npm - @originator-profile/verify - Versions diffs - 0.4.0-beta.1 - Mend

@originator-profile/verify 0.4.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,1186 @@
+'use strict';
+var securingMechanism = require('@originator-profile/securing-mechanism');
+var sign = require('@originator-profile/sign');
+var cryptography = require('@originator-profile/cryptography');
+var model = require('@originator-profile/model');
+class CaInvalid extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_CONTENT_ATTESTATION_INVALID";
+  }
+  code = CaInvalid.code;
+}
+class CaVerifyFailed extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_CONTENT_ATTESTATION_VERIFY_FAILED";
+  }
+  code = CaVerifyFailed.code;
+}
+function verifyAllowedOrigin(origin, allowedOrigins) {
+  if (origin === "null") {
+    return false;
+  }
+  return [allowedOrigins].flat().includes(origin);
+}
+async function importURLPatternPolyfill() {
+  if (typeof URLPattern === "undefined") {
+    await Promise.resolve().then(function () { return require('./index-D-j8gXz_.cjs'); });
+  }
+}
+function ReplaceEncode(url) {
+  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
+    return match.toUpperCase();
+  });
+}
+async function verifyAllowedUrl(url, allowedUrl) {
+  await importURLPatternPolyfill();
+  return [allowedUrl].flat().some((value) => {
+    if (!value) {
+      return false;
+    }
+    const pattern = new URLPattern(ReplaceEncode(value));
+    return pattern.test(ReplaceEncode(url));
+  });
+}
+const supportedHashAlgorithms = {
+  /** SHA-256 hash algorithm */
+  sha256: "SHA-256",
+  /** SHA-384 hash algorithm */
+  sha384: "SHA-384",
+  /** SHA-512 hash algorithm */
+  sha512: "SHA-512"
+};
+function getPrioritizedHashAlgorithm(a, b) {
+  if (a === b) return "";
+  if (!(a in supportedHashAlgorithms)) {
+    return b in supportedHashAlgorithms ? b : "";
+  }
+  if (!(b in supportedHashAlgorithms)) {
+    return a in supportedHashAlgorithms ? a : "";
+  }
+  return a < b ? b : a;
+}
+const IntegrityMetadataRegex = /^(?<alg>sha256|sha384|sha512)-(?<val>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)(?:[?](?<opt>[\x21-\x7e]*))?$/;
+const SeparatorRegex = /[^\x21-\x7e]+/;
+class IntegrityMetadata {
+  /** Hash algorithm */
+  alg;
+  /** The base64-encoded hash value of the resource */
+  val;
+  /** Optional additional attributes */
+  opt;
+  /**
+   * Creates an instance of `IntegrityMetadata` from a given object or string.
+   * @param integrity The integrity metadata input, which can be a string or object.
+   * @example
+   * ```js
+   * new IntegrityMetadata("sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=")
+   * ```
+   *
+   * or
+   *
+   * ```js
+   * new IntegrityMetadata({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * })
+   * ```
+   */
+  constructor(integrity) {
+    const integrityString = typeof integrity === "object" && integrity !== null ? IntegrityMetadata.stringify(integrity) : String(integrity ?? "").trim();
+    const {
+      alg = "",
+      val = "",
+      opt
+    } = IntegrityMetadataRegex.exec(integrityString)?.groups ?? {};
+    Object.assign(this, {
+      alg,
+      val,
+      opt: opt?.split("?") ?? []
+    });
+  }
+  /**
+   * Compares the current integrity metadata with another object or string.
+   * @param integrity The integrity metadata to compare with.
+   * @returns `true` if the integrity metadata matches, `false` otherwise.
+   * @example
+   * ```js
+   * integrityMetadata.match("sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=")
+   * ```
+   *
+   * or
+   *
+   * ```js
+   * integrityMetadata.match({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * })
+   * ```
+   */
+  match(integrity) {
+    const { alg, val } = new IntegrityMetadata(integrity);
+    if (!alg) return false;
+    if (!val) return false;
+    if (!(alg in supportedHashAlgorithms)) return false;
+    return alg === this.alg && val === this.val;
+  }
+  /**
+   * Converts the integrity metadata into a string representation.
+   * @returns The string representation of the integrity metadata.
+   */
+  toString() {
+    return IntegrityMetadata.stringify(this);
+  }
+  /**
+   * Converts the integrity metadata into a JSON string.
+   * @returns The JSON string representation of the integrity metadata.
+   */
+  toJSON() {
+    return this.toString();
+  }
+  /**
+   * Static method to stringify an integrity metadata object.
+   * @param integrity The integrity metadata object to stringify.
+   * @returns The stringified integrity metadata.
