@originator-profile/verify 0.4.0 → 0.5.0-beta.2

package/dist/index.cjs

@@ -4,6 +4,7 @@ var securingMechanism = require('@originator-profile/securing-mechanism');
 var sign = require('@originator-profile/sign');
 var cryptography = require('@originator-profile/cryptography');
 var model = require('@originator-profile/model');
+var zod = require('zod');
 
 class CaInvalid extends Error {
   constructor(message, result) {
@@ -26,34 +27,6 @@ class CaVerifyFailed extends Error {
   code = CaVerifyFailed.code;
 }
 
-function verifyAllowedOrigin(origin, allowedOrigins) {
-  if (origin === "null") {
-    return false;
-  }
-  return [allowedOrigins].flat().includes(origin);
-}
-
-async function importURLPatternPolyfill() {
-  if (typeof URLPattern === "undefined") {
-    await Promise.resolve().then(function () { return require('./index-D-j8gXz_.cjs'); });
-  }
-}
-function ReplaceEncode(url) {
-  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
-    return match.toUpperCase();
-  });
-}
-async function verifyAllowedUrl(url, allowedUrl) {
-  await importURLPatternPolyfill();
-  return [allowedUrl].flat().some((value) => {
-    if (!value) {
-      return false;
-    }
-    const pattern = new URLPattern(ReplaceEncode(value));
-    return pattern.test(ReplaceEncode(url));
-  });
-}
-
 const supportedHashAlgorithms = {
   /** SHA-256 hash algorithm */
   sha256: "SHA-256",
@@ -328,12 +301,62 @@ async function createIntegrityMetadataSet(hashAlgorithms, data, options = {
   return new IntegrityMetadataSet(set, options);
 }
 
+const WARN_SUFFIX = `This will become an error after 2027. See: https://docs.originator-profile.org/en/opb/context/#the-image-datatype`;
 async function verifyDigestSri(content, fetcher = fetch) {
   const integrity = new IntegrityMetadataSet(content.digestSRI);
   const alg = integrity.strongestHashAlgorithms.filter(Boolean);
   if (alg.length === 0) return false;
-  const { digestSRI } = await sign.createDigestSri(alg[0], content, fetcher);
-  return integrity.match(digestSRI);
+  try {
+    const result = await sign.createDigestSri(alg[0], content, fetcher);
+    return "digestSRI" in result && integrity.match(result.digestSRI);
+  } catch (error) {
+    console.error(
+      "Failed to access content for digestSRI verification:",
+      error
+    );
+    return false;
+  }
+}
+async function verifyImageDigestSri(value, fetcher = fetch) {
+  if (!value) return;
+  if (!value.digestSRI) {
+    console.warn(`digestSRI is missing. ${WARN_SUFFIX}`);
+    return;
+  }
+  const valid = await verifyDigestSri(
+    { id: value.id, digestSRI: value.digestSRI },
+    fetcher
+  );
+  if (!valid) {
+    console.warn(`digestSRI verification failed. ${WARN_SUFFIX}`);
+  }
+}
+
+class IntegrityFetchFailed extends Error {
+  static get code() {
+    return "ERR_INTEGRITY_FETCH_FAILED";
+  }
+  code = IntegrityFetchFailed.code;
+  ok = false;
+  /** 取得結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class IntegrityVerificationFailed extends Error {
+  static get code() {
+    return "ERR_INTEGRITY_VERIFICATION_FAILED";
+  }
+  code = IntegrityVerificationFailed.code;
+  ok = false;
+  /** 取得結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
 }
 
