@bsv/sdk 1.2.20 → 1.2.22

package/src/auth/__tests/SessionManager.test.ts

@@ -0,0 +1,87 @@
+import { SessionManager } from '../SessionManager'
+import { PeerSession } from '../types'
+
+describe('SessionManager', () => {
+  let sessionManager: SessionManager
+  let validSession: PeerSession
+
+  beforeEach(() => {
+    sessionManager = new SessionManager()
+    validSession = {
+      isAuthenticated: false,
+      sessionNonce: 'testSessionNonce',
+      peerIdentityKey: 'testPeerIdentityKey',
+    }
+  })
+
+  describe('addSession', () => {
+    it('should add a session when sessionNonce and peerIdentityKey are present', () => {
+      sessionManager.addSession(validSession)
+
+      expect(sessionManager.getSession(validSession.sessionNonce!)).toBe(validSession)
+      expect(sessionManager.getSession(validSession.peerIdentityKey!)).toBe(validSession)
+    })
+
+    it('should throw an error if sessionNonce and peerIdentityKey are missing', () => {
+      const invalidSession = { ...validSession, sessionNonce: undefined, peerIdentityKey: undefined }
+
+      expect(() => sessionManager.addSession(invalidSession)).toThrow('Invalid session: at least one of sessionNonce or peerIdentityKey is required.')
+    })
+
+    it('should not throw an error if just peerIdentityKey is missing', () => {
+      const invalidSession = { ...validSession, peerIdentityKey: undefined }
+
+      expect(() => sessionManager.addSession(invalidSession)).not.toThrow('Invalid session: peerIdentityKey is required.')
+    })
+  })
+
+  describe('getSession', () => {
+    it('should retrieve a session by sessionNonce', () => {
+      sessionManager.addSession(validSession)
+
+      const retrievedSession = sessionManager.getSession(validSession.sessionNonce!)
+      expect(retrievedSession).toBe(validSession)
+    })
+
+    it('should retrieve a session by peerIdentityKey', () => {
+      sessionManager.addSession(validSession)
+
+      const retrievedSession = sessionManager.getSession(validSession.peerIdentityKey!)
+      expect(retrievedSession).toBe(validSession)
+    })
+
+    it('should return undefined for a non-existent identifier', () => {
+      const retrievedSession = sessionManager.getSession('nonExistentIdentifier')
+      expect(retrievedSession).toBeUndefined()
+    })
+  })
+
+  describe('removeSession', () => {
+    it('should remove a session by both sessionNonce and peerIdentityKey', () => {
+      sessionManager.addSession(validSession)
+
+      sessionManager.removeSession(validSession)
+      expect(sessionManager.getSession(validSession.sessionNonce!)).toBeUndefined()
+      expect(sessionManager.getSession(validSession.peerIdentityKey!)).toBeUndefined()
+    })
+
+    it('should not throw an error when removing a session with undefined identifiers', () => {
+      const sessionWithUndefinedIdentifiers = { ...validSession, sessionNonce: undefined, peerIdentityKey: undefined }
+
+      expect(() => sessionManager.removeSession(sessionWithUndefinedIdentifiers)).not.toThrow()
+    })
+  })
+
+  describe('hasSession', () => {
+    it('should return true if a session exists for the identifier', () => {
+      sessionManager.addSession(validSession)
+
+      expect(sessionManager.hasSession(validSession.sessionNonce!)).toBe(true)
+      expect(sessionManager.hasSession(validSession.peerIdentityKey!)).toBe(true)
+    })
+
+    it('should return false if no session exists for the identifier', () => {
+      expect(sessionManager.hasSession('nonExistentIdentifier')).toBe(false)
+    })
+  })
+})

package/src/auth/{Certificate.ts → certificates/Certificate.ts}

@@ -1,6 +1,13 @@
-import { Utils } from '../primitives/index.js'
-import { Wallet, Base64String, PubKeyHex, HexString, OutpointString, CertificateFieldNameUnder50Bytes } from '../wallet/Wallet.interfaces.js'
-import ProtoWallet from '../wallet/ProtoWallet.js'
+import {
+  Utils,
+  Wallet,
+  Base64String,
+  PubKeyHex,
+  HexString,
+  OutpointString,
+  CertificateFieldNameUnder50Bytes,
+  ProtoWallet
+} from '../../../mod.js'
 