+   * @example
+   * ```js
+   * IntegrityMetadata.stringify({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * }) // "sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM="
+   * ```
+   */
+  static stringify({ alg, val, opt = [] }) {
+    if (!alg) return "";
+    if (!val) return "";
+    if (!(alg in supportedHashAlgorithms)) return "";
+    return `${alg}-${[val, ...opt].join("?")}`;
+  }
+}
+async function createIntegrityMetadata(hashAlgorithm, data, opt = []) {
+  const alg = hashAlgorithm.toLowerCase();
+  if (!(alg in supportedHashAlgorithms)) {
+    return new IntegrityMetadata("");
+  }
+  const hashAlgorithmIdentifier = supportedHashAlgorithms[alg];
+  const arrayBuffer = await crypto.subtle.digest(hashAlgorithmIdentifier, data);
+  const val = btoa(String.fromCharCode(...new Uint8Array(arrayBuffer)));
+  const integrity = IntegrityMetadata.stringify({ alg, val, opt });
+  return new IntegrityMetadata(integrity);
+}
+class IntegrityMetadataSet {
+  #set;
+  #getPrioritizedHashAlgorithm = getPrioritizedHashAlgorithm;
+  /**
+   * Create an instance of `IntegrityMetadataSet` from integrity metadata or an array of integrity
+   * metadata.
+   * @param integrity The integrity metadata or an array of integrity metadata.
+   * @param options Optional configuration options for hash algorithm prioritization.
+   * @example
+   * ```js
+   * new IntegrityMetadataSet([
+   *   "sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   *   "sha384-VbxVaw0v4Pzlgrpf4Huq//A1ZTY4x6wNVJTCpkwL6hzFczHHwSpFzbyn9MNKCJ7r",
+   *   "sha512-wVJ82JPBJHc9gRkRlwyP5uhX1t9dySJr2KFgYUwM2WOk3eorlLt9NgIe+dhl1c6ilKgt1JoLsmn1H256V/eUIQ==",
+   * ])
+   * ```
+   *
+   * or
+   *
+   * ```js
+   * new IntegrityMetadataSet(`
+   *   sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=
+   *   sha384-VbxVaw0v4Pzlgrpf4Huq//A1ZTY4x6wNVJTCpkwL6hzFczHHwSpFzbyn9MNKCJ7r
+   *   sha512-wVJ82JPBJHc9gRkRlwyP5uhX1t9dySJr2KFgYUwM2WOk3eorlLt9NgIe+dhl1c6ilKgt1JoLsmn1H256V/eUIQ==
+   * `)
+   * ```
+   */
+  constructor(integrity, {
+    getPrioritizedHashAlgorithm: _getPrioritizedHashAlgorithm = getPrioritizedHashAlgorithm
+  } = {}) {
+    this.#set = [integrity].flat().flatMap(
+      (integrity2) => {
+        if (typeof integrity2 === "string") {
+          return integrity2.split(SeparatorRegex);
+        }
+        return [integrity2];
+      }
+    ).map((integrity2) => new IntegrityMetadata(integrity2)).filter((integrityMetadata) => integrityMetadata.toString() !== "");
+    this.#getPrioritizedHashAlgorithm = _getPrioritizedHashAlgorithm;
+  }
+  /**
+   * Enables iteration over the set of integrity metadata.
+   * @returns A generator that yields each IntegrityMetadata object.
+   * @example
+   * ```js
+   * [...integrityMetadataSet]
+   * ```
+   */
+  *[Symbol.iterator]() {
+    for (const integrityMetadata of this.#set) {
+      yield new IntegrityMetadata(integrityMetadata);
+    }
+  }
+  /**
+   * The number of integrity metadata entries in the set.
+   */
+  get size() {
+    return this.#set.length;
+  }
+  /**
+   * The strongest (most secure) integrity metadata from the set.
+   * @see {@link https://www.w3.org/TR/SRI/#get-the-strongest-metadata-from-set}
+   */
+  get strongest() {
+    let strongest = new IntegrityMetadataSet([]);
+    for (const integrityMetadata of this.#set) {
+      const [{ alg } = new IntegrityMetadata("")] = strongest;
+      const prioritizedHashAlgorithm = this.#getPrioritizedHashAlgorithm(
+        alg,
+        integrityMetadata.alg
+      );
+      switch (prioritizedHashAlgorithm) {
+        case "":
+          strongest = new IntegrityMetadataSet([
+            ...strongest,
+            integrityMetadata
+          ]);
+          break;
+        case integrityMetadata.alg:
+          strongest = new IntegrityMetadataSet(integrityMetadata);
+          break;
+      }
+    }
+    return strongest;
+  }
+  /**
+   * Returns an array of the strongest supported hash algorithms in the set.
+   */
+  get strongestHashAlgorithms() {
+    const strongestHashAlgorithms = [...this.strongest].map(({ alg }) => alg).filter(Boolean);
+    return [...new Set(strongestHashAlgorithms)];
+  }
+  /**
+   * Checks if a given integrity metadata object or string matches any in the set.
+   * @param integrity The integrity metadata to match.
