@matter/protocol 0.15.0-alpha.0-20250616-4b3754906 → 0.15.0-alpha.0-20250619-df2264f15

package/src/certificate/AttestationCertificateManager.ts

@@ -6,12 +6,13 @@
 
 import { Bytes, Crypto, PrivateKey, Time, toHex } from "#general";
 import { VendorId } from "#types";
-import { CertificateManager, jsToMatterDate } from "./CertificateManager.js";
 import {
     TestCert_PAA_NoVID_PrivateKey,
     TestCert_PAA_NoVID_PublicKey,
     TestCert_PAA_NoVID_SKID,
 } from "./ChipPAAuthorities.js";
+import { Dac, Paa, Pai } from "./kinds/AttestationCertificates.js";
+import { jsToMatterDate } from "./kinds/definitions/asn.js";
 
 function getPaiCommonName(vendorId: VendorId, productId?: number) {
     return `node-matter Dev PAI 0x${vendorId.toString(16).toUpperCase()} ${
@@ -36,7 +37,7 @@ export class AttestationCertificateManager {
     readonly #paaKeyPair = PrivateKey(TestCert_PAA_NoVID_PrivateKey, {
         publicKey: TestCert_PAA_NoVID_PublicKey,
     });
-    readonly #certs: CertificateManager;
+    readonly #crypto: Crypto;
     readonly #vendorId: VendorId;
     readonly #paiKeyPair: PrivateKey;
     readonly #paiKeyIdentifier: Uint8Array;
@@ -46,7 +47,7 @@ export class AttestationCertificateManager {
     #nextCertificateId = 2;
 
     constructor(crypto: Crypto, vendorId: VendorId, paiKeyPair: PrivateKey, paiKeyIdentifier: Uint8Array) {
-        this.#certs = new CertificateManager(crypto);
+        this.#crypto = crypto;
         this.#vendorId = vendorId;
         this.#paiKeyPair = paiKeyPair;
         this.#paiKeyIdentifier = paiKeyIdentifier;
@@ -64,7 +65,7 @@ export class AttestationCertificateManager {
     }
 
     async getDACert(productId: number) {
-        const dacKeyPair = await this.#certs.crypto.createKeyPair();
+        const dacKeyPair = await this.#crypto.createKeyPair();
         return {
             keyPair: dacKeyPair,
             dac: await this.generateDaCert(dacKeyPair.publicKey, this.#vendorId, productId),
@@ -74,9 +75,9 @@ export class AttestationCertificateManager {
     // Method unused for now because we use the official Matter Test PAA, but is functional
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore
-    private generatePAACert(vendorId?: VendorId) {
+    private async generatePAACert(vendorId?: VendorId) {
         const now = Time.get().now();
-        const unsignedCertificate = {
+        const cert = new Paa({
             serialNumber: Bytes.fromHex(toHex(this.paaCertId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
             publicKeyAlgorithm: 1 /* EC */,
@@ -104,13 +105,14 @@ export class AttestationCertificateManager {
                 subjectKeyIdentifier: this.#paaKeyIdentifier,
                 authorityKeyIdentifier: this.#paaKeyIdentifier,
             },
-        };
-        return this.#certs.productAttestationAuthorityCertToAsn1(unsignedCertificate, this.#paaKeyPair);
+        });
+        await cert.sign(this.#crypto, this.#paaKeyPair);
+        return cert.asSignedAsn1();
     }
 
-    private generatePAICert(vendorId: VendorId, productId?: number) {
+    private async generatePAICert(vendorId: VendorId, productId?: number) {
         const now = Time.get().now();
-        const unsignedCertificate = {
+        const cert = new Pai({
             serialNumber: Bytes.fromHex(toHex(this.#paiCertId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
             publicKeyAlgorithm: 1 /* EC */,
@@ -138,14 +140,15 @@ export class AttestationCertificateManager {
                 subjectKeyIdentifier: this.#paiKeyIdentifier,
                 authorityKeyIdentifier: this.#paaKeyIdentifier,
             },
-        };
-        return this.#certs.productAttestationIntermediateCertToAsn1(unsignedCertificate, this.#paaKeyPair);
+        });
+        await cert.sign(this.#crypto, this.#paaKeyPair);
+        return cert.asSignedAsn1();
     }
 