 /**
  * Represents an Identity Certificate as per the Wallet interface specifications.
@@ -54,7 +61,7 @@ export default class Certificate {
    * @param {Record<CertificateFieldNameUnder50Bytes, string>} fields - All the fields present in the certificate.
    * @param {HexString} signature - Certificate signature by the certifier's private key, DER encoded hex string.
    */
-  constructor (
+  constructor(
     type: Base64String,
     serialNumber: Base64String,
     subject: PubKeyHex,
@@ -78,7 +85,7 @@ export default class Certificate {
    * @param {boolean} [includeSignature=true] - Whether to include the signature in the serialization.
    * @returns {number[]} - The serialized certificate in binary format.
    */
-  toBin (includeSignature: boolean = true): number[] {
+  toBin(includeSignature: boolean = true): number[] {
     const writer = new Utils.Writer()
 
     // Write type (Base64String, 32 bytes)
@@ -134,7 +141,7 @@ export default class Certificate {
    * @param {number[]} bin - The binary data representing the certificate.
    * @returns {Certificate} - The deserialized Certificate object.
    */
-  static fromBin (bin: number[]): Certificate {
+  static fromBin(bin: number[]): Certificate {
     const reader = new Utils.Reader(bin)
 
     // Read type
@@ -200,7 +207,7 @@ export default class Certificate {
    *
    * @returns {Promise<boolean>} - A promise that resolves to true if the signature is valid.
    */
-  async verify (): Promise<boolean> {
+  async verify(): Promise<boolean> {
     // A verifier can be any wallet capable of verifying signatures
     const verifier = new ProtoWallet('anyone')
     const verificationData = this.toBin(false) // Exclude the signature from the verification data
@@ -221,7 +228,7 @@ export default class Certificate {
    * @param {Wallet} certifier - The wallet representing the certifier.
    * @returns {Promise<void>}
    */
-  async sign (certifier: Wallet): Promise<void> {
+  async sign(certifier: Wallet): Promise<void> {
     const preimage = this.toBin(false) // Exclude the signature when signing
     const { signature } = await certifier.createSignature({
       data: preimage,

package/src/auth/certificates/MasterCertificate.ts

@@ -0,0 +1,106 @@
+import {
+  SymmetricKey,
+  Utils,
+  Base64String,
+  CertificateFieldNameUnder50Bytes,
+  HexString,
+  OutpointString,
+  PubKeyHex,
+  Wallet
+} from '../../../mod.js'
+import Certificate from './Certificate.js'
+
+/**
+ * MasterCertificate extends the base Certificate class to manage a master keyring, enabling the creation of verifiable certificates.
+ *
+ * It allows for the selective disclosure of certificate fields by creating a `VerifiableCertificate` for a specific verifier.
+ * The `MasterCertificate` can securely decrypt each master key and re-encrypt it for a verifier, creating a customized
+ * keyring containing only the keys necessary for the verifier to access designated fields.
+ *
+ */
+export class MasterCertificate extends Certificate {
+  declare type: Base64String
+  declare serialNumber: Base64String
+  declare subject: PubKeyHex
+  declare certifier: PubKeyHex
+  declare revocationOutpoint: OutpointString
+  declare fields: Record<CertificateFieldNameUnder50Bytes, string>
+  declare signature?: HexString
+
+  masterKeyring: Record<CertificateFieldNameUnder50Bytes, string>
+
+  constructor(
+    type: Base64String,
+    serialNumber: Base64String,
+    subject: PubKeyHex,
+    certifier: PubKeyHex,
+    revocationOutpoint: OutpointString,
+    fields: Record<CertificateFieldNameUnder50Bytes, string>,
+    masterKeyring: Record<CertificateFieldNameUnder50Bytes, string>,
+    signature?: HexString
+  ) {
+    super(type, serialNumber, subject, certifier, revocationOutpoint, fields, signature)
+    this.masterKeyring = masterKeyring
+  }
+
+  /**
+   * Creates a verifiable certificate structure for a specific verifier, allowing them access to specified fields.
+   * This method decrypts the master field keys for each field specified in `fieldsToReveal` and re-encrypts them
+   * for the verifier's identity key. The resulting certificate structure includes only the fields intended to be
+   * revealed and a verifier-specific keyring for field decryption.
+   *
+   * @param {Wallet} subjectWallet - The wallet instance of the subject, used to decrypt and re-encrypt field keys.
+   * @param {string} verifierIdentityKey - The public identity key of the verifier who will receive access to the specified fields.
+   * @param {string[]} fieldsToReveal - An array of field names to be revealed to the verifier. Must be a subset of the certificate's fields.
+   * @param {string} [originator] - Optional originator identifier, used if additional context is needed for decryption and encryption operations.
+   * @returns {Promise<Object>} - A new certificate structure containing the original encrypted fields, the verifier-specific field decryption keyring, and essential certificate metadata.
+   * @throws {Error} Throws an error if:
+   *   - fieldsToReveal is empty or a field in `fieldsToReveal` does not exist in the certificate.
+   *   - The decrypted master field key fails to decrypt the corresponding field (indicating an invalid key).
+   */
+  async createKeyringForVerifier(subjectWallet: Wallet, verifierIdentityKey: string, fieldsToReveal: string[], originator?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
+    if (!Array.isArray(fieldsToReveal)) {
+      throw new Error('fieldsToReveal must be an array of strings')
+    }
+    const fieldRevelationKeyring = {}
+    for (const fieldName of fieldsToReveal) {
+      // Make sure that fields to reveal is a subset of the certificate fields
+      if (!this.fields[fieldName]) {
+        throw new Error(`Fields to reveal must be a subset of the certificate fields. Missing the "${fieldName}" field.`)
+      }
+
+      // Create a keyID
+      const keyID = `${this.serialNumber} ${fieldName}`
+      const encryptedMasterFieldKey = this.masterKeyring[fieldName]
+
+      // Decrypt the master field key
+      const { plaintext: masterFieldKey } = await subjectWallet.decrypt({
+        ciphertext: Utils.toArray(encryptedMasterFieldKey, 'base64'),
+        protocolID: [2, 'certificate field encryption'],
+        keyID,
+        counterparty: 'self'
+      }, originator)
+
+      // Verify that derived key actually decrypts requested field
+      try {
+        new SymmetricKey(masterFieldKey).decrypt(Utils.toArray(this.fields[fieldName], 'base64'))
+      } catch (_) {
+        throw new Error(`Decryption of the "${fieldName}" field with its revelation key failed.`)
+      }
+
+      // Encrypt derived fieldRevelationKey for verifier
+      const { ciphertext: encryptedFieldRevelationKey } = await subjectWallet.encrypt({
+        plaintext: masterFieldKey,
+        protocolID: [2, 'certificate field encryption'],
+        keyID: `${this.serialNumber} ${fieldName}`,
+        counterparty: verifierIdentityKey
+      }, originator)
+
+      // Add encryptedFieldRevelationKey to fieldRevelationKeyring
+      fieldRevelationKeyring[fieldName] = Utils.toBase64(encryptedFieldRevelationKey)
+    }
+
+    // Return the field revelation keyring which can be used to create a verifiable certificate for a verifier.
+    return fieldRevelationKeyring
+  }
+}