 class IntegrityVerifier {
@@ -382,7 +405,47 @@ async function verifyIntegrity(content, doc = document, fetcher = fetch) {
     (content2) => contentFetcher(content2, fetcher),
     elementSelector
   );
-  return await integrityVerifier.verify(content, doc);
+  try {
+    return await integrityVerifier.verify(content, doc);
+  } catch (e) {
+    if (e instanceof sign.FetchFailed) {
+      return new IntegrityFetchFailed("Verify integrity failed", e.error);
+    }
+    return new IntegrityVerificationFailed("Verify integrity failed", e);
+  }
+}
+
+function verifyAllowedOrigin(origin, allowedOrigins) {
+  if (origin === "null") {
+    return false;
+  }
+  return [allowedOrigins].flat().includes(origin);
+}
+
+async function importURLPatternPolyfill() {
+  if (typeof URLPattern === "undefined") {
+    await Promise.resolve().then(function () { return require('./index-D-j8gXz_.cjs'); });
+  }
+}
+function ReplaceEncode(url) {
+  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
+    return match.toUpperCase();
+  });
+}
+async function verifyAllowedUrl(url, allowedUrl) {
+  await importURLPatternPolyfill();
+  return [allowedUrl].flat().some((value) => {
+    if (!value) {
+      return false;
+    }
+    try {
+      const pattern = new URLPattern(ReplaceEncode(value));
+      return pattern.test(ReplaceEncode(url));
+    } catch (e) {
+      console.error(`Invalid URLPattern: ${value} (url: ${url})`);
+    }
+    return false;
+  });
 }
 
 async function checkUrlAndOrigin(result, url) {
@@ -408,6 +471,32 @@ async function checkUrlAndOrigin(result, url) {
   }
   return result;
 }
+function checkIntegrityResults(integrityResults, urlResult) {
+  const fetchFailedResults = integrityResults.filter(
+    (r) => r.verifyResult instanceof Error && r.verifyResult.code === IntegrityFetchFailed.code
+  );
+  if (fetchFailedResults.length > 0) {
+    const failedIntegritiesMessage = fetchFailedResults.map((result) => {
+      return `target[${result.index}] Expected: ${result.expectedIntegrity}`;
+    }).join(", ");
+    return new CaVerifyFailed(
+      `Content Attestation Target integrity fetch failed for element(s): ${failedIntegritiesMessage}`,
+      urlResult
+    );
+  }
+  const verificationFailedResults = integrityResults.filter(
+    (r) => r.verifyResult instanceof Error && r.verifyResult.code === IntegrityVerificationFailed.code
+  );
+  if (verificationFailedResults.length > 0) {
+    const failedIntegritiesMessage = verificationFailedResults.map((result) => {
+      return `target[${result.index}] Expected: ${result.expectedIntegrity}`;
+    }).join(", ");
+    return new CaVerifyFailed(
+      `Content Attestation Target integrity verification failed for element(s): ${failedIntegritiesMessage}`,
+      urlResult
+    );
+  }
+}
 function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity, validator) {
   const verifyCa = securingMechanism.JwtVcVerifier(keys, issuer, validator);
   return async () => {
@@ -422,6 +511,9 @@ function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity,
     if (urlResult instanceof Error) {
       return urlResult;
     }
+    await verifyImageDigestSri(
+      urlResult.doc.credentialSubject.image
+    );
     if (urlResult.doc.target) {
       if (urlResult.doc.target.length === 0) {
         return new CaInvalid("Target is empty", urlResult);
@@ -433,12 +525,19 @@ function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity,
           expectedIntegrity: t.integrity
         }))
       );
-      const failedIndices = integrityResults.filter((result2) => !result2.verifyResult.valid).map((result2) => result2.index);
+      const error = checkIntegrityResults(integrityResults, urlResult);
+      if (error) {
+        return error;
+      }
+      const failedIndices = integrityResults.filter(
+        (result2) => !(result2.verifyResult instanceof Error) && !result2.verifyResult.valid
+      ).map((result2) => result2.index);
       if (failedIndices.length > 0) {
         const failedIntegritiesMessage = failedIndices.map((integrityResultIndex) => {
           const integrityResult = integrityResults[integrityResultIndex];
           if (integrityResult) {
-            const calculatedIntegrities = integrityResult.verifyResult.failedIntegrities.join();
+            const verifyResult = integrityResult.verifyResult;
+            const calculatedIntegrities = verifyResult.failedIntegrities.join();
             return `target[${integrityResultIndex}] Expected: ${integrityResult.expectedIntegrity}, Calculated: ${calculatedIntegrities}`;
           }
           return void 0;
@@ -514,91 +613,6 @@ async function verifyCas(cas, verifiedOps, url, verifyIntegrity, validator) {
   return resultCas;
 }
 
