@nuggetslife/vc 0.0.21 → 0.0.23

package/src/jose.rs

@@ -0,0 +1,415 @@
+use serde_json::Value;
+
+use vc::jose::{
+    functions::{
+        jose_compact_sign_json, jose_compact_verify_json, jose_decrypt, jose_decrypt_json,
+        jose_encrypt, jose_flattened_sign_json, jose_general_encrypt_json, jose_general_sign_json,
+        jose_generate_key_pair, jose_generate_key_pair_jwk, jose_verify_json,
+    },
+    types::{
+        TOKEN_TYPE_DIDCOM_ENCRYPTED, TOKEN_TYPE_DIDCOM_SIGNED, TOKEN_TYPE_JWT,
+    },
+};
+
+// ---------------------------------------------------------------------------
+// Enums — numeric values match @nuggetslife/ffi-jose exactly
+// ---------------------------------------------------------------------------
+
+#[napi]
+pub enum JoseNamedCurve {
+    P256 = 0,
+    P384 = 1,
+    P521 = 2,
+    Secp256k1 = 3,
+    Ed25519 = 4,
+    Ed448 = 5,
+    X25519 = 6,
+    X448 = 7,
+}
+
+impl JoseNamedCurve {
+    fn to_rust_string(&self) -> &'static str {
+        match self {
+            JoseNamedCurve::P256 => "P-256",
+            JoseNamedCurve::P384 => "P-384",
+            JoseNamedCurve::P521 => "P-521",
+            JoseNamedCurve::Secp256k1 => "SECP256K1",
+            JoseNamedCurve::Ed25519 => "ED25519",
+            JoseNamedCurve::Ed448 => "ED448",
+            JoseNamedCurve::X25519 => "X25519",
+            JoseNamedCurve::X448 => "X448",
+        }
+    }
+}
+
+#[napi]
+pub enum JoseContentEncryption {
+    A128gcm = 0,
+    A192gcm = 1,
+    A256gcm = 2,
+    A128cbcHs256 = 3,
+    A192cbcHs384 = 4,
+    A256cbcHs512 = 5,
+}
+
+impl JoseContentEncryption {
+    fn to_rust_string(&self) -> &'static str {
+        match self {
+            JoseContentEncryption::A128gcm => "A128GCM",
+            JoseContentEncryption::A192gcm => "A192GCM",
+            JoseContentEncryption::A256gcm => "A256GCM",
+            JoseContentEncryption::A128cbcHs256 => "A128CBC-HS256",
+            JoseContentEncryption::A192cbcHs384 => "A192CBC-HS384",
+            JoseContentEncryption::A256cbcHs512 => "A256CBC-HS512",
+        }
+    }
+}
+
+#[napi]
+pub enum JoseKeyEncryption {
+    Dir = 0,
+    EcdhEs = 1,
+    EcdhEsA128kw = 2,
+    EcdhEsA192kw = 3,
+    EcdhEsA256kw = 4,
+    Rsa1_5 = 5,
+    RsaOaep = 6,
+    RsaOaep256 = 7,
+    RsaOaep384 = 8,
+    RsaOaep512 = 9,
+    Pbes2Hs256A128kw = 10,
+    Pbes2Hs384A192kw = 11,
+    Pbes2Hs512A256kw = 12,
+    A128kw = 13,
+    A192kw = 14,
+    A256kw = 15,
+    A128gcmkw = 16,
+    A192gcmkw = 17,
+    A256gcmkw = 18,
+}
+
+impl JoseKeyEncryption {
+    fn to_rust_string(&self) -> &'static str {
+        match self {
+            JoseKeyEncryption::Dir => "dir",
+            JoseKeyEncryption::EcdhEs => "ECDH-ES",
+            JoseKeyEncryption::EcdhEsA128kw => "ECDH-ES+A128KW",
+            JoseKeyEncryption::EcdhEsA192kw => "ECDH-ES+A192KW",
+            JoseKeyEncryption::EcdhEsA256kw => "ECDH-ES+A256KW",
+            JoseKeyEncryption::Rsa1_5 => "RSA1_5",
+            JoseKeyEncryption::RsaOaep => "RSA-OAEP",
+            JoseKeyEncryption::RsaOaep256 => "RSA-OAEP-256",
+            JoseKeyEncryption::RsaOaep384 => "RSA-OAEP-384",
+            JoseKeyEncryption::RsaOaep512 => "RSA-OAEP-512",
+            JoseKeyEncryption::Pbes2Hs256A128kw => "PBES2-HS256+A128KW",
+            JoseKeyEncryption::Pbes2Hs384A192kw => "PBES2-HS384+A192KW",
+            JoseKeyEncryption::Pbes2Hs512A256kw => "PBES2-HS512+A256KW",
+            JoseKeyEncryption::A128kw => "A128KW",
+            JoseKeyEncryption::A192kw => "A192KW",
+            JoseKeyEncryption::A256kw => "A256KW",
+            JoseKeyEncryption::A128gcmkw => "A128GCMKW",
+            JoseKeyEncryption::A192gcmkw => "A192GCMKW",
+            JoseKeyEncryption::A256gcmkw => "A256GCMKW",
+        }
