@originator-profile/verify 0.4.0 → 0.5.0-beta.1

package/dist/index.cjs

@@ -26,34 +26,6 @@ class CaVerifyFailed extends Error {
   code = CaVerifyFailed.code;
 }
 
-function verifyAllowedOrigin(origin, allowedOrigins) {
-  if (origin === "null") {
-    return false;
-  }
-  return [allowedOrigins].flat().includes(origin);
-}
-
-async function importURLPatternPolyfill() {
-  if (typeof URLPattern === "undefined") {
-    await Promise.resolve().then(function () { return require('./index-D-j8gXz_.cjs'); });
-  }
-}
-function ReplaceEncode(url) {
-  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
-    return match.toUpperCase();
-  });
-}
-async function verifyAllowedUrl(url, allowedUrl) {
-  await importURLPatternPolyfill();
-  return [allowedUrl].flat().some((value) => {
-    if (!value) {
-      return false;
-    }
-    const pattern = new URLPattern(ReplaceEncode(value));
-    return pattern.test(ReplaceEncode(url));
-  });
-}
-
 const supportedHashAlgorithms = {
   /** SHA-256 hash algorithm */
   sha256: "SHA-256",
@@ -385,6 +357,34 @@ async function verifyIntegrity(content, doc = document, fetcher = fetch) {
   return await integrityVerifier.verify(content, doc);
 }
 
+function verifyAllowedOrigin(origin, allowedOrigins) {
+  if (origin === "null") {
+    return false;
+  }
+  return [allowedOrigins].flat().includes(origin);
+}
+
+async function importURLPatternPolyfill() {
+  if (typeof URLPattern === "undefined") {
+    await Promise.resolve().then(function () { return require('./index-D-j8gXz_.cjs'); });
+  }
+}
+function ReplaceEncode(url) {
+  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
+    return match.toUpperCase();
+  });
+}
+async function verifyAllowedUrl(url, allowedUrl) {
+  await importURLPatternPolyfill();
+  return [allowedUrl].flat().some((value) => {
+    if (!value) {
+      return false;
+    }
+    const pattern = new URLPattern(ReplaceEncode(value));
+    return pattern.test(ReplaceEncode(url));
+  });
+}
+
 async function checkUrlAndOrigin(result, url) {
   if (result.doc.allowedUrl && result.doc.allowedOrigin) {
     return new CaInvalid("allowedUrl and allowedOrigin are exclusive", result);
@@ -887,8 +887,44 @@ class OpVerifyFailed extends Error {
   }
   code = OpVerifyFailed.code;
 }
+class CertificateExpired extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_CERTIFICATE_EXPIRED";
+  }
+  code = CertificateExpired.code;
+}
 
