@originator-profile/verify 0.5.0-beta.1 → 0.5.0-beta.2

package/dist/index.cjs

@@ -4,6 +4,7 @@ var securingMechanism = require('@originator-profile/securing-mechanism');
 var sign = require('@originator-profile/sign');
 var cryptography = require('@originator-profile/cryptography');
 var model = require('@originator-profile/model');
+var zod = require('zod');
 
 class CaInvalid extends Error {
   constructor(message, result) {
@@ -300,12 +301,62 @@ async function createIntegrityMetadataSet(hashAlgorithms, data, options = {
   return new IntegrityMetadataSet(set, options);
 }
 
+const WARN_SUFFIX = `This will become an error after 2027. See: https://docs.originator-profile.org/en/opb/context/#the-image-datatype`;
 async function verifyDigestSri(content, fetcher = fetch) {
   const integrity = new IntegrityMetadataSet(content.digestSRI);
   const alg = integrity.strongestHashAlgorithms.filter(Boolean);
   if (alg.length === 0) return false;
-  const { digestSRI } = await sign.createDigestSri(alg[0], content, fetcher);
-  return integrity.match(digestSRI);
+  try {
+    const result = await sign.createDigestSri(alg[0], content, fetcher);
+    return "digestSRI" in result && integrity.match(result.digestSRI);
+  } catch (error) {
+    console.error(
+      "Failed to access content for digestSRI verification:",
+      error
+    );
+    return false;
+  }
+}
+async function verifyImageDigestSri(value, fetcher = fetch) {
+  if (!value) return;
+  if (!value.digestSRI) {
+    console.warn(`digestSRI is missing. ${WARN_SUFFIX}`);
+    return;
+  }
+  const valid = await verifyDigestSri(
+    { id: value.id, digestSRI: value.digestSRI },
+    fetcher
+  );
+  if (!valid) {
+    console.warn(`digestSRI verification failed. ${WARN_SUFFIX}`);
+  }
+}
+
+class IntegrityFetchFailed extends Error {
+  static get code() {
+    return "ERR_INTEGRITY_FETCH_FAILED";
+  }
+  code = IntegrityFetchFailed.code;
+  ok = false;
+  /** 取得結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class IntegrityVerificationFailed extends Error {
+  static get code() {
+    return "ERR_INTEGRITY_VERIFICATION_FAILED";
+  }
+  code = IntegrityVerificationFailed.code;
+  ok = false;
+  /** 取得結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
 }
 
 class IntegrityVerifier {
@@ -354,7 +405,14 @@ async function verifyIntegrity(content, doc = document, fetcher = fetch) {
     (content2) => contentFetcher(content2, fetcher),
     elementSelector
   );
-  return await integrityVerifier.verify(content, doc);
+  try {
+    return await integrityVerifier.verify(content, doc);
+  } catch (e) {
+    if (e instanceof sign.FetchFailed) {
+      return new IntegrityFetchFailed("Verify integrity failed", e.error);
+    }
+    return new IntegrityVerificationFailed("Verify integrity failed", e);
+  }
 }
 
 function verifyAllowedOrigin(origin, allowedOrigins) {
@@ -380,8 +438,13 @@ async function verifyAllowedUrl(url, allowedUrl) {
     if (!value) {
       return false;
     }
-    const pattern = new URLPattern(ReplaceEncode(value));
-    return pattern.test(ReplaceEncode(url));
+    try {
+      const pattern = new URLPattern(ReplaceEncode(value));
+      return pattern.test(ReplaceEncode(url));
+    } catch (e) {
+      console.error(`Invalid URLPattern: ${value} (url: ${url})`);
+    }
+    return false;
   });
 }
 
@@ -408,6 +471,32 @@ async function checkUrlAndOrigin(result, url) {
   }
   return result;
 }
+function checkIntegrityResults(integrityResults, urlResult) {
+  const fetchFailedResults = integrityResults.filter(
+    (r) => r.verifyResult instanceof Error && r.verifyResult.code === IntegrityFetchFailed.code
+  );
+  if (fetchFailedResults.length > 0) {
+    const failedIntegritiesMessage = fetchFailedResults.map((result) => {
+      return `target[${result.index}] Expected: ${result.expectedIntegrity}`;
+    }).join(", ");
+    return new CaVerifyFailed(
+      `Content Attestation Target integrity fetch failed for element(s): ${failedIntegritiesMessage}`,
+      urlResult
+    );
+  }
+  const verificationFailedResults = integrityResults.filter(
+    (r) => r.verifyResult instanceof Error && r.verifyResult.code === IntegrityVerificationFailed.code
+  );
+  if (verificationFailedResults.length > 0) {
+    const failedIntegritiesMessage = verificationFailedResults.map((result) => {
+      return `target[${result.index}] Expected: ${result.expectedIntegrity}`;
+    }).join(", ");
+    return new CaVerifyFailed(
+      `Content Attestation Target integrity verification failed for element(s): ${failedIntegritiesMessage}`,
+      urlResult
+    );
+  }
+}
 function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity, validator) {
   const verifyCa = securingMechanism.JwtVcVerifier(keys, issuer, validator);
   return async () => {
@@ -422,6 +511,9 @@ function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity,
     if (urlResult instanceof Error) {
       return urlResult;
     }
+    await verifyImageDigestSri(
+      urlResult.doc.credentialSubject.image
+    );
     if (urlResult.doc.target) {
       if (urlResult.doc.target.length === 0) {
         return new CaInvalid("Target is empty", urlResult);
@@ -433,12 +525,19 @@ function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity,
           expectedIntegrity: t.integrity
         }))
       );
-      const failedIndices = integrityResults.filter((result2) => !result2.verifyResult.valid).map((result2) => result2.index);
+      const error = checkIntegrityResults(integrityResults, urlResult);
+      if (error) {
+        return error;
+      }
+      const failedIndices = integrityResults.filter(
+        (result2) => !(result2.verifyResult instanceof Error) && !result2.verifyResult.valid
+      ).map((result2) => result2.index);
       if (failedIndices.length > 0) {
         const failedIntegritiesMessage = failedIndices.map((integrityResultIndex) => {
           const integrityResult = integrityResults[integrityResultIndex];
           if (integrityResult) {
-            const calculatedIntegrities = integrityResult.verifyResult.failedIntegrities.join();
+            const verifyResult = integrityResult.verifyResult;
+            const calculatedIntegrities = verifyResult.failedIntegrities.join();
             return `target[${integrityResultIndex}] Expected: ${integrityResult.expectedIntegrity}, Calculated: ${calculatedIntegrities}`;
           }
           return void 0;
@@ -514,91 +613,6 @@ async function verifyCas(cas, verifiedOps, url, verifyIntegrity, validator) {
   return resultCas;
 }
 
