@originator-profile/verify 0.5.3 → 0.6.0-beta.1

package/dist/{index.d.mts → index.d.ts}

@@ -1,4 +1,4 @@
-import { ContentAttestation, Image, Target, ContentAttestationSet, OpVc, Jwk, ArticleCA, Certificate as Certificate$1, CoreProfile, WebMediaProfile, WebsiteProfile, JapaneseExistenceCertificate, OriginatorProfileSet, Jwks, SiteProfile, AllowedOrigin } from '@originator-profile/model';
+import { ContentAttestation, Image, Target, ContentAttestationSet, OpVc, Jwk, ArticleCA, Certificate as Certificate$1, CoreProfile, WebMediaProfile, WebsiteProfile, JapaneseExistenceCertificate, ProfileAnnotation, JapaneseExistencePA, ProfileAnnotationIssuerRegistration, OriginatorProfileSet, Jwks, SiteProfile, AllowedOrigin } from '@originator-profile/model';
 import { JwtVcDecodingResult, UnverifiedJwtVc, JwtVcVerificationResult, VerifiedJwtVc, VcValidator } from '@originator-profile/securing-mechanism';
 import { Keys } from '@originator-profile/cryptography';
 import { DigestSriResult, ContentFetcher, ElementSelector } from '@originator-profile/sign';
@@ -344,7 +344,8 @@ declare class CertificateExpired<T extends OpVc> extends Error {
     constructor(message: string, result: VerifiedJwtVc<T>);
 }
 
-type Certificate = Certificate$1 | JapaneseExistenceCertificate;
+/** @deprecated Profile Annotation とその派生として整理する可能性あるため "Certificate" の利用は非推奨 */
+type Certificate = Certificate$1 | JapaneseExistenceCertificate | ProfileAnnotation | JapaneseExistencePA | ProfileAnnotationIssuerRegistration;
 /** Originator Profile 復号失敗 */
 type OpDecodingFailure = {
     core: JwtVcDecodingResult<CoreProfile>;

package/dist/{index.mjs → index.js}

@@ -1,7 +1,7 @@
 import { JwtVcVerifier, VcValidateFailed, VcVerifyFailed, JwtVcDecoder } from '@originator-profile/securing-mechanism';
 import { createDigestSri, selectByIntegrity, fetchExternalResource, selectByCss, fetchVisibleTextContent, fetchTextContent, fetchHtmlContent, FetchFailed } from '@originator-profile/sign';
 import { LocalKeys } from '@originator-profile/cryptography';
-import { ContentAttestation, CoreProfile, Certificate, JapaneseExistenceCertificate, WebMediaProfile, WebsiteProfile } from '@originator-profile/model';
+import { ContentAttestation, JapaneseExistencePA, ProfileAnnotationIssuerRegistration, ProfileAnnotation, JapaneseExistenceCertificate, Certificate, WebMediaProfile, CoreProfile, WebsiteProfile } from '@originator-profile/model';
 import { z } from 'zod';
 
 class CaInvalid extends Error {
@@ -422,7 +422,7 @@ function verifyAllowedOrigin(origin, allowedOrigins) {
 
 async function importURLPatternPolyfill() {
   if (typeof URLPattern === "undefined") {
-    await import('./index-CQxI_8IG.mjs');
+    await import('./index-CQxI_8IG.js');
   }
 }
 function ReplaceEncode(url) {
@@ -912,29 +912,48 @@ class CertificateExpired extends Error {
 
