@bsv/sdk 1.3.9 → 1.3.11

package/src/auth/certificates/MasterCertificate.ts

@@ -12,6 +12,11 @@ import {
 } from '../../../mod.js'
 import Certificate from './Certificate.js'
 
+interface CreateCertificateFieldsResult {
+  certificateFields: Record<CertificateFieldNameUnder50Bytes, Base64String>
+  masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>
+}
+
 /**
  * MasterCertificate extends the base Certificate class to manage a master keyring, enabling the creation of verifiable certificates.
  *
@@ -56,38 +61,42 @@ export class MasterCertificate extends Certificate {
   }
 
   /**
-   * Decrypts all fields in the MasterCertificate using the subject's wallet.
-   * 
-   * This method uses the `masterKeyring` to decrypt each field's encryption key and then
-   * decrypts the field values. The result is a record of plaintext field names and values.
-   * 
-   * @param {WalletInterface} subjectWallet - The wallet of the subject, used to decrypt the master keyring and field values.
-   * @returns {Promise<Record<CertificateFieldNameUnder50Bytes, string>>} - A record of field names and their decrypted values in plaintext.
-   * 
-   * @throws {Error} Throws an error if the `masterKeyring` is invalid or if decryption fails for any field.
+   * Encrypts certificate fields for a subject and generates a master keyring.
+   * This method returns a master keyring tied to a specific certifier or subject who will validate
+   * and sign off on the fields, along with the encrypted certificate fields.
+   *
+   * @param {WalletInterface} creatorWallet - The wallet of the creator responsible for encrypting the fields.
+   * @param {WalletCounterparty} certifierOrSubject - The certifier or subject who will validate the certificate fields.
+   * @param {Record<CertificateFieldNameUnder50Bytes, string>} fields - A record of certificate field names (under 50 bytes) mapped to their values.
+   * @returns {Promise<CreateCertificateFieldsResult>} A promise resolving to an object containing:
+   *   - `certificateFields` {Record<CertificateFieldNameUnder50Bytes, Base64String>}:
+   *     The encrypted certificate fields.
+   *   - `masterKeyring` {Record<CertificateFieldNameUnder50Bytes, Base64String>}:
+   *     The master keyring containing encrypted revelation keys for each field.
    */
-  async decryptFields(subjectWallet: WalletInterface): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
-    // const fields: Record<CertificateFieldNameUnder50Bytes, Base64String> = this.fields
-    const decryptedFields: Record<CertificateFieldNameUnder50Bytes, string> = {}
-    if (!this.masterKeyring || Object.keys(this.masterKeyring).length === 0) {
-      throw new Error('A MasterCertificate must have a valid masterKeyring!')
+  static async createCertificateFields(
+    creatorWallet: WalletInterface,
+    certifierOrSubject: WalletCounterparty,
+    fields: Record<CertificateFieldNameUnder50Bytes, string>
+  ): Promise<CreateCertificateFieldsResult> {
+    const certificateFields: Record<CertificateFieldNameUnder50Bytes, Base64String> = {}
+    const masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String> = {}
+    for (const [fieldName, fieldValue] of Object.entries(fields)) {
+      const fieldSymmetricKey = SymmetricKey.fromRandom()
+      const encryptedFieldValue = fieldSymmetricKey.encrypt(Utils.toArray(fieldValue, 'utf8'))
+      certificateFields[fieldName] = Utils.toBase64(encryptedFieldValue as number[])
+
+      const { ciphertext: encryptedFieldRevelationKey } = await creatorWallet.encrypt({
+        plaintext: fieldSymmetricKey.toArray(),
+        ...Certificate.getCertificateFieldEncryptionDetails(fieldName), // Only fieldName used on MasterCertificate
+        counterparty: certifierOrSubject
+      })
+      masterKeyring[fieldName] = Utils.toBase64(encryptedFieldRevelationKey)
     }
 
