@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.0

package/src/sd-jwt/__test__/types.test.ts

@@ -5,48 +5,35 @@ describe("SdJwt4VC", () => {
     // example provided at https://italia.github.io/eidas-it-wallet-docs/en/pid-data-model.html
     const token = {
       header: {
-        kid: "eNN-g5i6CnLKcltQBp6abbioGMbzM6muW3vuxw6uh88",
         typ: "vc+sd-jwt",
-        alg: "RS256",
+        alg: "RS512",
+        kid: "dB67gL7ck3TFiIAf7N6_7SHvqk0MDYMEQcoGGlkUAAw",
       },
       payload: {
-        sub: "sj1OpYiiLTVYANnBGNwSK2krMwqpWaz2iHmN1t0_Esg",
         _sd: [
-          "1UmtISsdd7udbFaFy-ViZ8dZFherbOGD2N3HlX4PIC8",
-          "Fmjs4qzc5vkeOAY5G20_ZPvU-1q-oXaV7Ax516CCMFk",
-          "Q3bagNzMeQh6EgwPBSHimbgQplmY_6v9SW4go2XAkgA",
-          "QVwkn71B4pWfCOzzlQl9HnxFSVdEHuW35zdTQQdFQGc",
-          "VVdR41A2KOOVzxYagZCGbVang7sSkegCeiuWf3DOtjs",
-          "vO2dvncmzlv37MQkmWudSDIHDE9YHd0EFB8xBTDVjz0",
+          "0q1D5Jmav6pQaEh_J_Fcv_uNNMQIgCyhQOxqlY4l3qU",
+          "KCJ-AVNv88d-xj6sUIAOJxFnbUh3rHXDKkIH1lFqbRs",
+          "M9lo9YxDNIXrAq2qWeiCA40zpJ_zYfFdR_4AEALcRtU",
+          "czgjUk0nqRCswShChCjdS6A1-v47d_qTCSFIvIHhMoI",
+          "nGnQr7clm3tfTp8yjL_uHrDSOtzR2PVb8S7GeLdAqBQ",
+          "xNIVwlpSsaZ8CJSf0gz5x_75VRWWc6V1mlpejdCrqUs",
         ],
-        "vct#integrity":
-          "242302d97d38da2714a257f2a253bf2fa30aae5c109fe9581bfcda3b1d797c97",
+        sub: "216f8946-9ecb-4819-9309-c076f34a7e11",
         _sd_alg: "sha-256",
-        vct: "urn:eu.europa.ec.eudi:pid:1",
-        iss: "https://api.potential-wallet-it-pid-provider.it",
+        vct: "PersonIdentificationData",
+        iss: "https://pidprovider.example.com",
         cnf: {
           jwk: {
             kty: "EC",
             crv: "P-256",
-            kid: "LegnFQ8lvhA6qyPutYv48nWWpSnO5tHigavywyds5S0",
-            x: "czZrN9lcNuc0q69X40n27c5jKpii0A-aYX_Pbo9pqBQ",
-            y: "YGKGaCJNWfTiKiz3JmAG9ky7h4twPuUfzYOgy1bzLv8",
+            kid: "zEv_qGSL5r0_F67j2dwEgUJmBgbMNSEJ5K_iH1PYc7A",
+            x: "0Pj7v_afNp9ETJx11JbYgkI7yQpd0rtiYuo5feuAN2o",
+            y: "XB62Um02vHqedkOzSfJ5hdtjPz-zmV9jmWh4sKgdD9o",
           },
         },
-        exp: 1768490196,
-        iat: 1736954196,
-        expiry_date: "2026-12-05",
-        issuing_country: "IT",
-        issuing_authority: "Istituto Poligrafico e Zecca dello Stato",
-        verification: {
-          evidence: {
-            method: "cie",
-          },
-          trust_framework: "eidas",
-          assurance_level: "high",
-        },
+        exp: 1751107255,
         status: {
-          status_assertion: {
+          status_attestation: {
             credential_hash_alg: "sha-256",
           },
         },

package/src/sd-jwt/index.ts

@@ -187,11 +187,7 @@ export const prepareVpToken = async (
   vp_token: string;
 }> => {
   // Produce a VP token with only requested claims from the verifiable credential
-  const requestedClaimsString = requestedClaims.map(({ name }) => name);
-  const { token: vp } = await disclose(
-    verifiableCredential,
-    requestedClaimsString
-  );
+  const { token: vp } = await disclose(verifiableCredential, requestedClaims);
 
