@pagopa/io-react-native-wallet 0.27.1 → 0.28.1

package/src/credential/presentation/index.ts

@@ -7,16 +7,33 @@ import {
   getRequestObject,
   type GetRequestObject,
 } from "./03-get-request-object";
+import { getJwksFromConfig, type FetchJwks } from "./04-retrieve-rp-jwks";
+import {
+  verifyRequestObject,
+  type VerifyRequestObject,
+} from "./05-verify-request-object";
+import {
+  fetchPresentDefinition,
+  type FetchPresentationDefinition,
+} from "./06-fetch-presentation-definition";
+import {
+  evaluateInputDescriptorForSdJwt4VC,
+  type EvaluateInputDescriptorSdJwt4VC,
+} from "./07-evaluate-input-descriptor";
 import {
   sendAuthorizationResponse,
   type SendAuthorizationResponse,
-} from "./04-send-authorization-response";
+} from "./08-send-authorization-response";
 import * as Errors from "./errors";
 
 export {
   startFlowFromQR,
   evaluateRelyingPartyTrust,
   getRequestObject,
+  getJwksFromConfig,
+  verifyRequestObject,
+  fetchPresentDefinition,
+  evaluateInputDescriptorForSdJwt4VC,
   sendAuthorizationResponse,
   Errors,
 };
@@ -24,5 +41,9 @@ export type {
   StartFlow,
   EvaluateRelyingPartyTrust,
   GetRequestObject,
+  FetchJwks,
+  VerifyRequestObject,
+  FetchPresentationDefinition,
+  EvaluateInputDescriptorSdJwt4VC,
   SendAuthorizationResponse,
 };

package/src/credential/presentation/types.ts

@@ -11,6 +11,84 @@ export type Presentation = [
   /* the context for the key associated to the credential */ CryptoContext,
 ];
 
