@pagopa/io-react-native-wallet 2.0.0-next.0 → 2.0.0-next.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/commonjs/trust/README.md +147 -0
- package/lib/commonjs/trust/chain.js +47 -10
- package/lib/commonjs/trust/chain.js.map +1 -1
- package/lib/commonjs/trust/errors.js +24 -1
- package/lib/commonjs/trust/errors.js.map +1 -1
- package/lib/commonjs/trust/index.js +11 -5
- package/lib/commonjs/trust/index.js.map +1 -1
- package/lib/commonjs/trust/utils.js +30 -1
- package/lib/commonjs/trust/utils.js.map +1 -1
- package/lib/module/trust/README.md +147 -0
- package/lib/module/trust/chain.js +49 -12
- package/lib/module/trust/chain.js.map +1 -1
- package/lib/module/trust/errors.js +23 -2
- package/lib/module/trust/errors.js.map +1 -1
- package/lib/module/trust/index.js +11 -5
- package/lib/module/trust/index.js.map +1 -1
- package/lib/module/trust/utils.js +27 -0
- package/lib/module/trust/utils.js.map +1 -1
- package/lib/typescript/client/generated/wallet-provider.d.ts +12 -12
- package/lib/typescript/credential/presentation/types.d.ts +4 -4
- package/lib/typescript/credential/status/types.d.ts +6 -6
- package/lib/typescript/sd-jwt/index.d.ts +12 -12
- package/lib/typescript/sd-jwt/types.d.ts +6 -6
- package/lib/typescript/trust/chain.d.ts +8 -6
- package/lib/typescript/trust/chain.d.ts.map +1 -1
- package/lib/typescript/trust/errors.d.ts +22 -0
- package/lib/typescript/trust/errors.d.ts.map +1 -1
- package/lib/typescript/trust/index.d.ts +208 -206
- package/lib/typescript/trust/index.d.ts.map +1 -1
- package/lib/typescript/trust/types.d.ts +559 -559
- package/lib/typescript/trust/utils.d.ts +10 -0
- package/lib/typescript/trust/utils.d.ts.map +1 -1
- package/lib/typescript/wallet-instance-attestation/types.d.ts +25 -25
- package/package.json +2 -2
- package/src/trust/README.md +147 -0
- package/src/trust/chain.ts +91 -15
- package/src/trust/errors.ts +32 -1
- package/src/trust/index.ts +11 -4
- package/src/trust/utils.ts +35 -0
|
@@ -1,8 +1,9 @@
|
|
|
1
1
|
import { EntityConfiguration, EntityStatement, TrustAnchorEntityConfiguration } from "./types";
|
|
2
2
|
import * as z from "zod";
|
|
3
3
|
import { getSignedEntityConfiguration, getSignedEntityStatement } from ".";
|
|
4
|
-
import { decode, verify } from "./utils";
|
|
5
|
-
import { MissingFederationFetchEndpointError, TrustChainEmptyError, TrustChainRenewalError, TrustChainTokenMissingError } from "./errors";
|
|
4
|
+
import { decode, getTrustAnchorX509Certificate, verify } from "./utils";
|
|
5
|
+
import { FederationError, MissingFederationFetchEndpointError, MissingX509CertsError, TrustChainEmptyError, TrustChainRenewalError, TrustChainTokenMissingError, X509ValidationError } from "./errors";
|
|
6
|
+
import { verifyCertificateChain } from "@pagopa/io-react-native-crypto";
|
|
6
7
|
|
|
7
8
|
// The first element of the chain is supposed to be the Entity Configuration for the document issuer
|
|
8
9
|
const FirstElementShape = EntityConfiguration;
|
|
@@ -13,14 +14,15 @@ const MiddleElementShape = EntityStatement;
|
|
|
13
14
|
const LastElementShape = z.union([EntityStatement, TrustAnchorEntityConfiguration]);
|
|
14
15
|
|
|
15
16
|
/**
|
|
16
|
-
* Validates a provided trust chain against a known trust
|
|
17
|
+
* Validates a provided trust chain against a known trust anchor, including X.509 certificate checks.
|
|
17
18
|
*
|
|
18
|
-
* @param trustAnchorEntity The entity configuration of the known trust anchor
|
|
19
|
-
* @param chain The chain of statements to be validated
|
|
20
|
-
* @
|
|
21
|
-
* @
|
|
19
|
+
* @param trustAnchorEntity The entity configuration of the known trust anchor (for JWT validation).
|
|
20
|
+
* @param chain The chain of statements to be validated.
|
|
21
|
+
* @param x509Options Options for X.509 certificate validation.
|
|
22
|
+
* @returns The list of parsed tokens representing the chain.
|
|
23
|
+
* @throws {FederationError} If the chain is not valid (JWT or X.509). Specific errors like TrustChainEmptyError, X509ValidationError may be thrown.
|
|
22
24
|
*/
|
|
23
|
-
export async function validateTrustChain(trustAnchorEntity, chain) {
|
|
25
|
+
export async function validateTrustChain(trustAnchorEntity, chain, x509Options) {
|
|
24
26
|
// If the chain is empty, fail
|
|
25
27
|
if (chain.length === 0) {
|
|
26
28
|
throw new TrustChainEmptyError("Cannot verify empty trust chain.");
|
|
@@ -29,7 +31,7 @@ export async function validateTrustChain(trustAnchorEntity, chain) {
|
|
|
29
31
|
// Select the expected token shape
|
|
30
32
|
const selectTokenShape = elementIndex => elementIndex === 0 ? FirstElementShape : elementIndex === chain.length - 1 ? LastElementShape : MiddleElementShape;
|
|
31
33
|
|
|
32
|
-
//
|
|
34
|
+
// Select the kid from the current index
|
|
33
35
|
const selectKid = currentIndex => {
|
|
34
36
|
const token = chain[currentIndex];
|
|
35
37
|
if (!token) {
|
|
@@ -41,8 +43,8 @@ export async function validateTrustChain(trustAnchorEntity, chain) {
|
|
|
41
43
|
return shape.parse(decode(token)).header.kid;
|
|
42
44
|
};
|
|
43
45
|
|
|
44
|
-
//
|
|
45
|
-
//
|
|
46
|
+
// Select keys from the next token
|
|
47
|
+
// If the current token is the last, keys from trust anchor will be used
|
|
46
48
|
const selectKeys = currentIndex => {
|
|
47
49
|
if (currentIndex === chain.length - 1) {
|
|
48
50
|
return trustAnchorEntity.payload.jwks.keys;
|
|
@@ -57,10 +59,45 @@ export async function validateTrustChain(trustAnchorEntity, chain) {
|
|
|
57
59
|
const shape = selectTokenShape(nextIndex);
|
|
58
60
|
return shape.parse(decode(nextToken)).payload.jwks.keys;
|
|
59
61
|
};
|
|
62
|
+
const x509TrustAnchorCertBase64 = getTrustAnchorX509Certificate(trustAnchorEntity);
|
|
60
63
|
|
|
61
64
|
// Iterate the chain and validate each element's signature against the public keys of its next
|
|
62
65
|
// If there is no next, hence it's the end of the chain, and it must be verified by the Trust Anchor
|
|
63
|
-
|
|
66
|
+
const validationPromises = chain.map(async (tokenString, i) => {
|
|
67
|
+
const kidFromTokenHeader = selectKid(i);
|
|
68
|
+
const signerJwks = selectKeys(i);
|
|
69
|
+
|
|
70
|
+
// Step 1: Verify JWT signature
|
|
71
|
+
const parsedToken = await verify(tokenString, kidFromTokenHeader, signerJwks);
|
|
72
|
+
|
|
73
|
+
// Step 2: X.509 Certificate Chain Validation
|
|
74
|
+
const jwkUsedForVerification = signerJwks.find(k => k.kid === kidFromTokenHeader);
|
|
75
|
+
if (!jwkUsedForVerification) {
|
|
76
|
+
throw new FederationError(`JWK with kid '${kidFromTokenHeader}' was not found in signer's JWKS for token at index ${i}, though JWT verification passed.`, {
|
|
77
|
+
tokenIndex: i,
|
|
78
|
+
kid: kidFromTokenHeader
|
|
79
|
+
});
|
|
80
|
+
}
|
|
81
|
+
if (!jwkUsedForVerification.x5c || jwkUsedForVerification.x5c.length === 0) {
|
|
82
|
+
throw new MissingX509CertsError(`JWK with kid '${kidFromTokenHeader}' does not contain an X.509 certificate chain (x5c) for token at index ${i}.`);
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
// If the chain has more than one certificate AND
|
|
86
|
+
// the last certificate in the x5c chain is the same as the trust anchor,
|
|
87
|
+
// remove the anchor from the chain being passed, as it's supplied separately.
