@fedify/fedify 2.2.0-pr.710.26 → 2.2.0-pr.715.27

package/dist/{proof-CP0GRqWY.cjs → proof-3RPJLWOU.cjs}

@@ -1,7 +1,7 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 const require_chunk = require("./chunk-DDcVe30Y.cjs");
-const require_http = require("./http-Dgit35mk.cjs");
+const require_http = require("./http-R-epZzZQ.cjs");
 let _logtape_logtape = require("@logtape/logtape");
 let _fedify_vocab = require("@fedify/vocab");
 let _opentelemetry_api = require("@opentelemetry/api");
@@ -13,7 +13,7 @@ _fedify_vocab_runtime_jsonld = require_chunk.__toESM(_fedify_vocab_runtime_jsonl
 let json_canon = require("json-canon");
 json_canon = require_chunk.__toESM(json_canon);
 //#region src/sig/ld.ts
-const logger$2 = (0, _logtape_logtape.getLogger)([
+const logger$1 = (0, _logtape_logtape.getLogger)([
 	"fedify",
 	"sig",
 	"ld"
@@ -161,7 +161,7 @@ async function verifySignature(jsonLd, options = {}) {
 	try {
 		signature = (0, byte_encodings_base64.decodeBase64)(sig.signatureValue);
 	} catch (error) {
-		logger$2.debug("Failed to verify; invalid base64 signatureValue: {signatureValue}", {
+		logger$1.debug("Failed to verify; invalid base64 signatureValue: {signatureValue}", {
 			...sig,
 			error
 		});
@@ -180,7 +180,7 @@ async function verifySignature(jsonLd, options = {}) {
 	try {
 		sigOptsHash = await hashJsonLd(sigOpts, options.contextLoader);
 	} catch (error) {
-		logger$2.warn("Failed to verify; failed to hash the signature options: {signatureOptions}\n{error}", {
+		logger$1.warn("Failed to verify; failed to hash the signature options: {signatureOptions}\n{error}", {
 			signatureOptions: sigOpts,
 			error
 		});
@@ -192,7 +192,7 @@ async function verifySignature(jsonLd, options = {}) {
 	try {
 		docHash = await hashJsonLd(document, options.contextLoader);
 	} catch (error) {
-		logger$2.warn("Failed to verify; failed to hash the document: {document}\n{error}", {
+		logger$1.warn("Failed to verify; failed to hash the document: {document}\n{error}", {
 			document,
 			error
 		});
@@ -203,7 +203,7 @@ async function verifySignature(jsonLd, options = {}) {
 	const messageBytes = encoder.encode(message);
 	if (await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes)) return key;
 	if (cached) {
-		logger$2.debug("Failed to verify with the cached key {keyId}; signature {signatureValue} is invalid.  Retrying with the freshly fetched key...", {
+		logger$1.debug("Failed to verify with the cached key {keyId}; signature {signatureValue} is invalid.  Retrying with the freshly fetched key...", {
 			keyId: sig.creator,
 			...sig
 		});
@@ -217,7 +217,7 @@ async function verifySignature(jsonLd, options = {}) {
 		if (key == null) return null;
 		return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes) ? key : null;
 	}
-	logger$2.debug("Failed to verify with the fetched key {keyId}; signature {signatureValue} is invalid.  Check if the key is correct or if the signed message is correct.  The message to sign is:\n{message}", {
+	logger$1.debug("Failed to verify with the fetched key {keyId}; signature {signatureValue} is invalid.  Check if the key is correct or if the signed message is correct.  The message to sign is:\n{message}", {
 		keyId: sig.creator,
 		...sig,
 		message
@@ -249,12 +249,12 @@ async function verifyJsonLd(jsonLd, options = {}) {
 			const key = await verifySignature(jsonLd, options);
 			if (key == null) return false;
 			if (key.ownerId == null) {
-				logger$2.debug("Key {keyId} has no owner.", { keyId: key.id?.href });
+				logger$1.debug("Key {keyId} has no owner.", { keyId: key.id?.href });
 				return false;
 			}
 			attributions.delete(key.ownerId.href);
 			if (attributions.size > 0) {
-				logger$2.debug("Some attributions are not authenticated by the Linked Data Signatures: {attributions}.", { attributions: [...attributions] });
+				logger$1.debug("Some attributions are not authenticated by the Linked Data Signatures: {attributions}.", { attributions: [...attributions] });
 				return false;
 			}
 			return true;