     async generateDaCert(publicKey: Uint8Array, vendorId: VendorId, productId: number) {
         const now = Time.get().now();
         const certId = this.#nextCertificateId++;
-        const unsignedCertificate = {
+        const cert = new Dac({
             serialNumber: Bytes.fromHex(toHex(certId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
             publicKeyAlgorithm: 1 /* EC */,
@@ -169,10 +172,11 @@ export class AttestationCertificateManager {
                 keyUsage: {
                     digitalSignature: true,
                 },
-                subjectKeyIdentifier: (await this.#certs.crypto.computeSha256(publicKey)).slice(0, 20),
+                subjectKeyIdentifier: (await this.#crypto.computeSha256(publicKey)).slice(0, 20),
                 authorityKeyIdentifier: this.#paiKeyIdentifier,
             },
-        };
-        return this.#certs.deviceAttestationCertToAsn1(unsignedCertificate, this.#paiKeyPair);
+        });
+        await cert.sign(this.#crypto, this.#paiKeyPair);
+        return cert.asSignedAsn1();
     }
 }

package/src/certificate/CertificateAuthority.ts

@@ -21,15 +21,9 @@ import {
     toHex,
 } from "#general";
 import { CaseAuthenticatedTag, FabricId, NodeId } from "#types";
-import {
-    CertificateManager,
-    OperationalCertificate,
-    RootCertificate,
-    TlvOperationalCertificate,
-    TlvRootCertificate,
-    Unsigned,
-    jsToMatterDate,
-} from "./CertificateManager.js";
+import { jsToMatterDate } from "./kinds/definitions/asn.js";
+import { Noc } from "./kinds/Noc.js";
+import { Rcac } from "./kinds/Rcac.js";
 
 const logger = Logger.get("CertificateAuthority");
 
@@ -38,7 +32,7 @@ const logger = Logger.get("CertificateAuthority");
  * TODO: Add support for (optional) ICACs
  */
 export class CertificateAuthority {
-    #certs: CertificateManager;
+    #crypto: Crypto;
     #rootCertId = BigInt(0);
     #rootKeyPair?: PrivateKey;
     #rootKeyIdentifier?: Uint8Array<ArrayBufferLike>;
@@ -46,8 +40,8 @@ export class CertificateAuthority {
     #nextCertificateId = BigInt(1);
     #construction: Construction<CertificateAuthority>;
 
-    get certs() {
-        return this.#certs;
+    get crypto() {
+        return this.#crypto;
     }
 
     get construction() {
@@ -59,16 +53,13 @@ export class CertificateAuthority {
     }
 
     constructor(crypto: Crypto, options?: StorageContext | CertificateAuthority.Configuration) {
-        this.#certs = new CertificateManager(crypto);
+        this.#crypto = crypto;
         this.#construction = Construction(this, async () => {
             // Use provided CA config or read from storage, otherwise initialize and store
             const certValues = options instanceof StorageContext ? await options.values() : (options ?? {});
 
-            this.#rootKeyPair = await this.#certs.crypto.createKeyPair();
-            this.#rootKeyIdentifier = (await this.#certs.crypto.computeSha256(this.#rootKeyPair.publicKey)).slice(
-                0,
-                20,
-            );
+            this.#rootKeyPair = await this.#crypto.createKeyPair();
+            this.#rootKeyIdentifier = (await this.#crypto.computeSha256(this.#rootKeyPair.publicKey)).slice(0, 20);
             this.#rootCertBytes = await this.#generateRootCert();
 
             if (
@@ -124,7 +115,7 @@ export class CertificateAuthority {
 
     async #generateRootCert() {
         const now = Time.get().now();
-        const unsignedCertificate: Unsigned<RootCertificate> = {
+        const cert = new Rcac({
             serialNumber: Bytes.fromHex(toHex(this.#rootCertId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
             publicKeyAlgorithm: 1 /* EC */,
@@ -143,12 +134,9 @@ export class CertificateAuthority {
                 subjectKeyIdentifier: this.#initializedRootKeyIdentifier,
                 authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
-        };
-        const signature = await this.#certs.crypto.signEcdsa(
-            this.#initializedRootKeyPair,
-            this.#certs.rootCertToAsn1(unsignedCertificate),
-        );
-        return TlvRootCertificate.encode({ ...unsignedCertificate, signature });
+        });
+        await cert.sign(this.#crypto, this.#initializedRootKeyPair);
+        return cert.asSignedTlv();
     }
 