   // <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~
   const sd_hash = await sha256ToBase64(`${vp}~`);

package/src/sd-jwt/types.ts

@@ -1,4 +1,3 @@
-import { CredentialFormat } from "../entity/openid-connect/issuer/types";
 import { JWK } from "../utils/jwk";
 import { z } from "zod";
 
@@ -34,23 +33,12 @@ export type DisclosureWithEncoded = {
   encoded: string;
 };
 
-export type Verification = z.infer<typeof Verification>;
-export const Verification = z.object({
-  trust_framework: z.literal("eidas"),
-  assurance_level: z.string(),
-  evidence: z.object({
-    method: z.string(),
-  }),
-});
-
 export type SdJwt4VC = z.infer<typeof SdJwt4VC>;
 export const SdJwt4VC = z.object({
   header: z.object({
-    typ: CredentialFormat,
+    typ: z.literal("vc+sd-jwt"),
     alg: z.string(),
     kid: z.string().optional(),
-    x5c: z.string().optional(),
-    vctm: z.array(z.string()).optional(),
   }),
   payload: z.intersection(
     z.object({
@@ -60,7 +48,7 @@ export const SdJwt4VC = z.object({
       exp: UnixTime,
       _sd_alg: z.literal("sha-256"),
       status: z.object({
-        status_assertion: z.object({
+        status_attestation: z.object({
           credential_hash_alg: z.literal("sha-256"),
         }),
       }),
@@ -68,11 +56,6 @@ export const SdJwt4VC = z.object({
         jwk: JWK,
       }),
       vct: z.string(),
-      "vct#integrity": z.string().optional(),
-      verification: Verification.optional(),
-      expiry_date: z.string().refine((str) => !isNaN(new Date(str).getTime())),
-      issuing_authority: z.string(),
-      issuing_country: z.string(),
     }),
     ObfuscatedDisclosures
   ),

