@bsv/sdk 1.3.9 → 1.3.11

package/docs/auth.md

@@ -212,7 +212,7 @@ export default class Certificate {
     subject: PubKeyHex;
     certifier: PubKeyHex;
     revocationOutpoint: OutpointString;
-    fields: Record<CertificateFieldNameUnder50Bytes, string>;
+    fields: Record<CertificateFieldNameUnder50Bytes, Base64String>;
     signature?: HexString;
     constructor(type: Base64String, serialNumber: Base64String, subject: PubKeyHex, certifier: PubKeyHex, revocationOutpoint: OutpointString, fields: Record<CertificateFieldNameUnder50Bytes, string>, signature?: HexString) 
     toBinary(includeSignature: boolean = true): number[] 
@@ -269,12 +269,12 @@ See also: [PubKeyHex](#type-pubkeyhex)
 
 #### Property fields
 
-All the fields present in the certificate, with field names as keys and field values as strings.
+All the fields present in the certificate, with field names as keys and encrypted field values as Base64 strings.
 
 ```ts
-fields: Record<CertificateFieldNameUnder50Bytes, string>
+fields: Record<CertificateFieldNameUnder50Bytes, Base64String>
 ```
-See also: [CertificateFieldNameUnder50Bytes](#type-certificatefieldnameunder50bytes)
+See also: [Base64String](#type-base64string), [CertificateFieldNameUnder50Bytes](#type-certificatefieldnameunder50bytes)
 
 #### Property revocationOutpoint
 
@@ -466,9 +466,10 @@ export class MasterCertificate extends Certificate {
     declare signature?: HexString;
     masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>;
     constructor(type: Base64String, serialNumber: Base64String, subject: PubKeyHex, certifier: PubKeyHex, revocationOutpoint: OutpointString, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, signature?: HexString) 
-    async decryptFields(subjectWallet: WalletInterface): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
-    async createKeyringForVerifier(subjectWallet: WalletInterface, verifier: WalletCounterparty, fieldsToReveal: string[], originator?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
-    static async issueCertificateForSubject(certifierWallet: WalletInterface, subject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>, certificateType: string, getRevocationOutpoint = async (serialNumber: string): Promise<string> => { return "Certificate revocation not tracked."; }): Promise<MasterCertificate> 
+    static async createCertificateFields(creatorWallet: WalletInterface, certifierOrSubject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>): Promise<CreateCertificateFieldsResult> 
+    static async createKeyringForVerifier(subjectWallet: WalletInterface, certifier: WalletCounterparty, verifier: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, fieldsToReveal: string[], masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, serialNumber: Base64String, originator?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+    static async issueCertificateForSubject(certifierWallet: WalletInterface, subject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>, certificateType: string, getRevocationOutpoint = async (serialNumber: string): Promise<string> => { return "Certificate revocation not tracked."; }, serialNumber?: string): Promise<MasterCertificate> 
+    static async decryptFields(subjectOrCertifierWallet: WalletInterface, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, counterparty: WalletCounterparty): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
 }
 ```
 
@@ -478,6 +479,34 @@ See also: [Base64String](#type-base64string), [Certificate](#class-certificate),
 
 <summary>Class MasterCertificate Details</summary>
 
+#### Method createCertificateFields
+
+Encrypts certificate fields for a subject and generates a master keyring.
+This method returns a master keyring tied to a specific certifier or subject who will validate
+and sign off on the fields, along with the encrypted certificate fields.
+
+```ts
+static async createCertificateFields(creatorWallet: WalletInterface, certifierOrSubject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>): Promise<CreateCertificateFieldsResult> 
+```
+See also: [CertificateFieldNameUnder50Bytes](#type-certificatefieldnameunder50bytes), [WalletCounterparty](#type-walletcounterparty), [WalletInterface](#interface-walletinterface)
+
+Returns
+
+A promise resolving to an object containing:
+- `certificateFields` {Record<CertificateFieldNameUnder50Bytes, Base64String>}:
+The encrypted certificate fields.
+- `masterKeyring` {Record<CertificateFieldNameUnder50Bytes, Base64String>}:
+The master keyring containing encrypted revelation keys for each field.
+
+Argument Details
+
++ **creatorWallet**
+  + The wallet of the creator responsible for encrypting the fields.
++ **certifierOrSubject**
+  + The certifier or subject who will validate the certificate fields.
++ **fields**
+  + A record of certificate field names (under 50 bytes) mapped to their values.
+
 #### Method createKeyringForVerifier
 
 Creates a keyring for a verifier, enabling them to decrypt specific certificate fields.
@@ -486,9 +515,9 @@ for the verifier's identity key. The result is a keyring containing the keys nec
 for the verifier to access the designated fields.
 
