@pagopa/io-react-native-wallet 2.0.0-next.0 → 2.0.0-next.1

package/lib/commonjs/trust/README.md

@@ -0,0 +1,147 @@
+# Trust Chain Validation
+
+This module implements **Trust Chain validation** for Entity Configurations and Entity Statements in line with the [IT Wallet Federation Specifications](https://italia.github.io/eid-wallet-it-docs/). It ensures that an entity's metadata is trusted by validating a chain of signed JWTs up to a known Trust Anchor.
+
+The validation covers:
+
+* JWT signature verification (using the next entity's JWKS)
+* Trust chain ordering (leaf → parent → Trust Anchor)
+* Optional X.509 CRL-based certificate validation
+
+## Sequence Diagram
+
+```mermaid
+sequenceDiagram
+  autonumber
+  participant A as Leaf Entity
+  participant B as Intermediate (Federation Authority)
+  participant C as Trust Anchor
+
+  A->>A: Self-issued Entity Configuration (JWT)
+  B->>A: Signed Entity Statement (JWT)
+  C->>B: Signed Entity Statement (JWT or self-issued EC)
+
+  Note over A,C: Each JWT is validated with the next issuer's public keys
+```
+
+## Errors
+
+| Error                         | Description                                                        |
+| ----------------------------- | ------------------------------------------------------------------ |
+| `TrustChainEmptyError`        | The input chain is empty.                                          |
+| `TrustChainTokenMissingError` | One of the JWTs in the chain is missing.                           |
+| `X509ValidationError`         | X.509 certificate validation failed (e.g. revocation, expiration). |
+| `FederationError`             | Generic federation processing error.                               |
+
+## Usage
+
+### Validate a trust chain
+
+```ts
+import { validateTrustChain } from "./trust";
+import { trustAnchorEntityConfiguration } from "./your-data";
+import { chain } from "./your-data"; // array of JWTs, starting from leaf
+
+const result = await validateTrustChain(trustAnchorEntityConfiguration, chain, {
+    connectTimeout: 3000,
+    readTimeout: 3000,
+    requireCrl: false,
+});
+```
+
+* The `chain` must be an array of signed JWT strings.
+* The first JWT must be a self-issued `EntityConfiguration`.
+* The last JWT must be an `EntityStatement` or a self-issued Trust Anchor `EntityConfiguration`.
+
+### Renew a trust chain
+
+```ts
+import { renewTrustChain } from "./trust";
+
+const newChain = await renewTrustChain(chain);
+```
+
+This will fetch updated JWTs from each authority in the chain.
+
+### Build a trust chain
+
+```ts
+import { buildTrustChain } from "./trust";
+
+const chain = await buildTrustChain({
+  leaf: "https://example-leaf",
+  trustAnchor: trustAnchorEntityConfiguration,
+});
+```
+
+* **leaf**: the entity URL of the subject to be trusted.
+* **trustAnchor**: the known trust anchor configuration.
+* Returns a list of JWT strings ordered from leaf to trust anchor.
+
+
+## Trust Chain Structure
+
+| Position | JWT Type                            | Requirements                  |
+| -------- | ----------------------------------- |-------------------------------|
+| First    | Entity Configuration                | `iss === sub` (self-issued)   |
+| Middle   | Entity Statement                    | `iss ≠ sub`, signed by parent |
+| Last     | Entity Statement or Trust Anchor EC | Trust Anchor must be known    |
+
+### Build and Validate Example
+
+```ts
+import {
+  buildTrustChain,
+  validateTrustChain,
+} from "./trust";
+import { trustAnchorEntityConfiguration } from "./your-data";
+
+const chain = await buildTrustChain({
+  leaf: "https://example-leaf",
+  trustAnchor: trustAnchorEntityConfiguration,
+});
+
+const result = await validateTrustChain(trustAnchorEntityConfiguration, chain, {
+  connectTimeout: 3000,
+  readTimeout: 3000,
+  requireCrl: true,
+});
+```
+
+* This example fetches and builds the full trust chain dynamically, then validates it end-to-end.
+
+## Example Trust Chain
+
+```ts
+[
+    {
+        header: { alg: "ES256", kid: "leaf-kid" },
+        payload: { iss: "https://leaf", sub: "https://leaf", jwks: { keys: [...] } }
+    },
+    {
+        header: { alg: "ES256", kid: "intermediate-kid" },
+        payload: { iss: "https://intermediate", sub: "https://leaf", jwks: { keys: [...] } }
+    },
+    {
+        header: { alg: "ES256", kid: "ta-kid" },
+        payload: { iss: "https://ta", sub: "https://ta", jwks: { keys: [...] } }
+    }
+]
+```
+
+## Mocking in Tests
+
+If you're testing in Node (not in React Native), you need to mock X.509 and crypto-native dependencies:
+
+```ts
+jest.mock("@pagopa/io-react-native-crypto", () => ({
+    verifyCertificateChain: jest.fn().mockResolvedValue({
+        isValid: true,
+        validationStatus: "VALID",
+        errorMessage: undefined,
+    }),
+    generate: jest.fn().mockResolvedValue({ ... }),
+}));
+```
+
+Ensure mocked `JWK`s contain an `x5c` array to trigger certificate validation logic during tests.

package/lib/commonjs/trust/chain.js

@@ -10,6 +10,7 @@ var z = _interopRequireWildcard(require("zod"));
 var _ = require(".");
 var _utils = require("./utils");
 var _errors = require("./errors");
+var _ioReactNativeCrypto = require("@pagopa/io-react-native-crypto");
 function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
 function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
 // The first element of the chain is supposed to be the Entity Configuration for the document issuer
@@ -21,14 +22,15 @@ const MiddleElementShape = _types.EntityStatement;
 const LastElementShape = z.union([_types.EntityStatement, _types.TrustAnchorEntityConfiguration]);
 
 /**
- * Validates a provided trust chain against a known trust
+ * Validates a provided trust chain against a known trust anchor, including X.509 certificate checks.
  *
- * @param trustAnchorEntity The entity configuration of the known trust anchor
- * @param chain The chain of statements to be validated
- * @returns The list of parsed token representing the chain
- * @throws {FederationError} If the chain is not valid
+ * @param trustAnchorEntity The entity configuration of the known trust anchor (for JWT validation).
+ * @param chain The chain of statements to be validated.
+ * @param x509Options Options for X.509 certificate validation.
+ * @returns The list of parsed tokens representing the chain.
+ * @throws {FederationError} If the chain is not valid (JWT or X.509). Specific errors like TrustChainEmptyError, X509ValidationError may be thrown.
  */
-async function validateTrustChain(trustAnchorEntity, chain) {
+async function validateTrustChain(trustAnchorEntity, chain, x509Options) {
   // If the chain is empty, fail
   if (chain.length === 0) {
     throw new _errors.TrustChainEmptyError("Cannot verify empty trust chain.");
@@ -37,7 +39,7 @@ async function validateTrustChain(trustAnchorEntity, chain) {
   // Select the expected token shape
   const selectTokenShape = elementIndex => elementIndex === 0 ? FirstElementShape : elementIndex === chain.length - 1 ? LastElementShape : MiddleElementShape;
 
-  // select the kid from the current index
+  // Select the kid from the current index
   const selectKid = currentIndex => {
     const token = chain[currentIndex];
     if (!token) {
@@ -49,8 +51,8 @@ async function validateTrustChain(trustAnchorEntity, chain) {
     return shape.parse((0, _utils.decode)(token)).header.kid;
   };
 
-  // select keys from the next token
-  // if the current token is the last, keys from trust anchor will be used
+  // Select keys from the next token
+  // If the current token is the last, keys from trust anchor will be used
   const selectKeys = currentIndex => {
     if (currentIndex === chain.length - 1) {
       return trustAnchorEntity.payload.jwks.keys;
@@ -65,10 +67,45 @@ async function validateTrustChain(trustAnchorEntity, chain) {
     const shape = selectTokenShape(nextIndex);
     return shape.parse((0, _utils.decode)(nextToken)).payload.jwks.keys;
   };
+  const x509TrustAnchorCertBase64 = (0, _utils.getTrustAnchorX509Certificate)(trustAnchorEntity);
 
   // Iterate the chain and validate each element's signature against the public keys of its next
   // If there is no next, hence it's the end of the chain, and it must be verified by the Trust Anchor
-  return Promise.all(chain.map((token, i) => [token, selectKid(i), selectKeys(i)]).map(args => (0, _utils.verify)(...args)));
+  const validationPromises = chain.map(async (tokenString, i) => {
+    const kidFromTokenHeader = selectKid(i);
+    const signerJwks = selectKeys(i);
+
+    // Step 1: Verify JWT signature
+    const parsedToken = await (0, _utils.verify)(tokenString, kidFromTokenHeader, signerJwks);
+
+    // Step 2: X.509 Certificate Chain Validation
+    const jwkUsedForVerification = signerJwks.find(k => k.kid === kidFromTokenHeader);
+    if (!jwkUsedForVerification) {
+      throw new _errors.FederationError(`JWK with kid '${kidFromTokenHeader}' was not found in signer's JWKS for token at index ${i}, though JWT verification passed.`, {
+        tokenIndex: i,
+        kid: kidFromTokenHeader
+      });
+    }
+    if (!jwkUsedForVerification.x5c || jwkUsedForVerification.x5c.length === 0) {
+      throw new _errors.MissingX509CertsError(`JWK with kid '${kidFromTokenHeader}' does not contain an X.509 certificate chain (x5c) for token at index ${i}.`);
+    }
+
+    // If the chain has more than one certificate AND
+    // the last certificate in the x5c chain is the same as the trust anchor,
+    // remove the anchor from the chain being passed, as it's supplied separately.
+    const certChainBase64 = jwkUsedForVerification.x5c.length > 1 && jwkUsedForVerification.x5c.at(-1) === x509TrustAnchorCertBase64 ? jwkUsedForVerification.x5c.slice(0, -1) : jwkUsedForVerification.x5c;
+    const x509ValidationResult = await (0, _ioReactNativeCrypto.verifyCertificateChain)(certChainBase64, x509TrustAnchorCertBase64, x509Options);
+    if (!x509ValidationResult.isValid) {
+      throw new _errors.X509ValidationError(`X.509 certificate chain validation failed for token at index ${i} (kid: ${kidFromTokenHeader}). Status: ${x509ValidationResult.validationStatus}. Error: ${x509ValidationResult.errorMessage}`, {
+        tokenIndex: i,
+        kid: kidFromTokenHeader,
+        x509ValidationStatus: x509ValidationResult.validationStatus,
+        x509ErrorMessage: x509ValidationResult.errorMessage
+      });
+    }
+    return parsedToken;
+  });
+  return Promise.all(validationPromises);
 }
 