+   * @returns `true` if the integrity metadata matches, `false` otherwise.
+   * @example
+   * ```js
+   * integrityMetadataSet.match("sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=")
+   * ```
+   *
+   * or
+   *
+   * ```js
+   * integrityMetadataSet.match({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * })
+   * ```
+   */
+  match(integrity) {
+    return this.#set.some(
+      (integrityMetadata) => integrityMetadata.match(integrity)
+    );
+  }
+  /**
+   * Joins the integrity metadata in the set into a single string, separated by the specified
+   * separator.
+   * @param separator The separator to use (default is a space).
+   * @returns The joined string representation of the set.
+   */
+  join(separator = " ") {
+    return this.#set.map(String).join(separator);
+  }
+  /**
+   * Converts the set of integrity metadata to a string representation.
+   * @returns The string representation of the set.
+   */
+  toString() {
+    return this.join();
+  }
+  /**
+   * Converts the set of integrity metadata to a JSON string.
+   * @returns The JSON string representation of the set.
+   */
+  toJSON() {
+    return this.toString();
+  }
+}
+async function createIntegrityMetadataSet(hashAlgorithms, data, options = {
+  getPrioritizedHashAlgorithm
+}) {
+  const set = await Promise.all(
+    [hashAlgorithms].flat().map((alg) => createIntegrityMetadata(alg, data))
+  );
+  return new IntegrityMetadataSet(set, options);
+}
+async function verifyDigestSri(content, fetcher = fetch) {
+  const integrity = new IntegrityMetadataSet(content.digestSRI);
+  const alg = integrity.strongestHashAlgorithms.filter(Boolean);
+  if (alg.length === 0) return false;
+  const { digestSRI } = await sign.createDigestSri(alg[0], content, fetcher);
+  return integrity.match(digestSRI);
+}
+class IntegrityVerifier {
+  constructor(contentFetcher, elementSelector) {
+    this.contentFetcher = contentFetcher;
+    this.elementSelector = elementSelector;
+  }
+  async verify(content, document2) {
+    const integrity = new IntegrityMetadataSet(content.integrity);
+    const alg = integrity.strongestHashAlgorithms.filter(Boolean);
+    if (alg.length === 0) return { valid: false, failedIntegrities: [] };
+    const elements = this.elementSelector({ ...content, document: document2 });
+    if (elements.length === 0) return { valid: false, failedIntegrities: [] };
+    const responses = await this.contentFetcher(elements);
+    const meta = await Promise.all(
+      responses.map(async (res) => {
+        const data = await res.arrayBuffer();
+        return await createIntegrityMetadataSet(alg, data);
+      })
+    );
+    const failedIntegrities = meta.filter((m) => [...m].every((m2) => !integrity.match(m2))).map((m) => m.toString());
+    return { valid: failedIntegrities.length === 0, failedIntegrities };
+  }
+}
+const TargetIntegrityAlgorithm = {
+  HtmlTargetIntegrity: {
+    contentFetcher: sign.fetchHtmlContent,
+    elementSelector: sign.selectByCss
+  },
+  TextTargetIntegrity: {
+    contentFetcher: sign.fetchTextContent,
+    elementSelector: sign.selectByCss
+  },
+  VisibleTextTargetIntegrity: {
+    contentFetcher: sign.fetchVisibleTextContent,
+    elementSelector: sign.selectByCss
+  },
+  ExternalResourceTargetIntegrity: {
+    contentFetcher: sign.fetchExternalResource,
+    elementSelector: sign.selectByIntegrity
+  }
+};
+async function verifyIntegrity(content, doc = document, fetcher = fetch) {
+  const { contentFetcher, elementSelector } = TargetIntegrityAlgorithm[content.type];
+  const integrityVerifier = new IntegrityVerifier(
+    (content2) => contentFetcher(content2, fetcher),
+    elementSelector
+  );
+  return await integrityVerifier.verify(content, doc);
+}
+async function checkUrlAndOrigin(result, url) {
+  if (result.doc.allowedUrl && result.doc.allowedOrigin) {
+    return new CaInvalid("allowedUrl and allowedOrigin are exclusive", result);
+  }
+  if (result.doc.allowedUrl && !await verifyAllowedUrl(url.toString(), result.doc.allowedUrl)) {
+    return new CaVerifyFailed(
+      `URL not allowed. Expected:${Array.isArray(result.doc.allowedUrl) ? result.doc.allowedUrl.join(", ") : result.doc.allowedUrl} Actual:${url}`,
+      result
+    );
+  }
+  if (result.doc.allowedOrigin && !verifyAllowedOrigin(url.origin, result.doc.allowedOrigin)) {
+    return new CaVerifyFailed(
+      `Origin not allowed. Expected:${Array.isArray(result.doc.allowedOrigin) ? result.doc.allowedOrigin.join(", ") : result.doc.allowedOrigin} Actual:${url.origin}`,
+      result
+    );
+  }
+  return result;