|
|
88
|
+
const certChainBase64 = jwkUsedForVerification.x5c.length > 1 && jwkUsedForVerification.x5c.at(-1) === x509TrustAnchorCertBase64 ? jwkUsedForVerification.x5c.slice(0, -1) : jwkUsedForVerification.x5c;
|
|
89
|
+
const x509ValidationResult = await verifyCertificateChain(certChainBase64, x509TrustAnchorCertBase64, x509Options);
|
|
90
|
+
if (!x509ValidationResult.isValid) {
|
|
91
|
+
throw new X509ValidationError(`X.509 certificate chain validation failed for token at index ${i} (kid: ${kidFromTokenHeader}). Status: ${x509ValidationResult.validationStatus}. Error: ${x509ValidationResult.errorMessage}`, {
|
|
92
|
+
tokenIndex: i,
|
|
93
|
+
kid: kidFromTokenHeader,
|
|
94
|
+
x509ValidationStatus: x509ValidationResult.validationStatus,
|
|
95
|
+
x509ErrorMessage: x509ValidationResult.errorMessage
|
|
96
|
+
});
|
|
97
|
+
}
|
|
98
|
+
return parsedToken;
|
|
99
|
+
});
|
|
100
|
+
return Promise.all(validationPromises);
|
|
64
101
|
}
|
|
65
102
|
|
|
66
103
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["EntityConfiguration","EntityStatement","TrustAnchorEntityConfiguration","z","getSignedEntityConfiguration","getSignedEntityStatement","decode","verify","MissingFederationFetchEndpointError","TrustChainEmptyError","TrustChainRenewalError","TrustChainTokenMissingError","FirstElementShape","MiddleElementShape","LastElementShape","union","validateTrustChain","trustAnchorEntity","chain","length","selectTokenShape","elementIndex","selectKid","currentIndex","token","index","shape","parse","header","kid","selectKeys","payload","jwks","keys","nextIndex","nextToken","
|
|
1
|
+
{"version":3,"names":["EntityConfiguration","EntityStatement","TrustAnchorEntityConfiguration","z","getSignedEntityConfiguration","getSignedEntityStatement","decode","getTrustAnchorX509Certificate","verify","FederationError","MissingFederationFetchEndpointError","MissingX509CertsError","TrustChainEmptyError","TrustChainRenewalError","TrustChainTokenMissingError","X509ValidationError","verifyCertificateChain","FirstElementShape","MiddleElementShape","LastElementShape","union","validateTrustChain","trustAnchorEntity","chain","x509Options","length","selectTokenShape","elementIndex","selectKid","currentIndex","token","index","shape","parse","header","kid","selectKeys","payload","jwks","keys","nextIndex","nextToken","x509TrustAnchorCertBase64","validationPromises","map","tokenString","i","kidFromTokenHeader","signerJwks","parsedToken","jwkUsedForVerification","find","k","tokenIndex","x5c","certChainBase64","at","slice","x509ValidationResult","isValid","validationStatus","errorMessage","x509ValidationStatus","x509ErrorMessage","Promise","all","renewTrustChain","appFetch","arguments","undefined","fetch","decoded","entityStatementResult","safeParse","entityConfigurationResult","success","data","iss","entityStatement","parentBaseUrl","parentECJwt","parentEC","federationFetchEndpoint","metadata","federation_entity","federation_fetch_endpoint","sub","entityBaseUrl","missingInEntityUrl","originalChain"],"sourceRoot":"../../../src","sources":["trust/chain.ts"],"mappings":"AAAA,SACEA,mBAAmB,EACnBC,eAAe,EACfC,8BAA8B,QACzB,SAAS;AAEhB,OAAO,KAAKC,CAAC,MAAM,KAAK;AACxB,SAASC,4BAA4B,EAAEC,wBAAwB,QAAQ,GAAG;AAC1E,SACEC,MAAM,EACNC,6BAA6B,EAE7BC,MAAM,QACD,SAAS;AAChB,SACEC,eAAe,EACfC,mCAAmC,EACnCC,qBAAqB,EACrBC,oBAAoB,EACpBC,sBAAsB,EACtBC,2BAA2B,EAC3BC,mBAAmB,QACd,UAAU;AACjB,SAEEC,sBAAsB,QAEjB,gCAAgC;;AAEvC;AACA,MAAMC,iBAAiB,GAAGjB,mBAAmB;AAC7C;AACA,MAAMkB,kBAAkB,GAAGjB,eAAe;AAC1C;AACA;AACA,MAAMkB,gBAAgB,GAAGhB,CAAC,CAACiB,KAAK,CAAC,CAC/BnB,eAAe,EACfC,8BAA8B,CAC/B,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAemB,kBAAkBA,CACtCC,iBAAiD,EACjDC,KAAe,EACfC,WAAmC,EACX;EACxB;EACA,IAAID,KAAK,CAACE,MAAM,KAAK,CAAC,EAAE;IACtB,MAAM,IAAIb,oBAAoB,CAAC,kCAAkC,CAAC;EACpE;;EAEA;EACA,MAAMc,gBAAgB,GAAIC,YAAoB,IAC5CA,YAAY,KAAK,CAAC,GACdV,iBAAiB,GACjBU,YAAY,KAAKJ,KAAK,CAACE,MAAM,GAAG,CAAC,GAC/BN,gBAAgB,GAChBD,kBAAkB;;EAE1B;EACA,MAAMU,SAAS,GAAIC,YAAoB,IAAa;IAClD,MAAMC,KAAK,GAAGP,KAAK,CAACM,YAAY,CAAC;IACjC,IAAI,CAACC,KAAK,EAAE;MACV,MAAM,IAAIhB,2BAA2B,CAClC,0BAAyBe,YAAa,kBAAiB,EACxD;QAAEE,KAAK,EAAEF;MAAa,CACxB,CAAC;IACH;IACA,MAAMG,KAAK,GAAGN,gBAAgB,CAACG,YAAY,CAAC;IAC5C,OAAOG,KAAK,CAACC,KAAK,CAAC3B,MAAM,CAACwB,KAAK,CAAC,CAAC,CAACI,MAAM,CAACC,GAAG;EAC9C,CAAC;;EAED;EACA;EACA,MAAMC,UAAU,GAAIP,YAAoB,IAAY;IAClD,IAAIA,YAAY