-class ProfileGenericError extends Error {
-  static get code() {
-    return "ERR_PROFILE_GENERIC";
-  }
-  code = ProfileGenericError.code;
-}
-class ProfileClaimsValidationFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
-  }
-  code = ProfileClaimsValidationFailed.code;
-  /** 復号結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfileTokenVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_TOKEN_VERIFY_FAILED";
-  }
-  code = ProfileTokenVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfileBodyExtractFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_BODY_EXTRACT_FAILED";
-  }
-  code = ProfileBodyExtractFailed.code;
-}
-class ProfileBodyVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_BODY_VERIFY_FAILED";
-  }
-  code = ProfileBodyVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfilesResolveFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILES_RESOLVE_FAILED";
-  }
-  code = ProfilesResolveFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfilesVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILES_VERIFY_FAILED";
-  }
-  code = ProfilesVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class CertificationSystemValidationFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
-  }
-  code = CertificationSystemValidationFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-
 var REMOVE = "remove";
 var REPLACE = "replace";
 var ADD = "add";
@@ -984,28 +998,38 @@ async function verifyAnnotations(paIssuerKeys, annotations, validator) {
       const verify = OpVerifier(
         paIssuerKeys,
         annotation,
-        validator?.({
-          oneOf: [model.Certificate, model.JapaneseExistenceCertificate]
-        })
+        validator?.(zod.z.union([model.Certificate, model.JapaneseExistenceCertificate]))
       );
       const result = await verify(annotation.source);
       if (result instanceof Error) {
         return result;
       }
-      return validateCertificateExpiry(result);
+      const valid = validateCertificateExpiry(result);
+      if (valid instanceof CertificateExpired) {
+        return valid;
+      }
+      await verifyImageDigestSri(
+        valid.doc.credentialSubject.image
+      );
+      return valid;
     })
   );
 }
 async function verifyMedia(wmpIssuerKeys, media, validator) {
   if (!media) return;
   return await Promise.all(
-    media.map((m) => {
+    media.map(async (m) => {
       const verify = OpVerifier(
         wmpIssuerKeys,
         m,
         validator?.(model.WebMediaProfile)
       );
-      return verify(m.source);
+      const result = await verify(m.source);
+      if (result instanceof Error) {
+        return result;
+      }
+      await verifyImageDigestSri(result.doc.credentialSubject.logo);
+      return result;
     })
   );
 }
@@ -1150,11 +1174,12 @@ function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
           return verified;
         }
         if (verifyOrigin) {
-          const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
+          const allowedOrigin = "allowedOrigin" in verified.doc.credentialSubject ? verified.doc.credentialSubject.allowedOrigin : verified.doc.credentialSubject.url;
           if (!verifyAllowedOrigin(origin, allowedOrigin)) {
             return new Error("Origin not allowed");
           }
         }
+        await verifyImageDigestSri(verified.doc.credentialSubject.image);
         return verified;
       })
     );
@@ -1182,85 +1207,19 @@ function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
   return verify;
 }
 
-var objectTypeof = typeOf;
-function typeOf(obj) {
-  if (obj === null) {
-    return "null";
-  }
-  if (obj !== Object(obj)) {
-    return typeof obj;
-  }
-  var result = {}.toString.call(obj).slice(8, -1).toLowerCase();
-  return result.indexOf("function") > -1 ? "function" : result;
-}
-
-function CertificationSystemValidator() {
-  return function validate(payload) {
-    if (objectTypeof(payload) !== "object") {
-      return new CertificationSystemValidationFailed("should be an object", {
-        payload
-      });
-    }
-    const keys = Object.keys(payload);
-    const entries = Object.entries(payload);
-    if (!model.CertificationSystem.required.every((k) => keys.includes(k))) {
-      return new CertificationSystemValidationFailed(
-        "should be contain required properties",
-        { payload }
-      );
-    }
-    for (const entry of entries) {
-      const [key, value] = entry;
-      const propertySchema = model.CertificationSystem.properties[key];
-      if (objectTypeof(propertySchema) !== "object") {
-        return new CertificationSystemValidationFailed(
-          "should not contain additional properties",
-          { payload }
-        );
-      }
-      if ("const" in propertySchema && value !== propertySchema.const)
-        return new CertificationSystemValidationFailed(
-          `should be contain value of '${value}' in '${key}' property`,
-          { payload }
-        );
-      if ("type" in propertySchema && typeof value !== propertySchema.type)
-        return new CertificationSystemValidationFailed(
-          `should be contain ${propertySchema.type} value in '${key}' property`,
-          { payload }
-        );
-    }
-    return true;
-  };
-}
-function validateCertificationSystem(payload) {
-  const validator = CertificationSystemValidator();
-  const result = validator(payload);
-  if (result !== true) {
-    return result;
-  }
-  return payload;
-}
-
 exports.CaInvalid = CaInvalid;
 exports.CaVerifier = CaVerifier;
 exports.CaVerifyFailed = CaVerifyFailed;
 exports.CasVerifyFailed = CasVerifyFailed;
 exports.CertificateExpired = CertificateExpired;
-exports.CertificationSystemValidationFailed = CertificationSystemValidationFailed;
-exports.CertificationSystemValidator = CertificationSystemValidator;
 exports.CoreProfileNotFound = CoreProfileNotFound;
+exports.IntegrityFetchFailed = IntegrityFetchFailed;
+exports.IntegrityVerificationFailed = IntegrityVerificationFailed;
 exports.OpInvalid = OpInvalid;
 exports.OpVerifyFailed = OpVerifyFailed;
 exports.OpsInvalid = OpsInvalid;
 exports.OpsVerifier = OpsVerifier;
 exports.OpsVerifyFailed = OpsVerifyFailed;
-exports.ProfileBodyExtractFailed = ProfileBodyExtractFailed;
-exports.ProfileBodyVerifyFailed = ProfileBodyVerifyFailed;
-exports.ProfileClaimsValidationFailed = ProfileClaimsValidationFailed;
-exports.ProfileGenericError = ProfileGenericError;
-exports.ProfileTokenVerifyFailed = ProfileTokenVerifyFailed;
-exports.ProfilesResolveFailed = ProfilesResolveFailed;
-exports.ProfilesVerifyFailed = ProfilesVerifyFailed;
 exports.SiteProfileInvalid = SiteProfileInvalid;
 exports.SiteProfileVerifyFailed = SiteProfileVerifyFailed;
 exports.SpVerifier = SpVerifier;
@@ -1277,10 +1236,10 @@ exports.getTupledKeys = getTupledKeys;
 exports.normalizeCasItem = normalizeCasItem;
 exports.opId = opId;
 exports.patch = patch;
-exports.validateCertificationSystem = validateCertificationSystem;
 exports.verifyAllowedOrigin = verifyAllowedOrigin;
 exports.verifyCas = verifyCas;
 exports.verifyDigestSri = verifyDigestSri;
+exports.verifyImageDigestSri = verifyImageDigestSri;
 exports.verifyIntegrity = verifyIntegrity;
 exports.wmp = wmp;
 exports.wsp = wsp;