 const isEveryDecodedPa = (annotations) => annotations.every((annotation) => "doc" in annotation);
 const isEveryDecodedWmp = (media) => media.every((m) => "doc" in m);
-const validateDecodedOp = (core, annotations, media, resultOp) => {
+const failedPaths = (items, opIndex, prefix, isFailed) => items.map(
+  (item, index) => isFailed(item) ? `OP[${opIndex}].${prefix}[${index}]` : null
+).filter((path) => path !== null);
+const validateDecodedOp = (core, annotations, media, resultOp, opIndex) => {
   if (annotations && !isEveryDecodedPa(annotations)) {
-    return new OpInvalid("Profile Annotation decode failed", resultOp);
+    const paths = failedPaths(annotations, opIndex, "PA", (a) => !("doc" in a));
+    return new OpInvalid(
+      `Profile Annotation decode failed (${paths.join(", ")})`,
+      resultOp
+    );
   }
   if (media && !isEveryDecodedWmp(media)) {
-    return new OpInvalid("Web Media Profile decode failed", resultOp);
+    const paths = failedPaths(media, opIndex, "WMP", (m) => !("doc" in m));
+    return new OpInvalid(
+      `Web Media Profile decode failed (${paths.join(", ")})`,
+      resultOp
+    );
   }
+  const subjectMismatchErrors = [];
   if (media && media.some(
     (m) => core.doc.credentialSubject.id !== m.doc.credentialSubject.id
   )) {
-    return new OpInvalid(
-      "Subject mismatch between Core Profile and Web Media Profile",
-      resultOp
+    const details = media.map(
+      (m, index) => core.doc.credentialSubject.id !== m.doc.credentialSubject.id ? `OP[${opIndex}].WMP[${index}] issuer: ${m.doc.issuer}, subject: ${m.doc.credentialSubject.id}` : null
+    ).filter((d) => d !== null);
+    subjectMismatchErrors.push(
+      `Subject mismatch between Core Profile and Web Media Profile (${details.join(", ")})`
     );
   }
   if (annotations && annotations.some(
     (annotation) => core.doc.credentialSubject.id !== annotation.doc.credentialSubject.id
   )) {
-    return new OpInvalid(
-      "Subject mismatch between Core Profile and Profile Annotation",
-      resultOp
+    const details = annotations.map(
+      (a, index) => core.doc.credentialSubject.id !== a.doc.credentialSubject.id ? `OP[${opIndex}].PA[${index}] issuer: ${a.doc.issuer}, subject: ${a.doc.credentialSubject.id}` : null
+    ).filter((d) => d !== null);
+    subjectMismatchErrors.push(
+      `Subject mismatch between Core Profile and Profile Annotation (${details.join(", ")})`
     );
   }
+  if (subjectMismatchErrors.length > 0) {
+    return new OpInvalid(subjectMismatchErrors.join("\n"), resultOp);
+  }
   return { type: "valid", annotations, media };
 };
 const isDecodedOps = (ops) => ops.every((op) => !(op instanceof OpInvalid));
@@ -942,7 +961,7 @@ function decodeOps(ops) {
   const decodeCp = JwtVcDecoder();
   const decodePa = JwtVcDecoder();
   const decodeWmp = JwtVcDecoder();
-  const resultOps = ops.map((op) => {
+  const resultOps = ops.map((op, opIndex) => {
     const core = decodeCp(op.core);
     const annotations = op.annotations ? op.annotations.map(decodePa) : void 0;
     const mediaInput = op.media;
@@ -950,9 +969,18 @@ function decodeOps(ops) {
     const media = mediaArray ? mediaArray.map(decodeWmp) : void 0;
     const resultOp = { core, annotations, media };
     if (core instanceof Error) {
-      return new OpInvalid("Core Profile decode failed", resultOp);
+      return new OpInvalid(
+        `Core Profile decode failed (OP[${opIndex}])`,
+        resultOp
+      );
     }
-    const validated = validateDecodedOp(core, annotations, media, resultOp);
+    const validated = validateDecodedOp(
+      core,
+      annotations,
+      media,
+      resultOp,
+      opIndex
+    );
     if (validated instanceof OpInvalid) {