 ```ts
-async createKeyringForVerifier(subjectWallet: WalletInterface, verifier: WalletCounterparty, fieldsToReveal: string[], originator?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+static async createKeyringForVerifier(subjectWallet: WalletInterface, certifier: WalletCounterparty, verifier: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, fieldsToReveal: string[], masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, serialNumber: Base64String, originator?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
 ```
-See also: [CertificateFieldNameUnder50Bytes](#type-certificatefieldnameunder50bytes), [WalletCounterparty](#type-walletcounterparty), [WalletInterface](#interface-walletinterface)
+See also: [Base64String](#type-base64string), [CertificateFieldNameUnder50Bytes](#type-certificatefieldnameunder50bytes), [WalletCounterparty](#type-walletcounterparty), [WalletInterface](#interface-walletinterface)
 
 Returns
 
@@ -514,24 +543,33 @@ Throws an error if:
 
 #### Method decryptFields
 
-Decrypts all fields in the MasterCertificate using the subject's wallet.
+Decrypts all fields in the MasterCertificate using the subject's or certifier's wallet.
 
-This method uses the `masterKeyring` to decrypt each field's encryption key and then
-decrypts the field values. The result is a record of plaintext field names and values.
+This method allows the subject or certifier to decrypt the `masterKeyring` and retrieve
+the encryption keys for each field, which are then used to decrypt the corresponding field values.
+The counterparty used for decryption depends on how the certificate fields were created:
+- If the certificate is self-signed, the counterparty should be set to 'self'.
+- Otherwise, the counterparty should always be the other party involved in the certificate issuance process (the subject or certifier).
 
 ```ts
-async decryptFields(subjectWallet: WalletInterface): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+static async decryptFields(subjectOrCertifierWallet: WalletInterface, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, counterparty: WalletCounterparty): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
 ```
-See also: [CertificateFieldNameUnder50Bytes](#type-certificatefieldnameunder50bytes), [WalletInterface](#interface-walletinterface)
+See also: [Base64String](#type-base64string), [CertificateFieldNameUnder50Bytes](#type-certificatefieldnameunder50bytes), [WalletCounterparty](#type-walletcounterparty), [WalletInterface](#interface-walletinterface)
 
 Returns
 
-- A record of field names and their decrypted values in plaintext.
+A promise resolving to a record of field names and their decrypted values in plaintext.
 
 Argument Details
 
-+ **subjectWallet**
-  + The wallet of the subject, used to decrypt the master keyring and field values.
++ **subjectOrCertifierWallet**
+  + The wallet of the subject or certifier, used to decrypt the master keyring and field values.
++ **masterKeyring**
+  + A record containing encrypted keys for each field.
++ **fields**
+  + A record of encrypted field names and their values.
++ **counterparty**
+  + The counterparty responsible for creating or signing the certificate. For self-signed certificates, use 'self'.
 
 Throws
 
@@ -547,7 +585,7 @@ generated symmetric key, which is then encrypted for the subject. The certificat
 can also includes a revocation outpoint to manage potential revocation.
 