+    }
+}
+
+#[napi]
+pub enum JoseSigningAlgorithm {
+    Es256 = 0,
+    Es384 = 1,
+    Es512 = 2,
+    Es256k = 3,
+    Eddsa = 4,
+    Hs256 = 5,
+    Hs384 = 6,
+    Hs512 = 7,
+    Rs256 = 8,
+    Rs384 = 9,
+    Rs512 = 10,
+    Ps256 = 11,
+    Ps384 = 12,
+    Ps512 = 13,
+}
+
+impl JoseSigningAlgorithm {
+    fn to_rust_string(&self) -> &'static str {
+        match self {
+            JoseSigningAlgorithm::Es256 => "ES256",
+            JoseSigningAlgorithm::Es384 => "ES384",
+            JoseSigningAlgorithm::Es512 => "ES512",
+            JoseSigningAlgorithm::Es256k => "ES256K",
+            JoseSigningAlgorithm::Eddsa => "EDDSA",
+            JoseSigningAlgorithm::Hs256 => "HS256",
+            JoseSigningAlgorithm::Hs384 => "HS384",
+            JoseSigningAlgorithm::Hs512 => "HS512",
+            JoseSigningAlgorithm::Rs256 => "RS256",
+            JoseSigningAlgorithm::Rs384 => "RS384",
+            JoseSigningAlgorithm::Rs512 => "RS512",
+            JoseSigningAlgorithm::Ps256 => "PS256",
+            JoseSigningAlgorithm::Ps384 => "PS384",
+            JoseSigningAlgorithm::Ps512 => "PS512",
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Result types
+// ---------------------------------------------------------------------------
+
+#[napi(object)]
+pub struct JoseEncryptResult {
+    pub ciphertext: String,
+    pub tag: Option<String>,
+}
+
+// ---------------------------------------------------------------------------
+// Key Generation (Task 9)
+// ---------------------------------------------------------------------------
+
+/// Generate a JWK key pair and return the JWK (public + private) as a JSON object.
+/// Matches ffi-jose `generateJWK({ namedCurve })`.
+#[napi]
+pub fn generate_jwk(named_curve: JoseNamedCurve) -> napi::Result<Value> {
+    let curve = named_curve.to_rust_string().to_string();
+    let jwk_str = jose_generate_key_pair_jwk(curve)
+        .map_err(|e| napi::Error::from_reason(format!("generateJWK failed: {e}")))?;
+    serde_json::from_str(&jwk_str)
+        .map_err(|e| napi::Error::from_reason(format!("generateJWK parse failed: {e}")))
+}
+
+/// Generate a full key pair (JWK, PEM, DER formats) and return as a JSON object.
+/// Matches ffi-jose `generateKeyPair(type, { namedCurve })`.
+#[napi]
+pub fn generate_key_pair(named_curve: JoseNamedCurve) -> napi::Result<Value> {
+    let curve = named_curve.to_rust_string().to_string();
+    let kp_str = jose_generate_key_pair(curve)
+        .map_err(|e| napi::Error::from_reason(format!("generateKeyPair failed: {e}")))?;
+    serde_json::from_str(&kp_str)
+        .map_err(|e| napi::Error::from_reason(format!("generateKeyPair parse failed: {e}")))
+}
+
+// ---------------------------------------------------------------------------
+// Symmetric Encrypt/Decrypt (Task 10)
+// ---------------------------------------------------------------------------
+
+/// Low-level symmetric encryption. Key and IV as hex strings, plaintext as base64.
+/// Matches ffi-jose `encrypt(enc, plaintext, cek, iv, aad, didcomm)`.
+#[napi(js_name = "joseEncrypt")]
+pub fn jose_encrypt_napi(
+    enc: JoseContentEncryption,
+    key: String,
+    iv: String,
+    message: String,
+    aad: Option<String>,
+) -> napi::Result<JoseEncryptResult> {
+    let result = jose_encrypt(
+        enc.to_rust_string().to_string(),
+        key,
+        iv,
+        message,
+        aad.unwrap_or_default(),
+    )
+    .map_err(|e| napi::Error::from_reason(format!("joseEncrypt failed: {e}")))?;
+
+    Ok(JoseEncryptResult {
+        ciphertext: result.ciphertext,
+        tag: result.tag,
+    })
+}
+
+/// Low-level symmetric decryption. Returns base64-encoded plaintext.
+/// Matches ffi-jose `decrypt(enc, cek, ciphertext, iv, tag, aad)`.
