@bsv/sdk 1.3.5 → 1.3.7

package/src/auth/certificates/__tests/Certificate.test.ts

@@ -1,5 +1,5 @@
 import { Certificate } from '../../../../dist/cjs/src/auth/index.js'
-import { ProtoWallet } from '../../../../dist/cjs/src/wallet/index.js'
+import { CompletedProtoWallet } from '../../../../dist/cjs/src/auth/certificates/__tests/CompletedProtoWallet.js'
 import { Utils, PrivateKey } from '../../../../dist/cjs/src/primitives/index.js'
 
 describe('Certificate', () => {
@@ -73,7 +73,7 @@ describe('Certificate', () => {
     )
 
     // Sign the certificate
-    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    const certifierWallet = new CompletedProtoWallet(sampleCertifierPrivateKey)
     await certificate.sign(certifierWallet)
 
     const serialized = certificate.toBinary(true) // Include signature
@@ -100,7 +100,7 @@ describe('Certificate', () => {
     )
 
     // Sign the certificate
-    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    const certifierWallet = new CompletedProtoWallet(sampleCertifierPrivateKey)
     await certificate.sign(certifierWallet)
 
     // Verify the signature
@@ -120,7 +120,7 @@ describe('Certificate', () => {
     )
 
     // Sign the certificate
-    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    const certifierWallet = new CompletedProtoWallet(sampleCertifierPrivateKey)
     await certificate.sign(certifierWallet)
 
     // Tamper with the certificate (modify a field)
@@ -172,7 +172,7 @@ describe('Certificate', () => {
     )
 
     // Sign the certificate
-    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    const certifierWallet = new CompletedProtoWallet(sampleCertifierPrivateKey)
     await certificate.sign(certifierWallet)
 
     // Serialize and deserialize
@@ -223,7 +223,7 @@ describe('Certificate', () => {
     )
 
     // Sign the certificate
-    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    const certifierWallet = new CompletedProtoWallet(sampleCertifierPrivateKey)
     await certificate.sign(certifierWallet)
 
     // Serialize and deserialize
@@ -266,7 +266,7 @@ describe('Certificate', () => {
     )
 
     // Sign the certificate
-    const certifierWallet = new ProtoWallet(sampleCertifierPrivateKey)
+    const certifierWallet = new CompletedProtoWallet(sampleCertifierPrivateKey)
     await certificate.sign(certifierWallet)
 
     // Serialize and deserialize
@@ -279,4 +279,42 @@ describe('Certificate', () => {
     const isValid = await deserializedCertificate.verify()
     expect(isValid).toBe(true)
   })
+
+  it('should throw if already signed, and should update the certifier field if it differs from the wallet\'s public key', async () => {
+    // Scenario 1: Certificate already has a signature
+    const preSignedCertificate = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      sampleCertifierPubKey, // We'll pretend this was signed by them
+      sampleRevocationOutpoint,
+      sampleFields,
+      'deadbeef' // Already has a placeholder signature
+    )
+    const certifierWallet = new CompletedProtoWallet(sampleCertifierPrivateKey)
+
+    // Trying to sign again should throw
+    await expect(preSignedCertificate.sign(certifierWallet)).rejects.toThrow(
+      'Certificate has already been signed!'
+    )
+
+    // Scenario 2: The certifier property is set to something different from the wallet's public key
+    const mismatchedCertifierPubKey = PrivateKey.fromRandom().toPublicKey().toString()
+    const certificateWithMismatch = new Certificate(
+      sampleType,
+      sampleSerialNumber,
+      sampleSubjectPubKey,
+      mismatchedCertifierPubKey, // Different from actual wallet key
+      sampleRevocationOutpoint,
+      sampleFields
+    )
+
+    // Sign the certificate; it should automatically update
+    // the certifier field to match the wallet's actual public key
+    const certifierPubKey = ((await certifierWallet.getPublicKey({ identityKey: true })).publicKey)
+    await certificateWithMismatch.sign(certifierWallet)
+    expect(certificateWithMismatch.certifier).toBe(certifierPubKey)
+    expect(await certificateWithMismatch.verify()).toBe(true)
+  })
+
 })