 ```ts
-static async issueCertificateForSubject(certifierWallet: WalletInterface, subject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>, certificateType: string, getRevocationOutpoint = async (serialNumber: string): Promise<string> => { return "Certificate revocation not tracked."; }): Promise<MasterCertificate> 
+static async issueCertificateForSubject(certifierWallet: WalletInterface, subject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>, certificateType: string, getRevocationOutpoint = async (serialNumber: string): Promise<string> => { return "Certificate revocation not tracked."; }, serialNumber?: string): Promise<MasterCertificate> 
 ```
 See also: [CertificateFieldNameUnder50Bytes](#type-certificatefieldnameunder50bytes), [MasterCertificate](#class-mastercertificate), [WalletCounterparty](#type-walletcounterparty), [WalletInterface](#interface-walletinterface)
 
@@ -1078,7 +1116,7 @@ export class VerifiableCertificate extends Certificate {
     declare signature?: HexString;
     keyring: Record<CertificateFieldNameUnder50Bytes, string>;
     decryptedFields?: Record<CertificateFieldNameUnder50Bytes, Base64String>;
-    constructor(type: Base64String, serialNumber: Base64String, subject: PubKeyHex, certifier: PubKeyHex, revocationOutpoint: OutpointString, fields: Record<CertificateFieldNameUnder50Bytes, string>, signature?: HexString, keyring?: Record<CertificateFieldNameUnder50Bytes, string>, decryptedFields?: Record<CertificateFieldNameUnder50Bytes, Base64String>) 
+    constructor(type: Base64String, serialNumber: Base64String, subject: PubKeyHex, certifier: PubKeyHex, revocationOutpoint: OutpointString, fields: Record<CertificateFieldNameUnder50Bytes, string>, keyring: Record<CertificateFieldNameUnder50Bytes, string>, signature?: HexString, decryptedFields?: Record<CertificateFieldNameUnder50Bytes, Base64String>) 
     async decryptFields(verifierWallet: WalletInterface): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
 }
 ```
@@ -1129,13 +1167,13 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 
 ### Function: createNonce
 
-Creates a nonce derived from a privateKey
+Creates a nonce derived from a wallet
 
 ```ts
-export async function createNonce(wallet: WalletInterface): Promise<string> 
+export async function createNonce(wallet: WalletInterface, counterparty: WalletCounterparty = "self"): Promise<string> 
 ```
 
-See also: [WalletInterface](#interface-walletinterface)
+See also: [WalletCounterparty](#type-walletcounterparty), [WalletInterface](#interface-walletinterface)
 
 <details>
 
@@ -1145,6 +1183,11 @@ Returns
 
 A random nonce derived with a wallet
 
+Argument Details
+
++ **counterparty**
+  + The counterparty to the nonce creation. Defaults to 'self'.
+
 </details>
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Enums](#enums), [Variables](#variables)
@@ -1155,10 +1198,10 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 Verifies a nonce derived from a wallet
 
 ```ts
-export async function verifyNonce(nonce: string, wallet: WalletInterface): Promise<boolean> 
+export async function verifyNonce(nonce: string, wallet: WalletInterface, counterparty: WalletCounterparty = "self"): Promise<boolean> 
 ```
 
-See also: [WalletInterface](#interface-walletinterface)
+See also: [WalletCounterparty](#type-walletcounterparty), [WalletInterface](#interface-walletinterface)
 
 <details>
 
@@ -1172,6 +1215,8 @@ Argument Details
 
 + **nonce**
   + A nonce to verify as a base64 string.
++ **counterparty**
+  + The counterparty to the nonce creation. Defaults to 'self'.
 
