@originator-profile/verify 0.4.0 → 0.5.0-beta.2

package/dist/index.mjs

@@ -1,7 +1,8 @@
 import { JwtVcVerifier, VcValidateFailed, VcVerifyFailed, JwtVcDecoder } from '@originator-profile/securing-mechanism';
-import { createDigestSri, selectByIntegrity, fetchExternalResource, selectByCss, fetchVisibleTextContent, fetchTextContent, fetchHtmlContent } from '@originator-profile/sign';
+import { createDigestSri, selectByIntegrity, fetchExternalResource, selectByCss, fetchVisibleTextContent, fetchTextContent, fetchHtmlContent, FetchFailed } from '@originator-profile/sign';
 import { LocalKeys } from '@originator-profile/cryptography';
-import { ContentAttestation, CoreProfile, Certificate, JapaneseExistenceCertificate, WebMediaProfile, WebsiteProfile, CertificationSystem } from '@originator-profile/model';
+import { ContentAttestation, CoreProfile, Certificate, JapaneseExistenceCertificate, WebMediaProfile, WebsiteProfile } from '@originator-profile/model';
+import { z } from 'zod';
 
 class CaInvalid extends Error {
   constructor(message, result) {
@@ -24,34 +25,6 @@ class CaVerifyFailed extends Error {
   code = CaVerifyFailed.code;
 }
 
-function verifyAllowedOrigin(origin, allowedOrigins) {
-  if (origin === "null") {
-    return false;
-  }
-  return [allowedOrigins].flat().includes(origin);
-}
-
-async function importURLPatternPolyfill() {
-  if (typeof URLPattern === "undefined") {
-    await import('./index-CQxI_8IG.mjs');
-  }
-}
-function ReplaceEncode(url) {
-  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
-    return match.toUpperCase();
-  });
-}
-async function verifyAllowedUrl(url, allowedUrl) {
-  await importURLPatternPolyfill();
-  return [allowedUrl].flat().some((value) => {
-    if (!value) {
-      return false;
-    }
-    const pattern = new URLPattern(ReplaceEncode(value));
-    return pattern.test(ReplaceEncode(url));
-  });
-}
-
 const supportedHashAlgorithms = {
   /** SHA-256 hash algorithm */
   sha256: "SHA-256",
@@ -326,12 +299,62 @@ async function createIntegrityMetadataSet(hashAlgorithms, data, options = {
   return new IntegrityMetadataSet(set, options);
 }
 
+const WARN_SUFFIX = `This will become an error after 2027. See: https://docs.originator-profile.org/en/opb/context/#the-image-datatype`;
 async function verifyDigestSri(content, fetcher = fetch) {
   const integrity = new IntegrityMetadataSet(content.digestSRI);
   const alg = integrity.strongestHashAlgorithms.filter(Boolean);
   if (alg.length === 0) return false;
-  const { digestSRI } = await createDigestSri(alg[0], content, fetcher);
-  return integrity.match(digestSRI);
+  try {
+    const result = await createDigestSri(alg[0], content, fetcher);
+    return "digestSRI" in result && integrity.match(result.digestSRI);
+  } catch (error) {
+    console.error(
+      "Failed to access content for digestSRI verification:",
+      error
+    );
+    return false;
+  }
+}
+async function verifyImageDigestSri(value, fetcher = fetch) {
+  if (!value) return;
+  if (!value.digestSRI) {
+    console.warn(`digestSRI is missing. ${WARN_SUFFIX}`);
+    return;
+  }
+  const valid = await verifyDigestSri(
+    { id: value.id, digestSRI: value.digestSRI },
+    fetcher
+  );
+  if (!valid) {
+    console.warn(`digestSRI verification failed. ${WARN_SUFFIX}`);
+  }
+}
+
+class IntegrityFetchFailed extends Error {
+  static get code() {
+    return "ERR_INTEGRITY_FETCH_FAILED";
+  }
+  code = IntegrityFetchFailed.code;
+  ok = false;
+  /** 取得結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class IntegrityVerificationFailed extends Error {
+  static get code() {
+    return "ERR_INTEGRITY_VERIFICATION_FAILED";
+  }
+  code = IntegrityVerificationFailed.code;
+  ok = false;
+  /** 取得結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
 }
 
