºr Test
    hash_response = requests.get(f"{TAILS_SERVER_URL}/{test_hash}")

    if hash_response.status_code in [404, 400]:
        print(f"‚úÖ Tails Server Hash-Endpoint antwortet (Status {hash_response.status_code})")

except requests.exceptions.ConnectionError as e:
    print(f"‚ùå Tails Server nicht erreichbar: {e}")
    print("   Bitte starte Tails Server:")
    print("   cd ../indy-tails-server/docker && ./manage start")
except Exception as e:
    print(f"‚ùå Fehler beim Tails Server Test: {e}")

# ========================================
# Zeige Ledger-Transaktionen
# ========================================
print("\n" + "="*60)
print("üìã LEDGER-TRANSAKTIONEN")
print("="*60)

try:
    # Hole Domain Ledger Transaktionen
    ledger_response = requests.get(f"{VON_NETWORK_URL}/ledger/domain")

    if ledger_response.status_code == 200:
        ledger_data = ledger_response.json()
        ledger_txns = ledger_data.get('results', [])

        # Filtere nach seqNo 1-5
        target_seqnos = [1,2,3,4,5]
        found_txns = []

        for txn in ledger_txns:
            txn_metadata = txn.get('txnMetadata', {})
            seqno = txn_metadata.get('seqNo')

            if seqno in target_seqnos:
               found_txns.append(txn)

        # Sortiere nach seqNo aufsteigend
        found_txns.sort(key=lambda x: x.get('txnMetadata', {}).get('seqNo', 0))

        if found_txns:
            print(f"\n‚úÖ {len(found_txns)} Transaktionen gefunden:\n")

            for txn in found_txns:
                txn_metadata = txn.get('txnMetadata', {})
                txn_data = txn.get('txn', {})
                seqno = txn_metadata.get('seqNo')
                txn_type = txn_data.get('type')
                txn_time = txn_metadata.get('txnTime', 'N/A')

                # Typ-Mapping
                type_names = {
                    '0' : 'NODE (Validator Node Registration)',
                    '1' : 'NYM (DID Registration)',
                    '4' : 'TXN_AUTHOR_AGREEMENT',
                    '5' : 'TXN_AUTHOR_AGREEMENT_AML',
                    '100': 'ATTRIB',
                    '101': 'SCHEMA',
                    '102': 'CRED_DEF',
                    '112': 'CHANGE_KEY',
                    '113': 'REVOC_REG_DEF',
                    '114': 'REVOC_REG_ENTRY',
                    '120': 'AUTH_RULE'
                }
                type_name = type_names.get(str(txn_type), f'Type {txn_type}')

                print(f"============================================================")
                print(f"Seq No: {seqno} | Time: {txn_time}")
                print(f"Transaction Type: {type_name}")
                print(f"============================================================\n")

                # Zeige vollst√§ndige Transaction
                pretty_print(txn, f"Ledger Transaction (seqNo {seqno})")
                print()

        else:
            print(f"\n‚ö†Ô∏è  NYM-Transaktion f√ºr DID {did_short} nicht gefunden")
            print(f"   (M√∂glicherweise noch nicht im Cache)")
    else:
        print(f"\n‚ö†Ô∏è  Konnte Ledger nicht abrufen: {ledger_response.status_code}")

except Exception as e:
    print(f"\n‚ö†Ô∏è  Fehler beim Abrufen der Ledger-Transaktion: {e}")

print("="*60)

## Teil 2: DID Setup & Ledger Registration - KRITIS-Identit√§ten

**Decentralized Identifiers (DIDs)** bilden die kryptographische Grundlage f√ºr alle Akteure im SSI-System.

**DID-Typen**:
- **did:indy (Public DID)**: Issuer - registriert auf VON-Network Ledger als ENDORSER (berechtigt f√ºr Schema/Cred-Def-Erstellung)
- **did:peer:4 (Peer DIDs)**: Alle Akteure - Off-Ledger Connections mit Post-Quantum-Kryptographie (ML-DSA-65, ML-KEM-768)

**Ledger-Registrierung**: Nur der **Issuer** ben√∂tigt eine Public DID auf dem Indy Ledger (NYM Transaction), da nur er Schemas und Credential Definitions erstellen muss. **Holder und Verifier** nutzen ausschlie√ülich Peer-DIDs f√ºr Agent-to-Agent Verbindungen. Der Verifier kann
Ledger-Daten lesen ohne eigene Public DID (read-only access).

In [None]:
# Cell 3: Issuer - DID erstellen

print("üîë Issuer: DID erstellen...\n")

# DID-Erstellungs-Parameter f√ºr did:indy
# API: POST /did/indy/create
did_params = {
    "options": {
        "key_type": "ed25519",  # Kryptografischer Key-Type (EdDSA)
        "seed": "000000000000000000000000Issuer01"  # 32 Zeichen f√ºr reproduzierbare DID
    }
}

print(f"üìã DID-Parameter:")
print(f"   Method:   indy")
print(f"   Endpoint: /did/indy/create")
print(f"   Key Type: {did_params['options']['key_type']}")
print(f"   Seed:     {'(zuf√§llig)' if 'seed' not in did_params['options'] else did_params['options']['seed']}")
print(f"   Format:   did:indy:<identifier>\n")

# DID erstellen mit korrektem Endpunkt
issuer_did_response = api_post(
    ISSUER_ADMIN_URL,
    "/did/indy/create",  # Korrekter Endpunkt f√ºr did:indy
    did_params
)

if issuer_did_response is not None:
    # Response-Format: {"did": "did:indy:...", "verkey": "..."}
    issuer_did = issuer_did_response.get("did")
    issuer_verkey = issuer_did_response.get("verkey")
    
    print(f"‚úÖ Issuer DID erstellt:")
    print(f"   DID:    {issuer_did}")
    print(f"   Verkey: {issuer_verkey}")
    
    # Speichern f√ºr sp√§tere Verwendung
    issuer_info = {
        "did": issuer_did,
        "verkey": issuer_verkey,
        "method": "indy",
        "key_type": did_params["options"]["key_type"],
        "role": "ENDORSER"
    }
    
    print(f"\nüí° Format: {issuer_did} (vollst√§ndige qualified DID)")
else:
    print("‚ùå Fehler beim Erstellen der Issuer DID")

In [None]:
# Cell 4: Issuer DID auf Ledger registrieren

print("üìù Issuer DID auf Ledger registrieren (via VON-Network)...\n")

# Registrierungs-Daten f√ºr VON-Network (DID-Based Registration)
# Nutzt DID+Verkey aus Cell 3 statt Seed
register_data = {
    "did": issuer_did,        # DID aus Cell 3 (ACA-Py Wallet)
    "verkey": issuer_verkey,  # Verkey aus Cell 3 (ACA-Py Wallet)
    "alias": "Energienetzbetreiber (Issuer)",
    "role": "ENDORSER"  # TRUST_ANCHOR oder ENDORSER f√ºr Issuer-Rechte
}

print(f"üìã Registrierungs-Parameter:")
print(f"   Ledger URL: {VON_NETWORK_URL}/register")
print(f"   DID:        {register_data['did']}")
print(f"   Verkey:     {register_data['verkey'][:20]}...")
print(f"   Alias:      {register_data['alias']}")
print(f"   Role:       {register_data['role']}\n")

# Registriere DID auf VON-Network Ledger
print(f"üåê POST {VON_NETWORK_URL}/register")

try:
    response = requests.post(
        f"{VON_NETWORK_URL}/register",
        json=register_data,
        timeout=10
    )

    response.raise_for_status()

    # Response format: {"did": "did:indy:...", "verkey": "..."}
    nym_info = response.json()

    issuer_did = nym_info["did"]
    issuer_verkey = nym_info["verkey"]

    print(f"‚úÖ Issuer DID auf Ledger registriert")
    print(f"   DID:    {issuer_did}")
    print(f"   Verkey: {issuer_verkey}")

    # Zeige vollst√§ndige Ledger-Response
    pretty_print(nym_info, "VON-Network Registration Response (Issuer)")

    # JETZT: Setze DID als Public DID im ACA-Py Wallet
    print(f"\nüîë Setze DID als Public DID im Wallet...")
    public_did_response = api_post(
        ISSUER_ADMIN_URL,
        f"/wallet/did/public?did={issuer_did}"
    )

    if public_did_response is not None:
        print(f"‚úÖ Issuer DID als Public DID gesetzt")
    else:
        print(f"‚ö†Ô∏è  Warnung: Public DID konnte nicht gesetzt werden")

    # Speichern f√ºr sp√§tere Verwendung
    issuer_info = {
        "did": issuer_did,
        "verkey": issuer_verkey,
        "method": "indy",
        "key_type": "ed25519",
        "role": "ENDORSER"
    }

    # Hole NYM Role vom Ledger zur Verifikation
    print(f"\nüîç NYM Role vom Ledger verifizieren...")
    nym_role_response = api_get(
        ISSUER_ADMIN_URL,
        f"/ledger/get-nym-role?did={issuer_did}"
    )

    if nym_role_response is not None:
        print(f"‚úÖ NYM Role vom Ledger abgerufen")
        #pretty_print(nym_role_response, "Ledger NYM Role (Issuer DID)")

        # Extrahiere Role
        role = nym_role_response.get('role', 'N/A')
        print(f"\nüìã Verifizierte Rolle: {role}")
    else:
        print(f"‚ö†Ô∏è  NYM Role konnte nicht abgerufen werden")

    # ========================================
    # Zeige Ledger-Transaktionen
    # ========================================
    print("\n" + "="*60)
    print("üìã LEDGER-TRANSAKTIONEN")
    print("="*60)

    try:
        # Hole Domain Ledger Transaktionen
        ledger_response = requests.get(f"{VON_NETWORK_URL}/ledger/domain")

        if ledger_response.status_code == 200:
            ledger_data = ledger_response.json()
            ledger_txns = ledger_data.get('results', [])

            # Filtere nach seqNo 6 und 7
            target_seqnos = [6, 7]
            found_txns = []

            for txn in ledger_txns:
                txn_metadata = txn.get('txnMetadata', {})
                seqno = txn_metadata.get('seqNo')

                if seqno in target_seqnos:
                    found_txns.append(txn)

            # Sortiere nach seqNo aufsteigend
            found_txns.sort(key=lambda x: x.get('txnMetadata', {}).get('seqNo', 0))

            if found_txns:
                print(f"\n‚úÖ {len(found_txns)} Transaktionen gefunden:\n")

                for txn in found_txns:
                    txn_metadata = txn.get('txnMetadata', {})
                    txn_data = txn.get('txn', {})
                    seqno = txn_metadata.get('seqNo')
                    txn_type = txn_data.get('type')
                    txn_time = txn_metadata.get('txnTime', 'N/A')

                    # Typ-Mapping
                    type_names = {
                        '0' : 'NODE (Validator Node Registration)',
                        '1' : 'NYM (DID Registration)',
                        '4' : 'TXN_AUTHOR_AGREEMENT',
                        '5' : 'TXN_AUTHOR_AGREEMENT_AML',
                        '100': 'ATTRIB',
                        '101': 'SCHEMA',
                        '102': 'CRED_DEF',
                        '112': 'CHANGE_KEY',
                        '113': 'REVOC_REG_DEF',
                        '114': 'REVOC_REG_ENTRY',
                        '120': 'AUTH_RULE'
                    }
                    type_name = type_names.get(str(txn_type), f'Type {txn_type}')

                    print(f"============================================================")
                    print(f"Seq No: {seqno} | Time: {txn_time}")
                    print(f"Transaction Type: {type_name}")
                    print(f"============================================================\n")

                    # Zeige vollst√§ndige Transaction
                    pretty_print(txn, f"Ledger Transaction (seqNo {seqno})")
                    print()

            else:
                print(f"\n‚ö†Ô∏è  NYM-Transaktion f√ºr DID {did_short} nicht gefunden")
                print(f"   (M√∂glicherweise noch nicht im Cache)")
        else:
            print(f"\n‚ö†Ô∏è  Konnte Ledger nicht abrufen: {ledger_response.status_code}")

    except Exception as e:
        print(f"\n‚ö†Ô∏è  Fehler beim Abrufen der Ledger-Transaktion: {e}")

    print("="*60)

except requests.exceptions.RequestException as e:
    print(f"‚ùå POST Fehler: {e}")
    print(f"   Stelle sicher dass VON-Network l√§uft: cd von-network && ./manage start")

In [None]:
# Cell 5: Wallet DID √úbersicht anzeigen

print("üìã Wallet-√úbersicht - Alle DIDs:\n")

# Alle DIDs von allen Agenten abrufen
issuer_dids = api_get(ISSUER_ADMIN_URL, "/wallet/did")
holder_dids = api_get(HOLDER_ADMIN_URL, "/wallet/did")
verifier_dids = api_get(VERIFIER_ADMIN_URL, "/wallet/did")

#Zeige originale Responses
print("üîç Originale /wallet/did Responses:\n")
if issuer_dids:
    pretty_print(issuer_dids, "Issuer Wallet DIDs")
if holder_dids:
    pretty_print(holder_dids, "Holder Wallet DIDs")
if verifier_dids:
    pretty_print(verifier_dids, "Verifier Wallet DIDs")

## Teil 3: Schema & Credential Definition - KRITIS-Notfall-Wartungszertifikat

In diesem Abschnitt wird das **Schema** f√ºr KRITIS-Notfall-Wartungszertifikate auf der Hyperledger Indy Blockchain registriert. Das Schema definiert die Struktur des Credentials mit 9 Attributen:

**Identit√§tsattribute**:
- `first_name`, `name`: Vor- und Nachname des Technikers
- `organisation`: Arbeitgeber/Dienstleister
- `role`: Berufliche Funktion (z.B. "Notfalltechniker")

**Berechtigungsattribute**:
- `cert_type`: Art der Berechtigung (z.B. "Notfall-Wartungsberechtigung")
- `facility_type`: Autorisierte Anlage (z.B. "Umspannwerk Nord-Ost")
- `security_clearance_level`: Deutsche KRITIS Sicherheits√ºberpr√ºfungs-Level (0-3)
   - 0 = Standard-Sicherheits√ºberpr√ºft
   - 1 = √ú1 - Einfache Sicherheits√ºberpr√ºfung
   - 2 = √ú2 - Erweiterte Sicherheits√ºberpr√ºfung (MINIMUM)
   - 3 = √ú3 - Erweiterte S√ú mit Sicherheitsermittlungen

**Zeitliche Attribute**:
- `epoch_valid_from`: G√ºltigkeitsbeginn (Unix Epoch Timestamp)
- `epoch_valid_until`: G√ºltigkeitsende (Unix Epoch Timestamp)

**KRITIS-Konformit√§t**: Das Schema folgt den Anforderungen der EU-Verordnung 2019/881 (Cybersecurity Act) f√ºr kritische Infrastruktur im Energiesektor.

