@Test
  public void testGetPublicCertificates() throws Exception {
    Collection<PublicCertificate> certs = appIdentity.getPublicCertificatesForApp();
    Assert.assertTrue("No certificates returned.", !certs.isEmpty());

    for (PublicCertificate publicCert : certs) {
      Assert.assertTrue(
          "No name for certificate.", !publicCert.getCertificateName().trim().isEmpty());

      String pemFormat = publicCert.getX509CertificateInPemFormat();
      String errMsg = "getX509CertificateInPemFormat():" + pemFormat;
      // TODO better check?
      Assert.assertTrue(errMsg, pemFormat.startsWith("-----BEGIN"));
      Assert.assertTrue(errMsg, pemFormat.contains("-----END"));

      InputStream stream =
          new ByteArrayInputStream(publicCert.getX509CertificateInPemFormat().getBytes("UTF-8"));
      CertificateFactory cf = CertificateFactory.getInstance("X.509");
      Certificate cert = cf.generateCertificate(stream);

      PublicKey pk = cert.getPublicKey();
      Assert.assertNotNull(pk.getEncoded());
    }
  }
  /*
   * Try all certificates with the signed blob.  Any cert throws an exception is a test Error.
   * Any cert is valid with no exceptions, then pass.
   *
   * Debugging this can be a pain, so being extra verbose and explicit with logging.
   */
  private boolean verifySignatureWithAllCertsForApp(
      byte[] blob, byte[] signedBlob, Collection<PublicCertificate> certsForApp) {

    if (certsForApp.isEmpty()) {
      throw new IllegalStateException("No certificates to validate.  Must have at least 1.");
    }
    int currentCertNum = 0;
    int totalValid = 0;
    int totalInvalid = 0;
    List<Exception> allExceptions = new ArrayList<>();

    for (PublicCertificate publicCert : certsForApp) {
      Signature signature;
      Certificate cert = null;
      currentCertNum++;

      log.info("Processing certNum:" + currentCertNum);
      try {
        byte[] certBytes = publicCert.getX509CertificateInPemFormat().getBytes("UTF-8");
        InputStream stream = new ByteArrayInputStream(certBytes);
        signature = Signature.getInstance("SHA256withRSA"); // Make this configurable?
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        cert = cf.generateCertificate(stream);
        log.info(cert.toString());

        PublicKey pk = cert.getPublicKey();
        signature.initVerify(pk);
        signature.update(blob);
        boolean isValidSignature = signature.verify(signedBlob);

        if (isValidSignature) {
          totalValid++;
        } else {
          totalInvalid++;
        }
        log.info("certNum:" + currentCertNum + ": is valid:" + isValidSignature);

        // These can be thrown:
        // UnsupportedEncodingException, NoSuchAlgorithmException, CertificateException,
        // SignatureException, InvalidKeyException
      } catch (Exception e) {
        Exception logException = createExceptionForLog(e, currentCertNum, cert);
        allExceptions.add(logException);
        log.info(e.toString());
      }
    }
    String summary =
        "totalCerts:"
            + certsForApp.size()
            + ": totalValid:"
            + totalValid
            + " totalInvalid:"
            + totalInvalid
            + " totalExceptions:"
            + allExceptions.size();
    log.info(summary);

    // At least one certificate caused an exception so make test Error.
    if (allExceptions.size() > 0) {
      throw new IllegalStateException(summary + "\n\n" + exceptionListToString(allExceptions));
    }

    // At least one signature was valid and no exceptions thrown.
    return (totalValid > 0);
  }