@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.1

package/src/{entity/trust → trust}/index.ts

@@ -1,14 +1,25 @@
+import { decode, verify } from "./utils";
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import {
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
   CredentialIssuerEntityConfiguration,
-  RelyingPartyEntityConfiguration,
   EntityConfiguration,
   EntityStatement,
+  FederationListResponse,
+  RelyingPartyEntityConfiguration,
+  TrustAnchorEntityConfiguration,
+  WalletProviderEntityConfiguration,
 } from "./types";
-import { validateTrustChain, renewTrustChain } from "./chain";
-import { hasStatusOrThrow } from "../../utils/misc";
+import { renewTrustChain, validateTrustChain } from "./chain";
+import { hasStatusOrThrow } from "../utils/misc";
+import type { JWK } from "../utils/jwk";
+import {
+  BuildTrustChainError,
+  FederationListParseError,
+  MissingFederationFetchEndpointError,
+  RelyingPartyNotAuthorizedError,
+  TrustAnchorKidMissingError,
+} from "./errors";
+import type { X509CertificateOptions } from "@pagopa/io-react-native-crypto";
 
 export type {
   WalletProviderEntityConfiguration,
@@ -24,26 +35,32 @@ export type {
  * It can handle fast chain renewal, which means we try to fetch a fresh version of each statement.
  *
  * @param trustAnchorEntity The entity configuration of the known trust anchor
- * @param chain The chain of statements to be validate
- * @param options.renewOnFail Whether to renew the provided chain if the validation fails at first. Default: true
- * @param options.appFetch Fetch api implementation. Default: the built-in implementation
+ * @param chain The chain of statements to be validated
+ * @param x509Options Options for the verification process
+ * @param appFetch (optional) fetch api implementation
+ * @param renewOnFail Whether to attempt to renew the trust chain if the initial validation fails
  * @returns The result of the chain validation
- * @throws {IoWalletError} When either validation or renewal fail
+ * @throws {FederationError} If the chain is not valid
  */
 export async function verifyTrustChain(
   trustAnchorEntity: TrustAnchorEntityConfiguration,
   chain: string[],
+  x509Options: X509CertificateOptions = {
+    connectTimeout: 10000,
+    readTimeout: 10000,
+    requireCrl: true,
+  },
   {
     appFetch = fetch,
     renewOnFail = true,
   }: { appFetch?: GlobalFetch["fetch"]; renewOnFail?: boolean } = {}
 ): Promise<ReturnType<typeof validateTrustChain>> {
   try {
-    return validateTrustChain(trustAnchorEntity, chain);
+    return validateTrustChain(trustAnchorEntity, chain, x509Options);
   } catch (error) {
     if (renewOnFail) {
       const renewedChain = await renewTrustChain(chain, appFetch);
-      return validateTrustChain(trustAnchorEntity, renewedChain);
+      return validateTrustChain(trustAnchorEntity, renewedChain, x509Options);
     } else {
       throw error;
     }
@@ -54,7 +71,7 @@ export async function verifyTrustChain(