 const isEveryDecodedPa = (annotations) => annotations.every((annotation) => "doc" in annotation);
+const isEveryDecodedWmp = (media) => media.every((m) => "doc" in m);
+const validateDecodedOp = (core, annotations, media, resultOp) => {
+  if (annotations && !isEveryDecodedPa(annotations)) {
+    return new OpInvalid("Profile Annotation decode failed", resultOp);
+  }
+  if (media && !isEveryDecodedWmp(media)) {
+    return new OpInvalid("Web Media Profile decode failed", resultOp);
+  }
+  if (media && media.some(
+    (m) => core.doc.credentialSubject.id !== m.doc.credentialSubject.id
+  )) {
+    return new OpInvalid(
+      "Subject mismatch between Core Profile and Web Media Profile",
+      resultOp
+    );
+  }
+  if (annotations && annotations.some(
+    (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
+  )) {
+    return new OpInvalid(
+      "Subject mismatch between Core Profile and Profile Annotation",
+      resultOp
+    );
+  }
+  return { type: "valid", annotations, media };
+};
 const isDecodedOps = (ops) => ops.every((op) => !(op instanceof OpInvalid));
 function decodeOps(ops) {
   const decodeCp = securingMechanism.JwtVcDecoder();
@@ -897,32 +933,22 @@ function decodeOps(ops) {
   const resultOps = ops.map((op) => {
     const core = decodeCp(op.core);
     const annotations = op.annotations ? op.annotations.map(decodePa) : void 0;
-    const media = op.media ? decodeWmp(op.media) : void 0;
+    const mediaInput = op.media;
+    const mediaArray = mediaInput ? Array.isArray(mediaInput) ? mediaInput : [mediaInput] : void 0;
+    const media = mediaArray ? mediaArray.map(decodeWmp) : void 0;
     const resultOp = { core, annotations, media };
     if (core instanceof Error) {
       return new OpInvalid("Core Profile decode failed", resultOp);
     }
-    if (annotations && !isEveryDecodedPa(annotations)) {
-      return new OpInvalid("Profile Annotation decode failed", resultOp);
-    }
-    if (media instanceof Error) {
-      return new OpInvalid("Web Media Profile decode failed", resultOp);
-    }
-    if (media && core.doc.credentialSubject.id !== media.doc.credentialSubject.id) {
-      return new OpInvalid(
-        "Subject mismatch between Core Profile and Web Media Profile",
-        resultOp
-      );
+    const validated = validateDecodedOp(core, annotations, media, resultOp);
+    if (validated instanceof OpInvalid) {
+      return validated;
     }
-    if (annotations && annotations.some(
-      (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
-    )) {
-      return new OpInvalid(
-        "Subject mismatch between Core Profile and Profile Annotation",
-        resultOp
-      );
-    }
-    return resultOp;
+    return {
+      core,
+      annotations: validated.annotations,
+      media: validated.media
+    };
   });
   if (!isDecodedOps(resultOps)) {
     return new OpsInvalid("Invalid Originator Profile Set", resultOps);
@@ -939,10 +965,22 @@ function OpVerifier(paOrWmpIssuerKeys, vc, validator) {
   const cpKeys = cryptography.LocalKeys(jwks);
   return securingMechanism.JwtVcVerifier(cpKeys, issuer, validator);
 }
+function validateCertificateExpiry(verifiedVc) {
+  const now = /* @__PURE__ */ new Date();
+  const validFrom = verifiedVc.doc.validFrom ? new Date(verifiedVc.doc.validFrom) : null;
+  const validUntil = verifiedVc.doc.validUntil ? new Date(verifiedVc.doc.validUntil) : null;
+  if (validFrom && now < validFrom) {
+    return new CertificateExpired("Certificate not yet valid", verifiedVc);
+  }
+  if (validUntil && now > validUntil) {
+    return new CertificateExpired("Certificate expired", verifiedVc);
+  }
+  return verifiedVc;
+}
 async function verifyAnnotations(paIssuerKeys, annotations, validator) {
   if (!annotations) return;
   return await Promise.all(
-    annotations.map((annotation) => {
+    annotations.map(async (annotation) => {
       const verify = OpVerifier(
         paIssuerKeys,
         annotation,
@@ -950,18 +988,26 @@ async function verifyAnnotations(paIssuerKeys, annotations, validator) {
           oneOf: [model.Certificate, model.JapaneseExistenceCertificate]
         })
       );
-      return verify(annotation.source);
+      const result = await verify(annotation.source);
+      if (result instanceof Error) {
+        return result;
+      }
+      return validateCertificateExpiry(result);
     })
   );
 }
 async function verifyMedia(wmpIssuerKeys, media, validator) {
   if (!media) return;
-  const verify = OpVerifier(
-    wmpIssuerKeys,
-    media,
-    validator?.(model.WebMediaProfile)
+  return await Promise.all(
+    media.map((m) => {
+      const verify = OpVerifier(
+        wmpIssuerKeys,
+        m,
+        validator?.(model.WebMediaProfile)
+      );
+      return verify(m.source);
+    })
   );
-  return await verify(media.source);
 }
 const isVerifiedOps = (ops) => ops.every((op) => !(op instanceof OpVerifyFailed));
 function OpsVerifier(ops, keys, issuer, validator) {
@@ -995,7 +1041,7 @@ function OpsVerifier(ops, keys, issuer, validator) {
             resultOp
           );
         }
-        if (media instanceof Error) {
+        if (media && media.some((m) => m instanceof Error)) {
           return new OpVerifyFailed(
             "Web Media Profile verify failed",
             resultOp
@@ -1036,64 +1082,102 @@ class SiteProfileVerifyFailed extends Error {
   code = SiteProfileVerifyFailed.code;
 }
 