,KAAKN,KAAK,CAACE,MAAM,GAAG,CAAC,EAAE;MACrC,OAAOH,iBAAiB,CAACe,OAAO,CAACC,IAAI,CAACC,IAAI;IAC5C;IAEA,MAAMC,SAAS,GAAGX,YAAY,GAAG,CAAC;IAClC,MAAMY,SAAS,GAAGlB,KAAK,CAACiB,SAAS,CAAC;IAClC,IAAI,CAACC,SAAS,EAAE;MACd,MAAM,IAAI3B,2BAA2B,CAClC,+BAA8B0B,SAAU,kCAAiCX,YAAa,IAAG,EAC1F;QAAEE,KAAK,EAAES;MAAU,CACrB,CAAC;IACH;IACA,MAAMR,KAAK,GAAGN,gBAAgB,CAACc,SAAS,CAAC;IACzC,OAAOR,KAAK,CAACC,KAAK,CAAC3B,MAAM,CAACmC,SAAS,CAAC,CAAC,CAACJ,OAAO,CAACC,IAAI,CAACC,IAAI;EACzD,CAAC;EAED,MAAMG,yBAAyB,GAC7BnC,6BAA6B,CAACe,iBAAiB,CAAC;;EAElD;EACA;EACA,MAAMqB,kBAAkB,GAAGpB,KAAK,CAACqB,GAAG,CAAC,OAAOC,WAAW,EAAEC,CAAC,KAAK;IAC7D,MAAMC,kBAAkB,GAAGnB,SAAS,CAACkB,CAAC,CAAC;IACvC,MAAME,UAAU,GAAGZ,UAAU,CAACU,CAAC,CAAC;;IAEhC;IACA,MAAMG,WAAW,GAAG,MAAMzC,MAAM,CAC9BqC,WAAW,EACXE,kBAAkB,EAClBC,UACF,CAAC;;IAED;IACA,MAAME,sBAAsB,GAAGF,UAAU,CAACG,IAAI,CAC3CC,CAAC,IAAKA,CAAC,CAACjB,GAAG,KAAKY,kBACnB,CAAC;IAED,IAAI,CAACG,sBAAsB,EAAE;MAC3B,MAAM,IAAIzC,eAAe,CACtB,iBAAgBsC,kBAAmB,uDAAsDD,CAAE,mCAAkC,EAC9H;QAAEO,UAAU,EAAEP,CAAC;QAAEX,GAAG,EAAEY;MAAmB,CAC3C,CAAC;IACH;IAEA,IACE,CAACG,sBAAsB,CAACI,GAAG,IAC3BJ,sBAAsB,CAACI,GAAG,CAAC7B,MAAM,KAAK,CAAC,EACvC;MACA,MAAM,IAAId,qBAAqB,CAC5B,iBAAgBoC,kBAAmB,0EAAyED,CAAE,GACjH,CAAC;IACH;;IAEA;IACA;IACA;IACA,MAAMS,eAAe,GACnBL,sBAAsB,CAACI,GAAG,CAAC7B,MAAM,GAAG,CAAC,IACrCyB,sBAAsB,CAACI,GAAG,CAACE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAKd,yBAAyB,GAC3DQ,sBAAsB,CAACI,GAAG,CAACG,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GACvCP,sBAAsB,CAACI,GAAG;IAEhC,MAAMI,oBAAiD,GACrD,MAAM1C,sBAAsB,CAC1BuC,eAAe,EACfb,yBAAyB,EACzBlB,WACF,CAAC;IAEH,IAAI,CAACkC,oBAAoB,CAACC,OAAO,EAAE;MACjC,MAAM,IAAI5C,mBAAmB,CAC1B,gEAA+D+B,CAAE,UAASC,kBAAmB,cAAaW,oBAAoB,CAACE,gBAAiB,YAAWF,oBAAoB,CAACG,YAAa,EAAC,EAC/L;QACER,UAAU,EAAEP,CAAC;QACbX,GAAG,EAAEY,kBAAkB;QACvBe,oBAAoB,EAAEJ,oBAAoB,CAACE,gBAAgB;QAC3DG,gBAAgB,EAAEL,oBAAoB,CAACG;MACzC,CACF,CAAC;IACH;IACA,OAAOZ,WAAW;EACpB,CAAC,CAAC;EAEF,OAAOe,OAAO,CAACC,GAAG,CAACtB,kBAAkB,CAAC;AACxC;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeuB,eAAeA,CACnC3C,KAAe,EAEI;EAAA,IADnB4C,QAA8B,GAAAC,SAAA,CAAA3C,MAAA,QAAA2C,SAAA,QAAAC,SAAA,GAAAD,SAAA,MAAGE,KAAK;EAEtC,OAAON,OAAO,CAACC,GAAG,CAChB1C,KAAK,CAACqB,GAAG,CAAC,OAAOd,KAAK,EAAEC,KAAK,KAAK;IAChC,MAAMwC,OAAO,GAAGjE,MAAM,CAACwB,KAAK,CAAC;IAE7B,MAAM0C,qBAAqB,GAAGvE,eAAe,CAACwE,SAAS,CAACF,OAAO,CAAC;IAChE,MAAMG,yBAAyB,GAAG1E,mBAAmB,CAACyE,SAAS,CAACF,OAAO,CAAC;IAExE,IAAIG,yBAAyB,CAACC,OAAO,EAAE;MACrC,OAAOvE,4BAA4B,CACjCsE,yBAAyB,CAACE,IAAI,CAACvC,OAAO,CAACwC,GAAG,EAC1C;QAAEV;MAAS,CACb,CAAC;IACH;IACA,IAAIK,qBAAqB,CAACG,OAAO,EAAE;MACjC,MAAMG,eAAe,GAAGN,qBAAqB,CAACI,IAAI;MAElD,MAAMG,aAAa,GAAGD,eAAe,CAACzC,OAAO,CAACwC,GAAG;MACjD,MAAMG,WAAW,GAAG,MAAM5E,4BAA4B,CAAC2E,aAAa,EAAE;QACpEZ;MACF,CAAC,CAAC;MACF,MAAMc,QAAQ,GAAGjF,mBAAmB,CAACiC,KAAK,CAAC3B,MAAM,CAAC0E,WAAW,CAAC,CAAC;MAE/D,MAAME,uBAAuB,GAC3BD,QAAQ,CAAC5C,OAAO,CAAC8C,QAAQ,CAACC,iBAAiB,CAACC,yBAAyB;MACvE,IAAI,CAACH,uBAAuB,EAAE;QAC5B,MAAM,IAAIxE,mCAAmC,CAC1C,gBAAeqE,aAAc,8DAA6DD,eAAe,CAACzC,OAAO,CAACiD,GAAI,GAAE,EACzH;UACEC,aAAa,EAAET,eAAe,CAACzC,OAAO,CAACiD,GAAG;UAC1CE,kBAAkB,EAAET;QACtB,CACF,CAAC;MACH;MACA,OAAO1E,wBAAwB,CAC7B6E,uBAAuB,EACvBJ,eAAe,CAACzC,OAAO,CAACiD,GAAG,EAC3B;QAAEnB;MAAS,CACb,CAAC;IACH;IACA,MAAM,IAAItD,sBAAsB,CAC7B,iDAAgDkB,KAAM,mBAAkB,EACzE;MAAE0D,aAAa,EAAElE;IAAM,CACzB,CAAC;EACH,CAAC,CACH,CAAC;AACH"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { IoWalletError, serializeAttrs } from "../utils/errors";
|
|
2
|
-
|
|
1
|
+
import { IoWalletError, serializeAttrs } from "../utils/errors";
|
|
2
|
+
// Ensure this path is correct
|
|
3
3
|
/**
|
|
4
4
|
* Base class for all federation-specific errors.
|
|
5
5
|
*/
|
|
@@ -91,4 +91,25 @@ export class MissingFederationFetchEndpointError extends FederationError {
|
|
|
91
91
|
super(message, details);
|
|
92
92
|
}
|
|
93
93
|
}
|
|
94
|
+
|
|
95
|
+
/**
|
|
96
|
+
* Error thrown when the X.509 certificate chain is missing in an entity's configuration.
|
|
97
|
+
*/
|
|
98
|
+
export class MissingX509CertsError extends FederationError {
|
|
99
|
+
code = "ERR_FED_MISSING_X509_CERTS";
|
|
100
|
+
constructor(message) {
|
|
101
|
+
super(message, undefined);
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
/**
|
|
106
|
+
* Error thrown when an X.509 certificate validation fails.
|
|
107
|
+
* This is used to indicate issues with the certificate chain or signature verification.