  * Fetch the signed entity configuration token for an entity
  *
  * @param entityBaseUrl The url of the entity to fetch
- * @param param.appFetch (optional) fetch api implemention
+ * @param appFetch (optional) fetch api implementation
  * @returns The signed Entity Configuration token
  */
 export async function getSignedEntityConfiguration(
@@ -86,6 +103,7 @@ export async function getSignedEntityConfiguration(
  *
  * @param entityBaseUrl The base url of the entity.
  * @param schema The expected schema of the entity configuration, according to the kind of entity we are fetching from.
+ * @param options An optional object with additional options.
  * @param options.appFetch An optional instance of the http client to be used.
  * @returns The parsed entity configuration object
  * @throws {IoWalletError} If the http request fails
@@ -200,12 +218,11 @@ export const getEntityConfiguration = (
 /**
  * Fetch and parse the entity statement document for a given federation entity.
  *
- * @param accreditationBodyBaseUrl The base url of the accreditaion body which holds and signs the required entity statement
+ * @param accreditationBodyBaseUrl The base url of the accreditation body which holds and signs the required entity statement
  * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity
- * @param options.appFetch An optional instance of the http client to be used.
+ * @param appFetch An optional instance of the http client to be used.
  * @returns The parsed entity configuration object
  * @throws {IoWalletError} If the http request fails
- * @throws Parse error if the document is not in the expected shape.
  */
 export async function getEntityStatement(
   accreditationBodyBaseUrl: string,
@@ -234,14 +251,14 @@ export async function getEntityStatement(
 /**
  * Fetch the entity statement document for a given federation entity.
  *
- * @param accreditationBodyBaseUrl The base url of the accreditaion body which holds and signs the required entity statement
- * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity
- * @param options.appFetch An optional instance of the http client to be used.
- * @returns The signed entity statement token
- * @throws {IoWalletError} If the http request fails
+ * @param federationFetchEndpoint The exact endpoint provided by the parent EC's metadata.
+ * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The signed entity statement token.
+ * @throws {IoWalletError} If the http request fails.
  */
 export async function getSignedEntityStatement(
-  accreditationBodyBaseUrl: string,
+  federationFetchEndpoint: string,
   subordinatedEntityBaseUrl: string,
   {
     appFetch = fetch,
@@ -249,13 +266,178 @@ export async function getSignedEntityStatement(
     appFetch?: GlobalFetch["fetch"];
   } = {}
 ) {
-  const url = `${accreditationBodyBaseUrl}/fetch?${new URLSearchParams({
-    sub: subordinatedEntityBaseUrl,
-  })}`;
+  const url = new URL(federationFetchEndpoint);
+  url.searchParams.set("sub", subordinatedEntityBaseUrl);
 