     async generateNoc(
@@ -159,7 +147,7 @@ export class CertificateAuthority {
     ) {
         const now = Time.get().now();
         const certId = this.#nextCertificateId++;
-        const unsignedCertificate: Unsigned<OperationalCertificate> = {
+        const cert = new Noc({
             serialNumber: Bytes.fromHex(toHex(certId)),
             signatureAlgorithm: 1 /* EcdsaWithSHA256 */,
             publicKeyAlgorithm: 1 /* EC */,
@@ -175,17 +163,12 @@ export class CertificateAuthority {
                     digitalSignature: true,
                 },
                 extendedKeyUsage: [2, 1],
-                subjectKeyIdentifier: (await this.#certs.crypto.computeSha256(publicKey)).slice(0, 20),
+                subjectKeyIdentifier: (await this.#crypto.computeSha256(publicKey)).slice(0, 20),
                 authorityKeyIdentifier: this.#initializedRootKeyIdentifier,
             },
-        };
-
-        const signature = await this.#certs.crypto.signEcdsa(
-            this.#initializedRootKeyPair,
-            this.#certs.nodeOperationalCertToAsn1(unsignedCertificate),
-        );
-
-        return TlvOperationalCertificate.encode({ ...unsignedCertificate, signature });
+        });
+        await cert.sign(this.#crypto, this.#initializedRootKeyPair);
+        return cert.asSignedTlv();
     }
 
     get #initializedRootKeyPair() {

package/src/certificate/DeviceCertification.ts

@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+import { CertificationDeclaration } from "#certificate/kinds/CertificationDeclaration.js";
 import { Construction, Crypto, ImplementationError, InternalError, PrivateKey } from "#general";
 import { NodeSession } from "#session/NodeSession.js";
 import { ProductDescription } from "#types";
 import { AttestationCertificateManager } from "./AttestationCertificateManager.js";
-import { CertificationDeclarationManager } from "./CertificationDeclarationManager.js";
 
 /**
  * Device certification used by the OperationalCredentials cluster.
@@ -57,11 +57,7 @@ export class DeviceCertification {
                     privateKey: PrivateKey(dacKeyPair.privateKey),
                     certificate: dac,
                     intermediateCertificate: await paa.getPAICert(),
-                    declaration: await CertificationDeclarationManager.generate(
-                        crypto,
-                        product.vendorId,
-                        product.productId,
-                    ),
+                    declaration: await CertificationDeclaration.generate(crypto, product.vendorId, product.productId),
                 };
             };
         }

package/src/certificate/index.ts

@@ -6,7 +6,12 @@
 
 export * from "./AttestationCertificateManager.js";
 export * from "./CertificateAuthority.js";
-export * from "./CertificateManager.js";
-export * from "./CertificationDeclarationManager.js";
 export * from "./ChipPAAuthorities.js";
 export * from "./DeviceCertification.js";
+export * from "./kinds/AttestationCertificates.js";
+export * from "./kinds/CertificationDeclaration.js";
+export { CertificateError } from "./kinds/common.js";
+export * from "./kinds/Icac.js";
+export * from "./kinds/Noc.js";
+export * from "./kinds/Rcac.js";
+export * from "./kinds/X509Base.js";