In [None]:
# Cell 6: Schema erstellen (Indy)

print("üìã Schema erstellen...\n")

start_time = time.time()

# Schema-Daten f√ºr KRITIS-Notfall-Wartungszertifikat (Indy API)
# API: POST /schemas
# Format: {"schema_name": "...", "schema_version": "...", "attributes": [...]}
schema_data = {
    "schema_name": "kritis_emergency_maintenance_cert",
    "schema_version": "1.1",  # ‚Üê WICHTIG: Version muss hier angegeben werden!
    "attributes": [
        "first_name",
        "name",
        "organisation",
        "role",
        "cert_type",
        "facility_type",
        "epoch_valid_from",
        "epoch_valid_until",
        "security_clearance_level"
    ]
}

# Schema auf Ledger registrieren (Indy endpoint)
schema_response = api_post(
    ISSUER_ADMIN_URL,
    "/schemas",  # Indy endpoint
    schema_data
)

if schema_response is not None:
    # Response Format: {"schema_id": "...", "schema": {...}}
    schema_id = schema_response.get("schema_id")

    # Korrekte Werte aus Response extrahieren
    schema_obj = schema_response.get("schema", {})
    schema_name = schema_obj.get("name", schema_data["schema_name"])
    schema_version = schema_obj.get("version", schema_data["schema_version"])
    schema_attributes = schema_obj.get("attrNames", schema_data["attributes"])

    print(f"‚úÖ Schema 'kritis_emergency_maintenance_cert' erstellt (Indy)")
    print(f"   Schema ID: {schema_id}")
    print(f"   Endpoint:  /schemas")
    print(f"   Name:      {schema_name}")
    print(f"   Version:   {schema_version}")
    print(f"   Attribute: {', '.join(schema_attributes)}\n")

else:
    print("‚ùå Fehler beim Erstellen des Schemas")

# ========================================
# Zeige Ledger-Transaktionen
# ========================================
print("\n" + "="*60)
print("üìã LEDGER-TRANSAKTIONEN")
print("="*60)

try:
    # Hole Domain Ledger Transaktionen
    ledger_response = requests.get(f"{VON_NETWORK_URL}/ledger/domain")

    if ledger_response.status_code == 200:
        ledger_data = ledger_response.json()
        ledger_txns = ledger_data.get('results', [])

        # Filtere nach seqNo 8
        target_seqnos = [8]
        found_txns = []

        for txn in ledger_txns:
            txn_metadata = txn.get('txnMetadata', {})
            seqno = txn_metadata.get('seqNo')

            if seqno in target_seqnos:
               found_txns.append(txn)

        # Sortiere nach seqNo aufsteigend
        found_txns.sort(key=lambda x: x.get('txnMetadata', {}).get('seqNo', 0))

        if found_txns:
            print(f"\n‚úÖ {len(found_txns)} Transaktionen gefunden:\n")

            for txn in found_txns:
                txn_metadata = txn.get('txnMetadata', {})
                txn_data = txn.get('txn', {})
                seqno = txn_metadata.get('seqNo')
                txn_type = txn_data.get('type')
                txn_time = txn_metadata.get('txnTime', 'N/A')

                # Typ-Mapping
                type_names = {
                    '0' : 'NODE (Validator Node Registration)',
                    '1' : 'NYM (DID Registration)',
                    '4' : 'TXN_AUTHOR_AGREEMENT',
                    '5' : 'TXN_AUTHOR_AGREEMENT_AML',
                    '100': 'ATTRIB',
                    '101': 'SCHEMA',
                    '102': 'CRED_DEF',
                    '112': 'CHANGE_KEY',
                    '113': 'REVOC_REG_DEF',
                    '114': 'REVOC_REG_ENTRY',
                    '120': 'AUTH_RULE'
                }
                type_name = type_names.get(str(txn_type), f'Type {txn_type}')

                print(f"============================================================")
                print(f"Seq No: {seqno} | Time: {txn_time}")
                print(f"Transaction Type: {type_name}")
                print(f"============================================================\n")

                # Zeige vollst√§ndige Transaction
                pretty_print(txn, f"Ledger Transaction (seqNo {seqno})")
                print()

        else:
            print(f"\n‚ö†Ô∏è  NYM-Transaktion f√ºr DID {did_short} nicht gefunden")
            print(f"   (M√∂glicherweise noch nicht im Cache)")
    else:
        print(f"\n‚ö†Ô∏è  Konnte Ledger nicht abrufen: {ledger_response.status_code}")

except Exception as e:
    print(f"\n‚ö†Ô∏è  Fehler beim Abrufen der Ledger-Transaktion: {e}")

print("="*60)

In [None]:
# Cell 7: Credential Definition erstellen (Indy)

print("üìù Credential Definition erstellen...\n")

start_time = time.time()

# Credential Definition Data (Indy API)
# API: POST /credential-definitions
# Format: {"schema_id": "...", "tag": "...", "support_revocation": bool, ...}
cred_def_data = {
    "schema_id": schema_id,  # from Cell 11
    "tag": "default",
    "support_revocation": True,  # Enable revocation
    "revocation_registry_size": TAILS_FILE_COUNT  # from config
}

print(f"üìù Credential Definition Parameter (Indy):")
print(f"   Endpoint:            /credential-definitions")
print(f"   Schema ID:           {cred_def_data['schema_id']}")
print(f"   Tag:                 {cred_def_data['tag']}")
print(f"   Support Revocation:  {cred_def_data['support_revocation']}")
print(f"   RevReg Size:         {cred_def_data['revocation_registry_size']}\n")

# Create Credential Definition on Ledger (Indy endpoint)
cred_def_response = api_post(
    ISSUER_ADMIN_URL,
    "/credential-definitions",  # Indy endpoint
    cred_def_data
)

if cred_def_response is not None:
    # Response Format: {"credential_definition_id": "..."}
    cred_def_id = cred_def_response.get("credential_definition_id")

    print(f"‚úÖ Credential Definition erstellt (Indy)")
    print(f"   Cred Def ID: {cred_def_id}")
    print(f"   f√ºr Schema 'kritis_emergency_maintenance_cert'")

    # Show full Cred Def Response
    # pretty_print(cred_def_response, "Indy Credential Definition Response (KRITIS)")

else:
    print("‚ùå Fehler beim Erstellen der Credential Definition")

# ========================================
# Zeige Ledger-Transaktionen
# ========================================
print("\n" + "="*60)
print("üìã LEDGER-TRANSAKTIONEN")
print("="*60)

try:
    # Hole Domain Ledger Transaktionen
    ledger_response = requests.get(f"{VON_NETWORK_URL}/ledger/domain")

    if ledger_response.status_code == 200:
        ledger_data = ledger_response.json()
        ledger_txns = ledger_data.get('results', [])

        # Filtere nach seqNo 9-13
        target_seqnos = [9,10,11,12,13]
        found_txns = []

        for txn in ledger_txns:
            txn_metadata = txn.get('txnMetadata', {})
            seqno = txn_metadata.get('seqNo')

            if seqno in target_seqnos:
               found_txns.append(txn)

        # Sortiere nach seqNo aufsteigend
        found_txns.sort(key=lambda x: x.get('txnMetadata', {}).get('seqNo', 0))

        if found_txns:
            print(f"\n‚úÖ {len(found_txns)} Transaktionen gefunden:\n")

            for txn in found_txns:
                txn_metadata = txn.get('txnMetadata', {})
                txn_data = txn.get('txn', {})
                seqno = txn_metadata.get('seqNo')
                txn_type = txn_data.get('type')
                txn_time = txn_metadata.get('txnTime', 'N/A')

                # Typ-Mapping
                type_names = {
                    '0' : 'NODE (Validator Node Registration)',
                    '1' : 'NYM (DID Registration)',
                    '4' : 'TXN_AUTHOR_AGREEMENT',
                    '5' : 'TXN_AUTHOR_AGREEMENT_AML',
                    '100': 'ATTRIB',
                    '101': 'SCHEMA',
                    '102': 'CRED_DEF',
                    '112': 'CHANGE_KEY',
                    '113': 'REVOC_REG_DEF',
                    '114': 'REVOC_REG_ENTRY',
                    '120': 'AUTH_RULE'
                }
                type_name = type_names.get(str(txn_type), f'Type {txn_type}')

                print(f"============================================================")
                print(f"Seq No: {seqno} | Time: {txn_time}")
                print(f"Transaction Type: {type_name}")
                print(f"============================================================\n")

                # Zeige vollst√§ndige Transaction
                pretty_print(txn, f"Ledger Transaction (seqNo {seqno})")
                print()

        else:
            print(f"\n‚ö†Ô∏è  NYM-Transaktion f√ºr DID {did_short} nicht gefunden")
            print(f"   (M√∂glicherweise noch nicht im Cache)")
    else:
        print(f"\n‚ö†Ô∏è  Konnte Ledger nicht abrufen: {ledger_response.status_code}")

except Exception as e:
    print(f"\n‚ö†Ô∏è  Fehler beim Abrufen der Ledger-Transaktion: {e}")

print("="*60)

## Teil 4: Agent Connections - KRITIS-Akteure

**Verbindungsaufbau zwischen den Akteuren**:
1. **Issuer ‚Üî Holder**: Energienetzbetreiber ‚Üî Notfalltechniker
2. **Holder ‚Üî Verifier**: Notfalltechniker ‚Üî Zutrittssystem-Umspannwerk (Verifier)

**PQC-Integration**: Alle Verbindungen verwenden did:peer:4 mit Post-Quantum-Kryptographie (ML-DSA-65 f√ºr Signaturen, ML-KEM-768 f√ºr Key Agreement).

In [None]:
# Cell 8: Issuer Discovery - Identifikation via Ledger Identifier

print("üîç Issuer Discovery - Identifikation vertrauensw√ºrdiger Aussteller")
print("="*80)
print("üìñ KRITIS-Anforderung: Identity Holder m√ºssen vertrauensw√ºrdige Issuers")
print("   f√ºr gew√ºnschte Credentials entdecken und deren Identit√§t validieren.\n")

# Phase 1: Ledger-basierte Issuer Discovery
print("üìã Phase 1: Ledger-basierte Issuer Discovery\n")

try:
    # Hole Domain Ledger Transaktionen
    ledger_response = requests.get(f"{VON_NETWORK_URL}/ledger/domain")
    
    if ledger_response.status_code == 200:
        ledger_data = ledger_response.json()
        ledger_txns = ledger_data.get('results', [])
        
        # Filter: Nur NYM-Transaktionen (DID-Registrierungen, Type '1')
        nym_txns = [
            txn for txn in ledger_txns 
            if txn.get('txn', {}).get('type') == '1'
        ]
        
        # Filter: Nur Transaktionen mit TRUST_ANCHOR Role (= Issuers)
        issuer_identities = []
        for txn in nym_txns:
            txn_data = txn.get('txn', {}).get('data', {})
            role = txn_data.get('role')
            
            # Role '101' = TRUST_ANCHOR (berechtigt, Credentials auszustellen)
            if role == '101':
                full_verkey = txn_data.get('verkey', 'N/A')
                issuer_identities.append({
                    'did': txn_data.get('dest'),
                    'verkey_full': full_verkey,
                    'verkey_short': full_verkey[:30] + '...' if len(full_verkey) > 30 else full_verkey,
                    'alias': txn_data.get('alias', 'N/A'),
                    'registered_by': txn.get('txn', {}).get('metadata', {}).get('from', 'N/A'),
                    'txn_time': txn.get('txnMetadata', {}).get('txnTime'),
                    'seq_no': txn.get('txnMetadata', {}).get('seqNo')
                })
        
        print(f"‚úÖ {len(issuer_identities)} TRUST_ANCHOR Issuer(s) auf dem Ledger gefunden:\n")
        
        if issuer_identities:
            # Zeige nur relevante Spalten f√ºr Identifikation
            df_issuers = pd.DataFrame([{
                'Alias': i['alias'],
                'DID': i['did'],
                'Verkey (gek√ºrzt)': i['verkey_short'],
                'Seq No': i['seq_no']
            } for i in issuer_identities])
            print(df_issuers.to_json(orient='records', indent=2))
        else:
            print("‚ö†Ô∏è  Keine TRUST_ANCHOR gefunden (Ledger noch leer?)")
            
except Exception as e:
    print(f"‚ùå Fehler bei Issuer Discovery: {e}")
    import traceback
    traceback.print_exc()

# Phase 2: Issuer Identifier Verification
print(f"\n{'='*80}")
print("üîê Phase 2: Issuer Identifier Verification\n")

def verify_issuer_identity(issuer_did, issuer_data, all_txns):
    """
    Verifiziert die Identit√§t eines Issuers anhand von Ledger-Daten.
    
    Identit√§ts-Eigenschaften:
    1. DID (Decentralized Identifier)
    2. Verkey (Public Key f√ºr Signaturverifikation)
    3. TRUST_ANCHOR Role
    4. Registrierungs-Endorser (Wer hat die Identit√§t best√§tigt?)
    5. On-Ledger Aktivit√§ten (Schemas, CRED_DEFs, etc.)
    """
    identity_info = {
        'verified': True,
        'properties': []
    }
    
    # 1. DID Identifier
    identity_info['properties'].append({
        'property': 'DID (Identifier)',
        'value': issuer_did,
        'verified': True
    })
    
    # 2. Verkey (Public Key)
    verkey = issuer_data.get('verkey_full', 'N/A')
    identity_info['properties'].append({
        'property': 'Verkey (Public Key)',
        'value': verkey,
        'verified': verkey != 'N/A'
    })
    
    # 3. TRUST_ANCHOR Role
    identity_info['properties'].append({
        'property': 'TRUST_ANCHOR Role',
        'value': 'Ja (Role 101)',
        'verified': True
    })
    
    # 4. Endorser (Wer hat registriert?)
    registered_by = issuer_data.get('registered_by', 'N/A')
    identity_info['properties'].append({
        'property': 'Registriert von',
        'value': registered_by,
        'verified': registered_by != 'N/A'
    })
    
    # 5. On-Ledger Aktivit√§ten
    activities = []
    
    # Schemas (Type '101' im Ledger)
    schemas = [
        txn for txn in all_txns 
        if txn.get('txn', {}).get('type') == '101'
        and txn.get('txn', {}).get('metadata', {}).get('from') == issuer_did
    ]
    if schemas:
        activities.append(f"{len(schemas)} Schema(s)")
    
    # Credential Definitions (Type '102')
    cred_defs = [
        txn for txn in all_txns 
        if txn.get('txn', {}).get('type') == '102'
        and txn.get('txn', {}).get('metadata', {}).get('from') == issuer_did
    ]
    if cred_defs:
        activities.append(f"{len(cred_defs)} CRED_DEF(s)")
    
    # Revocation Registries (Type '113' oder '114')
    revoc_regs = [
        txn for txn in all_txns 
        if txn.get('txn', {}).get('type') in ['113', '114']
        and txn.get('txn', {}).get('metadata', {}).get('from') == issuer_did
    ]
    if revoc_regs:
        activities.append(f"{len(revoc_regs)} REVOC_REG(s)")
    
    activity_summary = ', '.join(activities) if activities else 'Keine'
    identity_info['properties'].append({
        'property': 'On-Ledger Aktivit√§ten',
        'value': activity_summary,
        'verified': len(activities) > 0
    })
    