-  return await appFetch(url, {
+  return await appFetch(url.toString(), {
     method: "GET",
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.text());
 }
+
+/**
+ * Fetch the federation list document from a given endpoint.
+ *
+ * @param federationListEndpoint The URL of the federation list endpoint.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The federation list as an array of strings.
+ * @throws {IoWalletError} If the HTTP request fails.
+ * @throws {FederationError} If the result is not in the expected format.
+ */
+export async function getFederationList(
+  federationListEndpoint: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<string[]> {
+  return await appFetch(federationListEndpoint, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.json())
+    .then((json) => {
+      const result = FederationListResponse.safeParse(json);
+      if (!result.success) {
+        throw new FederationListParseError(
+          `Invalid federation list format received from ${federationListEndpoint}. Error: ${result.error.message}`,
+          { url: federationListEndpoint, parseError: result.error.toString() }
+        );
+      }
+      return result.data;
+    });
+}
+
+/**
+ * Build a not-verified trust chain for a given Relying Party (RP) entity.
+ *
+ * @param relyingPartyEntityBaseUrl The base URL of the RP entity
+ * @param trustAnchorKey The public key of the Trust Anchor (TA) entity
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
+ * @throws {FederationError} When an element of the chain fails to parse or other build steps fail.
+ */
+export async function buildTrustChain(
+  relyingPartyEntityBaseUrl: string,
+  trustAnchorKey: JWK,
+  appFetch: GlobalFetch["fetch"] = fetch
+): Promise<string[]> {
+  // 1: Recursively gather the trust chain from the RP up to the Trust Anchor
+  const trustChain = await gatherTrustChain(
+    relyingPartyEntityBaseUrl,
+    appFetch
+  );
+
+  // 2: Trust Anchor signature verification
+  const trustAnchorJwt = trustChain[trustChain.length - 1];
+  if (!trustAnchorJwt) {
+    throw new BuildTrustChainError(
+      "Cannot verify trust anchor: missing entity configuration in gathered chain.",
+      { relyingPartyUrl: relyingPartyEntityBaseUrl }
+    );
+  }
+
+  if (!trustAnchorKey.kid) {
+    throw new TrustAnchorKidMissingError();
+  }
+
+  await verify(trustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
+
+  // 3: Check the federation list
+  const trustAnchorConfig = EntityConfiguration.parse(decode(trustAnchorJwt));
+  const federationListEndpoint =
+    trustAnchorConfig.payload.metadata.federation_entity
+      .federation_list_endpoint;
+
+  if (federationListEndpoint) {
+    const federationList = await getFederationList(federationListEndpoint, {
+      appFetch,
+    });
+
+    if (!federationList.includes(relyingPartyEntityBaseUrl)) {
+      throw new RelyingPartyNotAuthorizedError(
+        "Relying Party entity base URL is not authorized by the Trust Anchor's federation list.",
+        { relyingPartyUrl: relyingPartyEntityBaseUrl, federationListEndpoint }
+      );
+    }
+  }
+
+  return trustChain;
+}
+
+/**
+ * Recursively gather the trust chain for an entity and all its superiors.
+ * @param entityBaseUrl The base URL of the entity for which to gather the chain.
+ * @param appFetch An optional instance of the http client to be used.
+ * @param isLeaf Whether the current entity is the leaf of the chain.
+ * @returns A full ordered list of JWTs (ECs and ESs) forming the trust chain.
+ * @throws {FederationError} If any of the fetched documents fail to parse or other errors occur during the gathering process.
+ */
+async function gatherTrustChain(
+  entityBaseUrl: string,
+  appFetch: GlobalFetch["fetch"],
+  isLeaf: boolean = true
+): Promise<string[]> {
+  const chain: string[] = [];
+
+  // Fetch self-signed EC (only needed for the leaf)
+  const entityECJwt = await getSignedEntityConfiguration(entityBaseUrl, {
+    appFetch,
+  });
+  const entityEC = EntityConfiguration.parse(decode(entityECJwt));
+
+  if (isLeaf) {
+    // Only push EC for the leaf
+    chain.push(entityECJwt);
+  }
+
+  // Find authority_hints (parent, if any)
+  const authorityHints = entityEC.payload.authority_hints ?? [];
+  if (authorityHints.length === 0) {
+    // This is the Trust Anchor (no parent)
+    if (!isLeaf) {
+      chain.push(entityECJwt);
+    }
+    return chain;
+  }
+
+  const parentEntityBaseUrl = authorityHints[0]!;
+
+  // Fetch parent EC
+  const parentECJwt = await getSignedEntityConfiguration(parentEntityBaseUrl, {
+    appFetch,
+  });
+  const parentEC = EntityConfiguration.parse(decode(parentECJwt));
+
+  // Fetch ES
+  const federationFetchEndpoint =
+    parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
+  if (!federationFetchEndpoint) {
+    throw new MissingFederationFetchEndpointError(
+      `Missing federation_fetch_endpoint in parent's (${parentEntityBaseUrl}) configuration when gathering chain for ${entityBaseUrl}.`,
+      { entityBaseUrl, missingInEntityUrl: parentEntityBaseUrl }
+    );
+  }
+
+  const entityStatementJwt = await getSignedEntityStatement(
+    federationFetchEndpoint,
+    entityBaseUrl,
+    { appFetch }
+  );
+  // Validate the ES
+  EntityStatement.parse(decode(entityStatementJwt));
+
+  // Push this ES into the chain
+  chain.push(entityStatementJwt);
+
+  // Recurse into the parent
+  const parentChain = await gatherTrustChain(
+    parentEntityBaseUrl,
+    appFetch,
+    false
+  );
+
+  return chain.concat(parentChain);
+}