+/**
+ * A object that associate the information needed to multiple remote presentation
+ * Used with `presentation_definition`
+ * @deprecated Use `RemotePresentation`
+ */
+export type LegacyRemotePresentation = {
+  requestedClaims: string[];
+  inputDescriptor: InputDescriptor;
+  format: string;
+  vpToken: string;
+};
+
+/**
+ * A object that associate the information needed to multiple remote presentation
+ * Used with DCQL queries
+ */
+export type RemotePresentation = {
+  requestedClaims: string[];
+  credentialId: string;
+  format: string;
+  vpToken: string;
+};
+
+const Fields = z.object({
+  path: z.array(z.string().min(1)), // Array of JSONPath string expressions
+  id: z.string().optional(), // Unique string ID
+  purpose: z.string().optional(), // Purpose of the field
+  name: z.string().optional(), // Human-friendly name
+  filter: z.any().optional(), // JSON Schema descriptor for filtering
+  optional: z.boolean().optional(), // Boolean indicating if the field is optional
+  intent_to_retain: z.boolean().optional(), // Boolean indicating that the Verifier intends to retain the Claim's data being requested
+});
+
+// Define the Constraints Object Schema
+const Constraints = z.object({
+  fields: z.array(Fields).optional(), // Array of Field Objects
+  limit_disclosure: z.enum(["required", "preferred"]).optional(), // Limit disclosure property
+});
+
+// Define the Input Descriptor Object Schema
+export type InputDescriptor = z.infer<typeof InputDescriptor>;
+export const InputDescriptor = z.object({
+  id: z.string().min(1), // Mandatory unique string ID
+  name: z.string().optional(), // Human-friendly name
+  purpose: z.string().optional(), // Purpose of the schema
+  format: z.record(z.string(), z.any()).optional(), // Object with Claim Format Designations
+  constraints: Constraints, // Constraints Object (mandatory)
+  group: z.string().optional(), // Match one of the grouping strings listed in the "from" values of a Submission Requirement Rule
+});
+
+const SubmissionRequirement = z.object({
+  name: z.string().optional(),
+  purpose: z.string().optional(),
+  rule: z.string(), // "all": all group's rules must be present, or "pick": at least group's "count" rules must be present
+  from: z.string().optional(), // MUST contain either a "from" or "from_nested" property
+  from_nested: z
+    .array(
+      z.object({
+        name: z.string().optional(),
+        purpose: z.string().optional(),
+        rule: z.string(),
+        from: z.string(),
+      })
+    )
+    .optional(),
+  count: z.number().optional(),
+  //"count", "min", and "max" may be present with a "pick" rule
+});
+
+export type PresentationDefinition = z.infer<typeof PresentationDefinition>;
+export const PresentationDefinition = z.object({
+  id: z.string(),
+  name: z.string().optional(),
+  purpose: z.string().optional(),
+  input_descriptors: z.array(InputDescriptor),
+  submission_requirements: z.array(SubmissionRequirement).optional(),
+});
+
 export type RequestObject = z.infer<typeof RequestObject>;
 export const RequestObject = z.object({
   iss: z.string(),
@@ -19,9 +97,62 @@ export const RequestObject = z.object({
   state: z.string(),
   nonce: z.string(),
   response_uri: z.string(),
+  response_uri_method: z.string().optional(),
   response_type: z.literal("vp_token"),
   response_mode: z.literal("direct_post.jwt"),
   client_id: z.string(),
-  client_id_scheme: z.literal("entity_id"),
-  scope: z.string(),
+  dcql_query: z.record(z.string(), z.any()).optional(), // Validation happens within the `dcql` library, no need to duplicate it here
+  scope: z.string().optional(),
+  presentation_definition: PresentationDefinition.optional(),
+});
+
+export type WalletMetadata = z.infer<typeof WalletMetadata>;
+export const WalletMetadata = z.object({
+  presentation_definition_uri_supported: z.boolean().optional(),
+  client_id_schemes_supported: z.array(z.string()).optional(),
+  request_object_signing_alg_values_supported: z.array(z.string()).optional(),
+  vp_formats_supported: z.record(
+    z.string(), // TODO [SIW-2110]: use explicit credential format?
+    z.object({
+      "sd-jwt_alg_values": z.array(z.string()).optional(), // alg_values_supported?
+    })
+  ),
+  // TODO [SIW-2110]: include other metadata?
+});
+
+/**
+ * Wallet capabilities that must be submitted to get the Request Object
+ * via POST request when the `request_uri_method` is `post`.
+ */
+export type RequestObjectWalletCapabilities = z.infer<
+  typeof RequestObjectWalletCapabilities
+>;
+export const RequestObjectWalletCapabilities = z.object({
+  wallet_metadata: WalletMetadata,
+  wallet_nonce: z.string().optional(),
+});
+
+/**
+ * Authorization Response payload when using `presentation_definition`.
+ * @deprecated Use `DirectAuthorizationBodyPayload`
+ */
+export type LegacyDirectAuthorizationBodyPayload = z.infer<
+  typeof LegacyDirectAuthorizationBodyPayload
+>;
+/**
+ * @deprecated Use `DirectAuthorizationBodyPayload`
+ */
+export const LegacyDirectAuthorizationBodyPayload = z.object({
+  vp_token: z.union([z.string(), z.array(z.string())]).optional(),
+  presentation_submission: z.record(z.string(), z.unknown()),
+});
+
+/**
+ * Authorization Response payload when using DCQL queries.
+ */
+export type DirectAuthorizationBodyPayload = z.infer<
+  typeof DirectAuthorizationBodyPayload
+>;
+export const DirectAuthorizationBodyPayload = z.object({
+  vp_token: z.record(z.string(), z.string()),
 });

package/src/sd-jwt/index.ts

@@ -2,12 +2,13 @@ import { z } from "zod";
 
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import { verify as verifyJwt } from "@pagopa/io-react-native-jwt";
-import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import { SignJWT, sha256ToBase64 } from "@pagopa/io-react-native-jwt";
 import { Disclosure, SdJwt4VC, type DisclosureWithEncoded } from "./types";
 import { verifyDisclosure } from "./verifier";
 import type { JWK } from "../utils/jwk";
 import * as Errors from "./errors";
 import { Base64 } from "js-base64";
+import { type Presentation } from "../credential/presentation/types";
 
 const decodeDisclosure = (encoded: string): DisclosureWithEncoded => {
   const utf8String = Base64.decode(encoded); // Decode Base64 into UTF-8 string
@@ -163,4 +164,51 @@ export const verify = async <S extends z.ZodType<SdJwt4VC>>(
   };
 };
 