-class ProfileGenericError extends Error {
-  static get code() {
-    return "ERR_PROFILE_GENERIC";
-  }
-  code = ProfileGenericError.code;
-}
-class ProfileClaimsValidationFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
-  }
-  code = ProfileClaimsValidationFailed.code;
-  /** 復号結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfileTokenVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_TOKEN_VERIFY_FAILED";
-  }
-  code = ProfileTokenVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfileBodyExtractFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_BODY_EXTRACT_FAILED";
-  }
-  code = ProfileBodyExtractFailed.code;
-}
-class ProfileBodyVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_BODY_VERIFY_FAILED";
-  }
-  code = ProfileBodyVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfilesResolveFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILES_RESOLVE_FAILED";
-  }
-  code = ProfilesResolveFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfilesVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILES_VERIFY_FAILED";
-  }
-  code = ProfilesVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class CertificationSystemValidationFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
-  }
-  code = CertificationSystemValidationFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-
 var REMOVE = "remove";
 var REPLACE = "replace";
 var ADD = "add";
@@ -887,8 +901,44 @@ class OpVerifyFailed extends Error {
   }
   code = OpVerifyFailed.code;
 }
+class CertificateExpired extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_CERTIFICATE_EXPIRED";
+  }
+  code = CertificateExpired.code;
+}
 