package/src/{entity/trust → trust}/types.ts

@@ -1,7 +1,7 @@
-import { UnixTime } from "../../sd-jwt/types";
-import { JWK } from "../../utils/jwk";
+import { UnixTime } from "../sd-jwt/types";
+import { JWK } from "../utils/jwk";
 import * as z from "zod";
-import { PresentationDefinition } from "../../credential/presentation/types";
+import { PresentationDefinition } from "../credential/presentation/types";
 
 export const TrustMark = z.object({ id: z.string(), trust_mark: z.string() });
 export type TrustMark = z.infer<typeof TrustMark>;
@@ -13,9 +13,11 @@ const RelyingPartyMetadata = z.object({
   jwks: z.object({ keys: z.array(JWK) }),
   contacts: z.array(z.string()).optional(),
   presentation_definition: PresentationDefinition.optional(),
-  presentation_definition_uri: z.string().optional(),
+  request_uris: z.array(z.string()).optional(),
+  authorization_signed_response_alg: z.string().optional(),
+  authorization_encrypted_response_alg: z.string().optional(),
+  authorization_encrypted_response_enc: z.string().optional(),
 });
-//.passthrough();
 
 // Display metadata for a credential, used by the issuer to
 // instruct the Wallet Solution on how to render the credential correctly
@@ -23,14 +25,6 @@ type CredentialDisplayMetadata = z.infer<typeof CredentialDisplayMetadata>;
 const CredentialDisplayMetadata = z.object({
   name: z.string(),
   locale: z.string(),
-  logo: z
-    .object({
-      url: z.string(),
-      alt_text: z.string(),
-    })
-    .optional(), // TODO [SIW-1268]: should not be optional
-  background_color: z.string().optional(), // TODO [SIW-1268]: should not be optional
-  text_color: z.string().optional(), // TODO [SIW-1268]: should not be optional
 });
 
 // Metadata for displaying issuer information
@@ -40,12 +34,6 @@ type CredentialIssuerDisplayMetadata = z.infer<
 const CredentialIssuerDisplayMetadata = z.object({
   name: z.string(),
   locale: z.string(),
-  logo: z
-    .object({
-      url: z.string(),
-      alt_text: z.string(),
-    })
-    .optional(), // TODO [SIW-1268]: should not be optional
 });
 
 type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
@@ -67,13 +55,13 @@ const IssuanceErrorSupported = z.object({
   ),
 });
 
-// Metadata for a credentia which is supported by a Issuer
+// Metadata for a credential which is supported by an Issuer
 type SupportedCredentialMetadata = z.infer<typeof SupportedCredentialMetadata>;
 const SupportedCredentialMetadata = z.object({
-  format: z.union([z.literal("vc+sd-jwt"), z.literal("mso_mdoc")]),
+  format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
   scope: z.string(),
   display: z.array(CredentialDisplayMetadata),
-  claims: ClaimsMetadata.optional(), // TODO [SIW-1268]: should not be optional
+  claims: ClaimsMetadata,
   cryptographic_binding_methods_supported: z.array(z.string()),
   credential_signing_alg_values_supported: z.array(z.string()),
   authentic_source: z.string().optional(),
@@ -91,7 +79,7 @@ export const EntityStatement = z.object({
     iss: z.string(),
     sub: z.string(),
     jwks: z.object({ keys: z.array(JWK) }),
-    trust_marks: z.array(TrustMark),
+    trust_marks: z.array(TrustMark).optional(),
     iat: z.number(),
     exp: z.number(),
   }),
@@ -107,7 +95,7 @@ export const EntityConfigurationHeader = z.object({
 });
 
 /**
- * @see https://openid.net/specs/openid-connect-federation-1_0-29.html#name-federation-entity
+ * @see https://openid.net/specs/openid-federation-1_0-41.html
  */
 const FederationEntityMetadata = z
   .object({
@@ -116,6 +104,9 @@ const FederationEntityMetadata = z
     federation_resolve_endpoint: z.string().optional(),
     federation_trust_mark_status_endpoint: z.string().optional(),
     federation_trust_mark_list_endpoint: z.string().optional(),
+    federation_trust_mark_endpoint: z.string().optional(),
+    federation_historical_keys_endpoint: z.string().optional(),
+    endpoint_auth_signing_alg_values_supported: z.string().optional(),
     organization_name: z.string().optional(),
     homepage_uri: z.string().optional(),
     policy_uri: z.string().optional(),
@@ -124,7 +115,7 @@ const FederationEntityMetadata = z
   })
   .passthrough();
 