+}
+function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity, validator) {
+  const verifyCa = securingMechanism.JwtVcVerifier(keys, issuer, validator);
+  return async () => {
+    const result = await verifyCa(ca);
+    if (result instanceof securingMechanism.VcValidateFailed) {
+      return new CaInvalid("Content Attestation validate failed", result);
+    }
+    if (result instanceof securingMechanism.VcVerifyFailed) {
+      return new CaVerifyFailed("Content Attestation verify failed", result);
+    }
+    const urlResult = await checkUrlAndOrigin(result, url);
+    if (urlResult instanceof Error) {
+      return urlResult;
+    }
+    if (urlResult.doc.target) {
+      if (urlResult.doc.target.length === 0) {
+        return new CaInvalid("Target is empty", urlResult);
+      }
+      const integrityResults = await Promise.all(
+        urlResult.doc.target.map(async (t, index) => ({
+          index,
+          verifyResult: await verifyIntegrity$1(t),
+          expectedIntegrity: t.integrity
+        }))
+      );
+      const failedIndices = integrityResults.filter((result2) => !result2.verifyResult.valid).map((result2) => result2.index);
+      if (failedIndices.length > 0) {
+        const failedIntegritiesMessage = failedIndices.map((integrityResultIndex) => {
+          const integrityResult = integrityResults[integrityResultIndex];
+          if (integrityResult) {
+            const calculatedIntegrities = integrityResult.verifyResult.failedIntegrities.join();
+            return `target[${integrityResultIndex}] Expected: ${integrityResult.expectedIntegrity}, Calculated: ${calculatedIntegrities}`;
+          }
+          return void 0;
+        }).join(", ");
+        return new CaVerifyFailed(
+          `Content Attestation Target integrity verification failed for element(s): ${failedIntegritiesMessage}`,
+          urlResult
+        );
+      }
+    }
+    return urlResult;
+  };
+}
+class CasVerifyFailed extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_CONTENT_ATTESTATION_SET_VERIFY_FAILED";
+  }
+  code = CasVerifyFailed.code;
+}
+function normalizeCasItem(ca) {
+  if (typeof ca === "object" && ca !== null && "attestation" in ca) {
+    return ca;
+  }
+  return { main: false, attestation: ca };
+}
+async function verifyCas(cas, verifiedOps, url, verifyIntegrity, validator) {
+  const decodeCa = securingMechanism.JwtVcDecoder();
+  const resultCas = await Promise.all(
+    cas.map(async (ca) => {
+      const { main, attestation: source } = normalizeCasItem(ca);
+      const decodedCa = decodeCa(source);
+      if (decodedCa instanceof Error) {
+        return { main, attestation: new CaInvalid("Invalid CA", decodedCa) };
+      }
+      const cp = verifiedOps.find(
+        (ops) => ops.core.doc.credentialSubject.id === decodedCa.doc.issuer
+      );
+      if (!cp) {
+        return {
+          main,
+          attestation: new CoreProfileNotFound(
+            "Appropriate Core Profile not found",
+            decodedCa
+          )
+        };
+      }
+      const verify = CaVerifier(
+        source,
+        cryptography.LocalKeys(cp.core.doc.credentialSubject.jwks),
+        decodedCa.doc.issuer,
+        new URL(url),
+        verifyIntegrity,
+        validator?.(model.ContentAttestation)
+      );
+      return { main, attestation: await verify() };
+    })
+  );
+  if (resultCas.some((ca) => {
+    return ca.attestation instanceof CaInvalid || ca.attestation instanceof CoreProfileNotFound || ca.attestation instanceof CaVerifyFailed;
+  })) {
+    return new CasVerifyFailed(
+      "Content Attestation Set verify failed",
+      resultCas
+    );
+  }
+  return resultCas;
+}
+class ProfileGenericError extends Error {
+  static get code() {
+    return "ERR_PROFILE_GENERIC";
+  }
+  code = ProfileGenericError.code;
+}
+class ProfileClaimsValidationFailed extends ProfileGenericError {
+  static get code() {
+    return "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
+  }
+  code = ProfileClaimsValidationFailed.code;
+  /** 復号結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class ProfileTokenVerifyFailed extends ProfileGenericError {
+  static get code() {
+    return "ERR_PROFILE_TOKEN_VERIFY_FAILED";
+  }
+  code = ProfileTokenVerifyFailed.code;
+  /** 検証結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class ProfileBodyExtractFailed extends ProfileGenericError {
+  static get code() {
+    return "ERR_PROFILE_BODY_EXTRACT_FAILED";
+  }
+  code = ProfileBodyExtractFailed.code;
+}
+class ProfileBodyVerifyFailed extends ProfileGenericError {
