
Module BSV::Wallet::CertificateSignature

BRC-52 identity certificate signature verification.

Certificates carry a signature from the certifier over a canonical binary serialisation of their fields (excluding the signature itself). This module builds that canonical serialisation and delegates verification to a {Client}-compatible verifier.

Every field is included in the preimage in this order:

  • type (base64 → 32 bytes)
  • serial_number (base64 → 32 bytes)
  • subject (hex → 33-byte compressed pubkey)
  • certifier (hex → 33-byte compressed pubkey)
  • revocation_outpoint: txid hex (32 bytes) + output index VarInt
  • fields: VarInt count, then for each field (sorted lexicographically by name): VarInt name length + UTF-8 name bytes + VarInt value length + UTF-8 value bytes
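The field order above, as an added stand-alone Ruby example (not the SDK's own serialise_preimage): it builds the preimage with strict width checks and shows why sorting and length-prefixing make the signed bytes unambiguous. Assumptions not stated on this page: VarInt is Bitcoin's CompactSize encoding, revocation_outpoint is a "txid.index" string, txid bytes are written in the order given, and field names are sorted byte-wise; the helper names and SAMPLE_CERT are hypothetical.

```ruby
# Added example: stand-alone preimage builder, not the SDK's serialise_preimage.
# Assumptions: Bitcoin CompactSize VarInt, "txid.index" outpoint string,
# txid bytes in the order given, byte-wise sort of field names.
def varint(n)
  raise ArgumentError, 'negative VarInt' if n.negative?
  return [n].pack('C') if n < 0xfd
  return [0xfd, n].pack('Cv') if n <= 0xffff
  return [0xfe, n].pack('CV') if n <= 0xffff_ffff
  [0xff, n].pack('CQ<')
end

# Enforce the fixed width the page lists for each decoded field.
def fixed(name, bytes, size)
  return bytes if bytes.bytesize == size
  raise ArgumentError, "#{name}: expected #{size} bytes, got #{bytes.bytesize}"
end

def from_hex(str)
  raise ArgumentError, 'invalid hex' unless str.match?(/\A(?:\h\h)+\z/)
  [str].pack('H*')
end

def prefixed(str) # VarInt length + UTF-8 bytes
  bytes = str.encode('UTF-8').b
  varint(bytes.bytesize) + bytes
end

def example_preimage(cert)
  txid, index = cert.fetch(:revocation_outpoint).split('.', 2)
  raise ArgumentError, 'bad outpoint' unless index&.match?(/\A\d+\z/)
  fields = cert.fetch(:fields).map { |k, v| [k.to_s, v.to_s] }.sort_by(&:first)
  raise ArgumentError, 'duplicate field name' if fields.map(&:first).uniq.size != fields.size
  out = String.new # ASCII-8BIT buffer
  # unpack1('m0') is strict base64: it raises ArgumentError on malformed input
  out << fixed('type', cert.fetch(:type).unpack1('m0'), 32)
  out << fixed('serial_number', cert.fetch(:serial_number).unpack1('m0'), 32)
  out << fixed('subject', from_hex(cert.fetch(:subject)), 33)
  out << fixed('certifier', from_hex(cert.fetch(:certifier)), 33)
  out << fixed('txid', from_hex(txid), 32) << varint(index.to_i)
  out << varint(fields.size)
  fields.each { |name, value| out << prefixed(name) << prefixed(value) }
  out
end

# Constructed sample certificate (all values are made up for illustration).
SAMPLE_CERT = {
  type: ["\x01" * 32].pack('m0'), serial_number: ["\x02" * 32].pack('m0'),
  subject: '02' + 'ab' * 32, certifier: '03' + 'cd' * 32,
  revocation_outpoint: "#{'ef' * 32}.1", fields: { role: 'admin', name: 'Alice' }
}.freeze
```

Because every name and value carries its own length, +{ 'a' => 'bc' }+ and +{ 'ab' => 'c' }+ serialise to different bytes, so a signature over one cannot be replayed for the other.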

Signing uses BRC-42 key derivation with:

  • protocol ID: +[2, 'certificate signature']+
  • key ID: +"#{type} #{serial_number}"+
  • counterparty on sign: +'anyone'+ (default of +Client#create_signature+ in TS — Ruby consumers should pass it explicitly since Ruby defaults to +'self'+)
  • counterparty on verify: the certifier's public key hex

  • @see https://hub.bsvblockchain.org/brc/wallet/0052 BRC-52

Constants

PROTOCOL_ID

Not documented.

Public Class Methods

serialise_preimage(cert)

Build the BRC-52 canonical preimage for signing or verifying.

  • @param cert [Hash] certificate fields (see {.verify!})
  • @return [String] binary string suitable for +sha256+ (via {Client#verify_signature})

verify!(cert, verifier: Client.new('anyone', storage: Store::Memory.new, allow_memory_store: true))

Verify a certificate's certifier signature.

Raises {InvalidError} if the signature is missing, malformed, or does not match the expected certifier.

  • @param cert [Hash] certificate fields. Required keys: +:type+, +:serial_number+, +:subject+, +:certifier+, +:revocation_outpoint+, +:fields+, +:signature+
  • @param verifier [#verify_signature] optional verifier; defaults to a fresh +Client.new('anyone', storage: Store::Memory.new)+
  • @return [true] when the signature verifies
  • @raise [InvalidError] otherwise