-    try {
-      // Note: we want to iterate through all fields, not just masterKeyring keys/value pairs.
-      for (const fieldName of Object.keys(this.fields)) {
-        const { plaintext: fieldRevelationKey } = await subjectWallet.decrypt({
-          ciphertext: Utils.toArray(this.masterKeyring[fieldName], 'base64'),
-          counterparty: this.certifier,
-          ...Certificate.getCertificateFieldEncryptionDetails(this.serialNumber, fieldName)
-        })
-
-        const fieldValue = new SymmetricKey(fieldRevelationKey).decrypt(Utils.toArray(this.fields[fieldName], 'base64'))
-        decryptedFields[fieldName] = Utils.toUTF8(fieldValue as number[])
-      }
-      return decryptedFields
-    } catch (e) {
-      throw new Error('Failed to decrypt all master certificate fields.')
+    return {
+      certificateFields,
+      masterKeyring
     }
   }
 
@@ -107,37 +116,32 @@ export class MasterCertificate extends Certificate {
    *   - A field in `fieldsToReveal` does not exist in the certificate.
    *   - The decrypted master field key fails to decrypt the corresponding field (indicating an invalid key).
    */
-  async createKeyringForVerifier(subjectWallet: WalletInterface, verifier: WalletCounterparty, fieldsToReveal: string[], originator?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
+  static async createKeyringForVerifier(
+    subjectWallet: WalletInterface,
+    certifier: WalletCounterparty,
+    verifier: WalletCounterparty,
+    fields: Record<CertificateFieldNameUnder50Bytes, Base64String>,
+    fieldsToReveal: string[],
+    masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>,
+    serialNumber: Base64String,
+    originator?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
     if (!Array.isArray(fieldsToReveal)) {
       throw new Error('fieldsToReveal must be an array of strings')
     }
     const fieldRevelationKeyring = {}
     for (const fieldName of fieldsToReveal) {
       // Make sure that fields to reveal is a subset of the certificate fields
-      if (!this.fields[fieldName]) {
+      if (!fields[fieldName]) {
         throw new Error(`Fields to reveal must be a subset of the certificate fields. Missing the "${fieldName}" field.`)
       }
 
-      const encryptedMasterFieldKey = this.masterKeyring[fieldName]
-
-      // Decrypt the master field key
-      const { plaintext: masterFieldKey } = await subjectWallet.decrypt({
-        ciphertext: Utils.toArray(encryptedMasterFieldKey, 'base64'),
-        ...Certificate.getCertificateFieldEncryptionDetails(this.serialNumber, fieldName),
-        counterparty: this.certifier
-      }, originator)
-
-      // Verify that derived key actually decrypts requested field
-      try {
-        new SymmetricKey(masterFieldKey).decrypt(Utils.toArray(this.fields[fieldName], 'base64'))
-      } catch (_) {
-        throw new Error(`Decryption of the "${fieldName}" field with its revelation key failed.`)
-      }
+      // Decrypt the master field key and verify that derived key actually decrypts requested field
+      const masterFieldKey = (await this.decryptField(subjectWallet, masterKeyring, fieldName, fields[fieldName], certifier)).fieldRevelationKey
 
       // Encrypt derived fieldRevelationKey for verifier
       const { ciphertext: encryptedFieldRevelationKey } = await subjectWallet.encrypt({
         plaintext: masterFieldKey,
-        ...Certificate.getCertificateFieldEncryptionDetails(this.serialNumber, fieldName),
+        ...Certificate.getCertificateFieldEncryptionDetails(fieldName, serialNumber),
         counterparty: verifier
       }, originator)
 