+  static get code() {
+    return "ERR_PROFILE_BODY_VERIFY_FAILED";
+  }
+  code = ProfileBodyVerifyFailed.code;
+  /** 検証結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class ProfilesResolveFailed extends ProfileGenericError {
+  static get code() {
+    return "ERR_PROFILES_RESOLVE_FAILED";
+  }
+  code = ProfilesResolveFailed.code;
+  /** 検証結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class ProfilesVerifyFailed extends ProfileGenericError {
+  static get code() {
+    return "ERR_PROFILES_VERIFY_FAILED";
+  }
+  code = ProfilesVerifyFailed.code;
+  /** 検証結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class CertificationSystemValidationFailed extends ProfileGenericError {
+  static get code() {
+    return "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
+  }
+  code = CertificationSystemValidationFailed.code;
+  /** 検証結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+var REMOVE = "remove";
+var REPLACE = "replace";
+var ADD = "add";
+var MOVE = "move";
+function diffApply(obj, diff, pathConverter) {
+  if (!obj || typeof obj != "object") {
+    throw new Error("base object must be an object or an array");
+  }
+  if (!Array.isArray(diff)) {
+    throw new Error("diff must be an array");
+  }
+  var diffLength = diff.length;
+  for (var i = 0; i < diffLength; i++) {
+    var thisDiff = diff[i];
+    var subObject = obj;
+    var thisOp = thisDiff.op;
+    var thisPath = transformPath(pathConverter, thisDiff.path);
+    var thisFromPath = thisDiff.from && transformPath(pathConverter, thisDiff.from);
+    var toPath, toPathCopy, lastToProp, subToObject, valueToMove;
+    if (thisFromPath) {
+      toPath = thisPath;
+      thisPath = thisFromPath;
+      toPathCopy = toPath.slice();
+      lastToProp = toPathCopy.pop();
+      prototypeCheck(lastToProp);
+      if (lastToProp == null) {
+        return false;
+      }
+      var thisToProp;
+      while ((thisToProp = toPathCopy.shift()) != null) {
+        prototypeCheck(thisToProp);
+        if (!(thisToProp in subToObject)) {
+          subToObject[thisToProp] = {};
+        }
+        subToObject = subToObject[thisToProp];
+      }
+    }
+    var pathCopy = thisPath.slice();
+    var lastProp = pathCopy.pop();
+    prototypeCheck(lastProp);
+    if (lastProp == null) {
+      return false;
+    }
+    var thisProp;
+    while ((thisProp = pathCopy.shift()) != null) {
+      prototypeCheck(thisProp);
+      if (!(thisProp in subObject)) {
+        subObject[thisProp] = {};
+      }
+      subObject = subObject[thisProp];
+    }
+    if (thisOp === REMOVE || thisOp === REPLACE || thisOp === MOVE) {
+      var path = thisOp === MOVE ? thisDiff.from : thisDiff.path;
+      if (!subObject.hasOwnProperty(lastProp)) {
+        throw new Error(["expected to find property", path, "in object", obj].join(" "));
+      }
+    }
+    if (thisOp === REMOVE || thisOp === MOVE) {
+      if (thisOp === MOVE) {
+        valueToMove = subObject[lastProp];
+      }
+      Array.isArray(subObject) ? subObject.splice(lastProp, 1) : delete subObject[lastProp];
+    }
+    if (thisOp === REPLACE || thisOp === ADD) {
+      subObject[lastProp] = thisDiff.value;
+    }
+    if (thisOp === MOVE) {
+      subObject[lastToProp] = valueToMove;
+    }
+  }
+  return subObject;
+}
+function transformPath(pathConverter, thisPath) {
+  {
+    if (!Array.isArray(thisPath)) {
+      throw new Error([
+        "diff path",
+        thisPath,
+        "must be an array, consider supplying a path converter"
+      ].join(" "));
+    }
+  }
+  return thisPath;
+}
+function prototypeCheck(prop) {
+  if (prop == "__proto__" || prop == "constructor" || prop == "prototype") {
+    throw new Error("setting of prototype values not supported");
+  }
+}
+const patch = (...args) => {
+  const [source, diff] = args;
+  const patched = structuredClone(source);
+  diffApply(patched, diff);
+  return patched;
+};
+const VerifyResultFactory = (issuedAt, expiredAt) => ({
+  create: (vc, jwt, verificationKey, validated = false) => {
+    const unverified = {
+      doc: vc,
+      issuedAt,
+      expiredAt,
+      algorithm: "ES256",
+      mediaType: "application/vc+jwt",
+      source: jwt
+    };
+    if (!verificationKey) return unverified;
+    return { ...unverified, verificationKey, validated };
+  }
+});
+const opId = {
+  /** CP 発行者 */
+  authority: "dns:cp-issuer.example.org",
+  /** PA 発行者 */
+  certifier: "dns:pa-issuer.example.org",
+  /** CA 発行者 */
+  originator: "dns:originator.example.org",
+  /** 無効な第三者 */
+  invalid: "dns:invalid.example.org"
+};
+const cp = {