    # 6. Zeitstempel (Registrierungszeitpunkt)
    import datetime
    txn_time = issuer_data.get('txn_time')
    if txn_time:
        registration_date = datetime.datetime.fromtimestamp(txn_time)
        age_days = (datetime.datetime.now() - registration_date).days
        identity_info['properties'].append({
            'property': 'Registriert seit',
            'value': f"{registration_date.strftime('%Y-%m-%d')} ({age_days} Tage)",
            'verified': True
        })
    
    return identity_info

# Zeige Identifier-Details f√ºr alle gefundenen Issuers
if 'issuer_identities' in locals() and issuer_identities:
    for issuer in issuer_identities[:3]:  # Zeige nur erste 3 Issuers
        print(f"{'='*80}")
        print(f"üè¢ Issuer: {issuer['alias']}")
        print(f"{'='*80}")
        
        identity = verify_issuer_identity(issuer['did'], issuer, ledger_txns)
        
        for prop in identity['properties']:
            status = "‚úÖ" if prop['verified'] else "‚ö†Ô∏è "
            value = prop['value']
            # K√ºrze lange Werte (z.B. Verkey)
            if len(str(value)) > 50:
                value = str(value)[:47] + "..."
            print(f"   {status} {prop['property']:25s} {value}")
        
        print()

# Phase 3: Issuer-Suche f√ºr spezifisches Schema
print(f"{'='*80}")
print("üîé Phase 3: Issuer-Identifikation f√ºr Schema\n")

# Suche nach dem Schema aus Cell 11
desired_schema_name = "kritis_emergency_maintenance_cert"

try:
    # Hole alle Schemas vom Ledger (Type '101')
    schemas = [
        txn for txn in ledger_txns 
        if txn.get('txn', {}).get('type') == '101'
    ]
    
    # Filter nach Schema-Namen
    matching_schemas = []
    for schema_txn in schemas:
        schema_data = schema_txn.get('txn', {}).get('data', {}).get('data', {})
        schema_name = schema_data.get('name', '')
        
        if desired_schema_name.lower() in schema_name.lower():
            schema_version = schema_data.get('version', 'N/A')
            created_by = schema_txn.get('txn', {}).get('metadata', {}).get('from', 'N/A')
            
            matching_schemas.append({
                'schema_name': schema_name,
                'schema_version': schema_version,
                'schema_id': f"{created_by}:2:{schema_name}:{schema_version}",
                'created_by_did': created_by
            })
    
    if matching_schemas:
        print(f"‚úÖ {len(matching_schemas)} Schema(s) gefunden f√ºr '{desired_schema_name}':\n")
        df_schemas = pd.DataFrame(matching_schemas)
        print(df_schemas.to_json(orient='records', indent=2))
        
        # Identifiziere die Issuers dieser Schemas
        print(f"\n{'='*80}")
        print("üîê Issuer-Identifikation f√ºr gefundene Schemas:\n")
        
        for schema in matching_schemas:
            schema_issuer_did = schema['created_by_did']
            
            # Finde Issuer-Identit√§t
            issuer_info = next(
                (i for i in issuer_identities if i['did'] == schema_issuer_did), 
                None
            )
            
            print(f"Schema: {schema['schema_name']} v{schema['schema_version']}")
            print(f"{'-'*80}")
            
            if issuer_info:
                # Zeige Issuer-Identifikation
                print(f"‚úÖ Issuer identifiziert:")
                print(f"   Alias:         {issuer_info['alias']}")
                print(f"   DID:           {issuer_info['did']}")
                print(f"   Verkey:        {issuer_info['verkey_short']}")
                print(f"   TRUST_ANCHOR:  Ja (Role 101)")
                print(f"   Ledger Seq No: {issuer_info['seq_no']}")
                
                # Zeige vollst√§ndige Identit√§ts-Verifikation
                print(f"\n   üìã Vollst√§ndige Identit√§ts-Verifikation:")
                identity = verify_issuer_identity(schema_issuer_did, issuer_info, ledger_txns)
                for prop in identity['properties']:
                    status = "‚úÖ" if prop['verified'] else "‚ö†Ô∏è "
                    value = prop['value']
                    if len(str(value)) > 40:
                        value = str(value)[:37] + "..."
                    print(f"   {status} {prop['property']:20s} {value}")
                
                print(f"\n   ‚úÖ Issuer erfolgreich √ºber DID identifiziert und verifiziert")
            else:
                print(f"‚ö†Ô∏è  Issuer NICHT als TRUST_ANCHOR registriert")
                print(f"   DID: {schema_issuer_did}")
                print(f"   Status: Keine TRUST_ANCHOR Role auf dem Ledger")
            
            print(f"\n{'='*80}\n")
    else:
        print(f"‚ö†Ô∏è  Keine Schemas gefunden f√ºr '{desired_schema_name}'")
        print(f"üí° Tipp: Stelle sicher, dass Cell 11 (Schema erstellen) ausgef√ºhrt wurde")
        
except Exception as e:
    print(f"‚ùå Fehler bei Schema-Suche: {e}")
    import traceback
    traceback.print_exc()

print(f"\n{'='*80}")
print("üí° Issuer Identifier-basierte Discovery:")
print("   1. ‚úÖ DID (Decentralized Identifier) - Eindeutiger Identifier")
print("   2. ‚úÖ Verkey (Public Key) - Kryptografische Identit√§t")
print("   3. ‚úÖ TRUST_ANCHOR Role - Berechtigung zum Ausstellen")
print("   4. ‚úÖ Ledger Endorsement - Wer hat die Identit√§t best√§tigt?")
print("   5. ‚úÖ On-Ledger Aktivit√§ten - Schemas, CRED_DEFs, REVOC_REGs")
print(f"{'='*80}")
print("üéØ Identifikations-Methode:")
print("   Der Issuer wird √ºber seinen DID (Decentralized Identifier) eindeutig")
print("   identifiziert. Der DID ist im Schema-Identifier eingebettet:")
print("   Format: <issuer_did>:2:<schema_name>:<version>")
print("   ")
print("   Die Vertrauensw√ºrdigkeit wird durch die TRUST_ANCHOR Role auf dem")
print("   Hyperledger Indy Ledger garantiert (Byzantine Fault Tolerant).")
print(f"{'='*80}")


In [None]:
# Cell 9: Connection Issuer ‚Üí Holder erstellen

print("ü§ù Connection: Issuer ‚Üí Holder erstellen...\n")

start_time = time.time()

# ========================================
# 1. PRE-CHECK: Existierende Connections pr√ºfen
# ========================================
print("üîç Pre-Check: Pr√ºfe existierende Connections...\n")

existing_conn_issuer_holder = None
existing_conn_holder = None

# Pr√ºfe Issuer-Seite: GET /connections
issuer_conns_response = api_get(ISSUER_ADMIN_URL, "/connections")
if issuer_conns_response and "results" in issuer_conns_response:
    print(f"   Issuer: {len(issuer_conns_response['results'])} Connection(s) gefunden")
    for conn in issuer_conns_response["results"]:
        if conn.get("state") == "completed":
            existing_conn_issuer_holder = conn["connection_id"]
            print(f"     ‚Üí Connection {existing_conn_issuer_holder} (State: completed)")
            break
else:
    print("   Issuer: Keine Connections gefunden")

# Pr√ºfe Holder-Seite: GET /connections
holder_conns_response = api_get(HOLDER_ADMIN_URL, "/connections")
if holder_conns_response and "results" in holder_conns_response:
    print(f"   Holder: {len(holder_conns_response['results'])} Connection(s) gefunden")
    for conn in holder_conns_response["results"]:
        if conn.get("state") == "completed":
            existing_conn_holder = conn["connection_id"]
            print(f"     ‚Üí Connection {existing_conn_holder} (State: completed)")
            break
else:
    print("   Holder: Keine Connections gefunden")

if existing_conn_issuer_holder and existing_conn_holder:
    print(f"\n‚úÖ Existierende Connection gefunden!")
    print(f"   Issuer Connection ID: {existing_conn_issuer_holder}")
    print(f"   Holder Connection ID: {existing_conn_holder}")
    print("   √úberspringe Connection-Erstellung\n")
    conn_id_issuer_holder = existing_conn_issuer_holder
    conn_id_holder = existing_conn_holder
else:
    print("\n   Keine vollst√§ndige existierende Connection gefunden")
    print("   Erstelle neue Connection mit did:peer:4...\n")
    
    # ========================================
    # 2. HAUPT-WORKFLOW: Connection mit did:peer erstellen
    # ========================================
    
    # Initialisiere Variablen
    conn_id_issuer_holder = None
    conn_id_holder = None
    invitation_msg_id = None
    invitation_key = None
    
    # Issuer erstellt Out-of-Band Invitation mit did:peer:4
    invitation_data = {
        "handshake_protocols": ["https://didcomm.org/didexchange/1.1"],
        "use_did_method": "did:peer:4",
#        "metadata": {"key_type": "ed25519"},       # ==> Aktivieren f√ºr Kryptoagilit√§tsdemonstration
        "my_label": "Issuer Agent",
        "goal": "Establish connection for credential issuance",
        "goal_code": "issue-vc",
        "accept": [
            "didcomm/aip1",
            "didcomm/aip2;env=rfc19"
        ]
    }
    
    print("üìã Invitation-Modus: did:peer:4 (P2P Connection)")
    
    # API Call mit Query-Parametern f√ºr auto-accept
    invitation_response = api_post(
        ISSUER_ADMIN_URL,
        "/out-of-band/create-invitation?auto_accept=true&multi_use=false",
        invitation_data
    )
    
    if invitation_response and "invitation" in invitation_response:
        invitation = invitation_response["invitation"]
        oob_id = invitation_response.get("oob_id")
        invitation_url = invitation_response.get("invitation_url", "")
        state = invitation_response.get("state")
        
        # WICHTIG: Speichere invitation_msg_id aus der Invitation
        invitation_msg_id = invitation.get("@id")
        
        # Optional: Extrahiere invitation_key aus services (falls vorhanden)
        services = invitation.get("services", [])
        if services and len(services) > 0:
            # Bei did:peer:4 ist der Service oft inline
            service = services[0]
            if isinstance(service, dict):
                recipient_keys = service.get("recipientKeys", [])
                if recipient_keys:
                    invitation_key = recipient_keys[0]
        
        print(f"‚úÖ Issuer: Invitation erstellt")
        print(f"   OOB ID: {oob_id}")
        print(f"   State: {state}")
        print(f"   Invitation Msg ID: {invitation_msg_id}")
        if invitation_key:
            print(f"   Invitation Key: {invitation_key[:30]}...")
        print(f"   Services: {len(invitation.get('services', []))} service(s)")
        print(f"   Label: {invitation_data['my_label']}")
        print(f"   Goal: {invitation_data['goal']}")
        
        # Holder akzeptiert Invitation (mit auto-accept)
        receive_response = api_post(
            HOLDER_ADMIN_URL,
            "/out-of-band/receive-invitation?auto_accept=true",
            invitation
        )
        
        if receive_response is not None:
            conn_id_holder = receive_response.get("connection_id")
            print(f"\n‚úÖ Holder: Invitation akzeptiert")
            print(f"   Connection ID (Holder): {conn_id_holder}")
            
            # Issuer findet seine Connection via invitation_msg_id
            print(f"\n   Issuer sucht Connection via invitation_msg_id...")
            time.sleep(2)  # Kurze Wartezeit f√ºr DIDExchange Protocol
            
            # Hole alle Issuer Connections
            issuer_conns = api_get(ISSUER_ADMIN_URL, "/connections")
            if issuer_conns and "results" in issuer_conns:
                connections = issuer_conns["results"]
                
                print(f"     Pr√ºfe {len(connections)} Connection(s)...")
                
                # Finde Connection anhand invitation_msg_id (exaktes Match!)
                connection_found = False
                for conn in connections:
                    conn_invitation_msg_id = conn.get("invitation_msg_id")
                    conn_invitation_key = conn.get("invitation_key")
                    
                    # Match via invitation_msg_id (bevorzugt)
                    if invitation_msg_id and conn_invitation_msg_id == invitation_msg_id:
                        conn_id_issuer_holder = conn["connection_id"]
                        conn_state = conn.get("state")
                        print(f"\n   ‚úÖ Issuer: Connection gefunden via invitation_msg_id!")
                        print(f"      ‚Ä¢ Connection ID: {conn_id_issuer_holder}")
                        print(f"      ‚Ä¢ State: {conn_state}")
                        print(f"      ‚Ä¢ Invitation Msg ID: {conn_invitation_msg_id}")
                        print(f"      ‚Ä¢ Their Label: {conn.get('their_label', 'N/A')}")
                        print(f"      ‚Ä¢ Updated At: {conn.get('updated_at', 'N/A')}")
                        connection_found = True
                        break
                    
                    # Fallback: Match via invitation_key
                    elif invitation_key and conn_invitation_key == invitation_key:
                        conn_id_issuer_holder = conn["connection_id"]
                        conn_state = conn.get("state")
                        print(f"\n   ‚úÖ Issuer: Connection gefunden via invitation_key!")
                        print(f"      ‚Ä¢ Connection ID: {conn_id_issuer_holder}")
                        print(f"      ‚Ä¢ State: {conn_state}")
                        print(f"      ‚Ä¢ Invitation Key: {conn_invitation_key[:30]}...")
                        print(f"      ‚Ä¢ Their Label: {conn.get('their_label', 'N/A')}")
                        connection_found = True
                        break
                
                if not connection_found:
                    print(f"     ‚ö†Ô∏è  Keine Connection mit matching invitation_msg_id gefunden")
                    print(f"     Gesuchte invitation_msg_id: {invitation_msg_id}")
            else:
                print(f"     ‚ùå Konnte Issuer Connections nicht abrufen")
        else:
            print("‚ùå Holder konnte Invitation nicht akzeptieren")
    else:
        print("‚ùå Fehler beim Erstellen der Invitation")

# ========================================
# 3. POST-VALIDATION: Connection-Status verifizieren
# ========================================
print("\nüîç Post-Validation: Verifiziere Connection-Status...\n")

validation_success = False
issuer_state = None
holder_state = None

if conn_id_issuer_holder:
    # Pr√ºfe Issuer-Seite mit spezifischem Endpoint: GET /connections/{conn_id}
    issuer_conn_detail = api_get(
        ISSUER_ADMIN_URL,
        f"/connections/{conn_id_issuer_holder}"
    )
    
    if issuer_conn_detail:
        issuer_state = issuer_conn_detail.get("state")
        issuer_their_label = issuer_conn_detail.get("their_label")
        issuer_their_role = issuer_conn_detail.get("their_role")
        issuer_invitation_msg_id = issuer_conn_detail.get("invitation_msg_id")
        
        print(f"   üìã Issuer Connection {conn_id_issuer_holder}:")
        print(f"      ‚Ä¢ State: {issuer_state}")
        print(f"      ‚Ä¢ Their Label: {issuer_their_label}")
        print(f"      ‚Ä¢ Their Role: {issuer_their_role}")
        print(f"      ‚Ä¢ Invitation Msg ID: {issuer_invitation_msg_id}")

# Pr√ºfe Holder-Seite (falls conn_id_holder bekannt)
if conn_id_holder:
    # Pr√ºfe Holder-Seite mit spezifischem Endpoint: GET /connections/{conn_id}
    holder_conn_detail = api_get(
        HOLDER_ADMIN_URL,
        f"/connections/{conn_id_holder}"
    )
    
    if holder_conn_detail:
        holder_state = holder_conn_detail.get("state")
        holder_their_label = holder_conn_detail.get("their_label")
        holder_their_role = holder_conn_detail.get("their_role")
        holder_invitation_msg_id = holder_conn_detail.get("invitation_msg_id")
        
        print(f"\n   üìã Holder Connection {conn_id_holder}:")
        print(f"      ‚Ä¢ State: {holder_state}")
        print(f"      ‚Ä¢ Their Label: {holder_their_label}")
        print(f"      ‚Ä¢ Their Role: {holder_their_role}")
        print(f"      ‚Ä¢ Invitation Msg ID: {holder_invitation_msg_id}")
        
        # Verifiziere dass invitation_msg_id √ºbereinstimmt
        if invitation_msg_id and issuer_invitation_msg_id == holder_invitation_msg_id:
            print(f"      ‚úÖ Invitation Msg IDs stimmen √ºberein!")

