@bsv/sdk 1.2.20 → 1.2.22

package/src/auth/transports/SimplifiedFetchTransport.ts

@@ -0,0 +1,288 @@
+import { AuthMessage, RequestedCertificateSet, Transport } from "../types.js"
+import { Utils } from '../../../mod.js'
+
+const SUCCESS_STATUS_CODES = [200, 402]
+
+/**
+ * Implements an HTTP-specific transport for handling Peer mutual authentication messages.
+ * This class integrates with fetch to send and receive authenticated messages between peers.
+ */
+export class SimplifiedFetchTransport implements Transport {
+  private onDataCallback?: (message: AuthMessage) => void
+  fetchClient: typeof fetch
+  baseUrl: string
+
+  /**
+   * Constructs a new instance of SimplifiedFetchTransport.
+   * @param baseUrl - The base URL for all HTTP requests made by this transport.
+   * @param fetchClient - A fetch implementation to use for HTTP requests (default: global fetch).
+   */
+  constructor(baseUrl: string, fetchClient = fetch) {
+    this.fetchClient = fetchClient
+    this.baseUrl = baseUrl
+  }
+
+  /**
+   * Sends a message to an HTTP server using the transport mechanism.
+   * Handles both general and authenticated message types. For general messages,
+   * the payload is deserialized and sent as an HTTP request. For other message types,
+   * the message is sent as a POST request to the `/auth` endpoint.
+   * 
+   * @param message - The AuthMessage to send.
+   * @returns A promise that resolves when the message is successfully sent.
+   * 
+   * @throws Will throw an error if no listener has been registered via `onData`.
+   */
+  async send(message: AuthMessage): Promise<void> {
+    if (!this.onDataCallback) {
+      throw new Error('Listen before you start speaking. God gave you two ears and one mouth for a reason.')
+    }
+
+    if (message.messageType !== 'general') {
+      const response = await this.fetchClient(`${this.baseUrl}/.well-known/auth`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify(message)
+      })
+      // Handle the response if data is received and callback is set
+      if (response.ok && this.onDataCallback) {
+        const responseMessage = await response.json()
+        if (responseMessage?.status !== 'certificate received') {
+          this.onDataCallback(responseMessage as AuthMessage)
+        }
+      } else {
+        // Server may be a non authenticated server
+        throw new Error('HTTP server failed to authenticate')
+      }
+    } else {
+      // Parse message payload
+      const httpRequest = this.deserializeRequestPayload(message.payload)
+
+      // Send the byte array as the HTTP payload
+      const url = `${this.baseUrl}${httpRequest.urlPostfix}`
+      let httpRequestWithAuthHeaders: any = httpRequest
+      if (typeof httpRequest.headers !== 'object') {
+        httpRequestWithAuthHeaders.headers = {}
+      }
+
+      // Append auth headers in request to server
+      httpRequestWithAuthHeaders.headers['x-bsv-auth-version'] = message.version
+      httpRequestWithAuthHeaders.headers['x-bsv-auth-identity-key'] = message.identityKey
+      httpRequestWithAuthHeaders.headers['x-bsv-auth-nonce'] = message.nonce
+      httpRequestWithAuthHeaders.headers['x-bsv-auth-your-nonce'] = message.yourNonce
+      httpRequestWithAuthHeaders.headers['x-bsv-auth-signature'] = Utils.toHex(message.signature)
+      httpRequestWithAuthHeaders.headers['x-bsv-auth-request-id'] = httpRequest.requestId
+
+      // Ensure Content-Type is set for requests with a body
+      if (httpRequestWithAuthHeaders.body) {
+        const headers = httpRequestWithAuthHeaders.headers;
+        if (!headers['content-type']) {
+          throw new Error('Content-Type header is required for requests with a body.');
+        }
+
+        const contentType = headers['content-type'];
