# Class BSV::Auth::VerifiableCertificate <a id="class-BSV-Auth-VerifiableCertificate"></a>

**Inherits:** `BSV::Auth::Certificate`

A Certificate subclass for selective field revelation on the verifier side.

VerifiableCertificate holds a verifier-specific keyring — a map from field
names to Base64-encoded symmetric keys encrypted for the verifier. Calling
{#decrypt_fields} decrypts each entry in the keyring using the verifier's
wallet and then uses the recovered key to decrypt the corresponding field
value from the base certificate.

## Protocol details

Each keyring entry is decrypted via BRC-42 key derivation:

*   Protocol:    +[2, 'certificate field encryption']+
*   Key ID:      +"#{serial_number} #{field_name}"+
*   Counterparty: the certificate `subject` public key

Wallet parameters are duck-typed — any object responding to
<code>:decrypt</code> is accepted. No direct dependency on
<code>BSV::Wallet::Client</code> is introduced here.

- **@see** `BSV::Auth::Certificate` base class
- **@see** `BSV::Auth::MasterCertificate` for creating certificates and keyrings

## Attributes
### `decrypted_fields` [R] <a id="attribute-i-decrypted_fields"></a> <a id="decrypted_fields-instance_method"></a>
- **@return** [Hash, nil] field name → decrypted plaintext string, or nil before decryption

### `keyring` [R] <a id="attribute-i-keyring"></a> <a id="keyring-instance_method"></a>
- **@return** [Hash] field name → Base64-encoded verifier-specific encrypted key

## Public Class Methods
### `from_certificate(certificate, keyring)` <a id="method-c-from_certificate"></a> <a id="from_certificate-class_method"></a>
Construct a VerifiableCertificate from a base Certificate and a keyring.
- **@param** `certificate` [Certificate] any Certificate instance (or duck-typed object
responding to +type+, +serial_number+, +subject+, +certifier+,
+revocation_outpoint+, +fields+, +signature+)
- **@param** `keyring` [Hash] field name → Base64-encoded verifier-specific encrypted key
- **@return** [VerifiableCertificate]

### `from_hash(hash)` <a id="method-c-from_hash"></a> <a id="from_hash-class_method"></a>
Construct a VerifiableCertificate from a plain Hash.

Accepts both snake_case and camelCase key variants.
- **@param** `hash` [Hash] certificate data including +keyring+ and optional +decrypted_fields+
- **@return** [VerifiableCertificate]

## Public Instance Methods
### `decrypt_fields(verifier_wallet, privileged: = false, privileged_reason: = nil)` <a id="method-i-decrypt_fields"></a> <a id="decrypt_fields-instance_method"></a>
Decrypt selectively revealed certificate fields using the verifier's wallet.

Algorithm:
1.  Raises if `keyring` is nil or empty.
2.  For each field in `keyring`:
    1.  Decrypts the encrypted revelation key via
        <code>verifier_wallet.decrypt</code>, using protocol +[2, 'certificate
        field encryption']+ and key_id +"#{serial_number} #{field_name}"+,
        counterparty = subject.
    2.  Uses the recovered bytes as a {BSV::Primitives::SymmetricKey}.
    3.  Decrypts the corresponding encrypted field value.
    4.  Stores the UTF-8 plaintext.
3.  Caches and returns the decrypted fields hash.
- **@param** `verifier_wallet` [#decrypt] wallet belonging to the verifier
- **@param** `privileged` [Boolean] whether this is a privileged operation
- **@param** `privileged_reason` [String, nil] reason for privileged access
- **@raise** [ArgumentError] if +keyring+ is nil or empty
- **@raise** [RuntimeError] if decryption fails for any field
- **@return** [Hash] field name → decrypted plaintext string

### `initialize(type:, serial_number:, subject:, certifier:, revocation_outpoint:, fields:, keyring:, signature: = nil, decrypted_fields: = nil)` <a id="method-i-initialize"></a> <a id="initialize-instance_method"></a>
- **@param** `type` [String] Base64 string (32 bytes decoded)
- **@param** `serial_number` [String] Base64 string (32 bytes decoded)
- **@param** `subject` [String] compressed public key hex
- **@param** `certifier` [String] compressed public key hex
- **@param** `revocation_outpoint` [String] +"<txid_hex>.<output_index>"+
- **@param** `fields` [Hash] field name strings to encrypted value strings (Base64)
- **@param** `keyring` [Hash] field name strings to Base64-encoded verifier-specific encrypted keys
- **@param** `signature` [String, nil] DER-encoded signature hex, or nil
- **@param** `decrypted_fields` [Hash, nil] pre-populated decrypted fields, or nil
- **@return** [VerifiableCertificate] a new instance of VerifiableCertificate

### `to_h()` <a id="method-i-to_h"></a> <a id="to_h-instance_method"></a>
Return the certificate as a plain Hash with snake_case keys, including
`keyring` and `decrypted_fields` (if present).
- **@return** [Hash]