@@ -175,27 +179,21 @@ export class MasterCertificate extends Certificate {
     certificateType: string,
     getRevocationOutpoint = async (
       serialNumber: string
-    ): Promise<string> => { return 'Certificate revocation not tracked.' }
+    ): Promise<string> => { return 'Certificate revocation not tracked.' },
+    serialNumber?: string
   ): Promise<MasterCertificate> {
-    // 1. Generate serialNumber
-    const serialNumber = Utils.toBase64(Random(32))
-
-    const encryptedCertificateFields: Record<CertificateFieldNameUnder50Bytes, Base64String> = {}
-    const masterKeyringForSubject: Record<CertificateFieldNameUnder50Bytes, Base64String> = {}
-
-    // 2. For each field, generate a random key -> encrypt field -> encrypt key
-    for (const [fieldName, fieldValue] of Object.entries(fields)) {
-      const fieldSymmetricKey = SymmetricKey.fromRandom()
-      const encryptedFieldValue = fieldSymmetricKey.encrypt(Utils.toArray(fieldValue, 'utf8'))
-      encryptedCertificateFields[fieldName] = Utils.toBase64(encryptedFieldValue as number[])
-      const { ciphertext: encryptedFieldRevelationKey } = await certifierWallet.encrypt({
-        plaintext: fieldSymmetricKey.toArray(),
-        ...Certificate.getCertificateFieldEncryptionDetails(serialNumber, fieldName),
-        counterparty: subject
-      })
-      masterKeyringForSubject[fieldName] = Utils.toBase64(encryptedFieldRevelationKey)
+    // 1. Generate a random serialNumber if not provided
+    if (!serialNumber) {
+      serialNumber = Utils.toBase64(Random(32))
     }
 
+    // 2. Create encrypted certificate fields and associated master keyring
+    const { certificateFields, masterKeyring } = await this.createCertificateFields(
+      certifierWallet,
+      subject,
+      fields,
+    )
+
     // 3. Obtain a revocation outpoint (ex. certifier can call wallet.createAction())
     const revocationOutpoint = await getRevocationOutpoint(serialNumber)
     // TODO: Validate revocation outpoint format
@@ -207,12 +205,78 @@ export class MasterCertificate extends Certificate {
       subject,
       (await certifierWallet.getPublicKey({ identityKey: true })).publicKey,
       revocationOutpoint,
-      encryptedCertificateFields,
-      masterKeyringForSubject
+      certificateFields,
+      masterKeyring
     )
 
     // 5. Sign and return the new MasterCertificate certifying the subject.
     await certificate.sign(certifierWallet)
     return certificate
   }
+
+
+  /**
+   * Decrypts all fields in the MasterCertificate using the subject's or certifier's wallet.
+   *
+   * This method allows the subject or certifier to decrypt the `masterKeyring` and retrieve
+   * the encryption keys for each field, which are then used to decrypt the corresponding field values.
+   * The counterparty used for decryption depends on how the certificate fields were created:
+   * - If the certificate is self-signed, the counterparty should be set to 'self'.
+   * - Otherwise, the counterparty should always be the other party involved in the certificate issuance process (the subject or certifier).
+   *
+   * @param {WalletInterface} subjectOrCertifierWallet - The wallet of the subject or certifier, used to decrypt the master keyring and field values.
+   * @param {Record<CertificateFieldNameUnder50Bytes, Base64String>} masterKeyring - A record containing encrypted keys for each field.
+   * @param {Record<CertificateFieldNameUnder50Bytes, Base64String>} fields - A record of encrypted field names and their values.
+   * @param {WalletCounterparty} counterparty - The counterparty responsible for creating or signing the certificate. For self-signed certificates, use 'self'.
+   * @returns {Promise<Record<CertificateFieldNameUnder50Bytes, string>>} A promise resolving to a record of field names and their decrypted values in plaintext.
+   *
+   * @throws {Error} Throws an error if the `masterKeyring` is invalid or if decryption fails for any field.
+   */
+  static async decryptFields(
+    subjectOrCertifierWallet: WalletInterface,
+    masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>,
+    fields: Record<CertificateFieldNameUnder50Bytes, Base64String>,
+    counterparty: WalletCounterparty
+  ): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
+    if (!masterKeyring || Object.keys(masterKeyring).length === 0) {
+      throw new Error('A MasterCertificate must have a valid masterKeyring!')
+    }
+    try {
+      const decryptedFields: Record<CertificateFieldNameUnder50Bytes, string> = {}
+      // Note: we want to iterate through all fields, not just masterKeyring keys/value pairs.
+      for (const fieldName of Object.keys(fields)) {
+        decryptedFields[fieldName] = (await this.decryptField(subjectOrCertifierWallet, masterKeyring, fieldName, fields[fieldName], counterparty)).decryptedFieldValue
+      }
+      return decryptedFields
+    } catch (e) {
+      throw new Error('Failed to decrypt all master certificate fields.')
+    }
+  }
+
+  static async decryptField(
+    subjectOrCertifierWallet: WalletInterface,
+    masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>,
+    fieldName: Base64String,
+    fieldValue: Base64String,
+    counterparty: WalletCounterparty
+  ): Promise<{ fieldRevelationKey: number[], decryptedFieldValue: string }> {
+    if (!masterKeyring || Object.keys(masterKeyring).length === 0) {
+      throw new Error('A MasterCertificate must have a valid masterKeyring!')
+    }
+    try {
+      const { plaintext: fieldRevelationKey } = await subjectOrCertifierWallet.decrypt({
+        ciphertext: Utils.toArray(masterKeyring[fieldName], 'base64'),
+        ...Certificate.getCertificateFieldEncryptionDetails(fieldName), // Only fieldName used on MasterCertificate
+        counterparty
+      })
+
+      const decryptedFieldValue = new SymmetricKey(fieldRevelationKey).decrypt(Utils.toArray(fieldValue, 'base64'))
+      return {
+        fieldRevelationKey,
+        decryptedFieldValue: Utils.toUTF8(decryptedFieldValue as number[])
+      }
+    } catch (e) {
+      throw new Error('Failed to decrypt certificate field!')
+    }
+  }
 }