+/**
+ * Prepares a Verified Presentation (VP) token to be sent as part of an
+ * authorization response in an OpenID 4 Verifiable Presentations flow.
+ *
+ * @param nonce - The nonce provided by the relying party.
+ * @param client_id - The client identifier of the relying party.
+ * @param presentation - An object containing the verifiable credential, the claims to disclose,
+ *                       and the cryptographic context for signing.
+ * @returns An object containing the signed VP token (`vp_token`).
+ *
+ * @remarks
+ *  1. The `disclose()` function is used to produce a token with only the requested claims.
+ *  2. A KB-JWT is then signed, including sd_hash and `nonce`.
+ *  3. The `vp_token` is composed of the disclosed VP and the KB-JWT.
+ */
+export const prepareVpToken = async (
+  nonce: string,
+  client_id: string,
+  [verifiableCredential, requestedClaims, cryptoContext]: Presentation
+): Promise<{
+  vp_token: string;
+}> => {
+  // Produce a VP token with only requested claims from the verifiable credential
+  const { token: vp } = await disclose(verifiableCredential, requestedClaims);
+
+  // <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~
+  const sd_hash = await sha256ToBase64(`${vp}~`);
+
+  const kbJwt = await new SignJWT(cryptoContext)
+    .setProtectedHeader({
+      typ: "kb+jwt",
+      alg: "ES256",
+    })
+    .setPayload({
+      sd_hash,
+      nonce: nonce,
+    })
+    .setAudience(client_id)
+    .setIssuedAt()
+    .sign();
+
+  // <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
+  const vp_token = [vp, kbJwt].join("~");
+
+  return { vp_token };
+};
+
 export { SdJwt4VC, Errors };

package/src/trust/chain.ts

@@ -1,7 +1,3 @@
-import {
-  decode as decodeJwt,
-  verify as verifyJwt,
-} from "@pagopa/io-react-native-jwt";
 import {
   EntityConfiguration,
   EntityStatement,
@@ -10,33 +6,8 @@ import {
 import { JWK } from "../utils/jwk";
 import { IoWalletError } from "../utils/errors";
 import * as z from "zod";
-import type { JWTDecodeResult } from "@pagopa/io-react-native-jwt/lib/typescript/types";
 import { getSignedEntityConfiguration, getSignedEntityStatement } from ".";
-
-type ParsedToken = {
-  header: JWTDecodeResult["protectedHeader"];
-  payload: JWTDecodeResult["payload"];
-};
-
-// Verify a token signature
-// The kid is extracted from the token header
-const verify = async (
-  token: string,
-  kid: string,
-  jwks: JWK[]
-): Promise<ParsedToken> => {
-  const jwk = jwks.find((k) => k.kid === kid);
-  if (!jwk) {
-    throw new Error(`Invalid kid: ${kid}, token: ${token}`);
-  }
-  const { protectedHeader: header, payload } = await verifyJwt(token, jwk);
-  return { header, payload };
-};
-
-const decode = (token: string) => {
-  const { protectedHeader: header, payload } = decodeJwt(token);
-  return { header, payload };
-};
+import { decode, type ParsedToken, verify } from "./utils";
 
 // The first element of the chain is supposed to be the Entity Configuration for the document issuer
 const FirstElementShape = EntityConfiguration;
@@ -53,7 +24,7 @@ const LastElementShape = z.union([
  * Validates a provided trust chain against a known trust
  *
  * @param trustAnchorEntity The entity configuration of the known trust anchor
- * @param chain The chain of statements to be validate
+ * @param chain The chain of statements to be validated
  * @returns The list of parsed token representing the chain
  * @throws {IoWalletError} If the chain is not valid
  */
@@ -85,7 +56,7 @@ export async function validateTrustChain(
   };
 
   // select keys from the next token
-  // if the current token is the last, keys fro  trust anchor will be used
+  // if the current token is the last, keys from trust anchor will be used
   const selectKeys = (currentIndex: number): JWK[] => {
     if (currentIndex === chain.length - 1) {
       return trustAnchorEntity.payload.jwks.keys;
@@ -101,7 +72,7 @@ export async function validateTrustChain(
   };
 