package/src/auth/certificates/VerifiableCertificate.ts

@@ -0,0 +1,73 @@
+import {
+  SymmetricKey,
+  Utils,
+  Base64String,
+  CertificateFieldNameUnder50Bytes,
+  HexString,
+  OutpointString,
+  PubKeyHex,
+  Wallet
+} from '../../../mod.js'
+import Certificate from './Certificate.js'
+
+/**
+ * VerifiableCertificate extends the Certificate class, adding functionality to manage a verifier-specific keyring.
+ * This keyring allows selective decryption of certificate fields for authorized verifiers.
+ */
+export class VerifiableCertificate extends Certificate {
+  declare type: Base64String
+  declare serialNumber: Base64String
+  declare subject: PubKeyHex
+  declare certifier: PubKeyHex
+  declare revocationOutpoint: OutpointString
+  declare fields: Record<CertificateFieldNameUnder50Bytes, string>
+  declare signature?: HexString
+
+  keyring: Record<CertificateFieldNameUnder50Bytes, string>
+  decryptedFields?: Record<CertificateFieldNameUnder50Bytes, Base64String>
+
+  constructor(
+    type: Base64String,
+    serialNumber: Base64String,
+    subject: PubKeyHex,
+    certifier: PubKeyHex,
+    revocationOutpoint: OutpointString,
+    fields: Record<CertificateFieldNameUnder50Bytes, string>,
+    signature?: HexString,
+    keyring?: Record<CertificateFieldNameUnder50Bytes, string>,
+    decryptedFields?: Record<CertificateFieldNameUnder50Bytes, Base64String>
+  ) {
+    super(type, serialNumber, subject, certifier, revocationOutpoint, fields, signature)
+    this.keyring = keyring
+    this.decryptedFields = decryptedFields
+  }
+
+  /**
+   * Decrypts certificate fields using the provided keyring and verifier wallet
+   * @param {Wallet} verifierWallet - The wallet instance of the certificate's verifier, used to decrypt field keys.
+   * @returns {Promise<Record<CertificateFieldNameUnder50Bytes, string>>} - A promise that resolves to an object where each key is a field name and each value is the decrypted field value as a string.
+   * @throws {Error} Throws an error if any of the decryption operations fail, with a message indicating the failure context.
+   */
+  async decryptFields(verifierWallet: Wallet): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
+    if (!this.keyring || Object.keys(this.keyring).length === 0) {
+      throw new Error('A keyring is required to decrypt certificate fields for the verifier.')
+    }
+    try {
+      const decryptedFields = {}
+      for (const fieldName in this.keyring) {
+        const { plaintext: fieldRevelationKey } = await verifierWallet.decrypt({
+          ciphertext: Utils.toArray(this.keyring[fieldName], 'base64'),
+          protocolID: [2, 'certificate field encryption'],
+          keyID: `${this.serialNumber} ${fieldName}`,
+          counterparty: this.subject
+        })
+
+        const fieldValue = new SymmetricKey(fieldRevelationKey).decrypt(Utils.toArray(this.fields[fieldName], 'base64'))
+        decryptedFields[fieldName] = Utils.toUTF8(fieldValue as number[])
+      }
+      return decryptedFields
+    } catch (error) {
+      throw new Error(`Failed to decrypt certificate fields using keyring: ${error instanceof Error ? error.message : error}`)
+    }
+  }
+}