+  "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1"
+  ],
+  type: ["VerifiableCredential", "CoreProfile"],
+  issuer: opId.authority,
+  credentialSubject: {
+    id: opId.originator,
+    type: "Core",
+    jwks: {
+      keys: []
+    }
+  }
+};
+const certificate = {
+  "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    {
+      "@language": "ja"
+    }
+  ],
+  type: ["VerifiableCredential", "Certificate"],
+  issuer: opId.certifier,
+  credentialSubject: {
+    id: opId.originator,
+    type: "CertificateProperties",
+    description: "Example Certificate",
+    certificationSystem: {
+      id: "urn:uuid:de5d6e80-10a5-404f-b4d3-e9f0e6926a21",
+      type: "CertificationSystem",
+      name: "Example Certification System",
+      description: "Example Certification System Description"
+    }
+  }
+};
+const wmp = {
+  "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    {
+      "@language": "ja"
+    }
+  ],
+  type: ["VerifiableCredential", "WebMediaProfile"],
+  issuer: opId.authority,
+  credentialSubject: {
+    id: opId.originator,
+    type: "OnlineBusiness",
+    name: "Example OP Holder",
+    url: "https://op-originator.example.org/"
+  }
+};
+const wsp = {
+  "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    {
+      "@language": "ja"
+    }
+  ],
+  type: ["VerifiableCredential", "WebsiteProfile"],
+  issuer: opId.originator,
+  credentialSubject: {
+    id: "https://originator.example.org",
+    type: "WebSite",
+    name: "Example Website",
+    description: "Example Website Description",
+    allowedOrigin: ["https://originator.example.org"]
+  }
+};
+const caId = "urn:uuid:78550fa7-f846-4e0f-ad5c-8d34461cb95b";
+const caUrl = new URL("https://www.example.org/articles/example");
+const article = {
+  "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    { "@language": "ja" }
+  ],
+  type: ["VerifiableCredential", "ContentAttestation"],
+  issuer: opId.originator,
+  target: [],
+  allowedUrl: ["https://www.example.org/articles*"],
+  credentialSubject: {
+    id: caId,
+    type: "Article",
+    headline: "\u30C6\u30B9\u30C8\u8A18\u4E8B",
+    description: "\u8A18\u4E8B\u306E\u8AAC\u660E"
+  }
+};
+class OpsInvalid extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_ORIGINATOR_PROFILE_SET_INVALID";
+  }
+  code = OpsInvalid.code;
+}
+class OpInvalid extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_ORIGINATOR_PROFILE_INVALID";
+  }
+  code = OpInvalid.code;
+}
+class CoreProfileNotFound extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_CORE_PROFILE_NOT_FOUND";
+  }
+  code = CoreProfileNotFound.code;
+}
+class OpsVerifyFailed extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_ORIGINATOR_PROFILE_SET_VERIFY_FAILED";
+  }
+  code = OpsVerifyFailed.code;
+}
+class OpVerifyFailed extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_ORIGINATOR_PROFILE_VERIFY_FAILED";
+  }
+  code = OpVerifyFailed.code;
+}
+const isEveryDecodedPa = (annotations) => annotations.every((annotation) => "doc" in annotation);
+const isDecodedOps = (ops) => ops.every((op) => !(op instanceof OpInvalid));
+function decodeOps(ops) {
+  const decodeCp = securingMechanism.JwtVcDecoder();
+  const decodePa = securingMechanism.JwtVcDecoder();
+  const decodeWmp = securingMechanism.JwtVcDecoder();
+  const resultOps = ops.map((op) => {
+    const core = decodeCp(op.core);
+    const annotations = op.annotations ? op.annotations.map(decodePa) : void 0;
+    const media = op.media ? decodeWmp(op.media) : void 0;
+    const resultOp = { core, annotations, media };
+    if (core instanceof Error) {
+      return new OpInvalid("Core Profile decode failed", resultOp);
+    }
+    if (annotations && !isEveryDecodedPa(annotations)) {
+      return new OpInvalid("Profile Annotation decode failed", resultOp);
+    }
+    if (media instanceof Error) {
+      return new OpInvalid("Web Media Profile decode failed", resultOp);
+    }
+    if (media && core.doc.credentialSubject.id !== media.doc.credentialSubject.id) {
+      return new OpInvalid(
+        "Subject mismatch between Core Profile and Web Media Profile",
+        resultOp
+      );
+    }
+    if (annotations && annotations.some(
+      (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
+    )) {
+      return new OpInvalid(
+        "Subject mismatch between Core Profile and Profile Annotation",
+        resultOp
+      );
+    }
+    return resultOp;
+  });
+  if (!isDecodedOps(resultOps)) {
+    return new OpsInvalid("Invalid Originator Profile Set", resultOps);
+  }
+  return resultOps;
+}