@@ -389,179 +389,6 @@ async function getKeyOwner(keyId, options) {
 	return null;
 }
 //#endregion
-//#region src/compat/public-audience.ts
-const logger$1 = (0, _logtape_logtape.getLogger)([
-	"fedify",
-	"compat",
-	"public-audience"
-]);
-const PUBLIC_ADDRESSING_FIELDS = new Set([
-	"to",
-	"cc",
-	"bto",
-	"bcc",
-	"audience"
-]);
-const preloadedOnlyDocumentLoader = (url) => {
-	if (Object.hasOwn(_fedify_vocab_runtime.preloadedContexts, url)) return Promise.resolve({
-		contextUrl: null,
-		documentUrl: url,
-		document: _fedify_vocab_runtime.preloadedContexts[url]
-	});
-	return Promise.reject(/* @__PURE__ */ new Error("Refusing to fetch a non-preloaded JSON-LD context: " + url));
-};
-const AS_CONTEXT_URL = "https://www.w3.org/ns/activitystreams";
-const MAX_TRAVERSAL_DEPTH = 64;
-const KNOWN_SAFE_CONTEXT_URLS = new Set(Object.keys(_fedify_vocab_runtime.preloadedContexts));
-function hasPublicCurieInAddressing(value, parentKey, depth = 0) {
-	if (typeof value === "string") return parentKey != null && PUBLIC_ADDRESSING_FIELDS.has(parentKey) && (value === "as:Public" || value === "Public");
-	if (depth >= MAX_TRAVERSAL_DEPTH) return false;
-	if (Array.isArray(value)) return value.some((item) => hasPublicCurieInAddressing(item, parentKey, depth + 1));
-	if (typeof value !== "object" || value == null) return false;
-	const record = value;
-	for (const key of Object.keys(record)) {
-		if (key === "@context") continue;
-		if (hasPublicCurieInAddressing(record[key], key, depth + 1)) return true;
-	}
-	return false;
-}
-function rewritePublicAudience(value, parentKey, depth = 0) {
-	if (typeof value === "string" && parentKey != null && PUBLIC_ADDRESSING_FIELDS.has(parentKey) && (value === "as:Public" || value === "Public")) return _fedify_vocab.PUBLIC_COLLECTION.href;
-	if (depth >= MAX_TRAVERSAL_DEPTH) return value;
-	if (Array.isArray(value)) {
-		let changed = false;
-		const mapped = value.map((item) => {
-			const rewritten = rewritePublicAudience(item, parentKey, depth + 1);
-			if (rewritten !== item) changed = true;
-			return rewritten;
-		});
-		return changed ? mapped : value;
-	}
-	if (typeof value !== "object" || value == null) return value;
-	const record = value;
-	let changed = false;
-	const normalized = Object.create(null);
-	for (const key of Object.keys(record)) {
-		const rewritten = key === "@context" ? record[key] : rewritePublicAudience(record[key], key, depth + 1);
-		if (rewritten !== record[key]) changed = true;
-		normalized[key] = rewritten;
-	}
-	return changed ? normalized : value;
-}
-/**
-* Reports whether `value` carries an `@context` property anywhere inside
-* its subtree (not counting the value itself).  A nested `@context` can
-* introduce a local term-definition scope that redefines `as:` or `Public`
-* even when the top-level `@context` is safe, so the fast path must defer
-* to the URDNA2015 equivalence check whenever one is present.
-*/
-function hasNestedContext(value, depth = 0) {
-	if (depth >= MAX_TRAVERSAL_DEPTH) return true;
-	if (Array.isArray(value)) return value.some((item) => hasNestedContext(item, depth + 1));
-	if (typeof value !== "object" || value == null) return false;
-	const record = value;
-	for (const key of Object.keys(record)) {
-		if (key === "@context") return true;
-		if (hasNestedContext(record[key], depth + 1)) return true;
-	}
-	return false;
-}
-/**
-* Checks whether the `@context` of a JSON-LD document is guaranteed not
-* to redefine the `as:` prefix or the bare `Public` term.  Only documents
-* whose `@context` is a string, or an array of strings, drawn from Fedify's
-* preloaded context set AND including the ActivityStreams URL qualify,
-* AND no nested subtree carries its own `@context` that might redefine
-* those terms within a local scope.  When all of that holds the rewrite
-* is provably semantics-preserving and the URDNA2015 equivalence check
-* can be skipped.  Any other shape (unknown external URLs, inline
-* objects at the top level, nested `@context` blocks) is treated as
-* potentially unsafe.