package/src/certificate/kinds/AttestationCertificates.ts

@@ -0,0 +1,48 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { Crypto, DerBitString, DerCodec, X962 } from "#general";
+import { assertCertificateDerSize } from "./common.js";
+import { AttestationCertificate } from "./definitions/attestation.js";
+import { X509Certificate } from "./definitions/base.js";
+import { X509Base } from "./X509Base.js";
+
+/**
+ * Base class for Attestation Certificates (PAA, PAI, DAC).
+ */
+export abstract class AttestationBaseCertificate<CT extends X509Certificate> extends X509Base<CT> {
+    /**
+     * Sign the certificate using the provided crypto and key.
+     * If the certificate is already signed, it throws a CertificateError.
+     */
+    override async sign(crypto: Crypto, key: JsonWebKey) {
+        this.signature = await crypto.signEcdsa(key, this.asUnsignedAsn1(), "der");
+    }
+
+    /**
+     * Returns the signed certificate in ASN.1 DER format.
+     * If the certificate is not signed, it throws a CertificateError.
+     */
+    asSignedAsn1(): Uint8Array<ArrayBufferLike> {
+        const certificate = this.genericBuildAsn1Structure(this.cert);
+        const certBytes = DerCodec.encode({
+            certificate,
+            signAlgorithm: X962.EcdsaWithSHA256,
+            signature: DerBitString(this.signature),
+        });
+        assertCertificateDerSize(certBytes);
+        return certBytes;
+    }
+}
+
+/** PAA (Product Attestation Authority) Certificate. */
+export class Paa extends AttestationBaseCertificate<AttestationCertificate.Paa> {}
+
+/** PAI (Product Attestation Intermediate) Certificate. */
+export class Pai extends AttestationBaseCertificate<AttestationCertificate.Pai> {}
+
+/** DAC (Device Attestation Certificate) Certificate. */
+export class Dac extends AttestationBaseCertificate<AttestationCertificate.Dac> {}

package/src/certificate/kinds/CertificationDeclaration.ts

@@ -0,0 +1,91 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Bytes, ContextTaggedBytes, Crypto, DerCodec, Pkcs7, PrivateKey, SHA256_CMS, X962 } from "#general";
+import { TypeFromBitmapSchema, VendorId } from "#types";
+import { assertCertificateDerSize } from "./common.js";
+import { CertificationDeclaration as CertificationDeclarationDef } from "./definitions/certification-declaration.js";
+
+// This is the private key from Appendix F of the Matter 1.1 Core Specification.
+// The specification specifies it in PEM format:
+//
+// -----BEGIN EC PRIVATE KEY-----
+// MHcCAQEEIK7zSEEW6UgexXvgRy30G/SZBk5QJK2GnspeiJgC1IB1oAoGCCqGSM49
+// AwEHoUQDQgAEPDmJIkUrVcrzicJb0bykZWlSzLkOiGkkmthHRlMBTL+V1oeWXgNr
+// UhxRA35rjO3vyh60QEZpT6CIgu7WUZ3sug==
+// -----END EC PRIVATE KEY-----
+//
+// You can extract the key using openssl:
+//
+// openssl asn1parse -in key.txt
+const TestCMS_SignerPrivateKey = Bytes.fromHex("AEF3484116E9481EC57BE0472DF41BF499064E5024AD869ECA5E889802D48075");
+
+// You can extract the subject key identifier from the certificate in the same
+// section.  The x509 command is best for that:
+//
+// openssl x509 -in cert.txt -text
+//
+// Look for the line under "X509v3 Subject Key Identifier:"
+const TestCMS_SignerSubjectKeyIdentifier = Bytes.fromHex("62FA823359ACFAA9963E1CFA140ADDF504F37160");
+
+/** A Matter Certification Declaration */
+export class CertificationDeclaration {
+    #eContent: Uint8Array;
+    #subjectKeyIdentifier: Uint8Array;
+
+    /**
+     * Generator which is the main usage for the class from outside.
+     * It constructs the class with the relevant details and returns a signed ASN.1 DER version of the CD.
+     */
+    static generate(crypto: Crypto, vendorId: VendorId, productId: number, provisional = false) {
+        const cd = new CertificationDeclaration(
+            {
+                formatVersion: 1,
+                vendorId,
+                produceIdArray: [productId],
+                deviceTypeId: 22,
+                certificateId: "CSA00000SWC00000-00",
+                securityLevel: 0,
+                securityInformation: 0,
+                versionNumber: 1,
+                certificationType: provisional ? 1 : 0, // 0 = Test, 1 = Provisional/In certification, 2 = official
+            },
+            TestCMS_SignerSubjectKeyIdentifier,
+        );
+
+        return cd.asSignedAsn1(crypto, PrivateKey(TestCMS_SignerPrivateKey));
+    }
+
+    constructor(
+        content: TypeFromBitmapSchema<typeof CertificationDeclarationDef.TlvDc>,
+        subjectKeyIdentifier: Uint8Array,
+    ) {
+        this.#eContent = CertificationDeclarationDef.TlvDc.encode(content);
+        this.#subjectKeyIdentifier = subjectKeyIdentifier;
+    }
+
+    /**
+     * Returns the signed certificate in ASN.1 DER format.
+     */
+    async asSignedAsn1(crypto: Crypto, privateKey: JsonWebKey) {
+        const cert = {
+            version: 3,
+            digestAlgorithm: [SHA256_CMS],
+            encapContentInfo: Pkcs7.Data(this.#eContent),
+            signerInfo: [
+                {
+                    version: 3,
+                    subjectKeyIdentifier: ContextTaggedBytes(0, this.#subjectKeyIdentifier),
+                    digestAlgorithm: SHA256_CMS,
+                    signatureAlgorithm: X962.EcdsaWithSHA256,
+                    signature: await crypto.signEcdsa(privateKey, this.#eContent, "der"),
+                },
+            ],
+        };
+        const certBytes = DerCodec.encode(Pkcs7.SignedData(cert));
+        assertCertificateDerSize(certBytes);
+        return certBytes;
+    }
+}