 class IntegrityVerifier {
@@ -380,7 +403,47 @@ async function verifyIntegrity(content, doc = document, fetcher = fetch) {
     (content2) => contentFetcher(content2, fetcher),
     elementSelector
   );
-  return await integrityVerifier.verify(content, doc);
+  try {
+    return await integrityVerifier.verify(content, doc);
+  } catch (e) {
+    if (e instanceof FetchFailed) {
+      return new IntegrityFetchFailed("Verify integrity failed", e.error);
+    }
+    return new IntegrityVerificationFailed("Verify integrity failed", e);
+  }
+}
+
+function verifyAllowedOrigin(origin, allowedOrigins) {
+  if (origin === "null") {
+    return false;
+  }
+  return [allowedOrigins].flat().includes(origin);
+}
+
+async function importURLPatternPolyfill() {
+  if (typeof URLPattern === "undefined") {
+    await import('./index-CQxI_8IG.mjs');
+  }
+}
+function ReplaceEncode(url) {
+  return url.replace(/(%[0-9a-f]{2}?)+/g, function(match) {
+    return match.toUpperCase();
+  });
+}
+async function verifyAllowedUrl(url, allowedUrl) {
+  await importURLPatternPolyfill();
+  return [allowedUrl].flat().some((value) => {
+    if (!value) {
+      return false;
+    }
+    try {
+      const pattern = new URLPattern(ReplaceEncode(value));
+      return pattern.test(ReplaceEncode(url));
+    } catch (e) {
+      console.error(`Invalid URLPattern: ${value} (url: ${url})`);
+    }
+    return false;
+  });
 }
 
 async function checkUrlAndOrigin(result, url) {
@@ -406,6 +469,32 @@ async function checkUrlAndOrigin(result, url) {
   }
   return result;
 }
+function checkIntegrityResults(integrityResults, urlResult) {
+  const fetchFailedResults = integrityResults.filter(
+    (r) => r.verifyResult instanceof Error && r.verifyResult.code === IntegrityFetchFailed.code
+  );
+  if (fetchFailedResults.length > 0) {
+    const failedIntegritiesMessage = fetchFailedResults.map((result) => {
+      return `target[${result.index}] Expected: ${result.expectedIntegrity}`;
+    }).join(", ");
+    return new CaVerifyFailed(
+      `Content Attestation Target integrity fetch failed for element(s): ${failedIntegritiesMessage}`,
+      urlResult
+    );
+  }
+  const verificationFailedResults = integrityResults.filter(
+    (r) => r.verifyResult instanceof Error && r.verifyResult.code === IntegrityVerificationFailed.code
+  );
+  if (verificationFailedResults.length > 0) {
+    const failedIntegritiesMessage = verificationFailedResults.map((result) => {
+      return `target[${result.index}] Expected: ${result.expectedIntegrity}`;
+    }).join(", ");
+    return new CaVerifyFailed(
+      `Content Attestation Target integrity verification failed for element(s): ${failedIntegritiesMessage}`,
+      urlResult
+    );
+  }
+}
 function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity, validator) {
   const verifyCa = JwtVcVerifier(keys, issuer, validator);
   return async () => {
@@ -420,6 +509,9 @@ function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity,
     if (urlResult instanceof Error) {
       return urlResult;
     }
+    await verifyImageDigestSri(
+      urlResult.doc.credentialSubject.image
+    );
     if (urlResult.doc.target) {
       if (urlResult.doc.target.length === 0) {
         return new CaInvalid("Target is empty", urlResult);
@@ -431,12 +523,19 @@ function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity,
           expectedIntegrity: t.integrity
         }))
       );
-      const failedIndices = integrityResults.filter((result2) => !result2.verifyResult.valid).map((result2) => result2.index);
+      const error = checkIntegrityResults(integrityResults, urlResult);
+      if (error) {
+        return error;
+      }
+      const failedIndices = integrityResults.filter(
+        (result2) => !(result2.verifyResult instanceof Error) && !result2.verifyResult.valid
+      ).map((result2) => result2.index);
       if (failedIndices.length > 0) {
         const failedIntegritiesMessage = failedIndices.map((integrityResultIndex) => {
           const integrityResult = integrityResults[integrityResultIndex];
           if (integrityResult) {
-            const calculatedIntegrities = integrityResult.verifyResult.failedIntegrities.join();
+            const verifyResult = integrityResult.verifyResult;
+            const calculatedIntegrities = verifyResult.failedIntegrities.join();
             return `target[${integrityResultIndex}] Expected: ${integrityResult.expectedIntegrity}, Calculated: ${calculatedIntegrities}`;
           }
           return void 0;
@@ -512,91 +611,6 @@ async function verifyCas(cas, verifiedOps, url, verifyIntegrity, validator) {
   return resultCas;
 }
 
