bsv-sdk 0.20.0 → 0.22.0

data/lib/bsv/transaction/fee_models/live_policy.rb

@@ -16,7 +16,7 @@ module BSV
       #
       # @example
       #   model = BSV::Transaction::FeeModels::LivePolicy.new(
-      #     arc_url: 'https://arcade.gorillapool.io',
+      #     arc_url: 'https://arc.taal.com',
       #     fallback_rate: 50
       #   )
       #   fee = model.compute_fee(transaction)
@@ -34,18 +34,20 @@ module BSV
 
         DEFAULT_FALLBACK_RATE = 100
 
-        # Returns a LivePolicy with sensible defaults (GorillaPool ARC,
-        # 100 sat/kB fallback, 5-minute cache).
+        # TAAL still runs a public ARC instance that serves /v1/policy.
+        # Full policy access may require a TAAL API key.
+        TAAL_ARC_URL = 'https://arc.taal.com'
+
+        # Returns a LivePolicy using TAAL ARC for fee policy, 100 sat/kB fallback,
+        # and a 5-minute cache.
         #
-        # @param api_key [String, nil] optional ARC API key
+        # @param api_key [String, nil] optional TAAL API key for authenticated policy access
         # @return [LivePolicy]
         def self.default(api_key: nil)
-          provider = BSV::Network::Providers::GorillaPool.mainnet
-          arc_protocol = provider.protocol_for(:broadcast)
-          new(arc_url: arc_protocol.base_url, fallback_rate: DEFAULT_FALLBACK_RATE, api_key: api_key)
+          new(arc_url: TAAL_ARC_URL, fallback_rate: DEFAULT_FALLBACK_RATE, api_key: api_key)
         end
 
-        # @param arc_url [String] ARC base URL (e.g. 'https://arcade.gorillapool.io')
+        # @param arc_url [String] ARC base URL (e.g. 'https://arc.taal.com')
         # @param fallback_rate [Integer] sat/kB to use when fetch fails (default: 100)
         # @param cache_ttl [Integer] seconds to cache a fetched rate (default: 300)
         # @param api_key [String, nil] optional Bearer token for ARC authentication

data/lib/bsv/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module BSV
-  VERSION = '0.20.0'
+  VERSION = '0.22.0'
 end

data/lib/bsv/wallet/errors.rb

@@ -3,44 +3,88 @@
 module BSV
   module Wallet
     # Base error for all wallet operations. Carries a machine-readable code
-    # per the BRC-100 error structure.
+    # per the BRC-100 error structure and a wire-protocol stack string.
     class Error < StandardError
-      attr_reader :code
+      attr_reader :code, :wallet_stack
 
-      def initialize(message, code = 1)
+      def initialize(message = nil, code: 1, stack: '')
         @code = code
-        super(message)
+        @wallet_stack = stack
+        super(message || '')
       end
-    end
 
-    # Raised when a required parameter is missing or invalid.
-    class InvalidParameterError < Error
-      attr_reader :parameter
+      # Serialise to a hash suitable for embedding in a wire result frame.
+      # Never leaks Ruby's internal backtrace — only the wallet_stack string.
+      def to_wire
+        { code: code, message: message.to_s, stack: wallet_stack.to_s }
+      end
+    end
 
-      def initialize(parameter, must_be = 'valid')
-        @parameter = parameter
-        super("the #{parameter} parameter must be #{must_be}", 6)
+    # Code 2 — operation not supported by this wallet implementation.
+    class UnsupportedActionError < Error
+      def initialize(message = 'this method is not supported by this wallet implementation', stack: '')
+        super(message, code: 2, stack: stack)
       end
     end
 
-    # Raised when an HMAC fails to verify.
+    # Code 3 — HMAC verification failed.
     class InvalidHmacError < Error
-      def initialize(message = 'the provided HMAC is invalid')
-        super(message, 3)
+      def initialize(message = 'the provided HMAC is invalid', stack: '')
+        super(message, code: 3, stack: stack)
       end
     end
 
-    # Raised when a signature fails to verify.
+    # Code 4 — signature verification failed.
     class InvalidSignatureError < Error
-      def initialize(message = 'the provided signature is invalid')
-        super(message, 4)
+      def initialize(message = 'the provided signature is invalid', stack: '')
+        super(message, code: 4, stack: stack)
       end
     end
 