package/dist/index.d.cts

@@ -1,10 +1,7 @@
-import { ContentAttestation, Target, ContentAttestationSet, JwtOpPayload, JwtDpPayload, Op, Dp, OpVc, Jwk, CoreProfile, Certificate as Certificate$1, WebMediaProfile, WebsiteProfile, ArticleCA, JapaneseExistenceCertificate, OriginatorProfileSet, Jwks, SiteProfile, CertificationSystem, AllowedOrigin } from '@originator-profile/model';
+import { ContentAttestation, Image, Target, ContentAttestationSet, OpVc, Jwk, CoreProfile, Certificate as Certificate$1, WebMediaProfile, WebsiteProfile, ArticleCA, JapaneseExistenceCertificate, OriginatorProfileSet, Jwks, SiteProfile, AllowedOrigin } from '@originator-profile/model';
 import { JwtVcDecodingResult, JwtVcVerificationResult, UnverifiedJwtVc, VerifiedJwtVc, VcValidator } from '@originator-profile/securing-mechanism';
 import { Keys } from '@originator-profile/cryptography';
-import { DigestSriContent, ContentFetcher, ElementSelector } from '@originator-profile/sign';
-import { ErrorObject } from 'ajv';
-import { JWTVerifyResult, ResolvedKey, JWTPayload } from 'jose';
-import { JOSEError } from 'jose/errors';
+import { DigestSriResult, ContentFetcher, ElementSelector } from '@originator-profile/sign';
 
 /** Content Attestation 復号失敗 */
 type CaDecodingFailure = JwtVcDecodingResult<ContentAttestation>;
@@ -47,7 +44,7 @@ declare class CaVerifyFailed extends Error {
  * @see {@link https://www.w3.org/TR/SRI/#the-integrity-attribute}
  * @example
  * ```ts
- * const content: DigestSriContent = {
+ * const content = {
  *   id: "<URL>",
  *   digestSRI: "sha256-...",
  * };
@@ -55,12 +52,36 @@ declare class CaVerifyFailed extends Error {
  * await verifyDigestSri(content); // true or false
  * ```
  */
-declare function verifyDigestSri(content: DigestSriContent, fetcher?: typeof fetch): Promise<boolean>;
+declare function verifyDigestSri(content: DigestSriResult, fetcher?: typeof fetch): Promise<boolean>;
+/**
+ * Image の digestSRI を検証する。
+ * 後方互換性の観点で、2027年までは検証失敗時に console.warn のみで処理を中断しない。
+ */
+declare function verifyImageDigestSri(value: Image | undefined, fetcher?: typeof fetch): Promise<void>;
+
+declare class IntegrityFetchFailed extends Error {
+    static get code(): "ERR_INTEGRITY_FETCH_FAILED";
+    readonly code: "ERR_INTEGRITY_FETCH_FAILED";
+    readonly ok = false;
+    /** 取得結果 */
+    result?: Error;
+    constructor(message: string, result: IntegrityFetchFailed["result"]);
+}
+declare class IntegrityVerificationFailed extends Error {
+    static get code(): "ERR_INTEGRITY_VERIFICATION_FAILED";
+    readonly code: "ERR_INTEGRITY_VERIFICATION_FAILED";
+    readonly ok = false;
+    /** 取得結果 */
+    result?: unknown;
+    constructor(message: string, result: IntegrityVerificationFailed["result"]);
+}
 