+
+        // Transform body based on Content-Type
+        if (contentType.includes('application/json')) {
+          // Convert byte array to JSON string
+          httpRequestWithAuthHeaders.body = Utils.toUTF8(httpRequestWithAuthHeaders.body);
+        } else if (contentType.includes('application/x-www-form-urlencoded')) {
+          // Convert byte array to URL-encoded string
+          httpRequestWithAuthHeaders.body = Utils.toUTF8(httpRequestWithAuthHeaders.body);
+        } else if (contentType.includes('text/plain')) {
+          // Convert byte array to plain UTF-8 string
+          httpRequestWithAuthHeaders.body = Utils.toUTF8(httpRequestWithAuthHeaders.body);
+        } else {
+          // For all other content types, treat as binary data
+          httpRequestWithAuthHeaders.body = new Uint8Array(httpRequestWithAuthHeaders.body);
+        }
+      }
+
+
+      // Send the actual fetch request to the server
+      const response = await this.fetchClient(url, {
+        method: httpRequestWithAuthHeaders.method,
+        headers: httpRequestWithAuthHeaders.headers,
+        body: httpRequestWithAuthHeaders.body
+      })
+
+      // Check for an acceptable status
+      if (!SUCCESS_STATUS_CODES.includes(response.status)) {
+        // Try parsing JSON error
+        let errorInfo;
+        try {
+          errorInfo = await response.json();
+        } catch {
+          // Fallback to text if JSON parse fails
+          const text = await response.text().catch(() => '');
+          throw new Error(`HTTP ${response.status} - ${text || 'Unknown error'}`);
+        }
+
+        // If we find a known { status: 'error', code, description } structure
+        if (errorInfo?.status === 'error' && typeof errorInfo.description === 'string') {
+          const msg = `HTTP ${response.status} - ${errorInfo.description}`;
+          throw new Error(errorInfo.code ? `${msg} (code: ${errorInfo.code})` : msg);
+        }
+
+        // Otherwise just throw whatever we got
+        throw new Error(`HTTP ${response.status} - ${JSON.stringify(errorInfo)}`);
+      }
+
+      const parsedBody = await response.arrayBuffer()
+      const payloadWriter = new Utils.Writer()
+      payloadWriter.write(Utils.toArray(response.headers.get('x-bsv-auth-request-id'), 'base64'))
+      payloadWriter.writeVarIntNum(response.status)
+
+      // Filter out headers the server signed:
+      // - Custom headers prefixed with x-bsv are included, except auth
+      // - x-bsv-auth headers are not allowed
+      // - authorization header is signed by the server
+      const includedHeaders: [string, string][] = []
+      // Collect headers into a raw array for sorting
+      const headersArray: [string, string][] = []
+      response.headers.forEach((value, key) => {
+        const lowerKey = key.toLowerCase()
+        if (lowerKey.startsWith('x-bsv-') || lowerKey === 'authorization') {
+          if (!lowerKey.startsWith('x-bsv-auth')) {
+            headersArray.push([lowerKey, value])
+          }
+        }
+      })
+
+      // Sort headers explicitly to match server-side order
+      headersArray.sort(([keyA], [keyB]) => keyA.localeCompare(keyB))
+      includedHeaders.push(...headersArray)
+
+      // nHeaders
+      payloadWriter.writeVarIntNum(includedHeaders.length)
+      for (let i = 0; i < includedHeaders.length; i++) {
+        // headerKeyLength
+        const headerKeyAsArray = Utils.toArray(includedHeaders[i][0], 'utf8')
+        payloadWriter.writeVarIntNum(headerKeyAsArray.length)
+        // headerKey
+        payloadWriter.write(headerKeyAsArray)
+        // headerValueLength
+        const headerValueAsArray = Utils.toArray(includedHeaders[i][1], 'utf8')
+        payloadWriter.writeVarIntNum(headerValueAsArray.length)
