@bsv/sdk 1.3.10 → 1.3.12

package/src/auth/certificates/__tests/MasterCertificate.test.ts

@@ -19,11 +19,12 @@ describe('MasterCertificate', () => {
 
   const subjectWallet = new CompletedProtoWallet(subjectPrivateKey)
   const certifierWallet = new CompletedProtoWallet(certifierPrivateKey)
-  let subjectPubKey, certifierPubKey
+  let subjectIdentityKey: string
+  let certifierIdentityKey: string
 
   beforeAll(async () => {
-    subjectPubKey = (await subjectWallet.getPublicKey({ identityKey: true })).publicKey
-    certifierPubKey = (await certifierWallet.getPublicKey({ identityKey: true })).publicKey
+    subjectIdentityKey = (await subjectWallet.getPublicKey({ identityKey: true })).publicKey
+    certifierIdentityKey = (await certifierWallet.getPublicKey({ identityKey: true })).publicKey
   })
 
   describe('constructor', () => {
@@ -42,8 +43,8 @@ describe('MasterCertificate', () => {
       const certificate = new MasterCertificate(
         Utils.toBase64(Random(16)), // type
         Utils.toBase64(Random(16)), // serialNumber
-        subjectPubKey,
-        certifierPubKey,
+        subjectIdentityKey,
+        certifierIdentityKey,
         mockRevocationOutpoint,
         fields,
         masterKeyring
@@ -52,8 +53,8 @@ describe('MasterCertificate', () => {
       expect(certificate).toBeInstanceOf(MasterCertificate)
       expect(certificate.fields).toEqual(fields)
       expect(certificate.masterKeyring).toEqual(masterKeyring)
-      expect(certificate.subject).toEqual(subjectPubKey)
-      expect(certificate.certifier).toEqual(certifierPubKey)
+      expect(certificate.subject).toEqual(subjectIdentityKey)
+      expect(certificate.certifier).toEqual(certifierIdentityKey)
     })
 
     it('should throw if masterKeyring is missing a key for any field', () => {
@@ -64,8 +65,8 @@ describe('MasterCertificate', () => {
         new MasterCertificate(
           Utils.toBase64(Random(16)), // type
           Utils.toBase64(Random(16)), // serialNumber
-          subjectPubKey,
-          certifierPubKey,
+          subjectIdentityKey,
+          certifierIdentityKey,
           mockRevocationOutpoint,
           fields,
           masterKeyring
@@ -74,18 +75,23 @@ describe('MasterCertificate', () => {
     })
   })
 
-  describe('decryptFields', () => {
+  describe('decryptFields (static)', () => {
     it('should decrypt all fields correctly using subject wallet', async () => {
       // Issue a certificate for the subject, which includes a valid masterKeyring
       const certificate = await MasterCertificate.issueCertificateForSubject(
         certifierWallet,
-        subjectPubKey,
+        subjectIdentityKey,
         plaintextFields,
         'TEST_CERT'
       )
 
-      // Now subject should be able to decrypt all fields
-      const decrypted = await certificate.decryptFields(subjectWallet)
+      // Now subject should be able to decrypt all fields via static method
+      const decrypted = await MasterCertificate.decryptFields(
+        subjectWallet,
+        certificate.masterKeyring,
+        certificate.fields,
+        certificate.certifier // because certifier was the encryption counterparty
+      )
       expect(decrypted).toEqual(plaintextFields)
     })
 
@@ -94,8 +100,8 @@ describe('MasterCertificate', () => {
       expect(() => new MasterCertificate(
         Utils.toBase64(Random(16)),
         Utils.toBase64(Random(16)),
-        subjectPubKey,
-        certifierPubKey,
+        subjectIdentityKey,
+        certifierIdentityKey,
         mockRevocationOutpoint,
         { name: Utils.toBase64([1, 2, 3]) },
         {}
@@ -108,8 +114,8 @@ describe('MasterCertificate', () => {
       const badKeyCertificate = new MasterCertificate(
         Utils.toBase64(Random(16)),
         Utils.toBase64(Random(16)),
-        subjectPubKey,
-        certifierPubKey,
+        subjectIdentityKey,
+        certifierIdentityKey,
         mockRevocationOutpoint,
         {
           name: Utils.toBase64(SymmetricKey.fromRandom().encrypt(Utils.toArray('Alice', 'utf8')) as number[])
@@ -117,24 +123,30 @@ describe('MasterCertificate', () => {
         { name: badKeyMasterKeyring }
       )
 