-    # Raised when an operation is not supported by this wallet implementation.
-    class UnsupportedActionError < Error
-      def initialize(method_name = 'this method')
-        super("#{method_name} is not supported by this wallet implementation", 2)
+    # Code 5 — wallet has insufficient funds for the requested operation.
+    class InsufficientFundsError < Error
+      def initialize(message = 'insufficient funds', stack: '')
+        super(message, code: 5, stack: stack)
+      end
+    end
+
+    # Code 6 — a required parameter is missing or invalid.
+    #
+    # Two calling conventions:
+    #   InvalidParameterError.new('pubkey', 'a hex string')  # raises "the pubkey parameter must be ..."
+    #   InvalidParameterError.new('raw message')              # wire-rehydration path
+    class InvalidParameterError < Error
+      attr_reader :parameter
+
+      def initialize(parameter, must_be = nil, stack: '')
+        @parameter = must_be ? parameter : nil
+        message = must_be ? "the #{parameter} parameter must be #{must_be}" : parameter
+        super(message, code: 6, stack: stack)
+      end
+    end
+
+    # Code 7 — actions require review before they can be processed.
+    class ReviewActionsError < Error
+      def initialize(message = 'actions require review', stack: '')
+        super(message, code: 7, stack: stack)
+      end
+    end
+
+    # Rehydrate a wire error frame into the appropriate subclass.
+    #
+    # @param code [Integer] error code byte from the result frame
+    # @param message [String] error message from the frame
+    # @param stack [String] stack trace from the frame (may be empty)
+    # @return [Error] an instance of the matching subclass
+    def self.error_from_wire(code, message, stack = '')
+      case code
+      when 2 then UnsupportedActionError.new(message, stack: stack)
+      when 3 then InvalidHmacError.new(message, stack: stack)
+      when 4 then InvalidSignatureError.new(message, stack: stack)
+      when 5 then InsufficientFundsError.new(message, stack: stack)
+      when 6 then InvalidParameterError.new(message, nil, stack: stack)
+      when 7 then ReviewActionsError.new(message, stack: stack)
+      else        Error.new(message, code: code, stack: stack)
       end
     end
   end

data/lib/bsv/wallet/proto_wallet/validators.rb

@@ -5,68 +5,26 @@ module BSV
     class ProtoWallet
       # Validation helpers for BRC-100 wallet method parameters.
       #
-      # Provides the subset of validators required by KeyDeriver and ProtoWallet.
-      # Raises +InvalidParameterError+ for any invalid input.
+      # Delegates to Wire::Validation — the single source of truth for all
+      # BRC-100 parameter validation. This module is retained for backwards
+      # compatibility with ProtoWallet's internal call sites.
       module Validators
         module_function
 
-        # Validates a BRC-43 protocol ID.
-        #
-        # Must be an Array of [Integer(0-2), String(5-400 chars)]. The name is
-        # normalized (stripped and downcased) before length/content checks.
-        #
-        # @param protocol_id [Object] the value to validate
-        # @raise [InvalidParameterError]
         def validate_protocol_id!(protocol_id)
-          unless protocol_id.is_a?(Array) && protocol_id.length == 2
-            raise InvalidParameterError.new('protocol_id', 'an Array of [security_level, protocol_name]')
-          end
-
-          level, name = protocol_id
-          raise InvalidParameterError.new('protocol_id security level', '0, 1, or 2') unless [0, 1, 2].include?(level)
-          raise InvalidParameterError.new('protocol_id name', 'a String') unless name.is_a?(String)
-
-          name = name.strip.downcase
-          max_length = name.start_with?('specific linkage revelation') ? 430 : 400
-          raise InvalidParameterError.new('protocol_id name', "between 5 and #{max_length} characters") if name.length < 5 || name.length > max_length
-
-          raise InvalidParameterError.new('protocol_id name', 'lowercase letters, numbers, and spaces only') unless name.match?(/\A[a-z0-9 ]+\z/)
-
-          raise InvalidParameterError.new('protocol_id name', 'free of consecutive spaces') if name.include?('  ')
+          Wire::Validation.wallet_protocol!('protocol_id', protocol_id)
         end
 
-        # Validates a BRC-43 key ID.
-        #
-        # Must be a non-empty String of at most 800 bytes.
-        #
-        # @param key_id [Object] the value to validate
-        # @raise [InvalidParameterError]
         def validate_key_id!(key_id)
-          raise InvalidParameterError.new('key_id', 'a String') unless key_id.is_a?(String)
-
-          byte_length = key_id.bytesize
-          raise InvalidParameterError.new('key_id', 'between 1 and 800 bytes') if byte_length < 1 || byte_length > 800
+          Wire::Validation.key_id_string_1_to_800!('key_id', key_id)
         end
 