-// Structuire common to every Entity Configuration document
+// Structure common to every Entity Configuration document
 const BaseEntityConfiguration = z.object({
   header: EntityConfigurationHeader,
   payload: z
@@ -175,30 +166,24 @@ export const CredentialIssuerEntityConfiguration = BaseEntityConfiguration.and(
         oauth_authorization_server: z.object({
           authorization_endpoint: z.string(),
           pushed_authorization_request_endpoint: z.string(),
-          dpop_signing_alg_values_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
           token_endpoint: z.string(),
-          introspection_endpoint: z.string().optional(), // TODO [SIW-1268]: should not be optional
           client_registration_types_supported: z.array(z.string()),
           code_challenge_methods_supported: z.array(z.string()),
-          authorization_details_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional,
           acr_values_supported: z.array(z.string()),
           grant_types_supported: z.array(z.string()),
           issuer: z.string(),
           jwks: z.object({ keys: z.array(JWK) }),
           scopes_supported: z.array(z.string()),
-          request_parameter_supported: z.boolean().optional(), // TODO [SIW-1268]: should not be optional
-          request_uri_parameter_supported: z.boolean().optional(), // TODO [SIW-1268]: should not be optional
-          response_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
           response_modes_supported: z.array(z.string()),
-          subject_types_supported: z.array(z.string()).optional(), // TODO [SIW-1268]: should not be optional
           token_endpoint_auth_methods_supported: z.array(z.string()),
           token_endpoint_auth_signing_alg_values_supported: z.array(z.string()),
           request_object_signing_alg_values_supported: z.array(z.string()),
         }),
-        /** Credential Issuers act as Relying Party
-            when they require the presentation of other credentials.
-            This does not apply for PID issuance, which requires CIE authz. */
-        wallet_relying_party: RelyingPartyMetadata.optional(),
+        /**
+         * Credential Issuers act as Relying Party when they require the presentation of other credentials.
+         * This does not apply for PID issuance, which requires CIE authz.
+         */
+        openid_credential_verifier: RelyingPartyMetadata.optional(),
       }),
     }),
   })
@@ -212,7 +197,7 @@ export const RelyingPartyEntityConfiguration = BaseEntityConfiguration.and(
   z.object({
     payload: z.object({
       metadata: z.object({
-        wallet_relying_party: RelyingPartyMetadata,
+        openid_credential_verifier: RelyingPartyMetadata,
       }),
     }),
   })
@@ -256,3 +241,5 @@ export const EntityConfiguration = z.union(
     description: "Any kind of Entity Configuration allowed in the ecosystem",
   }
 );
+
+export const FederationListResponse = z.array(z.string());