-      await expect(badKeyCertificate.decryptFields(subjectWallet))
-        .rejects
-        .toThrow('Failed to decrypt all master certificate fields.')
+      await expect(
+        MasterCertificate.decryptFields(
+          subjectWallet,
+          badKeyCertificate.masterKeyring,
+          badKeyCertificate.fields,
+          badKeyCertificate.certifier
+        )
+      ).rejects.toThrow('Failed to decrypt all master certificate fields.')
     })
   })
 
-  describe('createKeyringForVerifier', () => {
+  describe('createKeyringForVerifier (static)', () => {
     const verifierPrivateKey = PrivateKey.fromRandom()
     const verifierWallet = new CompletedProtoWallet(verifierPrivateKey)
-    let verifierPubKey
+    let verifierIdentityKey: string
 
     let issuedCert: MasterCertificate
 
     beforeAll(async () => {
-      verifierPubKey = (await verifierWallet.getPublicKey({ identityKey: true })).publicKey
+      verifierIdentityKey = (await verifierWallet.getPublicKey({ identityKey: true })).publicKey
+      // Issue a certificate to reuse in tests
       issuedCert = await MasterCertificate.issueCertificateForSubject(
         certifierWallet,
-        subjectPubKey,
+        subjectIdentityKey,
         plaintextFields,
         'TEST_CERT'
       )
@@ -143,10 +155,15 @@ describe('MasterCertificate', () => {
     it('should create a verifier keyring for specified fields', async () => {
       // We only want to share "name" with the verifier
       const fieldsToReveal = ['name']
-      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+
+      const keyringForVerifier = await MasterCertificate.createKeyringForVerifier(
         subjectWallet,
-        verifierPubKey,
-        fieldsToReveal
+        issuedCert.certifier, // the original certifier
+        verifierIdentityKey,       // the new verifier
+        issuedCert.fields,    // encrypted fields
+        fieldsToReveal,
+        issuedCert.masterKeyring,
+        issuedCert.serialNumber
       )
 
       // The new keyring should only contain "name"
@@ -161,8 +178,8 @@ describe('MasterCertificate', () => {
         issuedCert.certifier,
         issuedCert.revocationOutpoint,
         issuedCert.fields,
-        issuedCert.signature,
-        keyringForVerifier
+        keyringForVerifier,
+        issuedCert.signature
       )
 
       // The verifier should successfully decrypt the "name" field
@@ -170,16 +187,23 @@ describe('MasterCertificate', () => {
       expect(decrypted).toEqual({ name: plaintextFields.name })
     })
 
-    it('should throw if fields to reveal are not subset of the certificate fields', async () => {
+    it('should throw if fields to reveal are not a subset of the certificate fields', async () => {
       await expect(
-        issuedCert.createKeyringForVerifier(subjectWallet, verifierPubKey, ['nonexistent_field'])
+        MasterCertificate.createKeyringForVerifier(
+          subjectWallet,
+          issuedCert.certifier,
+          verifierIdentityKey,
+          issuedCert.fields,
+          ['nonexistent_field'],
+          issuedCert.masterKeyring
+        )
       ).rejects.toThrow(
         /Fields to reveal must be a subset of the certificate fields\. Missing the "nonexistent_field" field\./
       )
     })
 
     it('should throw if the master key fails to decrypt the corresponding field', async () => {
-      // We'll tamper the certificate's masterKeyring so that a field key is invalid
+      // We'll tamper with the certificate's masterKeyring so that a field key is invalid
       const tamperedCert = new MasterCertificate(
         issuedCert.type,
         issuedCert.serialNumber,
@@ -197,46 +221,65 @@ describe('MasterCertificate', () => {
       )
 