package/src/auth/certificates/__tests/CompletedProtoWallet.ts

@@ -0,0 +1,101 @@
+import { PrivateKey } from "mod.js"
+import { ProtoWallet, Wallet, CreateActionArgs, OriginatorDomainNameStringUnder250Bytes, CreateActionResult, SignActionArgs, SignActionResult, AbortActionArgs, AbortActionResult, ListActionsArgs, ListActionsResult, InternalizeActionArgs, InternalizeActionResult, ListOutputsArgs, ListOutputsResult, RelinquishOutputArgs, RelinquishOutputResult, AcquireCertificateArgs, AcquireCertificateResult, ListCertificatesArgs, ListCertificatesResult, ProveCertificateArgs, ProveCertificateResult, RelinquishCertificateArgs, RelinquishCertificateResult, DiscoverByIdentityKeyArgs, DiscoverCertificatesResult, DiscoverByAttributesArgs, GetHeightResult, GetHeaderArgs, GetHeaderResult, KeyDeriverApi, KeyDeriver, GetPublicKeyArgs, GetPublicKeyResult, PubKeyHex } from "../../../wallet/index.js"
+
+// Test Mock wallet which extends ProtoWallet but still implements Wallet interface
+// Unsupported methods throw
+export class CompletedProtoWallet extends ProtoWallet implements Wallet {
+  constructor(rootKeyOrKeyDeriver: PrivateKey | 'anyone' | KeyDeriverApi) {
+    super(rootKeyOrKeyDeriver)
+    if (typeof rootKeyOrKeyDeriver['identityKey'] !== 'string') {
+      rootKeyOrKeyDeriver = new KeyDeriver(rootKeyOrKeyDeriver as PrivateKey | 'anyone')
+    }
+    this.keyDeriver = rootKeyOrKeyDeriver as KeyDeriver
+  }
+
+  async getPublicKey(
+    args: GetPublicKeyArgs,
+    originator?: OriginatorDomainNameStringUnder250Bytes
+  ): Promise<{ publicKey: PubKeyHex }> {
+    if (args.privileged) {
+      throw new Error('no privilege support')
+    }
+    if (args.identityKey) {
+      return { publicKey: this.keyDeriver.rootKey.toPublicKey().toString() }
+    } else {
+      if (!args.protocolID || !args.keyID) {
+        throw new Error('protocolID and keyID are required if identityKey is false or undefined.')
+      }
+      return {
+        publicKey: this.keyDeriver
+          .derivePublicKey(
+            args.protocolID,
+            args.keyID,
+            args.counterparty || 'self',
+            args.forSelf
+          )
+          .toString()
+      }
+    }
+  }
+
+  async createAction(args: CreateActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<CreateActionResult> {
+    throw new Error("not implemented")
+  }
+  async signAction(args: SignActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<SignActionResult> {
+    throw new Error("not implemented")
+  }
+  async abortAction(args: AbortActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<AbortActionResult> {
+    throw new Error("not implemented")
+  }
+  async listActions(args: ListActionsArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<ListActionsResult> {
+    throw new Error("not implemented")
+  }
+  async internalizeAction(args: InternalizeActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<InternalizeActionResult> {
+    throw new Error("not implemented")
+  }
+  async listOutputs(args: ListOutputsArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<ListOutputsResult> {
+    throw new Error("not implemented")
+  }
+  async relinquishOutput(args: RelinquishOutputArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<RelinquishOutputResult> {
+    throw new Error("not implemented")
+  }
+  async acquireCertificate(args: AcquireCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<AcquireCertificateResult> {
+    throw new Error("not implemented")
+  }
+  async listCertificates(args: ListCertificatesArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<ListCertificatesResult> {
+    throw new Error("not implemented")
+  }
+  async proveCertificate(args: ProveCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<ProveCertificateResult> {
+    throw new Error("not implemented")
+  }
+  async relinquishCertificate(args: RelinquishCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<RelinquishCertificateResult> {
+    throw new Error("not implemented")
+  }
+  async discoverByIdentityKey(args: DiscoverByIdentityKeyArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<DiscoverCertificatesResult> {
+    throw new Error("not implemented")
+  }
+  async discoverByAttributes(args: DiscoverByAttributesArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<DiscoverCertificatesResult> {
+    throw new Error("not implemented")
+  }
+  async getHeight(args: {}, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<GetHeightResult> {
+    throw new Error("not implemented")
+  }
+  async getHeaderForHeight(args: GetHeaderArgs, originator?: OriginatorDomainNameStringUnder250Bytes)
+    : Promise<GetHeaderResult> {
+    throw new Error("not implemented")
+  }
+}