 type IntegrityVerifyResult = {
     valid: boolean;
     failedIntegrities: ReadonlyArray<string>;
 };
+type FetchIntegrityResult = IntegrityVerifyResult | IntegrityFetchFailed | IntegrityVerificationFailed;
+
 /** Target Integrity のコンテンツ取得・要素位置特定アルゴリズム */
 declare const TargetIntegrityAlgorithm: {
     HtmlTargetIntegrity: {
@@ -94,7 +115,7 @@ declare const TargetIntegrityAlgorithm: {
  * await verifyIntegrity(content); // true or false
  * ```
  */
-declare function verifyIntegrity(content: Target, doc?: Document, fetcher?: typeof fetch): Promise<IntegrityVerifyResult>;
+declare function verifyIntegrity(content: Target, doc?: Document, fetcher?: typeof fetch): Promise<FetchIntegrityResult>;
 type VerifyIntegrity = typeof verifyIntegrity;
 
 /**
@@ -171,116 +192,6 @@ declare function normalizeCasItem<Ca>(ca: Ca | CasItem<Ca>): CasItem<Ca>;
  */
 declare function verifyCas<T extends ContentAttestation = ContentAttestation>(cas: ContentAttestationSet, verifiedOps: VerifiedOps, url: string, verifyIntegrity: VerifyIntegrity, validator?: typeof VcValidator): Promise<CasVerificationResult<T>>;
 
-interface ProfilePair {
-    op: {
-        iss: string;
-        sub: string;
-        profile: string;
-    };
-    dp: {
-        sub: string;
-        profile: string;
-    };
-}
-interface WebsiteProfilePair {
-    "@context": string;
-    website: ProfilePair;
-}
-interface AdProfilePair {
-    "@context": string;
-    ad: ProfilePair;
-}
-/** Profile の Token の復号結果 */
-type DecodeResult = {
-    op: true;
-    payload: JwtOpPayload;
-    jwt: string;
-} | {
-    dp: true;
-    payload: JwtDpPayload;
-    jwt: string;
-} | ProfileClaimsValidationFailed;
-/** Profile の Token の検証結果 */
-type VerifyTokenResult = (JWTVerifyResult & ResolvedKey & ({
-    op: Op;
-    jwt: string;
-} | {
-    dp: Dp;
-    jwt: string;
-})) | ProfileClaimsValidationFailed | ProfileTokenVerifyFailed;
-/** Profile Set */
-type Profiles = {
-    profile: string[];
-    ad?: ProfilePair[];
-};
-/** Profile の検証結果 */
-type VerifyResult = VerifyTokenResult | ProfilesResolveFailed | ProfilesVerifyFailed;
-/** Profile Set の検証結果 */
-type VerifyResults = VerifyResult[];
-
-declare class ProfileGenericError extends Error {
-    static get code(): string;
-    readonly code: string;
-}
-declare class ProfileClaimsValidationFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
-    readonly code: "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
-    /** 復号結果 */
-    result: {
-        error?: JOSEError;
-        errors?: ErrorObject[];
-        payload?: JWTPayload;
-        jwt: string;
-    };
-    constructor(message: string, result: ProfileClaimsValidationFailed["result"]);
-}
-declare class ProfileTokenVerifyFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILE_TOKEN_VERIFY_FAILED";
-    readonly code: "ERR_PROFILE_TOKEN_VERIFY_FAILED";
-    /** 検証結果 */
-    result: Exclude<DecodeResult, ProfileGenericError> & {
-        error?: JOSEError;
-    };
-    constructor(message: string, result: ProfileTokenVerifyFailed["result"]);
-}
-declare class ProfileBodyExtractFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILE_BODY_EXTRACT_FAILED";
-    readonly code: "ERR_PROFILE_BODY_EXTRACT_FAILED";
-}
-declare class ProfileBodyVerifyFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILE_BODY_VERIFY_FAILED";
-    readonly code: "ERR_PROFILE_BODY_VERIFY_FAILED";
-    /** 検証結果 */
-    result: {
-        error?: JOSEError;
-        body: string;
-    };
-    constructor(message: string, result: ProfileBodyVerifyFailed["result"]);
-}
-declare class ProfilesResolveFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILES_RESOLVE_FAILED";
-    readonly code: "ERR_PROFILES_RESOLVE_FAILED";
-    /** 検証結果 */
-    result: Exclude<DecodeResult, ProfileGenericError>;
-    constructor(message: string, result: ProfilesResolveFailed["result"]);
-}
-declare class ProfilesVerifyFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILES_VERIFY_FAILED";
-    readonly code: "ERR_PROFILES_VERIFY_FAILED";
-    /** 検証結果 */
-    result: Exclude<DecodeResult | VerifyTokenResult, ProfileGenericError>;
-    constructor(message: string, result: ProfilesVerifyFailed["result"]);
-}
-declare class CertificationSystemValidationFailed extends ProfileGenericError {
-    static get code(): "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
-    readonly code: "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
-    /** 検証結果 */
-    result: {
-        payload?: unknown;
-    };
-    constructor(message: string, result: CertificationSystemValidationFailed["result"]);
-}
-
 // Definitions by: Eddie Atkinson <https://github.com/eddie-atkinson>
 
 type Operation = "add" | "replace" | "remove" | "move";
@@ -548,16 +459,6 @@ type SpVerificationResult = VerifiedSp | SiteProfileInvalid | SiteProfileVerifyF
  */
 declare function SpVerifier(sp: SiteProfile, keys: Keys, issuer: string | string[], origin: URL["origin"], verifyOrigin?: boolean, validator?: typeof VcValidator): () => Promise<SpVerificationResult>;
 
-/** 認証制度ペイロードの確認のためのバリデーター */
-declare function CertificationSystemValidator(): (payload: unknown) => true | CertificationSystemValidationFailed;
-type CertificationSystemValidator = ReturnType<typeof CertificationSystemValidator>;
-/**
- * 認証制度の検証
- * @param payload ペイロード
- * @return 検証結果
- */
-declare function validateCertificationSystem(payload: unknown): CertificationSystem | CertificationSystemValidationFailed;
-
 /**
  * URLオリジンが対象のオリジンの中に含まれているのか検証する
  * @param origin 対象とするオリジン
@@ -566,4 +467,4 @@ declare function validateCertificationSystem(payload: unknown): CertificationSys
  */
 declare function verifyAllowedOrigin(origin: URL["origin"], allowedOrigins: AllowedOrigin): boolean;
 
-export { type AdProfilePair, type CaDecodingFailure, type CaDecodingResult, CaInvalid, type CaVerificationFailure, type CaVerificationResult, CaVerifier, CaVerifyFailed, type CasItem, type CasVerificationFailure, type CasVerificationResult, CasVerifyFailed, type Certificate, CertificateExpired, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, type DecodeResult, type DecodedCa, type DecodedOp, type DecodedOps, type IntegrityVerifyResult, type MappedKeys, type OpDecodingFailure, type OpDecodingResult, OpInvalid, type OpVerificationFailure, type OpVerificationResult, OpVerifyFailed, type OpsDecodingFailure, type OpsDecodingResult, OpsInvalid, type OpsVerificationFailure, type OpsVerificationResult, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, type ProfilePair, ProfileTokenVerifyFailed, type Profiles, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, type SpVerificationFailure, type SpVerificationResult, SpVerifier, TargetIntegrityAlgorithm, type TupledKeys, type VerifiedCa, type VerifiedCas, type VerifiedOp, type VerifiedOps, type VerifiedSp, type VerifyIntegrity, type VerifyResult, VerifyResultFactory, type VerifyResults, type VerifyTokenResult, type WebsiteProfilePair, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };
+export { type CaDecodingFailure, type CaDecodingResult, CaInvalid, type CaVerificationFailure, type CaVerificationResult, CaVerifier, CaVerifyFailed, type CasItem, type CasVerificationFailure, type CasVerificationResult, CasVerifyFailed, type Certificate, CertificateExpired, CoreProfileNotFound, type DecodedCa, type DecodedOp, type DecodedOps, type FetchIntegrityResult, IntegrityFetchFailed, IntegrityVerificationFailed, type IntegrityVerifyResult, type MappedKeys, type OpDecodingFailure, type OpDecodingResult, OpInvalid, type OpVerificationFailure, type OpVerificationResult, OpVerifyFailed, type OpsDecodingFailure, type OpsDecodingResult, OpsInvalid, type OpsVerificationFailure, type OpsVerificationResult, OpsVerifier, OpsVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, type SpVerificationFailure, type SpVerificationResult, SpVerifier, TargetIntegrityAlgorithm, type TupledKeys, type VerifiedCa, type VerifiedCas, type VerifiedOp, type VerifiedOps, type VerifiedSp, type VerifyIntegrity, VerifyResultFactory, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyImageDigestSri, verifyIntegrity, wmp, wsp };

package/dist/index.d.mts

@@ -1,10 +1,7 @@
-import { ContentAttestation, Target, ContentAttestationSet, JwtOpPayload, JwtDpPayload, Op, Dp, OpVc, Jwk, CoreProfile, Certificate as Certificate$1, WebMediaProfile, WebsiteProfile, ArticleCA, JapaneseExistenceCertificate, OriginatorProfileSet, Jwks, SiteProfile, CertificationSystem, AllowedOrigin } from '@originator-profile/model';
+import { ContentAttestation, Image, Target, ContentAttestationSet, OpVc, Jwk, CoreProfile, Certificate as Certificate$1, WebMediaProfile, WebsiteProfile, ArticleCA, JapaneseExistenceCertificate, OriginatorProfileSet, Jwks, SiteProfile, AllowedOrigin } from '@originator-profile/model';
 import { JwtVcDecodingResult, JwtVcVerificationResult, UnverifiedJwtVc, VerifiedJwtVc, VcValidator } from '@originator-profile/securing-mechanism';
 import { Keys } from '@originator-profile/cryptography';
-import { DigestSriContent, ContentFetcher, ElementSelector } from '@originator-profile/sign';
-import { ErrorObject } from 'ajv';
-import { JWTVerifyResult, ResolvedKey, JWTPayload } from 'jose';
-import { JOSEError } from 'jose/errors';
+import { DigestSriResult, ContentFetcher, ElementSelector } from '@originator-profile/sign';
 
 /** Content Attestation 復号失敗 */
 type CaDecodingFailure = JwtVcDecodingResult<ContentAttestation>;
@@ -47,7 +44,7 @@ declare class CaVerifyFailed extends Error {
  * @see {@link https://www.w3.org/TR/SRI/#the-integrity-attribute}
  * @example
  * ```ts
- * const content: DigestSriContent = {
+ * const content = {
  *   id: "<URL>",
  *   digestSRI: "sha256-...",
  * };
@@ -55,12 +52,36 @@ declare class CaVerifyFailed extends Error {
  * await verifyDigestSri(content); // true or false
  * ```
  */
-declare function verifyDigestSri(content: DigestSriContent, fetcher?: typeof fetch): Promise<boolean>;
+declare function verifyDigestSri(content: DigestSriResult, fetcher?: typeof fetch): Promise<boolean>;
+/**
+ * Image の digestSRI を検証する。
+ * 後方互換性の観点で、2027年までは検証失敗時に console.warn のみで処理を中断しない。
+ */
+declare function verifyImageDigestSri(value: Image | undefined, fetcher?: typeof fetch): Promise<void>;
+
+declare class IntegrityFetchFailed extends Error {
+    static get code(): "ERR_INTEGRITY_FETCH_FAILED";
+    readonly code: "ERR_INTEGRITY_FETCH_FAILED";
+    readonly ok = false;
+    /** 取得結果 */
+    result?: Error;
+    constructor(message: string, result: IntegrityFetchFailed["result"]);
+}
+declare class IntegrityVerificationFailed extends Error {
+    static get code(): "ERR_INTEGRITY_VERIFICATION_FAILED";
+    readonly code: "ERR_INTEGRITY_VERIFICATION_FAILED";
+    readonly ok = false;
+    /** 取得結果 */
+    result?: unknown;
+    constructor(message: string, result: IntegrityVerificationFailed["result"]);
+}
 
 type IntegrityVerifyResult = {
     valid: boolean;
     failedIntegrities: ReadonlyArray<string>;
 };
+type FetchIntegrityResult = IntegrityVerifyResult | IntegrityFetchFailed | IntegrityVerificationFailed;
+
 /** Target Integrity のコンテンツ取得・要素位置特定アルゴリズム */
 declare const TargetIntegrityAlgorithm: {
     HtmlTargetIntegrity: {
@@ -94,7 +115,7 @@ declare const TargetIntegrityAlgorithm: {
  * await verifyIntegrity(content); // true or false
  * ```
  */
-declare function verifyIntegrity(content: Target, doc?: Document, fetcher?: typeof fetch): Promise<IntegrityVerifyResult>;
+declare function verifyIntegrity(content: Target, doc?: Document, fetcher?: typeof fetch): Promise<FetchIntegrityResult>;
 type VerifyIntegrity = typeof verifyIntegrity;
 
