{
  "tool_id": "art-124-content-credential-signature-verifier",
  "note": "art-124 uses a fixed deterministic test keypair (Ed25519). The signer_public_key_jwk + signature_b64 were precomputed once over signed_bytes_b64 so the golden hash is stable across machines. golden_hash is empty until first `node golden-parity.test.mjs --update`.",
  "vectors": [
    {
      "name": "accept-valid-signature-trusted-chain",
      "policy_parameters": {
        "alg": "Ed25519",
        "signer_public_key_jwk": {
          "key_ops": [
            "verify"
          ],
          "ext": true,
          "alg": "Ed25519",
          "crv": "Ed25519",
          "x": "UCJluj4JmGYxBS1ecl_Q8kHKgd4ASBu6Hx6sHgfb0kk",
          "kty": "OKP"
        },
        "signed_bytes_b64": "YzJwYS10ZXN0LXNpZ25lZC1jbGFpbS1ieXRlcy0yMDI2LTA2LTI1",
        "signature_b64": "BSIkzTIAjJ2YVc347NUIBXJZAtx9uE5oSdhMIvA5LrL4UDdBkvpx2KSL5J8SJQOZro6M2m3iHAXbK+b7/YEBAQ==",
        "trust_anchor_match": true,
        "cert_not_expired": true,
        "revocation_status": "good"
      },
      "output_payload": {
        "signature_cryptographically_valid": true,
        "chain_trusted": true,
        "alg": "Ed25519",
        "alg_allowed": true,
        "verdict": "ACCEPT"
      },
      "golden_hash": "7ddb9d02763bbd32719913d7cfb2c90ff3535ca6f7deb4023cb8da86c33f41af"
    },
    {
      "name": "refuse-revoked-cert",
      "policy_parameters": {
        "alg": "Ed25519",
        "signer_public_key_jwk": {
          "key_ops": [
            "verify"
          ],
          "ext": true,
          "alg": "Ed25519",
          "crv": "Ed25519",
          "x": "UCJluj4JmGYxBS1ecl_Q8kHKgd4ASBu6Hx6sHgfb0kk",
          "kty": "OKP"
        },
        "signed_bytes_b64": "YzJwYS10ZXN0LXNpZ25lZC1jbGFpbS1ieXRlcy0yMDI2LTA2LTI1",
        "signature_b64": "BSIkzTIAjJ2YVc347NUIBXJZAtx9uE5oSdhMIvA5LrL4UDdBkvpx2KSL5J8SJQOZro6M2m3iHAXbK+b7/YEBAQ==",
        "trust_anchor_match": true,
        "cert_not_expired": true,
        "revocation_status": "revoked"
      },
      "output_payload": {
        "signature_cryptographically_valid": true,
        "chain_trusted": false,
        "alg": "Ed25519",
        "alg_allowed": true,
        "verdict": "REFUSE"
      },
      "golden_hash": "63ee4f3e285911083d8f5642cb974eb5968cdf900110ea2cd4af215ca22818af"
    },
    {
      "name": "refuse-bad-signature",
      "policy_parameters": {
        "alg": "Ed25519",
        "signer_public_key_jwk": {
          "key_ops": [
            "verify"
          ],
          "ext": true,
          "alg": "Ed25519",
          "crv": "Ed25519",
          "x": "UCJluj4JmGYxBS1ecl_Q8kHKgd4ASBu6Hx6sHgfb0kk",
          "kty": "OKP"
        },
        "signed_bytes_b64": "YzJwYS10ZXN0LXNpZ25lZC1jbGFpbS1ieXRlcy0yMDI2LTA2LTI1",
        "signature_b64": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "trust_anchor_match": true,
        "cert_not_expired": true,
        "revocation_status": "good"
      },
      "output_payload": {
        "signature_cryptographically_valid": false,
        "chain_trusted": true,
        "alg": "Ed25519",
        "alg_allowed": true,
        "verdict": "REFUSE"
      },
      "golden_hash": "af2a59ff8bd882458df2af5150c8e21904fe0ed2e98f05e07a30c8376cc398bf"
    },
    {
      "name": "refuse-disallowed-algorithm",
      "policy_parameters": {
        "alg": "RS256",
        "trust_anchor_match": true,
        "cert_not_expired": true,
        "revocation_status": "good"
      },
      "output_payload": {
        "signature_cryptographically_valid": false,
        "chain_trusted": true,
        "alg": "RS256",
        "alg_allowed": false,
        "verdict": "REFUSE"
      },
      "golden_hash": "f433361d17c2f60b60f1eaf13f0b420d0ec4165a5328b5f91a33fbb871b1493d"
    }
  ]
}