package/src/auth/certificates/VerifiableCertificate.ts

@@ -6,8 +6,7 @@ import {
   HexString,
   OutpointString,
   PubKeyHex,
-  WalletInterface,
-  WalletError
+  WalletInterface
 } from '../../../mod.js'
 import Certificate from './Certificate.js'
 
@@ -34,8 +33,8 @@ export class VerifiableCertificate extends Certificate {
     certifier: PubKeyHex,
     revocationOutpoint: OutpointString,
     fields: Record<CertificateFieldNameUnder50Bytes, string>,
+    keyring: Record<CertificateFieldNameUnder50Bytes, string>,
     signature?: HexString,
-    keyring?: Record<CertificateFieldNameUnder50Bytes, string>,
     decryptedFields?: Record<CertificateFieldNameUnder50Bytes, Base64String>
   ) {
     super(type, serialNumber, subject, certifier, revocationOutpoint, fields, signature)
@@ -58,7 +57,7 @@ export class VerifiableCertificate extends Certificate {
       for (const fieldName in this.keyring) {
         const { plaintext: fieldRevelationKey } = await verifierWallet.decrypt({
           ciphertext: Utils.toArray(this.keyring[fieldName], 'base64'),
-          ...Certificate.getCertificateFieldEncryptionDetails(this.serialNumber, fieldName),
+          ...Certificate.getCertificateFieldEncryptionDetails(fieldName, this.serialNumber),
           counterparty: this.subject
         })
 

package/src/auth/certificates/__tests/MasterCertificate.test.ts

@@ -19,11 +19,12 @@ describe('MasterCertificate', () => {
 
   const subjectWallet = new CompletedProtoWallet(subjectPrivateKey)
   const certifierWallet = new CompletedProtoWallet(certifierPrivateKey)
-  let subjectPubKey, certifierPubKey
+  let subjectIdentityKey: string
+  let certifierIdentityKey: string
 
   beforeAll(async () => {
-    subjectPubKey = (await subjectWallet.getPublicKey({ identityKey: true })).publicKey
-    certifierPubKey = (await certifierWallet.getPublicKey({ identityKey: true })).publicKey
+    subjectIdentityKey = (await subjectWallet.getPublicKey({ identityKey: true })).publicKey
+    certifierIdentityKey = (await certifierWallet.getPublicKey({ identityKey: true })).publicKey
   })
 
   describe('constructor', () => {
@@ -42,8 +43,8 @@ describe('MasterCertificate', () => {
       const certificate = new MasterCertificate(
         Utils.toBase64(Random(16)), // type
         Utils.toBase64(Random(16)), // serialNumber
-        subjectPubKey,
-        certifierPubKey,
+        subjectIdentityKey,
+        certifierIdentityKey,
         mockRevocationOutpoint,
         fields,
         masterKeyring
@@ -52,8 +53,8 @@ describe('MasterCertificate', () => {
       expect(certificate).toBeInstanceOf(MasterCertificate)
       expect(certificate.fields).toEqual(fields)
       expect(certificate.masterKeyring).toEqual(masterKeyring)
-      expect(certificate.subject).toEqual(subjectPubKey)
-      expect(certificate.certifier).toEqual(certifierPubKey)
+      expect(certificate.subject).toEqual(subjectIdentityKey)
+      expect(certificate.certifier).toEqual(certifierIdentityKey)
     })
 