 /**

package/lib/commonjs/trust/chain.js.map

@@ -1 +1 @@
-{"version":3,"names":["_types","require","z","_interopRequireWildcard","_","_utils","_errors","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","FirstElementShape","EntityConfiguration","MiddleElementShape","EntityStatement","LastElementShape","union","TrustAnchorEntityConfiguration","validateTrustChain","trustAnchorEntity","chain","length","TrustChainEmptyError","selectTokenShape","elementIndex","selectKid","currentIndex","token","TrustChainTokenMissingError","index","shape","parse","decode","header","kid","selectKeys","payload","jwks","keys","nextIndex","nextToken","Promise","all","map","i","args","verify","renewTrustChain","appFetch","arguments","undefined","fetch","decoded","entityStatementResult","safeParse","entityConfigurationResult","success","getSignedEntityConfiguration","data","iss","entityStatement","parentBaseUrl","parentECJwt","parentEC","federationFetchEndpoint","metadata","federation_entity","federation_fetch_endpoint","MissingFederationFetchEndpointError","sub","entityBaseUrl","missingInEntityUrl","getSignedEntityStatement","TrustChainRenewalError","originalChain"],"sourceRoot":"../../../src","sources":["trust/chain.ts"],"mappings":";;;;;;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AAMA,IAAAC,CAAA,GAAAC,uBAAA,CAAAF,OAAA;AACA,IAAAG,CAAA,GAAAH,OAAA;AACA,IAAAI,MAAA,GAAAJ,OAAA;AACA,IAAAK,OAAA,GAAAL,OAAA;AAKkB,SAAAM,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAL,wBAAAS,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAElB;AACA,MAAMW,iBAAiB,GAAGC,0BAAmB;AAC7C;AACA,MAAMC,kBAAkB,GAAGC,sBAAe;AAC1C;AACA;AACA,MAAMC,gBAAgB,GAAG/B,CAAC,CAACgC,KAAK,CAAC,CAC/BF,sBAAe,EACfG,qCAA8B,CAC/B,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeC,kBAAkBA,CACtCC,iBAAiD,EACjDC,KAAe,EACS;EACxB;EACA,IAAIA,KAAK,CAACC,MAAM,KAAK,CAAC,EAAE;IACtB,MAAM,IAAIC,4BAAoB,CAAC,kCAAkC,CAAC;EACpE;;EAEA;EACA,MAAMC,gBAAgB,GAAIC,YAAoB,IAC5CA,YAAY,KAAK,CAAC,GACdb,iBAAiB,GACjBa,YAAY,KAAKJ,KAAK,CAACC,MAAM,GAAG,CAAC,GAC/BN,gBAAgB,GAChBF,kBAAkB;;EAE1B;EACA,MAAMY,SAAS,GAAIC,YAAoB,IAAa;IAClD,MAAMC,KAAK,GAAGP,KAAK,CAACM,YAAY,CAAC;IACjC,IAAI,CAACC,KAAK,EAAE;MACV,MAAM,IAAIC,mCAA2B,CAClC,0BAAyBF,YAAa,kBAAiB,EACxD;QAAEG,KAAK,EAAEH;MAAa,CACxB,CAAC;IACH;IACA,MAAMI,KAAK,GAAGP,gBAAgB,CAACG,YAAY,CAAC;IAC5C,OAAOI,KAAK,CAACC,KAAK,CAAC,IAAAC,aAAM,EAACL,KAAK,CAAC,CAAC,CAACM,MAAM,CAACC,GAAG;EAC9C,CAAC;;EAED;EACA;EACA,MAAMC,UAAU,GAAIT,YAAoB,IAAY;IAClD,IAAIA,YAAY,KAAKN,KAAK,CAACC,MAAM,GAAG,CAAC,EAAE;MACrC,OAAOF,iBAAiB,CAACiB,OAAO,CAACC,IAAI,CAACC,IAAI;IAC5C;IAEA,MAAMC,SAAS,GAAGb,YAAY,GAAG,CAAC;IAClC,MAAMc,SAAS,GAAGpB,KAAK,CAACmB,SAAS,CAAC;IAClC,IAAI,CAACC,SAAS,EAAE;MACd,MAAM,IAAIZ,mCAA2B,CAClC,+BAA8BW,SAAU,kCAAiCb,YAAa,IAAG,EAC1F;QAAEG,KAAK,EAAEU;MAAU,CACrB,CAAC;IACH;IACA,MAAMT,KAAK,GAAGP,gBAAgB,CAACgB,SAAS,CAAC;IACzC,OAAOT,KAAK,CAACC,KAAK,CAAC,IAAAC,aAAM,EAACQ,SAAS,CAAC,CAAC,CAACJ,OAAO,CAACC,IAAI,CAACC,IAAI;EACzD,CAAC;;EAED;EACA;EACA,OAAOG,OAAO,CAACC,GAAG,CAChBtB,KAAK,CACFuB,GAAG,CAAC,CAAChB,KAAK,EAAEiB,CAAC,KAAK,CAACjB,KAAK,EAAEF,SAAS,CAACmB,CAAC,CAAC,EAAET,UAAU,CAACS,CAAC,CAAC,CAAU,CAAC,CAChED,GAAG,CAAEE,IAAI,IAAK,IAAAC,aAAM,EAAC,GAAGD,IAAI,CAAC,CAClC,CAAC;AACH;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeE,eAAeA,CACnC3B,KAAe,EAEI;EAAA,IADnB4B,QAA8B,GAAAC,SAAA,CAAA5B,MAAA,QAAA4B,SAAA,QAAAC,SAAA,GAAAD,SAAA,MAAGE,KAAK;EAEtC,OAAOV,OAAO,CAACC,GAAG,CAChBtB,KAAK,CAACuB,GAAG,CAAC,OAAOhB,KAAK,EAAEE,KAAK,KAAK;IAChC,MAAMuB,OAAO,GAAG,IAAApB,aAAM,EAACL,KAAK,CAAC;IAE7B,MAAM0B,qBAAqB,GAAGvC,sBAAe,CAACwC,SAAS,CAACF,OAAO,CAAC;IAChE,MAAMG,yBAAyB,GAAG3C,0BAAmB,CAAC0C,SAAS,CAACF,OAAO,CAAC;IAExE,IAAIG,yBAAyB,CAACC,OAAO,EAAE;MACrC,OAAO,IAAAC,8BAA4B,EACjCF,yBAAyB,CAACG,IAAI,CAACtB,OAAO,CAACuB,GAAG,EAC1C;QAAEX;MAAS,CACb,CAAC;IACH;IACA,IAAIK,qBAAqB,CAACG,OAAO,EAAE;MACjC,MAAMI,eAAe,GAAGP,qBAAqB,CAACK,IAAI;MAElD,MAAMG,aAAa,GAAGD,eAAe,CAACxB,OAAO,CAACuB,GAAG;MACjD,MAAMG,WAAW,GAAG,MAAM,IAAAL,8BAA4B,EAACI,aAAa,EAAE;QACpEb;MACF,CAAC,CAAC;MACF,MAAMe,QAAQ,GAAGnD,0BAAmB,CAACmB,KAAK,CAAC,IAAAC,aAAM,EAAC8B,WAAW,CAAC,CAAC;MAE/D,MAAME,uBAAuB,GAC3BD,QAAQ,CAAC3B,OAAO,CAAC6B,QAAQ,CAACC,iBAAiB,CAACC,yBAAyB;MACvE,IAAI,CAACH,uBAAuB,EAAE;QAC5B,MAAM,IAAII,2CAAmC,CAC1C,gBAAeP,aAAc,8DAA6DD,eAAe,CAACxB,OAAO,CAACiC,GAAI,GAAE,EACzH;UACEC,aAAa,EAAEV,eAAe,CAACxB,OAAO,CAACiC,GAAG;UAC1CE,kBAAkB,EAAEV;QACtB,CACF,CAAC;MACH;MACA,OAAO,IAAAW,0BAAwB,EAC7BR,uBAAuB,EACvBJ,eAAe,CAACxB,OAAO,CAACiC,GAAG,EAC3B;QAAErB;MAAS,CACb,CAAC;IACH;IACA,MAAM,IAAIyB,8BAAsB,CAC7B,iDAAgD5C,KAAM,mBAAkB,EACzE;MAAE6C,aAAa,EAAEtD;IAAM,CACzB,CAAC;EACH,CAAC,CACH,CAAC;AACH"}
+{"version":3,"names":["_types","require","z","_interopRequireWildcard","_","_utils","_errors","_ioReactNativeCrypto","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","FirstElementShape","EntityConfiguration","MiddleElementShape","EntityStatement","LastElementShape","union","TrustAnchorEntityConfiguration","validateTrustChain","trustAnchorEntity","chain","x509Options","length","TrustChainEmptyError","selectTokenShape","elementIndex","selectKid","currentIndex","token","TrustChainTokenMissingError","index","shape","parse","decode","header","kid","selectKeys","payload","jwks","keys","nextIndex","nextToken","x509TrustAnchorCertBase64","getTrustAnchorX509Certificate","validationPromises","map","tokenString","i","kidFromTokenHeader","signerJwks","parsedToken","verify","jwkUsedForVerification","find","k","FederationError","tokenIndex","x5c","MissingX509CertsError","certChainBase64","at","slice","x509ValidationResult","verifyCertificateChain","isValid","X509ValidationError","validationStatus","errorMessage","x509ValidationStatus","x509ErrorMessage","Promise","all","renewTrustChain","appFetch","arguments","undefined","fetch","decoded","entityStatementResult","safeParse","entityConfigurationResult","success","getSignedEntityConfiguration","data","iss","entityStatement","parentBaseUrl","parentECJwt","parentEC","federationFetchEndpoint","metadata","federation_entity","federation_fetch_endpoint","MissingFederationFetchEndpointError","sub","entityBaseUrl","missingInEntityUrl","getSignedEntityStatement","TrustChainRenewalError","originalChain"],"sourceRoot":"../../../src","sources":["trust/chain.ts"],"mappings":";;;;;;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AAMA,IAAAC,CAAA,GAAAC,uBAAA,CAAAF,OAAA;AACA,IAAAG,CAAA,GAAAH,OAAA;AACA,IAAAI,MAAA,GAAAJ,OAAA;AAMA,IAAAK,OAAA,GAAAL,OAAA;AASA,IAAAM,oBAAA,GAAAN,OAAA;AAIwC,SAAAO,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAN,wBAAAU,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAExC;AACA,MAAMW,iBAAiB,GAAGC,0BAAmB;AAC7C;AACA,MAAMC,kBAAkB,GAAGC,sBAAe;AAC1C;AACA;AACA,MAAMC,gBAAgB,GAAGhC,CAAC,CAACiC,KAAK,CAAC,CAC/BF,sBAAe,EACfG,qCAA8B,CAC/B,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeC,kBAAkBA,CACtCC,iBAAiD,EACjDC,KAAe,EACfC,WAAmC,EACX;EACxB;EACA,IAAID,KAAK,CAACE,MAAM,KAAK,CAAC,EAAE;IACtB,MAAM,IAAIC,4BAAoB,CAAC,kCAAkC,CAAC;EACpE;;EAEA;EACA,MAAMC,gBAAgB,GAAIC,YAAoB,IAC5CA,YAAY,KAAK,CAAC,GACdd,iBAAiB,GACjBc,YAAY,KAAKL,KAAK,CAACE,MAAM,GAAG,CAAC,GAC/BP,gBAAgB,GAChBF,kBAAkB;;EAE1B;EACA,MAAMa,SAAS,GAAIC,YAAoB,IAAa;IAClD,MAAMC,KAAK,GAAGR,KAAK,CAACO,YAAY,CAAC;IACjC,IAAI,CAACC,KAAK,EAAE;MACV,MAAM,IAAIC,mCAA2B,CAClC,0BAAyBF,YAAa,kBAAiB,EACxD;QAAEG,KAAK,EAAEH;MAAa,CACxB,CAAC;IACH;IACA,MAAMI,KAAK,GAAGP,gBAAgB,CAACG,YAAY,CAAC;IAC5C,OAAOI,KAAK,CAACC,KAAK,CAAC,IAAAC,aAAM,EAACL,KAAK,CAAC,CAAC,CAACM,MAAM,CAACC,GAAG;EAC9C,CAAC;;EAED;EACA;EACA,MAAMC,UAAU,GAAIT,YAAoB,IAAY;IAClD,IAAIA,YAAY,KAAKP,KAAK,CAACE,MAAM,GAAG,CAAC,EAAE;MACrC,OAAOH,iBAAiB,CAACkB,OAAO,CAACC,IAAI,CAACC,IAAI;IAC5C;IAEA,MAAMC,SAAS,GAAGb,YAAY,GAAG,CAAC;IAClC,MAAMc,SAAS,GAAGrB,KAAK,CAACoB,SAAS,CAAC;IAClC,IAAI,CAACC,SAAS,EAAE;MACd,MAAM,IAAIZ,mCAA2B,CAClC,+BAA8BW,SAAU,kCAAiCb,YAAa,IAAG,EAC1F;QAAEG,KAAK,EAAEU;MAAU,CACrB,CAAC;IACH;IACA,MAAMT,KAAK,GAAGP,gBAAgB,CAACgB,SAAS,CAAC;IACzC,OAAOT,KAAK,CAACC,KAAK,CAAC,IAAAC,aAAM,EAACQ,SAAS,CAAC,CAAC,CAACJ,OAAO,CAACC,IAAI,CAACC,IAAI;EACzD,CAAC;EAED,MAAMG,yBAAyB,GAC7B,IAAAC,oCAA6B,EAACxB,iBAAiB,CAAC;;EAElD;EACA;EACA,MAAMyB,kBAAkB,GAAGxB,KAAK,CAACyB,GAAG,CAAC,OAAOC,WAAW,EAAEC,CAAC,KAAK;IAC7D,MAAMC,kBAAkB,GAAGtB,SAAS,CAACqB,CAAC,CAAC;IACvC,MAAME,UAAU,GAAGb,UAAU,CAACW,CAAC,CAAC;;IAEhC;IACA,MAAMG,WAAW,GAAG,MAAM,IAAAC,aAAM,EAC9BL,WAAW,EACXE,kBAAkB,EAClBC,UACF,CAAC;;IAED;IACA,MAAMG,sBAAsB,GAAGH,UAAU,CAACI,IAAI,CAC3CC,CAAC,IAAKA,CAAC,CAACnB,GAAG,KAAKa,kBACnB,CAAC;IAED,IAAI,CAACI,sBAAsB,EAAE;MAC3B,MAAM,IAAIG,uBAAe,CACtB,iBAAgBP,kBAAmB,uDAAsDD,CAAE,mCAAkC,EAC9H;QAAES,UAAU,EAAET,CAAC;QAAEZ,GAAG,EAAEa;MAAmB,CAC3C,CAAC;IACH;IAEA,IACE,CAACI,sBAAsB,CAACK,GAAG,IAC3BL,sBAAsB,CAACK,GAAG,CAACnC,MAAM,KAAK,CAAC,EACvC;MACA,MAAM,IAAIoC,6BAAqB,CAC5B,iBAAgBV,kBAAmB,0EAAyED,CAAE,GACjH,CAAC;IACH;;IAEA;IACA;IACA;IACA,MAAMY,eAAe,GACnBP,sBAAsB,CAACK,GAAG,CAACnC,MAAM,GAAG,CAAC,IACrC8B,sBAAsB,CAACK,GAAG,CAACG,EAAE,CAAC,CAAC,CAAC,CAAC,KAAKlB,yBAAyB,GAC3DU,sBAAsB,CAACK,GAAG,CAACI,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GACvCT,sBAAsB,CAACK,GAAG;IAEhC,MAAMK,oBAAiD,GACrD,MAAM,IAAAC,2CAAsB,EAC1BJ,eAAe,EACfjB,yBAAyB,EACzBrB,WACF,CAAC;IAEH,IAAI,CAACyC,oBAAoB,CAACE,OAAO,EAAE;MACjC,MAAM,IAAIC,2BAAmB,CAC1B,gEAA+DlB,CAAE,UAASC,kBAAmB,cAAac,oBAAoB,CAACI,gBAAiB,YAAWJ,oBAAoB,CAACK,YAAa,EAAC,EAC/L;QACEX,UAAU,EAAET,CAAC;QACbZ,GAAG,EAAEa,kBAAkB;QACvBoB,oBAAoB,EAAEN,oBAAoB,CAACI,gBAAgB;QAC3DG,gBAAgB,EAAEP,oBAAoB,CAACK;MACzC,CACF,CAAC;IACH;IACA,OAAOjB,WAAW;EACpB,CAAC,CAAC;EAEF,OAAOoB,OAAO,CAACC,GAAG,CAAC3B,kBAAkB,CAAC;AACxC;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe4B,eAAeA,CACnCpD,KAAe,EAEI;EAAA,IADnBqD,QAA8B,GAAAC,SAAA,CAAApD,MAAA,QAAAoD,SAAA,QAAAC,SAAA,GAAAD,SAAA,MAAGE,KAAK;EAEtC,OAAON,OAAO,CAACC,GAAG,CAChBnD,KAAK,CAACyB,GAAG,CAAC,OAAOjB,KAAK,EAAEE,KAAK,KAAK;IAChC,MAAM+C,OAAO,GAAG,IAAA5C,aAAM,EAACL,KAAK,CAAC;IAE7B,MAAMkD,qBAAqB,GAAGhE,sBAAe,CAACiE,SAAS,CAACF,OAAO,CAAC;IAChE,MAAMG,yBAAyB,GAAGpE,0BAAmB,CAACmE,SAAS,CAACF,OAAO,CAAC;IAExE,IAAIG,yBAAyB,CAACC,OAAO,EAAE;MACrC,OAAO,IAAAC,8BAA4B,EACjCF,yBAAyB,CAACG,IAAI,CAAC9C,OAAO,CAAC+C,GAAG,EAC1C;QAAEX;MAAS,CACb,CAAC;IACH;IACA,IAAIK,qBAAqB,CAACG,OAAO,EAAE;MACjC,MAAMI,eAAe,GAAGP,qBAAqB,CAACK,IAAI;MAElD,MAAMG,aAAa,GAAGD,eAAe,CAAChD,OAAO,CAAC+C,GAAG;MACjD,MAAMG,WAAW,GAAG,MAAM,IAAAL,8BAA4B,EAACI,aAAa,EAAE;QACpEb;MACF,CAAC,CAAC;MACF,MAAMe,QAAQ,GAAG5E,0BAAmB,CAACoB,KAAK,CAAC,IAAAC,aAAM,EAACsD,WAAW,CAAC,CAAC;MAE/D,MAAME,uBAAuB,GAC3BD,QAAQ,CAACnD,OAAO,CAACqD,QAAQ,CAACC,iBAAiB,CAACC,yBAAyB;MACvE,IAAI,CAACH,uBAAuB,EAAE;QAC5B,MAAM,IAAII,2CAAmC,CAC1C,gBAAeP,aAAc,8DAA6DD,eAAe,CAAChD,OAAO,CAACyD,GAAI,GAAE,EACzH;UACEC,aAAa,EAAEV,eAAe,CAAChD,OAAO,CAACyD,GAAG;UAC1CE,kBAAkB,EAAEV;QACtB,CACF,CAAC;MACH;MACA,OAAO,IAAAW,0BAAwB,EAC7BR,uBAAuB,EACvBJ,eAAe,CAAChD,OAAO,CAACyD,GAAG,EAC3B;QAAErB;MAAS,CACb,CAAC;IACH;IACA,MAAM,IAAIyB,8BAAsB,CAC7B,iDAAgDpE,KAAM,mBAAkB,EACzE;MAAEqE,aAAa,EAAE/E;IAAM,CACzB,CAAC;EACH,CAAC,CACH,CAAC;AACH"}

package/lib/commonjs/trust/errors.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.TrustChainTokenMissingError = exports.TrustChainRenewalError = exports.TrustChainEmptyError = exports.TrustAnchorKidMissingError = exports.RelyingPartyNotAuthorizedError = exports.MissingFederationFetchEndpointError = exports.FederationListParseError = exports.FederationError = exports.BuildTrustChainError = void 0;
+exports.X509ValidationError = exports.TrustChainTokenMissingError = exports.TrustChainRenewalError = exports.TrustChainEmptyError = exports.TrustAnchorKidMissingError = exports.RelyingPartyNotAuthorizedError = exports.MissingX509CertsError = exports.MissingFederationFetchEndpointError = exports.FederationListParseError = exports.FederationError = exports.BuildTrustChainError = void 0;
 var _errors = require("../utils/errors");
 // Ensure this path is correct
 