package/src/certificate/kinds/Icac.ts

@@ -0,0 +1,156 @@
+/**
+ * @license
+ * Copyright 2022-2025 Matter.js Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { Bytes, Crypto, Diagnostic, PublicKey } from "#general";
+import { FabricId } from "#types";
+import { CertificateError } from "./common.js";
+import { ExtensionKeyUsageSchema } from "./definitions/base.js";
+import { OperationalCertificate } from "./definitions/operational.js";
+import { OperationalBase } from "./OperationalBase.js";
+import { Rcac } from "./Rcac.js";
+
+/**
+ * Represents an Intermediate Certificate
+ */
+export class Icac extends OperationalBase<OperationalCertificate.Icac> {
+    /** Construct the class from a Tlv version of the certificate */
+    static fromTlv(tlv: Uint8Array): Icac {
+        return new Icac(OperationalCertificate.TlvIcac.decode(tlv));
+    }
+
+    /** Validates all basic certificate fields on construction. */
+    protected validateFields() {
+        const {
+            extensions: {
+                basicConstraints: { isCa },
+            },
+        } = this.cert;
+        if (!isCa) {
+            throw new CertificateError("Intermediate certificate must be a CA.");
+        }
+    }
+
+    /**
+     * Encodes the certificate with the signature as Matter Tlv.
+     * If the certificate is not signed, it throws a CertificateError.
+     */
+    asSignedTlv() {
+        return OperationalCertificate.TlvIcac.encode({ ...this.cert, signature: this.signature });
+    }
+
+    /**
+     * Verify requirements a Matter Intermediate CA certificate must fulfill.
+     * Rules for this are listed in @see {@link MatterSpecification.v12.Core} §6.5.x
+     */
+    async verify(crypto: Crypto, root: Rcac) {
+        this.generalVerify();
+
+        const {
+            subject,
+            issuer: { rcacId },
+            extensions,
+        } = this.cert;
+        const { fabricId, icacId } = subject;
+        const { basicConstraints, extendedKeyUsage, subjectKeyIdentifier, authorityKeyIdentifier } = extensions;
+
+        const { fabricId: rootFabricId } = root.cert.subject;
+        // The subject DN SHALL NOT encode any matter-node-id attribute.
+        if ("nodeId" in subject) {
+            throw new CertificateError(`Ica certificate must not contain a nodeId.`);
+        }
+
+        // The subject DN MAY encode at most one matter-fabric-id attribute.
+        if (fabricId !== undefined) {
+            if (Array.isArray(fabricId)) {
+                throw new CertificateError(`Invalid fabricId in NoC certificate: ${Diagnostic.json(fabricId)}`);
+            }
+            // If present, the matter-fabric-id attribute’s value SHALL NOT be 0
+            if (fabricId === FabricId(0)) {
+                throw new CertificateError(`Invalid fabricId in NoC certificate: ${Diagnostic.json(fabricId)}`);
+            }
+        }
+
+        // The subject DN SHALL encode exactly one matter-icac-id attribute.
+        if (icacId === undefined || Array.isArray(icacId)) {
+            throw new CertificateError(`Invalid icacId in Ica certificate: ${Diagnostic.json(icacId)}`);
+        }
+
+        // The subject DN SHALL NOT encode any matter-rcac-id attribute.
+        if ("rcacId" in subject) {
+            throw new CertificateError(`Ica certificate must not contain an rcacId.`);
+        }
+
+        // The subject DN SHALL NOT encode any matter-noc-cat attribute.
+        if ("caseAuthenticatedTags" in subject) {