 const isEveryDecodedPa = (annotations) => annotations.every((annotation) => "doc" in annotation);
+const isEveryDecodedWmp = (media) => media.every((m) => "doc" in m);
+const validateDecodedOp = (core, annotations, media, resultOp) => {
+  if (annotations && !isEveryDecodedPa(annotations)) {
+    return new OpInvalid("Profile Annotation decode failed", resultOp);
+  }
+  if (media && !isEveryDecodedWmp(media)) {
+    return new OpInvalid("Web Media Profile decode failed", resultOp);
+  }
+  if (media && media.some(
+    (m) => core.doc.credentialSubject.id !== m.doc.credentialSubject.id
+  )) {
+    return new OpInvalid(
+      "Subject mismatch between Core Profile and Web Media Profile",
+      resultOp
+    );
+  }
+  if (annotations && annotations.some(
+    (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
+  )) {
+    return new OpInvalid(
+      "Subject mismatch between Core Profile and Profile Annotation",
+      resultOp
+    );
+  }
+  return { type: "valid", annotations, media };
+};
 const isDecodedOps = (ops) => ops.every((op) => !(op instanceof OpInvalid));
 function decodeOps(ops) {
   const decodeCp = securingMechanism.JwtVcDecoder();
@@ -897,32 +947,22 @@ function decodeOps(ops) {
   const resultOps = ops.map((op) => {
     const core = decodeCp(op.core);
     const annotations = op.annotations ? op.annotations.map(decodePa) : void 0;
-    const media = op.media ? decodeWmp(op.media) : void 0;
+    const mediaInput = op.media;
+    const mediaArray = mediaInput ? Array.isArray(mediaInput) ? mediaInput : [mediaInput] : void 0;
+    const media = mediaArray ? mediaArray.map(decodeWmp) : void 0;
     const resultOp = { core, annotations, media };
     if (core instanceof Error) {
       return new OpInvalid("Core Profile decode failed", resultOp);
     }
-    if (annotations && !isEveryDecodedPa(annotations)) {
-      return new OpInvalid("Profile Annotation decode failed", resultOp);
-    }
-    if (media instanceof Error) {
-      return new OpInvalid("Web Media Profile decode failed", resultOp);
-    }
-    if (media && core.doc.credentialSubject.id !== media.doc.credentialSubject.id) {
-      return new OpInvalid(
-        "Subject mismatch between Core Profile and Web Media Profile",
-        resultOp
-      );
-    }
-    if (annotations && annotations.some(
-      (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
-    )) {
-      return new OpInvalid(
-        "Subject mismatch between Core Profile and Profile Annotation",
-        resultOp
-      );
+    const validated = validateDecodedOp(core, annotations, media, resultOp);
+    if (validated instanceof OpInvalid) {
+      return validated;
     }
-    return resultOp;
+    return {
+      core,
+      annotations: validated.annotations,
+      media: validated.media
+    };
   });
   if (!isDecodedOps(resultOps)) {
     return new OpsInvalid("Invalid Originator Profile Set", resultOps);
@@ -939,29 +979,59 @@ function OpVerifier(paOrWmpIssuerKeys, vc, validator) {
   const cpKeys = cryptography.LocalKeys(jwks);
   return securingMechanism.JwtVcVerifier(cpKeys, issuer, validator);
 }
+function validateCertificateExpiry(verifiedVc) {
+  const now = /* @__PURE__ */ new Date();
+  const validFrom = verifiedVc.doc.validFrom ? new Date(verifiedVc.doc.validFrom) : null;
+  const validUntil = verifiedVc.doc.validUntil ? new Date(verifiedVc.doc.validUntil) : null;
+  if (validFrom && now < validFrom) {
+    return new CertificateExpired("Certificate not yet valid", verifiedVc);
+  }
+  if (validUntil && now > validUntil) {
+    return new CertificateExpired("Certificate expired", verifiedVc);
+  }
+  return verifiedVc;
+}
 async function verifyAnnotations(paIssuerKeys, annotations, validator) {
   if (!annotations) return;
   return await Promise.all(
-    annotations.map((annotation) => {
+    annotations.map(async (annotation) => {
       const verify = OpVerifier(
         paIssuerKeys,
         annotation,
-        validator?.({
-          oneOf: [model.Certificate, model.JapaneseExistenceCertificate]
-        })
+        validator?.(zod.z.union([model.Certificate, model.JapaneseExistenceCertificate]))
+      );
+      const result = await verify(annotation.source);
+      if (result instanceof Error) {
+        return result;
+      }
+      const valid = validateCertificateExpiry(result);
+      if (valid instanceof CertificateExpired) {
+        return valid;
+      }
+      await verifyImageDigestSri(
+        valid.doc.credentialSubject.image
       );
-      return verify(annotation.source);
+      return valid;
     })
   );
 }
 async function verifyMedia(wmpIssuerKeys, media, validator) {
   if (!media) return;
-  const verify = OpVerifier(
-    wmpIssuerKeys,
-    media,
-    validator?.(model.WebMediaProfile)
+  return await Promise.all(
+    media.map(async (m) => {
+      const verify = OpVerifier(
+        wmpIssuerKeys,
+        m,
+        validator?.(model.WebMediaProfile)
+      );
+      const result = await verify(m.source);
+      if (result instanceof Error) {
+        return result;
+      }
+      await verifyImageDigestSri(result.doc.credentialSubject.logo);
+      return result;
+    })
   );
-  return await verify(media.source);
 }
 const isVerifiedOps = (ops) => ops.every((op) => !(op instanceof OpVerifyFailed));
 function OpsVerifier(ops, keys, issuer, validator) {
@@ -995,7 +1065,7 @@ function OpsVerifier(ops, keys, issuer, validator) {
             resultOp
           );
         }
-        if (media instanceof Error) {
+        if (media && media.some((m) => m instanceof Error)) {
           return new OpVerifyFailed(
             "Web Media Profile verify failed",
             resultOp
@@ -1036,146 +1106,120 @@ class SiteProfileVerifyFailed extends Error {
   code = SiteProfileVerifyFailed.code;
 }
 