+const decodeWebsiteProfiles = (sp, opsVerified) => {
+  const wspSources = sp.sites || (sp.credential ? [sp.credential] : []);
+  if (wspSources.length === 0) {
+    return new SiteProfileInvalid("No Website Profile found", {
+      originators: opsVerified,
+      sites: []
+    });
+  }
+  const decodeWsp = securingMechanism.JwtVcDecoder();
+  const decodedWsps = wspSources.map(decodeWsp);
+  const decodeErrors = decodedWsps.filter((wsp) => wsp instanceof Error);
+  if (decodeErrors.length > 0) {
+    return new SiteProfileInvalid("Website Profile invalid", {
+      originators: opsVerified,
+      sites: decodeErrors
+    });
+  }
+  return {
+    decodedWsps,
+    wspSources
+  };
+};
 function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
   async function verify() {
     const verifyOps = OpsVerifier(sp.originators, keys, issuer, validator);
     const opsVerified = await verifyOps();
     if (opsVerified instanceof OpsInvalid) {
       return new SiteProfileInvalid("Originator Profile Set invalid", {
-        originators: opsVerified
+        originators: opsVerified,
+        sites: []
       });
     }
     if (opsVerified instanceof OpsVerifyFailed) {
       return new SiteProfileVerifyFailed(
         "Originator Profile Set verify failed",
-        { originators: opsVerified }
+        { originators: opsVerified, sites: [] }
       );
     }
-    const decodeWsp = securingMechanism.JwtVcDecoder();
-    const decodedWsp = decodeWsp(sp.credential);
-    if (decodedWsp instanceof Error) {
-      return new SiteProfileInvalid("Website Profile invalid", {
-        originators: opsVerified,
-        credential: decodedWsp
-      });
+    const decoded = decodeWebsiteProfiles(sp, opsVerified);
+    if (decoded instanceof SiteProfileInvalid) {
+      return decoded;
     }
-    const wspIssuer = decodedWsp.doc.issuer;
-    const cp = opsVerified.find(
-      (op) => op.core.doc.credentialSubject.id === wspIssuer
+    const { decodedWsps, wspSources } = decoded;
+    const verifiedWsps = await Promise.all(
+      decodedWsps.map(async (decodedWsp, index) => {
+        if (decodedWsp instanceof Error) {
+          return decodedWsp;
+        }
+        const wspIssuer = decodedWsp.doc.issuer;
+        const cp = opsVerified.find(
+          (op) => op.core.doc.credentialSubject.id === wspIssuer
+        );
+        if (!cp) {
+          return new CoreProfileNotFound(
+            `Missing Core Profile (${wspIssuer})`,
+            decodedWsp
+          );
+        }
+        const verifyWsp = securingMechanism.JwtVcVerifier(
+          cryptography.LocalKeys(cp.core.doc.credentialSubject.jwks),
+          cp.core.doc.credentialSubject.id,
+          validator?.(model.WebsiteProfile)
+        );
+        const verified = await verifyWsp(wspSources[index]);
+        if (verified instanceof Error) {
+          return verified;
+        }
+        if (verifyOrigin) {
+          const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
+          if (!verifyAllowedOrigin(origin, allowedOrigin)) {
+            return new Error("Origin not allowed");
+          }
+        }
+        return verified;
+      })
+    );
+    const hasCoreProfileNotFound = verifiedWsps.some(
+      (wsp) => wsp instanceof CoreProfileNotFound
     );
-    if (!cp) {
+    if (hasCoreProfileNotFound) {
       return new SiteProfileInvalid("Appropriate Core Profile not found", {
         originators: opsVerified,
-        credential: new CoreProfileNotFound(
-          `Missing Core Profile (${wspIssuer})`,
-          decodedWsp
-        )
+        sites: verifiedWsps
       });
     }
-    const verifyWsp = securingMechanism.JwtVcVerifier(
-      cryptography.LocalKeys(cp.core.doc.credentialSubject.jwks),
-      cp.core.doc.credentialSubject.id,
-      validator?.(model.WebsiteProfile)
-    );
-    const credential = await verifyWsp(sp.credential);
-    if (credential instanceof Error) {
+    const hasError = verifiedWsps.some((wsp) => wsp instanceof Error);
+    if (hasError) {
       return new SiteProfileVerifyFailed("Website Profile verify failed", {
         originators: opsVerified,
-        credential
+        sites: verifiedWsps
       });
     }
-    if (verifyOrigin) {
-      const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
-      if (!verifyAllowedOrigin(origin, allowedOrigin)) {
-        return new SiteProfileVerifyFailed("Origin not allowed", {
-          originators: opsVerified,
-          credential
-        });
-      }
-    }
-    return { originators: opsVerified, credential };
+    return {
+      originators: opsVerified,
+      sites: verifiedWsps
+    };
   }
   return verify;
 }
@@ -1161,6 +1245,7 @@ exports.CaInvalid = CaInvalid;
 exports.CaVerifier = CaVerifier;
 exports.CaVerifyFailed = CaVerifyFailed;
 exports.CasVerifyFailed = CasVerifyFailed;
+exports.CertificateExpired = CertificateExpired;
 exports.CertificationSystemValidationFailed = CertificationSystemValidationFailed;
 exports.CertificationSystemValidator = CertificationSystemValidator;
 exports.CoreProfileNotFound = CoreProfileNotFound;

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { JwtVcDecodingResult, JwtVcVerificationResult, UnverifiedJwtVc, VerifiedJwtVc, VcValidator } from '@originator-profile/securing-mechanism';
 import { ContentAttestation, Target, ContentAttestationSet, JwtOpPayload, JwtDpPayload, Op, Dp, OpVc, Jwk, CoreProfile, Certificate as Certificate$1, WebMediaProfile, WebsiteProfile, ArticleCA, JapaneseExistenceCertificate, OriginatorProfileSet, Jwks, SiteProfile, CertificationSystem, AllowedOrigin } from '@originator-profile/model';
+import { JwtVcDecodingResult, JwtVcVerificationResult, UnverifiedJwtVc, VerifiedJwtVc, VcValidator } from '@originator-profile/securing-mechanism';
 import { Keys } from '@originator-profile/cryptography';
 import { DigestSriContent, ContentFetcher, ElementSelector } from '@originator-profile/sign';
 import { ErrorObject } from 'ajv';
@@ -415,19 +415,36 @@ declare class OpVerifyFailed extends Error {
     readonly code: string;
     constructor(message: string, result: OpVerificationFailure);
 }
+/**
+ * 証明書の有効期限エラー
+ *
+ * 証明書の有効期限チェックに失敗しました。次の原因で使用されます。
+ *
+ * - 証明書の有効期限が開始していない (validFrom より前)
+ * - 証明書の有効期限が切れている (validUntil より後)
+ *
+ * なお、validFrom と validUntil はオプショナルフィールドのため、
+ * 片方のみが指定されている場合もあります。
+ **/
+declare class CertificateExpired<T extends OpVc> extends Error {
+    result: VerifiedJwtVc<T>;
+    static get code(): string;
+    readonly code: string;
+    constructor(message: string, result: VerifiedJwtVc<T>);
+}
 