# Validierung
if issuer_state == "active" and holder_state == "active":
    validation_success = True
elif issuer_state == "active" and not conn_id_holder:
    # Bei existierender Connection nur Issuer-Seite bekannt
    validation_success = True

# Finale Ausgabe
print(f"\n{'='*60}")
if validation_success:
    print(f"‚úÖ CONNECTION ESTABLISHED (did:peer:4): Issuer ‚Üî Holder")
    print(f"   Issuer Connection ID: {conn_id_issuer_holder}")
    if conn_id_holder:
        print(f"   Holder Connection ID: {conn_id_holder}")
    print(f"   Issuer State: {issuer_state}")
    if holder_state:
        print(f"   Holder State: {holder_state}")
    if invitation_msg_id:
        print(f"   Invitation Msg ID: {invitation_msg_id}")
else:
    print(f"‚ö†Ô∏è  CONNECTION STATUS UNCLEAR")
    print(f"   Issuer State: {issuer_state if issuer_state else 'N/A'}")
    print(f"   Holder State: {holder_state if holder_state else 'N/A'}")
    if conn_id_issuer_holder:
        print(f"   Issuer Connection ID: {conn_id_issuer_holder}")
    if conn_id_holder:
        print(f"   Holder Connection ID: {conn_id_holder}")

print(f"{'='*60}")

In [None]:
# Cell 10: Connection Holder ‚Üí Verifier erstellen

print("ü§ù Connection: Holder ‚Üí Verifier erstellen...\n")

start_time = time.time()

# ========================================
# 1. PRE-CHECK: Existierende Connections pr√ºfen
# ========================================
print("üîç Pre-Check: Pr√ºfe existierende Connections...\n")

existing_conn_verifier_holder = None
existing_conn_holder_verifier = None

# Pr√ºfe Verifier-Seite: GET /connections
verifier_conns_response = api_get(VERIFIER_ADMIN_URL, "/connections")
if verifier_conns_response and "results" in verifier_conns_response:
    print(f"   Verifier: {len(verifier_conns_response['results'])} Connection(s) gefunden")
    for conn in verifier_conns_response["results"]:
        if conn.get("state") == "completed":
            existing_conn_verifier_holder = conn["connection_id"]
            print(f"     ‚Üí Connection {existing_conn_verifier_holder} (State: completed)")
            break
else:
    print("   Verifier: Keine Connections gefunden")

# Pr√ºfe Holder-Seite: GET /connections (f√ºr Holder‚ÜíVerifier)
holder_conns_response = api_get(HOLDER_ADMIN_URL, "/connections")
if holder_conns_response and "results" in holder_conns_response:
    print(f"   Holder: {len(holder_conns_response['results'])} Connection(s) gefunden")
    # Finde Connection zum Verifier (basierend auf Label oder neueste)
    holder_verifier_conns = [c for c in holder_conns_response["results"] if c.get("their_label") == "Verifier Agent"]
    if holder_verifier_conns:
        for conn in holder_verifier_conns:
            if conn.get("state") == "completed":
                existing_conn_holder_verifier = conn["connection_id"]
                print(f"     ‚Üí Connection {existing_conn_holder_verifier} (State: completed, Partner: Verifier)")
                break
else:
    print("   Holder: Keine Connections gefunden")

if existing_conn_verifier_holder and existing_conn_holder_verifier:
    print(f"\n‚úÖ Existierende Connection gefunden!")
    print(f"   Verifier Connection ID: {existing_conn_verifier_holder}")
    print(f"   Holder Connection ID: {existing_conn_holder_verifier}")
    print("   √úberspringe Connection-Erstellung\n")
    conn_id_verifier_holder = existing_conn_verifier_holder
    conn_id_holder_verifier = existing_conn_holder_verifier
else:
    print("\n   Keine vollst√§ndige existierende Connection gefunden")
    print("   Erstelle neue Connection mit did:peer:4...\n")
    
    # ========================================
    # 2. HAUPT-WORKFLOW: Connection mit did:peer erstellen
    # ========================================
    
    # Initialisiere Variablen
    conn_id_verifier_holder = None
    conn_id_holder_verifier = None
    invitation_msg_id = None
    invitation_key = None
    
    # Verifier erstellt Out-of-Band Invitation mit did:peer:4
    invitation_data = {
        "handshake_protocols": ["https://didcomm.org/didexchange/1.1"],
        "use_did_method": "did:peer:4",
        "my_label": "Verifier Agent",
        "goal": "Establish connection for credential verification",
        "goal_code": "verify-vc",
        "accept": [
            "didcomm/aip1",
            "didcomm/aip2;env=rfc19"
        ]
    }
    
    print("üìã Invitation-Modus: did:peer:4 (P2P Connection)")
    
    # API Call mit Query-Parametern f√ºr auto-accept
    invitation_response = api_post(
        VERIFIER_ADMIN_URL,
        "/out-of-band/create-invitation?auto_accept=true&multi_use=false",
        invitation_data
    )
    
    if invitation_response and "invitation" in invitation_response:
        invitation = invitation_response["invitation"]
        oob_id = invitation_response.get("oob_id")
        invitation_url = invitation_response.get("invitation_url", "")
        state = invitation_response.get("state")
        
        # WICHTIG: Speichere invitation_msg_id aus der Invitation
        invitation_msg_id = invitation.get("@id")
        
        # Optional: Extrahiere invitation_key aus services (falls vorhanden)
        services = invitation.get("services", [])
        if services and len(services) > 0:
            service = services[0]
            if isinstance(service, dict):
                recipient_keys = service.get("recipientKeys", [])
                if recipient_keys:
                    invitation_key = recipient_keys[0]
        
        print(f"‚úÖ Verifier: Invitation erstellt")
        print(f"   OOB ID: {oob_id}")
        print(f"   State: {state}")
        print(f"   Invitation Msg ID: {invitation_msg_id}")
        if invitation_key:
            print(f"   Invitation Key: {invitation_key}")
        print(f"   Services: {len(invitation.get('services', []))} service(s)")
        print(f"   Label: {invitation_data['my_label']}")
        print(f"   Goal: {invitation_data['goal']}")
        
        # Holder akzeptiert Invitation (mit auto-accept)
        receive_response = api_post(
            HOLDER_ADMIN_URL,
            "/out-of-band/receive-invitation?auto_accept=true",
            invitation
        )
        
        if receive_response is not None:
            conn_id_holder_verifier = receive_response.get("connection_id")
            print(f"\n‚úÖ Holder: Invitation akzeptiert")
            print(f"   Connection ID (Holder): {conn_id_holder_verifier}")
            
            # Verifier findet seine Connection via invitation_msg_id
            print(f"\n   Verifier sucht Connection via invitation_msg_id...")
            time.sleep(2)  # Kurze Wartezeit f√ºr DIDExchange Protocol
            
            # Hole alle Verifier Connections
            verifier_conns = api_get(VERIFIER_ADMIN_URL, "/connections")
            if verifier_conns and "results" in verifier_conns:
                connections = verifier_conns["results"]
                
                print(f"     Pr√ºfe {len(connections)} Connection(s)...")
                
                # Finde Connection anhand invitation_msg_id (exaktes Match!)
                connection_found = False
                for conn in connections:
                    conn_invitation_msg_id = conn.get("invitation_msg_id")
                    conn_invitation_key = conn.get("invitation_key")
                    
                    # Match via invitation_msg_id (bevorzugt)
                    if invitation_msg_id and conn_invitation_msg_id == invitation_msg_id:
                        conn_id_verifier_holder = conn["connection_id"]
                        conn_state = conn.get("state")
                        print(f"\n   ‚úÖ Verifier: Connection gefunden via invitation_msg_id!")
                        print(f"      ‚Ä¢ Connection ID: {conn_id_verifier_holder}")
                        print(f"      ‚Ä¢ State: {conn_state}")
                        print(f"      ‚Ä¢ Invitation Msg ID: {conn_invitation_msg_id}")
                        print(f"      ‚Ä¢ Their Label: {conn.get('their_label', 'N/A')}")
                        print(f"      ‚Ä¢ Updated At: {conn.get('updated_at', 'N/A')}")
                        connection_found = True
                        break
                    
                    # Fallback: Match via invitation_key
                    elif invitation_key and conn_invitation_key == invitation_key:
                        conn_id_verifier_holder = conn["connection_id"]
                        conn_state = conn.get("state")
                        print(f"\n   ‚úÖ Verifier: Connection gefunden via invitation_key!")
                        print(f"      ‚Ä¢ Connection ID: {conn_id_verifier_holder}")
                        print(f"      ‚Ä¢ State: {conn_state}")
                        print(f"      ‚Ä¢ Invitation Key: {conn_invitation_key}...")
                        print(f"      ‚Ä¢ Their Label: {conn.get('their_label', 'N/A')}")
                        connection_found = True
                        break
                
                if not connection_found:
                    print(f"     ‚ö†Ô∏è  Keine Connection mit matching invitation_msg_id gefunden")
                    print(f"     Gesuchte invitation_msg_id: {invitation_msg_id}")
            else:
                print(f"     ‚ùå Konnte Verifier Connections nicht abrufen")
        else:
            print("‚ùå Holder konnte Invitation nicht akzeptieren")
    else:
        print("‚ùå Fehler beim Erstellen der Invitation")

# ========================================
# 3. POST-VALIDATION: Connection-Status verifizieren
# ========================================
print("\nüîç Post-Validation: Verifiziere Connection-Status...\n")

validation_success = False
verifier_state = None
holder_state = None

if conn_id_verifier_holder:
    # Pr√ºfe Verifier-Seite mit spezifischem Endpoint: GET /connections/{conn_id}
    verifier_conn_detail = api_get(
        VERIFIER_ADMIN_URL,
        f"/connections/{conn_id_verifier_holder}"
    )
    
    if verifier_conn_detail:
        verifier_state = verifier_conn_detail.get("state")
        verifier_their_label = verifier_conn_detail.get("their_label")
        verifier_their_role = verifier_conn_detail.get("their_role")
        verifier_invitation_msg_id = verifier_conn_detail.get("invitation_msg_id")
        
        print(f"   üìã Verifier Connection {conn_id_verifier_holder}:")
        print(f"      ‚Ä¢ State: {verifier_state}")
        print(f"      ‚Ä¢ Their Label: {verifier_their_label}")
        print(f"      ‚Ä¢ Their Role: {verifier_their_role}")
        print(f"      ‚Ä¢ Invitation Msg ID: {verifier_invitation_msg_id}")

# Pr√ºfe Holder-Seite (falls conn_id_holder_verifier bekannt)
if conn_id_holder_verifier:
    # Pr√ºfe Holder-Seite mit spezifischem Endpoint: GET /connections/{conn_id}
    holder_conn_detail = api_get(
        HOLDER_ADMIN_URL,
        f"/connections/{conn_id_holder_verifier}"
    )
    
    if holder_conn_detail:
        holder_state = holder_conn_detail.get("state")
        holder_their_label = holder_conn_detail.get("their_label")
        holder_their_role = holder_conn_detail.get("their_role")
        holder_invitation_msg_id = holder_conn_detail.get("invitation_msg_id")
        
        print(f"\n   üìã Holder Connection {conn_id_holder_verifier}:")
        print(f"      ‚Ä¢ State: {holder_state}")
        print(f"      ‚Ä¢ Their Label: {holder_their_label}")
        print(f"      ‚Ä¢ Their Role: {holder_their_role}")
        print(f"      ‚Ä¢ Invitation Msg ID: {holder_invitation_msg_id}")
        
        # Verifiziere dass invitation_msg_id √ºbereinstimmt
        if invitation_msg_id and verifier_invitation_msg_id == holder_invitation_msg_id:
            print(f"      ‚úÖ Invitation Msg IDs stimmen √ºberein!")