-class ProfileGenericError extends Error {
-  static get code() {
-    return "ERR_PROFILE_GENERIC";
-  }
-  code = ProfileGenericError.code;
-}
-class ProfileClaimsValidationFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
-  }
-  code = ProfileClaimsValidationFailed.code;
-  /** 復号結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfileTokenVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_TOKEN_VERIFY_FAILED";
-  }
-  code = ProfileTokenVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfileBodyExtractFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_BODY_EXTRACT_FAILED";
-  }
-  code = ProfileBodyExtractFailed.code;
-}
-class ProfileBodyVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_BODY_VERIFY_FAILED";
-  }
-  code = ProfileBodyVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfilesResolveFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILES_RESOLVE_FAILED";
-  }
-  code = ProfilesResolveFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfilesVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILES_VERIFY_FAILED";
-  }
-  code = ProfilesVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class CertificationSystemValidationFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
-  }
-  code = CertificationSystemValidationFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-
 var REMOVE = "remove";
 var REPLACE = "replace";
 var ADD = "add";
@@ -885,8 +899,44 @@ class OpVerifyFailed extends Error {
   }
   code = OpVerifyFailed.code;
 }
+class CertificateExpired extends Error {
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+  static get code() {
+    return "ERR_CERTIFICATE_EXPIRED";
+  }
+  code = CertificateExpired.code;
+}
 