-        # Validates a counterparty: 'self', 'anyone', or a 66-char hex pubkey.
-        #
-        # @param counterparty [Object] the value to validate
-        # @raise [InvalidParameterError]
         def validate_counterparty!(counterparty)
-          return if %w[self anyone].include?(counterparty)
-
-          validate_pub_key_hex!(counterparty, 'counterparty')
+          Wire::Validation.wallet_counterparty!('counterparty', counterparty)
         end
 
-        # Validates a compressed public key in hex form (66 chars, 02/03/04 prefix).
-        #
-        # @param value [Object] the value to validate
-        # @param name [String] parameter name for error messages
-        # @raise [InvalidParameterError]
         def validate_pub_key_hex!(value, name = 'public_key')
-          raise InvalidParameterError.new(name, 'a String') unless value.is_a?(String)
-
-          raise InvalidParameterError.new(name, 'a 66-character hex string (compressed public key)') unless value.match?(/\A[0-9a-f]{66}\z/)
+          Wire::Validation.pub_key_hex!(name, value)
         end
       end
     end

data/lib/bsv/wallet/proto_wallet.rb

@@ -226,6 +226,8 @@ module BSV
       def reveal_counterparty_key_linkage(counterparty:, verifier:,
                                           privileged: false, privileged_reason: nil,
                                           originator: nil)
+        counterparty = normalise_pubkey_hex(counterparty)
+        verifier     = normalise_pubkey_hex(verifier)
         raise InvalidParameterError.new('counterparty', 'a specific public key hex, not "anyone"') if counterparty == 'anyone'
 
         Validators.validate_pub_key_hex!(verifier, 'verifier')
@@ -281,6 +283,8 @@ module BSV
       def reveal_specific_key_linkage(counterparty:, verifier:, protocol_id:, key_id:,
                                       privileged: false, privileged_reason: nil,
                                       originator: nil)
+        counterparty = normalise_pubkey_hex(counterparty)
+        verifier     = normalise_pubkey_hex(verifier)
         raise InvalidParameterError.new('counterparty', 'a specific public key hex, not "anyone"') if counterparty == 'anyone'
 
         Validators.validate_pub_key_hex!(verifier, 'verifier')
@@ -340,7 +344,16 @@ module BSV
       end
 
       def bytes_to_string(bytes)
-        bytes.pack('C*')
+        bytes.is_a?(String) ? bytes.b : bytes.pack('C*')
+      end
+
+      # Normalise a public key argument to a 66-character compressed hex string.
+      # Accepts either a 33-byte binary string or a 66-character hex string.
+      def normalise_pubkey_hex(value)
+        return value if value.is_a?(String) && value.length == 66
+        return value.unpack1('H*') if value.is_a?(String) && value.bytesize == 33
+
+        value
       end
 
       def string_to_bytes(str)

data/lib/bsv/wallet/serializer/abort_action.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module BSV
+  module Wallet
+    module Serializer
+      # BRC-103 wire codec for the +abort_action+ call (call byte 3).
+      #
+      # Args wire layout:
+      #   [remaining bytes: reference (raw binary)]
+      #
+      # Result wire layout:
+      #   [empty — success is implicit from the frame error byte]
+      module AbortAction
+        module_function
+
+        def serialize_args(args)
+          ref = args[:reference]
+          return ''.b if ref.nil? || ref.empty?
+
+          ref.b
+        end
+
+        def deserialize_args(bytes)
+          ref = bytes.b
+          { reference: ref.empty? ? nil : ref }
+        end
+
+        def serialize_result(_result)
+          ''.b
+        end
+
+        def deserialize_result(_bytes)
+          { aborted: true }
+        end
+      end
+    end
+  end
+end