package/src/trust/utils.ts

@@ -0,0 +1,70 @@
+import {
+  decode as decodeJwt,
+  verify as verifyJwt,
+} from "@pagopa/io-react-native-jwt";
+
+import type { JWK, JWTDecodeResult } from "../utils/jwk";
+import { FederationError } from "./errors";
+import type { TrustAnchorEntityConfiguration } from "./types";
+
+export type ParsedToken = {
+  header: JWTDecodeResult["protectedHeader"];
+  payload: JWTDecodeResult["payload"];
+};
+
+// Verify a token signature
+// The kid is extracted from the token header
+export const verify = async (
+  token: string,
+  kid: string,
+  jwks: JWK[]
+): Promise<ParsedToken> => {
+  const jwk = jwks.find((k) => k.kid === kid);
+  if (!jwk) {
+    throw new Error(`Invalid kid: ${kid}, token: ${token}`);
+  }
+  const { protectedHeader: header, payload } = await verifyJwt(token, jwk);
+  return { header, payload };
+};
+
+/**
+ * Return type for this function is necessary to avoid an issue during the bob build process.
+ * It seems like typescript can't correctly infer the return type of the function.
+ */
+export const decode = (token: string): ParsedToken => {
+  const { protectedHeader: header, payload } = decodeJwt(token);
+  return { header, payload };
+};
+
+/**
+ * Extracts the X.509 Trust Anchor certificate (Base64 encoded) from the
+ * Trust Anchor's Entity Configuration.
+ *
+ * @param trustAnchorEntity The entity configuration of the known trust anchor.
+ * @returns The Base64 encoded X.509 certificate string.
+ * @throws {FederationError} If the certificate cannot be derived.
+ */
+export function getTrustAnchorX509Certificate(
+  trustAnchorEntity: TrustAnchorEntityConfiguration
+): string {
+  const taHeaderKid = trustAnchorEntity.header.kid;
+  const taSigningJwk = trustAnchorEntity.payload.jwks.keys.find(
+    (key) => key.kid === taHeaderKid
+  );
+
+  if (!taSigningJwk) {
+    throw new FederationError(
+      `Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' not found in Trust Anchor's JWKS.`,
+      { trustAnchorKid: taHeaderKid, reason: "JWK not found for header kid" }
+    );
+  }
+
+  if (taSigningJwk.x5c && taSigningJwk.x5c.length > 0 && taSigningJwk.x5c[0]) {
+    return taSigningJwk.x5c[0];
+  }
+
+  throw new FederationError(
+    `Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' does not contain a valid 'x5c' certificate array.`,
+    { trustAnchorKid: taHeaderKid, reason: "Missing or empty x5c in JWK" }
+  );
+}

package/src/utils/crypto.ts

@@ -3,14 +3,10 @@ import {
   sign,
   generate,
   deleteKey,
-  type PublicKey,
 } from "@pagopa/io-react-native-crypto";
-import uuid from "react-native-uuid";
+import { v4 as uuidv4 } from "uuid";
 import { thumbprint, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { X509, KEYUTIL, RSAKey, KJUR } from "jsrsasign";
-import { JWK } from "./jwk";
-import { removePadding } from "@pagopa/io-react-native-jwt";
-import { Buffer } from "buffer";
+import { fixBase64EncodingOnKey } from "./jwk";
 
 /**
  * Create a CryptoContext bound to a key pair.
@@ -28,7 +24,7 @@ export const createCryptoContextFor = (keytag: string): CryptoContext => {
      */
     async getPublicKey() {
       return getPublicKey(keytag)
-        .then(fixBase64WithLeadingZero)
+        .then(fixBase64EncodingOnKey)
         .then(async (jwk) => ({
           ...jwk,
           // Keys in the TEE are not stored with their KID, which is supposed to be assigned when they are included in JWK sets.
@@ -50,45 +46,6 @@ export const createCryptoContextFor = (keytag: string): CryptoContext => {
   };
 };
 