@@ -106,5 +106,28 @@ class MissingFederationFetchEndpointError extends FederationError {
     super(message, details);
   }
 }
+
+/**
+ * Error thrown when the X.509 certificate chain is missing in an entity's configuration.
+ */
 exports.MissingFederationFetchEndpointError = MissingFederationFetchEndpointError;
+class MissingX509CertsError extends FederationError {
+  code = "ERR_FED_MISSING_X509_CERTS";
+  constructor(message) {
+    super(message, undefined);
+  }
+}
+
+/**
+ * Error thrown when an X.509 certificate validation fails.
+ * This is used to indicate issues with the certificate chain or signature verification.
+ */
+exports.MissingX509CertsError = MissingX509CertsError;
+class X509ValidationError extends FederationError {
+  code = "ERR_FED_X509_VALIDATION_FAILED";
+  constructor(message, details) {
+    super(message, details);
+  }
+}
+exports.X509ValidationError = X509ValidationError;
 //# sourceMappingURL=errors.js.map

package/lib/commonjs/trust/errors.js.map

@@ -1 +1 @@
-{"version":3,"names":["_errors","require","FederationError","IoWalletError","constructor","message","details","serializeAttrs","name","exports","TrustChainEmptyError","code","arguments","length","undefined","TrustChainTokenMissingError","TrustChainRenewalError","FederationListParseError","BuildTrustChainError","TrustAnchorKidMissingError","RelyingPartyNotAuthorizedError","MissingFederationFetchEndpointError"],"sourceRoot":"../../../src","sources":["trust/errors.ts"],"mappings":";;;;;;AAAA,IAAAA,OAAA,GAAAC,OAAA;AAAiE;;AAEjE;AACA;AACA;AACO,MAAMC,eAAe,SAASC,qBAAa,CAAC;EACjDC,WAAWA,CAACC,OAAe,EAAEC,OAAiC,EAAE;IAC9D,KAAK,CAACA,OAAO,GAAG,IAAAC,sBAAc,EAAC;MAAEF,OAAO;MAAE,GAAGC;IAAQ,CAAC,CAAC,GAAGD,OAAO,CAAC;IAClE,IAAI,CAACG,IAAI,GAAG,IAAI,CAACJ,WAAW,CAACI,IAAI;EACnC;AACF;;AAEA;AACA;AACA;AAFAC,OAAA,CAAAP,eAAA,GAAAA,eAAA;AAGO,MAAMQ,oBAAoB,SAASR,eAAe,CAAC;EACxDS,IAAI,GAAG,2BAA2B;EAClCP,WAAWA,CAAA,EAA2C;IAAA,IAA1CC,OAAO,GAAAO,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,8BAA8B;IAClD,KAAK,CAACP,OAAO,EAAES,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AAFAL,OAAA,CAAAC,oBAAA,GAAAA,oBAAA;AAGO,MAAMK,2BAA2B,SAASb,eAAe,CAAC;EAC/DS,IAAI,GAAG,mCAAmC;EAC1CP,WAAWA,CAACC,OAAe,EAAEC,OAA4B,EAAE;IACzD,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA;AAHAG,OAAA,CAAAM,2BAAA,GAAAA,2BAAA;AAIO,MAAMC,sBAAsB,SAASd,eAAe,CAAC;EAC1DS,IAAI,GAAG,oCAAoC;EAC3CP,WAAWA,CACTC,OAAe,EACfC,OAA8D,EAC9D;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;AAACG,OAAA,CAAAO,sBAAA,GAAAA,sBAAA;AAEM,MAAMC,wBAAwB,SAASf,eAAe,CAAC;EAC5DS,IAAI,GAAG,sCAAsC;EAC7CP,WAAWA,CAACC,OAAe,EAAEC,OAA6C,EAAE;IAC1E,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AAFAG,OAAA,CAAAQ,wBAAA,GAAAA,wBAAA;AAGO,MAAMC,oBAAoB,SAAShB,eAAe,CAAC;EACxDS,IAAI,GAAG,kCAAkC;EACzCP,WAAWA,CACTC,OAAe,EACfC,OAIC,EACD;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AAFAG,OAAA,CAAAS,oBAAA,GAAAA,oBAAA;AAGO,MAAMC,0BAA0B,SAASjB,eAAe,CAAC;EAC9DS,IAAI,GAAG,kCAAkC;EACzCP,WAAWA,CAAA,EAA0D;IAAA,IAAzDC,OAAO,GAAAO,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,6CAA6C;IACjE,KAAK,CAACP,OAAO,EAAES,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AAFAL,OAAA,CAAAU,0BAAA,GAAAA,0BAAA;AAGO,MAAMC,8BAA8B,SAASlB,eAAe,CAAC;EAClES,IAAI,GAAG,sCAAsC;EAC7CP,WAAWA,CACTC,OAAe,EACfC,OAAqE,EACrE;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AAFAG,OAAA,CAAAW,8BAAA,GAAAA,8BAAA;AAGO,MAAMC,mCAAmC,SAASnB,eAAe,CAAC;EACvES,IAAI,GAAG,2CAA2C;EAClDP,WAAWA,CACTC,OAAe,EACfC,OAA8D,EAC9D;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;AAACG,OAAA,CAAAY,mCAAA,GAAAA,mCAAA"}
+{"version":3,"names":["_errors","require","FederationError","IoWalletError","constructor","message","details","serializeAttrs","name","exports","TrustChainEmptyError","code","arguments","length","undefined","TrustChainTokenMissingError","TrustChainRenewalError","FederationListParseError","BuildTrustChainError","TrustAnchorKidMissingError","RelyingPartyNotAuthorizedError","MissingFederationFetchEndpointError","MissingX509CertsError","X509ValidationError"],"sourceRoot":"../../../src","sources":["trust/errors.ts"],"mappings":";;;;;;AAAA,IAAAA,OAAA,GAAAC,OAAA;AACmF;;AAEnF;AACA;AACA;AACO,MAAMC,eAAe,SAASC,qBAAa,CAAC;EACjDC,WAAWA,CAACC,OAAe,EAAEC,OAAiC,EAAE;IAC9D,KAAK,CAACA,OAAO,GAAG,IAAAC,sBAAc,EAAC;MAAEF,OAAO;MAAE,GAAGC;IAAQ,CAAC,CAAC,GAAGD,OAAO,CAAC;IAClE,IAAI,CAACG,IAAI,GAAG,IAAI,CAACJ,WAAW,CAACI,IAAI;EACnC;AACF;;AAEA;AACA;AACA;AAFAC,OAAA,CAAAP,eAAA,GAAAA,eAAA;AAGO,MAAMQ,oBAAoB,SAASR,eAAe,CAAC;EACxDS,IAAI,GAAG,2BAA2B;EAClCP,WAAWA,CAAA,EAA2C;IAAA,IAA1CC,OAAO,GAAAO,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,8BAA8B;IAClD,KAAK,CAACP,OAAO,EAAES,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AAFAL,OAAA,CAAAC,oBAAA,GAAAA,oBAAA;AAGO,MAAMK,2BAA2B,SAASb,eAAe,CAAC;EAC/DS,IAAI,GAAG,mCAAmC;EAC1CP,WAAWA,CAACC,OAAe,EAAEC,OAA4B,EAAE;IACzD,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA;AAHAG,OAAA,CAAAM,2BAAA,GAAAA,2BAAA;AAIO,MAAMC,sBAAsB,SAASd,eAAe,CAAC;EAC1DS,IAAI,GAAG,oCAAoC;EAC3CP,WAAWA,CACTC,OAAe,EACfC,OAA8D,EAC9D;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;AAACG,OAAA,CAAAO,sBAAA,GAAAA,sBAAA;AAEM,MAAMC,wBAAwB,SAASf,eAAe,CAAC;EAC5DS,IAAI,GAAG,sCAAsC;EAC7CP,WAAWA,CAACC,OAAe,EAAEC,OAA6C,EAAE;IAC1E,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AAFAG,OAAA,CAAAQ,wBAAA,GAAAA,wBAAA;AAGO,MAAMC,oBAAoB,SAAShB,eAAe,CAAC;EACxDS,IAAI,GAAG,kCAAkC;EACzCP,WAAWA,CACTC,OAAe,EACfC,OAIC,EACD;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AAFAG,OAAA,CAAAS,oBAAA,GAAAA,oBAAA;AAGO,MAAMC,0BAA0B,SAASjB,eAAe,CAAC;EAC9DS,IAAI,GAAG,kCAAkC;EACzCP,WAAWA,CAAA,EAA0D;IAAA,IAAzDC,OAAO,GAAAO,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,6CAA6C;IACjE,KAAK,CAACP,OAAO,EAAES,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AAFAL,OAAA,CAAAU,0BAAA,GAAAA,0BAAA;AAGO,MAAMC,8BAA8B,SAASlB,eAAe,CAAC;EAClES,IAAI,GAAG,sCAAsC;EAC7CP,WAAWA,CACTC,OAAe,EACfC,OAAqE,EACrE;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AAFAG,OAAA,CAAAW,8BAAA,GAAAA,8BAAA;AAGO,MAAMC,mCAAmC,SAASnB,eAAe,CAAC;EACvES,IAAI,GAAG,2CAA2C;EAClDP,WAAWA,CACTC,OAAe,EACfC,OAA8D,EAC9D;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AAFAG,OAAA,CAAAY,mCAAA,GAAAA,mCAAA;AAGO,MAAMC,qBAAqB,SAASpB,eAAe,CAAC;EACzDS,IAAI,GAAG,4BAA4B;EACnCP,WAAWA,CAACC,OAAe,EAAE;IAC3B,KAAK,CAACA,OAAO,EAAES,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AACA;AAHAL,OAAA,CAAAa,qBAAA,GAAAA,qBAAA;AAIO,MAAMC,mBAAmB,SAASrB,eAAe,CAAC;EACvDS,IAAI,GAAG,gCAAgC;EACvCP,WAAWA,CACTC,OAAe,EACfC,OAMC,EACD;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;AAACG,OAAA,CAAAc,mBAAA,GAAAA,mBAAA"}