 </details>
 
@@ -1207,7 +1252,7 @@ getVerifiableCertificates = async (wallet: WalletInterface, requestedCertificate
             fieldsToReveal: requestedCertificates.types[certificate.type],
             verifier: verifierIdentityKey
         });
-        return new VerifiableCertificate(certificate.type, certificate.serialNumber, certificate.subject, certificate.certifier, certificate.revocationOutpoint, certificate.fields, certificate.signature, keyringForVerifier);
+        return new VerifiableCertificate(certificate.type, certificate.serialNumber, certificate.subject, certificate.certifier, certificate.revocationOutpoint, certificate.fields, keyringForVerifier, certificate.signature);
     }));
 }
 ```
@@ -1225,7 +1270,7 @@ validateCertificates = async (verifierWallet: WalletInterface, message: AuthMess
         if (incomingCert.subject !== message.identityKey) {
             throw new Error(`The subject of one of your certificates ("${incomingCert.subject}") is not the same as the request sender ("${message.identityKey}").`);
         }
-        const certToVerify = new VerifiableCertificate(incomingCert.type, incomingCert.serialNumber, incomingCert.subject, incomingCert.certifier, incomingCert.revocationOutpoint, incomingCert.fields, incomingCert.signature, incomingCert.keyring);
+        const certToVerify = new VerifiableCertificate(incomingCert.type, incomingCert.serialNumber, incomingCert.subject, incomingCert.certifier, incomingCert.revocationOutpoint, incomingCert.fields, incomingCert.keyring, incomingCert.signature);
         const isValidCert = await certToVerify.verify();
         if (!isValidCert) {
             throw new Error(`The signature for the certificate with serial number ${certToVerify.serialNumber} is invalid!`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.3.9",
+  "version": "1.3.11",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",

package/src/auth/Peer.ts

@@ -39,7 +39,7 @@ export class Peer {
    * @param {SessionManager} [sessionManager] - Optional SessionManager to be used for managing peer sessions.
    * @param {boolean} [autoPersistLastSession] - Whether to auto-persist the session with the last-interacted-with peer. Defaults to true.
    */
-  constructor(
+  constructor (
     wallet: WalletInterface,
     transport: Transport,
     certificatesToRequest?: RequestedCertificateSet,
@@ -66,7 +66,7 @@ export class Peer {
    * @returns {Promise<void>}
    * @throws Will throw an error if the message fails to send.
    */
-  async toPeer(message: number[], identityKey?: string, maxWaitTime?: number): Promise<void> {
+  async toPeer (message: number[], identityKey?: string, maxWaitTime?: number): Promise<void> {
     if (this.autoPersistLastSession && this.lastInteractedWithPeer && typeof identityKey !== 'string') {
       identityKey = this.lastInteractedWithPeer
     }
@@ -111,7 +111,7 @@ export class Peer {
   * @returns {Promise<void>} Resolves if the certificate request message is successfully sent.
   * @throws Will throw an error if the peer session is not authenticated or if sending the request fails.
   */
-  async requestCertificates(certificatesToRequest: RequestedCertificateSet, identityKey?: string, maxWaitTime = 10000): Promise<void> {
+  async requestCertificates (certificatesToRequest: RequestedCertificateSet, identityKey?: string, maxWaitTime = 10000): Promise<void> {
     const peerSession = await this.getAuthenticatedSession(identityKey, maxWaitTime)
 
     // Prepare the general message
@@ -152,7 +152,7 @@ export class Peer {
    * @returns {Promise<PeerSession>} - A promise that resolves with an authenticated `PeerSession`.
    * @throws {Error} - Throws an error if the transport is not connected or if the handshake fails.
    */
-  async getAuthenticatedSession(identityKey?: string, maxWaitTime?: number): Promise<PeerSession> {
+  async getAuthenticatedSession (identityKey?: string, maxWaitTime?: number): Promise<PeerSession> {
     if (!this.transport) {
       throw new Error('Peer transport is not connected!')
     }
@@ -175,7 +175,7 @@ export class Peer {
    * @param {(senderPublicKey: string, payload: number[]) => void} callback - The function to call when a general message is received.
    * @returns {number} The ID of the callback listener.
    */