+#[napi(js_name = "joseDecrypt")]
+pub fn jose_decrypt_napi(
+    enc: JoseContentEncryption,
+    key: String,
+    iv: String,
+    ciphertext: String,
+    aad: Option<String>,
+    tag: Option<String>,
+) -> napi::Result<String> {
+    jose_decrypt(
+        enc.to_rust_string().to_string(),
+        key,
+        iv,
+        ciphertext,
+        aad.unwrap_or_default(),
+        tag,
+    )
+    .map_err(|e| napi::Error::from_reason(format!("joseDecrypt failed: {e}")))
+}
+
+// ---------------------------------------------------------------------------
+// JWE — JSON Web Encryption (Task 11)
+// ---------------------------------------------------------------------------
+
+/// Resolve the `typ` header from the `didcomm` flag.
+fn resolve_typ_encrypted(didcomm: Option<bool>) -> &'static str {
+    if didcomm.unwrap_or(false) {
+        TOKEN_TYPE_DIDCOM_ENCRYPTED
+    } else {
+        TOKEN_TYPE_JWT
+    }
+}
+
+/// Resolve the `typ` header from the `didcomm` flag for signed tokens.
+fn resolve_typ_signed(didcomm: Option<bool>) -> &'static str {
+    if didcomm.unwrap_or(false) {
+        TOKEN_TYPE_DIDCOM_SIGNED
+    } else {
+        TOKEN_TYPE_JWT
+    }
+}
+
+/// Encrypt a JSON payload for one or more recipients using JWE General JSON serialization.
+/// Matches ffi-jose `generalEncryptJson(alg, enc, payload, recipients, didcomm)`.
+#[napi]
+pub fn general_encrypt_json(
+    alg: JoseKeyEncryption,
+    enc: JoseContentEncryption,
+    payload: Value,
+    recipients: Vec<Value>,
+    didcomm: Option<bool>,
+) -> napi::Result<Value> {
+    let typ = resolve_typ_encrypted(didcomm);
+    let payload_str = serde_json::to_string(&payload)
+        .map_err(|e| napi::Error::from_reason(format!("generalEncryptJson serialize payload: {e}")))?;
+    let recipients_str = serde_json::to_string(&recipients)
+        .map_err(|e| napi::Error::from_reason(format!("generalEncryptJson serialize recipients: {e}")))?;
+
+    let result = jose_general_encrypt_json(
+        alg.to_rust_string().to_string(),
+        enc.to_rust_string().to_string(),
+        typ.to_string(),
+        payload_str,
+        recipients_str,
+        None,
+    )
+    .map_err(|e| napi::Error::from_reason(format!("generalEncryptJson failed: {e}")))?;
+
+    serde_json::from_str(&result)
+        .map_err(|e| napi::Error::from_reason(format!("generalEncryptJson parse result: {e}")))
+}
+
+/// Decrypt a JWE JSON object using a JWK private key.
+/// Matches ffi-jose `decryptJson(jwe, jwk)`.
+#[napi]
+pub fn decrypt_json(jwe: Value, jwk: Value) -> napi::Result<Value> {
+    let jwe_str = serde_json::to_string(&jwe)
+        .map_err(|e| napi::Error::from_reason(format!("decryptJson serialize jwe: {e}")))?;
+    let jwk_str = serde_json::to_string(&jwk)
+        .map_err(|e| napi::Error::from_reason(format!("decryptJson serialize jwk: {e}")))?;
+
+    let result = jose_decrypt_json(jwe_str, jwk_str)
+        .map_err(|e| napi::Error::from_reason(format!("decryptJson failed: {e}")))?;
+
+    serde_json::from_str(&result)
+        .map_err(|e| napi::Error::from_reason(format!("decryptJson parse result: {e}")))
+}
+
+// ---------------------------------------------------------------------------
+// JWS — JSON Web Signature (Task 12)
+// ---------------------------------------------------------------------------
+
+/// Sign a JSON payload using JWS Compact serialization.
+/// Matches ffi-jose `compactSignJson(alg, payload, jwk, didcomm)`.
+#[napi]
+pub fn compact_sign_json(
+    alg: JoseSigningAlgorithm,
+    payload: Value,
+    jwk: Value,
+    didcomm: Option<bool>,
+) -> napi::Result<String> {
+    let typ = resolve_typ_signed(didcomm);
+    let payload_str = serde_json::to_string(&payload)
+        .map_err(|e| napi::Error::from_reason(format!("compactSignJson serialize payload: {e}")))?;