package/src/auth/certificates/__tests/Certificate.test.ts

@@ -0,0 +1,282 @@
+import { Certificate } from '../../../../dist/cjs/src/auth/index.js'
+import { ProtoWallet } from '../../../../dist/cjs/src/wallet/index.js'
+import { Utils, PrivateKey } from '../../../../dist/cjs/src/primitives/index.js'
+
+describe('Certificate', () => {
+  // Sample data for testing
+  const sampleType = Utils.toBase64(new Array(32).fill(1))
+  const sampleSerialNumber = Utils.toBase64(new Array(32).fill(2))
+  const sampleSubjectPrivateKey = PrivateKey.fromRandom()
+  const sampleSubjectPubKey = sampleSubjectPrivateKey.toPublicKey().toString()
+  const sampleCertifierPrivateKey = PrivateKey.fromRandom()
+  const sampleCertifierPubKey = sampleCertifierPrivateKey.toPublicKey().toString()
+  const sampleRevocationOutpoint = 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef.1'
+  const sampleFields = {
+    name: 'Alice',
+    email: 'alice@example.com',
+    organization: 'Example Corp'
+  }
+  const sampleFieldsEmpty = {}
+
+  it('should construct a Certificate with valid data', () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      undefined // No signature
+    )
+
+    expect(certificate.type).toEqual(sampleType)
+    expect(certificate.serialNumber).toEqual(sampleSerialNumber)
+    expect(certificate.subject).toEqual(sampleSubjectPubKey)
+    expect(certificate.certifier).toEqual(sampleCertifierPubKey)
+    expect(certificate.revocationOutpoint).toEqual(sampleRevocationOutpoint)
+    expect(certificate.signature).toBeUndefined()
+    expect(certificate.fields).toEqual(sampleFields)
+  })
+
+  it('should serialize and deserialize the Certificate without signature', () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      undefined // No signature
+    )
+
+    const serialized = certificate.toBin(false) // Exclude signature
+    const deserializedCertificate = Certificate.fromBin(serialized)
+
+    expect(deserializedCertificate.type).toEqual(sampleType)
+    expect(deserializedCertificate.serialNumber).toEqual(sampleSerialNumber)
+    expect(deserializedCertificate.subject).toEqual(sampleSubjectPubKey)
+    expect(deserializedCertificate.certifier).toEqual(sampleCertifierPubKey)
+    expect(deserializedCertificate.revocationOutpoint).toEqual(sampleRevocationOutpoint)
+    expect(deserializedCertificate.signature).toBeUndefined()
+    expect(deserializedCertificate.fields).toEqual(sampleFields)
+  })
+
+  it('should serialize and deserialize the Certificate with signature', async () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      undefined // No signature
+    )
+
+    // Sign the certificate
+    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    await certificate.sign(certifierWallet)
+
+    const serialized = certificate.toBin(true) // Include signature
+    const deserializedCertificate = Certificate.fromBin(serialized)
+
+    expect(deserializedCertificate.type).toEqual(sampleType)
+    expect(deserializedCertificate.serialNumber).toEqual(sampleSerialNumber)
+    expect(deserializedCertificate.subject).toEqual(sampleSubjectPubKey)
+    expect(deserializedCertificate.certifier).toEqual(sampleCertifierPubKey)
+    expect(deserializedCertificate.revocationOutpoint).toEqual(sampleRevocationOutpoint)
+    expect(deserializedCertificate.signature).toEqual(certificate.signature)
+    expect(deserializedCertificate.fields).toEqual(sampleFields)
+  })
+
+  it('should sign the Certificate and verify the signature successfully', async () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      undefined // No signature
+    )
+
+    // Sign the certificate
+    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    await certificate.sign(certifierWallet)
+
+    // Verify the signature
+    const isValid = await certificate.verify()
+    expect(isValid).toBe(true)
+  })
+
+  it('should fail verification if the Certificate is tampered with', async () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      undefined // No signature
+    )
+
+    // Sign the certificate
+    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    await certificate.sign(certifierWallet)
+
+    // Tamper with the certificate (modify a field)
+    certificate.fields.email = 'attacker@example.com'