-  listenForGeneralMessages(callback: (senderPublicKey: string, payload: number[]) => void): number {
+  listenForGeneralMessages (callback: (senderPublicKey: string, payload: number[]) => void): number {
     const callbackID = this.callbackIdCounter++
     this.onGeneralMessageReceivedCallbacks.set(callbackID, callback)
     return callbackID
@@ -186,7 +186,7 @@ export class Peer {
    *
    * @param {number} callbackID - The ID of the callback to remove.
    */
-  stopListeningForGeneralMessages(callbackID: number): void {
+  stopListeningForGeneralMessages (callbackID: number): void {
     this.onGeneralMessageReceivedCallbacks.delete(callbackID)
   }
 
@@ -196,7 +196,7 @@ export class Peer {
    * @param {(certs: VerifiableCertificate[]) => void} callback - The function to call when certificates are received.
    * @returns {number} The ID of the callback listener.
    */
-  listenForCertificatesReceived(callback: (senderPublicKey: string, certs: VerifiableCertificate[]) => void): number {
+  listenForCertificatesReceived (callback: (senderPublicKey: string, certs: VerifiableCertificate[]) => void): number {
     const callbackID = this.callbackIdCounter++
     this.onCertificatesReceivedCallbacks.set(callbackID, callback)
     return callbackID
@@ -207,7 +207,7 @@ export class Peer {
    *
    * @param {number} callbackID - The ID of the certificates received callback to cancel.
    */
-  stopListeningForCertificatesReceived(callbackID: number): void {
+  stopListeningForCertificatesReceived (callbackID: number): void {
     this.onCertificatesReceivedCallbacks.delete(callbackID)
   }
 
@@ -217,7 +217,7 @@ export class Peer {
    * @param {(requestedCertificates: RequestedCertificateSet) => void} callback - The function to call when a certificate request is received
    * @returns {number} The ID of the callback listener.
    */
-  listenForCertificatesRequested(callback: (senderPublicKey: string, requestedCertificates: RequestedCertificateSet) => void): number {
+  listenForCertificatesRequested (callback: (senderPublicKey: string, requestedCertificates: RequestedCertificateSet) => void): number {
     const callbackID = this.callbackIdCounter++
     this.onCertificateRequestReceivedCallbacks.set(callbackID, callback)
     return callbackID
@@ -228,7 +228,7 @@ export class Peer {
    *
    * @param {number} callbackID - The ID of the requested certificates callback to cancel.
    */
-  stopListeningForCertificatesRequested(callbackID: number): void {
+  stopListeningForCertificatesRequested (callbackID: number): void {
     this.onCertificateRequestReceivedCallbacks.delete(callbackID)
   }
 
@@ -239,7 +239,7 @@ export class Peer {
    * @param {string} [identityKey] - The identity public key of the peer.
    * @returns {Promise<string>} A promise that resolves to the session nonce.
    */
-  private async initiateHandshake(identityKey?: string, maxWaitTime = 10000): Promise<string> {
+  private async initiateHandshake (identityKey?: string, maxWaitTime = 10000): Promise<string> {
     const sessionNonce = await createNonce(this.wallet) // Initial request nonce
     this.sessionManager.addSession({
       isAuthenticated: false,
@@ -265,7 +265,7 @@ export class Peer {
    * @param {string} sessionNonce - The session nonce created in the initial request.
    * @returns {Promise<string>} A promise that resolves with the session nonce when the initial response is received.
    */
-  private async waitForInitialResponse(sessionNonce: string, maxWaitTime = 10000): Promise<string> {
+  private async waitForInitialResponse (sessionNonce: string, maxWaitTime = 10000): Promise<string> {
     return await new Promise((resolve, reject) => {
       const callbackID = this.listenForInitialResponse(sessionNonce, (sessionNonce) => {
         clearTimeout(timeoutHandle)
@@ -288,7 +288,7 @@ export class Peer {
    * @param {(sessionNonce: string) => void} callback - The callback to invoke when the initial response is received.
    * @returns {number} The ID of the callback listener.
    */
-  private listenForInitialResponse(sessionNonce: string, callback: (sessionNonce: string) => void) {
+  private listenForInitialResponse (sessionNonce: string, callback: (sessionNonce: string) => void) {
     const callbackID = this.callbackIdCounter++
     this.onInitialResponseReceivedCallbacks.set(callbackID, { callback, sessionNonce })