+    let jwk_str = serde_json::to_string(&jwk)
+        .map_err(|e| napi::Error::from_reason(format!("compactSignJson serialize jwk: {e}")))?;
+
+    jose_compact_sign_json(
+        alg.to_rust_string().to_string(),
+        typ.to_string(),
+        payload_str,
+        jwk_str,
+    )
+    .map_err(|e| napi::Error::from_reason(format!("compactSignJson failed: {e}")))
+}
+
+/// Verify a JWS Compact serialization and return the payload.
+/// Matches ffi-jose `compactJsonVerify(jws, jwk)`.
+#[napi]
+pub fn compact_json_verify(jws: String, jwk: Value) -> napi::Result<Value> {
+    let jwk_str = serde_json::to_string(&jwk)
+        .map_err(|e| napi::Error::from_reason(format!("compactJsonVerify serialize jwk: {e}")))?;
+
+    let result = jose_compact_verify_json(jws, jwk_str)
+        .map_err(|e| napi::Error::from_reason(format!("compactJsonVerify failed: {e}")))?;
+
+    serde_json::from_str(&result)
+        .map_err(|e| napi::Error::from_reason(format!("compactJsonVerify parse result: {e}")))
+}
+
+/// Sign a JSON payload using JWS Flattened JSON serialization.
+/// Matches ffi-jose `flattenedSignJson(alg, payload, jwk, didcomm)`.
+#[napi]
+pub fn flattened_sign_json(
+    alg: JoseSigningAlgorithm,
+    payload: Value,
+    jwk: Value,
+    didcomm: Option<bool>,
+) -> napi::Result<Value> {
+    let typ = resolve_typ_signed(didcomm);
+    let payload_str = serde_json::to_string(&payload)
+        .map_err(|e| napi::Error::from_reason(format!("flattenedSignJson serialize payload: {e}")))?;
+    let jwk_str = serde_json::to_string(&jwk)
+        .map_err(|e| napi::Error::from_reason(format!("flattenedSignJson serialize jwk: {e}")))?;
+
+    let result = jose_flattened_sign_json(
+        alg.to_rust_string().to_string(),
+        typ.to_string(),
+        payload_str,
+        jwk_str,
+    )
+    .map_err(|e| napi::Error::from_reason(format!("flattenedSignJson failed: {e}")))?;
+
+    serde_json::from_str(&result)
+        .map_err(|e| napi::Error::from_reason(format!("flattenedSignJson parse result: {e}")))
+}
+
+/// Verify a JWS Flattened or General JSON serialization and return the payload.
+/// Matches ffi-jose `jsonVerify(jws, jwk)`.
+#[napi]
+pub fn json_verify(jws: Value, jwk: Value) -> napi::Result<Value> {
+    let jws_str = serde_json::to_string(&jws)
+        .map_err(|e| napi::Error::from_reason(format!("jsonVerify serialize jws: {e}")))?;
+    let jwk_str = serde_json::to_string(&jwk)
+        .map_err(|e| napi::Error::from_reason(format!("jsonVerify serialize jwk: {e}")))?;
+
+    let result = jose_verify_json(jws_str, jwk_str)
+        .map_err(|e| napi::Error::from_reason(format!("jsonVerify failed: {e}")))?;
+
+    serde_json::from_str(&result)
+        .map_err(|e| napi::Error::from_reason(format!("jsonVerify parse result: {e}")))
+}
+
+/// Sign a JSON payload using JWS General JSON serialization with multiple signers.
+/// Matches ffi-jose `generalSignJson(payload, jwks, didcomm)`.
+#[napi]
+pub fn general_sign_json(
+    payload: Value,
+    jwks: Vec<Value>,
+    didcomm: Option<bool>,
+) -> napi::Result<Value> {
+    let typ = resolve_typ_signed(didcomm);
+    let payload_str = serde_json::to_string(&payload)
+        .map_err(|e| napi::Error::from_reason(format!("generalSignJson serialize payload: {e}")))?;
+    let jwks_str = serde_json::to_string(&jwks)
+        .map_err(|e| napi::Error::from_reason(format!("generalSignJson serialize jwks: {e}")))?;
+
+    let result = jose_general_sign_json(typ.to_string(), payload_str, jwks_str)
+        .map_err(|e| napi::Error::from_reason(format!("generalSignJson failed: {e}")))?;
+
+    serde_json::from_str(&result)
+        .map_err(|e| napi::Error::from_reason(format!("generalSignJson parse result: {e}")))
+}