   // Iterate the chain and validate each element's signature against the public keys of its next
-  // If there is no next, hence it's the end of the chain and it must be verified by the Trust Anchor
+  // If there is no next, hence it's the end of the chain, and it must be verified by the Trust Anchor
   return Promise.all(
     chain
       .map((token, i) => [token, selectKid(i), selectKeys(i)] as const)
@@ -114,42 +85,51 @@ export async function validateTrustChain(
  *
  * @param chain The original chain
  * @param appFetch (optional) fetch api implementation
- * @returns A list of signed token that reprensent the trust chain, in the same order of the provided chain
- * @throws When an element of the chain fails to parse
+ * @returns A list of signed token that represent the trust chain, in the same order of the provided chain
+ * @throws IoWalletError When an element of the chain fails to parse
  */
-export function renewTrustChain(
+export async function renewTrustChain(
   chain: string[],
   appFetch: GlobalFetch["fetch"] = fetch
-) {
+): Promise<string[]> {
   return Promise.all(
-    chain
-      // Decode each item to determine its shape
-      .map(decode)
-      .map(
-        (e) =>
-          [
-            EntityStatement.safeParse(e),
-            EntityConfiguration.safeParse(e),
-          ] as const
-      )
-      // fetch the element according to its shape
-      .map(([es, ec], i) =>
-        ec.success
-          ? getSignedEntityConfiguration(ec.data.payload.iss, { appFetch })
-          : es.success
-            ? getSignedEntityStatement(
-                es.data.payload.iss,
-                es.data.payload.sub,
-                {
-                  appFetch,
-                }
-              )
-            : // if the element fail to parse in both EntityStatement and EntityConfiguration, raise an error
-              Promise.reject(
-                new IoWalletError(
-                  `Cannot renew trust chain because the element #${i} failed to be parsed.`
-                )
-              )
-      )
+    chain.map(async (token, index) => {
+      const decoded = decode(token);
+
+      const entityStatementResult = EntityStatement.safeParse(decoded);
+      const entityConfigurationResult = EntityConfiguration.safeParse(decoded);
+
+      if (entityConfigurationResult.success) {
+        return getSignedEntityConfiguration(
+          entityConfigurationResult.data.payload.iss,
+          { appFetch }
+        );
+      }
+      if (entityStatementResult.success) {
+        const entityStatement = entityStatementResult.data;
+
+        const parentBaseUrl = entityStatement.payload.iss;
+        const parentECJwt = await getSignedEntityConfiguration(parentBaseUrl, {
+          appFetch,
+        });
+        const parentEC = EntityConfiguration.parse(decode(parentECJwt));
+
+        const federationFetchEndpoint =
+          parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
+        if (!federationFetchEndpoint) {
+          throw new IoWalletError(
+            `Parent EC at ${parentBaseUrl} is missing federation_fetch_endpoint`
+          );
+        }
+        return getSignedEntityStatement(
+          federationFetchEndpoint,
+          entityStatement.payload.sub,
+          { appFetch }
+        );
+      }
+      throw new IoWalletError(
+        `Cannot renew trust chain because element #${index} failed to parse.`
+      );
+    })
   );
 }

package/src/trust/index.ts

@@ -1,14 +1,18 @@
+import { decode, verify } from "./utils";
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import {
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
   CredentialIssuerEntityConfiguration,
-  RelyingPartyEntityConfiguration,
   EntityConfiguration,
   EntityStatement,
+  FederationListResponse,
+  RelyingPartyEntityConfiguration,
+  TrustAnchorEntityConfiguration,
+  WalletProviderEntityConfiguration,
 } from "./types";
-import { validateTrustChain, renewTrustChain } from "./chain";
+import { renewTrustChain, validateTrustChain } from "./chain";
 import { hasStatusOrThrow } from "../utils/misc";
+import { IoWalletError } from "../utils/errors";
+import type { JWK } from "../utils/jwk";
 