     return callbackID
@@ -300,7 +300,7 @@ export class Peer {
    * @private
    * @param {number} callbackID - The ID of the callback to remove.
    */
-  private stopListeningForInitialResponses(callbackID: number) {
+  private stopListeningForInitialResponses (callbackID: number) {
     this.onInitialResponseReceivedCallbacks.delete(callbackID)
   }
 
@@ -310,7 +310,7 @@ export class Peer {
    * @param {AuthMessage} message - The incoming message to process.
    * @returns {Promise<void>}
    */
-  private async handleIncomingMessage(message: AuthMessage): Promise<void> {
+  private async handleIncomingMessage (message: AuthMessage): Promise<void> {
     if (!message.version || message.version !== AUTH_VERSION) {
       console.error(`Invalid message auth version! Received: ${message.version}, expected: ${AUTH_VERSION}`)
       return
@@ -343,7 +343,7 @@ export class Peer {
    * @param {AuthMessage} message - The incoming initial request message.
    * @returns {Promise<void>}
    */
-  async processInitialRequest(message: AuthMessage) {
+  async processInitialRequest (message: AuthMessage) {
     if (!message.identityKey || !message.initialNonce) {
       throw new Error('Missing required fields in initialResponse message.')
     }
@@ -406,7 +406,7 @@ export class Peer {
    * @returns {Promise<void>}
    * @throws Will throw an error if nonce verification or signature verification fails.
    */
-  private async processInitialResponse(message: AuthMessage) {
+  private async processInitialResponse (message: AuthMessage) {
     const validNonce = await verifyNonce(message.yourNonce, this.wallet)
     if (!validNonce) {
       throw new Error(`Initial response nonce verification failed from peer: ${message.identityKey}`)
@@ -478,7 +478,7 @@ export class Peer {
    * @param {AuthMessage} message - The certificate request message received from the peer.
    * @throws {Error} Throws an error if nonce verification fails, or the message signature is invalid.
    */
-  private async processCertificateRequest(message: AuthMessage) {
+  private async processCertificateRequest (message: AuthMessage) {
     const validNonce = await verifyNonce(message.yourNonce, this.wallet)
     if (!validNonce) {
       throw new Error(`Unable to verify nonce for certificate request message from: ${message.identityKey}`)
@@ -520,7 +520,7 @@ export class Peer {
    *
    * @throws {Error} Throws an error if the peer session could not be authenticated or if message signing fails.
    */
-  async sendCertificateResponse(
+  async sendCertificateResponse (
     verifierIdentityKey: string,
     certificates: VerifiableCertificate[]
   ) {
@@ -559,7 +559,7 @@ export class Peer {
    * @returns {Promise<void>}
    * @throws Will throw an error if nonce verification or signature verification fails.
    */
-  private async processCertificateResponse(
+  private async processCertificateResponse (
     message: AuthMessage
   ) {
     const validNonce = await verifyNonce(message.yourNonce, this.wallet)
@@ -597,7 +597,7 @@ export class Peer {
    * @returns {Promise<void>}
    * @throws Will throw an error if nonce verification or signature verification fails.
    */
-  private async processGeneralMessage(message: AuthMessage) {
+  private async processGeneralMessage (message: AuthMessage) {
     const validNonce = await verifyNonce(message.yourNonce, this.wallet)
     if (!validNonce) {
       throw new Error(`Unable to verify nonce for general message from: ${message.identityKey}`)

package/src/auth/__tests/Peer.test.ts

@@ -7,44 +7,8 @@ import { Utils, PrivateKey, SymmetricKey } from '../../../dist/cjs/src/primitive
 import { VerifiableCertificate, } from "../../../dist/cjs/src/auth/certificates/VerifiableCertificate.js"
 import { MasterCertificate } from '../../../dist/cjs/src/auth/certificates/MasterCertificate.js'
 import { getVerifiableCertificates } from '../../../dist/cjs/src/auth/utils/getVerifiableCertificates.js'
-import { Certificate } from "../../../dist/cjs/src/auth/certificates/index.js"
 jest.mock('../../../dist/cjs/src/auth/utils/getVerifiableCertificates.js')
 
-/**
- * A helper function to decrypt a VerifiableCertificate's fields using the provided wallets.
- */
-async function decryptCertificateFields(
-  cert: VerifiableCertificate,