package/src/jsonld.rs

@@ -1,16 +1,12 @@
 use serde_json::{json, Value};
-use std::collections::HashMap;
-use std::num::NonZeroUsize;
 use std::sync::Arc;
 
-use lru::LruCache;
-
 use vc::{
-    document_loader::nuggets::{load_nuggets_context, DocumentLoader},
+    document_loader::nuggets::DocumentLoader,
     jsonld::{self, context_resolver::ContextResolver},
 };
 
-use crate::ld_signatures::parse_contexts;
+use crate::ld_signatures::loader_from_contexts;
 
 /// JSON-LD processor — drop-in replacement for the jsonld.js API.
 ///
@@ -37,26 +33,8 @@ impl JsonLd {
     /// of the built-in nuggets contexts).
     #[napi(constructor)]
     pub fn new(options: Option<Value>) -> Self {
-        let additional: HashMap<String, Value> = options
-            .as_ref()
-            .map(|o| parse_contexts(o))
-            .unwrap_or_default();
-
-        let mut ctx = load_nuggets_context();
-        ctx.extend(additional);
-
-        let resolver = Arc::new(tokio::sync::RwLock::new(
-            vc::did_resolver::resolver::Resolver::new(
-                vc::did_resolver::resolver::ResolverRegistry::new(),
-                None,
-            ),
-        ));
-        let opts = vc::did_resolver::resolver::DidResolutionOptions::default();
-        let loader = Arc::new(DocumentLoader::new(ctx, resolver, opts));
-        let cr = Arc::new(ContextResolver::new(LruCache::new(
-            NonZeroUsize::new(10).unwrap(),
-        )));
-
+        let contexts = options.as_ref().and_then(|o| o.get("contexts"));
+        let (loader, cr) = loader_from_contexts(contexts);
         Self { loader, cr }
     }
 

package/src/ld_signatures.rs

@@ -47,6 +47,18 @@ pub(crate) fn create_document_loader(
     (loader, cr)
 }
 
+/// Parse an optional nonce string: try base64 decode, fall back to raw bytes.
+fn parse_nonce(options: &Value) -> Option<Vec<u8>> {
+    options
+        .get("nonce")
+        .and_then(|v| v.as_str())
+        .map(|s| {
+            BASE64_STANDARD
+                .decode(s)
+                .unwrap_or_else(|_| s.as_bytes().to_vec())
+        })
+}
+
 /// Parse the `contexts` field from options JSON into a HashMap.
 pub(crate) fn parse_contexts(options: &Value) -> HashMap<String, Value> {
     options
@@ -60,6 +72,20 @@ pub(crate) fn parse_contexts(options: &Value) -> HashMap<String, Value> {
         .unwrap_or_default()
 }
 