+        // headerValue
+        payloadWriter.write(headerValueAsArray)
+      }
+
+      // Handle body
+      if (parsedBody) {
+        const bodyAsArray = Array.from(new Uint8Array(parsedBody))
+        payloadWriter.writeVarIntNum(bodyAsArray.length)
+        payloadWriter.write(bodyAsArray)
+      } else {
+        payloadWriter.writeVarIntNum(-1)
+      }
+
+      // Build the correct AuthMessage for the response
+      const responseMessage: AuthMessage = {
+        version: response.headers.get('x-bsv-auth-version'),
+        messageType: response.headers.get('x-bsv-auth-message-type') === 'certificateRequest' ? 'certificateRequest' : 'general',
+        identityKey: response.headers.get('x-bsv-auth-identity-key'),
+        nonce: response.headers.get('x-bsv-auth-nonce'),
+        yourNonce: response.headers.get('x-bsv-auth-your-nonce'),
+        requestedCertificates: JSON.parse(response.headers.get('x-bsv-auth-requested-certificates')) as RequestedCertificateSet,
+        payload: payloadWriter.toArray(),
+        signature: Utils.toArray(response.headers.get('x-bsv-auth-signature'), 'hex'),
+      }
+
+      // If the server didn't provide the correct authentication headers, throw an error
+      if (!responseMessage.version) {
+        throw new Error('HTTP server failed to authenticate')
+      }
+
+      // Handle the response if data is received and callback is set
+      this.onDataCallback(responseMessage)
+    }
+  }
+
+  /**
+   * Registers a callback to handle incoming messages. 
+   * This must be called before sending any messages to ensure responses can be processed.
+   * 
+   * @param callback - A function to invoke when an incoming AuthMessage is received.
+   * @returns A promise that resolves once the callback is set.
+   */
+  async onData(callback: (message: AuthMessage) => Promise<void>): Promise<void> {
+    this.onDataCallback = (m) => {
+      callback(m)
+    }
+  }
+
+  /**
+   * Deserializes a request payload from a byte array into an HTTP request-like structure.
+   * 
+   * @param payload - The serialized payload to deserialize.
+   * @returns An object representing the deserialized request, including the method,
+   *          URL postfix (path and query string), headers, body, and request ID.
+   */
+  deserializeRequestPayload(payload: number[]): {
+    method: string,
+    urlPostfix: string,
+    headers: Record<string, string>,
+    body: number[],
+    requestId: string
+  } {
+    // Create a reader
+    const requestReader = new Utils.Reader(payload)
+    // The first 32 bytes is the requestId
+    const requestId = Utils.toBase64(requestReader.read(32))
+
+    // Method
+    const methodLength = requestReader.readVarIntNum()
+    let method = 'GET'
+    if (methodLength > 0) {
+      method = Utils.toUTF8(requestReader.read(methodLength))
+    }
+
+    // Path
+    const pathLength = requestReader.readVarIntNum()
+    let path = ''
+    if (pathLength > 0) {
+      path = Utils.toUTF8(requestReader.read(pathLength))
+    }
+
+    // Search
+    const searchLength = requestReader.readVarIntNum()
+    let search = ''
+    if (searchLength > 0) {
+      search = Utils.toUTF8(requestReader.read(searchLength))
+    }
+
+    // Read headers
+    const requestHeaders = {}
+    const nHeaders = requestReader.readVarIntNum()
+    if (nHeaders > 0) {
+      for (let i = 0; i < nHeaders; i++) {
+        const nHeaderKeyBytes = requestReader.readVarIntNum()
+        const headerKeyBytes = requestReader.read(nHeaderKeyBytes)
+        const headerKey = Utils.toUTF8(headerKeyBytes)
+        const nHeaderValueBytes = requestReader.readVarIntNum()
+        const headerValueBytes = requestReader.read(nHeaderValueBytes)
+        const headerValue = Utils.toUTF8(headerValueBytes)