 type Certificate = Certificate$1 | JapaneseExistenceCertificate;
 /** Originator Profile 復号失敗 */
 type OpDecodingFailure = {
     core: JwtVcDecodingResult<CoreProfile>;
     annotations?: JwtVcDecodingResult<Certificate>[];
-    media?: JwtVcDecodingResult<WebMediaProfile>;
+    media?: JwtVcDecodingResult<WebMediaProfile>[];
 };
 /** 復号済み Originator Profile */
 type DecodedOp = {
     core: UnverifiedJwtVc<CoreProfile>;
     annotations?: UnverifiedJwtVc<Certificate>[];
-    media: UnverifiedJwtVc<WebMediaProfile>;
+    media?: UnverifiedJwtVc<WebMediaProfile>[];
 };
 /** Originator Profile 復号結果 */
 type OpDecodingResult = DecodedOp | OpInvalid;
@@ -441,13 +458,13 @@ type OpsDecodingResult = DecodedOps | OpsInvalid;
 type OpVerificationFailure = {
     core: JwtVcVerificationResult<CoreProfile> | CoreProfileNotFound<CoreProfile>;
     annotations?: (JwtVcVerificationResult<Certificate> | CoreProfileNotFound<Certificate>)[];
-    media?: JwtVcVerificationResult<WebMediaProfile> | CoreProfileNotFound<WebMediaProfile>;
+    media?: (JwtVcVerificationResult<WebMediaProfile> | CoreProfileNotFound<WebMediaProfile>)[];
 };
 /** 検証済み Originator Profile */
 type VerifiedOp = {
     core: VerifiedJwtVc<CoreProfile>;
     annotations?: VerifiedJwtVc<Certificate>[];
-    media?: VerifiedJwtVc<WebMediaProfile>;
+    media?: VerifiedJwtVc<WebMediaProfile>[];
 };
 /** Originator Profile 検証結果 */
 type OpVerificationResult = VerifiedOp | OpVerifyFailed;
@@ -511,11 +528,11 @@ declare class SiteProfileVerifyFailed extends Error {
 /** Site Profile 検証失敗 */
 type SpVerificationFailure = {
     originators: OpsVerificationResult;
-    credential?: JwtVcVerificationResult<WebsiteProfile> | JwtVcDecodingResult<WebsiteProfile> | CoreProfileNotFound<WebsiteProfile>;
+    sites: (JwtVcVerificationResult<WebsiteProfile> | JwtVcDecodingResult<WebsiteProfile> | CoreProfileNotFound<WebsiteProfile>)[];
 };
 type VerifiedSp = {
     originators: VerifiedOps;
-    credential: VerifiedJwtVc<WebsiteProfile>;
+    sites: VerifiedJwtVc<WebsiteProfile>[];
 };
 type SpVerificationResult = VerifiedSp | SiteProfileInvalid | SiteProfileVerifyFailed;
 
@@ -549,4 +566,4 @@ declare function validateCertificationSystem(payload: unknown): CertificationSys
  */
 declare function verifyAllowedOrigin(origin: URL["origin"], allowedOrigins: AllowedOrigin): boolean;
 
-export { type AdProfilePair, type CaDecodingFailure, type CaDecodingResult, CaInvalid, type CaVerificationFailure, type CaVerificationResult, CaVerifier, CaVerifyFailed, type CasItem, type CasVerificationFailure, type CasVerificationResult, CasVerifyFailed, type Certificate, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, type DecodeResult, type DecodedCa, type DecodedOp, type DecodedOps, type IntegrityVerifyResult, type MappedKeys, type OpDecodingFailure, type OpDecodingResult, OpInvalid, type OpVerificationFailure, type OpVerificationResult, OpVerifyFailed, type OpsDecodingFailure, type OpsDecodingResult, OpsInvalid, type OpsVerificationFailure, type OpsVerificationResult, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, type ProfilePair, ProfileTokenVerifyFailed, type Profiles, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, type SpVerificationFailure, type SpVerificationResult, SpVerifier, TargetIntegrityAlgorithm, type TupledKeys, type VerifiedCa, type VerifiedCas, type VerifiedOp, type VerifiedOps, type VerifiedSp, type VerifyIntegrity, type VerifyResult, VerifyResultFactory, type VerifyResults, type VerifyTokenResult, type WebsiteProfilePair, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };
+export { type AdProfilePair, type CaDecodingFailure, type CaDecodingResult, CaInvalid, type CaVerificationFailure, type CaVerificationResult, CaVerifier, CaVerifyFailed, type CasItem, type CasVerificationFailure, type CasVerificationResult, CasVerifyFailed, type Certificate, CertificateExpired, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, type DecodeResult, type DecodedCa, type DecodedOp, type DecodedOps, type IntegrityVerifyResult, type MappedKeys, type OpDecodingFailure, type OpDecodingResult, OpInvalid, type OpVerificationFailure, type OpVerificationResult, OpVerifyFailed, type OpsDecodingFailure, type OpsDecodingResult, OpsInvalid, type OpsVerificationFailure, type OpsVerificationResult, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, type ProfilePair, ProfileTokenVerifyFailed, type Profiles, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, type SpVerificationFailure, type SpVerificationResult, SpVerifier, TargetIntegrityAlgorithm, type TupledKeys, type VerifiedCa, type VerifiedCas, type VerifiedOp, type VerifiedOps, type VerifiedSp, type VerifyIntegrity, type VerifyResult, VerifyResultFactory, type VerifyResults, type VerifyTokenResult, type WebsiteProfilePair, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { JwtVcDecodingResult, JwtVcVerificationResult, UnverifiedJwtVc, VerifiedJwtVc, VcValidator } from '@originator-profile/securing-mechanism';
 import { ContentAttestation, Target, ContentAttestationSet, JwtOpPayload, JwtDpPayload, Op, Dp, OpVc, Jwk, CoreProfile, Certificate as Certificate$1, WebMediaProfile, WebsiteProfile, ArticleCA, JapaneseExistenceCertificate, OriginatorProfileSet, Jwks, SiteProfile, CertificationSystem, AllowedOrigin } from '@originator-profile/model';
+import { JwtVcDecodingResult, JwtVcVerificationResult, UnverifiedJwtVc, VerifiedJwtVc, VcValidator } from '@originator-profile/securing-mechanism';
 import { Keys } from '@originator-profile/cryptography';
 import { DigestSriContent, ContentFetcher, ElementSelector } from '@originator-profile/sign';
 import { ErrorObject } from 'ajv';
@@ -415,19 +415,36 @@ declare class OpVerifyFailed extends Error {
     readonly code: string;
     constructor(message: string, result: OpVerificationFailure);
 }
+/**
+ * 証明書の有効期限エラー
+ *
+ * 証明書の有効期限チェックに失敗しました。次の原因で使用されます。
+ *
+ * - 証明書の有効期限が開始していない (validFrom より前)
+ * - 証明書の有効期限が切れている (validUntil より後)
+ *
+ * なお、validFrom と validUntil はオプショナルフィールドのため、
+ * 片方のみが指定されている場合もあります。
+ **/
+declare class CertificateExpired<T extends OpVc> extends Error {
+    result: VerifiedJwtVc<T>;
+    static get code(): string;
+    readonly code: string;
+    constructor(message: string, result: VerifiedJwtVc<T>);
+}
 