package/src/trust/chain.ts

@@ -0,0 +1,151 @@
+import {
+  EntityConfiguration,
+  EntityStatement,
+  TrustAnchorEntityConfiguration,
+} from "./types";
+import { JWK } from "../utils/jwk";
+import * as z from "zod";
+import { getSignedEntityConfiguration, getSignedEntityStatement } from ".";
+import { decode, type ParsedToken, verify } from "./utils";
+import {
+  MissingFederationFetchEndpointError,
+  TrustChainEmptyError,
+  TrustChainRenewalError,
+  TrustChainTokenMissingError,
+} from "./errors";
+
+// The first element of the chain is supposed to be the Entity Configuration for the document issuer
+const FirstElementShape = EntityConfiguration;
+// Each element but the first is supposed to be an Entity Statement
+const MiddleElementShape = EntityStatement;
+// The last element of the chain can either be an Entity Statement
+//  or the Entity Configuration for the known Trust Anchor
+const LastElementShape = z.union([
+  EntityStatement,
+  TrustAnchorEntityConfiguration,
+]);
+
+/**
+ * Validates a provided trust chain against a known trust
+ *
+ * @param trustAnchorEntity The entity configuration of the known trust anchor
+ * @param chain The chain of statements to be validated
+ * @returns The list of parsed token representing the chain
+ * @throws {FederationError} If the chain is not valid
+ */
+export async function validateTrustChain(
+  trustAnchorEntity: TrustAnchorEntityConfiguration,
+  chain: string[]
+): Promise<ParsedToken[]> {
+  // If the chain is empty, fail
+  if (chain.length === 0) {
+    throw new TrustChainEmptyError("Cannot verify empty trust chain.");
+  }
+
+  // Select the expected token shape
+  const selectTokenShape = (elementIndex: number) =>
+    elementIndex === 0
+      ? FirstElementShape
+      : elementIndex === chain.length - 1
+        ? LastElementShape
+        : MiddleElementShape;
+
+  // select the kid from the current index
+  const selectKid = (currentIndex: number): string => {
+    const token = chain[currentIndex];
+    if (!token) {
+      throw new TrustChainTokenMissingError(
+        `Token missing at index ${currentIndex} in trust chain.`,
+        { index: currentIndex }
+      );
+    }
+    const shape = selectTokenShape(currentIndex);
+    return shape.parse(decode(token)).header.kid;
+  };
+
+  // select keys from the next token
+  // if the current token is the last, keys from trust anchor will be used
+  const selectKeys = (currentIndex: number): JWK[] => {
+    if (currentIndex === chain.length - 1) {
+      return trustAnchorEntity.payload.jwks.keys;
+    }
+
+    const nextIndex = currentIndex + 1;
+    const nextToken = chain[nextIndex];
+    if (!nextToken) {
+      throw new TrustChainTokenMissingError(
+        `Next token missing at index ${nextIndex} (needed for keys for token at ${currentIndex}).`,
+        { index: nextIndex }
+      );
+    }
+    const shape = selectTokenShape(nextIndex);
+    return shape.parse(decode(nextToken)).payload.jwks.keys;
+  };
+
+  // Iterate the chain and validate each element's signature against the public keys of its next
+  // If there is no next, hence it's the end of the chain, and it must be verified by the Trust Anchor
+  return Promise.all(
+    chain
+      .map((token, i) => [token, selectKid(i), selectKeys(i)] as const)
+      .map((args) => verify(...args))
+  );
+}
+
+/**
+ * Given a trust chain, obtain a new trust chain by fetching each element's fresh version
+ *
+ * @param chain The original chain
+ * @param appFetch (optional) fetch api implementation
+ * @returns A list of signed token that represent the trust chain, in the same order of the provided chain
+ * @throws {FederationError} If the chain is not valid
+ */
+export async function renewTrustChain(
+  chain: string[],
+  appFetch: GlobalFetch["fetch"] = fetch
+): Promise<string[]> {
+  return Promise.all(
+    chain.map(async (token, index) => {
+      const decoded = decode(token);
+
+      const entityStatementResult = EntityStatement.safeParse(decoded);
+      const entityConfigurationResult = EntityConfiguration.safeParse(decoded);
+
+      if (entityConfigurationResult.success) {
+        return getSignedEntityConfiguration(
+          entityConfigurationResult.data.payload.iss,
+          { appFetch }
+        );
+      }
+      if (entityStatementResult.success) {
+        const entityStatement = entityStatementResult.data;
+
+        const parentBaseUrl = entityStatement.payload.iss;
+        const parentECJwt = await getSignedEntityConfiguration(parentBaseUrl, {
+          appFetch,
+        });
+        const parentEC = EntityConfiguration.parse(decode(parentECJwt));
+
+        const federationFetchEndpoint =
+          parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
+        if (!federationFetchEndpoint) {
+          throw new MissingFederationFetchEndpointError(
+            `Parent EC at ${parentBaseUrl} is missing federation_fetch_endpoint, cannot renew ES for ${entityStatement.payload.sub}.`,
+            {
+              entityBaseUrl: entityStatement.payload.sub,
+              missingInEntityUrl: parentBaseUrl,
+            }
+          );
+        }
+        return getSignedEntityStatement(
+          federationFetchEndpoint,
+          entityStatement.payload.sub,
+          { appFetch }
+        );
+      }
+      throw new TrustChainRenewalError(
+        `Failed to renew trust chain. Reason: element #${index} failed to parse.`,
+        { originalChain: chain }
+      );
+    })
+  );
+}