+function OpVerifier(cps, vc, validator) {
+  const cpHolder = vc.doc.issuer;
+  const cp = cps.get(cpHolder);
+  if (!cp) {
+    return async () => new CoreProfileNotFound(`Missing Core Profile (${cpHolder})`, vc);
+  }
+  if (cp instanceof Error) {
+    return async () => new CoreProfileNotFound(`Invalid Core Profile (${cpHolder})`, vc);
+  }
+  const cpKeys = cryptography.LocalKeys(cp.doc.credentialSubject.jwks);
+  return securingMechanism.JwtVcVerifier(cpKeys, cpHolder, validator);
+}
+async function verifyAnnotations(cps, annotations, validator) {
+  if (!annotations) return;
+  return await Promise.all(
+    annotations.map((annotation) => {
+      const verify = OpVerifier(
+        cps,
+        annotation,
+        validator?.({
+          oneOf: [model.Certificate, model.JapaneseExistenceCertificate]
+        })
+      );
+      return verify(annotation.source);
+    })
+  );
+}
+async function verifyMedia(cps, media, validator) {
+  if (!media) return;
+  const verify = OpVerifier(
+    cps,
+    media,
+    validator?.(model.WebMediaProfile)
+  );
+  return await verify(media.source);
+}
+const isVerifiedOps = (ops) => ops.every((op) => !(op instanceof OpVerifyFailed));
+function OpsVerifier(ops, keys, issuer, validator) {
+  const decoded = decodeOps(ops);
+  const verifyCp = securingMechanism.JwtVcVerifier(
+    keys,
+    issuer,
+    validator?.(model.CoreProfile)
+  );
+  async function verify() {
+    if (decoded instanceof OpsInvalid) {
+      return decoded;
+    }
+    const cps = new Map(
+      await Promise.all(
+        decoded.map(
+          ({ core }) => verifyCp(core.source).then(
+            (result) => [core.doc.credentialSubject.id, result]
+          )
+        )
+      )
+    );
+    const resultOps = await Promise.all(
+      decoded.map(async (op) => {
+        const core = cps.get(op.core.doc.credentialSubject.id) ?? new CoreProfileNotFound(
+          `Missing Core Profile (${op.core.doc.credentialSubject.id})`,
+          op.core
+        );
+        const annotations = await verifyAnnotations(
+          cps,
+          op.annotations,
+          validator
+        );
+        const media = await verifyMedia(cps, op.media, validator);
+        const resultOp = { core, annotations, media };
+        if (core instanceof Error) {
+          return new OpVerifyFailed("Core Profile verify failed", resultOp);
+        }
+        if (annotations && annotations.some((annotation) => annotation instanceof Error)) {
+          return new OpVerifyFailed(
+            "Profile Annotation verify failed",
+            resultOp
+          );
+        }
+        if (media instanceof Error) {
+          return new OpVerifyFailed(
+            "Web Media Profile verify failed",
+            resultOp
+          );
+        }
+        return resultOp;
+      })
+    );
+    if (!isVerifiedOps(resultOps)) {
+      return new OpsVerifyFailed(
+        "Originator Profile Set verify failed",
+        resultOps
+      );
+    }
+    return resultOps;
+  }
+  return verify;
+}
+class SiteProfileInvalid extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_SITE_PROFILE_INVALID";
+  }
+  code = SiteProfileInvalid.code;
+}
+class SiteProfileVerifyFailed extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_SITE_PROFILE_VERIFY_FAILED";
+  }
+  code = SiteProfileVerifyFailed.code;
+}
+function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
+  async function verify() {
+    const verifyOps = OpsVerifier(sp.originators, keys, issuer, validator);
+    const opsVerified = await verifyOps();
+    if (opsVerified instanceof OpsInvalid) {
+      return new SiteProfileInvalid("Originator Profile Set invalid", {
+        originators: opsVerified
+      });
+    }
+    if (opsVerified instanceof OpsVerifyFailed) {
+      return new SiteProfileVerifyFailed(
+        "Originator Profile Set verify failed",
+        { originators: opsVerified }
+      );
+    }
+    const decodeWsp = securingMechanism.JwtVcDecoder();
+    const decodedWsp = decodeWsp(sp.credential);
+    if (decodedWsp instanceof Error) {
+      return new SiteProfileInvalid("Website Profile invalid", {
+        originators: opsVerified,
+        credential: decodedWsp
+      });
+    }
+    const wspIssuer = decodedWsp.doc.issuer;
+    const cp = opsVerified.find(
+      (op) => op.core.doc.credentialSubject.id === wspIssuer
+    );
+    if (!cp) {
+      return new SiteProfileInvalid("Appropriate Core Profile not found", {
+        originators: opsVerified,
+        credential: new CoreProfileNotFound(
+          `Missing Core Profile (${wspIssuer})`,