+        requestHeaders[headerKey] = headerValue
+      }
+    }
+
+    // Read body
+    let requestBody
+    const requestBodyBytes = requestReader.readVarIntNum()
+    if (requestBodyBytes > 0) {
+      requestBody = requestReader.read(requestBodyBytes)
+    }
+
+    // Return the deserialized RequestInit
+    return {
+      urlPostfix: path + search,
+      method,
+      headers: requestHeaders,
+      body: requestBody,
+      requestId
+    }
+  }
+}

package/src/auth/transports/index.ts

@@ -0,0 +1 @@
+export * from './SimplifiedFetchTransport.js'

package/src/auth/types.ts

@@ -0,0 +1,41 @@
+import { VerifiableCertificate } from './certificates/VerifiableCertificate.js'
+
+export interface RequestedCertificateTypeIDAndFieldList {
+  [certificateTypeID: string]: string[]
+}
+
+// Define the structure for the requested certificates set
+export interface RequestedCertificateSet {
+  certifiers: string[]
+  types: RequestedCertificateTypeIDAndFieldList
+}
+
+export interface AuthMessage {
+  version: string
+  messageType:
+  | 'initialRequest'
+  | 'initialResponse'
+  | 'certificateRequest'
+  | 'certificateResponse'
+  | 'general'
+  identityKey: string // Sender's public key (used for identity verification)
+  nonce?: string // Sender's nonce (256-bit random value)
+  initialNonce?: string
+  yourNonce?: string // The recipient's nonce from a previous message (if applicable)
+  certificates?: VerifiableCertificate[] // Optional: List of certificates (if required/requested)
+  requestedCertificates?: RequestedCertificateSet // Optional: List of requested certificates
+  payload?: number[] // The actual message data (optional, could be a string or an object)
+  signature?: number[] // Digital signature covering the entire message
+}
+
+export interface Transport {
+  send: (message: AuthMessage) => Promise<void>
+  onData: (callback: (message: AuthMessage) => Promise<void>) => Promise<void>
+}
+
+export interface PeerSession {
+  isAuthenticated: boolean
+  sessionNonce?: string
+  peerNonce?: string
+  peerIdentityKey?: string
+}

package/src/auth/utils/__tests/cryptononce.test.ts

@@ -0,0 +1,84 @@
+import { PrivateKey } from '../../../../dist/cjs/src/primitives/index.js'
+import { ProtoWallet } from '../../../../dist/cjs/src/wallet/index.js'
+import { Wallet } from '../../../../dist/cjs/src/wallet/Wallet.interfaces.js'
+import { createNonce } from '../../../../dist/cjs/src/auth/utils/createNonce.js'
+import { verifyNonce } from '../../../../dist/cjs/src/auth/utils/verifyNonce.js'
+
+describe('createNonce', () => {
+  let mockWallet: Wallet
+
+  beforeEach(() => {
+    mockWallet = {
+      createHmac: jest.fn().mockResolvedValue({ hmac: new Uint8Array(16) }),
+    } as unknown as Wallet
+  })
+
+  afterEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('throws an error if wallet fails to create HMAC', async () => {
+    // Mock failure of HMAC creation
+    (mockWallet.createHmac as jest.Mock).mockRejectedValue(new Error('Failed to create HMAC'))
+
+    await expect(createNonce(mockWallet)).rejects.toThrow('Failed to create HMAC')
+  })
+
+  it('creates a 256-bit nonce', async () => {
+    const nonce = await createNonce(mockWallet)
+    expect(Buffer.from(nonce, 'base64').byteLength).toEqual(32)
+  })
+})
+
+describe('verifyNonce', () => {
+  let mockWallet: Wallet
+
+  beforeEach(() => {
+    mockWallet = {
+      createHmac: jest.fn().mockResolvedValue({ hmac: new Uint8Array(16) }),
+      verifyHmac: jest.fn().mockResolvedValue({ valid: true }),
+    } as unknown as Wallet
+  })
+
+  afterEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('does not verify an invalid nonce', async () => {
+    (mockWallet.verifyHmac as jest.Mock).mockResolvedValue({ valid: false })