package/src/auth/certificates/__tests/MasterCertificate.test.ts

@@ -0,0 +1,273 @@
+import { MasterCertificate } from '../../../../dist/cjs/src/auth/certificates/MasterCertificate.js'
+import { VerifiableCertificate } from '../../../../dist/cjs/src/auth/certificates/VerifiableCertificate.js'
+import { PrivateKey, SymmetricKey, Utils, Random } from '../../../../dist/cjs/src/primitives/index.js'
+import { CompletedProtoWallet } from '../../../../dist/cjs/src/auth/certificates/__tests/CompletedProtoWallet.js'
+
+describe('MasterCertificate', () => {
+  const subjectPrivateKey = PrivateKey.fromRandom()
+  const certifierPrivateKey = PrivateKey.fromRandom()
+
+  // A mock revocation outpoint for testing
+  const mockRevocationOutpoint = 'deadbeefdeadbeefdeadbeefdeadbeef00000000000000000000000000000000.1'
+
+  // Arbitrary certificate data (in plaintext)
+  const plaintextFields = {
+    name: 'Alice',
+    email: 'alice@example.com',
+    department: 'Engineering'
+  }
+
+  const subjectWallet = new CompletedProtoWallet(subjectPrivateKey)
+  const certifierWallet = new CompletedProtoWallet(certifierPrivateKey)
+  let subjectPubKey, certifierPubKey
+
+  beforeAll(async () => {
+    subjectPubKey = (await subjectWallet.getPublicKey({ identityKey: true })).publicKey
+    certifierPubKey = (await certifierWallet.getPublicKey({ identityKey: true })).publicKey
+  })
+
+  describe('constructor', () => {
+    it('should construct a MasterCertificate successfully when masterKeyring is valid', () => {
+      // Prepare a minimal valid MasterCertificate
+      const fieldSymKey = SymmetricKey.fromRandom()
+      const encryptedFieldValue = Utils.toBase64(
+        fieldSymKey.encrypt(Utils.toArray('Alice', 'utf8')) as number[]
+      )
+
+      const encryptedKeyForSubject = Utils.toBase64([0, 1, 2, 3])
+      // We assume we have the same fieldName in both `fields` and `masterKeyring`.
+      const fields = { name: encryptedFieldValue }
+      const masterKeyring = { name: encryptedKeyForSubject }
+
+      const certificate = new MasterCertificate(
+        Utils.toBase64(Random(16)), // type
+        Utils.toBase64(Random(16)), // serialNumber
+        subjectPubKey,
+        certifierPubKey,
+        mockRevocationOutpoint,
+        fields,
+        masterKeyring
+      )
+
+      expect(certificate).toBeInstanceOf(MasterCertificate)
+      expect(certificate.fields).toEqual(fields)
+      expect(certificate.masterKeyring).toEqual(masterKeyring)
+      expect(certificate.subject).toEqual(subjectPubKey)
+      expect(certificate.certifier).toEqual(certifierPubKey)
+    })
+
+    it('should throw if masterKeyring is missing a key for any field', () => {
+      const fields = { name: 'encrypted_value' }
+      const masterKeyring = {} // intentionally empty
+
+      expect(() => {
+        new MasterCertificate(
+          Utils.toBase64(Random(16)), // type
+          Utils.toBase64(Random(16)), // serialNumber
+          subjectPubKey,
+          certifierPubKey,
+          mockRevocationOutpoint,
+          fields,
+          masterKeyring
+        )
+      }).toThrowError(/Master keyring must contain a value for every field/)
+    })
+  })
+
+  describe('decryptFields', () => {
+    it('should decrypt all fields correctly using subject wallet', async () => {
+      // Issue a certificate for the subject, which includes a valid masterKeyring
+      const certificate = await MasterCertificate.issueCertificateForSubject(
+        certifierWallet,