 /**
@@ -171,116 +192,6 @@ declare function normalizeCasItem<Ca>(ca: Ca | CasItem<Ca>): CasItem<Ca>;
  */
 declare function verifyCas<T extends ContentAttestation = ContentAttestation>(cas: ContentAttestationSet, verifiedOps: VerifiedOps, url: string, verifyIntegrity: VerifyIntegrity, validator?: typeof VcValidator): Promise<CasVerificationResult<T>>;
 
-interface ProfilePair {
-    op: {
-        iss: string;
-        sub: string;
-        profile: string;
-    };
-    dp: {
-        sub: string;
-        profile: string;
-    };
-}
-interface WebsiteProfilePair {
-    "@context": string;
-    website: ProfilePair;
-}
-interface AdProfilePair {
-    "@context": string;
-    ad: ProfilePair;
-}
-/** Profile の Token の復号結果 */
-type DecodeResult = {
-    op: true;
-    payload: JwtOpPayload;
-    jwt: string;
-} | {
-    dp: true;
-    payload: JwtDpPayload;
-    jwt: string;
-} | ProfileClaimsValidationFailed;
-/** Profile の Token の検証結果 */
-type VerifyTokenResult = (JWTVerifyResult & ResolvedKey & ({
-    op: Op;
-    jwt: string;
-} | {
-    dp: Dp;
-    jwt: string;
-})) | ProfileClaimsValidationFailed | ProfileTokenVerifyFailed;
-/** Profile Set */
-type Profiles = {
-    profile: string[];
-    ad?: ProfilePair[];
-};
-/** Profile の検証結果 */
-type VerifyResult = VerifyTokenResult | ProfilesResolveFailed | ProfilesVerifyFailed;
-/** Profile Set の検証結果 */
-type VerifyResults = VerifyResult[];
-
-declare class ProfileGenericError extends Error {
-    static get code(): string;
-    readonly code: string;
-}
-declare class ProfileClaimsValidationFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
-    readonly code: "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
-    /** 復号結果 */
-    result: {
-        error?: JOSEError;
-        errors?: ErrorObject[];
-        payload?: JWTPayload;
-        jwt: string;
-    };
-    constructor(message: string, result: ProfileClaimsValidationFailed["result"]);
-}
-declare class ProfileTokenVerifyFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILE_TOKEN_VERIFY_FAILED";
-    readonly code: "ERR_PROFILE_TOKEN_VERIFY_FAILED";
-    /** 検証結果 */
-    result: Exclude<DecodeResult, ProfileGenericError> & {
-        error?: JOSEError;
-    };
-    constructor(message: string, result: ProfileTokenVerifyFailed["result"]);
-}
-declare class ProfileBodyExtractFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILE_BODY_EXTRACT_FAILED";
-    readonly code: "ERR_PROFILE_BODY_EXTRACT_FAILED";
-}
-declare class ProfileBodyVerifyFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILE_BODY_VERIFY_FAILED";
-    readonly code: "ERR_PROFILE_BODY_VERIFY_FAILED";
-    /** 検証結果 */
-    result: {
-        error?: JOSEError;
-        body: string;
-    };
-    constructor(message: string, result: ProfileBodyVerifyFailed["result"]);
-}
-declare class ProfilesResolveFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILES_RESOLVE_FAILED";
-    readonly code: "ERR_PROFILES_RESOLVE_FAILED";
-    /** 検証結果 */
-    result: Exclude<DecodeResult, ProfileGenericError>;
-    constructor(message: string, result: ProfilesResolveFailed["result"]);
-}
-declare class ProfilesVerifyFailed extends ProfileGenericError {
-    static get code(): "ERR_PROFILES_VERIFY_FAILED";
-    readonly code: "ERR_PROFILES_VERIFY_FAILED";
-    /** 検証結果 */
-    result: Exclude<DecodeResult | VerifyTokenResult, ProfileGenericError>;
-    constructor(message: string, result: ProfilesVerifyFailed["result"]);
-}
-declare class CertificationSystemValidationFailed extends ProfileGenericError {
-    static get code(): "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
-    readonly code: "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
-    /** 検証結果 */
-    result: {
-        payload?: unknown;
-    };
-    constructor(message: string, result: CertificationSystemValidationFailed["result"]);
-}
-
 // Definitions by: Eddie Atkinson <https://github.com/eddie-atkinson>
 
 type Operation = "add" | "replace" | "remove" | "move";
@@ -548,16 +459,6 @@ type SpVerificationResult = VerifiedSp | SiteProfileInvalid | SiteProfileVerifyF
  */
 declare function SpVerifier(sp: SiteProfile, keys: Keys, issuer: string | string[], origin: URL["origin"], verifyOrigin?: boolean, validator?: typeof VcValidator): () => Promise<SpVerificationResult>;
 