 type Certificate = Certificate$1 | JapaneseExistenceCertificate;
 /** Originator Profile 復号失敗 */
 type OpDecodingFailure = {
     core: JwtVcDecodingResult<CoreProfile>;
     annotations?: JwtVcDecodingResult<Certificate>[];
-    media?: JwtVcDecodingResult<WebMediaProfile>;
+    media?: JwtVcDecodingResult<WebMediaProfile>[];
 };
 /** 復号済み Originator Profile */
 type DecodedOp = {
     core: UnverifiedJwtVc<CoreProfile>;
     annotations?: UnverifiedJwtVc<Certificate>[];
-    media: UnverifiedJwtVc<WebMediaProfile>;
+    media?: UnverifiedJwtVc<WebMediaProfile>[];
 };
 /** Originator Profile 復号結果 */
 type OpDecodingResult = DecodedOp | OpInvalid;
@@ -441,13 +458,13 @@ type OpsDecodingResult = DecodedOps | OpsInvalid;
 type OpVerificationFailure = {
     core: JwtVcVerificationResult<CoreProfile> | CoreProfileNotFound<CoreProfile>;
     annotations?: (JwtVcVerificationResult<Certificate> | CoreProfileNotFound<Certificate>)[];
-    media?: JwtVcVerificationResult<WebMediaProfile> | CoreProfileNotFound<WebMediaProfile>;
+    media?: (JwtVcVerificationResult<WebMediaProfile> | CoreProfileNotFound<WebMediaProfile>)[];
 };
 /** 検証済み Originator Profile */
 type VerifiedOp = {
     core: VerifiedJwtVc<CoreProfile>;
     annotations?: VerifiedJwtVc<Certificate>[];
-    media?: VerifiedJwtVc<WebMediaProfile>;
+    media?: VerifiedJwtVc<WebMediaProfile>[];
 };
 /** Originator Profile 検証結果 */
 type OpVerificationResult = VerifiedOp | OpVerifyFailed;
@@ -511,11 +528,11 @@ declare class SiteProfileVerifyFailed extends Error {
 /** Site Profile 検証失敗 */
 type SpVerificationFailure = {
     originators: OpsVerificationResult;
-    credential?: JwtVcVerificationResult<WebsiteProfile> | JwtVcDecodingResult<WebsiteProfile> | CoreProfileNotFound<WebsiteProfile>;
+    sites: (JwtVcVerificationResult<WebsiteProfile> | JwtVcDecodingResult<WebsiteProfile> | CoreProfileNotFound<WebsiteProfile>)[];
 };
 type VerifiedSp = {
     originators: VerifiedOps;
-    credential: VerifiedJwtVc<WebsiteProfile>;
+    sites: VerifiedJwtVc<WebsiteProfile>[];
 };
 type SpVerificationResult = VerifiedSp | SiteProfileInvalid | SiteProfileVerifyFailed;
 
@@ -549,4 +566,4 @@ declare function validateCertificationSystem(payload: unknown): CertificationSys
  */
 declare function verifyAllowedOrigin(origin: URL["origin"], allowedOrigins: AllowedOrigin): boolean;
 
-export { type AdProfilePair, type CaDecodingFailure, type CaDecodingResult, CaInvalid, type CaVerificationFailure, type CaVerificationResult, CaVerifier, CaVerifyFailed, type CasItem, type CasVerificationFailure, type CasVerificationResult, CasVerifyFailed, type Certificate, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, type DecodeResult, type DecodedCa, type DecodedOp, type DecodedOps, type IntegrityVerifyResult, type MappedKeys, type OpDecodingFailure, type OpDecodingResult, OpInvalid, type OpVerificationFailure, type OpVerificationResult, OpVerifyFailed, type OpsDecodingFailure, type OpsDecodingResult, OpsInvalid, type OpsVerificationFailure, type OpsVerificationResult, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, type ProfilePair, ProfileTokenVerifyFailed, type Profiles, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, type SpVerificationFailure, type SpVerificationResult, SpVerifier, TargetIntegrityAlgorithm, type TupledKeys, type VerifiedCa, type VerifiedCas, type VerifiedOp, type VerifiedOps, type VerifiedSp, type VerifyIntegrity, type VerifyResult, VerifyResultFactory, type VerifyResults, type VerifyTokenResult, type WebsiteProfilePair, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };
+export { type AdProfilePair, type CaDecodingFailure, type CaDecodingResult, CaInvalid, type CaVerificationFailure, type CaVerificationResult, CaVerifier, CaVerifyFailed, type CasItem, type CasVerificationFailure, type CasVerificationResult, CasVerifyFailed, type Certificate, CertificateExpired, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, type DecodeResult, type DecodedCa, type DecodedOp, type DecodedOps, type IntegrityVerifyResult, type MappedKeys, type OpDecodingFailure, type OpDecodingResult, OpInvalid, type OpVerificationFailure, type OpVerificationResult, OpVerifyFailed, type OpsDecodingFailure, type OpsDecodingResult, OpsInvalid, type OpsVerificationFailure, type OpsVerificationResult, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, type ProfilePair, ProfileTokenVerifyFailed, type Profiles, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, type SpVerificationFailure, type SpVerificationResult, SpVerifier, TargetIntegrityAlgorithm, type TupledKeys, type VerifiedCa, type VerifiedCas, type VerifiedOp, type VerifiedOps, type VerifiedSp, type VerifyIntegrity, type VerifyResult, VerifyResultFactory, type VerifyResults, type VerifyTokenResult, type WebsiteProfilePair, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };

package/dist/index.mjs

@@ -24,34 +24,6 @@ class CaVerifyFailed extends Error {
   code = CaVerifyFailed.code;
 }
 
-function verifyAllowedOrigin(origin, allowedOrigins) {
-  if (origin === "null") {
-    return false;
-  }
-  return [allowedOrigins].flat().includes(origin);
-}
-
-async function importURLPatternPolyfill() {
-  if (typeof URLPattern === "undefined") {
-    await import('./index-CQxI_8IG.mjs');
-  }
-}
-function ReplaceEncode(url) {
-  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
-    return match.toUpperCase();
-  });
-}
-async function verifyAllowedUrl(url, allowedUrl) {
-  await importURLPatternPolyfill();
-  return [allowedUrl].flat().some((value) => {
-    if (!value) {
-      return false;
-    }
-    const pattern = new URLPattern(ReplaceEncode(value));
-    return pattern.test(ReplaceEncode(url));
-  });
-}
-
 const supportedHashAlgorithms = {
   /** SHA-256 hash algorithm */
   sha256: "SHA-256",
@@ -383,6 +355,34 @@ async function verifyIntegrity(content, doc = document, fetcher = fetch) {
   return await integrityVerifier.verify(content, doc);
 }
 
+function verifyAllowedOrigin(origin, allowedOrigins) {
+  if (origin === "null") {
+    return false;
+  }
+  return [allowedOrigins].flat().includes(origin);
+}
+
+async function importURLPatternPolyfill() {
+  if (typeof URLPattern === "undefined") {
+    await import('./index-CQxI_8IG.mjs');
+  }
+}
+function ReplaceEncode(url) {
+  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
+    return match.toUpperCase();
+  });
+}
+async function verifyAllowedUrl(url, allowedUrl) {
+  await importURLPatternPolyfill();
+  return [allowedUrl].flat().some((value) => {
+    if (!value) {
+      return false;
+    }
+    const pattern = new URLPattern(ReplaceEncode(value));
+    return pattern.test(ReplaceEncode(url));
+  });
+}
+
 async function checkUrlAndOrigin(result, url) {
   if (result.doc.allowedUrl && result.doc.allowedOrigin) {
     return new CaInvalid("allowedUrl and allowedOrigin are exclusive", result);
@@ -885,8 +885,44 @@ class OpVerifyFailed extends Error {
   }
   code = OpVerifyFailed.code;
 }
+class CertificateExpired extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_CERTIFICATE_EXPIRED";
+  }
+  code = CertificateExpired.code;
+}
 