+        subjectPubKey,
+        plaintextFields,
+        'TEST_CERT'
+      )
+
+      // Now subject should be able to decrypt all fields
+      const decrypted = await certificate.decryptFields(subjectWallet)
+      expect(decrypted).toEqual(plaintextFields)
+    })
+
+    it('should throw if masterKeyring is empty or invalid', async () => {
+      // Manually create a MasterCertificate with an empty masterKeyring
+      expect(() => new MasterCertificate(
+        Utils.toBase64(Random(16)),
+        Utils.toBase64(Random(16)),
+        subjectPubKey,
+        certifierPubKey,
+        mockRevocationOutpoint,
+        { name: Utils.toBase64([1, 2, 3]) },
+        {}
+      )).toThrow("Master keyring must contain a value for every field. Missing key for field: \"name\"");
+    })
+
+    it('should throw if decryption fails for any field', async () => {
+      // Manually craft a scenario where the key is incorrect
+      const badKeyMasterKeyring = Utils.toBase64([9, 9, 9, 9]) // Not the correct key
+      const badKeyCertificate = new MasterCertificate(
+        Utils.toBase64(Random(16)),
+        Utils.toBase64(Random(16)),
+        subjectPubKey,
+        certifierPubKey,
+        mockRevocationOutpoint,
+        {
+          name: Utils.toBase64(SymmetricKey.fromRandom().encrypt(Utils.toArray('Alice', 'utf8')) as number[])
+        },
+        { name: badKeyMasterKeyring }
+      )
+
+      await expect(badKeyCertificate.decryptFields(subjectWallet))
+        .rejects
+        .toThrow('Failed to decrypt all master certificate fields.')
+    })
+  })
+
+  describe('createKeyringForVerifier', () => {
+    const verifierPrivateKey = PrivateKey.fromRandom()
+    const verifierWallet = new CompletedProtoWallet(verifierPrivateKey)
+    let verifierPubKey
+
+    let issuedCert: MasterCertificate
+
+    beforeAll(async () => {
+      verifierPubKey = (await verifierWallet.getPublicKey({ identityKey: true })).publicKey
+      issuedCert = await MasterCertificate.issueCertificateForSubject(
+        certifierWallet,
+        subjectPubKey,
+        plaintextFields,
+        'TEST_CERT'
+      )
+    })
+
+    it('should create a verifier keyring for specified fields', async () => {
+      // We only want to share "name" with the verifier
+      const fieldsToReveal = ['name']
+      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+        subjectWallet,
+        verifierPubKey,
+        fieldsToReveal
+      )
+
+      // The new keyring should only contain "name"
+      expect(Object.keys(keyringForVerifier)).toHaveLength(1)
+      expect(keyringForVerifier).toHaveProperty('name')
+
+      // Now let's create a VerifiableCertificate for the verifier
+      const verifiableCert = new VerifiableCertificate(
+        issuedCert.type,
+        issuedCert.serialNumber,
+        issuedCert.subject,
+        issuedCert.certifier,
+        issuedCert.revocationOutpoint,
+        issuedCert.fields,
+        issuedCert.signature,
+        keyringForVerifier
+      )
+
+      // The verifier should successfully decrypt the "name" field
+      const decrypted = await verifiableCert.decryptFields(verifierWallet)
+      expect(decrypted).toEqual({ name: plaintextFields.name })
+    })
+
+    it('should throw if fields to reveal are not subset of the certificate fields', async () => {
+      await expect(
+        issuedCert.createKeyringForVerifier(subjectWallet, verifierPubKey, ['nonexistent_field'])
+      ).rejects.toThrow(