     it('should throw if masterKeyring is missing a key for any field', () => {
@@ -64,8 +65,8 @@ describe('MasterCertificate', () => {
         new MasterCertificate(
           Utils.toBase64(Random(16)), // type
           Utils.toBase64(Random(16)), // serialNumber
-          subjectPubKey,
-          certifierPubKey,
+          subjectIdentityKey,
+          certifierIdentityKey,
           mockRevocationOutpoint,
           fields,
           masterKeyring
@@ -74,18 +75,23 @@ describe('MasterCertificate', () => {
     })
   })
 
-  describe('decryptFields', () => {
+  describe('decryptFields (static)', () => {
     it('should decrypt all fields correctly using subject wallet', async () => {
       // Issue a certificate for the subject, which includes a valid masterKeyring
       const certificate = await MasterCertificate.issueCertificateForSubject(
         certifierWallet,
-        subjectPubKey,
+        subjectIdentityKey,
         plaintextFields,
         'TEST_CERT'
       )
 
-      // Now subject should be able to decrypt all fields
-      const decrypted = await certificate.decryptFields(subjectWallet)
+      // Now subject should be able to decrypt all fields via static method
+      const decrypted = await MasterCertificate.decryptFields(
+        subjectWallet,
+        certificate.masterKeyring,
+        certificate.fields,
+        certificate.certifier // because certifier was the encryption counterparty
+      )
       expect(decrypted).toEqual(plaintextFields)
     })
 
@@ -94,8 +100,8 @@ describe('MasterCertificate', () => {
       expect(() => new MasterCertificate(
         Utils.toBase64(Random(16)),
         Utils.toBase64(Random(16)),
-        subjectPubKey,
-        certifierPubKey,
+        subjectIdentityKey,
+        certifierIdentityKey,
         mockRevocationOutpoint,
         { name: Utils.toBase64([1, 2, 3]) },
         {}
@@ -108,8 +114,8 @@ describe('MasterCertificate', () => {
       const badKeyCertificate = new MasterCertificate(
         Utils.toBase64(Random(16)),
         Utils.toBase64(Random(16)),
-        subjectPubKey,
-        certifierPubKey,
+        subjectIdentityKey,
+        certifierIdentityKey,
         mockRevocationOutpoint,
         {
           name: Utils.toBase64(SymmetricKey.fromRandom().encrypt(Utils.toArray('Alice', 'utf8')) as number[])
@@ -117,24 +123,30 @@ describe('MasterCertificate', () => {
         { name: badKeyMasterKeyring }
       )
 
-      await expect(badKeyCertificate.decryptFields(subjectWallet))
-        .rejects
-        .toThrow('Failed to decrypt all master certificate fields.')
+      await expect(
+        MasterCertificate.decryptFields(
+          subjectWallet,
+          badKeyCertificate.masterKeyring,
+          badKeyCertificate.fields,
+          badKeyCertificate.certifier
+        )
+      ).rejects.toThrow('Failed to decrypt all master certificate fields.')
     })
   })
 
-  describe('createKeyringForVerifier', () => {
+  describe('createKeyringForVerifier (static)', () => {
     const verifierPrivateKey = PrivateKey.fromRandom()
     const verifierWallet = new CompletedProtoWallet(verifierPrivateKey)
-    let verifierPubKey
+    let verifierIdentityKey: string
 