package/src/trust/errors.ts

@@ -0,0 +1,105 @@
+import { IoWalletError, serializeAttrs } from "../utils/errors"; // Ensure this path is correct
+
+/**
+ * Base class for all federation-specific errors.
+ */
+export class FederationError extends IoWalletError {
+  constructor(message: string, details?: Record<string, unknown>) {
+    super(details ? serializeAttrs({ message, ...details }) : message);
+    this.name = this.constructor.name;
+  }
+}
+
+/**
+ * Error thrown when a trust chain is unexpectedly empty.
+ */
+export class TrustChainEmptyError extends FederationError {
+  code = "ERR_FED_TRUST_CHAIN_EMPTY";
+  constructor(message = "Trust chain cannot be empty.") {
+    super(message, undefined);
+  }
+}
+
+/**
+ * Error thrown when a token is unexpectedly missing from a trust chain during processing.
+ */
+export class TrustChainTokenMissingError extends FederationError {
+  code = "ERR_FED_TRUST_CHAIN_TOKEN_MISSING";
+  constructor(message: string, details?: { index?: number }) {
+    super(message, details);
+  }
+}
+
+/**
+ * Error thrown when renewing a trust chain fails.
+ * This class itself might be used or could be considered a more general renewal error.
+ */
+export class TrustChainRenewalError extends FederationError {
+  code = "ERR_FED_TRUST_CHAIN_RENEWAL_FAILED";
+  constructor(
+    message: string,
+    details?: { originalChain?: string[]; [key: string]: unknown }
+  ) {
+    super(message, details);
+  }
+}
+
+export class FederationListParseError extends FederationError {
+  code = "ERR_FED_FEDERATION_LIST_PARSE_FAILED";
+  constructor(message: string, details: { url: string; parseError?: string }) {
+    super(message, details);
+  }
+}
+
+/**
+ * General error thrown during the trust chain building process.
+ */
+export class BuildTrustChainError extends FederationError {
+  code = "ERR_FED_BUILD_TRUST_CHAIN_FAILED";
+  constructor(
+    message: string,
+    details?: {
+      relyingPartyUrl?: string;
+      trustAnchorKid?: string;
+      [key: string]: unknown;
+    }
+  ) {
+    super(message, details);
+  }
+}
+
+/**
+ * Error thrown when the Trust Anchor's key is missing a 'kid'.
+ */
+export class TrustAnchorKidMissingError extends FederationError {
+  code = "ERR_FED_TRUST_ANCHOR_KID_MISSING";
+  constructor(message = "Missing 'kid' in provided Trust Anchor key.") {
+    super(message, undefined);
+  }
+}
+
+/**
+ * Error thrown if the Relying Party is not found in the Trust Anchor's federation list.
+ */
+export class RelyingPartyNotAuthorizedError extends FederationError {
+  code = "ERR_FED_RELYING_PARTY_NOT_AUTHORIZED";
+  constructor(
+    message: string,
+    details: { relyingPartyUrl: string; federationListEndpoint?: string }
+  ) {
+    super(message, details);
+  }
+}
+
+/**
+ * Error thrown when a 'federation_fetch_endpoint' is missing in an entity's configuration.
+ */
+export class MissingFederationFetchEndpointError extends FederationError {
+  code = "ERR_FED_MISSING_FEDERATION_FETCH_ENDPOINT";
+  constructor(
+    message: string,
+    details: { entityBaseUrl: string; missingInEntityUrl: string }
+  ) {
+    super(message, details);
+  }
+}

package/src/{entity/trust → trust}/index.ts

@@ -1,14 +1,24 @@
+import { decode, verify } from "./utils";
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import {
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
   CredentialIssuerEntityConfiguration,
-  RelyingPartyEntityConfiguration,
   EntityConfiguration,
   EntityStatement,
+  FederationListResponse,
+  RelyingPartyEntityConfiguration,
+  TrustAnchorEntityConfiguration,
+  WalletProviderEntityConfiguration,
 } from "./types";
-import { validateTrustChain, renewTrustChain } from "./chain";
-import { hasStatusOrThrow } from "../../utils/misc";
+import { renewTrustChain, validateTrustChain } from "./chain";
+import { hasStatusOrThrow } from "../utils/misc";
+import type { JWK } from "../utils/jwk";
+import {
+  BuildTrustChainError,
+  FederationListParseError,
+  MissingFederationFetchEndpointError,
+  RelyingPartyNotAuthorizedError,
+  TrustAnchorKidMissingError,
+} from "./errors";
 