+        /Fields to reveal must be a subset of the certificate fields\. Missing the "nonexistent_field" field\./
+      )
+    })
+
+    it('should throw if the master key fails to decrypt the corresponding field', async () => {
+      // We'll tamper the certificate's masterKeyring so that a field key is invalid
+      const tamperedCert = new MasterCertificate(
+        issuedCert.type,
+        issuedCert.serialNumber,
+        issuedCert.subject,
+        issuedCert.certifier,
+        issuedCert.revocationOutpoint,
+        issuedCert.fields,
+        {
+          // Tamper: replace 'name' field with nonsense
+          name: Utils.toBase64([66, 66, 66]),
+          email: issuedCert.masterKeyring.email,
+          department: issuedCert.masterKeyring.department
+        },
+        issuedCert.signature
+      )
+
+      await expect(
+        tamperedCert.createKeyringForVerifier(subjectWallet, verifierPubKey, ['name'])
+      ).rejects.toThrow('Decryption failed!')
+    })
+
+    it('should support optional originator parameter', async () => {
+      // Just to ensure coverage for the originator-based flows
+      const fieldsToReveal = ['name']
+      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+        subjectWallet,
+        verifierPubKey,
+        fieldsToReveal,
+        'my-originator'
+      )
+      expect(keyringForVerifier).toHaveProperty('name')
+    })
+
+    it('should support counterparty of "anyone"', async () => {
+      // Create a keyring for public disclosure of selected fields.
+      const fieldsToReveal = ['name']
+      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+        subjectWallet,
+        'anyone',
+        fieldsToReveal,
+        'my-originator'
+      )
+      expect(keyringForVerifier).toHaveProperty('name')
+    })
+    it('should support counterparty of "self"', async () => {
+      const fieldsToReveal = ['name']
+      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+        subjectWallet,
+        'self',
+        fieldsToReveal,
+        'my-originator'
+      )
+      expect(keyringForVerifier).toHaveProperty('name')
+    })
+  })
+
+  describe('issueCertificateForSubject', () => {
+    it('should issue a valid MasterCertificate for the given subject', async () => {
+      const newPlaintextFields = {
+        project: 'Top Secret',
+        clearanceLevel: 'High'
+      }
+
+      const revocationFn = jest.fn().mockResolvedValue(mockRevocationOutpoint)
+
+      const newCert = await MasterCertificate.issueCertificateForSubject(
+        certifierWallet,
+        subjectPubKey,
+        newPlaintextFields,
+        'TEST_CERT',
+        revocationFn,
+      )
+
+      expect(newCert).toBeInstanceOf(MasterCertificate)
+      // The certificate's fields should be encrypted base64
+      for (const fieldName in newPlaintextFields) {
+        expect(newCert.fields[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/) // base64 check
+      }
+      // The masterKeyring should also contain base64 strings
+      for (const fieldName in newPlaintextFields) {
+        expect(newCert.masterKeyring[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/)
+      }
+      // Check revocation outpoint is from mock
+      expect(newCert.revocationOutpoint).toEqual(mockRevocationOutpoint)
+      // Check we have a signature
+      expect(newCert.signature).toBeDefined()
+      // Check that the revocationFn were called
+      expect(revocationFn).toHaveBeenCalledWith(newCert.serialNumber)
+    })
+  })
+})