-/** 認証制度ペイロードの確認のためのバリデーター */
-declare function CertificationSystemValidator(): (payload: unknown) => true | CertificationSystemValidationFailed;
-type CertificationSystemValidator = ReturnType<typeof CertificationSystemValidator>;
-/**
- * 認証制度の検証
- * @param payload ペイロード
- * @return 検証結果
- */
-declare function validateCertificationSystem(payload: unknown): CertificationSystem | CertificationSystemValidationFailed;
-
 /**
  * URLオリジンが対象のオリジンの中に含まれているのか検証する
  * @param origin 対象とするオリジン
@@ -566,4 +467,4 @@ declare function validateCertificationSystem(payload: unknown): CertificationSys
  */
 declare function verifyAllowedOrigin(origin: URL["origin"], allowedOrigins: AllowedOrigin): boolean;
 
-export { type AdProfilePair, type CaDecodingFailure, type CaDecodingResult, CaInvalid, type CaVerificationFailure, type CaVerificationResult, CaVerifier, CaVerifyFailed, type CasItem, type CasVerificationFailure, type CasVerificationResult, CasVerifyFailed, type Certificate, CertificateExpired, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, type DecodeResult, type DecodedCa, type DecodedOp, type DecodedOps, type IntegrityVerifyResult, type MappedKeys, type OpDecodingFailure, type OpDecodingResult, OpInvalid, type OpVerificationFailure, type OpVerificationResult, OpVerifyFailed, type OpsDecodingFailure, type OpsDecodingResult, OpsInvalid, type OpsVerificationFailure, type OpsVerificationResult, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, type ProfilePair, ProfileTokenVerifyFailed, type Profiles, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, type SpVerificationFailure, type SpVerificationResult, SpVerifier, TargetIntegrityAlgorithm, type TupledKeys, type VerifiedCa, type VerifiedCas, type VerifiedOp, type VerifiedOps, type VerifiedSp, type VerifyIntegrity, type VerifyResult, VerifyResultFactory, type VerifyResults, type VerifyTokenResult, type WebsiteProfilePair, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };
+export { type CaDecodingFailure, type CaDecodingResult, CaInvalid, type CaVerificationFailure, type CaVerificationResult, CaVerifier, CaVerifyFailed, type CasItem, type CasVerificationFailure, type CasVerificationResult, CasVerifyFailed, type Certificate, CertificateExpired, CoreProfileNotFound, type DecodedCa, type DecodedOp, type DecodedOps, type FetchIntegrityResult, IntegrityFetchFailed, IntegrityVerificationFailed, type IntegrityVerifyResult, type MappedKeys, type OpDecodingFailure, type OpDecodingResult, OpInvalid, type OpVerificationFailure, type OpVerificationResult, OpVerifyFailed, type OpsDecodingFailure, type OpsDecodingResult, OpsInvalid, type OpsVerificationFailure, type OpsVerificationResult, OpsVerifier, OpsVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, type SpVerificationFailure, type SpVerificationResult, SpVerifier, TargetIntegrityAlgorithm, type TupledKeys, type VerifiedCa, type VerifiedCas, type VerifiedOp, type VerifiedOps, type VerifiedSp, type VerifyIntegrity, VerifyResultFactory, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyImageDigestSri, verifyIntegrity, wmp, wsp };

package/dist/index.mjs

@@ -1,7 +1,8 @@
 import { JwtVcVerifier, VcValidateFailed, VcVerifyFailed, JwtVcDecoder } from '@originator-profile/securing-mechanism';
-import { createDigestSri, selectByIntegrity, fetchExternalResource, selectByCss, fetchVisibleTextContent, fetchTextContent, fetchHtmlContent } from '@originator-profile/sign';
+import { createDigestSri, selectByIntegrity, fetchExternalResource, selectByCss, fetchVisibleTextContent, fetchTextContent, fetchHtmlContent, FetchFailed } from '@originator-profile/sign';
 import { LocalKeys } from '@originator-profile/cryptography';
-import { ContentAttestation, CoreProfile, Certificate, JapaneseExistenceCertificate, WebMediaProfile, WebsiteProfile, CertificationSystem } from '@originator-profile/model';
+import { ContentAttestation, CoreProfile, Certificate, JapaneseExistenceCertificate, WebMediaProfile, WebsiteProfile } from '@originator-profile/model';
+import { z } from 'zod';
 
 class CaInvalid extends Error {
   constructor(message, result) {
@@ -298,12 +299,62 @@ async function createIntegrityMetadataSet(hashAlgorithms, data, options = {
   return new IntegrityMetadataSet(set, options);
 }
 
+const WARN_SUFFIX = `This will become an error after 2027. See: https://docs.originator-profile.org/en/opb/context/#the-image-datatype`;
 async function verifyDigestSri(content, fetcher = fetch) {
   const integrity = new IntegrityMetadataSet(content.digestSRI);
   const alg = integrity.strongestHashAlgorithms.filter(Boolean);
   if (alg.length === 0) return false;
-  const { digestSRI } = await createDigestSri(alg[0], content, fetcher);
-  return integrity.match(digestSRI);
+  try {
+    const result = await createDigestSri(alg[0], content, fetcher);
+    return "digestSRI" in result && integrity.match(result.digestSRI);
+  } catch (error) {
+    console.error(
+      "Failed to access content for digestSRI verification:",
+      error
+    );
+    return false;
+  }
+}
+async function verifyImageDigestSri(value, fetcher = fetch) {
+  if (!value) return;
+  if (!value.digestSRI) {
+    console.warn(`digestSRI is missing. ${WARN_SUFFIX}`);
+    return;
+  }
+  const valid = await verifyDigestSri(
+    { id: value.id, digestSRI: value.digestSRI },
+    fetcher
+  );
+  if (!valid) {
+    console.warn(`digestSRI verification failed. ${WARN_SUFFIX}`);
+  }
+}
+
+class IntegrityFetchFailed extends Error {
+  static get code() {
+    return "ERR_INTEGRITY_FETCH_FAILED";
+  }
+  code = IntegrityFetchFailed.code;
+  ok = false;
+  /** 取得結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
+}
+class IntegrityVerificationFailed extends Error {
+  static get code() {
+    return "ERR_INTEGRITY_VERIFICATION_FAILED";
+  }
+  code = IntegrityVerificationFailed.code;
+  ok = false;
+  /** 取得結果 */
+  result;
+  constructor(message, result) {
+    super(message);
+    this.result = result;
+  }
 }
 