 export type {
   WalletProviderEntityConfiguration,
@@ -24,9 +28,9 @@ export type {
  * It can handle fast chain renewal, which means we try to fetch a fresh version of each statement.
  *
  * @param trustAnchorEntity The entity configuration of the known trust anchor
- * @param chain The chain of statements to be validate
- * @param options.renewOnFail Whether to renew the provided chain if the validation fails at first. Default: true
- * @param options.appFetch Fetch api implementation. Default: the built-in implementation
+ * @param chain The chain of statements to be validated
+ * @param renewOnFail Whether to renew the provided chain if the validation fails at first. Default: true
+ * @param appFetch Fetch api implementation. Default: the built-in implementation
  * @returns The result of the chain validation
  * @throws {IoWalletError} When either validation or renewal fail
  */
@@ -54,7 +58,7 @@ export async function verifyTrustChain(
  * Fetch the signed entity configuration token for an entity
  *
  * @param entityBaseUrl The url of the entity to fetch
- * @param param.appFetch (optional) fetch api implemention
+ * @param appFetch (optional) fetch api implementation
  * @returns The signed Entity Configuration token
  */
 export async function getSignedEntityConfiguration(
@@ -86,6 +90,7 @@ export async function getSignedEntityConfiguration(
  *
  * @param entityBaseUrl The base url of the entity.
  * @param schema The expected schema of the entity configuration, according to the kind of entity we are fetching from.
+ * @param options An optional object with additional options.
  * @param options.appFetch An optional instance of the http client to be used.
  * @returns The parsed entity configuration object
  * @throws {IoWalletError} If the http request fails
@@ -200,9 +205,9 @@ export const getEntityConfiguration = (
 /**
  * Fetch and parse the entity statement document for a given federation entity.
  *
- * @param accreditationBodyBaseUrl The base url of the accreditaion body which holds and signs the required entity statement
+ * @param accreditationBodyBaseUrl The base url of the accreditation body which holds and signs the required entity statement
  * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity
- * @param options.appFetch An optional instance of the http client to be used.
+ * @param appFetch An optional instance of the http client to be used.
  * @returns The parsed entity configuration object
  * @throws {IoWalletError} If the http request fails
  * @throws Parse error if the document is not in the expected shape.
@@ -234,14 +239,14 @@ export async function getEntityStatement(
 /**
  * Fetch the entity statement document for a given federation entity.
  *
- * @param accreditationBodyBaseUrl The base url of the accreditaion body which holds and signs the required entity statement
- * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity
- * @param options.appFetch An optional instance of the http client to be used.
- * @returns The signed entity statement token
- * @throws {IoWalletError} If the http request fails
+ * @param federationFetchEndpoint The exact endpoint provided by the parent EC's metadata.
+ * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The signed entity statement token.
+ * @throws {IoWalletError} If the http request fails.
  */
 export async function getSignedEntityStatement(
-  accreditationBodyBaseUrl: string,
+  federationFetchEndpoint: string,
   subordinatedEntityBaseUrl: string,
   {
     appFetch = fetch,
@@ -249,13 +254,173 @@ export async function getSignedEntityStatement(
     appFetch?: GlobalFetch["fetch"];
   } = {}
 ) {
-  const url = `${accreditationBodyBaseUrl}/fetch?${new URLSearchParams({
-    sub: subordinatedEntityBaseUrl,
-  })}`;
+  const url = new URL(federationFetchEndpoint);
+  url.searchParams.set("sub", subordinatedEntityBaseUrl);
 