-*/
-function hasKnownSafeContext(jsonLd) {
-	if (typeof jsonLd !== "object" || jsonLd == null) return false;
-	const record = jsonLd;
-	if (!Object.hasOwn(record, "@context")) return false;
-	const ctx = record["@context"];
-	const entries = typeof ctx === "string" ? [ctx] : Array.isArray(ctx) ? ctx : null;
-	if (entries == null || entries.length === 0) return false;
-	let hasAs = false;
-	for (const entry of entries) {
-		if (typeof entry !== "string") return false;
-		if (!KNOWN_SAFE_CONTEXT_URLS.has(entry)) return false;
-		if (entry === AS_CONTEXT_URL) hasAs = true;
-	}
-	if (!hasAs) return false;
-	for (const key of Object.keys(record)) {
-		if (key === "@context") continue;
-		if (hasNestedContext(record[key])) return false;
-	}
-	return true;
-}
-/**
-* Rewrites the compact `as:Public` / `Public` CURIE appearing in activity
-* addressing fields (`to`, `cc`, `bto`, `bcc`, `audience`) to the fully
-* expanded `https://www.w3.org/ns/activitystreams#Public` URI.
-*
-* Several ActivityPub implementations, Lemmy among them, match these
-* fields as plain URLs without running JSON-LD expansion, and silently
-* drop activities whose public addressing appears in CURIE form.  This
-* helper works around that gap.
-*
-* For documents whose `@context` is drawn entirely from Fedify's
-* preloaded context set and includes the ActivityStreams URL, the
-* rewrite is applied directly: the content of every preloaded non-AS
-* context is known not to redefine the `as:` prefix or the bare `Public`
-* term, so the semantics are preserved by construction.  Any other
-* shape (an inline object, an unknown external URL, and so on) is
-* treated as potentially unsafe and gated on a JSON-LD equivalence
-* check; both forms are canonicalized with URDNA2015 and the resulting
-* N-Quads are compared.  When they differ, the original document is
-* returned unchanged.  Canonicalization failures also fall back to the
-* original document.
-*
-* When no `contextLoader` is supplied the helper falls back to an
-* internal loader that resolves only the URLs in Fedify's
-* preloaded-contexts set and rejects every other URL without issuing a
-* network request.  That behaviour is deliberately narrower than
-* `@fedify/vocab-runtime`'s `getDocumentLoader()`, which after its
-* `validatePublicUrl` check will happily fetch non-preloaded URLs: the
-* helper is reached from verification paths (`verifyProof()` /
-* `verifyObject()`) that operate on inbound, potentially adversarial
-* JSON-LD, and a default loader that fetches attacker-supplied
-* `@context` URLs on the caller's behalf would be an SSRF vector.
-* Canonicalization failures against the restricted loader fall back to
-* the original document, same as any other canonicalization error.
-* Callers that genuinely need the remote-fetch loader (for example
-* applications that sign local JSON-LD against a custom vocabulary)
-* should pass a `contextLoader` explicitly.
-*
-* Must be called before any signing step that canonicalizes the
-* compact form byte-for-byte (for example, Object Integrity Proofs
-* using the `eddsa-jcs-2022` cryptosuite), so the signed payload
-* matches what is sent on the wire.