package/lib/commonjs/trust/index.js

@@ -24,22 +24,28 @@ var _errors = require("./errors");
  *
  * @param trustAnchorEntity The entity configuration of the known trust anchor
  * @param chain The chain of statements to be validated
- * @param renewOnFail Whether to renew the provided chain if the validation fails at first. Default: true
- * @param appFetch Fetch api implementation. Default: the built-in implementation
+ * @param x509Options Options for the verification process
+ * @param appFetch (optional) fetch api implementation
+ * @param renewOnFail Whether to attempt to renew the trust chain if the initial validation fails
  * @returns The result of the chain validation
  * @throws {FederationError} If the chain is not valid
  */
 async function verifyTrustChain(trustAnchorEntity, chain) {
+  let x509Options = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {
+    connectTimeout: 10000,
+    readTimeout: 10000,
+    requireCrl: true
+  };
   let {
     appFetch = fetch,
     renewOnFail = true
-  } = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {};
+  } = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : {};
   try {
-    return (0, _chain.validateTrustChain)(trustAnchorEntity, chain);
+    return (0, _chain.validateTrustChain)(trustAnchorEntity, chain, x509Options);
   } catch (error) {
     if (renewOnFail) {
       const renewedChain = await (0, _chain.renewTrustChain)(chain, appFetch);
-      return (0, _chain.validateTrustChain)(trustAnchorEntity, renewedChain);
+      return (0, _chain.validateTrustChain)(trustAnchorEntity, renewedChain, x509Options);
     } else {
       throw error;
     }