+
+    const nonce = await createNonce(mockWallet)
+    await expect(verifyNonce(nonce + 'ABC', mockWallet)).resolves.toEqual(false)
+    await expect(verifyNonce(nonce + '=', mockWallet)).resolves.toEqual(false)
+    await expect(verifyNonce(Buffer.from(nonce + Buffer.from('extra').toString('base64'), 'base64').toString('base64'), mockWallet)).resolves.toEqual(false)
+  })
+
+  it('returns false for an invalid HMAC verification', async () => {
+    (mockWallet.verifyHmac as jest.Mock).mockResolvedValue({ valid: false })
+
+    const nonce = await createNonce(mockWallet)
+    await expect(verifyNonce(nonce, mockWallet)).resolves.toEqual(false)
+  })
+
+  it('verifies a 256-bit nonce', async () => {
+    (mockWallet.verifyHmac as jest.Mock).mockResolvedValue({ valid: true })
+
+    const nonce1 = await createNonce(mockWallet)
+    const nonce2 = await createNonce(mockWallet)
+
+    expect(Buffer.from(nonce1, 'base64').byteLength).toEqual(32)
+    expect(Buffer.from(nonce2, 'base64').byteLength).toEqual(32)
+
+    await expect(verifyNonce(nonce1, mockWallet)).resolves.toEqual(true)
+    await expect(verifyNonce(nonce2, mockWallet)).resolves.toEqual(true)
+  })
+
+  it('verifies nonce using real createHmac and verifyHmac', async () => {
+    const realWallet = new ProtoWallet(PrivateKey.fromRandom())
+
+    const nonce = await createNonce(realWallet)
+    const isValid = await verifyNonce(nonce, realWallet)
+
+    expect(isValid).toEqual(true)
+  })
+})

package/src/auth/utils/__tests/getVerifiableCertificates.test.ts

@@ -0,0 +1,126 @@
+import { Wallet } from '../../../../dist/cjs/src/wallet/Wallet.interfaces.js'
+import { getVerifiableCertificates } from '../../../../dist/cjs/src/auth/utils/getVerifiableCertificates'
+import { RequestedCertificateSet } from '../../../../dist/cjs/src/auth/types.js'
+import { VerifiableCertificate } from '../../../../dist/cjs/src/auth/certificates/VerifiableCertificate.js'
+
+describe('getVerifiableCertificates', () => {
+  let mockWallet: Wallet
+  let requestedCertificates: RequestedCertificateSet
+  let verifierIdentityKey: string
+
+  beforeEach(() => {
+    mockWallet = {
+      listCertificates: jest.fn(),
+      proveCertificate: jest.fn(),
+    } as unknown as Wallet
+
+    requestedCertificates = {
+      certifiers: ['certifier1', 'certifier2'],
+      types: {
+        certType1: ['field1', 'field2'],
+        certType2: ['field3'],
+      },
+    }
+
+    verifierIdentityKey = 'verifier_public_key'
+  })
+
+  it('retrieves matching certificates based on requested set', async () => {
+    const mockCertificate = {
+      type: 'certType1',
+      serialNumber: 'serial1',
+      subject: 'subject1',
+      certifier: 'certifier1',
+      revocationOutpoint: 'outpoint1',
+      fields: { field1: 'encryptedData1', field2: 'encryptedData2' },
+      signature: 'signature1',
+    };
+
+    (mockWallet.listCertificates as jest.Mock).mockResolvedValue({
+      certificates: [mockCertificate]
+    });
+    (mockWallet.proveCertificate as jest.Mock).mockResolvedValue({
+      keyringForVerifier: { field1: 'key1', field2: 'key2' }
+    })
+
+    const result = await getVerifiableCertificates(mockWallet, requestedCertificates, verifierIdentityKey)
+
+    expect(mockWallet.listCertificates).toHaveBeenCalledWith({
+      certifiers: requestedCertificates.certifiers,
+      types: Object.keys(requestedCertificates.types),
+    })
+
+    expect(mockWallet.proveCertificate).toHaveBeenCalledWith({
+      certificate: mockCertificate,
+      fieldsToReveal: requestedCertificates.types[mockCertificate.type],
+      verifier: verifierIdentityKey,
+    })
+
+    expect(result).toHaveLength(1)
+    expect(result[0]).toBeInstanceOf(VerifiableCertificate)
+    expect(result[0]).toMatchObject({