       await expect(
-        tamperedCert.createKeyringForVerifier(subjectWallet, verifierPubKey, ['name'])
-      ).rejects.toThrow('Decryption failed!')
+        MasterCertificate.createKeyringForVerifier(
+          subjectWallet,
+          tamperedCert.certifier,
+          verifierIdentityKey,
+          tamperedCert.fields,
+          ['name'],
+          tamperedCert.masterKeyring,
+          tamperedCert.serialNumber
+        )
+      ).rejects.toThrow('Failed to decrypt certificate field!')
     })
 
     it('should support optional originator parameter', async () => {
-      // Just to ensure coverage for the originator-based flows
       const fieldsToReveal = ['name']
-      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+      const keyringForVerifier = await MasterCertificate.createKeyringForVerifier(
         subjectWallet,
-        verifierPubKey,
+        issuedCert.certifier,
+        verifierIdentityKey,
+        issuedCert.fields,
         fieldsToReveal,
+        issuedCert.masterKeyring,
+        issuedCert.serialNumber,
         'my-originator'
       )
       expect(keyringForVerifier).toHaveProperty('name')
     })
 
-    it('should support counterparty of "anyone"', async () => {
-      // Create a keyring for public disclosure of selected fields.
+    it('should support counterparty of "anyone" or "self"', async () => {
       const fieldsToReveal = ['name']
-      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+
+      // "anyone"
+      const anyoneKeyring = await MasterCertificate.createKeyringForVerifier(
         subjectWallet,
+        issuedCert.certifier,
         'anyone',
+        issuedCert.fields,
         fieldsToReveal,
+        issuedCert.masterKeyring,
+        issuedCert.serialNumber,
         'my-originator'
       )
-      expect(keyringForVerifier).toHaveProperty('name')
-    })
-    it('should support counterparty of "self"', async () => {
-      const fieldsToReveal = ['name']
-      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+      expect(anyoneKeyring).toHaveProperty('name')
+
+      // "self"
+      const selfKeyring = await MasterCertificate.createKeyringForVerifier(
         subjectWallet,
+        issuedCert.certifier,
         'self',
+        issuedCert.fields,
         fieldsToReveal,
+        issuedCert.masterKeyring,
+        issuedCert.serialNumber,
         'my-originator'
       )
-      expect(keyringForVerifier).toHaveProperty('name')
+      expect(selfKeyring).toHaveProperty('name')
     })
   })
 
-  describe('issueCertificateForSubject', () => {
+  describe('issueCertificateForSubject (static)', () => {
     it('should issue a valid MasterCertificate for the given subject', async () => {
       const newPlaintextFields = {
         project: 'Top Secret',
@@ -247,16 +290,16 @@ describe('MasterCertificate', () => {
 
       const newCert = await MasterCertificate.issueCertificateForSubject(
         certifierWallet,
-        subjectPubKey,
+        subjectIdentityKey,
         newPlaintextFields,
         'TEST_CERT',
-        revocationFn,
+        revocationFn
       )
 