+            throw new CertificateError(`Ica certificate must not contain a caseAuthenticatedTags.`);
+        }
+
+        // When any matter-fabric-id attributes are present in either the Matter Root CA Certificate or the Matter ICA
+        // Certificate, the value SHALL match the one present in the Matter Node Operational Certificate (NOC) within
+        // the same certificate chain.
+        // Here means: When both are set, they must match
+        if (rootFabricId !== undefined && fabricId !== undefined && rootFabricId !== fabricId) {
+            throw new CertificateError(
+                `FabricId in Ica certificate does not match the fabricId in the parent certificate. ${Diagnostic.json(
+                    rootFabricId,
+                )} !== ${Diagnostic.json(fabricId)}`,
+            );
+        }
+
+        // Verify the certificate chain by checking rcac ids in subject and issuer
+        if (root.cert.subject.rcacId !== rcacId) {
+            throw new CertificateError(
+                `RcacId in Ica certificate does not match the rcacId in the parent certificate. ${Diagnostic.json(
+                    root.cert.subject.rcacId,
+                )} !== ${Diagnostic.json(rcacId)}`,
+            );
+        }
+
+        // The basic constraints extension SHALL be encoded with is-ca set to true.
+        if (!basicConstraints.isCa) {
+            throw new CertificateError(`Ica certificate must have isCa set to true.`);
+        }
+
+        // The key usage extension SHALL be encoded with at least two flags: keyCertSign (0x0020) and CRLSign (0x0040)
+        // and optionally with digitalSignature (0x0001).
+        const keyUsage = ExtensionKeyUsageSchema.encode(extensions.keyUsage);
+        if (keyUsage !== 0x0060 && keyUsage !== 0x0061) {
+            throw new CertificateError(
+                `Ica certificate keyUsage must have keyCertSign and CRLSign and optionally digitalSignature set.`,
+            );
+        }
+
+        // The extended key usage extension SHALL NOT be present.
+        if (extendedKeyUsage !== undefined) {
+            throw new CertificateError(`Ica certificate must not have extendedKeyUsage set.`);
+        }
+
+        // The subject key identifier extension SHALL be present and 160 bit long.
+        if (subjectKeyIdentifier === undefined) {
+            throw new CertificateError(`Ica certificate must have subjectKeyIdentifier set.`);
+        }
+        if (subjectKeyIdentifier.length !== 20) {
+            throw new CertificateError(`Ica certificate subjectKeyIdentifier must be 160 bit.`);
+        }
+
+        // The authority key identifier extension SHALL be present and 160 bit long.
+        if (authorityKeyIdentifier === undefined) {
+            throw new CertificateError(`Ica certificate must have authorityKeyIdentifier set.`);
+        }
+        if (authorityKeyIdentifier.length !== 20) {
+            throw new CertificateError(`Ica certificate authorityKeyIdentifier must be 160 bit.`);
+        }
+
+        // Validate authority key identifier against subject key identifier
+        if (!Bytes.areEqual(authorityKeyIdentifier, root.cert.extensions.subjectKeyIdentifier)) {
+            throw new CertificateError(
+                `Ica certificate authorityKeyIdentifier must be equal to root cert subjectKeyIdentifier.`,
+            );
+        }
+
+        await crypto.verifyEcdsa(PublicKey(root.cert.ellipticCurvePublicKey), this.asUnsignedAsn1(), this.signature);
+    }
+}