|
|
108
|
+
*/
|
|
109
|
+
export class X509ValidationError extends FederationError {
|
|
110
|
+
code = "ERR_FED_X509_VALIDATION_FAILED";
|
|
111
|
+
constructor(message, details) {
|
|
112
|
+
super(message, details);
|
|
113
|
+
}
|
|
114
|
+
}
|
|
94
115
|
//# sourceMappingURL=errors.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["IoWalletError","serializeAttrs","FederationError","constructor","message","details","name","TrustChainEmptyError","code","arguments","length","undefined","TrustChainTokenMissingError","TrustChainRenewalError","FederationListParseError","BuildTrustChainError","TrustAnchorKidMissingError","RelyingPartyNotAuthorizedError","MissingFederationFetchEndpointError"],"sourceRoot":"../../../src","sources":["trust/errors.ts"],"mappings":"AAAA,SAASA,aAAa,EAAEC,cAAc,QAAQ,iBAAiB
|
|
1
|
+
{"version":3,"names":["IoWalletError","serializeAttrs","FederationError","constructor","message","details","name","TrustChainEmptyError","code","arguments","length","undefined","TrustChainTokenMissingError","TrustChainRenewalError","FederationListParseError","BuildTrustChainError","TrustAnchorKidMissingError","RelyingPartyNotAuthorizedError","MissingFederationFetchEndpointError","MissingX509CertsError","X509ValidationError"],"sourceRoot":"../../../src","sources":["trust/errors.ts"],"mappings":"AAAA,SAASA,aAAa,EAAEC,cAAc,QAAQ,iBAAiB;AACoB;AAEnF;AACA;AACA;AACA,OAAO,MAAMC,eAAe,SAASF,aAAa,CAAC;EACjDG,WAAWA,CAACC,OAAe,EAAEC,OAAiC,EAAE;IAC9D,KAAK,CAACA,OAAO,GAAGJ,cAAc,CAAC;MAAEG,OAAO;MAAE,GAAGC;IAAQ,CAAC,CAAC,GAAGD,OAAO,CAAC;IAClE,IAAI,CAACE,IAAI,GAAG,IAAI,CAACH,WAAW,CAACG,IAAI;EACnC;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMC,oBAAoB,SAASL,eAAe,CAAC;EACxDM,IAAI,GAAG,2BAA2B;EAClCL,WAAWA,CAAA,EAA2C;IAAA,IAA1CC,OAAO,GAAAK,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,8BAA8B;IAClD,KAAK,CAACL,OAAO,EAAEO,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMC,2BAA2B,SAASV,eAAe,CAAC;EAC/DM,IAAI,GAAG,mCAAmC;EAC1CL,WAAWA,CAACC,OAAe,EAAEC,OAA4B,EAAE;IACzD,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMQ,sBAAsB,SAASX,eAAe,CAAC;EAC1DM,IAAI,GAAG,oCAAoC;EAC3CL,WAAWA,CACTC,OAAe,EACfC,OAA8D,EAC9D;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;AAEA,OAAO,MAAMS,wBAAwB,SAASZ,eAAe,CAAC;EAC5DM,IAAI,GAAG,sCAAsC;EAC7CL,WAAWA,CAACC,OAAe,EAAEC,OAA6C,EAAE;IAC1E,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMU,oBAAoB,SAASb,eAAe,CAAC;EACxDM,IAAI,GAAG,kCAAkC;EACzCL,WAAWA,CACTC,OAAe,EACfC,OAIC,EACD;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMW,0BAA0B,SAASd,eAAe,CAAC;EAC9DM,IAAI,GAAG,kCAAkC;EACzCL,WAAWA,CAAA,EAA0D;IAAA,IAAzDC,OAAO,GAAAK,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,6CAA6C;IACjE,KAAK,CAACL,OAAO,EAAEO,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMM,8BAA8B,SAASf,eAAe,CAAC;EAClEM,IAAI,GAAG,sCAAsC;EAC7CL,WAAWA,CACTC,OAAe,EACfC,OAAqE,EACrE;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMa,mCAAmC,SAAShB,eAAe,CAAC;EACvEM,IAAI,GAAG,2CAA2C;EAClDL,WAAWA,CACTC,OAAe,EACfC,OAA8D,EAC9D;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMc,qBAAqB,SAASjB,eAAe,CAAC;EACzDM,IAAI,GAAG,4BAA4B;EACnCL,WAAWA,CAACC,OAAe,EAAE;IAC3B,KAAK,CAACA,OAAO,EAAEO,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMS,mBAAmB,SAASlB,eAAe,CAAC;EACvDM,IAAI,GAAG,gCAAgC;EACvCL,WAAWA,CACTC,OAAe,EACfC,OAMC,EACD;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF"}
|
|
@@ -10,22 +10,28 @@ import { BuildTrustChainError, FederationListParseError, MissingFederationFetchE
|
|
|
10
10
|
*
|
|
11
11
|
* @param trustAnchorEntity The entity configuration of the known trust anchor
|
|
12
12
|
* @param chain The chain of statements to be validated
|
|
13
|
-
* @param
|
|
14
|
-
* @param appFetch
|
|
13
|
+
* @param x509Options Options for the verification process
|
|
14
|
+
* @param appFetch (optional) fetch api implementation
|
|
15
|
+
* @param renewOnFail Whether to attempt to renew the trust chain if the initial validation fails
|
|
15
16
|
* @returns The result of the chain validation
|
|
16
17
|
* @throws {FederationError} If the chain is not valid
|
|
17
18
|
*/
|
|
18
19
|
export async function verifyTrustChain(trustAnchorEntity, chain) {
|
|
20
|
+
let x509Options = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {
|
|
21
|
+
connectTimeout: 10000,
|
|
22
|
+
readTimeout: 10000,
|
|
23
|
+
requireCrl: true
|
|
24
|
+
};
|
|
19
25
|
let {
|
|
20
26
|
appFetch = fetch,
|
|
21
27
|
renewOnFail = true
|
|
22
|
-
} = arguments.length >
|
|
28
|
+
} = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : {};
|
|
23
29
|
try {
|
|
24
|
-
return validateTrustChain(trustAnchorEntity, chain);
|
|
30
|
+
return validateTrustChain(trustAnchorEntity, chain, x509Options);
|
|
25
31
|
} catch (error) {
|
|
26
32
|
if (renewOnFail) {
|
|
27
33
|
const renewedChain = await renewTrustChain(chain, appFetch);
|
|
28
|
-
return validateTrustChain(trustAnchorEntity, renewedChain);
|
|
34
|
+
return validateTrustChain(trustAnchorEntity, renewedChain, x509Options);
|
|
29
35
|
} else {
|
|
30
36
|
throw error;
|
|
31
37
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["decode","verify","decodeJwt","CredentialIssuerEntityConfiguration","EntityConfiguration","EntityStatement","FederationListResponse","RelyingPartyEntityConfiguration","TrustAnchorEntityConfiguration","WalletProviderEntityConfiguration","renewTrustChain","validateTrustChain","hasStatusOrThrow","BuildTrustChainError","FederationListParseError","MissingFederationFetchEndpointError","RelyingPartyNotAuthorizedError","TrustAnchorKidMissingError","verifyTrustChain","trustAnchorEntity","chain","
|
|
1
|
+