+      type: 'certType1',
+      serialNumber: 'serial1',
+      subject: 'subject1',
+      certifier: 'certifier1',
+      revocationOutpoint: 'outpoint1',
+      fields: { field1: 'encryptedData1', field2: 'encryptedData2' },
+      signature: 'signature1',
+      keyring: { field1: 'key1', field2: 'key2' }
+    })
+  })
+
+
+  it('returns an empty array when no matching certificates are found', async () => {
+    (mockWallet.listCertificates as jest.Mock).mockResolvedValue({ certificates: [] })
+
+    const result = await getVerifiableCertificates(mockWallet, requestedCertificates, verifierIdentityKey)
+
+    expect(result).toEqual([])
+    expect(mockWallet.listCertificates).toHaveBeenCalled()
+    expect(mockWallet.proveCertificate).not.toHaveBeenCalled()
+  })
+
+  it('propagates errors from listCertificates', async () => {
+    (mockWallet.listCertificates as jest.Mock).mockRejectedValue(new Error('listCertificates failed'))
+
+    await expect(getVerifiableCertificates(mockWallet, requestedCertificates, verifierIdentityKey)).rejects.toThrow(
+      'listCertificates failed'
+    )
+  })
+
+  it('propagates errors from proveCertificate', async () => {
+    const mockCertificate = {
+      type: 'certType1',
+      serialNumber: 'serial1',
+      subject: 'subject1',
+      certifier: 'certifier1',
+      revocationOutpoint: 'outpoint1',
+      fields: { field1: 'encryptedData1', field2: 'encryptedData2' },
+      signature: 'signature1',
+    };
+
+    (mockWallet.listCertificates as jest.Mock).mockResolvedValue({
+      certificates: [mockCertificate],
+    });
+    (mockWallet.proveCertificate as jest.Mock).mockRejectedValue(new Error('proveCertificate failed'))
+
+    await expect(getVerifiableCertificates(mockWallet, requestedCertificates, verifierIdentityKey)).rejects.toThrow(
+      'proveCertificate failed'
+    )
+  })
+
+  it('handles empty requested certificates gracefully', async () => {
+    requestedCertificates = { certifiers: [], types: {} };
+
+    (mockWallet.listCertificates as jest.Mock).mockResolvedValue({ certificates: [] })
+
+    const result = await getVerifiableCertificates(mockWallet, requestedCertificates, verifierIdentityKey)
+
+    expect(result).toEqual([])
+    expect(mockWallet.listCertificates).toHaveBeenCalledWith({
+      certifiers: [],
+      types: [],
+    })
+  })
+})

package/src/auth/utils/__tests/validateCertificates.test.ts

@@ -0,0 +1,142 @@
+import { validateCertificates } from '../../../../dist/cjs/src/auth/utils/validateCertificates.js'
+import { VerifiableCertificate } from '../../../../dist/cjs/src/auth/certificates/VerifiableCertificate.js'
+import { ProtoWallet } from '../../../../dist/cjs/src/wallet/index.js'
+import { PrivateKey } from '../../../../dist/cjs/src/primitives/index.js'
+
+let mockVerify = jest.fn(() => Promise.resolve(true))
+let mockDecryptFields = jest.fn(() => Promise.resolve({ field1: 'decryptedValue1' }))
+const mockInstances = []
+
+jest.mock('../../../../dist/cjs/src/auth/certificates/VerifiableCertificate.js', () => {
+  return {
+    VerifiableCertificate: jest.fn().mockImplementation(() => {
+      const instance = {
+        type: 'requested_type',
+        serialNumber: 'valid_serial',
+        subject: 'valid_subject',
+        certifier: 'valid_certifier',
+        revocationOutpoint: 'outpoint',
+        fields: { field1: 'encryptedData1' },
+        decryptedFields: {},
+        verify: mockVerify,
+        decryptFields: mockDecryptFields,
+      }
+      mockInstances.push(instance)
+      return instance
+    }),
+  }
+})
+
+describe('validateCertificates', () => {
+  let verifierWallet
+  let message
+
+  beforeEach(() => {
+    jest.clearAllMocks()
+    mockInstances.length = 0 // Clear tracked instances
+
