# Module BSV::Auth::ValidateCertificates <a id="module-BSV-Auth-ValidateCertificates"></a>

Utility module for validating certificates received in an authenticated
message.

Exposes a single module method, {.call}, which is also available as
<code>BSV::Auth.validate_certificates</code> via `extend`.

Algorithm:
1.  Raise `AuthError` if <code>message[:certificates]</code> is nil or empty.
2.  For each certificate in the array:
    1.  Verify cert subject == message identity key.
    2.  Construct a `VerifiableCertificate` if the input is a plain Hash.
    3.  Call <code>cert.verify</code> — raise if signature is invalid.
    4.  If `requested_certificates` is provided, check certifier and type.
    5.  Call +cert.decrypt_fields(wallet)+ — wrap any error in `AuthError`.

Wallet is duck-typed — any object responding to `verify_signature` and
`decrypt` is accepted.

## Public Class Methods
### `validate_certificates(wallet, message, requested_certificates = nil)` <a id="method-c-validate_certificates"></a> <a id="validate_certificates-class_method"></a>
Validates certificates attached to an incoming authenticated message.
- **@param** `wallet` [#verify_signature, #decrypt] the verifier's wallet
- **@param** `message` [Hash] incoming authenticated message; must contain
+:certificates+ and +:identity_key+ (symbol or string keys accepted)
- **@param** `requested_certificates` [Hash, nil] optional filter with keys
+:certifiers+ (Array of pubkey hex strings) and +:types+
(Hash of type string => fields)
- **@raise** [AuthError] on any validation failure