       expect(newCert).toBeInstanceOf(MasterCertificate)
       // The certificate's fields should be encrypted base64
       for (const fieldName in newPlaintextFields) {
-        expect(newCert.fields[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/) // base64 check
+        expect(newCert.fields[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/) // quick base64 check
       }
       // The masterKeyring should also contain base64 strings
       for (const fieldName in newPlaintextFields) {
@@ -266,8 +309,56 @@ describe('MasterCertificate', () => {
       expect(newCert.revocationOutpoint).toEqual(mockRevocationOutpoint)
       // Check we have a signature
       expect(newCert.signature).toBeDefined()
-      // Check that the revocationFn were called
+      // Check that the revocationFn was called
       expect(revocationFn).toHaveBeenCalledWith(newCert.serialNumber)
     })
+
+    it('should allow passing a custom serial number when issuing the certificate', async () => {
+      const customSerialNumber = Utils.toBase64(Random(32))
+      const newPlaintextFields = { status: 'Approved' }
+      const newCert = await MasterCertificate.issueCertificateForSubject(
+        certifierWallet,
+        subjectIdentityKey,
+        newPlaintextFields,
+        'TEST_CERT',
+        undefined,     // No custom revocation function
+        customSerialNumber   // Pass our custom serial number
+      )
+
+      expect(newCert).toBeInstanceOf(MasterCertificate)
+      expect(newCert.serialNumber).toEqual(customSerialNumber) // Must match exactly
+      // Check encryption
+      for (const fieldName in newPlaintextFields) {
+        expect(newCert.fields[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/)
+      }
+    })
+    it('should allow issuing a self-signed certificate and decrypt it with the same wallet', async () => {
+      // In a self-signed scenario, the subject and certifier are the same
+      const subjectWallet = new CompletedProtoWallet(PrivateKey.fromRandom())
+
+      // Some sample fields
+      const selfSignedFields = {
+        owner: 'Bob',
+        organization: 'SelfCo'
+      }
+
+      // Issue the certificate for "self"
+      const selfSignedCert = await MasterCertificate.issueCertificateForSubject(
+        subjectWallet,   // act as certifier
+        'self',
+        selfSignedFields,
+        'SELF_SIGNED_TEST'
+      )
+
+      // Now we attempt to decrypt the fields with the same wallet
+      const decrypted = await MasterCertificate.decryptFields(
+        subjectWallet,
+        selfSignedCert.masterKeyring,
+        selfSignedCert.fields,
+        'self'
+      )
+
+      expect(decrypted).toEqual(selfSignedFields)
+    })
   })
 })

package/src/auth/certificates/__tests/VerifiableCertificate.test.ts

@@ -2,14 +2,16 @@ import { VerifiableCertificate } from '../../../../dist/cjs/src/auth/certificate
 import { PrivateKey, SymmetricKey, Utils } from '../../../../dist/cjs/src/primitives/index.js'
 import { CompletedProtoWallet } from '../../../../dist/cjs/src/auth/certificates/__tests/CompletedProtoWallet.js'
 import { Certificate } from '../../../../dist/cjs/src/auth/certificates/index.js'
+import { MasterCertificate } from '../../../../dist/cjs/src/auth/certificates/MasterCertificate.js'
+import { ProtoWallet } from '../../../../dist/cjs/src/wallet/index.js'
 
 describe('VerifiableCertificate', () => {
   const subjectPrivateKey = PrivateKey.fromRandom()
-  const subjectPubKey = subjectPrivateKey.toPublicKey().toString()
+  const subjectIdentityKey = subjectPrivateKey.toPublicKey().toString()
   const certifierPrivateKey = PrivateKey.fromRandom()
-  const certifierPubKey = certifierPrivateKey.toPublicKey().toString()
+  const certifierIdentityKey = certifierPrivateKey.toPublicKey().toString()
   const verifierPrivateKey = PrivateKey.fromRandom()
-  const verifierPubKey = verifierPrivateKey.toPublicKey().toString()
+  const verifierIdentityKey = verifierPrivateKey.toPublicKey().toString()
 
   const subjectWallet = new CompletedProtoWallet(subjectPrivateKey)
   const verifierWallet = new CompletedProtoWallet(verifierPrivateKey)
@@ -28,34 +30,28 @@ describe('VerifiableCertificate', () => {
 