{"version":3,"names":["decode","verify","decodeJwt","CredentialIssuerEntityConfiguration","EntityConfiguration","EntityStatement","FederationListResponse","RelyingPartyEntityConfiguration","TrustAnchorEntityConfiguration","WalletProviderEntityConfiguration","renewTrustChain","validateTrustChain","hasStatusOrThrow","BuildTrustChainError","FederationListParseError","MissingFederationFetchEndpointError","RelyingPartyNotAuthorizedError","TrustAnchorKidMissingError","verifyTrustChain","trustAnchorEntity","chain","x509Options","arguments","length","undefined","connectTimeout","readTimeout","requireCrl","appFetch","fetch","renewOnFail","error","renewedChain","getSignedEntityConfiguration","entityBaseUrl","wellKnownUrl","method","then","res","text","fetchAndParseEntityConfiguration","schema","responseText","responseJwt","parse","header","protectedHeader","payload","getWalletProviderEntityConfiguration","options","getCredentialIssuerEntityConfiguration","getTrustAnchorEntityConfiguration","getRelyingPartyEntityConfiguration","getEntityConfiguration","getEntityStatement","accreditationBodyBaseUrl","subordinatedEntityBaseUrl","getSignedEntityStatement","federationFetchEndpoint","url","URL","searchParams","set","toString","getFederationList","federationListEndpoint","json","result","safeParse","success","message","parseError","data","buildTrustChain","relyingPartyEntityBaseUrl","trustAnchorKey","trustChain","gatherTrustChain","trustAnchorJwt","relyingPartyUrl","kid","trustAnchorConfig","metadata","federation_entity","federation_list_endpoint","federationList","includes","isLeaf","entityECJwt","entityEC","push","authorityHints","authority_hints","parentEntityBaseUrl","parentECJwt","parentEC","federation_fetch_endpoint","missingInEntityUrl","entityStatementJwt","parentChain","concat"],"sourceRoot":"../../../src","sources":["trust/index.ts"],"mappings":"AAAA,SAASA,MAAM,EAAEC,MAAM,QAAQ,SAAS;AACxC,SAASD,MAAM,IAAIE,SAAS,QAAQ,6BAA6B;AACjE,SACEC,mCAAmC,EACnCC,mBAAmB,EACnBC,eAAe,EACfC,sBAAsB,EACtBC,+BAA+B,EAC/BC,8BAA8B,EAC9BC,iCAAiC,QAC5B,SAAS;AAChB,SAASC,eAAe,EAAEC,kBAAkB,QAAQ,SAAS;AAC7D,SAASC,gBAAgB,QAAQ,eAAe;AAEhD,SACEC,oBAAoB,EACpBC,wBAAwB,EACxBC,mCAAmC,EACnCC,8BAA8B,EAC9BC,0BAA0B,QACrB,UAAU;AAYjB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeC,gBAAgBA,CACpCC,iBAAiD,EACjDC,KAAe,EAUiC;EAAA,IAThDC,WAAmC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG;IACpCG,cAAc,EAAE,KAAK;IACrBC,WAAW,EAAE,KAAK;IAClBC,UAAU,EAAE;EACd,CAAC;EAAA,IACD;IACEC,QAAQ,GAAGC,KAAK;IAChBC,WAAW,GAAG;EAC4C,CAAC,GAAAR,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAElE,IAAI;IACF,OAAOX,kBAAkB,CAACQ,iBAAiB,EAAEC,KAAK,EAAEC,WAAW,CAAC;EAClE,CAAC,CAAC,OAAOU,KAAK,EAAE;IACd,IAAID,WAAW,EAAE;MACf,MAAME,YAAY,GAAG,MAAMtB,eAAe,CAACU,KAAK,EAAEQ,QAAQ,CAAC;MAC3D,OAAOjB,kBAAkB,CAACQ,iBAAiB,EAAEa,YAAY,EAAEX,WAAW,CAAC;IACzE,CAAC,MAAM;MACL,MAAMU,KAAK;IACb;EACF;AACF;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeE,4BAA4BA,CAChDC,aAAqB,EAMJ;EAAA,IALjB;IACEN,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMa,YAAY,GAAI,GAAED,aAAc,gCAA+B;EAErE,OAAO,MAAMN,QAAQ,CAACO,YAAY,EAAE;IAClCC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAACzB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3ByB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoCA,eAAeC,gCAAgCA,CAC7CN,aAAqB,EACrBO,MAK8B,EAM9B;EAAA,IALA;IACEb,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMoB,YAAY,GAAG,MAAMT,4BAA4B,CAACC,aAAa,EAAE;IACrEN;EACF,CAAC,CAAC;EAEF,MAAMe,WAAW,GAAGzC,SAAS,CAACwC,YAAY,CAAC;EAC3C,OAAOD,MAAM,CAACG,KAAK,CAAC;IAClBC,MAAM,EAAEF,WAAW,CAACG,eAAe;IACnCC,OAAO,EAAEJ,WAAW,CAACI;EACvB,CAAC,CAAC;AACJ;AAEA,OAAO,MAAMC,oCAAoC,GAAGA,CAClDd,aAAqE,EACrEe,OAAgE,KAEhET,gCAAgC,CAC9BN,aAAa,EACbzB,iCAAiC,EACjCwC,OACF,CAAC;AAEH,OAAO,MAAMC,sCAAsC,GAAGA,CACpDhB,aAAqE,EACrEe,OAAgE,KAEhET,gCAAgC,CAC9BN,aAAa,EACb/B,mCAAmC,EACnC8C,OACF,CAAC;AAEH,OAAO,MAAME,iCAAiC,GAAGA,CAC/CjB,aAAqE,EACrEe,OAAgE,KAEhET,gCAAgC,CAC9BN,aAAa,EACb1B,8BAA8B,EAC9ByC,OACF,CAAC;AAEH,OAAO,MAAMG,kCAAkC,GAAGA,CAChDlB,aAAqE,EACrEe,OAAgE,KAEhET,gCAAgC,CAC9BN,aAAa,EACb3B,+BAA+B,EAC/B0C,OACF,CAAC;AAEH,OAAO,MAAMI,sBAAsB,GAAGA,CACpCnB,aAAqE,EACrEe,OAAgE,KAEhET,gCAAgC,CAACN,aAAa,EAAE9B,mBAAmB,EAAE6C,OAAO,CAAC;;AAE/E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeK,kBAAkBA,CACtCC,wBAAgC,EAChCC,yBAAiC,EAMjC;EAAA,IALA;IACE5B,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMoB,YAAY,GAAG,MAAMe,wBAAwB,CACjDF,wBAAwB,EACxBC,yBAAyB,EACzB;IACE5B;EACF,CACF,CAAC;EAED,MAAMe,WAAW,GAAGzC,SAAS,CAACwC,YAAY,CAAC;EAC3C,OAAOrC,eAAe,CAACuC,KAAK,CAAC;IAC3BC,MAAM,EAAEF,WAAW,CAACG,eAAe;IACnCC,OAAO,EAAEJ,WAAW,CAACI;EACvB,CAAC,CAAC;AACJ;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeU,wBAAwBA,CAC5CC,uBAA+B,EAC/BF,yBAAiC,EAMjC;EAAA,IALA;IACE5B,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMqC,GAAG,GAAG,IAAIC,GAAG,CAACF,uBAAuB,CAAC;EAC5CC,GAAG,CAACE,YAAY,CAACC,GAAG,CAAC,KAAK,EAAEN,yBAAyB,CAAC;EAEtD,OAAO,MAAM5B,QAAQ,CAAC+B,GAAG,CAACI,QAAQ,CAAC,CAAC,EAAE;IACpC3B,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAACzB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3ByB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeyB,iBAAiBA,CACrCC,sBAA8B,EAMX;EAAA,IALnB;IACErC,QAAQ,GAAGC;EAGb,CAAC,GAAAP,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,OAAO,MAAMM,QAAQ,CAACqC,sBAAsB,EAAE;IAC5C7B,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAACzB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3ByB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAAC4B,IAAI,CAAC,CAAC,CAAC,CACzB7B,IAAI,CAAE6B,IAAI,IAAK;IACd,MAAMC,MAAM,GAAG7D,sBAAsB,CAAC8D,SAAS,CAACF,IAAI,CAAC;IACrD,IAAI,CAACC,MAAM,CAACE,OAAO,EAAE;MACnB,MAAM,IAAIvD,wBAAwB,CAC/B,gDAA+CmD,sBAAuB,YAAWE,MAAM,CAACpC,KAAK,CAACuC,OAAQ,EAAC,EACxG;QAAEX,GAAG,EAAEM,sBAAsB;QAAEM,UAAU,EAAEJ,MAAM,CAACpC,KAAK,CAACgC,QAAQ,CAAC;MAAE,CACrE,CAAC;IACH;IACA,OAAOI,MAAM,CAACK,IAAI;EACpB,CAAC,CAAC;AACN;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeC,eAAeA,CACnCC,yBAAiC,EACjCC,cAAmB,EAEA