# Validierung
if verifier_state == "active" and holder_state == "active":
    validation_success = True
elif verifier_state == "active" and not conn_id_holder_verifier:
    # Bei existierender Connection nur Verifier-Seite bekannt
    validation_success = True

# Finale Ausgabe
print(f"\n{'='*60}")
if validation_success:
    print(f"‚úÖ CONNECTION ESTABLISHED (did:peer:4): Holder ‚Üî Verifier")
    print(f"   Verifier Connection ID: {conn_id_verifier_holder}")
    if conn_id_holder_verifier:
        print(f"   Holder Connection ID: {conn_id_holder_verifier}")
    print(f"   Verifier State: {verifier_state}")
    if holder_state:
        print(f"   Holder State: {holder_state}")
    if invitation_msg_id:
        print(f"   Invitation Msg ID: {invitation_msg_id}")
else:
    print(f"‚ö†Ô∏è  CONNECTION STATUS UNCLEAR")
    print(f"   Verifier State: {verifier_state if verifier_state else 'N/A'}")
    print(f"   Holder State: {holder_state if holder_state else 'N/A'}")
    if conn_id_verifier_holder:
        print(f"   Verifier Connection ID: {conn_id_verifier_holder}")
    if conn_id_holder_verifier:
        print(f"   Holder Connection ID: {conn_id_holder_verifier}")

print(f"{'='*60}")

In [None]:
# Cell 11: Connection-√úbersicht anzeigen

print("üìä Connection-√úbersicht:\n")

connections_overview = []

# Issuer Connections
issuer_conns = api_get(ISSUER_ADMIN_URL, "/connections")
if issuer_conns and "results" in issuer_conns:
    for conn in issuer_conns["results"]:
        connections_overview.append({
            "Agent": "Issuer",
            "Partner": conn.get("their_label", "Unknown"),
            "Connection ID": conn["connection_id"],
            "State": conn["state"],
            "Invitation Msg ID": conn.get("invitation_msg_id", "N/A") if conn.get("invitation_msg_id") else "N/A",
            "Status": "‚úÖ" if conn["state"] == "active" else "‚è≥"
        })

# Holder Connections
holder_conns = api_get(HOLDER_ADMIN_URL, "/connections")
if holder_conns and "results" in holder_conns:
    for conn in holder_conns["results"]:
        partner = conn.get("their_label", "Unknown")
        connections_overview.append({
            "Agent": "Holder",
            "Partner": partner,
            "Connection ID": conn["connection_id"],
            "State": conn["state"],
            "Invitation Msg ID": conn.get("invitation_msg_id", "N/A") if conn.get("invitation_msg_id") else "N/A",
            "Status": "‚úÖ" if conn["state"] == "active" else "‚è≥"
        })

# Verifier Connections
verifier_conns = api_get(VERIFIER_ADMIN_URL, "/connections")
if verifier_conns and "results" in verifier_conns:
    for conn in verifier_conns["results"]:
        connections_overview.append({
            "Agent": "Verifier",
            "Partner": conn.get("their_label", "Unknown"),
            "Connection ID": conn["connection_id"],
            "State": conn["state"],
            "Invitation Msg ID": conn.get("invitation_msg_id", "N/A") if conn.get("invitation_msg_id") else "N/A",
            "Status": "‚úÖ" if conn["state"] == "active" else "‚è≥"
        })

# Gruppiere nach invitation_msg_id um zusammengeh√∂rige Connections zu finden
all_connections = []
if issuer_conns and "results" in issuer_conns:
    for conn in issuer_conns["results"]:
        all_connections.append(("Issuer", conn))
if holder_conns and "results" in holder_conns:
    for conn in holder_conns["results"]:
        all_connections.append(("Holder", conn))
if verifier_conns and "results" in verifier_conns:
    for conn in verifier_conns["results"]:
        all_connections.append(("Verifier", conn))

# Gruppiere nach invitation_msg_id
from collections import defaultdict
connection_groups = defaultdict(list)
for agent, conn in all_connections:
    invitation_msg_id = conn.get("invitation_msg_id")
    if invitation_msg_id:
        connection_groups[invitation_msg_id].append((agent, conn))

# Zeige gruppierte Connections
for idx, (inv_msg_id, group) in enumerate(connection_groups.items(), 1):
    print(f"Connection Group {idx}:")
    print(f"   Invitation Msg ID: {inv_msg_id}")
    for agent, conn in group:
        print(f"   ‚Ä¢ {agent}: {conn['connection_id']} (State: {conn['state']})")
    print()

In [None]:
# Cell 12 Wallet DID √úbersicht anzeigen

print("üìã Wallet-√úbersicht - Alle DIDs:\n")

# Alle DIDs von allen Agenten abrufen
issuer_dids = api_get(ISSUER_ADMIN_URL, "/wallet/did")
holder_dids = api_get(HOLDER_ADMIN_URL, "/wallet/did")
verifier_dids = api_get(VERIFIER_ADMIN_URL, "/wallet/did")

#Zeige originale Responses
print("üîç Originale /wallet/did Responses:\n")
if issuer_dids:
    pretty_print(issuer_dids, "Issuer Wallet DIDs")
if holder_dids:
    pretty_print(holder_dids, "Holder Wallet DIDs")
if verifier_dids:
    pretty_print(verifier_dids, "Verifier Wallet DIDs")

## Teil 5: Credential Issuance - KRITIS-Notfall-Wartungszertifikat

**Szenario**: Ein Energienetzbetreiber (Issuer) stellt einem Notfalltechniker (Holder) ein zeitlich begrenztes **Notfall-Wartungszertifikat** aus, das den Zugang zu kritischer Infrastruktur (Umspannwerk Nord-Ost) autorisiert.

**KRITIS-Kontext**:
- Kritische Infrastruktur gem√§√ü EU-Verordnung 2019/881 (Cybersecurity Act)
- Energiesektor (Stromversorgung) - eine der 9 KRITIS-Branchen
- Zero-Knowledge-Proof-basierte Zutrittskontrolle ohne Preisgabe sensibler Daten
- Post-Quantum-Kryptographie (ML-DSA-65) f√ºr langfristige Sicherheit

**Credential-Attribute**:
- **Identit√§t**: Vorname, Nachname, Organisation, Rolle
- **Berechtigung**: Zertifikatstyp, Anlagentyp, Sicherheitsstufe
- **Zeitfenster**: Epoch-basierte G√ºltigkeitszeitr√§ume (Unix Timestamps)

In [None]:
# Cell 13: Credential Offer senden (Issuer ‚Üí Holder)

print("üì§ Credential Offer senden (Issuer ‚Üí Holder)...\n")

start_time = time.time()

# Credential-Daten vorbereiten
credential_offer_data = {
    "comment": "KRITIS Notfall-Wartungszertifikat",
    "connection_id": conn_id_issuer_holder,
    "filter": {
        "indy": {
            "cred_def_id": cred_def_id
        }
    },
    "credential_preview": {
        "@type": "issue-credential/2.0/credential-preview",
        "attributes": [
            {"name": "first_name", "value": "Max"},
            {"name": "name", "value": "Mustermann"},
            {"name": "organisation", "value": "Musterfirma GmbH"},
            {"name": "role", "value": "Notfalltechniker"},
            {"name": "cert_type", "value": "Notfall-Wartungsberechtigung"},
            {"name": "facility_type", "value": "Umspannwerk Nord-Ost"},
            {"name": "epoch_valid_from", "value": "1765026000"},
            {"name": "epoch_valid_until", "value": "1765033200"},
            {"name": "security_clearance_level", "value": "2"}  # √ú2 - Erweiterte Sicherheits√ºberpr√ºfung
        ]
    },
    "trace": False
}

# Credential Offer senden
cred_offer_response = api_post(
    ISSUER_ADMIN_URL,
    "/issue-credential-2.0/send-offer",
    credential_offer_data
)

if cred_offer_response is not None:
    cred_ex_id = cred_offer_response.get("cred_ex_id")
    cred_ex_state = cred_offer_response.get("state")

    print(f"‚úÖ Credential Offer gesendet")
    print(f"   Exchange ID: {cred_ex_id}")
    print(f"   State:       {cred_ex_state}")

    # ========================================
    # WARTE AUF CREDENTIAL-AUSSTELLUNG
    # ========================================
    print("\n   ‚è∞ Warte auf Credential-Ausstellung (auto-store auf Holder)...")
    time.sleep(5)

    # ========================================
    # STATUS-CHECK AUF BEIDEN SEITEN
    # ========================================
    print("\nüîç Status-Check:\n")

    # 1. Issuer-Seite Status (BEN√ñTIGT f√ºr Revocation IDs!)
    cred_status_issuer = api_get(
        ISSUER_ADMIN_URL,
        f"/issue-credential-2.0/records/{cred_ex_id}"
    )

    preserve_flag_active = False
    issuer_state = None

    if cred_status_issuer:
        preserve_flag_active = True
        issuer_state = cred_status_issuer.get("cred_ex_record", {}).get("state")
        print(f"   üìã Issuer Exchange:")
        print(f"      ‚Ä¢ State: {issuer_state}")
        print(f"      ‚úÖ --preserve-exchange-records aktiv!")
    else:
        print(f"   ‚ö†Ô∏è  Issuer Exchange nicht abrufbar")
        print(f"      ‚ùå --preserve-exchange-records ist NICHT aktiv!")

    # 2. Holder Credentials pr√ºfen
    print("\n   üìã Holder Credentials:")
    holder_creds = api_get(HOLDER_ADMIN_URL, "/credentials")

    credential_stored = False
    credential_referent = None

    if holder_creds and "results" in holder_creds:
        for cred in holder_creds["results"]:
            if cred.get("cred_def_id") == cred_def_id:
                credential_stored = True
                credential_referent = cred.get("referent")
                print(f"      ‚Ä¢ Credential ID: {credential_referent}")
                print(f"      ‚Ä¢ Schema ID: {cred.get('schema_id', 'N/A')[:50]}...")

                # Zeige Attribute
                attrs = cred.get("attrs", {})
                if attrs:
                    print(f"      ‚Ä¢ Attributes:")
                    for key, value in list(attrs.items()):
                        print(f"         - {key}: {value}")
                break

    # ========================================
    # REVOCATION IDs SPEICHERN (KRITISCH!)
    # ========================================
    rev_reg_id = None
    cred_rev_id = None

    if cred_status_issuer:
        indy_data = cred_status_issuer.get("indy", {})
        rev_reg_id = indy_data.get("rev_reg_id")
        cred_rev_id = indy_data.get("cred_rev_id")

        if rev_reg_id and cred_rev_id:
            print("\n" + "="*60)
            print("üîë REVOCATION-INFORMATIONEN")
            print("="*60)
            print(f"   ‚Ä¢ Revocation Registry ID: {rev_reg_id}")
            print(f"   ‚Ä¢ Credential Revocation ID: {cred_rev_id}")
            print("   üíæ IDs gespeichert f√ºr Revocation-Workflow (Cell 19-21)")
            print("="*60 + "\n")

    # ========================================
    # ISSUER CREDENTIAL REGISTRY
    # ========================================
    print("="*60)
    print("üìã ISSUER: Alle ausgestellten Credentials")
    print("="*60)

    all_issuer_records = api_get(ISSUER_ADMIN_URL, "/issue-credential-2.0/records")

    if all_issuer_records and "results" in all_issuer_records:
        results = all_issuer_records["results"]

        if len(results) > 0:
            print(f"\n‚úÖ Issuer hat {len(results)} Credential Exchange Record(s)\n")

            for idx, record in enumerate(results, 1):
                print(f"   Credential #{idx}:")
                print(f"      ‚Ä¢ Exchange ID: {record['cred_ex_record']['cred_ex_id']}")
                print(f"      ‚Ä¢ State: {record['cred_ex_record']['state']}")

                # Cred Def ID
                cred_def_from_record = None
                if "cred_offer" in record:
                    cred_def_from_record = record.get("cred_offer", {}).get("cred_def_id")

                if cred_def_from_record:
                    print(f"      ‚Ä¢ Cred Def ID: {cred_def_from_record[:50]}...")

                # Attributes aus Preview
                if "cred_preview" in record:
                    attrs = record.get("cred_preview", {}).get("attributes", [])
                    if attrs:
                        print(f"      ‚Ä¢ Attributes:")
                        for attr in attrs[:3]:
                            print(f"         - {attr.get('name')}: {attr.get('value')}")
                        if len(attrs) > 3:
                            print(f"         ... und {len(attrs)-3} weitere")
                print()
        else:
            print("\n‚ö†Ô∏è  Registry ist LEER\n")

            if not preserve_flag_active:
                print("   ‚ùå --preserve-exchange-records ist NICHT aktiv!")
                print("   üîß L√∂sung: docker-compose restart issuer")
            else:
                print("   üí° Credential erscheint nach erneutem Ausf√ºhren dieser Cell")
            print()

    # ========================================
    # FINALE SUMMARY
    # ========================================

    print("="*60)
    if credential_stored:
        print(f"‚úÖ KRITIS-NOTFALL-WARTUNGSZERTIFIKAT ERFOLGREICH AUSGESTELLT")
        print(f"   Issuer State: {issuer_state if issuer_state else 'done'}")
        print(f"   Credential im Holder Wallet: ‚úÖ")
        print(f"   Credential Referent: {credential_referent}")

        if rev_reg_id and cred_rev_id:
            print(f"   Revocation IDs gespeichert: ‚úÖ")
        else:
            print(f"   ‚ö†Ô∏è  Revocation IDs nicht gefunden!")

        if preserve_flag_active:
            print(f"   Issuer Registry verf√ºgbar: ‚úÖ")
        else:
            print(f"   Issuer Registry verf√ºgbar: ‚ö†Ô∏è  (restart issuer)")
    else:
        print(f"‚ö†Ô∏è  CREDENTIAL STATUS UNKLAR")
        print(f"   Issuer State: {issuer_state if issuer_state else 'N/A'}")
        print(f"   Credential im Wallet: ‚ùå")

    print(f"{'='*60}")

    # Zeige vollst√§ndige Response
    # pretty_print(cred_status_issuer, "Credential Offer Response (KRITIS)")

else:
    print("‚ùå Fehler beim Senden des Credential Offers")

In [None]:
# Cell 14: Holder Credentials im Detail anzeigen

print("üéì Holder Wallet - Gespeicherte Credentials:\n")

holder_creds = api_get(HOLDER_ADMIN_URL, "/credentials")

if holder_creds and "results" in holder_creds and len(holder_creds["results"]) > 0:
    for idx, cred in enumerate(holder_creds["results"], 1):
        print(f"\n{'='*60}")
        print(f"Credential #{idx}")
        print(f"{'='*60}")
        print(f"Referent: {cred.get('referent', 'N/A')}")
        print(f"Schema ID: {cred.get('schema_id', 'N/A')}")
        print(f"Cred Def ID: {cred.get('cred_def_id', 'N/A')}")
        
        # Credentials Revoked Abfrage gegen /credential/revoked/{credential_id ==> Referent}
        print(f"Revoked Status: {api_get(HOLDER_ADMIN_URL, f'/credential/revoked/{cred.get('referent', 'N/A')}').get('revoked', 'N/A')}")

        if "attrs" in cred:
            print("\nAttribute:")
            for attr_name, attr_value in cred["attrs"].items():
                print(f"  - {attr_name}: {attr_value}")
else:
    print("‚ö†Ô∏è  Holder hat noch keine Credentials")

## Teil 6: Proof Presentation - Zutrittskontrolle am Umspannwerk

**Szenario**: Der Notfalltechniker (Holder) pr√§sentiert sein Credential am Zutrittssystem des Umspannwerks (Verifier). Das System fordert einen Zero-Knowledge-Proof an, der folgende Eigenschaften verifiziert:

1. **Berechtigung (REVEALED)**: Zertifikatstyp, Anlagentyp, Sicherheitsstufe werden offengelegt
2. **G√ºltigkeitszeitraum (REVEALED)**: Epoch-Timestamps (valid_from, valid_until) werden offengelegt
3. **Rolle (REVEALED)**: Berufliche Funktion wird offengelegt (z.B. "Notfalltechniker")
4. **Revocation-Check**: Credential ist NICHT revoked (Revocation Registry Check)
5. **Identit√§t (UNREVEALED)**: Vor- und Nachname bleiben GEHEIM (Selective-Disclosure)
6. **Arbeitgeber (UNREVEALED)**: Organisation bleibt GEHEIM (Selective-Disclosure)

**Datenschutz-Mechanismus (Privacy by Design)**:
- **Selective Disclosure**: Nur 6 von 9 Attributen werden offengelegt (cert_type, facility_type, epoch_valid_from, epoch_valid_until, role)
- **Selective-Disclosure f√ºr Identit√§t**: Das Zutrittssystem erf√§hrt NICHT, WER der Techniker ist (Vor-/Nachname geheim)
- **Selective-Disclosure f√ºr Arbeitgeber**: Das Zutrittssystem erf√§hrt NICHT, f√ºr WELCHE Firma der Techniker arbeitet
- **Zero-Knowledge-Proof**: Der Holder beweist kryptographisch, dass er ein g√ºltiges Credential mit korrekten Berechtigungen besitzt, ohne seine Identit√§t offenzulegen
- **DSGVO-Konformit√§t**: Minimierung personenbezogener Daten (Art. 5 Abs. 1 lit. c DSGVO) - Pseudonymisierung durch ZKP