       return validated;
     }
@@ -963,7 +991,9 @@ function decodeOps(ops) {
     };
   });
   if (!isDecodedOps(resultOps)) {
-    return new OpsInvalid("Invalid Originator Profile Set", resultOps);
+    const invalidIndexes = resultOps.map((op, index) => op instanceof OpInvalid ? index : null).filter((i) => i !== null);
+    const msg = invalidIndexes.length > 0 ? `Invalid Originator Profile Set (${invalidIndexes.map((i) => `OP[${i}]`).join(", ")})` : "Invalid Originator Profile Set";
+    return new OpsInvalid(msg, resultOps);
   }
   return resultOps;
 }
@@ -977,6 +1007,7 @@ function OpVerifier(paOrWmpIssuerKeys, vc, validator) {
   const cpKeys = LocalKeys(jwks);
   return JwtVcVerifier(cpKeys, issuer, validator);
 }
+
 function validateCertificateExpiry(verifiedVc) {
   const now = /* @__PURE__ */ new Date();
   const validFrom = verifiedVc.doc.validFrom ? new Date(verifiedVc.doc.validFrom) : null;
@@ -996,7 +1027,16 @@ async function verifyAnnotations(paIssuerKeys, annotations, validator) {
       const verify = OpVerifier(
         paIssuerKeys,
         annotation,
-        validator?.(z.union([Certificate, JapaneseExistenceCertificate]))
+        validator?.(
+          // TODO: Profile Annotation とその派生のスキーマとして整理
+          z.union([
+            JapaneseExistencePA,
+            ProfileAnnotationIssuerRegistration,
+            ProfileAnnotation,
+            JapaneseExistenceCertificate,
+            Certificate
+          ])
+        )
       );
       const result = await verify(annotation.source);
       if (result instanceof Error) {
@@ -1006,13 +1046,12 @@ async function verifyAnnotations(paIssuerKeys, annotations, validator) {
       if (valid instanceof CertificateExpired) {
         return valid;
       }
-      await verifyImageDigestSri(
-        valid.doc.credentialSubject.image
-      );
+      await verifyImageDigestSri(valid.doc.credentialSubject.image);
       return valid;
     })
   );
 }
+
 async function verifyMedia(wmpIssuerKeys, media, validator) {
   if (!media) return;
   return await Promise.all(
@@ -1031,6 +1070,16 @@ async function verifyMedia(wmpIssuerKeys, media, validator) {
     })
   );
 }
+
+function generateErrorDetails(items, opIndex, prefix, sources) {
+  if (!items) return [];
+  return items.map((item, index) => {
+    if (!(item instanceof Error)) return null;
+    const src = sources?.[index];
+    const info = src ? ` issuer: ${src.doc.issuer}, subject: ${src.doc.credentialSubject.id}` : "";
+    return `OP[${opIndex}].${prefix}[${index}]${info}`;
+  }).filter((d) => d !== null);
+}
 const isVerifiedOps = (ops) => ops.every((op) => !(op instanceof OpVerifyFailed));
 function OpsVerifier(ops, keys, issuer, validator) {
   const decoded = decodeOps(ops);
@@ -1045,7 +1094,7 @@ function OpsVerifier(ops, keys, issuer, validator) {
     }
     const paOrWmpIssuerKeys = getMappedKeys(decoded);
     const resultOps = await Promise.all(
-      decoded.map(async (op) => {
+      decoded.map(async (op, opIndex) => {
         const core = await verifyCp(op.core.source);
         const annotations = await verifyAnnotations(
           paOrWmpIssuerKeys,
@@ -1055,17 +1104,27 @@ function OpsVerifier(ops, keys, issuer, validator) {
         const media = await verifyMedia(paOrWmpIssuerKeys, op.media, validator);
         const resultOp = { core, annotations, media };
         if (core instanceof Error) {
-          return new OpVerifyFailed("Core Profile verify failed", resultOp);
+          return new OpVerifyFailed(
+            `Core Profile verify failed (OP[${opIndex}])`,
+            resultOp
+          );
         }
         if (annotations && annotations.some((annotation) => annotation instanceof Error)) {
+          const details = generateErrorDetails(