;EAAA,IADnB/C,QAA8B,GAAAN,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGO,KAAK;EAEtC;EACA,MAAM+C,UAAU,GAAG,MAAMC,gBAAgB,CACvCH,yBAAyB,EACzB9C,QACF,CAAC;;EAED;EACA,MAAMkD,cAAc,GAAGF,UAAU,CAACA,UAAU,CAACrD,MAAM,GAAG,CAAC,CAAC;EACxD,IAAI,CAACuD,cAAc,EAAE;IACnB,MAAM,IAAIjE,oBAAoB,CAC5B,6EAA6E,EAC7E;MAAEkE,eAAe,EAAEL;IAA0B,CAC/C,CAAC;EACH;EAEA,IAAI,CAACC,cAAc,CAACK,GAAG,EAAE;IACvB,MAAM,IAAI/D,0BAA0B,CAAC,CAAC;EACxC;EAEA,MAAMhB,MAAM,CAAC6E,cAAc,EAAEH,cAAc,CAACK,GAAG,EAAE,CAACL,cAAc,CAAC,CAAC;;EAElE;EACA,MAAMM,iBAAiB,GAAG7E,mBAAmB,CAACwC,KAAK,CAAC5C,MAAM,CAAC8E,cAAc,CAAC,CAAC;EAC3E,MAAMb,sBAAsB,GAC1BgB,iBAAiB,CAAClC,OAAO,CAACmC,QAAQ,CAACC,iBAAiB,CACjDC,wBAAwB;EAE7B,IAAInB,sBAAsB,EAAE;IAC1B,MAAMoB,cAAc,GAAG,MAAMrB,iBAAiB,CAACC,sBAAsB,EAAE;MACrErC;IACF,CAAC,CAAC;IAEF,IAAI,CAACyD,cAAc,CAACC,QAAQ,CAACZ,yBAAyB,CAAC,EAAE;MACvD,MAAM,IAAI1D,8BAA8B,CACtC,wFAAwF,EACxF;QAAE+D,eAAe,EAAEL,yBAAyB;QAAET;MAAuB,CACvE,CAAC;IACH;EACF;EAEA,OAAOW,UAAU;AACnB;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAeC,gBAAgBA,CAC7B3C,aAAqB,EACrBN,QAA8B,EAEX;EAAA,IADnB2D,MAAe,GAAAjE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,IAAI;EAEtB,MAAMF,KAAe,GAAG,EAAE;;EAE1B;EACA,MAAMoE,WAAW,GAAG,MAAMvD,4BAA4B,CAACC,aAAa,EAAE;IACpEN;EACF,CAAC,CAAC;EACF,MAAM6D,QAAQ,GAAGrF,mBAAmB,CAACwC,KAAK,CAAC5C,MAAM,CAACwF,WAAW,CAAC,CAAC;EAE/D,IAAID,MAAM,EAAE;IACV;IACAnE,KAAK,CAACsE,IAAI,CAACF,WAAW,CAAC;EACzB;;EAEA;EACA,MAAMG,cAAc,GAAGF,QAAQ,CAAC1C,OAAO,CAAC6C,eAAe,IAAI,EAAE;EAC7D,IAAID,cAAc,CAACpE,MAAM,KAAK,CAAC,EAAE;IAC/B;IACA,IAAI,CAACgE,MAAM,EAAE;MACXnE,KAAK,CAACsE,IAAI,CAACF,WAAW,CAAC;IACzB;IACA,OAAOpE,KAAK;EACd;EAEA,MAAMyE,mBAAmB,GAAGF,cAAc,CAAC,CAAC,CAAE;;EAE9C;EACA,MAAMG,WAAW,GAAG,MAAM7D,4BAA4B,CAAC4D,mBAAmB,EAAE;IAC1EjE;EACF,CAAC,CAAC;EACF,MAAMmE,QAAQ,GAAG3F,mBAAmB,CAACwC,KAAK,CAAC5C,MAAM,CAAC8F,WAAW,CAAC,CAAC;;EAE/D;EACA,MAAMpC,uBAAuB,GAC3BqC,QAAQ,CAAChD,OAAO,CAACmC,QAAQ,CAACC,iBAAiB,CAACa,yBAAyB;EACvE,IAAI,CAACtC,uBAAuB,EAAE;IAC5B,MAAM,IAAI3C,mCAAmC,CAC1C,kDAAiD8E,mBAAoB,4CAA2C3D,aAAc,GAAE,EACjI;MAAEA,aAAa;MAAE+D,kBAAkB,EAAEJ;IAAoB,CAC3D,CAAC;EACH;EAEA,MAAMK,kBAAkB,GAAG,MAAMzC,wBAAwB,CACvDC,uBAAuB,EACvBxB,aAAa,EACb;IAAEN;EAAS,CACb,CAAC;EACD;EACAvB,eAAe,CAACuC,KAAK,CAAC5C,MAAM,CAACkG,kBAAkB,CAAC,CAAC;;EAEjD;EACA9E,KAAK,CAACsE,IAAI,CAACQ,kBAAkB,CAAC;;EAE9B;EACA,MAAMC,WAAW,GAAG,MAAMtB,gBAAgB,CACxCgB,mBAAmB,EACnBjE,QAAQ,EACR,KACF,CAAC;EAED,OAAOR,KAAK,CAACgF,MAAM,CAACD,WAAW,CAAC;AAClC"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { decode as decodeJwt, verify as verifyJwt } from "@pagopa/io-react-native-jwt";
|
|
2
|
+
import { FederationError } from "./errors";
|
|
2
3
|
// Verify a token signature
|
|
3
4
|
// The kid is extracted from the token header
|
|
4
5
|
export const verify = async (token, kid, jwks) => {
|
|
@@ -30,4 +31,30 @@ export const decode = token => {
|
|
|
30
31
|
payload
|
|
31
32
|
};
|
|
32
33
|
};
|
|
34
|
+
|
|
35
|
+
/**
|
|
36
|
+
* Extracts the X.509 Trust Anchor certificate (Base64 encoded) from the
|
|
37
|
+
* Trust Anchor's Entity Configuration.
|
|
38
|
+
*
|
|
39
|
+
* @param trustAnchorEntity The entity configuration of the known trust anchor.
|
|
40
|
+
* @returns The Base64 encoded X.509 certificate string.
|
|
41
|
+
* @throws {FederationError} If the certificate cannot be derived.
|
|
42
|
+
*/
|
|
43
|
+
export function getTrustAnchorX509Certificate(trustAnchorEntity) {
|
|
44
|
+
const taHeaderKid = trustAnchorEntity.header.kid;
|
|
45
|
+
const taSigningJwk = trustAnchorEntity.payload.jwks.keys.find(key => key.kid === taHeaderKid);
|
|
46
|
+
if (!taSigningJwk) {
|
|
47
|
+
throw new FederationError(`Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' not found in Trust Anchor's JWKS.`, {
|
|
48
|
+
trustAnchorKid: taHeaderKid,
|
|
49
|
+
reason: "JWK not found for header kid"
|
|
50
|
+
});
|
|
51
|
+
}
|
|
52
|
+
if (taSigningJwk.x5c && taSigningJwk.x5c.length > 0 && taSigningJwk.x5c[0]) {
|
|
53
|
+
return taSigningJwk.x5c[0];
|
|
54
|
+
}
|
|
55
|
+
throw new FederationError(`Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' does not contain a valid 'x5c' certificate array.`, {
|
|
56
|
+
trustAnchorKid: taHeaderKid,
|
|
57
|
+
reason: "Missing or empty x5c in JWK"
|
|
58
|
+
});
|
|
59
|
+
}
|
|
33
60
|
//# sourceMappingURL=utils.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["decode","decodeJwt","verify","verifyJwt","token","kid","jwks","jwk","find","k","Error","protectedHeader","header","payload"],"sourceRoot":"../../../src","sources":["trust/utils.ts"],"mappings":"AAAA,SACEA,MAAM,IAAIC,SAAS,EACnBC,MAAM,IAAIC,SAAS,QACd,6BAA6B;
|
|
1
|
+
{"version":3,"names":["decode","decodeJwt","verify","verifyJwt","FederationError","token","kid","jwks","jwk","find","k","Error","protectedHeader","header","payload","getTrustAnchorX509Certificate","trustAnchorEntity","taHeaderKid","taSigningJwk","keys","key","trustAnchorKid","reason","x5c","length"],"sourceRoot":"../../../src","sources":["trust/utils.ts"],"mappings":"AAAA,SACEA,MAAM,IAAIC,SAAS,EACnBC,MAAM,IAAIC,SAAS,QACd,6BAA6B;AAGpC,SAASC,eAAe,QAAQ,UAAU;AAQ1C;AACA;AACA,OAAO,MAAMF,MAAM,GAAG,MAAAA,CACpBG,KAAa,EACbC,GAAW,EACXC,IAAW,KACc;EACzB,MAAMC,GAAG,GAAGD,IAAI,CAACE,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACJ,GAAG,KAAKA,GAAG,CAAC;EAC3C,IAAI,CAACE,GAAG,EAAE;IACR,MAAM,IAAIG,KAAK,CAAE,gBAAeL,GAAI,YAAWD,KAAM,EAAC,CAAC;EACzD;EACA,MAAM;IAAEO,eAAe,EAAEC,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAMX,SAAS,CAACE,KAAK,EAAEG,GAAG,CAAC;EACxE,OAAO;IAAEK,MAAM;IAAEC;EAAQ,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;AACA,OAAO,MAAMd,MAAM,GAAIK,KAAa,IAAkB;EACpD,MAAM;IAAEO,eAAe,EAAEC,MAAM;IAAEC;EAAQ,CAAC,GAAGb,SAAS,CAACI,KAAK,CAAC;EAC7D,OAAO;IAAEQ,MAAM;IAAEC;EAAQ,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,6BAA6BA,CAC3CC,iBAAiD,EACzC;EACR,MAAMC,WAAW,GAAGD,iBAAiB,CAACH,MAAM,CAACP,GAAG;EAChD,MAAMY,YAAY,GAAGF,iBAAiB,CAACF,OAAO,CAACP,IAAI,CAACY,IAAI,CAACV,IAAI,CAC1DW,GAAG,IAAKA,GAAG,CAACd,GAAG,KAAKW,WACvB,CAAC;EAED,IAAI,CAACC,YAAY,EAAE;IACjB,MAAM,IAAId,eAAe,CACtB,+DAA8Da,WAAY,qCAAoC,EAC/G;MAAEI,cAAc,EAAEJ,WAAW;MAAEK,MAAM,EAAE;IAA+B,CACxE,CAAC;EACH;EAEA,IAAIJ,YAAY,CAACK,GAAG,IAAIL,YAAY,CAACK,GAAG,CAACC,MAAM,GAAG,CAAC,IAAIN,YAAY,CAACK,GAAG,CAAC,CAAC,CAAC,EAAE;IAC1E,OAAOL,YAAY,CAACK,GAAG,CAAC,CAAC,CAAC;EAC5B;EAEA,MAAM,IAAInB,eAAe,CACtB,+DAA8Da,WAAY,qDAAoD,EAC/H;IAAEI,cAAc,EAAEJ,WAAW;IAAEK,MAAM,EAAE;EAA8B,CACvE,CAAC;AACH"}