   beforeEach(async () => {
     // For each test, we'll build a fresh VerifiableCertificate with valid encryption
-    const certificateFields = {}
-    const keyring = {}
-
-    for (const fieldName in plaintextFields) {
-      // Generate a random field symmetric key
-      const fieldSymKey = SymmetricKey.fromRandom()
-      // Encrypt the field's plaintext
-      const encryptedFieldValue = fieldSymKey.encrypt(Utils.toArray(plaintextFields[fieldName], 'utf8'))
-      certificateFields[fieldName] = Utils.toBase64(encryptedFieldValue as number[])
-
-      // Now encrypt the fieldSymKey for the verifier
-      const { ciphertext: encryptedRevelationKey } = await subjectWallet.encrypt({
-        plaintext: fieldSymKey.toArray(),
-        ...Certificate.getCertificateFieldEncryptionDetails(sampleSerialNumber, fieldName),
-        counterparty: verifierPubKey
-      })
-      keyring[fieldName] = Utils.toBase64(encryptedRevelationKey)
-    }
-
+    const { certificateFields, masterKeyring } = await MasterCertificate.createCertificateFields(
+      subjectWallet,
+      certifierIdentityKey,
+      plaintextFields
+    )
+    const keyringForVerifier = await MasterCertificate.createKeyringForVerifier(
+      subjectWallet,
+      certifierIdentityKey,
+      verifierIdentityKey,
+      certificateFields,
+      Object.keys(certificateFields),
+      masterKeyring,
+      sampleSerialNumber
+    )
     verifiableCert = new VerifiableCertificate(
       sampleType,
       sampleSerialNumber,
-      subjectPubKey,
-      certifierPubKey,
+      subjectIdentityKey,
+      certifierIdentityKey,
       sampleRevocationOutpoint,
       certificateFields,
-      undefined, // signature
-      keyring
+      keyringForVerifier
     )
   })
 
@@ -64,8 +60,8 @@ describe('VerifiableCertificate', () => {
       expect(verifiableCert).toBeInstanceOf(VerifiableCertificate)
       expect(verifiableCert.type).toEqual(sampleType)
       expect(verifiableCert.serialNumber).toEqual(sampleSerialNumber)
-      expect(verifiableCert.subject).toEqual(subjectPubKey)
-      expect(verifiableCert.certifier).toEqual(certifierPubKey)
+      expect(verifiableCert.subject).toEqual(subjectIdentityKey)
+      expect(verifiableCert.certifier).toEqual(certifierIdentityKey)
       expect(verifiableCert.revocationOutpoint).toEqual(sampleRevocationOutpoint)
       expect(verifiableCert.fields).toBeDefined()
       expect(verifiableCert.keyring).toBeDefined()
@@ -97,8 +93,8 @@ describe('VerifiableCertificate', () => {
         verifiableCert.certifier,
         verifiableCert.revocationOutpoint,
         fields,
-        verifiableCert.signature,
-        {} // empty
+        {}, // empty
+        verifiableCert.signature
       )
 
       await expect(emptyKeyringCert.decryptFields(verifierWallet)).rejects.toThrow(
@@ -113,5 +109,33 @@ describe('VerifiableCertificate', () => {
         /Failed to decrypt selectively revealed certificate fields using keyring/
       )
     })
+
+    it('should be able to decrypt fields using the anyone wallet', async () => {
+      const { certificateFields, masterKeyring } = await MasterCertificate.createCertificateFields(
+        subjectWallet,
+        certifierIdentityKey,
+        plaintextFields
+      )
+      const keyringForVerifier = await MasterCertificate.createKeyringForVerifier(
+        subjectWallet,
+        certifierIdentityKey,
+        'anyone',
+        certificateFields,
+        Object.keys(certificateFields),
+        masterKeyring,
+        sampleSerialNumber
+      )
+      verifiableCert = new VerifiableCertificate(
+        sampleType,
+        sampleSerialNumber,
+        subjectIdentityKey,
+        'anyone',
+        sampleRevocationOutpoint,
+        certificateFields,
+        keyringForVerifier
+      )
+      const decrypted = await verifiableCert.decryptFields(new ProtoWallet('anyone'))
+      expect(decrypted).toEqual(plaintextFields)
+    })
   })
 })

package/src/auth/utils/getVerifiableCertificates.ts

@@ -33,8 +33,8 @@ export const getVerifiableCertificates = async (wallet: WalletInterface, request
         certificate.certifier,
         certificate.revocationOutpoint,
         certificate.fields,
-        certificate.signature,
-        keyringForVerifier
+        keyringForVerifier,
+        certificate.signature
       )
     }))
 }

package/src/auth/utils/validateCertificates.ts

@@ -24,8 +24,8 @@ export const validateCertificates = async (verifierWallet: WalletInterface, mess
       incomingCert.certifier,
       incomingCert.revocationOutpoint,
       incomingCert.fields,
-      incomingCert.signature,
-      incomingCert.keyring
+      incomingCert.keyring,
+      incomingCert.signature
     )
     const isValidCert = await certToVerify.verify()
     if (!isValidCert) {

package/src/wallet/ProtoWallet.ts

@@ -33,9 +33,9 @@ import {
  * enable the management of identity certificates, or store any data. It is also not concerned with privileged keys.
  */
 export class ProtoWallet {
-  keyDeriver: KeyDeriverApi
+  keyDeriver?: KeyDeriverApi
 