 const isEveryDecodedPa = (annotations) => annotations.every((annotation) => "doc" in annotation);
+const isEveryDecodedWmp = (media) => media.every((m) => "doc" in m);
+const validateDecodedOp = (core, annotations, media, resultOp) => {
+  if (annotations && !isEveryDecodedPa(annotations)) {
+    return new OpInvalid("Profile Annotation decode failed", resultOp);
+  }
+  if (media && !isEveryDecodedWmp(media)) {
+    return new OpInvalid("Web Media Profile decode failed", resultOp);
+  }
+  if (media && media.some(
+    (m) => core.doc.credentialSubject.id !== m.doc.credentialSubject.id
+  )) {
+    return new OpInvalid(
+      "Subject mismatch between Core Profile and Web Media Profile",
+      resultOp
+    );
+  }
+  if (annotations && annotations.some(
+    (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
+  )) {
+    return new OpInvalid(
+      "Subject mismatch between Core Profile and Profile Annotation",
+      resultOp
+    );
+  }
+  return { type: "valid", annotations, media };
+};
 const isDecodedOps = (ops) => ops.every((op) => !(op instanceof OpInvalid));
 function decodeOps(ops) {
   const decodeCp = JwtVcDecoder();
@@ -895,32 +945,22 @@ function decodeOps(ops) {
   const resultOps = ops.map((op) => {
     const core = decodeCp(op.core);
     const annotations = op.annotations ? op.annotations.map(decodePa) : void 0;
-    const media = op.media ? decodeWmp(op.media) : void 0;
+    const mediaInput = op.media;
+    const mediaArray = mediaInput ? Array.isArray(mediaInput) ? mediaInput : [mediaInput] : void 0;
+    const media = mediaArray ? mediaArray.map(decodeWmp) : void 0;
     const resultOp = { core, annotations, media };
     if (core instanceof Error) {
       return new OpInvalid("Core Profile decode failed", resultOp);
     }
-    if (annotations && !isEveryDecodedPa(annotations)) {
-      return new OpInvalid("Profile Annotation decode failed", resultOp);
-    }
-    if (media instanceof Error) {
-      return new OpInvalid("Web Media Profile decode failed", resultOp);
-    }
-    if (media && core.doc.credentialSubject.id !== media.doc.credentialSubject.id) {
-      return new OpInvalid(
-        "Subject mismatch between Core Profile and Web Media Profile",
-        resultOp
-      );
-    }
-    if (annotations && annotations.some(
-      (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
-    )) {
-      return new OpInvalid(
-        "Subject mismatch between Core Profile and Profile Annotation",
-        resultOp
-      );
+    const validated = validateDecodedOp(core, annotations, media, resultOp);
+    if (validated instanceof OpInvalid) {
+      return validated;
     }
-    return resultOp;
+    return {
+      core,
+      annotations: validated.annotations,
+      media: validated.media
+    };
   });
   if (!isDecodedOps(resultOps)) {
     return new OpsInvalid("Invalid Originator Profile Set", resultOps);
@@ -937,29 +977,59 @@ function OpVerifier(paOrWmpIssuerKeys, vc, validator) {
   const cpKeys = LocalKeys(jwks);
   return JwtVcVerifier(cpKeys, issuer, validator);
 }
+function validateCertificateExpiry(verifiedVc) {
+  const now = /* @__PURE__ */ new Date();
+  const validFrom = verifiedVc.doc.validFrom ? new Date(verifiedVc.doc.validFrom) : null;
+  const validUntil = verifiedVc.doc.validUntil ? new Date(verifiedVc.doc.validUntil) : null;
+  if (validFrom && now < validFrom) {
+    return new CertificateExpired("Certificate not yet valid", verifiedVc);
+  }
+  if (validUntil && now > validUntil) {
+    return new CertificateExpired("Certificate expired", verifiedVc);
+  }
+  return verifiedVc;
+}
 async function verifyAnnotations(paIssuerKeys, annotations, validator) {
   if (!annotations) return;
   return await Promise.all(
-    annotations.map((annotation) => {
+    annotations.map(async (annotation) => {
       const verify = OpVerifier(
         paIssuerKeys,
         annotation,
-        validator?.({
-          oneOf: [Certificate, JapaneseExistenceCertificate]
-        })
+        validator?.(z.union([Certificate, JapaneseExistenceCertificate]))
+      );
+      const result = await verify(annotation.source);
+      if (result instanceof Error) {
+        return result;
+      }
+      const valid = validateCertificateExpiry(result);
+      if (valid instanceof CertificateExpired) {
+        return valid;
+      }
+      await verifyImageDigestSri(
+        valid.doc.credentialSubject.image
       );
-      return verify(annotation.source);
+      return valid;
     })
   );
 }
 async function verifyMedia(wmpIssuerKeys, media, validator) {
   if (!media) return;
-  const verify = OpVerifier(
-    wmpIssuerKeys,
-    media,
-    validator?.(WebMediaProfile)
+  return await Promise.all(
+    media.map(async (m) => {
+      const verify = OpVerifier(
+        wmpIssuerKeys,
+        m,
+        validator?.(WebMediaProfile)
+      );
+      const result = await verify(m.source);
+      if (result instanceof Error) {
+        return result;
+      }
+      await verifyImageDigestSri(result.doc.credentialSubject.logo);
+      return result;
+    })
   );
-  return await verify(media.source);
 }
 const isVerifiedOps = (ops) => ops.every((op) => !(op instanceof OpVerifyFailed));
 function OpsVerifier(ops, keys, issuer, validator) {
@@ -993,7 +1063,7 @@ function OpsVerifier(ops, keys, issuer, validator) {
             resultOp
           );
         }
-        if (media instanceof Error) {
+        if (media && media.some((m) => m instanceof Error)) {
           return new OpVerifyFailed(
             "Web Media Profile verify failed",
             resultOp
@@ -1034,125 +1104,105 @@ class SiteProfileVerifyFailed extends Error {
   code = SiteProfileVerifyFailed.code;
 }
 