 const isEveryDecodedPa = (annotations) => annotations.every((annotation) => "doc" in annotation);
+const isEveryDecodedWmp = (media) => media.every((m) => "doc" in m);
+const validateDecodedOp = (core, annotations, media, resultOp) => {
+  if (annotations && !isEveryDecodedPa(annotations)) {
+    return new OpInvalid("Profile Annotation decode failed", resultOp);
+  }
+  if (media && !isEveryDecodedWmp(media)) {
+    return new OpInvalid("Web Media Profile decode failed", resultOp);
+  }
+  if (media && media.some(
+    (m) => core.doc.credentialSubject.id !== m.doc.credentialSubject.id
+  )) {
+    return new OpInvalid(
+      "Subject mismatch between Core Profile and Web Media Profile",
+      resultOp
+    );
+  }
+  if (annotations && annotations.some(
+    (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
+  )) {
+    return new OpInvalid(
+      "Subject mismatch between Core Profile and Profile Annotation",
+      resultOp
+    );
+  }
+  return { type: "valid", annotations, media };
+};
 const isDecodedOps = (ops) => ops.every((op) => !(op instanceof OpInvalid));
 function decodeOps(ops) {
   const decodeCp = JwtVcDecoder();
@@ -895,32 +931,22 @@ function decodeOps(ops) {
   const resultOps = ops.map((op) => {
     const core = decodeCp(op.core);
     const annotations = op.annotations ? op.annotations.map(decodePa) : void 0;
-    const media = op.media ? decodeWmp(op.media) : void 0;
+    const mediaInput = op.media;
+    const mediaArray = mediaInput ? Array.isArray(mediaInput) ? mediaInput : [mediaInput] : void 0;
+    const media = mediaArray ? mediaArray.map(decodeWmp) : void 0;
     const resultOp = { core, annotations, media };
     if (core instanceof Error) {
       return new OpInvalid("Core Profile decode failed", resultOp);
     }
-    if (annotations && !isEveryDecodedPa(annotations)) {
-      return new OpInvalid("Profile Annotation decode failed", resultOp);
-    }
-    if (media instanceof Error) {
-      return new OpInvalid("Web Media Profile decode failed", resultOp);
-    }
-    if (media && core.doc.credentialSubject.id !== media.doc.credentialSubject.id) {
-      return new OpInvalid(
-        "Subject mismatch between Core Profile and Web Media Profile",
-        resultOp
-      );
+    const validated = validateDecodedOp(core, annotations, media, resultOp);
+    if (validated instanceof OpInvalid) {
+      return validated;
     }
-    if (annotations && annotations.some(
-      (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
-    )) {
-      return new OpInvalid(
-        "Subject mismatch between Core Profile and Profile Annotation",
-        resultOp
-      );
-    }
-    return resultOp;
+    return {
+      core,
+      annotations: validated.annotations,
+      media: validated.media
+    };
   });
   if (!isDecodedOps(resultOps)) {
     return new OpsInvalid("Invalid Originator Profile Set", resultOps);
@@ -937,10 +963,22 @@ function OpVerifier(paOrWmpIssuerKeys, vc, validator) {
   const cpKeys = LocalKeys(jwks);
   return JwtVcVerifier(cpKeys, issuer, validator);
 }
+function validateCertificateExpiry(verifiedVc) {
+  const now = /* @__PURE__ */ new Date();
+  const validFrom = verifiedVc.doc.validFrom ? new Date(verifiedVc.doc.validFrom) : null;
+  const validUntil = verifiedVc.doc.validUntil ? new Date(verifiedVc.doc.validUntil) : null;
+  if (validFrom && now < validFrom) {
+    return new CertificateExpired("Certificate not yet valid", verifiedVc);
+  }
+  if (validUntil && now > validUntil) {
+    return new CertificateExpired("Certificate expired", verifiedVc);
+  }
+  return verifiedVc;
+}
 async function verifyAnnotations(paIssuerKeys, annotations, validator) {
   if (!annotations) return;
   return await Promise.all(
-    annotations.map((annotation) => {
+    annotations.map(async (annotation) => {
       const verify = OpVerifier(
         paIssuerKeys,
         annotation,
@@ -948,18 +986,26 @@ async function verifyAnnotations(paIssuerKeys, annotations, validator) {
           oneOf: [Certificate, JapaneseExistenceCertificate]
         })
       );
-      return verify(annotation.source);
+      const result = await verify(annotation.source);
+      if (result instanceof Error) {
+        return result;
+      }
+      return validateCertificateExpiry(result);
     })
   );
 }
 async function verifyMedia(wmpIssuerKeys, media, validator) {
   if (!media) return;
-  const verify = OpVerifier(
-    wmpIssuerKeys,
-    media,
-    validator?.(WebMediaProfile)
+  return await Promise.all(
+    media.map((m) => {
+      const verify = OpVerifier(
+        wmpIssuerKeys,
+        m,
+        validator?.(WebMediaProfile)
+      );
+      return verify(m.source);
+    })
   );
-  return await verify(media.source);
 }
 const isVerifiedOps = (ops) => ops.every((op) => !(op instanceof OpVerifyFailed));
 function OpsVerifier(ops, keys, issuer, validator) {
@@ -993,7 +1039,7 @@ function OpsVerifier(ops, keys, issuer, validator) {
             resultOp
           );
         }
-        if (media instanceof Error) {
+        if (media && media.some((m) => m instanceof Error)) {
           return new OpVerifyFailed(
             "Web Media Profile verify failed",
             resultOp
@@ -1034,64 +1080,102 @@ class SiteProfileVerifyFailed extends Error {
   code = SiteProfileVerifyFailed.code;
 }
 