|
|
@@ -21,21 +21,21 @@ export declare const WalletAttestationsView: z.ZodObject<{
|
|
|
21
21
|
format: z.ZodUnion<[z.ZodLiteral<"jwt">, z.ZodLiteral<"dc+sd-jwt">]>;
|
|
22
22
|
wallet_attestation: z.ZodString;
|
|
23
23
|
}, "strip", z.ZodTypeAny, {
|
|
24
|
-
format: "jwt" | "dc+sd-jwt";
|
|
25
24
|
wallet_attestation: string;
|
|
26
|
-
}, {
|
|
27
25
|
format: "jwt" | "dc+sd-jwt";
|
|
26
|
+
}, {
|
|
28
27
|
wallet_attestation: string;
|
|
28
|
+
format: "jwt" | "dc+sd-jwt";
|
|
29
29
|
}>, "many">;
|
|
30
30
|
}, "strip", z.ZodTypeAny, {
|
|
31
31
|
wallet_attestations: {
|
|
32
|
-
format: "jwt" | "dc+sd-jwt";
|
|
33
32
|
wallet_attestation: string;
|
|
33
|
+
format: "jwt" | "dc+sd-jwt";
|
|
34
34
|
}[];
|
|
35
35
|
}, {
|
|
36
36
|
wallet_attestations: {
|
|
37
|
-
format: "jwt" | "dc+sd-jwt";
|
|
38
37
|
wallet_attestation: string;
|
|
38
|
+
format: "jwt" | "dc+sd-jwt";
|
|
39
39
|
}[];
|
|
40
40
|
}>;
|
|
41
41
|
export type CreateWalletInstanceBody = z.infer<typeof CreateWalletInstanceBody>;
|
|
@@ -221,21 +221,21 @@ export declare const post_CreateWalletAttestationV2: {
|
|
|
221
221
|
format: z.ZodUnion<[z.ZodLiteral<"jwt">, z.ZodLiteral<"dc+sd-jwt">]>;
|
|
222
222
|
wallet_attestation: z.ZodString;
|
|
223
223
|
}, "strip", z.ZodTypeAny, {
|
|
224
|
-
format: "jwt" | "dc+sd-jwt";
|
|
225
224
|
wallet_attestation: string;
|
|
226
|
-
}, {
|
|
227
225
|
format: "jwt" | "dc+sd-jwt";
|
|
226
|
+
}, {
|
|
228
227
|
wallet_attestation: string;
|
|
228
|
+
format: "jwt" | "dc+sd-jwt";
|
|
229
229
|
}>, "many">;
|
|
230
230
|
}, "strip", z.ZodTypeAny, {
|
|
231
231
|
wallet_attestations: {
|
|
232
|
-
format: "jwt" | "dc+sd-jwt";
|
|
233
232
|
wallet_attestation: string;
|
|
233
|
+
format: "jwt" | "dc+sd-jwt";
|
|
234
234
|
}[];
|
|
235
235
|
}, {
|
|
236
236
|
wallet_attestations: {
|
|
237
|
-
format: "jwt" | "dc+sd-jwt";
|
|
238
237
|
wallet_attestation: string;
|
|
238
|
+
format: "jwt" | "dc+sd-jwt";
|
|
239
239
|
}[];
|
|
240
240
|
}>;
|
|
241
241
|
};
|
|
@@ -487,21 +487,21 @@ export declare const EndpointByMethod: {
|
|
|
487
487
|
format: z.ZodUnion<[z.ZodLiteral<"jwt">, z.ZodLiteral<"dc+sd-jwt">]>;
|
|
488
488
|
wallet_attestation: z.ZodString;
|
|
489
489
|
}, "strip", z.ZodTypeAny, {
|
|
490
|
-
format: "jwt" | "dc+sd-jwt";
|
|
491
490
|
wallet_attestation: string;
|
|
492
|
-
}, {
|
|
493
491
|
format: "jwt" | "dc+sd-jwt";
|
|
492
|
+
}, {
|
|
494
493
|
wallet_attestation: string;
|
|
494
|
+
format: "jwt" | "dc+sd-jwt";
|
|
495
495
|
}>, "many">;
|
|
496
496
|
}, "strip", z.ZodTypeAny, {
|
|
497
497
|
wallet_attestations: {
|
|
498
|
-
format: "jwt" | "dc+sd-jwt";
|
|
499
498
|
wallet_attestation: string;
|
|
499
|
+
format: "jwt" | "dc+sd-jwt";
|
|
500
500
|
}[];
|
|
501
501
|
}, {
|
|
502
502
|
wallet_attestations: {
|
|
503
|
-
format: "jwt" | "dc+sd-jwt";
|
|
504
503
|
wallet_attestation: string;
|
|
504
|
+
format: "jwt" | "dc+sd-jwt";
|
|
505
505
|
}[];
|
|
506
506
|
}>;
|
|
507
507
|
};
|
|
@@ -574,13 +574,13 @@ export declare const RequestObject: z.ZodObject<{
|
|
|
574
574
|
}>>;
|
|
575
575
|
}, "strip", z.ZodTypeAny, {
|
|
576
576
|
iss: string;
|
|
577
|
+
nonce: string;
|
|
577
578
|
iat: number;
|
|
578
579
|
exp: number;
|
|
579
|
-
|
|
580
|
+
client_id: string;
|
|
580
581
|
response_uri: string;
|
|
581
582
|
response_type: "vp_token";
|
|
582
583
|
response_mode: "direct_post.jwt";
|
|
583
|
-
client_id: string;
|
|
584
584
|
state?: string | undefined;
|
|
585
585
|
response_uri_method?: string | undefined;
|
|
586
586
|
dcql_query?: Record<string, any> | undefined;
|
|
@@ -624,13 +624,13 @@ export declare const RequestObject: z.ZodObject<{
|
|
|
624
624
|
} | undefined;
|
|
625
625
|
}, {
|
|
626
626
|
iss: string;
|
|
627
|
+
nonce: string;
|
|
627
628
|
iat: number;
|
|
628
629
|
exp: number;
|
|
629
|
-
|
|
630
|
+
client_id: string;
|
|
630
631
|
response_uri: string;
|
|
631
632
|
response_type: "vp_token";
|
|
632
633
|
response_mode: "direct_post.jwt";
|
|
633
|
-
client_id: string;
|
|
634
634
|
state?: string | undefined;
|
|
635
635
|
response_uri_method?: string | undefined;
|
|
636
636
|
dcql_query?: Record<string, any> | undefined;
|
|
@@ -226,6 +226,11 @@ export declare const ParsedStatusAttestation: z.ZodObject<{
|
|
|
226
226
|
credential_hash: string;
|
|
227
227
|
}>;
|
|
228
228
|
}, "strip", z.ZodTypeAny, {
|
|
229
|
+
header: {
|
|
230
|
+
alg: string;
|
|
231
|
+
typ: "status-attestation+jwt";
|
|
232
|
+
kid?: string | undefined;
|
|
233
|
+
};
|
|
229
234
|
payload: {
|
|
230
235
|
iat: number;
|
|
231
236
|
exp: number;
|
|
@@ -258,12 +263,12 @@ export declare const ParsedStatusAttestation: z.ZodObject<{
|
|
|
258
263
|
};
|
|
259
264
|
credential_hash: string;
|
|
260
265
|
};
|
|
266
|
+
}, {
|
|
261
267
|
header: {
|
|
262
268
|
alg: string;
|
|
263
269
|
typ: "status-attestation+jwt";
|
|
264
270
|
kid?: string | undefined;
|
|
265
271
|
};
|
|
266
|
-
}, {
|
|
267
272
|
payload: {
|
|
268
273
|
iat: number;
|
|
269
274
|
exp: number;
|
|
@@ -296,10 +301,5 @@ export declare const ParsedStatusAttestation: z.ZodObject<{
|
|
|
296
301
|
};
|
|
297
302
|
credential_hash: string;
|
|
298
303
|
};
|
|
299
|