-  constructor (rootKeyOrKeyDeriver: PrivateKey | 'anyone' | KeyDeriverApi) {
+  constructor (rootKeyOrKeyDeriver?: PrivateKey | 'anyone' | KeyDeriverApi) {
     if (typeof (rootKeyOrKeyDeriver as KeyDeriver).identityKey !== 'string') {
       rootKeyOrKeyDeriver = new KeyDeriver(rootKeyOrKeyDeriver as PrivateKey | 'anyone')
     }
@@ -43,7 +43,8 @@ export class ProtoWallet {
   }
 
   async getPublicKey (
-    args: GetPublicKeyArgs
+    args: GetPublicKeyArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<{ publicKey: PubKeyHex }> {
     if (args.identityKey) {
       return { publicKey: this.keyDeriver.rootKey.toPublicKey().toString() }
@@ -65,7 +66,8 @@ export class ProtoWallet {
   }
 
   async revealCounterpartyKeyLinkage (
-    args: RevealCounterpartyKeyLinkageArgs
+    args: RevealCounterpartyKeyLinkageArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<RevealCounterpartyKeyLinkageResult> {
     const { publicKey: identityKey } = await this.getPublicKey({ identityKey: true })
     const linkage = this.keyDeriver.revealCounterpartySecret(args.counterparty)
@@ -99,7 +101,8 @@ export class ProtoWallet {
   }
 
   async revealSpecificKeyLinkage (
-    args: RevealSpecificKeyLinkageArgs
+    args: RevealSpecificKeyLinkageArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<RevealSpecificKeyLinkageResult> {
     const { publicKey: identityKey } = await this.getPublicKey({ identityKey: true })
     const linkage = this.keyDeriver.revealSpecificSecret(
@@ -132,7 +135,8 @@ export class ProtoWallet {
   }
 
   async encrypt (
-    args: WalletEncryptArgs
+    args: WalletEncryptArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<WalletEncryptResult> {
     const key = this.keyDeriver.deriveSymmetricKey(
       args.protocolID,
@@ -143,7 +147,8 @@ export class ProtoWallet {
   }
 
   async decrypt (
-    args: WalletDecryptArgs
+    args: WalletDecryptArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<WalletDecryptResult> {
     const key = this.keyDeriver.deriveSymmetricKey(
       args.protocolID,
@@ -154,7 +159,8 @@ export class ProtoWallet {
   }
 
   async createHmac (
-    args: CreateHmacArgs
+    args: CreateHmacArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<CreateHmacResult> {
     const key = this.keyDeriver.deriveSymmetricKey(
       args.protocolID,
@@ -165,7 +171,8 @@ export class ProtoWallet {
   }
 
   async verifyHmac (
-    args: VerifyHmacArgs
+    args: VerifyHmacArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<VerifyHmacResult> {
     const key = this.keyDeriver.deriveSymmetricKey(
       args.protocolID,
@@ -182,7 +189,8 @@ export class ProtoWallet {
   }
 
   async createSignature (
-    args: CreateSignatureArgs
+    args: CreateSignatureArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<CreateSignatureResult> {
     if (!args.hashToDirectlySign && !args.data) {
       throw new Error('args.data or args.hashToDirectlySign must be valid')
@@ -197,7 +205,8 @@ export class ProtoWallet {
   }
 
   async verifySignature (
-    args: VerifySignatureArgs
+    args: VerifySignatureArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
   ): Promise<VerifySignatureResult> {
     if (!args.hashToDirectlyVerify && !args.data) {
       throw new Error('args.data or args.hashToDirectlyVerify must be valid')