data/lib/bsv/wallet/serializer/acquire_certificate.rb

@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module BSV
+  module Wallet
+    module Serializer
+      # BRC-103 wire codec for the +acquire_certificate+ call (call byte 17).
+      #
+      # Args wire layout:
+      #   [32 bytes: type]
+      #   [33 bytes: certifier pubkey]
+      #   [varint: field_count] per field: [varint-str key][varint-str value]
+      #   [privileged params]
+      #   [1 byte: acquisition_protocol]  1=direct, 2=issuance
+      #   If direct:
+      #     [32 bytes: serial_number]
+      #     [36 bytes: revocation_outpoint]
+      #     [varint: sig_len][sig bytes]
+      #     [keyring_revealer: 0x0B or 33-byte pubkey]
+      #     [varint: keyring_count] per entry: [varint-str key][varint-int base64_value]
+      #   If issuance:
+      #     [varint-str: certifier_url]
+      #
+      # Result wire layout:
+      #   [inline Certificate bytes (type+serial+subject+certifier+outpoint+fields+sig)]
+      module AcquireCertificate
+        ACQUISITION_DIRECT   = 1
+        ACQUISITION_ISSUANCE = 2
+        KEYRING_REVEALER_CERTIFIER = 11 # 0x0B — matches Go keyRingRevealerCertifier
+
+        CERT_TYPE_SIZE = 32
+        SERIAL_SIZE    = 32
+        PUBKEY_SIZE    = 33
+
+        module_function
+
+        def serialize_args(args)
+          w = Wire::Writer.new
+
+          type_bytes = Base64.strict_decode64(args[:type].to_s)
+          w.write_bytes(type_bytes.ljust(CERT_TYPE_SIZE, "\x00").byteslice(0, CERT_TYPE_SIZE))
+          w.write_bytes([args[:certifier].to_s].pack('H*'))
+
+          fields = args[:fields] || {}
+          w.write_varint(fields.length)
+          fields.keys.sort.each do |k|
+            w.write_str_with_varint_len(k)
+            w.write_str_with_varint_len(fields[k].to_s)
+          end
+
+          Common.write_privileged_params(w, args[:privileged], args[:privileged_reason])
+
+          case args[:acquisition_protocol]
+          when :direct
+            w.write_byte(ACQUISITION_DIRECT)
+            serial_bytes = Base64.strict_decode64(args[:serial_number].to_s)
+            w.write_bytes(serial_bytes.ljust(SERIAL_SIZE, "\x00").byteslice(0, SERIAL_SIZE))
+
+            outpoint_str = args[:revocation_outpoint].to_s
+            txid_hex, vout = outpoint_str.split('.', 2)
+            w.write_outpoint(txid_hex.to_s, vout.to_i)
+
+            sig = args[:signature]
+            if sig && !sig.to_s.empty?
+              sig_bytes = [sig.to_s].pack('H*')
+              w.write_int_bytes(sig_bytes)
+            else
+              w.write_varint(0)
+            end
+
+            revealer = args[:keyring_revealer]
+            if revealer == :certifier || (revealer.is_a?(Hash) && revealer[:certifier])
+              w.write_byte(KEYRING_REVEALER_CERTIFIER)
+            else
+              pubkey_hex = revealer.is_a?(Hash) ? revealer[:pub_key].to_s : revealer.to_s
+              w.write_bytes([pubkey_hex].pack('H*'))
+            end
+
+            keyring = args[:keyring_for_subject] || {}
+            w.write_varint(keyring.length)
+            keyring.keys.sort.each do |k|
+              w.write_str_with_varint_len(k)
+              w.write_int_from_base64(keyring[k].to_s)
+            end
+          when :issuance
+            w.write_byte(ACQUISITION_ISSUANCE)
+            w.write_str_with_varint_len(args[:certifier_url].to_s)
+          else
+            raise ArgumentError, "invalid acquisition_protocol: #{args[:acquisition_protocol].inspect}"
+          end
+
+          w.buf
+        end
+
+        def deserialize_args(bytes)
+          r = Wire::Reader.new(bytes)
+
+          type_raw  = r.read_bytes(CERT_TYPE_SIZE)
+          certifier = r.read_bytes(PUBKEY_SIZE).unpack1('H*')
+
+          field_count = r.read_varint
+          fields = {}
+          field_count.times do
+            k = r.read_str_with_varint_len
+            v = r.read_str_with_varint_len
+            fields[k] = v
+          end
+
+          privileged, privileged_reason = Common.read_privileged_params(r)
+
+          protocol_byte = r.read_byte
+          acquisition_protocol = case protocol_byte
+                                 when ACQUISITION_DIRECT   then :direct
+                                 when ACQUISITION_ISSUANCE then :issuance
+                                 else raise ArgumentError, "invalid acquisition protocol byte: #{protocol_byte}"
+                                 end
+
+          result = {
+            type: Base64.strict_encode64(type_raw),
+            certifier: certifier,
+            fields: fields,
+            privileged: privileged,
+            privileged_reason: privileged_reason,
+            acquisition_protocol: acquisition_protocol
+          }
+
+          if acquisition_protocol == :direct
+            serial_raw = r.read_bytes(SERIAL_SIZE)
+            result[:serial_number] = Base64.strict_encode64(serial_raw)
+
+            outpoint_data = r.read_outpoint
+            result[:revocation_outpoint] = "#{outpoint_data[:txid_hex]}.#{outpoint_data[:vout]}"
+
+            sig_len = r.read_varint
+            result[:signature] = sig_len.positive? ? r.read_bytes(sig_len).unpack1('H*') : nil
+
+            revealer_byte = r.read_byte
+            if revealer_byte == KEYRING_REVEALER_CERTIFIER
+              result[:keyring_revealer] = { certifier: true }
+            else
+              rest = r.read_bytes(PUBKEY_SIZE - 1)
+              result[:keyring_revealer] = { pub_key: ([revealer_byte].pack('C') + rest).unpack1('H*') }
+            end
+
+            keyring_count = r.read_varint
+            keyring = {}
+            keyring_count.times do
+              k = r.read_str_with_varint_len
+              keyring[k] = r.read_base64_int
+            end
+            result[:keyring_for_subject] = keyring
+          else
+            result[:certifier_url] = r.read_str_with_varint_len
+          end
+
+          result
+        end
+
+        def serialize_result(result)
+          Certificate.serialize_certificate(result[:certificate] || result, include_signature: true)
+        end
+
+        def deserialize_result(bytes)
+          cert = Certificate.deserialize_certificate(bytes)
+          { certificate: cert }
+        end
+      end
+    end
+  end
+end