+const decodeWebsiteProfiles = (sp, opsVerified) => {
+  const wspSources = sp.sites || (sp.credential ? [sp.credential] : []);
+  if (wspSources.length === 0) {
+    return new SiteProfileInvalid("No Website Profile found", {
+      originators: opsVerified,
+      sites: []
+    });
+  }
+  const decodeWsp = securingMechanism.JwtVcDecoder();
+  const decodedWsps = wspSources.map(decodeWsp);
+  const decodeErrors = decodedWsps.filter((wsp) => wsp instanceof Error);
+  if (decodeErrors.length > 0) {
+    return new SiteProfileInvalid("Website Profile invalid", {
+      originators: opsVerified,
+      sites: decodeErrors
+    });
+  }
+  return {
+    decodedWsps,
+    wspSources
+  };
+};
 function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
   async function verify() {
     const verifyOps = OpsVerifier(sp.originators, keys, issuer, validator);
     const opsVerified = await verifyOps();
     if (opsVerified instanceof OpsInvalid) {
       return new SiteProfileInvalid("Originator Profile Set invalid", {
-        originators: opsVerified
+        originators: opsVerified,
+        sites: []
       });
     }
     if (opsVerified instanceof OpsVerifyFailed) {
       return new SiteProfileVerifyFailed(
         "Originator Profile Set verify failed",
-        { originators: opsVerified }
+        { originators: opsVerified, sites: [] }
       );
     }
-    const decodeWsp = securingMechanism.JwtVcDecoder();
-    const decodedWsp = decodeWsp(sp.credential);
-    if (decodedWsp instanceof Error) {
-      return new SiteProfileInvalid("Website Profile invalid", {
-        originators: opsVerified,
-        credential: decodedWsp
-      });
+    const decoded = decodeWebsiteProfiles(sp, opsVerified);
+    if (decoded instanceof SiteProfileInvalid) {
+      return decoded;
     }
-    const wspIssuer = decodedWsp.doc.issuer;
-    const cp = opsVerified.find(
-      (op) => op.core.doc.credentialSubject.id === wspIssuer
+    const { decodedWsps, wspSources } = decoded;
+    const verifiedWsps = await Promise.all(
+      decodedWsps.map(async (decodedWsp, index) => {
+        if (decodedWsp instanceof Error) {
+          return decodedWsp;
+        }
+        const wspIssuer = decodedWsp.doc.issuer;
+        const cp = opsVerified.find(
+          (op) => op.core.doc.credentialSubject.id === wspIssuer
+        );
+        if (!cp) {
+          return new CoreProfileNotFound(
+            `Missing Core Profile (${wspIssuer})`,
+            decodedWsp
+          );
+        }
+        const verifyWsp = securingMechanism.JwtVcVerifier(
+          cryptography.LocalKeys(cp.core.doc.credentialSubject.jwks),
+          cp.core.doc.credentialSubject.id,
+          validator?.(model.WebsiteProfile)
+        );
+        const verified = await verifyWsp(wspSources[index]);
+        if (verified instanceof Error) {
+          return verified;
+        }
+        if (verifyOrigin) {
+          const allowedOrigin = "allowedOrigin" in verified.doc.credentialSubject ? verified.doc.credentialSubject.allowedOrigin : verified.doc.credentialSubject.url;
+          if (!verifyAllowedOrigin(origin, allowedOrigin)) {
+            return new Error("Origin not allowed");
+          }
+        }
+        await verifyImageDigestSri(verified.doc.credentialSubject.image);
+        return verified;
+      })
     );
-    if (!cp) {
+    const hasCoreProfileNotFound = verifiedWsps.some(
+      (wsp) => wsp instanceof CoreProfileNotFound
+    );
+    if (hasCoreProfileNotFound) {
       return new SiteProfileInvalid("Appropriate Core Profile not found", {
         originators: opsVerified,
-        credential: new CoreProfileNotFound(
-          `Missing Core Profile (${wspIssuer})`,
-          decodedWsp
-        )
+        sites: verifiedWsps
       });
     }
-    const verifyWsp = securingMechanism.JwtVcVerifier(
-      cryptography.LocalKeys(cp.core.doc.credentialSubject.jwks),
-      cp.core.doc.credentialSubject.id,
-      validator?.(model.WebsiteProfile)
-    );
-    const credential = await verifyWsp(sp.credential);
-    if (credential instanceof Error) {
+    const hasError = verifiedWsps.some((wsp) => wsp instanceof Error);
+    if (hasError) {
       return new SiteProfileVerifyFailed("Website Profile verify failed", {
         originators: opsVerified,
-        credential
+        sites: verifiedWsps
       });
     }
-    if (verifyOrigin) {
-      const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
-      if (!verifyAllowedOrigin(origin, allowedOrigin)) {
-        return new SiteProfileVerifyFailed("Origin not allowed", {
-          originators: opsVerified,
-          credential
-        });
-      }
-    }
-    return { originators: opsVerified, credential };
+    return {
+      originators: opsVerified,
+      sites: verifiedWsps
+    };
   }
   return verify;
 }
 