**KRITIS-Sicherheitsmechanismus**:
- **Revocation Always-ON**: Echtzeit-Pr√ºfung gegen Hyperledger Indy Revocation Registry
- **Non-Revocation Interval**: `{"from": 0, "to": current_timestamp}` - Credential darf zu KEINEM Zeitpunkt revoked worden sein
- **PQC-Signaturen**: Proof wird mit ML-DSA-65 signiert (quantensicher)

In [None]:
# Cell 15: Proof Request senden (Verifier ‚Üí Holder) - mit REVOCATION ALWAYS-ON

print("üîç Proof Request senden (Verifier ‚Üí Holder)...\n")

start_time = time.time()

# Get current timestamp for non-revocation interval
current_timestamp = int(time.time())

# Proof Request Data (ACA-Py API) - Privacy-Preserving ZKP!
# API: POST /present-proof-2.0/send-request
# REVEALED: cert_type, facility_type, epoch_valid_from, epoch_valid_until, role (5 Attribute)
# ZKP PREDICATE: security_clearance_level >= 2 (√ú2) - OHNE Offenlegung der exakten Stufe!
# UNREVEALED: first_name, name, organisation (3 Attribute - ZKP ohne Offenlegung!)
proof_request_data = {
    "connection_id": conn_id_verifier_holder,  # from Cell 15
    "presentation_request": {
        "indy": {
            "name": "Proof of KRITIS Emergency Maintenance Authorization",
            "version": "1.0",
            "requested_attributes": {
                "attr1_referent": {
                    "name": "cert_type",
                    "restrictions": [{"cred_def_id": cred_def_id}],
                    "non_revoked": {"from": 0, "to": current_timestamp}
                },
                "attr2_referent": {
                    "name": "facility_type",
                    "restrictions": [{"cred_def_id": cred_def_id}],
                    "non_revoked": {"from": 0, "to": current_timestamp}
                },
                "attr3_referent": {
                    "name": "epoch_valid_from",
                    "restrictions": [{"cred_def_id": cred_def_id}],
                    "non_revoked": {"from": 0, "to": current_timestamp}
                },
                "attr4_referent": {
                    "name": "epoch_valid_until",
                    "restrictions": [{"cred_def_id": cred_def_id}],
                    "non_revoked": {"from": 0, "to": current_timestamp}
                },
                "attr5_referent": {
                    "name": "role",
                    "restrictions": [{"cred_def_id": cred_def_id}],
                    "non_revoked": {"from": 0, "to": current_timestamp}
                }
            },
            "requested_predicates": {
            "pred1_clearance": {
                "name": "security_clearance_level",
                "p_type": ">=",
                "p_value": 2,
                "restrictions": [{"cred_def_id": cred_def_id}],
                "non_revoked": {"from": 0, "to": current_timestamp}
            }
        }
        }
    }
}

print(f"üîç Proof Request f√ºr KRITIS-Zutrittsberechtigung:")
print(f"   Endpoint:      /present-proof-2.0/send-request")
print(f"   Connection:    {conn_id_verifier_holder}")
print(f"   Cred Def ID:   {cred_def_id}")
print(f"   Proof Name:    Proof of KRITIS Emergency Maintenance Authorization")
print(f"   REVEALED:      Berechtigung, Anlage, Sicherheitsstufe, G√ºltigkeitszeitraum, Rolle (6 Attribute)")
print(f"   ‚ö†Ô∏è  DATENSCHUTZ: Identit√§t (Vor-/Nachname) und Organisation werden NICHT offengelegt (Selective-Disclosure)\n")

# Send Proof Request (ACA-Py endpoint)
proof_request_response = api_post(
    VERIFIER_ADMIN_URL,
    "/present-proof-2.0/send-request",
    proof_request_data
)

if proof_request_response is not None:
    # Response Format: {"pres_ex_id": "...", "state": "...", ...}
    pres_ex_id = proof_request_response.get("pres_ex_id")
    pres_ex_state = proof_request_response.get("state")

    print(f"‚úÖ Proof Request gesendet")
    print(f"   Exchange ID: {pres_ex_id}")
    print(f"   State:       {pres_ex_state}")

    # Show full Proof Request Response
    # pretty_print(proof_request_response, "Proof Request Response (KRITIS)")

else:
    print("‚ùå Fehler beim Senden des Proof Requests")

In [None]:
# Cell 16: Holder - Proof Request empfangen und Credentials ausw√§hlen

print("üì• Holder: Proof Request verarbeiten...\n")

if pres_ex_id:
    # Holder pr√ºft empfangene Proof Requests
    time.sleep(2)
    
    holder_pres_ex = api_get(HOLDER_ADMIN_URL, "/present-proof-2.0/records")
    
    if holder_pres_ex and "results" in holder_pres_ex:
        # Finde den aktuellen Presentation Exchange
        current_pres = None
        for pres in holder_pres_ex["results"]:
            if pres.get("state") == "request-received":
                current_pres = pres
                holder_pres_ex_id = pres["pres_ex_id"]
                break
        
        if current_pres:
            print(f"‚úÖ Holder hat Proof Request empfangen")
            print(f"   Presentation Exchange ID: {holder_pres_ex_id}")
            
            # Credentials f√ºr die Presentation abrufen
            creds_for_pres = api_get(
                HOLDER_ADMIN_URL,
                f"/present-proof-2.0/records/{holder_pres_ex_id}/credentials"
            )
            
            if creds_for_pres:
                print(f"\nüìã Verf√ºgbare Credentials f√ºr Presentation:")
                
                # API kann entweder list oder dict zur√ºckgeben
                total_creds = 0
                
                if isinstance(creds_for_pres, list):
                    # Liste von Credential Records
                    total_creds = len(creds_for_pres)
                    print(f"   Gefunden: {total_creds} Credential(s)")
                    
                    # Zeige Details der ersten paar Credentials
                    for idx, cred in enumerate(creds_for_pres[:3], 1):
                        print(f"\n   Credential #{idx}:")
                        if "cred_info" in cred:
                            cred_info = cred["cred_info"]
                            print(f"      ‚Ä¢ Referent: {cred_info.get('referent', 'N/A')}")
                            print(f"      ‚Ä¢ Schema ID: {cred_info.get('schema_id', 'N/A')}")
                            print(f"      ‚Ä¢ Cred Def ID: {cred_info.get('cred_def_id', 'N/A')}")
                            
                            # Zeige Attribute
                            attrs = cred_info.get("attrs", {})
                            if attrs:
                                print(f"      ‚Ä¢ Attributes:")
                                # Zeige erste 3 Attribute
                                shown = 0
                                for key, value in attrs.items():
                                    print(f"         - {key}: {value}")
                    
                elif isinstance(creds_for_pres, dict):
                    # Dictionary mit referent als key
                    for referent, creds in creds_for_pres.items():
                        if isinstance(creds, list):
                            total_creds += len(creds)
                            print(f"   {referent}: {len(creds)} Credential(s)")
                            
                            # Zeige Details des ersten Credentials
                            if len(creds) > 0:
                                cred = creds[0]
                                if "cred_info" in cred:
                                    cred_info = cred["cred_info"]
                                    print(f"      ‚Ä¢ Cred Def ID: {cred_info.get('cred_def_id', 'N/A')}")
                                    attrs = cred_info.get("attrs", {})
                                    if attrs:
                                        attr_count = len(attrs)
                                        print(f"      ‚Ä¢ {attr_count} Attribute(s) verf√ºgbar")
                else:
                    print(f"   ‚ö†Ô∏è  Unbekanntes Format: {type(creds_for_pres).__name__}")
                    total_creds = 0
                
                print(f"\n‚úÖ Total: {total_creds} passende Credential(s) gefunden")
                
                if total_creds == 0:
                    print(f"\n‚ö†Ô∏è  WARNUNG: Keine passenden Credentials gefunden!")
                    print(f"   ‚Ä¢ Stelle sicher dass Cell 16 erfolgreich war")
                    print(f"   ‚Ä¢ Pr√ºfe ob Credential im Holder Wallet ist (Cell 16 Output)")
                    print(f"   ‚Ä¢ Schema/Cred Def m√ºssen mit Proof Request √ºbereinstimmen")
            else:
                print(f"\n‚ö†Ô∏è  Keine Credentials f√ºr Presentation verf√ºgbar")
                print(f"   API-Antwort war leer oder None")
        else:
            print("‚ö†Ô∏è  Kein Proof Request im Status 'request-received'")
            print("\n   Verf√ºgbare Presentation Exchanges:")
            for pres in holder_pres_ex["results"]:
                print(f"      ‚Ä¢ {pres['pres_ex_id']} State: {pres.get('state')}")
    else:
        print("‚ö†Ô∏è  Keine Presentation Exchanges gefunden")
        print("   F√ºhre Cell 18 aus um Proof Request zu senden")
else:
    print("‚ö†Ô∏è  √úbersprungen: Kein Presentation Exchange vorhanden")
    print("   F√ºhre Cell 18 aus um Proof Request zu erstellen")

In [None]:
# Cell 17: Holder - Presentation senden

print("üì§ Holder: Presentation senden...\n")

if pres_ex_id and holder_pres_ex_id:
    start_time = time.time()
    
    # Hole Credentials nochmal
    creds_for_pres = api_get(
        HOLDER_ADMIN_URL,
        f"/present-proof-2.0/records/{holder_pres_ex_id}/credentials"
    )
    
    if creds_for_pres:
        print(f"üìã Credentials f√ºr Presentation gefunden")
        
        # Baue Presentation Request
        requested_credentials = {
            "indy": {
                "requested_attributes": {},
                "requested_predicates": {},
                "self_attested_attributes": {}
            }
        }
        
        # Handle verschiedene API-Response-Formate
        if isinstance(creds_for_pres, list):
            # Liste von Credential-Objekten
            print(f"   Format: Liste mit {len(creds_for_pres)} Credential(s)\n")
            
            # Jedes Credential-Objekt hat presentation_referents
            for cred_item in creds_for_pres:
                if "cred_info" in cred_item:
                    cred_id = cred_item["cred_info"].get("referent")
                    
                    # Hole presentation_referents (welche Felder dieses Cred erf√ºllen kann)
                    pres_referents = cred_item.get("presentation_referents", [])
                    
                    for ref in pres_referents:
                        # Pr√ºfe ob es Attribute oder Predicate ist
                        if "attr" in ref or "attribute" in ref.lower():
                            requested_credentials["indy"]["requested_attributes"][ref] = {
                                "cred_id": cred_id,
                                "revealed": True
                            }
                            print(f"   ‚úì Mapped attribute '{ref}' ‚Üí Credential {cred_id}")
                        elif "pred" in ref or "predicate" in ref.lower():
                            requested_credentials["indy"]["requested_predicates"][ref] = {
                                "cred_id": cred_id
                            }
                            print(f"   ‚úì Mapped predicate '{ref}' ‚Üí Credential {cred_id}")
        
        elif isinstance(creds_for_pres, dict):
            # Dictionary mit referent als key (Legacy-Format)
            print(f"   Format: Dictionary mit {len(creds_for_pres)} Referent(s)\n")
            
            for referent, creds in creds_for_pres.items():
                if isinstance(creds, list) and len(creds) > 0:
                    first_cred = creds[0]
                    cred_id = first_cred.get("cred_info", {}).get("referent")
                    
                    if "attr" in referent:
                        requested_credentials["indy"]["requested_attributes"][referent] = {
                            "cred_id": cred_id,
                            "revealed": True
                        }
                        print(f"   ‚úì Mapped attribute '{referent}' ‚Üí Credential {cred_id[:20]}...")
                    elif "predicate" in referent:
                        requested_credentials["indy"]["requested_predicates"][referent] = {
                            "cred_id": cred_id
                        }
                        print(f"   ‚úì Mapped predicate '{referent}' ‚Üí Credential {cred_id[:20]}...")
        
        # Pr√ºfe ob wir Credentials gemappt haben
        total_mapped = (
            len(requested_credentials["indy"]["requested_attributes"]) +
            len(requested_credentials["indy"]["requested_predicates"])
        )
        
        if total_mapped == 0:
            print("\n‚ö†Ô∏è  WARNUNG: Keine Credentials gemappt!")
            print("   Versuche automatisches Mapping...\n")
            
            # Fallback: Verwende erstes verf√ºgbares Credential f√ºr alle Requests
            # Hole Proof Request Details
            pres_ex_details = api_get(
                HOLDER_ADMIN_URL,
                f"/present-proof-2.0/records/{holder_pres_ex_id}"
            )
            
            if pres_ex_details and "pres_request" in pres_ex_details:
                pres_request = pres_ex_details["pres_request"]
                
                # Hole erstes verf√ºgbares Credential
                first_cred_id = None
                if isinstance(creds_for_pres, list) and len(creds_for_pres) > 0:
                    first_cred_id = creds_for_pres[0].get("cred_info", {}).get("referent")
                elif isinstance(creds_for_pres, dict):
                    for creds in creds_for_pres.values():
                        if isinstance(creds, list) and len(creds) > 0:
                            first_cred_id = creds[0].get("cred_info", {}).get("referent")
                            break
                
                if first_cred_id:
                    # Map alle requested attributes
                    if "requested_attributes" in pres_request:
                        for attr_ref in pres_request["requested_attributes"].keys():
                            requested_credentials["indy"]["requested_attributes"][attr_ref] = {
                                "cred_id": first_cred_id,
                                "revealed": True
                            }
                            print(f"   ‚úì Auto-mapped attribute '{attr_ref}' ‚Üí {first_cred_id[:20]}...")
                    