     let issuedCert: MasterCertificate
 
     beforeAll(async () => {
-      verifierPubKey = (await verifierWallet.getPublicKey({ identityKey: true })).publicKey
+      verifierIdentityKey = (await verifierWallet.getPublicKey({ identityKey: true })).publicKey
+      // Issue a certificate to reuse in tests
       issuedCert = await MasterCertificate.issueCertificateForSubject(
         certifierWallet,
-        subjectPubKey,
+        subjectIdentityKey,
         plaintextFields,
         'TEST_CERT'
       )
@@ -143,10 +155,15 @@ describe('MasterCertificate', () => {
     it('should create a verifier keyring for specified fields', async () => {
       // We only want to share "name" with the verifier
       const fieldsToReveal = ['name']
-      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+
+      const keyringForVerifier = await MasterCertificate.createKeyringForVerifier(
         subjectWallet,
-        verifierPubKey,
-        fieldsToReveal
+        issuedCert.certifier, // the original certifier
+        verifierIdentityKey,       // the new verifier
+        issuedCert.fields,    // encrypted fields
+        fieldsToReveal,
+        issuedCert.masterKeyring,
+        issuedCert.serialNumber
       )
 
       // The new keyring should only contain "name"
@@ -161,8 +178,8 @@ describe('MasterCertificate', () => {
         issuedCert.certifier,
         issuedCert.revocationOutpoint,
         issuedCert.fields,
-        issuedCert.signature,
-        keyringForVerifier
+        keyringForVerifier,
+        issuedCert.signature
       )
 
       // The verifier should successfully decrypt the "name" field
@@ -170,16 +187,23 @@ describe('MasterCertificate', () => {
       expect(decrypted).toEqual({ name: plaintextFields.name })
     })
 
-    it('should throw if fields to reveal are not subset of the certificate fields', async () => {
+    it('should throw if fields to reveal are not a subset of the certificate fields', async () => {
       await expect(
-        issuedCert.createKeyringForVerifier(subjectWallet, verifierPubKey, ['nonexistent_field'])
+        MasterCertificate.createKeyringForVerifier(
+          subjectWallet,
+          issuedCert.certifier,
+          verifierIdentityKey,
+          issuedCert.fields,
+          ['nonexistent_field'],
+          issuedCert.masterKeyring
+        )
       ).rejects.toThrow(
         /Fields to reveal must be a subset of the certificate fields\. Missing the "nonexistent_field" field\./
       )
     })
 
     it('should throw if the master key fails to decrypt the corresponding field', async () => {
-      // We'll tamper the certificate's masterKeyring so that a field key is invalid
+      // We'll tamper with the certificate's masterKeyring so that a field key is invalid
       const tamperedCert = new MasterCertificate(
         issuedCert.type,
         issuedCert.serialNumber,
@@ -197,46 +221,65 @@ describe('MasterCertificate', () => {
       )
 
       await expect(
-        tamperedCert.createKeyringForVerifier(subjectWallet, verifierPubKey, ['name'])
-      ).rejects.toThrow('Decryption failed!')
+        MasterCertificate.createKeyringForVerifier(
+          subjectWallet,
+          tamperedCert.certifier,
+          verifierIdentityKey,
+          tamperedCert.fields,
+          ['name'],
+          tamperedCert.masterKeyring,
+          tamperedCert.serialNumber
+        )
+      ).rejects.toThrow('Failed to decrypt certificate field!')
     })
 
     it('should support optional originator parameter', async () => {
-      // Just to ensure coverage for the originator-based flows
       const fieldsToReveal = ['name']
-      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+      const keyringForVerifier = await MasterCertificate.createKeyringForVerifier(
         subjectWallet,
-        verifierPubKey,
+        issuedCert.certifier,
+        verifierIdentityKey,
+        issuedCert.fields,
         fieldsToReveal,
+        issuedCert.masterKeyring,
+        issuedCert.serialNumber,
         'my-originator'
       )
       expect(keyringForVerifier).toHaveProperty('name')
     })
 