 class IntegrityVerifier {
@@ -352,7 +403,14 @@ async function verifyIntegrity(content, doc = document, fetcher = fetch) {
     (content2) => contentFetcher(content2, fetcher),
     elementSelector
   );
-  return await integrityVerifier.verify(content, doc);
+  try {
+    return await integrityVerifier.verify(content, doc);
+  } catch (e) {
+    if (e instanceof FetchFailed) {
+      return new IntegrityFetchFailed("Verify integrity failed", e.error);
+    }
+    return new IntegrityVerificationFailed("Verify integrity failed", e);
+  }
 }
 
 function verifyAllowedOrigin(origin, allowedOrigins) {
@@ -378,8 +436,13 @@ async function verifyAllowedUrl(url, allowedUrl) {
     if (!value) {
       return false;
     }
-    const pattern = new URLPattern(ReplaceEncode(value));
-    return pattern.test(ReplaceEncode(url));
+    try {
+      const pattern = new URLPattern(ReplaceEncode(value));
+      return pattern.test(ReplaceEncode(url));
+    } catch (e) {
+      console.error(`Invalid URLPattern: ${value} (url: ${url})`);
+    }
+    return false;
   });
 }
 
@@ -406,6 +469,32 @@ async function checkUrlAndOrigin(result, url) {
   }
   return result;
 }
+function checkIntegrityResults(integrityResults, urlResult) {
+  const fetchFailedResults = integrityResults.filter(
+    (r) => r.verifyResult instanceof Error && r.verifyResult.code === IntegrityFetchFailed.code
+  );
+  if (fetchFailedResults.length > 0) {
+    const failedIntegritiesMessage = fetchFailedResults.map((result) => {
+      return `target[${result.index}] Expected: ${result.expectedIntegrity}`;
+    }).join(", ");
+    return new CaVerifyFailed(
+      `Content Attestation Target integrity fetch failed for element(s): ${failedIntegritiesMessage}`,
+      urlResult
+    );
+  }
+  const verificationFailedResults = integrityResults.filter(
+    (r) => r.verifyResult instanceof Error && r.verifyResult.code === IntegrityVerificationFailed.code
+  );
+  if (verificationFailedResults.length > 0) {
+    const failedIntegritiesMessage = verificationFailedResults.map((result) => {
+      return `target[${result.index}] Expected: ${result.expectedIntegrity}`;
+    }).join(", ");
+    return new CaVerifyFailed(
+      `Content Attestation Target integrity verification failed for element(s): ${failedIntegritiesMessage}`,
+      urlResult
+    );
+  }
+}
 function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity, validator) {
   const verifyCa = JwtVcVerifier(keys, issuer, validator);
   return async () => {
@@ -420,6 +509,9 @@ function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity,
     if (urlResult instanceof Error) {
       return urlResult;
     }
+    await verifyImageDigestSri(
+      urlResult.doc.credentialSubject.image
+    );
     if (urlResult.doc.target) {
       if (urlResult.doc.target.length === 0) {
         return new CaInvalid("Target is empty", urlResult);
@@ -431,12 +523,19 @@ function CaVerifier(ca, keys, issuer, url, verifyIntegrity$1 = verifyIntegrity,
           expectedIntegrity: t.integrity
         }))
       );
-      const failedIndices = integrityResults.filter((result2) => !result2.verifyResult.valid).map((result2) => result2.index);
+      const error = checkIntegrityResults(integrityResults, urlResult);
+      if (error) {
+        return error;
+      }
+      const failedIndices = integrityResults.filter(
+        (result2) => !(result2.verifyResult instanceof Error) && !result2.verifyResult.valid
+      ).map((result2) => result2.index);
       if (failedIndices.length > 0) {
         const failedIntegritiesMessage = failedIndices.map((integrityResultIndex) => {
           const integrityResult = integrityResults[integrityResultIndex];
           if (integrityResult) {
-            const calculatedIntegrities = integrityResult.verifyResult.failedIntegrities.join();
+            const verifyResult = integrityResult.verifyResult;
+            const calculatedIntegrities = verifyResult.failedIntegrities.join();
             return `target[${integrityResultIndex}] Expected: ${integrityResult.expectedIntegrity}, Calculated: ${calculatedIntegrities}`;
           }
           return void 0;
@@ -512,91 +611,6 @@ async function verifyCas(cas, verifiedOps, url, verifyIntegrity, validator) {
   return resultCas;
 }
 