 export type {
   WalletProviderEntityConfiguration,
@@ -24,11 +34,11 @@ export type {
  * It can handle fast chain renewal, which means we try to fetch a fresh version of each statement.
  *
  * @param trustAnchorEntity The entity configuration of the known trust anchor
- * @param chain The chain of statements to be validate
- * @param options.renewOnFail Whether to renew the provided chain if the validation fails at first. Default: true
- * @param options.appFetch Fetch api implementation. Default: the built-in implementation
+ * @param chain The chain of statements to be validated
+ * @param renewOnFail Whether to renew the provided chain if the validation fails at first. Default: true
+ * @param appFetch Fetch api implementation. Default: the built-in implementation
  * @returns The result of the chain validation
- * @throws {IoWalletError} When either validation or renewal fail
+ * @throws {FederationError} If the chain is not valid
  */
 export async function verifyTrustChain(
   trustAnchorEntity: TrustAnchorEntityConfiguration,
@@ -54,7 +64,7 @@ export async function verifyTrustChain(
  * Fetch the signed entity configuration token for an entity
  *
  * @param entityBaseUrl The url of the entity to fetch
- * @param param.appFetch (optional) fetch api implemention
+ * @param appFetch (optional) fetch api implementation
  * @returns The signed Entity Configuration token
  */
 export async function getSignedEntityConfiguration(
@@ -86,6 +96,7 @@ export async function getSignedEntityConfiguration(
  *
  * @param entityBaseUrl The base url of the entity.
  * @param schema The expected schema of the entity configuration, according to the kind of entity we are fetching from.
+ * @param options An optional object with additional options.
  * @param options.appFetch An optional instance of the http client to be used.
  * @returns The parsed entity configuration object
  * @throws {IoWalletError} If the http request fails
@@ -200,12 +211,11 @@ export const getEntityConfiguration = (
 /**
  * Fetch and parse the entity statement document for a given federation entity.
  *
- * @param accreditationBodyBaseUrl The base url of the accreditaion body which holds and signs the required entity statement
+ * @param accreditationBodyBaseUrl The base url of the accreditation body which holds and signs the required entity statement
  * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity
- * @param options.appFetch An optional instance of the http client to be used.
+ * @param appFetch An optional instance of the http client to be used.
  * @returns The parsed entity configuration object
  * @throws {IoWalletError} If the http request fails
- * @throws Parse error if the document is not in the expected shape.
  */
 export async function getEntityStatement(
   accreditationBodyBaseUrl: string,
@@ -234,14 +244,14 @@ export async function getEntityStatement(
 /**
  * Fetch the entity statement document for a given federation entity.
  *
- * @param accreditationBodyBaseUrl The base url of the accreditaion body which holds and signs the required entity statement
- * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity
- * @param options.appFetch An optional instance of the http client to be used.
- * @returns The signed entity statement token
- * @throws {IoWalletError} If the http request fails
+ * @param federationFetchEndpoint The exact endpoint provided by the parent EC's metadata.
+ * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The signed entity statement token.
+ * @throws {IoWalletError} If the http request fails.
  */
 export async function getSignedEntityStatement(
-  accreditationBodyBaseUrl: string,
+  federationFetchEndpoint: string,
   subordinatedEntityBaseUrl: string,
   {
     appFetch = fetch,
@@ -249,13 +259,178 @@ export async function getSignedEntityStatement(
     appFetch?: GlobalFetch["fetch"];
   } = {}
 ) {
-  const url = `${accreditationBodyBaseUrl}/fetch?${new URLSearchParams({
-    sub: subordinatedEntityBaseUrl,
-  })}`;
+  const url = new URL(federationFetchEndpoint);
+  url.searchParams.set("sub", subordinatedEntityBaseUrl);
 