data/lib/bsv/wallet/serializer/certificate.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module BSV
+  module Wallet
+    module Serializer
+      # Shared BRC-103 wire codec for Certificate and IdentityCertificate.
+      #
+      # Certificate wire layout (matches go-sdk serializeCertificate):
+      #   [32 bytes: type (raw bytes decoded from Base64)]
+      #   [32 bytes: serial_number (raw bytes decoded from Base64)]
+      #   [33 bytes: subject compressed pubkey]
+      #   [33 bytes: certifier compressed pubkey]
+      #   [32 bytes + varint: revocation_outpoint (display-order txid + varint vout)]
+      #   [varint: field_count]
+      #   per field: [varint-len name][varint-len value]
+      #   [remaining: DER signature bytes (absent if no signature)]
+      #
+      # IdentityCertificate additionally appends:
+      #   [varint-int: serialised Certificate bytes (int-prefixed)]
+      #   [varint-str: certifier_info.name]
+      #   [varint-str: certifier_info.icon_url]
+      #   [varint-str: certifier_info.description]
+      #   [1 byte: certifier_info.trust]
+      #   [varint: keyring_count] per entry: [varint-str key][varint-int raw_bytes]
+      #   [varint: decrypted_fields_count] per entry: [varint-str key][varint-str value]
+      module Certificate
+        CERT_TYPE_SIZE   = 32
+        SERIAL_SIZE      = 32
+        PUBKEY_SIZE      = 33
+
+        # NULL outpoint used when revocation_outpoint is nil.
+        NULL_TXID_HEX = '00' * 32
+
+        module_function
+
+        # Serialise a certificate Hash to binary.
+        #
+        # @param cert [Hash] with keys: :type (Base64), :serial_number (Base64),
+        #   :subject (hex pubkey), :certifier (hex pubkey),
+        #   :revocation_outpoint (String "txid.vout" or nil),
+        #   :fields (Hash<String,String>), :signature (hex bytes or nil)
+        # @param include_signature [Boolean] whether to append signature bytes
+        # @return [String] binary
+        def serialize_certificate(cert, include_signature: true)
+          w = Wire::Writer.new
+
+          type_bytes   = Base64.strict_decode64(cert[:type].to_s)
+          serial_bytes = Base64.strict_decode64(cert[:serial_number].to_s)
+
+          w.write_bytes(type_bytes.ljust(CERT_TYPE_SIZE, "\x00").byteslice(0, CERT_TYPE_SIZE))
+          w.write_bytes(serial_bytes.ljust(SERIAL_SIZE, "\x00").byteslice(0, SERIAL_SIZE))
+          w.write_bytes([cert[:subject].to_s].pack('H*'))
+          w.write_bytes([cert[:certifier].to_s].pack('H*'))
+
+          outpoint_str = cert[:revocation_outpoint].to_s
+          if outpoint_str.empty? || outpoint_str == '.'
+            w.write_outpoint(NULL_TXID_HEX, 0)
+          else
+            txid_hex, vout = outpoint_str.split('.', 2)
+            w.write_outpoint(txid_hex.to_s, vout.to_i)
+          end
+
+          fields = cert[:fields] || {}
+          w.write_varint(fields.length)
+          fields.keys.sort.each do |name|
+            w.write_str_with_varint_len(name)
+            w.write_str_with_varint_len(fields[name].to_s)
+          end
+
+          w.write_bytes([cert[:signature].to_s].pack('H*')) if include_signature && cert[:signature] && !cert[:signature].empty?
+
+          w.buf
+        end
+
+        # Deserialise a certificate from binary.
+        #
+        # @param bytes [String] binary
+        # @return [Hash]
+        def deserialize_certificate(bytes)
+          r = Wire::Reader.new(bytes)
+          type_raw   = r.read_bytes(CERT_TYPE_SIZE)
+          serial_raw = r.read_bytes(SERIAL_SIZE)