package/lib/commonjs/trust/index.js.map

@@ -1 +1 @@
-{"version":3,"names":["_utils","require","_ioReactNativeJwt","_types","_chain","_misc","_errors","verifyTrustChain","trustAnchorEntity","chain","appFetch","fetch","renewOnFail","arguments","length","undefined","validateTrustChain","error","renewedChain","renewTrustChain","getSignedEntityConfiguration","entityBaseUrl","wellKnownUrl","method","then","hasStatusOrThrow","res","text","fetchAndParseEntityConfiguration","schema","responseText","responseJwt","decodeJwt","parse","header","protectedHeader","payload","getWalletProviderEntityConfiguration","options","WalletProviderEntityConfiguration","exports","getCredentialIssuerEntityConfiguration","CredentialIssuerEntityConfiguration","getTrustAnchorEntityConfiguration","TrustAnchorEntityConfiguration","getRelyingPartyEntityConfiguration","RelyingPartyEntityConfiguration","getEntityConfiguration","EntityConfiguration","getEntityStatement","accreditationBodyBaseUrl","subordinatedEntityBaseUrl","getSignedEntityStatement","EntityStatement","federationFetchEndpoint","url","URL","searchParams","set","toString","getFederationList","federationListEndpoint","json","result","FederationListResponse","safeParse","success","FederationListParseError","message","parseError","data","buildTrustChain","relyingPartyEntityBaseUrl","trustAnchorKey","trustChain","gatherTrustChain","trustAnchorJwt","BuildTrustChainError","relyingPartyUrl","kid","TrustAnchorKidMissingError","verify","trustAnchorConfig","decode","metadata","federation_entity","federation_list_endpoint","federationList","includes","RelyingPartyNotAuthorizedError","isLeaf","entityECJwt","entityEC","push","authorityHints","authority_hints","parentEntityBaseUrl","parentECJwt","parentEC","federation_fetch_endpoint","MissingFederationFetchEndpointError","missingInEntityUrl","entityStatementJwt","parentChain","concat"],"sourceRoot":"../../../src","sources":["trust/index.ts"],"mappings":";;;;;;;;;;;;;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AACA,IAAAC,iBAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AASA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,KAAA,GAAAJ,OAAA;AAEA,IAAAK,OAAA,GAAAL,OAAA;AAiBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeM,gBAAgBA,CACpCC,iBAAiD,EACjDC,KAAe,EAKiC;EAAA,IAJhD;IACEC,QAAQ,GAAGC,KAAK;IAChBC,WAAW,GAAG;EAC4C,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAElE,IAAI;IACF,OAAO,IAAAG,yBAAkB,EAACR,iBAAiB,EAAEC,KAAK,CAAC;EACrD,CAAC,CAAC,OAAOQ,KAAK,EAAE;IACd,IAAIL,WAAW,EAAE;MACf,MAAMM,YAAY,GAAG,MAAM,IAAAC,sBAAe,EAACV,KAAK,EAAEC,QAAQ,CAAC;MAC3D,OAAO,IAAAM,yBAAkB,EAACR,iBAAiB,EAAEU,YAAY,CAAC;IAC5D,CAAC,MAAM;MACL,MAAMD,KAAK;IACb;EACF;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeG,4BAA4BA,CAChDC,aAAqB,EAMJ;EAAA,IALjB;IACEX,QAAQ,GAAGC;EAGb,CAAC,GAAAE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMS,YAAY,GAAI,GAAED,aAAc,gCAA+B;EAErE,OAAO,MAAMX,QAAQ,CAACY,YAAY,EAAE;IAClCC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoCA,eAAeC,gCAAgCA,CAC7CP,aAAqB,EACrBQ,MAK8B,EAM9B;EAAA,IALA;IACEnB,QAAQ,GAAGC;EAGb,CAAC,GAAAE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMiB,YAAY,GAAG,MAAMV,4BAA4B,CAACC,aAAa,EAAE;IACrEX;EACF,CAAC,CAAC;EAEF,MAAMqB,WAAW,GAAG,IAAAC,wBAAS,EAACF,YAAY,CAAC;EAC3C,OAAOD,MAAM,CAACI,KAAK,CAAC;IAClBC,MAAM,EAAEH,WAAW,CAACI,eAAe;IACnCC,OAAO,EAAEL,WAAW,CAACK;EACvB,CAAC,CAAC;AACJ;AAEO,MAAMC,oCAAoC,GAAGA,CAClDhB,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAC9BP,aAAa,EACbkB,wCAAiC,EACjCD,OACF,CAAC;AAACE,OAAA,CAAAH,oCAAA,GAAAA,oCAAA;AAEG,MAAMI,sCAAsC,GAAGA,CACpDpB,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAC9BP,aAAa,EACbqB,0CAAmC,EACnCJ,OACF,CAAC;AAACE,OAAA,CAAAC,sCAAA,GAAAA,sCAAA;AAEG,MAAME,iCAAiC,GAAGA,CAC/CtB,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAC9BP,aAAa,EACbuB,qCAA8B,EAC9BN,OACF,CAAC;AAACE,OAAA,CAAAG,iCAAA,GAAAA,iCAAA;AAEG,MAAME,kCAAkC,GAAGA,CAChDxB,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAC9BP,aAAa,EACbyB,sCAA+B,EAC/BR,OACF,CAAC;AAACE,OAAA,CAAAK,kCAAA,GAAAA,kCAAA;AAEG,MAAME,sBAAsB,GAAGA,CACpC1B,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAACP,aAAa,EAAE2B,0BAAmB,EAAEV,OAAO,CAAC;;AAE/E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AARAE,OAAA,CAAAO,sBAAA,GAAAA,sBAAA;AASO,eAAeE,kBAAkBA,CACtCC,wBAAgC,EAChCC,yBAAiC,EAMjC;EAAA,IALA;IACEzC,QAAQ,GAAGC;EAGb,CAAC,GAAAE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMiB,YAAY,GAAG,MAAMsB,wBAAwB,CACjDF,wBAAwB,EACxBC,yBAAyB,EACzB;IACEzC;EACF,CACF,CAAC;EAED,MAAMqB,WAAW,GAAG,IAAAC,wBAAS,EAACF,YAAY,CAAC;EAC3C,OAAOuB,sBAAe,CAACpB,KAAK,CAAC;IAC3BC,MAAM,EAAEH,WAAW,CAACI,eAAe;IACnCC,OAAO,EAAEL,WAAW,CAACK;EACvB,CAAC,CAAC;AACJ;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAegB,wBAAwBA,CAC5CE,uBAA+B,EAC/BH,yBAAiC,EAMjC;EAAA,IALA;IACEzC,QAAQ,GAAGC;EAGb,CAAC,GAAAE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAM0C,GAAG,GAAG,IAAIC,GAAG,CAACF,uBAAuB,CAAC;EAC5CC,GAAG,CAACE,YAAY,CAACC,GAAG,CAAC,KAAK,EAAEP,yBAAyB,CAAC;EAEtD,OAAO,MAAMzC,QAAQ,CAAC6C,GAAG,CAACI,QAAQ,CAAC,CAAC,EAAE;IACpCpC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeiC,iBAAiBA,CACrCC,sBAA8B,EAMX;EAAA,IALnB;IACEnD,QAAQ,GAAGC;EAGb,CAAC,GAAAE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,OAAO,MAAMH,QAAQ,CAACmD,sBAAsB,EAAE;IAC5CtC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACoC,IAAI,CAAC,CAAC,CAAC,CACzBtC,IAAI,CAAEsC,IAAI,IAAK;IACd,MAAMC,MAAM,GAAGC,6BAAsB,CAACC,SAAS,CAACH,IAAI,CAAC;IACrD,IAAI,CAACC,MAAM,CAACG,OAAO,EAAE;MACnB,MAAM,IAAIC,gCAAwB,CAC/B,gDAA+CN,sBAAuB,YAAWE,MAAM,CAAC9C,KAAK,CAACmD,OAAQ,EAAC,EACxG;QAAEb,GAAG,EAAEM,sBAAsB;QAAEQ,UAAU,EAAEN,MAAM,CAAC9C,KAAK,CAAC0C,QAAQ,CAAC;MAAE,CACrE,CAAC;IACH;IACA,OAAOI,MAAM,CAACO,IAAI;EACpB,CAAC,CAAC;AACN;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeC,eAAeA,CACnCC,yBAAiC,EACjCC,cAAmB,EAEA;EAAA,IADnB/D,QAA8B,GAAAG,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGF,KAAK;EAEtC;EACA,MAAM+D,UAAU,GAAG,MAAMC,gBAAgB,CACvCH,yBAAyB,EACzB9D,QACF,CAAC;;EAED;EACA,MAAMkE,cAAc,GAAGF,UAAU,CAACA,UAAU,CAAC5D,MAAM,GAAG,CAAC,CAAC;EACxD,IAAI,CAAC8D,cAAc,EAAE;IACnB,MAAM,IAAIC,4BAAoB,CAC5B,6EAA6E,EAC7E;MAAEC,eAAe,EAAEN;IAA0B,CAC/C,CAAC;EACH;EAEA,IAAI,CAACC,cAAc,CAACM,GAAG,EAAE;IACvB,MAAM,IAAIC,kCAA0B,CAAC,CAAC;EACxC;EAEA,MAAM,IAAAC,aAAM,EAACL,cAAc,EAAEH,cAAc,CAACM,GAAG,EAAE,CAACN,cAAc,CAAC,CAAC;;EAElE;EACA,MAAMS,iBAAiB,GAAGlC,0BAAmB,CAACf,KAAK,CAAC,IAAAkD,aAAM,EAACP,cAAc,CAAC,CAAC;EAC3E,MAAMf,sBAAsB,GAC1BqB,iBAAiB,CAAC9C,OAAO,CAACgD,QAAQ,CAACC,iBAAiB,CACjDC,wBAAwB;EAE7B,IAAIzB,sBAAsB,EAAE;IAC1B,MAAM0B,cAAc,GAAG,MAAM3B,iBAAiB,CAACC,sBAAsB,EAAE;MACrEnD;IACF,CAAC,CAAC;IAEF,IAAI,CAAC6E,cAAc,CAACC,QAAQ,CAAChB,yBAAyB,CAAC,EAAE;MACvD,MAAM,IAAIiB,sCAA8B,CACtC,wFAAwF,EACxF;QAAEX,eAAe,EAAEN,yBAAyB;QAAEX;MAAuB,CACvE,CAAC;IACH;EACF;EAEA,OAAOa,UAAU;AACnB;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAeC,gBAAgBA,CAC7BtD,aAAqB,EACrBX,QAA8B,EAEX;EAAA,IADnBgF,MAAe,GAAA7E,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,IAAI;EAEtB,MAAMJ,KAAe,GAAG,EAAE;;EAE1B;EACA,MAAMkF,WAAW,GAAG,MAAMvE,4BAA4B,CAACC,aAAa,EAAE;IACpEX;EACF,CAAC,CAAC;EACF,MAAMkF,QAAQ,GAAG5C,0BAAmB,CAACf,KAAK,CAAC,IAAAkD,aAAM,EAACQ,WAAW,CAAC,CAAC;EAE/D,IAAID,MAAM,EAAE;IACV;IACAjF,KAAK,CAACoF,IAAI,CAACF,WAAW,CAAC;EACzB;;EAEA;EACA,MAAMG,cAAc,GAAGF,QAAQ,CAACxD,OAAO,CAAC2D,eAAe,IAAI,EAAE;EAC7D,IAAID,cAAc,CAAChF,MAAM,KAAK,CAAC,EAAE;IAC/B;IACA,IAAI,CAAC4E,MAAM,EAAE;MACXjF,KAAK,CAACoF,IAAI,CAACF,WAAW,CAAC;IACzB;IACA,OAAOlF,KAAK;EACd;EAEA,MAAMuF,mBAAmB,GAAGF,cAAc,CAAC,CAAC,CAAE;;EAE9C;EACA,MAAMG,WAAW,GAAG,MAAM7E,4BAA4B,CAAC4E,mBAAmB,EAAE;IAC1EtF;EACF,CAAC,CAAC;EACF,MAAMwF,QAAQ,GAAGlD,0BAAmB,CAACf,KAAK,CAAC,IAAAkD,aAAM,EAACc,WAAW,CAAC,CAAC;;EAE/D;EACA,MAAM3C,uBAAuB,GAC3B4C,QAAQ,CAAC9D,OAAO,CAACgD,QAAQ,CAACC,iBAAiB,CAACc,yBAAyB;EACvE,IAAI,CAAC7C,uBAAuB,EAAE;IAC5B,MAAM,IAAI8C,2CAAmC,CAC1C,kDAAiDJ,mBAAoB,4CAA2C3E,aAAc,GAAE,EACjI;MAAEA,aAAa;MAAEgF,kBAAkB,EAAEL;IAAoB,CAC3D,CAAC;EACH;EAEA,MAAMM,kBAAkB,GAAG,MAAMlD,wBAAwB,CACvDE,uBAAuB,EACvBjC,aAAa,EACb;IAAEX;EAAS,CACb,CAAC;EACD;EACA2C,sBAAe,CAACpB,KAAK,CAAC,IAAAkD,aAAM,EAACmB,kBAAkB,CAAC,CAAC;;EAEjD;EACA7F,KAAK,CAACoF,IAAI,CAACS,kBAAkB,CAAC;;EAE9B;EACA,MAAMC,WAAW,GAAG,MAAM5B,gBAAgB,CACxCqB,mBAAmB,EACnBtF,QAAQ,EACR,KACF,CAAC;EAED,OAAOD,KAAK,CAAC+F,MAAM,CAACD,WAAW,CAAC;AAClC"}