+/// Create a DocumentLoader + ContextResolver from an optional contexts Value.
+///
+/// This is the common pattern used by all class-based suite methods:
+/// takes the `contexts` field from options and creates the loader pair.
+pub(crate) fn loader_from_contexts(
+    contexts: Option<&Value>,
+) -> (Arc<DocumentLoader>, Arc<ContextResolver>) {
+    let additional = contexts
+        .and_then(|v| v.as_object())
+        .map(|obj| obj.iter().map(|(k, v)| (k.clone(), v.clone())).collect())
+        .unwrap_or_default();
+    create_document_loader(additional)
+}
+
 /// Sign a document with BbsBlsSignature2020 and embed the proof.
 ///
 /// Input: `{ document, keyPair: {id, controller, publicKeyBase58, privateKeyBase58}, contexts? }`
@@ -135,14 +161,7 @@ pub async fn ld_derive_proof(options: Value) -> napi::Result<Value> {
         .cloned()
         .ok_or_else(|| napi::Error::from_reason("missing 'revealDocument' in options"))?;
 
-    let nonce = options
-        .get("nonce")
-        .and_then(|v| v.as_str())
-        .map(|s| {
-            BASE64_STANDARD
-                .decode(s)
-                .unwrap_or_else(|_| s.as_bytes().to_vec())
-        });
+    let nonce = parse_nonce(&options);
 
     let additional_contexts = parse_contexts(&options);
 
@@ -163,14 +182,7 @@ pub async fn derive_proof(
     reveal_document: Value,
     options: Value,
 ) -> napi::Result<Value> {
-    let nonce = options
-        .get("nonce")
-        .and_then(|v| v.as_str())
-        .map(|s| {
-            BASE64_STANDARD
-                .decode(s)
-                .unwrap_or_else(|_| s.as_bytes().to_vec())
-        });
+    let nonce = parse_nonce(&options);
 
     let additional_contexts = parse_contexts(&options);
 
@@ -298,14 +310,7 @@ pub async fn derive_proof_holder_bound(
         })
         .collect::<napi::Result<_>>()?;
 
-    let nonce = options
-        .get("nonce")
-        .and_then(|v| v.as_str())
-        .map(|s| {
-            BASE64_STANDARD
-                .decode(s)
-                .unwrap_or_else(|_| s.as_bytes().to_vec())
-        });
+    let nonce = parse_nonce(&options);
 
     let additional_contexts = parse_contexts(&options);
 

package/src/lib.rs

@@ -4,5 +4,6 @@
 extern crate napi_derive;
 
 pub mod bls_signatures;
+pub mod jose;
 pub mod jsonld;
 pub mod ld_signatures;

package/test.mjs

@@ -240,6 +240,44 @@ test('full demo_single flow: sign → verify → derive → verify derived', asy
     assert.equal(derivedVerifyResult.verified, true, `derived verify failed: ${derivedVerifyResult.error}`);
 });
 
+test('demo_multi flow: sign twice → verify → derive → verify derived', async () => {
+    // Step 1: First sign
+    const signed = await ldSign({
+        document: inputDocument,
+        keyPair,
+        contexts,
+    });
+    assert.ok(signed.proof, 'signed document has proof');
+    assert.ok(!Array.isArray(signed.proof), 'single sign produces a single proof (not array)');
+
+    // Step 2: Second sign (creates multi-proof array)
+    const multiSigned = await ldSign({
+        document: signed,
+        keyPair,
+        contexts,
+    });
+    assert.ok(Array.isArray(multiSigned.proof), 'double sign produces proof array');
+    assert.equal(multiSigned.proof.length, 2, 'proof array has 2 proofs');
+    assert.equal(multiSigned.proof[0].type, 'BbsBlsSignature2020');
+    assert.equal(multiSigned.proof[1].type, 'BbsBlsSignature2020');
+
+    // Step 3: Verify multi-proof document
+    const verifyResult = await ldVerify({ document: multiSigned, contexts });
+    assert.equal(verifyResult.verified, true, `multi-proof verify failed: ${verifyResult.error}`);
+
+    // Step 4: Derive selective disclosure from multi-proof document
+    const derived = await ldDeriveProof({
+        document: multiSigned,
+        revealDocument,
+        contexts,
+    });
+    assert.ok(derived.proof, 'derived document has proof');
+
+    // Step 5: Verify derived proof
+    const derivedVerifyResult = await ldVerify({ document: derived, contexts });
+    assert.equal(derivedVerifyResult.verified, true, `multi-proof derived verify failed: ${derivedVerifyResult.error}`);
+});
+
 
 //
 // BbsBlsSignature2020 class-based API tests