-  return await appFetch(url, {
+  return await appFetch(url.toString(), {
     method: "GET",
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.text());
 }
+
+/**
+ * Fetch the federation list document from a given endpoint.
+ *
+ * @param federationListEndpoint The URL of the federation list endpoint.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The federation list as an array of strings.
+ * @throws {IoWalletError} If the HTTP request fails or the response cannot be parsed.
+ */
+export async function getFederationList(
+  federationListEndpoint: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<string[]> {
+  return await appFetch(federationListEndpoint, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.json())
+    .then((json) => {
+      const result = FederationListResponse.safeParse(json);
+      if (!result.success) {
+        throw new IoWalletError(
+          `Invalid federation list format received from Trust Anchor: ${result.error.message}`
+        );
+      }
+      return result.data;
+    });
+}
+
+/**
+ * Build a not-verified trust chain for a given Relying Party (RP) entity.
+ *
+ * @param relyingPartyEntityBaseUrl The base URL of the RP entity
+ * @param trustAnchorKey The public key of the Trust Anchor (TA) entity
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
+ * @throws {IoWalletError} When an element of the chain fails to parse
+ * The result of this function can be used to validate the trust chain with {@link verifyTrustChain}
+ */
+export async function buildTrustChain(
+  relyingPartyEntityBaseUrl: string,
+  trustAnchorKey: JWK,
+  appFetch: GlobalFetch["fetch"] = fetch
+): Promise<string[]> {
+  // 1: Recursively gather the trust chain from the RP up to the Trust Anchor
+  const trustChain = await gatherTrustChain(
+    relyingPartyEntityBaseUrl,
+    appFetch
+  );
+
+  // 2: Trust Anchor signature verification
+  const trustAnchorJwt = trustChain[trustChain.length - 1];
+  if (!trustAnchorJwt) {
+    throw new IoWalletError(
+      "Cannot verify trust anchor: missing entity configuration."
+    );
+  }
+
+  if (!trustAnchorKey.kid) {
+    throw new IoWalletError("Missing 'kid' in provided Trust Anchor key.");
+  }
+
+  await verify(trustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
+
+  // 3: Check the federation list
+  const trustAnchorConfig = EntityConfiguration.parse(decode(trustAnchorJwt));
+  const federationListEndpoint =
+    trustAnchorConfig.payload.metadata.federation_entity
+      .federation_list_endpoint;
+
+  if (federationListEndpoint) {
+    const federationList = await getFederationList(federationListEndpoint, {
+      appFetch,
+    });
+
+    if (!federationList.includes(relyingPartyEntityBaseUrl)) {
+      throw new IoWalletError(
+        "Relying Party entity base URL is not authorized by the Trust Anchor's federation list."
+      );
+    }
+  }
+
+  return trustChain;
+}
+
+/**
+ * Recursively gather the trust chain for an entity and all its superiors.
+ * @param entityBaseUrl The base URL of the entity for which to gather the chain.
+ * @param appFetch An optional instance of the http client to be used.
+ * @param isLeaf Whether the current entity is the leaf of the chain.
+ * @returns A full ordered list of JWTs (ECs and ESs) forming the trust chain.
+ */
+async function gatherTrustChain(
+  entityBaseUrl: string,
+  appFetch: GlobalFetch["fetch"],
+  isLeaf: boolean = true
+): Promise<string[]> {
+  const chain: string[] = [];
+
+  // Fetch self-signed EC (only needed for the leaf)
+  const entityECJwt = await getSignedEntityConfiguration(entityBaseUrl, {
+    appFetch,
+  });
+  const entityEC = EntityConfiguration.parse(decode(entityECJwt));
+
+  if (isLeaf) {
+    // Only push EC for the leaf
+    chain.push(entityECJwt);
+  }
+
+  // Find authority_hints (parent, if any)
+  const authorityHints = entityEC.payload.authority_hints ?? [];
+  if (authorityHints.length === 0) {
+    // This is the Trust Anchor (no parent)
+    if (!isLeaf) {
+      chain.push(entityECJwt);
+    }
+    return chain;
+  }
+
+  const parentEntityBaseUrl = authorityHints[0]!;
+
+  // Fetch parent EC
+  const parentECJwt = await getSignedEntityConfiguration(parentEntityBaseUrl, {
+    appFetch,
+  });
+  const parentEC = EntityConfiguration.parse(decode(parentECJwt));
+
+  // Fetch ES
+  const federationFetchEndpoint =
+    parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
+  if (!federationFetchEndpoint) {
+    throw new IoWalletError(
+      "Missing federation_fetch_endpoint in parent's configuration."
+    );
+  }
+
+  const entityStatementJwt = await getSignedEntityStatement(
+    federationFetchEndpoint,
+    entityBaseUrl,
+    { appFetch }
+  );
+  // Validate the ES
+  EntityStatement.parse(decode(entityStatementJwt));
+
+  // Push this ES into the chain
+  chain.push(entityStatementJwt);
+
+  // Recurse into the parent
+  const parentChain = await gatherTrustChain(
+    parentEntityBaseUrl,
+    appFetch,
+    false
+  );
+
+  return chain.concat(parentChain);
+}