+
+    // Verify the signature
+    await expect(certificate.verify()).rejects.toThrow()
+  })
+
+  it('should fail verification if the signature is missing', async () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      undefined // No signature
+    )
+
+    // Verify the signature
+    await expect(certificate.verify()).rejects.toThrow()
+  })
+
+  it('should fail verification if the signature is incorrect', async () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      '3045022100cde229279465bb91992ccbc30bf6ed4eb8cdd9d517f31b30ff778d500d5400010220134f0e4065984f8668a642a5ad7a80886265f6aaa56d215d6400c216a4802177' // Incorrect signature
+    )
+
+    // Verify the signature
+    await expect(certificate.verify()).rejects.toThrowErrorMatchingInlineSnapshot(`"Signature is not valid"`)
+  })
+
+  it('should handle certificates with empty fields', async () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFieldsEmpty,
+      undefined // No signature
+    )
+
+    // Sign the certificate
+    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    await certificate.sign(certifierWallet)
+
+    // Serialize and deserialize
+    const serialized = certificate.toBin(true)
+    const deserializedCertificate = Certificate.fromBin(serialized)
+
+    expect(deserializedCertificate.fields).toEqual(sampleFieldsEmpty)
+
+    // Verify the signature
+    const isValid = await deserializedCertificate.verify()
+    expect(isValid).toBe(true)
+  })
+
+  it('should correctly handle serialization/deserialization when signature is excluded', () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      'deadbeef1234', // Placeholder signature
+    )
+
+    // Serialize without signature
+    const serialized = certificate.toBin(false)
+    const deserializedCertificate = Certificate.fromBin(serialized)
+
+    expect(deserializedCertificate.signature).toBeUndefined() // Signature should be empty
+    expect(deserializedCertificate.fields).toEqual(sampleFields)
+  })
+
+  it('should correctly handle certificates with long field names and values', async () => {
+    const longFieldName = 'longFieldName_'.repeat(10) as any // Exceeding typical lengths
+    const longFieldValue = 'longFieldValue_'.repeat(20)
+    const fields = {
+      [longFieldName]: longFieldValue
+    }
+
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      fields,
+      undefined // No signature
+    )
+
+    // Sign the certificate
+    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    await certificate.sign(certifierWallet)
+
+    // Serialize and deserialize
+    const serialized = certificate.toBin(true)
+    const deserializedCertificate = Certificate.fromBin(serialized)
+
+    expect(deserializedCertificate.fields).toEqual(fields)
+
+    // Verify the signature
+    const isValid = await deserializedCertificate.verify()
+    expect(isValid).toBe(true)
+  })
+
+  it('should correctly serialize and deserialize the revocationOutpoint', () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      sampleFields,
+      undefined // No signature
+    )
+
+    const serialized = certificate.toBin(false)
+    const deserializedCertificate = Certificate.fromBin(serialized)
+
+    expect(deserializedCertificate.revocationOutpoint).toEqual(sampleRevocationOutpoint)
+  })
+
+  it('should correctly handle certificates with no fields', async () => {
+    const certificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey,
+      sampleRevocationOutpoint,
+      {}, // No fields
+      undefined // No signature
+    )
+
+    // Sign the certificate
+    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    await certificate.sign(certifierWallet)
+
+    // Serialize and deserialize
+    const serialized = certificate.toBin(true)
+    const deserializedCertificate = Certificate.fromBin(serialized)
+
+    expect(deserializedCertificate.fields).toEqual({})
+
+    // Verify the signature
+    const isValid = await deserializedCertificate.verify()
+    expect(isValid).toBe(true)
+  })
+})

package/src/auth/certificates/index.ts

@@ -0,0 +1,3 @@
+export { default as Certificate } from './Certificate.js'
+export * from './MasterCertificate.js'
+export * from './VerifiableCertificate.js'