+{"version":3,"names":["_utils","require","_ioReactNativeJwt","_types","_chain","_misc","_errors","verifyTrustChain","trustAnchorEntity","chain","x509Options","arguments","length","undefined","connectTimeout","readTimeout","requireCrl","appFetch","fetch","renewOnFail","validateTrustChain","error","renewedChain","renewTrustChain","getSignedEntityConfiguration","entityBaseUrl","wellKnownUrl","method","then","hasStatusOrThrow","res","text","fetchAndParseEntityConfiguration","schema","responseText","responseJwt","decodeJwt","parse","header","protectedHeader","payload","getWalletProviderEntityConfiguration","options","WalletProviderEntityConfiguration","exports","getCredentialIssuerEntityConfiguration","CredentialIssuerEntityConfiguration","getTrustAnchorEntityConfiguration","TrustAnchorEntityConfiguration","getRelyingPartyEntityConfiguration","RelyingPartyEntityConfiguration","getEntityConfiguration","EntityConfiguration","getEntityStatement","accreditationBodyBaseUrl","subordinatedEntityBaseUrl","getSignedEntityStatement","EntityStatement","federationFetchEndpoint","url","URL","searchParams","set","toString","getFederationList","federationListEndpoint","json","result","FederationListResponse","safeParse","success","FederationListParseError","message","parseError","data","buildTrustChain","relyingPartyEntityBaseUrl","trustAnchorKey","trustChain","gatherTrustChain","trustAnchorJwt","BuildTrustChainError","relyingPartyUrl","kid","TrustAnchorKidMissingError","verify","trustAnchorConfig","decode","metadata","federation_entity","federation_list_endpoint","federationList","includes","RelyingPartyNotAuthorizedError","isLeaf","entityECJwt","entityEC","push","authorityHints","authority_hints","parentEntityBaseUrl","parentECJwt","parentEC","federation_fetch_endpoint","MissingFederationFetchEndpointError","missingInEntityUrl","entityStatementJwt","parentChain","concat"],"sourceRoot":"../../../src","sources":["trust/index.ts"],"mappings":";;;;;;;;;;;;;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AACA,IAAAC,iBAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AASA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,KAAA,GAAAJ,OAAA;AAEA,IAAAK,OAAA,GAAAL,OAAA;AAkBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeM,gBAAgBA,CACpCC,iBAAiD,EACjDC,KAAe,EAUiC;EAAA,IAThDC,WAAmC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG;IACpCG,cAAc,EAAE,KAAK;IACrBC,WAAW,EAAE,KAAK;IAClBC,UAAU,EAAE;EACd,CAAC;EAAA,IACD;IACEC,QAAQ,GAAGC,KAAK;IAChBC,WAAW,GAAG;EAC4C,CAAC,GAAAR,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAElE,IAAI;IACF,OAAO,IAAAS,yBAAkB,EAACZ,iBAAiB,EAAEC,KAAK,EAAEC,WAAW,CAAC;EAClE,CAAC,CAAC,OAAOW,KAAK,EAAE;IACd,IAAIF,WAAW,EAAE;MACf,MAAMG,YAAY,GAAG,MAAM,IAAAC,sBAAe,EAACd,KAAK,EAAEQ,QAAQ,CAAC;MAC3D,OAAO,IAAAG,yBAAkB,EAACZ,iBAAiB,EAAEc,YAAY,EAAEZ,WAAW,CAAC;IACzE,CAAC,MAAM;MACL,MAAMW,KAAK;IACb;EACF;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeG,4BAA4BA,CAChDC,aAAqB,EAMJ;EAAA,IALjB;IACER,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMe,YAAY,GAAI,GAAED,aAAc,gCAA+B;EAErE,OAAO,MAAMR,QAAQ,CAACS,YAAY,EAAE;IAClCC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoCA,eAAeC,gCAAgCA,CAC7CP,aAAqB,EACrBQ,MAK8B,EAM9B;EAAA,IALA;IACEhB,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMuB,YAAY,GAAG,MAAMV,4BAA4B,CAACC,aAAa,EAAE;IACrER;EACF,CAAC,CAAC;EAEF,MAAMkB,WAAW,GAAG,IAAAC,wBAAS,EAACF,YAAY,CAAC;EAC3C,OAAOD,MAAM,CAACI,KAAK,CAAC;IAClBC,MAAM,EAAEH,WAAW,CAACI,eAAe;IACnCC,OAAO,EAAEL,WAAW,CAACK;EACvB,CAAC,CAAC;AACJ;AAEO,MAAMC,oCAAoC,GAAGA,CAClDhB,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAC9BP,aAAa,EACbkB,wCAAiC,EACjCD,OACF,CAAC;AAACE,OAAA,CAAAH,oCAAA,GAAAA,oCAAA;AAEG,MAAMI,sCAAsC,GAAGA,CACpDpB,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAC9BP,aAAa,EACbqB,0CAAmC,EACnCJ,OACF,CAAC;AAACE,OAAA,CAAAC,sCAAA,GAAAA,sCAAA;AAEG,MAAME,iCAAiC,GAAGA,CAC/CtB,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAC9BP,aAAa,EACbuB,qCAA8B,EAC9BN,OACF,CAAC;AAACE,OAAA,CAAAG,iCAAA,GAAAA,iCAAA;AAEG,MAAME,kCAAkC,GAAGA,CAChDxB,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAC9BP,aAAa,EACbyB,sCAA+B,EAC/BR,OACF,CAAC;AAACE,OAAA,CAAAK,kCAAA,GAAAA,kCAAA;AAEG,MAAME,sBAAsB,GAAGA,CACpC1B,aAAqE,EACrEiB,OAAgE,KAEhEV,gCAAgC,CAACP,aAAa,EAAE2B,0BAAmB,EAAEV,OAAO,CAAC;;AAE/E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AARAE,OAAA,CAAAO,sBAAA,GAAAA,sBAAA;AASO,eAAeE,kBAAkBA,CACtCC,wBAAgC,EAChCC,yBAAiC,EAMjC;EAAA,IALA;IACEtC,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMuB,YAAY,GAAG,MAAMsB,wBAAwB,CACjDF,wBAAwB,EACxBC,yBAAyB,EACzB;IACEtC;EACF,CACF,CAAC;EAED,MAAMkB,WAAW,GAAG,IAAAC,wBAAS,EAACF,YAAY,CAAC;EAC3C,OAAOuB,sBAAe,CAACpB,KAAK,CAAC;IAC3BC,MAAM,EAAEH,WAAW,CAACI,eAAe;IACnCC,OAAO,EAAEL,WAAW,CAACK;EACvB,CAAC,CAAC;AACJ;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAegB,wBAAwBA,CAC5CE,uBAA+B,EAC/BH,yBAAiC,EAMjC;EAAA,IALA;IACEtC,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMgD,GAAG,GAAG,IAAIC,GAAG,CAACF,uBAAuB,CAAC;EAC5CC,GAAG,CAACE,YAAY,CAACC,GAAG,CAAC,KAAK,EAAEP,yBAAyB,CAAC;EAEtD,OAAO,MAAMtC,QAAQ,CAAC0C,GAAG,CAACI,QAAQ,CAAC,CAAC,EAAE;IACpCpC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeiC,iBAAiBA,CACrCC,sBAA8B,EAMX;EAAA,IALnB;IACEhD,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,OAAO,MAAMM,QAAQ,CAACgD,sBAAsB,EAAE;IAC5CtC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACoC,IAAI,CAAC,CAAC,CAAC,CACzBtC,IAAI,CAAEsC,IAAI,IAAK;IACd,MAAMC,MAAM,GAAGC,6BAAsB,CAACC,SAAS,CAACH,IAAI,CAAC;IACrD,IAAI,CAACC,MAAM,CAACG,OAAO,EAAE;MACnB,MAAM,IAAIC,gCAAwB,CAC/B,gDAA+CN,sBAAuB,YAAWE,MAAM,CAAC9C,KAAK,CAACmD,OAAQ,EAAC,EACxG;QAAEb,GAAG,EAAEM,sBAAsB;QAAEQ,UAAU,EAAEN,MAAM,CAAC9C,KAAK,CAAC0C,QAAQ,CAAC;MAAE,CACrE,CAAC;IACH;IACA,OAAOI,MAAM,CAACO,IAAI;EACpB,CAAC,CAAC;AACN;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeC,eAAeA,CACnCC,yBAAiC,EACjCC,cAAmB,EAEA;EAAA,IADnB5D,QAA8B,GAAAN,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGO,KAAK;EAEtC;EACA,MAAM4D,UAAU,GAAG,MAAMC,gBAAgB,CACvCH,yBAAyB,EACzB3D,QACF,CAAC;;EAED;EACA,MAAM+D,cAAc,GAAGF,UAAU,CAACA,UAAU,CAAClE,MAAM,GAAG,CAAC,CAAC;EACxD,IAAI,CAACoE,cAAc,EAAE;IACnB,MAAM,IAAIC,4BAAoB,CAC5B,6EAA6E,EAC7E;MAAEC,eAAe,EAAEN;IAA0B,CAC/C,CAAC;EACH;EAEA,IAAI,CAACC,cAAc,CAACM,GAAG,EAAE;IACvB,MAAM,IAAIC,kCAA0B,CAAC,CAAC;EACxC;EAEA,MAAM,IAAAC,aAAM,EAACL,cAAc,EAAEH,cAAc,CAACM,GAAG,EAAE,CAACN,cAAc,CAAC,CAAC;;EAElE;EACA,MAAMS,iBAAiB,GAAGlC,0BAAmB,CAACf,KAAK,CAAC,IAAAkD,aAAM,EAACP,cAAc,CAAC,CAAC;EAC3E,MAAMf,sBAAsB,GAC1BqB,iBAAiB,CAAC9C,OAAO,CAACgD,QAAQ,CAACC,iBAAiB,CACjDC,wBAAwB;EAE7B,IAAIzB,sBAAsB,EAAE;IAC1B,MAAM0B,cAAc,GAAG,MAAM3B,iBAAiB,CAACC,sBAAsB,EAAE;MACrEhD;IACF,CAAC,CAAC;IAEF,IAAI,CAAC0E,cAAc,CAACC,QAAQ,CAAChB,yBAAyB,CAAC,EAAE;MACvD,MAAM,IAAIiB,sCAA8B,CACtC,wFAAwF,EACxF;QAAEX,eAAe,EAAEN,yBAAyB;QAAEX;MAAuB,CACvE,CAAC;IACH;EACF;EAEA,OAAOa,UAAU;AACnB;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAeC,gBAAgBA,CAC7BtD,aAAqB,EACrBR,QAA8B,EAEX;EAAA,IADnB6E,MAAe,GAAAnF,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,IAAI;EAEtB,MAAMF,KAAe,GAAG,EAAE;;EAE1B;EACA,MAAMsF,WAAW,GAAG,MAAMvE,4BAA4B,CAACC,aAAa,EAAE;IACpER;EACF,CAAC,CAAC;EACF,MAAM+E,QAAQ,GAAG5C,0BAAmB,CAACf,KAAK,CAAC,IAAAkD,aAAM,EAACQ,WAAW,CAAC,CAAC;EAE/D,IAAID,MAAM,EAAE;IACV;IACArF,KAAK,CAACwF,IAAI,CAACF,WAAW,CAAC;EACzB;;EAEA;EACA,MAAMG,cAAc,GAAGF,QAAQ,CAACxD,OAAO,CAAC2D,eAAe,IAAI,EAAE;EAC7D,IAAID,cAAc,CAACtF,MAAM,KAAK,CAAC,EAAE;IAC/B;IACA,IAAI,CAACkF,MAAM,EAAE;MACXrF,KAAK,CAACwF,IAAI,CAACF,WAAW,CAAC;IACzB;IACA,OAAOtF,KAAK;EACd;EAEA,MAAM2F,mBAAmB,GAAGF,cAAc,CAAC,CAAC,CAAE;;EAE9C;EACA,MAAMG,WAAW,GAAG,MAAM7E,4BAA4B,CAAC4E,mBAAmB,EAAE;IAC1EnF;EACF,CAAC,CAAC;EACF,MAAMqF,QAAQ,GAAGlD,0BAAmB,CAACf,KAAK,CAAC,IAAAkD,aAAM,EAACc,WAAW,CAAC,CAAC;;EAE/D;EACA,MAAM3C,uBAAuB,GAC3B4C,QAAQ,CAAC9D,OAAO,CAACgD,QAAQ,CAACC,iBAAiB,CAACc,yBAAyB;EACvE,IAAI,CAAC7C,uBAAuB,EAAE;IAC5B,MAAM,IAAI8C,2CAAmC,CAC1C,kDAAiDJ,mBAAoB,4CAA2C3E,aAAc,GAAE,EACjI;MAAEA,aAAa;MAAEgF,kBAAkB,EAAEL;IAAoB,CAC3D,CAAC;EACH;EAEA,MAAMM,kBAAkB,GAAG,MAAMlD,wBAAwB,CACvDE,uBAAuB,EACvBjC,aAAa,EACb;IAAER;EAAS,CACb,CAAC;EACD;EACAwC,sBAAe,CAACpB,KAAK,CAAC,IAAAkD,aAAM,EAACmB,kBAAkB,CAAC,CAAC;;EAEjD;EACAjG,KAAK,CAACwF,IAAI,CAACS,kBAAkB,CAAC;;EAE9B;EACA,MAAMC,WAAW,GAAG,MAAM5B,gBAAgB,CACxCqB,mBAAmB,EACnBnF,QAAQ,EACR,KACF,CAAC;EAED,OAAOR,KAAK,CAACmG,MAAM,CAACD,WAAW,CAAC;AAClC"}