package/src/auth/certificates/__tests/VerifiableCertificate.test.ts

@@ -0,0 +1,117 @@
+import { VerifiableCertificate } from '../../../../dist/cjs/src/auth/certificates/VerifiableCertificate.js'
+import { PrivateKey, SymmetricKey, Utils } from '../../../../dist/cjs/src/primitives/index.js'
+import { CompletedProtoWallet } from '../../../../dist/cjs/src/auth/certificates/__tests/CompletedProtoWallet.js'
+import { Certificate } from '../../../../dist/cjs/src/auth/certificates/index.js'
+
+describe('VerifiableCertificate', () => {
+  const subjectPrivateKey = PrivateKey.fromRandom()
+  const subjectPubKey = subjectPrivateKey.toPublicKey().toString()
+  const certifierPrivateKey = PrivateKey.fromRandom()
+  const certifierPubKey = certifierPrivateKey.toPublicKey().toString()
+  const verifierPrivateKey = PrivateKey.fromRandom()
+  const verifierPubKey = verifierPrivateKey.toPublicKey().toString()
+
+  const subjectWallet = new CompletedProtoWallet(subjectPrivateKey)
+  const verifierWallet = new CompletedProtoWallet(verifierPrivateKey)
+
+  const sampleType = Utils.toBase64(new Array(32).fill(1))
+  const sampleSerialNumber = Utils.toBase64(new Array(32).fill(2))
+  const sampleRevocationOutpoint = 'deadbeefdeadbeefdeadbeefdeadbeef00000000000000000000000000000000.1'
+
+  const plaintextFields = {
+    name: 'Alice',
+    email: 'alice@example.com',
+    organization: 'Example Corp'
+  }
+
+  let verifiableCert: VerifiableCertificate
+
+  beforeEach(async () => {
+    // For each test, we'll build a fresh VerifiableCertificate with valid encryption
+    const certificateFields = {}
+    const keyring = {}
+
+    for (const fieldName in plaintextFields) {
+      // Generate a random field symmetric key
+      const fieldSymKey = SymmetricKey.fromRandom()
+      // Encrypt the field's plaintext
+      const encryptedFieldValue = fieldSymKey.encrypt(Utils.toArray(plaintextFields[fieldName], 'utf8'))
+      certificateFields[fieldName] = Utils.toBase64(encryptedFieldValue as number[])
+
+      // Now encrypt the fieldSymKey for the verifier
+      const { ciphertext: encryptedRevelationKey } = await subjectWallet.encrypt({
+        plaintext: fieldSymKey.toArray(),
+        ...Certificate.getCertificateFieldEncryptionDetails(sampleSerialNumber, fieldName),
+        counterparty: verifierPubKey
+      })
+      keyring[fieldName] = Utils.toBase64(encryptedRevelationKey)
+    }
+
+    verifiableCert = new VerifiableCertificate(
+      sampleType,
+      sampleSerialNumber,
+      subjectPubKey,
+      certifierPubKey,
+      sampleRevocationOutpoint,
+      certificateFields,
+      undefined, // signature
+      keyring
+    )
+  })
+
+  describe('constructor', () => {
+    it('should create a VerifiableCertificate with all required properties', () => {
+      expect(verifiableCert).toBeInstanceOf(VerifiableCertificate)
+      expect(verifiableCert.type).toEqual(sampleType)
+      expect(verifiableCert.serialNumber).toEqual(sampleSerialNumber)
+      expect(verifiableCert.subject).toEqual(subjectPubKey)
+      expect(verifiableCert.certifier).toEqual(certifierPubKey)
+      expect(verifiableCert.revocationOutpoint).toEqual(sampleRevocationOutpoint)
+      expect(verifiableCert.fields).toBeDefined()
+      expect(verifiableCert.keyring).toBeDefined()
+    })
+  })
+
+  describe('decryptFields', () => {
+    it('should decrypt fields successfully when provided the correct verifier wallet and keyring', async () => {
+      const decrypted = await verifiableCert.decryptFields(verifierWallet)
+      expect(decrypted).toEqual(plaintextFields)
+    })
+
+    it('should fail if the verifier wallet does not have the correct private key (wrong key)', async () => {
+      const wrongPrivateKey = PrivateKey.fromRandom()
+      const wrongWallet = new CompletedProtoWallet(wrongPrivateKey)
+
+      await expect(verifiableCert.decryptFields(wrongWallet)).rejects.toThrow(
+        /Failed to decrypt selectively revealed certificate fields using keyring/
+      )
+    })
+
+    it('should fail if the keyring is empty or missing keys', async () => {
+      // Create a new VerifiableCertificate but with an empty keyring
+      const fields = verifiableCert.fields
+      const emptyKeyringCert = new VerifiableCertificate(
+        verifiableCert.type,
+        verifiableCert.serialNumber,
+        verifiableCert.subject,
+        verifiableCert.certifier,
+        verifiableCert.revocationOutpoint,
+        fields,
+        verifiableCert.signature,
+        {} // empty
+      )
+
+      await expect(emptyKeyringCert.decryptFields(verifierWallet)).rejects.toThrow(
+        'A keyring is required to decrypt certificate fields for the verifier.'
+      )
+    })
+
+    it('should fail if the encrypted field or its key is tampered', async () => {
+      // Tamper the keyring so it doesn't match the field encryption
+      verifiableCert.keyring.name = Utils.toBase64([9, 9, 9, 9])
+      await expect(verifiableCert.decryptFields(verifierWallet)).rejects.toThrow(
+        /Failed to decrypt selectively revealed certificate fields using keyring/
+      )
+    })
+  })
+})