-  localWallet: Wallet,
-  counterpartyWallet: Wallet
-): Promise<Record<string, string>> {
-  const entries = await Promise.all(
-    Object.entries(cert.keyring).map(async ([fieldName, encryptedKey]) => {
-      // Decrypt the per-field symmetric key
-      const { plaintext: masterFieldKey } = await localWallet.decrypt({
-        ciphertext: Utils.toArray(encryptedKey, 'base64'),
-        ...Certificate.getCertificateFieldEncryptionDetails(cert.serialNumber, fieldName),
-        counterparty: (await counterpartyWallet.getPublicKey({ identityKey: true })).publicKey,
-      })
-
-      // Decrypt the actual field contents using the decrypted symmetric key
-      try {
-        const decryptedData = new SymmetricKey(masterFieldKey).decrypt(
-          Utils.toArray(cert.fields[fieldName], 'base64')
-        )
-        return { key: fieldName, value: Utils.toUTF8(decryptedData as number[]) }
-      } catch (_) {
-        throw new Error(`Decryption of the "${fieldName}" field with its revelation key failed.`)
-      }
-    })
-  )
-
-  return entries.reduce((acc, { key, value }) => {
-    acc[key] = value
-    return acc
-  }, {} as Record<string, string>)
-}
-
 class LocalTransport implements Transport {
   private peerTransport?: LocalTransport
   private onDataCallback?: (message: AuthMessage) => void
@@ -117,7 +81,15 @@ describe('Peer class mutual authentication and certificate exchange', () => {
   ): Promise<VerifiableCertificate> {
     const certifierWallet = new ProtoWallet(certifierPrivateKey)
 
-    const keyringForVerifier = await masterCertificate.createKeyringForVerifier(wallet, verifierIdentityKey, fieldsToReveal)
+    const keyringForVerifier = await MasterCertificate.createKeyringForVerifier(
+      wallet,
+      certifierWallet.keyDeriver.identityKey,
+      verifierIdentityKey,
+      masterCertificate.fields,
+      fieldsToReveal,
+      masterCertificate.masterKeyring,
+      masterCertificate.serialNumber
+    )
     return new VerifiableCertificate(
       masterCertificate.type,
       masterCertificate.serialNumber,
@@ -125,8 +97,8 @@ describe('Peer class mutual authentication and certificate exchange', () => {
       masterCertificate.certifier,
       masterCertificate.revocationOutpoint,
       masterCertificate.fields,
-      masterCertificate.signature,
-      keyringForVerifier
+      keyringForVerifier,
+      masterCertificate.signature
     )
   }
 
@@ -234,7 +206,7 @@ describe('Peer class mutual authentication and certificate exchange', () => {
         if (certificatesReceivedByBob?.length !== 0) {
           certificatesReceivedByBob?.forEach(async cert => {
             // Decrypt to ensure it has the correct fields
-            const decryptedFields = await decryptCertificateFields(cert, walletB, walletA)
+            const decryptedFields = await cert.decryptFields(walletB)
             if (cert.certifier !== 'bob') {
               console.log('Bob accepted the message:', Utils.toUTF8(payload))
               console.log('Decrypted fields:', decryptedFields)
@@ -279,7 +251,7 @@ describe('Peer class mutual authentication and certificate exchange', () => {
     alice.listenForCertificatesReceived(async (senderPublicKey, certificates) => {
       for (const cert of certificates) {
         // Decrypt Bob's certificate fields
-        const decryptedFields = await decryptCertificateFields(cert, walletA, walletB)
+        const decryptedFields = await cert.decryptFields(walletA)
 
         // Check and use the decrypted fields
         if (Object.keys(decryptedFields).length !== 0 && decryptedFields.libraryCardNumber) {
@@ -342,7 +314,7 @@ describe('Peer class mutual authentication and certificate exchange', () => {
         if (certificates.length > 0) {
           // Decrypt to confirm
           for (const cert of certificates) {
-            const decrypted = await decryptCertificateFields(cert, walletB, walletA)
+            const decrypted = await cert.decryptFields(walletB)
             console.log('Bob received additional certificates from Alice:', cert)
             console.log('Decrypted fields:', decrypted)
           }
@@ -384,7 +356,7 @@ describe('Peer class mutual authentication and certificate exchange', () => {
       bob.listenForCertificatesReceived(async (senderPublicKey, certificates) => {