-*/
-async function normalizePublicAudience(jsonLd, contextLoader) {
-	if (!hasPublicCurieInAddressing(jsonLd)) return jsonLd;
-	const normalized = rewritePublicAudience(jsonLd);
-	if (hasKnownSafeContext(jsonLd)) return normalized;
-	const loader = contextLoader ?? preloadedOnlyDocumentLoader;
-	try {
-		const [before, after] = await Promise.all([_fedify_vocab_runtime_jsonld.default.canonize(jsonLd, {
-			format: "application/n-quads",
-			documentLoader: loader
-		}), _fedify_vocab_runtime_jsonld.default.canonize(normalized, {
-			format: "application/n-quads",
-			documentLoader: loader
-		})]);
-		if (before === after) return normalized;
-		logger$1.warn("Expanding the public audience CURIE to its full URI would change the canonical form of the activity; sending the activity as is.  This usually means the active JSON-LD context redefines the `as:` prefix or the bare `Public` term.");
-	} catch (error) {
-		logger$1.debug("Failed to verify public audience normalization equivalence via JSON-LD canonicalization; sending the activity as is.\n{error}", { error });
-	}
-	return jsonLd;
-}
-//#endregion
 //#region src/sig/proof.ts
 const logger = (0, _logtape_logtape.getLogger)([
 	"fedify",
@@ -610,12 +437,11 @@ function hasProofLike(jsonLd) {
 async function createProof(object, privateKey, keyId, { contextLoader, context, created } = {}) {
 	require_http.validateCryptoKey(privateKey, "private");
 	if (privateKey.algorithm.name !== "Ed25519") throw new TypeError("Unsupported algorithm: " + privateKey.algorithm.name);
-	let compactMsg = await object.clone({ proofs: [] }).toJsonLd({
+	const compactMsg = await object.clone({ proofs: [] }).toJsonLd({
 		format: "compact",
 		contextLoader,
 		context
 	});
-	compactMsg = await normalizePublicAudience(compactMsg, contextLoader);
 	const msgCanon = (0, json_canon.default)(compactMsg);
 	const encoder = new TextEncoder();
 	const msgBytes = encoder.encode(msgCanon);
@@ -710,25 +536,27 @@ async function verifyProof(jsonLd, proof, options = {}) {
 	});
 }
 async function verifyProofInternal(jsonLd, proof, options) {
-	if (typeof jsonLd !== "object" || jsonLd == null || Array.isArray(jsonLd) || proof.cryptosuite !== "eddsa-jcs-2022" || proof.verificationMethodId == null || proof.proofPurpose !== "assertionMethod" || proof.proofValue == null || proof.created == null) return null;
+	if (typeof jsonLd !== "object" || proof.cryptosuite !== "eddsa-jcs-2022" || proof.verificationMethodId == null || proof.proofPurpose !== "assertionMethod" || proof.proofValue == null || proof.created == null) return null;
 	const publicKeyPromise = require_http.fetchKey(proof.verificationMethodId, _fedify_vocab.Multikey, options);
-	const proofConfig = {
+	const proofCanon = (0, json_canon.default)({
 		"@context": jsonLd["@context"],
 		type: "DataIntegrityProof",
 		cryptosuite: proof.cryptosuite,
 		verificationMethod: proof.verificationMethodId.href,
 		proofPurpose: proof.proofPurpose,
 		created: proof.created.toString()
-	};
+	});
 	const encoder = new TextEncoder();
-	const proofBytes = encoder.encode((0, json_canon.default)(proofConfig));
+	const proofBytes = encoder.encode(proofCanon);
 	const proofDigest = await crypto.subtle.digest("SHA-256", proofBytes);
 	const msg = { ...jsonLd };
 	if ("proof" in msg) delete msg.proof;
-	if ("https://w3id.org/security#proof" in msg) delete msg["https://w3id.org/security#proof"];
-	const candidates = [msg];
-	const normalized = await normalizePublicAudience(msg, options.contextLoader);
-	if (normalized !== msg) candidates.push(normalized);
+	const msgCanon = (0, json_canon.default)(msg);
+	const msgBytes = encoder.encode(msgCanon);
+	const msgDigest = await crypto.subtle.digest("SHA-256", msgBytes);
+	const digest = new Uint8Array(proofDigest.byteLength + msgDigest.byteLength);
+	digest.set(new Uint8Array(proofDigest), 0);
+	digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
 	let fetchedKey;
 	try {
 		fetchedKey = await publicKeyPromise;
@@ -757,7 +585,7 @@ async function verifyProofInternal(jsonLd, proof, options) {