-class ProfileGenericError extends Error {
-  static get code() {
-    return "ERR_PROFILE_GENERIC";
-  }
-  code = ProfileGenericError.code;
-}
-class ProfileClaimsValidationFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_CLAIMS_VALIDATION_FAILED";
-  }
-  code = ProfileClaimsValidationFailed.code;
-  /** 復号結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfileTokenVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_TOKEN_VERIFY_FAILED";
-  }
-  code = ProfileTokenVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfileBodyExtractFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_BODY_EXTRACT_FAILED";
-  }
-  code = ProfileBodyExtractFailed.code;
-}
-class ProfileBodyVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILE_BODY_VERIFY_FAILED";
-  }
-  code = ProfileBodyVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfilesResolveFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILES_RESOLVE_FAILED";
-  }
-  code = ProfilesResolveFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class ProfilesVerifyFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_PROFILES_VERIFY_FAILED";
-  }
-  code = ProfilesVerifyFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-class CertificationSystemValidationFailed extends ProfileGenericError {
-  static get code() {
-    return "ERR_CERTIFICATION_SYSTEM_VALIDATION_FAILED";
-  }
-  code = CertificationSystemValidationFailed.code;
-  /** 検証結果 */
-  result;
-  constructor(message, result) {
-    super(message);
-    this.result = result;
-  }
-}
-
 var REMOVE = "remove";
 var REPLACE = "replace";
 var ADD = "add";
@@ -982,28 +996,38 @@ async function verifyAnnotations(paIssuerKeys, annotations, validator) {
       const verify = OpVerifier(
         paIssuerKeys,
         annotation,
-        validator?.({
-          oneOf: [Certificate, JapaneseExistenceCertificate]
-        })
+        validator?.(z.union([Certificate, JapaneseExistenceCertificate]))
       );
       const result = await verify(annotation.source);
       if (result instanceof Error) {
         return result;
       }
-      return validateCertificateExpiry(result);
+      const valid = validateCertificateExpiry(result);
+      if (valid instanceof CertificateExpired) {
+        return valid;
+      }
+      await verifyImageDigestSri(
+        valid.doc.credentialSubject.image
+      );
+      return valid;
     })
   );
 }
 async function verifyMedia(wmpIssuerKeys, media, validator) {
   if (!media) return;
   return await Promise.all(
-    media.map((m) => {
+    media.map(async (m) => {
       const verify = OpVerifier(
         wmpIssuerKeys,
         m,
         validator?.(WebMediaProfile)
       );
-      return verify(m.source);
+      const result = await verify(m.source);
+      if (result instanceof Error) {
+        return result;
+      }
+      await verifyImageDigestSri(result.doc.credentialSubject.logo);
+      return result;
     })
   );
 }
@@ -1148,11 +1172,12 @@ function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
           return verified;
         }
         if (verifyOrigin) {
-          const allowedOrigin = "allowedOrigin" in decodedWsp.doc.credentialSubject ? decodedWsp.doc.credentialSubject.allowedOrigin : decodedWsp.doc.credentialSubject.url;
+          const allowedOrigin = "allowedOrigin" in verified.doc.credentialSubject ? verified.doc.credentialSubject.allowedOrigin : verified.doc.credentialSubject.url;
           if (!verifyAllowedOrigin(origin, allowedOrigin)) {
             return new Error("Origin not allowed");
           }
         }
+        await verifyImageDigestSri(verified.doc.credentialSubject.image);
         return verified;
       })
     );
@@ -1180,63 +1205,4 @@ function SpVerifier(sp, keys, issuer, origin, verifyOrigin = true, validator) {
   return verify;
 }
 
-var objectTypeof = typeOf;
-function typeOf(obj) {
-  if (obj === null) {
-    return "null";
-  }
-  if (obj !== Object(obj)) {
-    return typeof obj;
-  }
-  var result = {}.toString.call(obj).slice(8, -1).toLowerCase();
-  return result.indexOf("function") > -1 ? "function" : result;
-}
-
-function CertificationSystemValidator() {
-  return function validate(payload) {
-    if (objectTypeof(payload) !== "object") {
-      return new CertificationSystemValidationFailed("should be an object", {
-        payload
-      });
-    }
-    const keys = Object.keys(payload);
-    const entries = Object.entries(payload);
-    if (!CertificationSystem.required.every((k) => keys.includes(k))) {
-      return new CertificationSystemValidationFailed(
-        "should be contain required properties",
-        { payload }
-      );
-    }
-    for (const entry of entries) {
-      const [key, value] = entry;
-      const propertySchema = CertificationSystem.properties[key];
-      if (objectTypeof(propertySchema) !== "object") {
-        return new CertificationSystemValidationFailed(
-          "should not contain additional properties",
-          { payload }
-        );
-      }
-      if ("const" in propertySchema && value !== propertySchema.const)
-        return new CertificationSystemValidationFailed(
-          `should be contain value of '${value}' in '${key}' property`,
-          { payload }
-        );
-      if ("type" in propertySchema && typeof value !== propertySchema.type)
-        return new CertificationSystemValidationFailed(
-          `should be contain ${propertySchema.type} value in '${key}' property`,
-          { payload }
-        );
-    }
-    return true;
-  };
-}
-function validateCertificationSystem(payload) {
-  const validator = CertificationSystemValidator();
-  const result = validator(payload);
-  if (result !== true) {
-    return result;
-  }
-  return payload;
-}
-
-export { CaInvalid, CaVerifier, CaVerifyFailed, CasVerifyFailed, CertificateExpired, CertificationSystemValidationFailed, CertificationSystemValidator, CoreProfileNotFound, OpInvalid, OpVerifyFailed, OpsInvalid, OpsVerifier, OpsVerifyFailed, ProfileBodyExtractFailed, ProfileBodyVerifyFailed, ProfileClaimsValidationFailed, ProfileGenericError, ProfileTokenVerifyFailed, ProfilesResolveFailed, ProfilesVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, SpVerifier, TargetIntegrityAlgorithm, VerifyResultFactory, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, validateCertificationSystem, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyIntegrity, wmp, wsp };
+export { CaInvalid, CaVerifier, CaVerifyFailed, CasVerifyFailed, CertificateExpired, CoreProfileNotFound, IntegrityFetchFailed, IntegrityVerificationFailed, OpInvalid, OpVerifyFailed, OpsInvalid, OpsVerifier, OpsVerifyFailed, SiteProfileInvalid, SiteProfileVerifyFailed, SpVerifier, TargetIntegrityAlgorithm, VerifyResultFactory, article, caId, caUrl, certificate, cp, decodeOps, getMappedKeys, getTupledKeys, normalizeCasItem, opId, patch, verifyAllowedOrigin, verifyCas, verifyDigestSri, verifyImageDigestSri, verifyIntegrity, wmp, wsp };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@originator-profile/verify",
-  "version": "0.5.0-beta.1",
+  "version": "0.5.0-beta.2",
   "license": "Apache-2.0",
   "homepage": "https://docs.originator-profile.org",
   "repository": {
@@ -30,15 +30,14 @@
   ],
   "dependencies": {
     "@types/jsonld": "^1.5.15",
-    "ajv": "^8.17.1",
-    "ajv-formats": "^3.0.1",
     "jose": "^6.0.10",
     "jsonld": "^9.0.0",
-    "@originator-profile/cryptography": "0.5.0-beta.1",
-    "@originator-profile/model": "0.5.0-beta.1",
-    "@originator-profile/securing-mechanism": "0.5.0-beta.1",
-    "@originator-profile/core": "0.5.0-beta.1",
-    "@originator-profile/sign": "0.5.0-beta.1"
+    "zod": "^4.3.6",
+    "@originator-profile/model": "0.5.0-beta.2",
+    "@originator-profile/cryptography": "0.5.0-beta.2",
+    "@originator-profile/core": "0.5.0-beta.2",
+    "@originator-profile/sign": "0.5.0-beta.2",
+    "@originator-profile/securing-mechanism": "0.5.0-beta.2"
   },
   "devDependencies": {
     "@playwright/test": "^1.57.0",
@@ -54,8 +53,8 @@
     "vite": "^7.0.0",
     "vitest": "^4.0.0",
     "websri": "^1.0.1",
-    "@originator-profile/tsconfig": "0.5.0-beta.1",
-    "eslint-config-originator-profile": "0.5.0-beta.1"
+    "eslint-config-originator-profile": "0.5.0-beta.2",
+    "@originator-profile/tsconfig": "0.5.0-beta.2"
   },
   "scripts": {
     "build": "pkgroll --clean-dist --target=node20",