package/lib/commonjs/trust/utils.js

@@ -3,8 +3,11 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.verify = exports.decode = void 0;
+exports.decode = void 0;
+exports.getTrustAnchorX509Certificate = getTrustAnchorX509Certificate;
+exports.verify = void 0;
 var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
+var _errors = require("./errors");
 // Verify a token signature
 // The kid is extracted from the token header
 const verify = async (token, kid, jwks) => {
@@ -37,5 +40,31 @@ const decode = token => {
     payload
   };
 };
+
+/**
+ * Extracts the X.509 Trust Anchor certificate (Base64 encoded) from the
+ * Trust Anchor's Entity Configuration.
+ *
+ * @param trustAnchorEntity The entity configuration of the known trust anchor.
+ * @returns The Base64 encoded X.509 certificate string.
+ * @throws {FederationError} If the certificate cannot be derived.
+ */
 exports.decode = decode;
+function getTrustAnchorX509Certificate(trustAnchorEntity) {
+  const taHeaderKid = trustAnchorEntity.header.kid;
+  const taSigningJwk = trustAnchorEntity.payload.jwks.keys.find(key => key.kid === taHeaderKid);
+  if (!taSigningJwk) {
+    throw new _errors.FederationError(`Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' not found in Trust Anchor's JWKS.`, {
+      trustAnchorKid: taHeaderKid,
+      reason: "JWK not found for header kid"
+    });
+  }
+  if (taSigningJwk.x5c && taSigningJwk.x5c.length > 0 && taSigningJwk.x5c[0]) {
+    return taSigningJwk.x5c[0];
+  }
+  throw new _errors.FederationError(`Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' does not contain a valid 'x5c' certificate array.`, {
+    trustAnchorKid: taHeaderKid,
+    reason: "Missing or empty x5c in JWK"
+  });
+}
 //# sourceMappingURL=utils.js.map

