fix(wallet): use correct protocol ID and key ID in prove_certificate (#424)

sgbett · claude · sgbett · commit 22370d2e05da · 2026-04-15T20:29:10.000+01:00
prove_certificate was using 'certificate field revelation' and prefixing the cert type to key_id, diverging from the TS/Go reference SDKs. This made Ruby-issued verifier keyrings cryptographically incompatible with other SDKs. Now uses 'certificate field encryption' and "#{serial_number} #{field_name}" to match cross-SDK behaviour. Closes #424 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/gem/bsv-sdk/lib/bsv/auth/get_verifiable_certificates.rb b/gem/bsv-sdk/lib/bsv/auth/get_verifiable_certificates.rb
@@ -9,10 +9,6 @@ module Auth
     # +prove_certificate+ for each to obtain a verifier-specific keyring for
     # selective field revelation.
     #
-    # NOTE: Issue #424 documents a known bug in +WalletClient#prove_certificate+ — it
-    # uses the wrong protocol ID (+certificate field revelation+ vs +certificate field
-    # encryption+) and an incorrect key ID format. Until that bug is fixed, the keyring
-    # produced here will be cryptographically incompatible with the TS/Go SDKs.
     module GetVerifiableCertificates
       module_function
 
diff --git a/gem/bsv-wallet/lib/bsv/wallet_interface/wallet_client.rb b/gem/bsv-wallet/lib/bsv/wallet_interface/wallet_client.rb
@@ -569,8 +569,8 @@ def prove_certificate(args, originator: nil)
           # Encrypt the keyring entry for the verifier
           encrypted = encrypt({
                                 plaintext: key_value.bytes,
-                                protocol_id: [2, 'certificate field revelation'],
-                                key_id: "#{cert_arg[:type]} #{cert_arg[:serial_number]} #{field_name}",
+                                protocol_id: [2, 'certificate field encryption'],
+                                key_id: "#{cert_arg[:serial_number]} #{field_name}",
                                 counterparty: verifier
                               })
           keyring_for_verifier[field_name] = encrypted[:ciphertext]
diff --git a/gem/bsv-wallet/spec/bsv/wallet_interface/certificate_spec.rb b/gem/bsv-wallet/spec/bsv/wallet_interface/certificate_spec.rb
@@ -462,8 +462,8 @@
 
       decrypted = verifier_wallet.decrypt({
                                             ciphertext: result[:keyring_for_verifier]['name'],
-                                            protocol_id: [2, 'certificate field revelation'],
-                                            key_id: "#{cert_type} #{serial_number} name",
+                                            protocol_id: [2, 'certificate field encryption'],
+                                            key_id: "#{serial_number} name",
                                             counterparty: prover_identity
                                           })
       expect(decrypted[:plaintext].pack('C*')).to eq(keyring['name'])