-var objectTypeof = typeOf;
-function typeOf(obj) {
-  if (obj === null) {
-    return "null";
-  }
-  if (obj !== Object(obj)) {
-    return typeof obj;
-  }
-  var result = {}.toString.call(obj).slice(8, -1).toLowerCase();
-  return result.indexOf("function") > -1 ? "function" : result;
-}
-
-function CertificationSystemValidator() {
-  return function validate(payload) {
-    if (objectTypeof(payload) !== "object") {
-      return new CertificationSystemValidationFailed("should be an object", {
-        payload
-      });
-    }
-    const keys = Object.keys(payload);
-    const entries = Object.entries(payload);
-    if (!model.CertificationSystem.required.every((k) => keys.includes(k))) {
-      return new CertificationSystemValidationFailed(
-        "should be contain required properties",
-        { payload }
-      );
-    }
-    for (const entry of entries) {
-      const [key, value] = entry;
-      const propertySchema = model.CertificationSystem.properties[key];
-      if (objectTypeof(propertySchema) !== "object") {
-        return new CertificationSystemValidationFailed(
-          "should not contain additional properties",
-          { payload }
-        );
-      }
-      if ("const" in propertySchema && value !== propertySchema.const)
-        return new CertificationSystemValidationFailed(
-          `should be contain value of '${value}' in '${key}' property`,
-          { payload }
-        );
-      if ("type" in propertySchema && typeof value !== propertySchema.type)
-        return new CertificationSystemValidationFailed(
-          `should be contain ${propertySchema.type} value in '${key}' property`,
-          { payload }
-        );
-    }
-    return true;
-  };
-}
-function validateCertificationSystem(payload) {
-  const validator = CertificationSystemValidator();
-  const result = validator(payload);
-  if (result !== true) {
-    return result;
-  }
-  return payload;
-}
-
 exports.CaInvalid = CaInvalid;
 exports.CaVerifier = CaVerifier;
 exports.CaVerifyFailed = CaVerifyFailed;
 exports.CasVerifyFailed = CasVerifyFailed;
-exports.CertificationSystemValidationFailed = CertificationSystemValidationFailed;
-exports.CertificationSystemValidator = CertificationSystemValidator;
+exports.CertificateExpired = CertificateExpired;
 exports.CoreProfileNotFound = CoreProfileNotFound;
+exports.IntegrityFetchFailed = IntegrityFetchFailed;
+exports.IntegrityVerificationFailed = IntegrityVerificationFailed;
 exports.OpInvalid = OpInvalid;
 exports.OpVerifyFailed = OpVerifyFailed;
 exports.OpsInvalid = OpsInvalid;
 exports.OpsVerifier = OpsVerifier;
 exports.OpsVerifyFailed = OpsVerifyFailed;
-exports.ProfileBodyExtractFailed = ProfileBodyExtractFailed;
-exports.ProfileBodyVerifyFailed = ProfileBodyVerifyFailed;
-exports.ProfileClaimsValidationFailed = ProfileClaimsValidationFailed;
-exports.ProfileGenericError = ProfileGenericError;
-exports.ProfileTokenVerifyFailed = ProfileTokenVerifyFailed;
-exports.ProfilesResolveFailed = ProfilesResolveFailed;
-exports.ProfilesVerifyFailed = ProfilesVerifyFailed;
 exports.SiteProfileInvalid = SiteProfileInvalid;
 exports.SiteProfileVerifyFailed = SiteProfileVerifyFailed;
 exports.SpVerifier = SpVerifier;
@@ -1192,10 +1236,10 @@ exports.getTupledKeys = getTupledKeys;
 exports.normalizeCasItem = normalizeCasItem;
 exports.opId = opId;
 exports.patch = patch;
-exports.validateCertificationSystem = validateCertificationSystem;
 exports.verifyAllowedOrigin = verifyAllowedOrigin;
 exports.verifyCas = verifyCas;
 exports.verifyDigestSri = verifyDigestSri;
+exports.verifyImageDigestSri = verifyImageDigestSri;
 exports.verifyIntegrity = verifyIntegrity;
 exports.wmp = wmp;
 exports.wsp = wsp;