                    # Map alle requested predicates
                    if "requested_predicates" in pres_request:
                        for pred_ref in pres_request["requested_predicates"].keys():
                            requested_credentials["indy"]["requested_predicates"][pred_ref] = {
                                "cred_id": first_cred_id
                            }
                            print(f"   ‚úì Auto-mapped predicate '{pred_ref}' ‚Üí {first_cred_id[:20]}...")
                    
                    total_mapped = (
                        len(requested_credentials["indy"]["requested_attributes"]) +
                        len(requested_credentials["indy"]["requested_predicates"])
                    )
        
        print(f"\nüìä Presentation Mapping:")
        print(f"   ‚Ä¢ Requested Attributes: {len(requested_credentials['indy']['requested_attributes'])}")
        print(f"   ‚Ä¢ Requested Predicates: {len(requested_credentials['indy']['requested_predicates'])}")
        print(f"   ‚Ä¢ Total Mapped: {total_mapped}")
        
        if total_mapped > 0:
            # Sende Presentation
            print("\nüì§ Sende Presentation...")
            presentation_response = api_post(
                HOLDER_ADMIN_URL,
                f"/present-proof-2.0/records/{holder_pres_ex_id}/send-presentation",
                requested_credentials
            )
            
            if presentation_response is not None:
                print(f"\n‚úÖ Holder hat Presentation gesendet")
                print(f"   Presentation Exchange ID: {holder_pres_ex_id}")
                print(f"   State: {presentation_response.get('state', 'N/A')}")
                print(f"   Role: {presentation_response.get('role', 'N/A')}")
                
                # Warte auf Verification
                print("\n   Warte auf Verification durch Verifier...")
                time.sleep(3)
                
                # Pr√ºfe finalen Status (kann 404 geben wenn abgeschlossen!)
                final_status = api_get(
                    HOLDER_ADMIN_URL,
                    f"/present-proof-2.0/records/{holder_pres_ex_id}"
                )
                
                if final_status:
                    # Record noch vorhanden (--preserve-exchange-records aktiv)
                    final_state = final_status.get("state")
                    print(f"\n   üìã Finaler Holder Status: {final_state}")
                    
                    if final_state in ["done", "presentation-sent"]:
                        print(f"   ‚úÖ Presentation erfolgreich abgeschlossen!")
                        print(f"   ‚úÖ Record bleibt verf√ºgbar (--preserve-exchange-records aktiv)")
                    elif final_state == "abandoned":
                        print(f"   ‚ö†Ô∏è  Presentation wurde abgebrochen")
                    else:
                        print(f"   ‚è≥ Presentation in Bearbeitung...")
                else:
                    # 404 Error = Record wurde gel√∂scht = erfolgreich abgeschlossen!
                    print(f"\n   üìã Finaler Holder Status: completed/archived (404)")
                    print(f"   ‚úÖ Presentation erfolgreich abgeschlossen!")
                    print(f"   ‚ÑπÔ∏è  Record wurde nach Completion gel√∂scht (--preserve-exchange-records nicht aktiv)")
                    print(f"\n   üí° Hinweis: F√ºr dauerhafte Records, starte Holder neu:")
                    print(f"      docker-compose restart holder")
                
            else:
                print("\n‚ùå Fehler beim Senden der Presentation")
                print("   API-Response war leer oder fehlerhaft")
        else:
            print("\n‚ùå Kann Presentation nicht senden - keine Credentials gemappt")
            print("   ‚Ä¢ Pr√ºfe ob Credentials die Proof Request Anforderungen erf√ºllen")
            print("   ‚Ä¢ Pr√ºfe Schema und Cred Def IDs")
    else:
        print("‚ö†Ô∏è  Keine Credentials f√ºr Presentation gefunden")
        print("   ‚Ä¢ F√ºhre Cell 16 aus um Credential auszustellen")
        print("   ‚Ä¢ Pr√ºfe ob Credential im Holder Wallet ist")
else:
    print("‚ö†Ô∏è  √úbersprungen: Presentation Exchange nicht vorhanden")
    if not pres_ex_id:
        print("   ‚Ä¢ Verifier Presentation Exchange ID fehlt (f√ºhre Cell 18 aus)")
    if not holder_pres_ex_id:
        print("   ‚Ä¢ Holder Presentation Exchange ID fehlt (f√ºhre Cell 19 aus)")

In [None]:
# Cell 18: Verifier - Presentation verifizieren (mit Revocation Detection + Zeitg√ºltigkeit)

print("‚úÖ Presentation verifizieren (Verifier)...\n")

start_time = time.time()

# Wait for presentation to be received
import time as t
t.sleep(5)  # Give Holder time to generate and send proof

# Get presentation exchange record (ACA-Py endpoint)
# API: GET /present-proof-2.0/records/{pres_ex_id}
pres_ex_record = api_get(
    VERIFIER_ADMIN_URL,
    f"/present-proof-2.0/records/{pres_ex_id}"
)

if pres_ex_record is not None:
    # Response Format: {"state": "...", "verified": "...", "pres": {...}, "by_format": {...}, ...}
    pres_state = pres_ex_record.get("state")
    pres_verified = pres_ex_record.get("verified")

    # ========================================
    # ATTRIBUTE MAPPING: referent -> name -> value
    # ========================================
    # Step 1: Get requested_attributes from by_format.pres_request.indy (referent -> name mapping)
    by_format = pres_ex_record.get("by_format", {})
    pres_request_indy = by_format.get("pres_request", {}).get("indy", {})
    requested_attributes = pres_request_indy.get("requested_attributes", {})

    # Step 2: Get revealed_attrs from by_format.pres.indy.requested_proof (referent -> value mapping)
    pres_indy = by_format.get("pres", {}).get("indy", {})
    requested_proof = pres_indy.get("requested_proof", {})
    revealed_attrs_by_referent = requested_proof.get("revealed_attrs", {})

    # Step 3: Build name -> value mapping
    revealed_attrs = {}
    for referent, attr_data in revealed_attrs_by_referent.items():
        # Get the attribute name from requested_attributes
        if referent in requested_attributes:
            attr_name = requested_attributes[referent].get("name")
            attr_value = attr_data.get("raw")
            if attr_name and attr_value:
                revealed_attrs[attr_name] = attr_value

    print(f"‚úÖ Proof erfolgreich verifiziert!")

    print(f"\nVerifizierte Attribute (REVEALED):")
    for name, value in revealed_attrs.items():
        print(f"   - {name}: {value}")

    print(f"\n‚ö†Ô∏è  PER ZKP VERIFIZIERT ABER DURCH DATENSCHUTZ GESCH√úTZT (UNREVEALED):")
    print(f"   - Vorname: NICHT offengelegt (Zero-Knowledge-Proof)")
    print(f"   - Nachname: NICHT offengelegt (Zero-Knowledge-Proof)")
    print(f"   - Organisation: NICHT offengelegt (Zero-Knowledge-Proof)")

    print(f"\n   State:     {pres_state}")
    print(f"   Verified:  {pres_verified}")

    # ========================================
    # REVOCATION CHECK
    # ========================================
    is_revoked = False
    if pres_state == "done" and pres_verified == "true":
        print(f"\n‚úÖ Credential ist NICHT revoked (g√ºltig)")
    else:
        print(f"\n‚ùå Credential ist REVOKED!")
        is_revoked = True

    # ========================================
    # ZEITG√úLTIGKEITS-PR√úFUNG
    # ========================================
    print("\n" + "="*60)
    print("üïê ZEITG√úLTIGKEITS-PR√úFUNG")
    print("="*60)

    current_epoch = 1765029600  # Beispiel: Fester Zeitpunkt f√ºr Test (2024-09-05 12:00:00 UTC)
    epoch_valid_from = None
    epoch_valid_until = None
    is_time_valid = False

    # Extrahiere epoch_valid_from und epoch_valid_until aus revealed_attrs (name -> value mapping)
    if "epoch_valid_from" in revealed_attrs:
        epoch_valid_from = int(revealed_attrs["epoch_valid_from"])

    if "epoch_valid_until" in revealed_attrs:
        epoch_valid_until = int(revealed_attrs["epoch_valid_until"])

    if epoch_valid_from is not None and epoch_valid_until is not None:
        # Konvertiere zu lesbaren Timestamps
        from datetime import datetime
        valid_from_dt = datetime.fromtimestamp(epoch_valid_from)
        valid_until_dt = datetime.fromtimestamp(epoch_valid_until)
        current_dt = datetime.fromtimestamp(current_epoch)

        print(f"   ‚Ä¢ Aktueller Zeitpunkt: {current_dt.strftime('%Y-%m-%d %H:%M:%S')} (Epoch: {current_epoch}) ==> Beispielwert")
        print(f"   ‚Ä¢ G√ºltig ab:            {valid_from_dt.strftime('%Y-%m-%d %H:%M:%S')} (Epoch: {epoch_valid_from})")
        print(f"   ‚Ä¢ G√ºltig bis:           {valid_until_dt.strftime('%Y-%m-%d %H:%M:%S')} (Epoch: {epoch_valid_until})")

        # Pr√ºfe Zeitg√ºltigkeit
        if epoch_valid_from <= current_epoch <= epoch_valid_until:
            is_time_valid = True
            print(f"\n   ‚úÖ Zertifikat ist ZEITLICH G√úLTIG")
        else:
            is_time_valid = False
            if current_epoch < epoch_valid_from:
                print(f"\n   ‚ùå Zertifikat ist NOCH NICHT g√ºltig (zu fr√ºh)")
            else:
                print(f"\n   ‚ùå Zertifikat ist ABGELAUFEN (zu sp√§t)")
    else:
        print(f"   ‚ö†Ô∏è  Zeitg√ºltigkeits-Attribute nicht gefunden!")
        print(f"      ‚Ä¢ epoch_valid_from: {'gefunden' if epoch_valid_from else 'FEHLT'}")
        print(f"      ‚Ä¢ epoch_valid_until: {'gefunden' if epoch_valid_until else 'FEHLT'}")

    print("="*60)


    # ========================================
    # PREDICATE AUSWERTUNG (ZKP)
    # ========================================
    print("\n" + "="*60)
    print("üîê ZERO-KNOWLEDGE-PROOF AUSWERTUNG")
    print("="*60)

    predicates = requested_proof.get("predicates", {})
    has_required_clearance = False

    if predicates:
        for ref, pred_data in predicates.items():
            print(f"   ‚úÖ Predicate erf√ºllt: security_clearance_level >= 2 (√ú2)")
            print(f"   üîí Zero-Knowledge-Proof: Exakte Sicherheitsstufe NICHT offengelegt!")
            print(f"   ‚úì Techniker hat mindestens √ú2 (Erweiterte Sicherheits√ºberpr√ºfung)")
            has_required_clearance = True
    else:
        print(f"   ‚ö†Ô∏è  Keine Predicates im Proof gefunden!")

    print("="*60)

    # ========================================
    # FINALE ZUGRIFFSENTSCHEIDUNG
    # ========================================
    print("\n" + "="*60)
    print("üö¶ FINALE ZUGRIFFSENTSCHEIDUNG")
    print("="*60)

    # Alle drei Bedingungen m√ºssen erf√ºllt sein
    if not is_revoked and is_time_valid and has_required_clearance:
        print(f"\n‚úÖ ZUGANG GEW√ÑHRT")
        print(f"   ‚úì Credential ist g√ºltig (nicht revoked)")
        print(f"   ‚úì Zertifikat ist zeitlich g√ºltig")
        print(f"   ‚úì Sicherheitsfreigabe >= √ú2 (Zero-Knowledge-Proof)")
        print(f"\n   üîì Zugang zum Umspannwerk Nord-Ost GEW√ÑHRT")
    else:
        print(f"\n‚ùå ZUGANG VERWEIGERT")
        if is_revoked:
            print(f"   ‚úó Credential ist REVOKED")
        if not is_time_valid:
            print(f"   ‚úó Zertifikat ist NICHT zeitlich g√ºltig")
        if not has_required_clearance:
            print(f"   ‚úó Sicherheitsfreigabe NICHT ausreichend (< √ú2)")
        print(f"\n   üîí Zugang zum Umspannwerk Nord-Ost VERWEIGERT")

    print("="*60)

    print(f"\n‚úÖ Privacy-Preserving Verification erfolgreich (DSGVO-konform)")

    # Show full Presentation Record
    # pretty_print(pres_ex_record, "Presentation Record (KRITIS)")

else:
    print("‚ùå Fehler beim Abrufen der Presentation")

## Teil 7: Revocation & Deletion- Beendigung der Wartungsberechtigung

**Szenario**: Der Notfall-Wartungseinsatz ist beendet. Der Energienetzbetreiber (Issuer) widerruft das Credential des Technikers, um dessen Zugang zur kritischen Infrastruktur zu beenden. Der Techniker l√∂scht daraufhin seinen Credential aus seinem Wallet.

**KRITIS-Sicherheitsaspekt**:
- **Just-in-Time Access**: Berechtigungen nur f√ºr die Dauer des Einsatzes
- **Sofortige Revocation**: Credential wird in Revocation Registry als "revoked" markiert
- **Ledger-Publikation**: Revocation wird auf Hyperledger Indy Blockchain ver√∂ffentlicht
- **Echtzeit-Validierung**: Zutrittssysteme pr√ºfen Revocation-Status bei jeder Authentifizierung

**Demonstration**:
1. Credential wird vom Betreiber revoked (Cell 19-21)
2. Techniker versucht erneut Zugang (Cell 14-18)
3. Zutrittssystem VERWEIGERT Zugang (Revocation erkannt)

In [None]:
# Cell 19: Revocation Registries anzeigen

print("="*60)
print("üìã ISSUER: Revocation Registries")
print("="*60 + "\n")

registries = api_get(
    ISSUER_ADMIN_URL,
    "/revocation/registries/created?state=active"
)

if registries and "rev_reg_ids" in registries:
    reg_ids = registries["rev_reg_ids"]
    print(f"‚úÖ Aktive Revocation Registries: {len(reg_ids)}\n")
    
    for idx, reg_id in enumerate(reg_ids, 1):
        print(f"Registry #{idx}: {reg_id}")
        
        # Registry Details abrufen
        reg_info = api_get(ISSUER_ADMIN_URL, f"/revocation/registry/{reg_id}").get('result', 'N/A')
        if reg_info:
            print(f"   ‚Ä¢ State: {reg_info.get('state')}")
            print(f"   ‚Ä¢ Max Credentials: {reg_info.get('max_cred_num')}")
            print(f"   ‚Ä¢ Issuer DID: {reg_info.get('issuer_did', 'N/A')}")
            print(f"   ‚Ä¢ Tails Hash: {reg_info.get('tails_hash', 'N/A')}")
            print(f"   ‚Ä¢ Tails Location: {reg_info.get('tails_local_path', 'N/A')}")
            print(f"   ‚Ä¢ Created: {reg_info.get('created_at', 'N/A')}\n")
else:
    print("‚ö†Ô∏è  Keine aktiven Revocation Registries gefunden")
    print("   ‚Ä¢ Stelle sicher dass Cell 7 mit support_revocation: True l√§uft")
    print("   ‚Ä¢ F√ºhre Cell 13 aus um Credential mit Revocation auszustellen")

print("="*60)

In [None]:
# Cell 20: Credential REVOKEN (staged)

print("="*60)
print("üö´ Credential REVOKEN (staged)")
print("="*60 + "\n")

# Verwende gespeicherte Werte aus Cell 13
if 'rev_reg_id' in locals() and 'cred_rev_id' in locals():
    print(f"üìã Zu revokendes Credential:")
    print(f"   ‚Ä¢ Rev Reg ID: {rev_reg_id}")
    print(f"   ‚Ä¢ Cred Rev ID: {cred_rev_id}\n")
    
    revoke_request = {
        "rev_reg_id": rev_reg_id,
        "cred_rev_id": cred_rev_id,
        "notify": False,  # Kein Notification-Webhook
        "publish": False,  # Staging only, publishe sp√§ter in Cell 21
        "comment": "Revoked for testing purposes"
    }
    
    print("üì§ Sende Revocation Request (staging)...")
    start_time = time.time()
    
    revoke_response = api_post(
        ISSUER_ADMIN_URL,
        "/revocation/revoke",
        revoke_request
    )
    
    if revoke_response is not None:
        print(f"\n‚úÖ Credential erfolgreich REVOKED (staged)")
        print(f"   ‚Ä¢ Status: Pending (noch nicht auf Ledger)")
        print(f"\nüí° N√§chster Schritt: F√ºhre Cell 21 aus um auf Ledger zu publishen!")
    else:
        print(f"\n‚ùå Revocation fehlgeschlagen")
        print(f"   Pr√ºfe ob die IDs korrekt sind")
else:
    print("‚ö†Ô∏è  Keine Revocation IDs gefunden!")
    print("   ‚Ä¢ F√ºhre Cell 13 aus um Credential auszustellen")
    print("   ‚Ä¢ Die IDs werden automatisch in rev_reg_id und cred_rev_id gespeichert")

print("\n" + "="*60)

In [None]:
# Cell 21: Revocations auf Ledger PUBLISHEN

print("="*60)
print("üì§ PUBLISH Revocations auf Ledger")
print("="*60 + "\n")

print("Publishing alle pending Revocations auf Ledger...")

publish_response = api_post(
    ISSUER_ADMIN_URL,
    "/revocation/publish-revocations",
    {}
)

if publish_response and "rrid2crid" in publish_response:
    revoked_regs = publish_response["rrid2crid"]
    total_revoked = sum(len(creds) for creds in revoked_regs.values())
    
    print(f"\n‚úÖ ERFOLGREICH auf Ledger published:")
    print(f"   ‚Ä¢ Revocation Registries: {len(revoked_regs)}")
    print(f"   ‚Ä¢ Total revoked Credentials: {total_revoked}")
    
    for reg_id, cred_ids in revoked_regs.items():
        print(f"   üìã Registry: {reg_id}")
        print(f"      Revoked Credential IDs: {cred_ids}")
        print()
    
    print("="*60)
    print("‚úÖ Revocations sind jetzt auf dem VON Ledger!")
    print("   üí° Holder kann nun KEINEN Non-Revocation-Proof mehr erstellen")
    print("="*60)
elif publish_response:
    print(f"\n‚ö†Ô∏è  Keine pending Revocations zum Publishen")
    print(f"   Response: {publish_response}")
else:
    print(f"\n‚ùå Publish fehlgeschlagen")

print("Jetzt erneut Cell 14 - 18 ausf√ºhren um Revocation zu testen!")

