Verification

OCC verification is deterministic and runs offline. No network calls, no API keys, no accounts.

Five-step algorithm

Input: a proof (OCCProof), the original bytes (Uint8Array), and an optional verification policy.

1. Structural validation

Check that all required fields are present with correct types: version must be "occ/1", hashAlg must be "sha256", enforcement must be one of the valid tiers, and all base64 fields must decode correctly.

2. Artifact digest verification

Compute SHA-256 of the provided bytes. Compare against proof.artifact.digestB64 using constant-time comparison. If they don't match, the proof does not apply to these bytes.

3. Signed body reconstruction

Build the SignedBody object from the proof fields (including actor identity from agency, when present). Canonicalize it to sorted-key JSON and encode the result as UTF-8 bytes. This is what the signature covers.

4. Ed25519 signature verification

Decode publicKeyB64 (must be 32 bytes) and signatureB64 (must be 64 bytes). Verify the Ed25519 signature against the canonical bytes. If invalid, the proof has been tampered with.

5. Policy checks

If a VerificationPolicy is provided, enforce its constraints: enforcement tier, allowed measurements, allowed public keys, attestation requirements, counter range, time range, epoch requirements.
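
Steps 2 to 4 in code, as an added example that is not part of the OCC documentation or its implementation. The proof nesting (signer), the signed-body field set and the helper names (MiniProof, canonicalize, signedBytes, verifyMini, makeSample) are assumptions made for illustration; the key pair and proof are constructed inside the block.

```typescript
import { createHash, createPublicKey, generateKeyPairSync, sign, timingSafeEqual, verify } from "node:crypto";

// Hypothetical minimal proof: only the names digestB64, publicKeyB64, signatureB64,
// version, hashAlg and enforcement come from the page; the nesting is assumed.
interface MiniProof {
  version: string; hashAlg: string; enforcement: string;
  artifact: { digestB64: string };
  signer: { publicKeyB64: string; signatureB64: string };
}

// Sorted-key JSON: keys are emitted in sorted order at every nesting level.
function canonicalize(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map((e) => canonicalize(e)).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    return "{" + Object.keys(o).sort().map((k) => JSON.stringify(k) + ":" + canonicalize(o[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

// Assumed signed body (step 3): the real SignedBody field set is not shown on the page.
function signedBytes(p: MiniProof): Buffer {
  return Buffer.from(canonicalize({ version: p.version, hashAlg: p.hashAlg, enforcement: p.enforcement, artifact: p.artifact }), "utf8");
}

function verifyMini(p: MiniProof, bytes: Uint8Array): string {
  // Step 2: timingSafeEqual throws on unequal lengths, so check the length first.
  const want = Buffer.from(p.artifact.digestB64, "base64");
  const got = createHash("sha256").update(bytes).digest();
  if (want.length !== got.length || !timingSafeEqual(want, got)) return "digest-mismatch";
  // Step 4: enforce the raw key and signature sizes before calling the crypto API.
  const pub = Buffer.from(p.signer.publicKeyB64, "base64");
  const sig = Buffer.from(p.signer.signatureB64, "base64");
  if (pub.length !== 32 || sig.length !== 64) return "bad-length";
  const key = createPublicKey({ key: { kty: "OKP", crv: "Ed25519", x: pub.toString("base64url") }, format: "jwk" });
  return verify(null, signedBytes(p), key, sig) ? "ok" : "bad-signature";
}

// Constructed sample: a throwaway key pair signs a proof over the given bytes.
function makeSample(bytes: Uint8Array): MiniProof {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const x = publicKey.export({ format: "jwk" }).x as string;
  const p: MiniProof = {
    version: "occ/1", hashAlg: "sha256", enforcement: "stub",
    artifact: { digestB64: createHash("sha256").update(bytes).digest("base64") },
    signer: { publicKeyB64: Buffer.from(x, "base64url").toString("base64"), signatureB64: "" },
  };
  p.signer.signatureB64 = sign(null, signedBytes(p), privateKey).toString("base64");
  return p;
}
```

Because the enforcement tier is inside the assumed signed body, rewriting it after signing yields "bad-signature" rather than passing as a higher tier.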

Verification policy

interface VerificationPolicy {
  requireEnforcement?: "stub" | "hw-key" | "measured-tee";
  allowedMeasurements?: string[];     // exact match
  allowedPublicKeys?: string[];       // exact match
  requireAttestation?: boolean;
  requireAttestationFormat?: string[];
  minCounter?: string;                // BigInt-safe
  maxCounter?: string;
  minTime?: number;                   // Unix ms
  maxTime?: number;
  requireEpochId?: boolean;

  // Actor-bound proof policy
  requireActor?: boolean;             // reject proofs without agency
  allowedActorKeyIds?: string[];      // exact match
  allowedActorProviders?: string[];   // e.g. ["apple-secure-enclave"]
}

Trust anchor hierarchy

requireEnforcement alone — prevents in-transit downgrade only
requireEnforcement + allowedMeasurements — pins to specific enclave image
+ requireAttestation — full trust (vendor-attested hardware boundary)

What the verifier does NOT check

| Item | Why |
| --- | --- |
| Attestation report content | Vendor-signed; platform-specific verification is caller responsibility |
| prevB64 chain integrity | Chain traversal is application-layer logic |
| Counter continuity | Gap detection is application-layer logic |
| Key provenance | Requires attestation verification |
| Timestamp validity | TSA token parsing is out of scope |