         for (const cert of certificates) {
           // Decrypt Alice's certificate fields
-          const decryptedFields = await decryptCertificateFields(cert, walletB, walletA)
+          const decryptedFields = await cert.decryptFields(walletB)
           if (decryptedFields.membershipStatus) {
             console.log(`Bob received Alice's membership status: ${decryptedFields.membershipStatus}`)
             bobAcceptedMembershipStatus()
@@ -451,7 +423,7 @@ describe('Peer class mutual authentication and certificate exchange', () => {
     const waitForAliceToAcceptBobDL = new Promise<void>((resolve) => {
       alice.listenForCertificatesReceived(async (senderPublicKey, certificates) => {
         for (const cert of certificates) {
-          const decryptedFields = await decryptCertificateFields(cert, walletA, walletB)
+          const decryptedFields = await cert.decryptFields(walletA)
           if (decryptedFields.driversLicenseNumber) {
             console.log(`Alice received Bob's driver's license number: ${decryptedFields.driversLicenseNumber}`)
             aliceAcceptedBobDL()
@@ -464,7 +436,7 @@ describe('Peer class mutual authentication and certificate exchange', () => {
     const waitForBobToAcceptAliceDL = new Promise<void>((resolve) => {
       bob.listenForCertificatesReceived(async (senderPublicKey, certificates) => {
         for (const cert of certificates) {
-          const decryptedFields = await decryptCertificateFields(cert, walletB, walletA)
+          const decryptedFields = await cert.decryptFields(walletB)
           if (decryptedFields.driversLicenseNumber) {
             console.log(`Bob received Alice's driver's license number: ${decryptedFields.driversLicenseNumber}`)
             bobAcceptedAliceDL()
@@ -544,7 +516,7 @@ describe('Peer class mutual authentication and certificate exchange', () => {
     const waitForAlicePartialCert = new Promise<void>((resolve) => {
       alice.listenForCertificatesReceived(async (senderPublicKey, certificates) => {
         for (const cert of certificates) {
-          const decryptedFields = await decryptCertificateFields(cert, walletA, walletB)
+          const decryptedFields = await cert.decryptFields(walletA)
           if (decryptedFields.email || decryptedFields.name) {
             console.log(`Alice received Bob's certificate with fields: ${Object.keys(decryptedFields).join(', ')}`)
             aliceAcceptedPartialCert()
@@ -557,7 +529,7 @@ describe('Peer class mutual authentication and certificate exchange', () => {
     const waitForBobPartialCert = new Promise<void>((resolve) => {
       bob.listenForCertificatesReceived(async (senderPublicKey, certificates) => {
         for (const cert of certificates) {
-          const decryptedFields = await decryptCertificateFields(cert, walletB, walletA)
+          const decryptedFields = await cert.decryptFields(walletB)
           if (decryptedFields.email || decryptedFields.name) {
             console.log(`Bob received Alice's certificate with fields: ${Object.keys(decryptedFields).join(', ')}`)
             bobAcceptedPartialCert()

package/src/auth/certificates/Certificate.ts

@@ -43,9 +43,9 @@ export default class Certificate {
   revocationOutpoint: OutpointString
 
   /**
-   * All the fields present in the certificate, with field names as keys and field values as strings.
+   * All the fields present in the certificate, with field names as keys and encrypted field values as Base64 strings.
    */
-  fields: Record<CertificateFieldNameUnder50Bytes, string>
+  fields: Record<CertificateFieldNameUnder50Bytes, Base64String>
 
   /**
    * Certificate signature by the certifier's private key, DER encoded hex string.
@@ -258,7 +258,7 @@ export default class Certificate {
    *   - `protocolID` (WalletProtocol): The protocol ID for certificate field encryption.
    *   - `keyID` (string): A unique key identifier derived from the serial number and field name.
    */
-  static getCertificateFieldEncryptionDetails(serialNumber: string, fieldName: string): { protocolID: WalletProtocol, keyID: string } {
+  static getCertificateFieldEncryptionDetails(fieldName: string, serialNumber?: string): { protocolID: WalletProtocol, keyID: string } {
     return { protocolID: [2, 'certificate field encryption'], keyID: `${serialNumber} ${fieldName}` }
   }
 }