+    // Reset state
+    mockVerify = jest.fn(() => Promise.resolve(true))
+    mockDecryptFields = jest.fn(() => Promise.resolve({ field1: 'decryptedValue1' }))
+
+    verifierWallet = new ProtoWallet(new PrivateKey(1))
+    message = {
+      identityKey: 'valid_subject',
+      certificates: [
+        {
+          type: 'requested_type',
+          serialNumber: 'valid_serial',
+          subject: 'valid_subject',
+          certifier: 'valid_certifier',
+          revocationOutpoint: 'outpoint',
+          fields: { field1: 'encryptedData1' },
+          decryptedFields: {},
+        },
+      ],
+    }
+  })
+
+  it('completes without errors for valid input', async () => {
+    await expect(validateCertificates(verifierWallet, message)).resolves.not.toThrow()
+
+    expect(VerifiableCertificate).toHaveBeenCalledTimes(message.certificates.length)
+    expect(mockVerify).toHaveBeenCalledTimes(message.certificates.length)
+    expect(mockDecryptFields).toHaveBeenCalledWith(verifierWallet)
+  })
+
+  it('throws an error for mismatched identity key', async () => {
+    message.identityKey = 'different_subject'
+
+    await expect(validateCertificates(verifierWallet, message)).rejects.toThrow(
+      `The subject of one of your certificates ("valid_subject") is not the same as the request sender ("different_subject").`
+    )
+  })
+
+  it('throws an error if certificate signature is invalid', async () => {
+    mockVerify.mockResolvedValueOnce(false)
+
+    await expect(validateCertificates(verifierWallet, message)).rejects.toThrow(
+      `The signature for the certificate with serial number valid_serial is invalid!`
+    )
+  })
+
+  it('throws an error for unrequested certifier', async () => {
+    const certificatesRequested = {
+      certifiers: ['another_certifier'],
+      types: { requested_type: ['field1'] },
+    }
+
+    await expect(
+      validateCertificates(verifierWallet, message, certificatesRequested)
+    ).rejects.toThrow(
+      `Certificate with serial number valid_serial has an unrequested certifier: valid_certifier`
+    )
+  })
+
+  it('throws an error for unrequested certificate type', async () => {
+    const certificatesRequested = {
+      certifiers: ['valid_certifier'],
+      types: { another_type: ['field1'] },
+    }
+
+    await expect(
+      validateCertificates(verifierWallet, message, certificatesRequested)
+    ).rejects.toThrow(
+      `Certificate with type requested_type was not requested`
+    )
+  })
+
+  it('decrypts fields without throwing errors', async () => {
+    await expect(validateCertificates(verifierWallet, message)).resolves.not.toThrow()
+    for (const instance of mockInstances) {
+      expect(instance.decryptFields).toHaveBeenCalledWith(verifierWallet)
+    }
+  })
+
+  it('throws an error if a field decryption fails', async () => {
+    mockDecryptFields.mockRejectedValue(new Error('Decryption failed'))
+    await expect(validateCertificates(verifierWallet, message)).rejects.toThrow('Decryption failed')
+  })
+
+  it('handles multiple certificates properly', async () => {
+    const anotherCertificate = {
+      type: 'requested_type',
+      serialNumber: 'another_serial',
+      subject: 'valid_subject',
+      certifier: 'valid_certifier',
+      revocationOutpoint: 'outpoint',
+      fields: { field1: 'encryptedData1' },
+      decryptedFields: {},
+    }
+
+    message.certificates.push(anotherCertificate)
+
+    await expect(validateCertificates(verifierWallet, message)).resolves.not.toThrow()
+
+    expect(VerifiableCertificate).toHaveBeenCalledTimes(2)
+    expect(mockVerify).toHaveBeenCalledTimes(2)
+    for (const instance of mockInstances) {
+      expect(instance.decryptFields).toHaveBeenCalledWith(verifierWallet)
+    }
+  })
+})