# ========================================
# Zeige Ledger-Transaktionen
# ========================================
print("\n" + "="*60)
print("üìã LEDGER-TRANSAKTIONEN")
print("="*60)

try:
    # Hole Domain Ledger Transaktionen
    ledger_response = requests.get(f"{VON_NETWORK_URL}/ledger/domain")

    if ledger_response.status_code == 200:
        ledger_data = ledger_response.json()
        ledger_txns = ledger_data.get('results', [])

        # Filtere nach seqNo 14
        target_seqnos = [14]
        found_txns = []

        for txn in ledger_txns:
            txn_metadata = txn.get('txnMetadata', {})
            seqno = txn_metadata.get('seqNo')

            if seqno in target_seqnos:
               found_txns.append(txn)

        # Sortiere nach seqNo aufsteigend
        found_txns.sort(key=lambda x: x.get('txnMetadata', {}).get('seqNo', 0))

        if found_txns:
            print(f"\n‚úÖ {len(found_txns)} Transaktionen gefunden:\n")

            for txn in found_txns:
                txn_metadata = txn.get('txnMetadata', {})
                txn_data = txn.get('txn', {})
                seqno = txn_metadata.get('seqNo')
                txn_type = txn_data.get('type')
                txn_time = txn_metadata.get('txnTime', 'N/A')

                # Typ-Mapping
                type_names = {
                    '0' : 'NODE (Validator Node Registration)',
                    '1' : 'NYM (DID Registration)',
                    '4' : 'TXN_AUTHOR_AGREEMENT',
                    '5' : 'TXN_AUTHOR_AGREEMENT_AML',
                    '100': 'ATTRIB',
                    '101': 'SCHEMA',
                    '102': 'CRED_DEF',
                    '112': 'CHANGE_KEY',
                    '113': 'REVOC_REG_DEF',
                    '114': 'REVOC_REG_ENTRY',
                    '120': 'AUTH_RULE'
                }
                type_name = type_names.get(str(txn_type), f'Type {txn_type}')

                print(f"============================================================")
                print(f"Seq No: {seqno} | Time: {txn_time}")
                print(f"Transaction Type: {type_name}")
                print(f"============================================================\n")

                # Zeige vollst√§ndige Transaction
                pretty_print(txn, f"Ledger Transaction (seqNo {seqno})")
                print()

        else:
            print(f"\n‚ö†Ô∏è  NYM-Transaktion f√ºr DID {did_short} nicht gefunden")
            print(f"   (M√∂glicherweise noch nicht im Cache)")
    else:
        print(f"\n‚ö†Ô∏è  Konnte Ledger nicht abrufen: {ledger_response.status_code}")

except Exception as e:
    print(f"\n‚ö†Ô∏è  Fehler beim Abrufen der Ledger-Transaktion: {e}")

print("="*60)

In [None]:
# Cell 22: Erst Zelle 14-18 ausf√ºhren... Credential Deletion - Holder l√∂scht Credential aus Wallet

print("üóëÔ∏è  Credential Deletion - Holder l√∂scht Credential aus Wallet\n")

# ========================================
# VORHER: Zeige alle Credentials
# ========================================
print("="*60)
print("üéì HOLDER WALLET - CREDENTIALS VORHER")
print("="*60)

holder_creds_before = api_get(HOLDER_ADMIN_URL, "/credentials")

credentials_to_delete = []

if holder_creds_before and "results" in holder_creds_before and len(holder_creds_before["results"]) > 0:
    print(f"\n‚úÖ Holder hat {len(holder_creds_before['results'])} Credential(s)\n")

    for idx, cred in enumerate(holder_creds_before["results"], 1):
      referent = cred.get('referent', 'N/A')
      schema_id = cred.get('schema_id', 'N/A')
      cred_def_id = cred.get('cred_def_id', 'N/A')

      print(f"Credential #{idx}:")
      print(f"   Referent:    {referent}")
      print(f"   Schema ID:   {schema_id[:50]}...")
      print(f"   Cred Def ID: {cred_def_id[:50]}...")

      # Revoked Status pr√ºfen
      revoked_response = api_get(HOLDER_ADMIN_URL, f'/credential/revoked/{referent}')
      revoked_status = revoked_response.get('revoked', 'N/A') if revoked_response else 'N/A'
      print(f"   Revoked:     {revoked_status}")

      # Attribute anzeigen
      if "attrs" in cred:
          print(f"   Attribute:")
          for attr_name, attr_value in list(cred["attrs"].items()):
              print(f"      - {attr_name}: {attr_value}")

      # Speichere Referent f√ºr Deletion
      credentials_to_delete.append(referent)
      print()
else:
    print("‚ö†Ô∏è  Holder hat noch keine Credentials im Wallet")
    print("   F√ºhre zuerst Cell 14-18 aus (Schema ‚Üí Cred Def ‚Üí Issuance)")

print("="*60)

# ========================================
# DELETION: L√∂sche alle Credentials
# ========================================
if len(credentials_to_delete) > 0:
    print("\nüóëÔ∏è  CREDENTIAL DELETION STARTEN\n")

    deleted_count = 0
    failed_count = 0

    for idx, credential_id in enumerate(credentials_to_delete, 1):
        print(f"üóëÔ∏è  L√∂sche Credential #{idx} (Referent: {credential_id[:30]}...)")

        # API: DELETE /credential/{credential_id}
        delete_response = api_delete(
            HOLDER_ADMIN_URL,
            f"/credential/{credential_id}"
        )

        if delete_response is not None or delete_response == {}:
            print(f"   ‚úÖ Credential gel√∂scht")
            deleted_count += 1
        else:
            print(f"   ‚ùå Fehler beim L√∂schen")
            failed_count += 1
        print()

    print("="*60)
    print(f"üìä DELETION SUMMARY")
    print("="*60)
    print(f"   Gel√∂scht: {deleted_count}/{len(credentials_to_delete)}")
    if failed_count > 0:
        print(f"   Fehler:   {failed_count}")
    print("="*60)
else:
    print("\n‚ö†Ô∏è  Keine Credentials zum L√∂schen vorhanden")

# ========================================
# NACHHER: Zeige verbleibende Credentials
# ========================================
print("\n" + "="*60)
print("üéì HOLDER WALLET - CREDENTIALS NACHHER")
print("="*60)

holder_creds_after = api_get(HOLDER_ADMIN_URL, "/credentials")

if holder_creds_after and "results" in holder_creds_after and len(holder_creds_after["results"]) > 0:
    print(f"\n‚úÖ Holder hat noch {len(holder_creds_after['results'])} Credential(s)\n")

    for idx, cred in enumerate(holder_creds_after["results"], 1):
        referent = cred.get('referent', 'N/A')
        schema_id = cred.get('schema_id', 'N/A')
        cred_def_id = cred.get('cred_def_id', 'N/A')

        print(f"Credential #{idx}:")
        print(f"   Referent:    {referent}")
        print(f"   Schema ID:   {schema_id[:50]}...")
        print(f"   Cred Def ID: {cred_def_id[:50]}...")

        # Revoked Status pr√ºfen
        revoked_response = api_get(HOLDER_ADMIN_URL, f'/credential/revoked/{referent}')
        revoked_status = revoked_response.get('revoked', 'N/A') if revoked_response else 'N/A'
        print(f"   Revoked:     {revoked_status}")

        # Attribute anzeigen
        if "attrs" in cred:
            print(f"   Attribute:")
            for attr_name, attr_value in list(cred["attrs"].items()):
                print(f"      - {attr_name}: {attr_value}")
        print()
else:
    print("\n‚úÖ Holder Wallet ist jetzt LEER (alle Credentials gel√∂scht)")

print("="*60)

print("\nüí° Hinweis:")
print("   Das L√∂schen eines Credentials aus dem Holder Wallet bedeutet:")
print("   - ‚úÖ Credential ist LOKAL im Wallet gel√∂scht")
print("   - ‚ùå Credential ist NICHT auf dem Ledger revoked")
print("   - ‚ö†Ô∏è  Issuer kann das Credential weiterhin sehen (--preserve-exchange-records)")
print("   - ‚ö†Ô∏è  F√ºr echte Revocation: Siehe Cell 32-34 (Revocation Workflow)")

In [None]:
# Cell 23: Revocation Registry ROTATION (Optional)

print("="*60)
print("üîÑ Revocation Registry ROTATION")
print("="*60 + "\n")

print("üí° Registry Rotation ist n√∂tig wenn:")
print("   ‚Ä¢ Registry voll ist (100 Credentials mit TAILS_FILE_COUNT=100)")
print("   ‚Ä¢ Neue Registry f√ºr weitere Credentials ben√∂tigt wird\n")

if 'cred_def_id' in locals() and cred_def_id:
    print(f"Rotiere Registry f√ºr Cred Def: {cred_def_id[:50]}...\n")
    
    start_time = time.time()
    
    rotate_response = api_post(
        ISSUER_ADMIN_URL,
        f"/revocation/active-registry/{cred_def_id}/rotate",
        {}
    )
    
    duration = time.time() - start_time
    
    if rotate_response and "rev_reg_ids" in rotate_response:
        decom = rotate_response["rev_reg_ids"]
        print(f"‚úÖ Registry erfolgreich rotiert!")
        print(f"   ‚Ä¢ Decommissioned Registries: {len(decom)}")
        for reg_id in decom:
            print(f"      - {reg_id[:50]}...")
        print(f"   ‚Ä¢ Zeit: {duration:.3f}s")
        print(f"\n   üí° Neue aktive Registry wurde erstellt")
        print(f"   üí° Weitere Credentials k√∂nnen jetzt ausgestellt werden")
    else:
        print(f"‚ö†Ô∏è  Rotation nicht m√∂glich")
        print(f"   ‚Ä¢ M√∂glicherweise ist die Registry noch nicht voll")
        print(f"   ‚Ä¢ Oder es gibt keine aktive Registry f√ºr diese Cred Def")
        if rotate_response:
            print(f"   Response: {rotate_response}")
else:
    print("‚ö†Ô∏è  Keine Credential Definition ID gefunden")
    print("   F√ºhre Cell 7 aus um Cred Def zu erstellen")

# ========================================
# Zeige Ledger-Transaktionen
# ========================================
print("\n" + "="*60)
print("üìã LEDGER-TRANSAKTIONEN")
print("="*60)

try:
    # Hole Domain Ledger Transaktionen
    ledger_response = requests.get(f"{VON_NETWORK_URL}/ledger/domain")

    if ledger_response.status_code == 200:
        ledger_data = ledger_response.json()
        ledger_txns = ledger_data.get('results', [])

        # Filtere nach seqNo 15-18
        target_seqnos = [15,16,17,18]
        found_txns = []

        for txn in ledger_txns:
            txn_metadata = txn.get('txnMetadata', {})
            seqno = txn_metadata.get('seqNo')

            if seqno in target_seqnos:
               found_txns.append(txn)

        # Sortiere nach seqNo aufsteigend
        found_txns.sort(key=lambda x: x.get('txnMetadata', {}).get('seqNo', 0))

        if found_txns:
            print(f"\n‚úÖ {len(found_txns)} Transaktionen gefunden:\n")

            for txn in found_txns:
                txn_metadata = txn.get('txnMetadata', {})
                txn_data = txn.get('txn', {})
                seqno = txn_metadata.get('seqNo')
                txn_type = txn_data.get('type')
                txn_time = txn_metadata.get('txnTime', 'N/A')

                # Typ-Mapping
                type_names = {
                    '0' : 'NODE (Validator Node Registration)',
                    '1' : 'NYM (DID Registration)',
                    '4' : 'TXN_AUTHOR_AGREEMENT',
                    '5' : 'TXN_AUTHOR_AGREEMENT_AML',
                    '100': 'ATTRIB',
                    '101': 'SCHEMA',
                    '102': 'CRED_DEF',
                    '112': 'CHANGE_KEY',
                    '113': 'REVOC_REG_DEF',
                    '114': 'REVOC_REG_ENTRY',
                    '120': 'AUTH_RULE'
                }
                type_name = type_names.get(str(txn_type), f'Type {txn_type}')

                print(f"============================================================")
                print(f"Seq No: {seqno} | Time: {txn_time}")
                print(f"Transaction Type: {type_name}")
                print(f"============================================================\n")

                # Zeige vollst√§ndige Transaction
                pretty_print(txn, f"Ledger Transaction (seqNo {seqno})")
                print()

        else:
            print(f"\n‚ö†Ô∏è  NYM-Transaktion f√ºr DID {did_short} nicht gefunden")
            print(f"   (M√∂glicherweise noch nicht im Cache)")
    else:
        print(f"\n‚ö†Ô∏è  Konnte Ledger nicht abrufen: {ledger_response.status_code}")

except Exception as e:
    print(f"\n‚ö†Ô∏è  Fehler beim Abrufen der Ledger-Transaktion: {e}")

print("="*60)