package/src/auth/certificates/index.ts

@@ -1,3 +1,4 @@
 export { default as Certificate } from './Certificate.js'
 export * from './MasterCertificate.js'
-export * from './VerifiableCertificate.js'
+export * from './VerifiableCertificate.js'
+export * from './__tests/CompletedProtoWallet.js'

package/src/auth/utils/index.ts

@@ -2,4 +2,3 @@ export * from './verifyNonce.js'
 export * from './createNonce.js'
 export * from './getVerifiableCertificates.js'
 export * from './validateCertificates.js'
-export * from './certificateHelpers.js'

package/src/transaction/Beef.ts

@@ -716,5 +716,3 @@ export class Beef {
     }
   }
 }
-
-export default Beef

package/src/transaction/__tests/Beef.test.ts

@@ -1,7 +1,7 @@
 // The following imports allow flag a large number type checking errors by the VsCode editor due to missing type information:
 import BeefTx from "../../../dist/cjs/src/transaction/BeefTx"
 import BeefParty from "../../../dist/cjs/src/transaction/BeefParty"
-import Beef, { BEEF_V1, BEEF_V2 } from "../../../dist/cjs/src/transaction/Beef"
+import { Beef, BEEF_V1, BEEF_V2 } from "../../../dist/cjs/src/transaction/Beef"
 import Transaction from "../../../dist/cjs/src/transaction/Transaction"
 import { fromBase58 } from '../../../dist/cjs/src/primitives/utils'
 

package/src/transaction/index.ts

@@ -6,5 +6,5 @@ export type { Broadcaster, BroadcastFailure, BroadcastResponse } from './Broadca
 export { isBroadcastResponse, isBroadcastFailure } from './Broadcaster.js'
 export type { default as ChainTracker } from './ChainTracker.js'
 export { default as BeefTx } from './BeefTx.js'
-export { default as Beef } from './Beef.js'
+export * from './Beef.js'
 export { default as BeefParty } from './BeefParty.js'

package/src/wallet/CachedKeyDeriver.ts

@@ -24,7 +24,6 @@ export default class CachedKeyDeriver {
     this.maxCacheSize = options?.maxCacheSize || 1000
   }
 
-
   /**
      * Derives a public key based on protocol ID, key ID, and counterparty.
      * Caches the result for future calls with the same parameters.
@@ -188,7 +187,7 @@ export default class CachedKeyDeriver {
     if (this.cache.size >= this.maxCacheSize) {
       // Evict the least recently used item (first item in Map)
       const firstKey = this.cache.keys().next().value
-      this.cache.delete(firstKey!)
+      this.cache.delete(firstKey)
     }
     this.cache.set(cacheKey, value)
   }