+            annotations,
+            opIndex,
+            "PA",
+            op.annotations
+          );
           return new OpVerifyFailed(
-            "Profile Annotation verify failed",
+            `Profile Annotation verify failed (${details.join(", ")})`,
             resultOp
           );
         }
         if (media && media.some((m) => m instanceof Error)) {
+          const details = generateErrorDetails(media, opIndex, "WMP", op.media);
           return new OpVerifyFailed(
-            "Web Media Profile verify failed",
+            `Web Media Profile verify failed (${details.join(", ")})`,
             resultOp
           );
         }
@@ -1073,10 +1132,9 @@ function OpsVerifier(ops, keys, issuer, validator) {
       })
     );
     if (!isVerifiedOps(resultOps)) {
-      return new OpsVerifyFailed(
-        "Originator Profile Set verify failed",
-        resultOps
-      );
+      const verifyFailedIndexes = resultOps.map((op, index) => op instanceof OpVerifyFailed ? index : null).filter((i) => i !== null);
+      const msg = verifyFailedIndexes.length > 0 ? `Originator Profile Set verify failed (${verifyFailedIndexes.map((i) => `OP[${i}]`).join(", ")})` : "Originator Profile Set verify failed";
+      return new OpsVerifyFailed(msg, resultOps);
     }
     return resultOps;
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@originator-profile/verify",
-  "version": "0.5.3",
+  "version": "0.6.0-beta.1",
   "license": "Apache-2.0",
   "homepage": "https://docs.originator-profile.org",
   "repository": {
@@ -13,14 +13,8 @@
   },
   "type": "module",
   "exports": {
-    "require": {
-      "types": "./dist/index.d.cts",
-      "default": "./dist/index.cjs"
-    },
-    "import": {
-      "types": "./dist/index.d.mts",
-      "default": "./dist/index.mjs"
-    }
+    "types": "./dist/index.d.ts",
+    "default": "./dist/index.js"
   },
   "files": [
     "dist",
@@ -33,31 +27,31 @@
     "jose": "^6.2.2",
     "jsonld": "^9.0.0",
     "zod": "^4.3.6",
-    "@originator-profile/core": "0.5.3",
-    "@originator-profile/cryptography": "0.5.3",
-    "@originator-profile/securing-mechanism": "0.5.3",
-    "@originator-profile/model": "0.5.3",
-    "@originator-profile/sign": "0.5.3"
+    "@originator-profile/core": "0.6.0-beta.1",
+    "@originator-profile/model": "0.6.0-beta.1",
+    "@originator-profile/cryptography": "0.6.0-beta.1",
+    "@originator-profile/securing-mechanism": "0.6.0-beta.1",
+    "@originator-profile/sign": "0.6.0-beta.1"
   },
   "devDependencies": {
-    "@playwright/test": "^1.60.0",
-    "date-fns": "^4.1.0",
-    "eslint": "^10.1.0",
-    "happy-dom": "^20.8.9",
-    "just-diff-apply": "^5.5.0",
-    "just-typeof": "^3.2.0",
-    "pkgroll": "^2.27.0",
-    "playwright": "^1.60.0",
-    "typescript": "^6.0.2",
-    "urlpattern-polyfill": "^10.1.0",
-    "vite": "^8.0.3",
-    "vitest": "^4.1.2",
-    "websri": "^1.0.1",
-    "eslint-config-originator-profile": "0.5.3",
-    "@originator-profile/tsconfig": "0.5.3"
+    "@playwright/test": "1.59.1",
+    "date-fns": "4.1.0",
+    "eslint": "10.2.0",
+    "happy-dom": "20.8.9",
+    "just-diff-apply": "5.5.0",
+    "just-typeof": "3.2.0",
+    "pkgroll": "2.27.0",
+    "playwright": "1.59.1",
+    "typescript": "6.0.2",
+    "urlpattern-polyfill": "10.1.0",
+    "vite": "8.0.8",
+    "vitest": "4.1.4",
+    "websri": "1.0.1",
+    "@originator-profile/tsconfig": "0.6.0-beta.1",
+    "eslint-config-originator-profile": "0.6.0-beta.1"
   },
   "scripts": {
-    "build": "pkgroll --clean-dist --target=node20",
+    "build": "pkgroll --clean-dist",
     "test": "vitest run",
     "e2e": "playwright test",
     "e2e:update": "playwright test --update-snapshots",