-    it('should support counterparty of "anyone"', async () => {
-      // Create a keyring for public disclosure of selected fields.
+    it('should support counterparty of "anyone" or "self"', async () => {
       const fieldsToReveal = ['name']
-      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+
+      // "anyone"
+      const anyoneKeyring = await MasterCertificate.createKeyringForVerifier(
         subjectWallet,
+        issuedCert.certifier,
         'anyone',
+        issuedCert.fields,
         fieldsToReveal,
+        issuedCert.masterKeyring,
+        issuedCert.serialNumber,
         'my-originator'
       )
-      expect(keyringForVerifier).toHaveProperty('name')
-    })
-    it('should support counterparty of "self"', async () => {
-      const fieldsToReveal = ['name']
-      const keyringForVerifier = await issuedCert.createKeyringForVerifier(
+      expect(anyoneKeyring).toHaveProperty('name')
+
+      // "self"
+      const selfKeyring = await MasterCertificate.createKeyringForVerifier(
         subjectWallet,
+        issuedCert.certifier,
         'self',
+        issuedCert.fields,
         fieldsToReveal,
+        issuedCert.masterKeyring,
+        issuedCert.serialNumber,
         'my-originator'
       )
-      expect(keyringForVerifier).toHaveProperty('name')
+      expect(selfKeyring).toHaveProperty('name')
     })
   })
 
-  describe('issueCertificateForSubject', () => {
+  describe('issueCertificateForSubject (static)', () => {
     it('should issue a valid MasterCertificate for the given subject', async () => {
       const newPlaintextFields = {
         project: 'Top Secret',
@@ -247,16 +290,16 @@ describe('MasterCertificate', () => {
 
       const newCert = await MasterCertificate.issueCertificateForSubject(
         certifierWallet,
-        subjectPubKey,
+        subjectIdentityKey,
         newPlaintextFields,
         'TEST_CERT',
-        revocationFn,
+        revocationFn
       )
 
       expect(newCert).toBeInstanceOf(MasterCertificate)
       // The certificate's fields should be encrypted base64
       for (const fieldName in newPlaintextFields) {
-        expect(newCert.fields[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/) // base64 check
+        expect(newCert.fields[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/) // quick base64 check
       }
       // The masterKeyring should also contain base64 strings
       for (const fieldName in newPlaintextFields) {
@@ -266,8 +309,56 @@ describe('MasterCertificate', () => {
       expect(newCert.revocationOutpoint).toEqual(mockRevocationOutpoint)
       // Check we have a signature
       expect(newCert.signature).toBeDefined()
-      // Check that the revocationFn were called
+      // Check that the revocationFn was called
       expect(revocationFn).toHaveBeenCalledWith(newCert.serialNumber)
     })
+
+    it('should allow passing a custom serial number when issuing the certificate', async () => {
+      const customSerialNumber = Utils.toBase64(Random(32))
+      const newPlaintextFields = { status: 'Approved' }
+      const newCert = await MasterCertificate.issueCertificateForSubject(
+        certifierWallet,
+        subjectIdentityKey,
+        newPlaintextFields,
+        'TEST_CERT',
+        undefined,     // No custom revocation function
+        customSerialNumber   // Pass our custom serial number
+      )
+
+      expect(newCert).toBeInstanceOf(MasterCertificate)
+      expect(newCert.serialNumber).toEqual(customSerialNumber) // Must match exactly
+      // Check encryption
+      for (const fieldName in newPlaintextFields) {
+        expect(newCert.fields[fieldName]).toMatch(/^[A-Za-z0-9+/]+=*$/)
+      }
+    })
+    it('should allow issuing a self-signed certificate and decrypt it with the same wallet', async () => {
+      // In a self-signed scenario, the subject and certifier are the same
+      const subjectWallet = new CompletedProtoWallet(PrivateKey.fromRandom())
+
+      // Some sample fields
+      const selfSignedFields = {
+        owner: 'Bob',
+        organization: 'SelfCo'
+      }
+
+      // Issue the certificate for "self"
+      const selfSignedCert = await MasterCertificate.issueCertificateForSubject(
+        subjectWallet,   // act as certifier
+        'self',
+        selfSignedFields,
+        'SELF_SIGNED_TEST'
+      )
+
+      // Now we attempt to decrypt the fields with the same wallet
+      const decrypted = await MasterCertificate.decryptFields(
+        subjectWallet,
+        selfSignedCert.masterKeyring,
+        selfSignedCert.fields,
+        'self'
+      )
+
+      expect(decrypted).toEqual(selfSignedFields)
+    })
   })
 })