+const decodeWebsiteProfiles = (sp, opsVerified) => {
+  const wspSources = sp.sites || (sp.credential ? [sp.credential] : []);
+  if (wspSources.length === 0) {
+    return new SiteProfileInvalid("No Website Profile found", {
+      originators: opsVerified,
+      sites: []
+    });
+  }
+  const decodeWsp = JwtVcDecoder();
+  const decodedWsps = wspSources.map(decodeWsp);
+  const decodeErrors = decodedWsps.filter((wsp) => wsp instanceof Error);
+  if (decodeErrors.length > 0) {
+    return new SiteProfileInvalid("Website Profile invalid", {
+      originators: opsVerified,
+      sites: decodeErrors
+    });
+  }
+  return {
+    decodedWsps,
+    wspSources
+  };
+};
 function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
   async function verify() {
     const verifyOps = OpsVerifier(sp.originators, keys, issuer, validator);
     const opsVerified = await verifyOps();
     if (opsVerified instanceof OpsInvalid) {
       return new SiteProfileInvalid("Originator Profile Set invalid", {
-        originators: opsVerified
+        originators: opsVerified,
+        sites: []
       });
     }
     if (opsVerified instanceof OpsVerifyFailed) {
       return new SiteProfileVerifyFailed(
         "Originator Profile Set verify failed",
-        { originators: opsVerified }
+        { originators: opsVerified, sites: [] }
       );
     }
-    const decodeWsp = JwtVcDecoder();
-    const decodedWsp = decodeWsp(sp.credential);
-    if (decodedWsp instanceof Error) {
-      return new SiteProfileInvalid("Website Profile invalid", {
-        originators: opsVerified,
-        credential: decodedWsp
-      });
+    const decoded = decodeWebsiteProfiles(sp, opsVerified);
+    if (decoded instanceof SiteProfileInvalid) {
+      return decoded;
     }
-    const wspIssuer = decodedWsp.doc.issuer;
-    const cp = opsVerified.find(
-      (op) => op.core.doc.credentialSubject.id === wspIssuer
+    const { decodedWsps, wspSources } = decoded;
+    const verifiedWsps = await Promise.all(
+      decodedWsps.map(async (decodedWsp, index) => {
+        if (decodedWsp instanceof Error) {
+          return decodedWsp;
+        }
+        const wspIssuer = decodedWsp.doc.issuer;
+        const cp = opsVerified.find(
+          (op) => op.core.doc.credentialSubject.id === wspIssuer
+        );
+        if (!cp) {
+          return new CoreProfileNotFound(
+            `Missing Core Profile (${wspIssuer})`,
+            decodedWsp
+          );
+        }
+        const verifyWsp = JwtVcVerifier(
+          LocalKeys(cp.core.doc.credentialSubject.jwks),
+          cp.core.doc.credentialSubject.id,
+          validator?.(WebsiteProfile)
+        );
+        const verified = await verifyWsp(wspSources[index]);
+        if (verified instanceof Error) {
+          return verified;
+        }
+        if (verifyOrigin) {
+          const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
+          if (!verifyAllowedOrigin(origin, allowedOrigin)) {
+            return new Error("Origin not allowed");
+          }
+        }
+        return verified;
+      })
+    );
+    const hasCoreProfileNotFound = verifiedWsps.some(
+      (wsp) => wsp instanceof CoreProfileNotFound
     );
-    if (!cp) {
+    if (hasCoreProfileNotFound) {
       return new SiteProfileInvalid("Appropriate Core Profile not found", {
         originators: opsVerified,
-        credential: new CoreProfileNotFound(
-          `Missing Core Profile (${wspIssuer})`,
-          decodedWsp
-        )
+        sites: verifiedWsps
       });
     }
-    const verifyWsp = JwtVcVerifier(
-      LocalKeys(cp.core.doc.credentialSubject.jwks),
-      cp.core.doc.credentialSubject.id,
-      validator?.(WebsiteProfile)
-    );
-    const credential = await verifyWsp(sp.credential);
-    if (credential instanceof Error) {
+    const hasError = verifiedWsps.some((wsp) => wsp instanceof Error);
+    if (hasError) {
       return new SiteProfileVerifyFailed("Website Profile verify failed", {
         originators: opsVerified,
-        credential
+        sites: verifiedWsps
       });
     }
-    if (verifyOrigin) {
-      const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
-      if (!verifyAllowedOrigin(origin, allowedOrigin)) {
-        return new SiteProfileVerifyFailed("Origin not allowed", {
-          originators: opsVerified,
-          credential
-        });
-      }
-    }
-    return { originators: opsVerified, credential };
+    return {
+      originators: opsVerified,
+      sites: verifiedWsps
+    };
   }
   return verify;
 }
@@ -1155,4 +1239,4 @@ function validateCertificationSystem(payload) {
   return payload;
 }
 
-export { CaInvalid, CaVerifier, CaVerifyFailed, CasVerifyFailed, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, OpInvalid, OpVerifyFailed, OpsInvalid, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, ProfileTokenVerifyFailed, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, SpVerifier, TargetIntegrityAlgorithm, VerifyResultFactory, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };
+export { CaInvalid, CaVerifier, CaVerifyFailed, CasVerifyFailed, CertificateExpired, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, OpInvalid, OpVerifyFailed, OpsInvalid, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, ProfileTokenVerifyFailed, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, SpVerifier, TargetIntegrityAlgorithm, VerifyResultFactory, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@originator-profile/verify",
-  "version": "0.4.0",
+  "version": "0.5.0-beta.1",
   "license": "Apache-2.0",
   "homepage": "https://docs.originator-profile.org",
   "repository": {
@@ -34,11 +34,11 @@
     "ajv-formats": "^3.0.1",
     "jose": "^6.0.10",
     "jsonld": "^9.0.0",
-    "@originator-profile/core": "0.4.0",
-    "@originator-profile/cryptography": "0.4.0",
-    "@originator-profile/model": "0.4.0",
-    "@originator-profile/securing-mechanism": "0.4.0",
-    "@originator-profile/sign": "0.4.0"
+    "@originator-profile/cryptography": "0.5.0-beta.1",
+    "@originator-profile/model": "0.5.0-beta.1",
+    "@originator-profile/securing-mechanism": "0.5.0-beta.1",
+    "@originator-profile/core": "0.5.0-beta.1",
+    "@originator-profile/sign": "0.5.0-beta.1"
   },
   "devDependencies": {
     "@playwright/test": "^1.57.0",
@@ -54,8 +54,8 @@
     "vite": "^7.0.0",
     "vitest": "^4.0.0",
     "websri": "^1.0.1",
-    "@originator-profile/tsconfig": "0.4.0",
-    "eslint-config-originator-profile": "0.4.0"
+    "@originator-profile/tsconfig": "0.5.0-beta.1",
+    "eslint-config-originator-profile": "0.5.0-beta.1"
   },
   "scripts": {
     "build": "pkgroll --clean-dist --target=node20",