 			return await verifyProof(jsonLd, proof, {
 				...options,
 				keyCache: {
-					get: () => Promise.resolve(void 0),
+					get: () => Promise.resolve(null),
 					set: async (keyId, key) => await options.keyCache?.set(keyId, key)
 				}
 			});
@@ -768,32 +596,27 @@ async function verifyProofInternal(jsonLd, proof, options) {
 		});
 		return null;
 	}
-	const digest = new Uint8Array(proofDigest.byteLength + 32);
-	digest.set(new Uint8Array(proofDigest), 0);
-	for (const candidate of candidates) {
-		const msgBytes = encoder.encode((0, json_canon.default)(candidate));
-		const msgDigest = await crypto.subtle.digest("SHA-256", msgBytes);
-		digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
-		if (await crypto.subtle.verify("Ed25519", publicKey.publicKey, proof.proofValue.slice(), digest)) return publicKey;
-	}
-	if (fetchedKey.cached) {
-		logger.debug("Failed to verify the proof with the cached key {keyId}; retrying with the freshly fetched key...", {
+	if (!await crypto.subtle.verify("Ed25519", publicKey.publicKey, proof.proofValue.slice(), digest)) {
+		if (fetchedKey.cached) {
+			logger.debug("Failed to verify the proof with the cached key {keyId}; retrying with the freshly fetched key...", {
+				keyId: proof.verificationMethodId.href,
+				proof
+			});
+			return await verifyProof(jsonLd, proof, {
+				...options,
+				keyCache: {
+					get: () => Promise.resolve(void 0),
+					set: async (keyId, key) => await options.keyCache?.set(keyId, key)
+				}
+			});
+		}
+		logger.debug("Failed to verify the proof with the fetched key {keyId}:\n{proof}", {
 			keyId: proof.verificationMethodId.href,
 			proof
 		});
-		return await verifyProof(jsonLd, proof, {
-			...options,
-			keyCache: {
-				get: () => Promise.resolve(void 0),
-				set: async (keyId, key) => await options.keyCache?.set(keyId, key)
-			}
-		});
+		return null;
 	}
-	logger.debug("Failed to verify the proof with the fetched key {keyId}:\n{proof}", {
-		keyId: proof.verificationMethodId.href,
-		proof
-	});
-	return null;
+	return publicKey;
 }
 /**
 * Verifies the given object.  It will verify all the proofs in the object,
@@ -882,12 +705,6 @@ Object.defineProperty(exports, "hasSignatureLike", {
 		return hasSignatureLike;
 	}
 });
-Object.defineProperty(exports, "normalizePublicAudience", {
-	enumerable: true,
-	get: function() {
-		return normalizePublicAudience;
-	}
-});
 Object.defineProperty(exports, "signJsonLd", {
 	enumerable: true,
 	get: function() {

package/dist/{proof-BbfBQytm.mjs → proof-UdlPVu_P.mjs}

@@ -1,9 +1,8 @@
 import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-Bg4eBr2D.mjs";
-import { n as fetchKey, o as validateCryptoKey } from "./key-DkuUQiqs.mjs";
-import { t as normalizePublicAudience } from "./public-audience-eovWqzOF.mjs";
+import { n as version, t as name } from "./deno-_fgAC2zJ.mjs";
+import { n as fetchKey, o as validateCryptoKey } from "./key-Ce0SDXK2.mjs";
 import { Activity, DataIntegrityProof, Multikey, getTypeId } from "@fedify/vocab";
 import { SpanStatusCode, trace } from "@opentelemetry/api";
 import { getLogger } from "@logtape/logtape";
@@ -57,12 +56,11 @@ function hasProofLike(jsonLd) {
 async function createProof(object, privateKey, keyId, { contextLoader, context, created } = {}) {
 	validateCryptoKey(privateKey, "private");
 	if (privateKey.algorithm.name !== "Ed25519") throw new TypeError("Unsupported algorithm: " + privateKey.algorithm.name);
-	let compactMsg = await object.clone({ proofs: [] }).toJsonLd({
+	const compactMsg = await object.clone({ proofs: [] }).toJsonLd({
 		format: "compact",
 		contextLoader,
 		context
 	});
-	compactMsg = await normalizePublicAudience(compactMsg, contextLoader);
 	const msgCanon = serialize(compactMsg);
 	const encoder = new TextEncoder();
 	const msgBytes = encoder.encode(msgCanon);
@@ -157,25 +155,27 @@ async function verifyProof(jsonLd, proof, options = {}) {
 	});
 }
 async function verifyProofInternal(jsonLd, proof, options) {