+          subject    = r.read_bytes(PUBKEY_SIZE).unpack1('H*')
+          certifier  = r.read_bytes(PUBKEY_SIZE).unpack1('H*')
+
+          outpoint_data       = r.read_outpoint
+          revocation_outpoint = "#{outpoint_data[:txid_hex]}.#{outpoint_data[:vout]}"
+
+          field_count = r.read_varint
+          fields = {}
+          field_count.times do
+            name  = r.read_str_with_varint_len
+            value = r.read_str_with_varint_len
+            fields[name] = value
+          end
+
+          sig_bytes = r.read_remaining
+          signature = sig_bytes.empty? ? nil : sig_bytes.unpack1('H*')
+
+          {
+            type: Base64.strict_encode64(type_raw),
+            serial_number: Base64.strict_encode64(serial_raw),
+            subject: subject,
+            certifier: certifier,
+            revocation_outpoint: revocation_outpoint,
+            fields: fields,
+            signature: signature
+          }
+        end
+
+        # Serialise an IdentityCertificate (used by discover_* result).
+        #
+        # @param cert [Hash] all Certificate fields plus:
+        #   :certifier_info ({ name:, icon_url:, description:, trust: })
+        #   :publicly_revealed_keyring (Hash<String,Base64>)
+        #   :decrypted_fields (Hash<String,String>)
+        def serialize_identity_certificate(cert)
+          w = Wire::Writer.new
+
+          cert_bytes = serialize_certificate(cert, include_signature: true)
+          w.write_int_bytes(cert_bytes)
+
+          info = cert[:certifier_info] || {}
+          w.write_str_with_varint_len(info[:name].to_s)
+          w.write_str_with_varint_len(info[:icon_url].to_s)
+          w.write_str_with_varint_len(info[:description].to_s)
+          w.write_byte((info[:trust] || 0).to_i & 0xFF)
+
+          keyring = cert[:publicly_revealed_keyring] || {}
+          w.write_varint(keyring.length)
+          keyring.keys.sort.each do |k|
+            w.write_str_with_varint_len(k)
+            w.write_int_from_base64(keyring[k].to_s)
+          end
+
+          dec_fields = cert[:decrypted_fields] || {}
+          w.write_varint(dec_fields.length)
+          dec_fields.keys.sort.each do |k|
+            w.write_str_with_varint_len(k)
+            w.write_str_with_varint_len(dec_fields[k].to_s)
+          end
+
+          w.buf
+        end
+
+        # Deserialise an IdentityCertificate from a Reader (reads inline, not length-prefixed).
+        #
+        # @param reader [Wire::Reader]
+        # @return [Hash]
+        def deserialize_identity_certificate(reader)
+          cert_bytes = reader.read_int_bytes
+          cert = deserialize_certificate(cert_bytes)
+
+          cert[:certifier_info] = {
+            name: reader.read_str_with_varint_len,
+            icon_url: reader.read_str_with_varint_len,
+            description: reader.read_str_with_varint_len,
+            trust: reader.read_byte
+          }
+
+          keyring_len = reader.read_varint
+          keyring = {}
+          keyring_len.times do
+            k = reader.read_str_with_varint_len
+            keyring[k] = reader.read_base64_int
+          end
+          cert[:publicly_revealed_keyring] = keyring
+
+          dec_len = reader.read_varint
+          dec_fields = {}
+          dec_len.times do
+            k = reader.read_str_with_varint_len
+            dec_fields[k] = reader.read_str_with_varint_len
+          end
+          cert[:decrypted_fields] = dec_fields
+
+          cert
+        end
+      end
+    end
+  end
+end