-/**
- * This function takes a JSON Web Key (JWK) and returns a new JWK with its base64-url properties (x, y, e, n) processed.
- * Each property is passed through the `removeLeadingZeroAndParseb64u` function if it exists, which fixes any unwanted leading zeros.
- *
- * @param key - The input JSON Web Key that may contain properties with potential leading zero issues.
- * @returns A new JSON Web Key with the processed properties.
- */
-const fixBase64WithLeadingZero = (key: JWK): JWK => {
-  const { x, y, e, n, ...pk } = key;
-
-  return {
-    ...pk,
-    ...(x ? { x: removeLeadingZeroAndParseb64u(x) } : {}),
-    ...(y ? { y: removeLeadingZeroAndParseb64u(y) } : {}),
-    ...(e ? { e: removeLeadingZeroAndParseb64u(e) } : {}),
-    ...(n ? { n: removeLeadingZeroAndParseb64u(n) } : {}),
-  };
-};
-
-/**
- * This function processes a base64-encoded string to remove any unwanted leading zeros.
- * It converts the input base64 string into a buffer, then to a hex string, checks for a leading "00",
- * and removes it if present. The result is then converted back to a base64-url.
- *
- * @param input - The base64 encoded string to process.
- * @returns A new base64-url encoded string with any leading zero removed.
- */
-const removeLeadingZeroAndParseb64u = (input: string): string => {
-  // Decode base64 input into a Buffer
-  const buffer = Buffer.from(input, "base64");
-  const hex = buffer.toString("hex");
-  // If the hex string starts with "00", remove the first two characters
-  const fixedHex = hex.startsWith("00") ? hex.slice(2) : hex;
-  const newBuffer = Buffer.from(fixedHex, "hex");
-
-  // removePadding convert base64 string to base64-url
-  return removePadding(newBuffer.toString("base64"));
-};
-
 /**
  * Executes the input function injecting an ephemeral crypto context.
  * An ephemeral crypto context is a context which is bound to a key
@@ -101,67 +58,8 @@ export const withEphemeralKey = async <R>(
   fn: (ephemeralContext: CryptoContext) => Promise<R>
 ): Promise<R> => {
   // Use an ephemeral key to be destroyed after use
-  const keytag = `ephemeral-${uuid.v4()}`;
+  const keytag = `ephemeral-${uuidv4()}`;
   await generate(keytag);
   const ephemeralContext = createCryptoContextFor(keytag);
   return fn(ephemeralContext).finally(() => deleteKey(keytag));
 };
-
-/**
- * Converts a certificate string to PEM format.
- *
- * @param certificate - The certificate string.
- * @returns The PEM-formatted certificate.
- */
-export const convertCertToPem = (certificate: string): string =>
-  `-----BEGIN CERTIFICATE-----\n${certificate}\n-----END CERTIFICATE-----`;
-
-/**
- * Parses the public key from a PEM-formatted certificate.
- *
- * @param pemCert - The PEM-formatted certificate.
- * @returns The public key object.
- * @throws Will throw an error if the public key is unsupported.
- */
-export const parsePublicKey = (
-  pemCert: string
-): RSAKey | KJUR.crypto.ECDSA | undefined => {
-  const x509 = new X509();
-  x509.readCertPEM(pemCert);
-  const publicKey = x509.getPublicKey();
-
-  if (publicKey instanceof RSAKey || publicKey instanceof KJUR.crypto.ECDSA) {
-    return publicKey;
-  }
-
-  return undefined;
-};
-
-/**
- * Retrieves the signing JWK from the public key.
- *
- * @param publicKey - The public key object.
- * @returns The signing JWK.
- */
-export const getSigningJwk = (publicKey: RSAKey | KJUR.crypto.ECDSA): JWK => ({
-  ...JWK.parse(KEYUTIL.getJWKFromKey(publicKey)),
-  use: "sig",
-});
-
-/**
- * This function takes two {@link PublicKey} and evaluates and compares their thumbprints
- * @param key1 The first key
- * @param key2 The second key
- * @returns true if the keys' thumbprints are equal, false otherwise
- */
-export const compareKeysByThumbprint = async (
-  key1: PublicKey,
-  key2: PublicKey
-) => {
-  //Parallel for optimization
-  const [thumbprint1, thumbprint2] = await Promise.all([
-    thumbprint(key1),
-    thumbprint(key2),
-  ]);
-  return thumbprint1 === thumbprint2;
-};

package/src/utils/decoder.ts

@@ -1,6 +1,7 @@
 import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
-import { ValidationFailed } from "./errors";
 import type { JWTDecodeResult } from "./jwk";
+import { ValidationFailed } from "./errors";
+import { LogLevel, Logger } from "./logging";
 
 /*
  * Decode a form_post.jwt and return the final JWT.
@@ -47,6 +48,10 @@ export const getJwtFromFormPost = async (
     }
   }
 
+  Logger.log(
+    LogLevel.ERROR,
+    `Unable to obtain JWT from form_post.jwt. Form data: ${formData}`
+  );
   throw new ValidationFailed({
     message: `Unable to obtain JWT from form_post.jwt. Form data: ${formData}`,
   });