Currently, there is no way to validate that an application's saved public key is still valid. If not we cannot tell whether the decrypted secret key is valid or not either until it is used to decrypt the certificate. If it fails, we currently get a NumberFormatException.

We need to do two things:

1. For the current (version 1) Trusted Application implementation add a simple decrypted SecretKey validation that checks that the key data length is 16 bytes.
2. For version 2, add a new header that is a constant encrypted with the client's private key. If we can successfully decrypt that, the client's public key is valid.

It is important that the transition to a version 2 of the protocol is fully backwards compatible with version 1.