-  return await appFetch(url, {
+  return await appFetch(url.toString(), {
     method: "GET",
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.text());
 }
+
+/**
+ * Fetch the federation list document from a given endpoint.
+ *
+ * @param federationListEndpoint The URL of the federation list endpoint.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The federation list as an array of strings.
+ * @throws {IoWalletError} If the HTTP request fails.
+ * @throws {FederationError} If the result is not in the expected format.
+ */
+export async function getFederationList(
+  federationListEndpoint: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<string[]> {
+  return await appFetch(federationListEndpoint, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.json())
+    .then((json) => {
+      const result = FederationListResponse.safeParse(json);
+      if (!result.success) {
+        throw new FederationListParseError(
+          `Invalid federation list format received from ${federationListEndpoint}. Error: ${result.error.message}`,
+          { url: federationListEndpoint, parseError: result.error.toString() }
+        );
+      }
+      return result.data;
+    });
+}
+
+/**
+ * Build a not-verified trust chain for a given Relying Party (RP) entity.
+ *
+ * @param relyingPartyEntityBaseUrl The base URL of the RP entity
+ * @param trustAnchorKey The public key of the Trust Anchor (TA) entity
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
+ * @throws {FederationError} When an element of the chain fails to parse or other build steps fail.
+ */
+export async function buildTrustChain(
+  relyingPartyEntityBaseUrl: string,
+  trustAnchorKey: JWK,
+  appFetch: GlobalFetch["fetch"] = fetch
+): Promise<string[]> {
+  // 1: Recursively gather the trust chain from the RP up to the Trust Anchor
+  const trustChain = await gatherTrustChain(
+    relyingPartyEntityBaseUrl,
+    appFetch
+  );
+
+  // 2: Trust Anchor signature verification
+  const trustAnchorJwt = trustChain[trustChain.length - 1];
+  if (!trustAnchorJwt) {
+    throw new BuildTrustChainError(
+      "Cannot verify trust anchor: missing entity configuration in gathered chain.",
+      { relyingPartyUrl: relyingPartyEntityBaseUrl }
+    );
+  }
+
+  if (!trustAnchorKey.kid) {
+    throw new TrustAnchorKidMissingError();
+  }
+
+  await verify(trustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
+
+  // 3: Check the federation list
+  const trustAnchorConfig = EntityConfiguration.parse(decode(trustAnchorJwt));
+  const federationListEndpoint =
+    trustAnchorConfig.payload.metadata.federation_entity
+      .federation_list_endpoint;
+
+  if (federationListEndpoint) {
+    const federationList = await getFederationList(federationListEndpoint, {
+      appFetch,
+    });
+
+    if (!federationList.includes(relyingPartyEntityBaseUrl)) {
+      throw new RelyingPartyNotAuthorizedError(
+        "Relying Party entity base URL is not authorized by the Trust Anchor's federation list.",
+        { relyingPartyUrl: relyingPartyEntityBaseUrl, federationListEndpoint }
+      );
+    }
+  }
+
+  return trustChain;
+}
+
+/**
+ * Recursively gather the trust chain for an entity and all its superiors.
+ * @param entityBaseUrl The base URL of the entity for which to gather the chain.
+ * @param appFetch An optional instance of the http client to be used.
+ * @param isLeaf Whether the current entity is the leaf of the chain.
+ * @returns A full ordered list of JWTs (ECs and ESs) forming the trust chain.
+ * @throws {FederationError} If any of the fetched documents fail to parse or other errors occur during the gathering process.
+ */
+async function gatherTrustChain(
+  entityBaseUrl: string,
+  appFetch: GlobalFetch["fetch"],
+  isLeaf: boolean = true
+): Promise<string[]> {
+  const chain: string[] = [];
+
+  // Fetch self-signed EC (only needed for the leaf)
+  const entityECJwt = await getSignedEntityConfiguration(entityBaseUrl, {
+    appFetch,
+  });
+  const entityEC = EntityConfiguration.parse(decode(entityECJwt));
+
+  if (isLeaf) {
+    // Only push EC for the leaf
+    chain.push(entityECJwt);
+  }
+
+  // Find authority_hints (parent, if any)
+  const authorityHints = entityEC.payload.authority_hints ?? [];
+  if (authorityHints.length === 0) {
+    // This is the Trust Anchor (no parent)
+    if (!isLeaf) {
+      chain.push(entityECJwt);
+    }
+    return chain;
+  }
+
+  const parentEntityBaseUrl = authorityHints[0]!;
+
+  // Fetch parent EC
+  const parentECJwt = await getSignedEntityConfiguration(parentEntityBaseUrl, {
+    appFetch,
+  });
+  const parentEC = EntityConfiguration.parse(decode(parentECJwt));
+
+  // Fetch ES
+  const federationFetchEndpoint =
+    parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
+  if (!federationFetchEndpoint) {
+    throw new MissingFederationFetchEndpointError(
+      `Missing federation_fetch_endpoint in parent's (${parentEntityBaseUrl}) configuration when gathering chain for ${entityBaseUrl}.`,
+      { entityBaseUrl, missingInEntityUrl: parentEntityBaseUrl }
+    );
+  }
+
+  const entityStatementJwt = await getSignedEntityStatement(
+    federationFetchEndpoint,
+    entityBaseUrl,
+    { appFetch }
+  );
+  // Validate the ES
+  EntityStatement.parse(decode(entityStatementJwt));
+
+  // Push this ES into the chain
+  chain.push(entityStatementJwt);
+
+  // Recurse into the parent
+  const parentChain = await gatherTrustChain(
+    parentEntityBaseUrl,
+    appFetch,
+    false
+  );
+
+  return chain.concat(parentChain);
+}