+const decodeWebsiteProfiles = (sp, opsVerified) => {
+  const wspSources = sp.sites || (sp.credential ? [sp.credential] : []);
+  if (wspSources.length === 0) {
+    return new SiteProfileInvalid("No Website Profile found", {
+      originators: opsVerified,
+      sites: []
+    });
+  }
+  const decodeWsp = JwtVcDecoder();
+  const decodedWsps = wspSources.map(decodeWsp);
+  const decodeErrors = decodedWsps.filter((wsp) => wsp instanceof Error);
+  if (decodeErrors.length > 0) {
+    return new SiteProfileInvalid("Website Profile invalid", {
+      originators: opsVerified,
+      sites: decodeErrors
+    });
+  }
+  return {
+    decodedWsps,
+    wspSources
+  };
+};
 function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
   async function verify() {
     const verifyOps = OpsVerifier(sp.originators, keys, issuer, validator);
     const opsVerified = await verifyOps();
     if (opsVerified instanceof OpsInvalid) {
       return new SiteProfileInvalid("Originator Profile Set invalid", {
-        originators: opsVerified
+        originators: opsVerified,
+        sites: []
       });
     }
     if (opsVerified instanceof OpsVerifyFailed) {
       return new SiteProfileVerifyFailed(
         "Originator Profile Set verify failed",
-        { originators: opsVerified }
+        { originators: opsVerified, sites: [] }
       );
     }
-    const decodeWsp = JwtVcDecoder();
-    const decodedWsp = decodeWsp(sp.credential);
-    if (decodedWsp instanceof Error) {
-      return new SiteProfileInvalid("Website Profile invalid", {
-        originators: opsVerified,
-        credential: decodedWsp
-      });
+    const decoded = decodeWebsiteProfiles(sp, opsVerified);
+    if (decoded instanceof SiteProfileInvalid) {
+      return decoded;
     }
-    const wspIssuer = decodedWsp.doc.issuer;
-    const cp = opsVerified.find(
-      (op) => op.core.doc.credentialSubject.id === wspIssuer
+    const { decodedWsps, wspSources } = decoded;
+    const verifiedWsps = await Promise.all(
+      decodedWsps.map(async (decodedWsp, index) => {
+        if (decodedWsp instanceof Error) {
+          return decodedWsp;
+        }
+        const wspIssuer = decodedWsp.doc.issuer;
+        const cp = opsVerified.find(
+          (op) => op.core.doc.credentialSubject.id === wspIssuer
+        );
+        if (!cp) {
+          return new CoreProfileNotFound(
+            `Missing Core Profile (${wspIssuer})`,
+            decodedWsp
+          );
+        }
+        const verifyWsp = JwtVcVerifier(
+          LocalKeys(cp.core.doc.credentialSubject.jwks),
+          cp.core.doc.credentialSubject.id,
+          validator?.(WebsiteProfile)
+        );
+        const verified = await verifyWsp(wspSources[index]);
+        if (verified instanceof Error) {
+          return verified;
+        }
+        if (verifyOrigin) {
+          const allowedOrigin = "allowedOrigin" in verified.doc.credentialSubject ? verified.doc.credentialSubject.allowedOrigin : verified.doc.credentialSubject.url;
+          if (!verifyAllowedOrigin(origin, allowedOrigin)) {
+            return new Error("Origin not allowed");
+          }
+        }
+        await verifyImageDigestSri(verified.doc.credentialSubject.image);
+        return verified;
+      })
     );
-    if (!cp) {
+    const hasCoreProfileNotFound = verifiedWsps.some(
+      (wsp) => wsp instanceof CoreProfileNotFound
+    );
+    if (hasCoreProfileNotFound) {
       return new SiteProfileInvalid("Appropriate Core Profile not found", {
         originators: opsVerified,
-        credential: new CoreProfileNotFound(
-          `Missing Core Profile (${wspIssuer})`,
-          decodedWsp
-        )
+        sites: verifiedWsps
       });
     }
-    const verifyWsp = JwtVcVerifier(
-      LocalKeys(cp.core.doc.credentialSubject.jwks),
-      cp.core.doc.credentialSubject.id,
-      validator?.(WebsiteProfile)
-    );
-    const credential = await verifyWsp(sp.credential);
-    if (credential instanceof Error) {
+    const hasError = verifiedWsps.some((wsp) => wsp instanceof Error);
+    if (hasError) {
       return new SiteProfileVerifyFailed("Website Profile verify failed", {
         originators: opsVerified,
-        credential
+        sites: verifiedWsps
       });
     }
-    if (verifyOrigin) {
-      const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
-      if (!verifyAllowedOrigin(origin, allowedOrigin)) {
-        return new SiteProfileVerifyFailed("Origin not allowed", {
-          originators: opsVerified,
-          credential
-        });
-      }
-    }
-    return { originators: opsVerified, credential };
+    return {
+      originators: opsVerified,
+      sites: verifiedWsps
+    };
   }
   return verify;
 }
 