+          decodedWsp
+        )
+      });
+    }
+    const verifyWsp = securingMechanism.JwtVcVerifier(
+      cryptography.LocalKeys(cp.core.doc.credentialSubject.jwks),
+      cp.core.doc.credentialSubject.id,
+      validator?.(model.WebsiteProfile)
+    );
+    const credential = await verifyWsp(sp.credential);
+    if (credential instanceof Error) {
+      return new SiteProfileVerifyFailed("Website Profile verify failed", {
+        originators: opsVerified,
+        credential
+      });
+    }
+    if (verifyOrigin) {
+      const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
+      if (!verifyAllowedOrigin(origin, allowedOrigin)) {
+        return new SiteProfileVerifyFailed("Origin not allowed", {
+          originators: opsVerified,
+          credential
+        });
+      }
+    }
+    return { originators: opsVerified, credential };
+  }
+  return verify;
+}
+var objectTypeof = typeOf;
+function typeOf(obj) {
+  if (obj === null) {
+    return "null";
+  }
+  if (obj !== Object(obj)) {
+    return typeof obj;
+  }
+  var result = {}.toString.call(obj).slice(8, -1).toLowerCase();
+  return result.indexOf("function") > -1 ? "function" : result;
+}
+function CertificationSystemValidator() {
+  return function validate(payload) {
+    if (objectTypeof(payload) !== "object") {
+      return new CertificationSystemValidationFailed("should be an object", {
+        payload
+      });
+    }
+    const keys = Object.keys(payload);
+    const entries = Object.entries(payload);
+    if (!model.CertificationSystem.required.every((k) => keys.includes(k))) {
+      return new CertificationSystemValidationFailed(
+        "should be contain required properties",
+        { payload }
+      );
+    }
+    for (const entry of entries) {
+      const [key, value] = entry;
+      const propertySchema = model.CertificationSystem.properties[key];
+      if (objectTypeof(propertySchema) !== "object") {
+        return new CertificationSystemValidationFailed(
+          "should not contain additional properties",
+          { payload }
+        );
+      }
+      if ("const" in propertySchema && value !== propertySchema.const)
+        return new CertificationSystemValidationFailed(
+          `should be contain value of '${value}' in '${key}' property`,
+          { payload }
+        );
+      if ("type" in propertySchema && typeof value !== propertySchema.type)
+        return new CertificationSystemValidationFailed(
+          `should be contain ${propertySchema.type} value in '${key}' property`,
+          { payload }
+        );
+    }
+    return true;
+  };
+}
+function validateCertificationSystem(payload) {
+  const validator = CertificationSystemValidator();
+  const result = validator(payload);
+  if (result !== true) {
+    return result;
+  }
+  return payload;
+}
+exports.CaInvalid = CaInvalid;
+exports.CaVerifier = CaVerifier;
+exports.CaVerifyFailed = CaVerifyFailed;
+exports.CasVerifyFailed = CasVerifyFailed;
+exports.CertificationSystemValidationFailed = CertificationSystemValidationFailed;
+exports.CertificationSystemValidator = CertificationSystemValidator;
+exports.CoreProfileNotFound = CoreProfileNotFound;
+exports.OpInvalid = OpInvalid;
+exports.OpVerifyFailed = OpVerifyFailed;
+exports.OpsInvalid = OpsInvalid;
+exports.OpsVerifier = OpsVerifier;
+exports.OpsVerifyFailed = OpsVerifyFailed;
+exports.ProfileBodyExtractFailed = ProfileBodyExtractFailed;
+exports.ProfileBodyVerifyFailed = ProfileBodyVerifyFailed;
+exports.ProfileClaimsValidationFailed = ProfileClaimsValidationFailed;
+exports.ProfileGenericError = ProfileGenericError;
+exports.ProfileTokenVerifyFailed = ProfileTokenVerifyFailed;
+exports.ProfilesResolveFailed = ProfilesResolveFailed;
+exports.ProfilesVerifyFailed = ProfilesVerifyFailed;
+exports.SiteProfileInvalid = SiteProfileInvalid;
+exports.SiteProfileVerifyFailed = SiteProfileVerifyFailed;
+exports.SpVerifier = SpVerifier;
+exports.TargetIntegrityAlgorithm = TargetIntegrityAlgorithm;
+exports.VerifyResultFactory = VerifyResultFactory;
+exports.article = article;
+exports.caId = caId;
+exports.caUrl = caUrl;
+exports.certificate = certificate;
+exports.cp = cp;
+exports.decodeOps = decodeOps;
+exports.normalizeCasItem = normalizeCasItem;
+exports.opId = opId;
+exports.patch = patch;
+exports.validateCertificationSystem = validateCertificationSystem;
+exports.verifyAllowedOrigin = verifyAllowedOrigin;
+exports.verifyCas = verifyCas;
+exports.verifyDigestSri = verifyDigestSri;
+exports.verifyIntegrity = verifyIntegrity;
+exports.wmp = wmp;
+exports.wsp = wsp;