package/lib/commonjs/trust/utils.js.map

@@ -1 +1 @@
-{"version":3,"names":["_ioReactNativeJwt","require","verify","token","kid","jwks","jwk","find","k","Error","protectedHeader","header","payload","verifyJwt","exports","decode","decodeJwt"],"sourceRoot":"../../../src","sources":["trust/utils.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAYA;AACA;AACO,MAAMC,MAAM,GAAG,MAAAA,CACpBC,KAAa,EACbC,GAAW,EACXC,IAAW,KACc;EACzB,MAAMC,GAAG,GAAGD,IAAI,CAACE,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACJ,GAAG,KAAKA,GAAG,CAAC;EAC3C,IAAI,CAACE,GAAG,EAAE;IACR,MAAM,IAAIG,KAAK,CAAE,gBAAeL,GAAI,YAAWD,KAAM,EAAC,CAAC;EACzD;EACA,MAAM;IAAEO,eAAe,EAAEC,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAM,IAAAC,wBAAS,EAACV,KAAK,EAAEG,GAAG,CAAC;EACxE,OAAO;IAAEK,MAAM;IAAEC;EAAQ,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;AAHAE,OAAA,CAAAZ,MAAA,GAAAA,MAAA;AAIO,MAAMa,MAAM,GAAIZ,KAAa,IAAkB;EACpD,MAAM;IAAEO,eAAe,EAAEC,MAAM;IAAEC;EAAQ,CAAC,GAAG,IAAAI,wBAAS,EAACb,KAAK,CAAC;EAC7D,OAAO;IAAEQ,MAAM;IAAEC;EAAQ,CAAC;AAC5B,CAAC;AAACE,OAAA,CAAAC,MAAA,GAAAA,MAAA"}
+{"version":3,"names":["_ioReactNativeJwt","require","_errors","verify","token","kid","jwks","jwk","find","k","Error","protectedHeader","header","payload","verifyJwt","exports","decode","decodeJwt","getTrustAnchorX509Certificate","trustAnchorEntity","taHeaderKid","taSigningJwk","keys","key","FederationError","trustAnchorKid","reason","x5c","length"],"sourceRoot":"../../../src","sources":["trust/utils.ts"],"mappings":";;;;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAMA,IAAAC,OAAA,GAAAD,OAAA;AAQA;AACA;AACO,MAAME,MAAM,GAAG,MAAAA,CACpBC,KAAa,EACbC,GAAW,EACXC,IAAW,KACc;EACzB,MAAMC,GAAG,GAAGD,IAAI,CAACE,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACJ,GAAG,KAAKA,GAAG,CAAC;EAC3C,IAAI,CAACE,GAAG,EAAE;IACR,MAAM,IAAIG,KAAK,CAAE,gBAAeL,GAAI,YAAWD,KAAM,EAAC,CAAC;EACzD;EACA,MAAM;IAAEO,eAAe,EAAEC,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAM,IAAAC,wBAAS,EAACV,KAAK,EAAEG,GAAG,CAAC;EACxE,OAAO;IAAEK,MAAM;IAAEC;EAAQ,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;AAHAE,OAAA,CAAAZ,MAAA,GAAAA,MAAA;AAIO,MAAMa,MAAM,GAAIZ,KAAa,IAAkB;EACpD,MAAM;IAAEO,eAAe,EAAEC,MAAM;IAAEC;EAAQ,CAAC,GAAG,IAAAI,wBAAS,EAACb,KAAK,CAAC;EAC7D,OAAO;IAAEQ,MAAM;IAAEC;EAAQ,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAPAE,OAAA,CAAAC,MAAA,GAAAA,MAAA;AAQO,SAASE,6BAA6BA,CAC3CC,iBAAiD,EACzC;EACR,MAAMC,WAAW,GAAGD,iBAAiB,CAACP,MAAM,CAACP,GAAG;EAChD,MAAMgB,YAAY,GAAGF,iBAAiB,CAACN,OAAO,CAACP,IAAI,CAACgB,IAAI,CAACd,IAAI,CAC1De,GAAG,IAAKA,GAAG,CAAClB,GAAG,KAAKe,WACvB,CAAC;EAED,IAAI,CAACC,YAAY,EAAE;IACjB,MAAM,IAAIG,uBAAe,CACtB,+DAA8DJ,WAAY,qCAAoC,EAC/G;MAAEK,cAAc,EAAEL,WAAW;MAAEM,MAAM,EAAE;IAA+B,CACxE,CAAC;EACH;EAEA,IAAIL,YAAY,CAACM,GAAG,IAAIN,YAAY,CAACM,GAAG,CAACC,MAAM,GAAG,CAAC,IAAIP,YAAY,CAACM,GAAG,CAAC,CAAC,CAAC,EAAE;IAC1E,OAAON,YAAY,CAACM,GAAG,CAAC,CAAC,CAAC;EAC5B;EAEA,MAAM,IAAIH,uBAAe,CACtB,+DAA8DJ,WAAY,qDAAoD,EAC/H;IAAEK,cAAc,EAAEL,WAAW;IAAEM,MAAM,EAAE;EAA8B,CACvE,CAAC;AACH"}

package/lib/module/trust/README.md

@@ -0,0 +1,147 @@
+# Trust Chain Validation
+
+This module implements **Trust Chain validation** for Entity Configurations and Entity Statements in line with the [IT Wallet Federation Specifications](https://italia.github.io/eid-wallet-it-docs/). It ensures that an entity's metadata is trusted by validating a chain of signed JWTs up to a known Trust Anchor.
+
+The validation covers:
+
+* JWT signature verification (using the next entity's JWKS)
+* Trust chain ordering (leaf → parent → Trust Anchor)
+* Optional X.509 CRL-based certificate validation
+
+## Sequence Diagram
+
+```mermaid
+sequenceDiagram
+  autonumber
+  participant A as Leaf Entity
+  participant B as Intermediate (Federation Authority)
+  participant C as Trust Anchor
+
+  A->>A: Self-issued Entity Configuration (JWT)
+  B->>A: Signed Entity Statement (JWT)
+  C->>B: Signed Entity Statement (JWT or self-issued EC)
+
+  Note over A,C: Each JWT is validated with the next issuer's public keys
+```
+
+## Errors
+
+| Error                         | Description                                                        |
+| ----------------------------- | ------------------------------------------------------------------ |
+| `TrustChainEmptyError`        | The input chain is empty.                                          |
+| `TrustChainTokenMissingError` | One of the JWTs in the chain is missing.                           |
+| `X509ValidationError`         | X.509 certificate validation failed (e.g. revocation, expiration). |
+| `FederationError`             | Generic federation processing error.                               |
+
+## Usage
+
+### Validate a trust chain
+
+```ts
+import { validateTrustChain } from "./trust";
+import { trustAnchorEntityConfiguration } from "./your-data";
+import { chain } from "./your-data"; // array of JWTs, starting from leaf
+
+const result = await validateTrustChain(trustAnchorEntityConfiguration, chain, {
+    connectTimeout: 3000,
+    readTimeout: 3000,
+    requireCrl: false,
+});
+```
+
+* The `chain` must be an array of signed JWT strings.
+* The first JWT must be a self-issued `EntityConfiguration`.
+* The last JWT must be an `EntityStatement` or a self-issued Trust Anchor `EntityConfiguration`.
+
+### Renew a trust chain
+
+```ts
+import { renewTrustChain } from "./trust";
+
+const newChain = await renewTrustChain(chain);
+```
+
+This will fetch updated JWTs from each authority in the chain.
+
+### Build a trust chain
+
+```ts
+import { buildTrustChain } from "./trust";
+
+const chain = await buildTrustChain({
+  leaf: "https://example-leaf",
+  trustAnchor: trustAnchorEntityConfiguration,
+});
+```
+
+* **leaf**: the entity URL of the subject to be trusted.
+* **trustAnchor**: the known trust anchor configuration.
+* Returns a list of JWT strings ordered from leaf to trust anchor.
+
+
+## Trust Chain Structure
+
+| Position | JWT Type                            | Requirements                  |
+| -------- | ----------------------------------- |-------------------------------|
+| First    | Entity Configuration                | `iss === sub` (self-issued)   |
+| Middle   | Entity Statement                    | `iss ≠ sub`, signed by parent |
+| Last     | Entity Statement or Trust Anchor EC | Trust Anchor must be known    |
+
+### Build and Validate Example
+
+```ts
+import {
+  buildTrustChain,
+  validateTrustChain,
+} from "./trust";
+import { trustAnchorEntityConfiguration } from "./your-data";
+
+const chain = await buildTrustChain({
+  leaf: "https://example-leaf",
+  trustAnchor: trustAnchorEntityConfiguration,
+});
+
+const result = await validateTrustChain(trustAnchorEntityConfiguration, chain, {
+  connectTimeout: 3000,
+  readTimeout: 3000,
+  requireCrl: true,
+});
+```
+
+* This example fetches and builds the full trust chain dynamically, then validates it end-to-end.
+
+## Example Trust Chain
+
+```ts
+[
+    {
+        header: { alg: "ES256", kid: "leaf-kid" },
+        payload: { iss: "https://leaf", sub: "https://leaf", jwks: { keys: [...] } }
+    },
+    {
+        header: { alg: "ES256", kid: "intermediate-kid" },
+        payload: { iss: "https://intermediate", sub: "https://leaf", jwks: { keys: [...] } }
+    },
+    {
+        header: { alg: "ES256", kid: "ta-kid" },
+        payload: { iss: "https://ta", sub: "https://ta", jwks: { keys: [...] } }
+    }
+]
+```
+
+## Mocking in Tests
+
+If you're testing in Node (not in React Native), you need to mock X.509 and crypto-native dependencies:
+
+```ts
+jest.mock("@pagopa/io-react-native-crypto", () => ({
+    verifyCertificateChain: jest.fn().mockResolvedValue({
+        isValid: true,
+        validationStatus: "VALID",
+        errorMessage: undefined,
+    }),
+    generate: jest.fn().mockResolvedValue({ ... }),
+}));
+```
+
+Ensure mocked `JWK`s contain an `x5c` array to trigger certificate validation logic during tests.