-var objectTypeof = typeOf;
-function typeOf(obj) {
-  if (obj === null) {
-    return "null";
-  }
-  if (obj !== Object(obj)) {
-    return typeof obj;
-  }
-  var result = {}.toString.call(obj).slice(8, -1).toLowerCase();
-  return result.indexOf("function") > -1 ? "function" : result;
-}
-
-function CertificationSystemValidator() {
-  return function validate(payload) {
-    if (objectTypeof(payload) !== "object") {
-      return new CertificationSystemValidationFailed("should be an object", {
-        payload
-      });
-    }
-    const keys = Object.keys(payload);
-    const entries = Object.entries(payload);
-    if (!CertificationSystem.required.every((k) => keys.includes(k))) {
-      return new CertificationSystemValidationFailed(
-        "should be contain required properties",
-        { payload }
-      );
-    }
-    for (const entry of entries) {
-      const [key, value] = entry;
-      const propertySchema = CertificationSystem.properties[key];
-      if (objectTypeof(propertySchema) !== "object") {
-        return new CertificationSystemValidationFailed(
-          "should not contain additional properties",
-          { payload }
-        );
-      }
-      if ("const" in propertySchema && value !== propertySchema.const)
-        return new CertificationSystemValidationFailed(
-          `should be contain value of '${value}' in '${key}' property`,
-          { payload }
-        );
-      if ("type" in propertySchema && typeof value !== propertySchema.type)
-        return new CertificationSystemValidationFailed(
-          `should be contain ${propertySchema.type} value in '${key}' property`,
-          { payload }
-        );
-    }
-    return true;
-  };
-}
-function validateCertificationSystem(payload) {
-  const validator = CertificationSystemValidator();
-  const result = validator(payload);
-  if (result !== true) {
-    return result;
-  }
-  return payload;
-}
-
-export { CaInvalid, CaVerifier, CaVerifyFailed, CasVerifyFailed, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, OpInvalid, OpVerifyFailed, OpsInvalid, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, ProfileTokenVerifyFailed, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, SpVerifier, TargetIntegrityAlgorithm, VerifyResultFactory, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };
+export { CaInvalid, CaVerifier, CaVerifyFailed, CasVerifyFailed, CertificateExpired, CoreProfileNotFound, IntegrityFetchFailed, IntegrityVerificationFailed, OpInvalid, OpVerifyFailed, OpsInvalid, OpsVerifier, OpsVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, SpVerifier, TargetIntegrityAlgorithm, VerifyResultFactory, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyImageDigestSri, verifyIntegrity, wmp, wsp };