-	if (typeof jsonLd !== "object" || jsonLd == null || Array.isArray(jsonLd) || proof.cryptosuite !== "eddsa-jcs-2022" || proof.verificationMethodId == null || proof.proofPurpose !== "assertionMethod" || proof.proofValue == null || proof.created == null) return null;
+	if (typeof jsonLd !== "object" || proof.cryptosuite !== "eddsa-jcs-2022" || proof.verificationMethodId == null || proof.proofPurpose !== "assertionMethod" || proof.proofValue == null || proof.created == null) return null;
 	const publicKeyPromise = fetchKey(proof.verificationMethodId, Multikey, options);
-	const proofConfig = {
+	const proofCanon = serialize({
 		"@context": jsonLd["@context"],
 		type: "DataIntegrityProof",
 		cryptosuite: proof.cryptosuite,
 		verificationMethod: proof.verificationMethodId.href,
 		proofPurpose: proof.proofPurpose,
 		created: proof.created.toString()
-	};
+	});
 	const encoder = new TextEncoder();
-	const proofBytes = encoder.encode(serialize(proofConfig));
+	const proofBytes = encoder.encode(proofCanon);
 	const proofDigest = await crypto.subtle.digest("SHA-256", proofBytes);
 	const msg = { ...jsonLd };
 	if ("proof" in msg) delete msg.proof;
-	if ("https://w3id.org/security#proof" in msg) delete msg["https://w3id.org/security#proof"];
-	const candidates = [msg];
-	const normalized = await normalizePublicAudience(msg, options.contextLoader);
-	if (normalized !== msg) candidates.push(normalized);
+	const msgCanon = serialize(msg);
+	const msgBytes = encoder.encode(msgCanon);
+	const msgDigest = await crypto.subtle.digest("SHA-256", msgBytes);
+	const digest = new Uint8Array(proofDigest.byteLength + msgDigest.byteLength);
+	digest.set(new Uint8Array(proofDigest), 0);
+	digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
 	let fetchedKey;
 	try {
 		fetchedKey = await publicKeyPromise;
@@ -204,7 +204,7 @@ async function verifyProofInternal(jsonLd, proof, options) {
 			return await verifyProof(jsonLd, proof, {
 				...options,
 				keyCache: {
-					get: () => Promise.resolve(void 0),
+					get: () => Promise.resolve(null),
 					set: async (keyId, key) => await options.keyCache?.set(keyId, key)
 				}
 			});
@@ -215,32 +215,27 @@ async function verifyProofInternal(jsonLd, proof, options) {
 		});
 		return null;
 	}
-	const digest = new Uint8Array(proofDigest.byteLength + 32);
-	digest.set(new Uint8Array(proofDigest), 0);
-	for (const candidate of candidates) {
-		const msgBytes = encoder.encode(serialize(candidate));
-		const msgDigest = await crypto.subtle.digest("SHA-256", msgBytes);
-		digest.set(new Uint8Array(msgDigest), proofDigest.byteLength);
-		if (await crypto.subtle.verify("Ed25519", publicKey.publicKey, proof.proofValue.slice(), digest)) return publicKey;
-	}
-	if (fetchedKey.cached) {
-		logger.debug("Failed to verify the proof with the cached key {keyId}; retrying with the freshly fetched key...", {
+	if (!await crypto.subtle.verify("Ed25519", publicKey.publicKey, proof.proofValue.slice(), digest)) {
+		if (fetchedKey.cached) {
+			logger.debug("Failed to verify the proof with the cached key {keyId}; retrying with the freshly fetched key...", {
+				keyId: proof.verificationMethodId.href,
+				proof
+			});
+			return await verifyProof(jsonLd, proof, {
+				...options,
+				keyCache: {
+					get: () => Promise.resolve(void 0),
+					set: async (keyId, key) => await options.keyCache?.set(keyId, key)
+				}
+			});
+		}
+		logger.debug("Failed to verify the proof with the fetched key {keyId}:\n{proof}", {
 			keyId: proof.verificationMethodId.href,
 			proof
 		});
-		return await verifyProof(jsonLd, proof, {
-			...options,
-			keyCache: {
-				get: () => Promise.resolve(void 0),
-				set: async (keyId, key) => await options.keyCache?.set(keyId, key)
-			}
-		});
+		return null;
 	}
-	logger.debug("Failed to verify the proof with the fetched key {keyId}:\n{proof}", {
-		keyId: proof.verificationMethodId.href,
-		proof
-	});
-	return null;
+	return publicKey;
 }
 /**
 * Verifies the given object.  It will verify all the proofs in the object,