-
header: {
|
|
300
|
-
alg: string;
|
|
301
|
-
typ: "status-attestation+jwt";
|
|
302
|
-
kid?: string | undefined;
|
|
303
|
-
};
|
|
304
304
|
}>;
|
|
305
305
|
//# sourceMappingURL=types.d.ts.map
|
|
@@ -18,6 +18,11 @@ import { type Presentation } from "../credential/presentation/types";
|
|
|
18
18
|
*
|
|
19
19
|
*/
|
|
20
20
|
export declare const decode: <S extends z.ZodType<{
|
|
21
|
+
header: {
|
|
22
|
+
alg: string;
|
|
23
|
+
typ: "vc+sd-jwt";
|
|
24
|
+
kid?: string | undefined;
|
|
25
|
+
};
|
|
21
26
|
payload: {
|
|
22
27
|
iss: string;
|
|
23
28
|
status: {
|
|
@@ -59,12 +64,12 @@ export declare const decode: <S extends z.ZodType<{
|
|
|
59
64
|
} & {
|
|
60
65
|
_sd: string[];
|
|
61
66
|
};
|
|
67
|
+
}, z.ZodTypeDef, {
|
|
62
68
|
header: {
|
|
63
69
|
alg: string;
|
|
64
70
|
typ: "vc+sd-jwt";
|
|
65
71
|
kid?: string | undefined;
|
|
66
72
|
};
|
|
67
|
-
}, z.ZodTypeDef, {
|
|
68
73
|
payload: {
|
|
69
74
|
iss: string;
|
|
70
75
|
status: {
|
|
@@ -106,11 +111,6 @@ export declare const decode: <S extends z.ZodType<{
|
|
|
106
111
|
} & {
|
|
107
112
|
_sd: string[];
|
|
108
113
|
};
|
|
109
|
-
header: {
|
|
110
|
-
alg: string;
|
|
111
|
-
typ: "vc+sd-jwt";
|
|
112
|
-
kid?: string | undefined;
|
|
113
|
-
};
|
|
114
114
|
}>>(token: string, customSchema?: S | undefined) => {
|
|
115
115
|
sdJwt: z.TypeOf<S>;
|
|
116
116
|
disclosures: DisclosureWithEncoded[];
|
|
@@ -152,6 +152,11 @@ export declare const disclose: (token: string, claims: string[]) => Promise<{
|
|
|
152
152
|
*
|
|
153
153
|
*/
|
|
154
154
|
export declare const verify: <S extends z.ZodType<{
|
|
155
|
+
header: {
|
|
156
|
+
alg: string;
|
|
157
|
+
typ: "vc+sd-jwt";
|
|
158
|
+
kid?: string | undefined;
|
|
159
|
+
};
|
|
155
160
|
payload: {
|
|
156
161
|
iss: string;
|
|
157
162
|
status: {
|
|
@@ -193,12 +198,12 @@ export declare const verify: <S extends z.ZodType<{
|
|
|
193
198
|
} & {
|
|
194
199
|
_sd: string[];
|
|
195
200
|
};
|
|
201
|
+
}, z.ZodTypeDef, {
|
|
196
202
|
header: {
|
|
197
203
|
alg: string;
|
|
198
204
|
typ: "vc+sd-jwt";
|
|
199
205
|
kid?: string | undefined;
|
|
200
206
|
};
|
|
201
|
-
}, z.ZodTypeDef, {
|
|
202
207
|
payload: {
|
|
203
208
|
iss: string;
|
|
204
209
|
status: {
|
|
@@ -240,11 +245,6 @@ export declare const verify: <S extends z.ZodType<{
|
|
|
240
245
|
} & {
|
|
241
246
|
_sd: string[];
|
|
242
247
|
};
|
|
243
|
-
header: {
|
|
244
|
-
alg: string;
|
|
245
|
-
typ: "vc+sd-jwt";
|
|
246
|
-
kid?: string | undefined;
|
|
247
|
-
};
|
|
248
248
|
}>>(token: string, publicKey: JWK | JWK[], customSchema?: S | undefined) => Promise<{
|
|
249
249
|
sdJwt: z.TypeOf<S>;
|
|
250
250
|
disclosures: Disclosure[];
|
|
@@ -274,6 +274,11 @@ export declare const SdJwt4VC: z.ZodObject<{
|
|
|
274
274
|
_sd: string[];
|
|
275
275
|
}>>;
|
|
276
276
|
}, "strip", z.ZodTypeAny, {
|
|
277
|
+
header: {
|
|
278
|
+
alg: string;
|
|
279
|
+
typ: "vc+sd-jwt";
|
|
280
|
+
kid?: string | undefined;
|
|
281
|
+
};
|
|
277
282
|
payload: {
|
|
278
283
|
iss: string;
|
|
279
284
|
status: {
|
|
@@ -315,12 +320,12 @@ export declare const SdJwt4VC: z.ZodObject<{
|
|
|
315
320
|
} & {
|
|
316
321
|
_sd: string[];
|
|
317
322
|
};
|
|
323
|
+
}, {
|
|
318
324
|
header: {
|
|
319
325
|
alg: string;
|
|
320
326
|
typ: "vc+sd-jwt";
|
|
321
327
|
kid?: string | undefined;
|
|
322
328
|
};
|
|
323
|
-
}, {
|
|
324
329
|
payload: {
|
|
325
330
|
iss: string;
|
|
326
331
|
status: {
|
|
@@ -362,10 +367,5 @@ export declare const SdJwt4VC: z.ZodObject<{
|
|
|
362
367
|
} & {
|
|
363
368
|
_sd: string[];
|
|
364
369
|
};
|
|
365
|
-
header: {
|
|
366
|
-
alg: string;
|
|
367
|
-
typ: "vc+sd-jwt";
|
|
368
|
-
kid?: string | undefined;
|
|
369
|
-
};
|
|
370
370
|
}>;
|
|
371
371
|
//# sourceMappingURL=types.d.ts.map
|
|
@@ -1,14 +1,16 @@
|
|
|
1
1
|
import { TrustAnchorEntityConfiguration } from "./types";
|
|
2
2
|
import { type ParsedToken } from "./utils";
|
|
3
|
+
import { type X509CertificateOptions } from "@pagopa/io-react-native-crypto";
|
|
3
4
|
/**
|
|
4
|
-
* Validates a provided trust chain against a known trust
|
|
5
|
+
* Validates a provided trust chain against a known trust anchor, including X.509 certificate checks.
|
|
5
6
|
*
|
|
6
|
-
* @param trustAnchorEntity The entity configuration of the known trust anchor
|
|
7
|
-
* @param chain The chain of statements to be validated
|
|
8
|
-
* @
|
|
9
|
-
* @
|
|
7
|
+
* @param trustAnchorEntity The entity configuration of the known trust anchor (for JWT validation).
|
|
8
|
+
* @param chain The chain of statements to be validated.
|
|
9
|
+
* @param x509Options Options for X.509 certificate validation.
|
|
10
|
+
* @returns The list of parsed tokens representing the chain.
|
|
11
|
+
* @throws {FederationError} If the chain is not valid (JWT or X.509). Specific errors like TrustChainEmptyError, X509ValidationError may be thrown.
|
|
10
12
|
*/
|
|
11
|
-
export declare function validateTrustChain(trustAnchorEntity: TrustAnchorEntityConfiguration, chain: string[]): Promise<ParsedToken[]>;
|
|
13
|
+
export declare function validateTrustChain(trustAnchorEntity: TrustAnchorEntityConfiguration, chain: string[], x509Options: X509CertificateOptions): Promise<ParsedToken[]>;
|
|
12
14
|
/**
|
|
13
15
|
* Given a trust chain, obtain a new trust chain by fetching each element's fresh version
|
|
14
16
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"chain.d.ts","sourceRoot":"","sources":["../../../src/trust/chain.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,8BAA8B,EAC/B,MAAM,SAAS,CAAC;AAIjB,OAAO,
|
|
1
|
+
{"version":3,"file":"chain.d.ts","sourceRoot":"","sources":["../../../src/trust/chain.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,8BAA8B,EAC/B,MAAM,SAAS,CAAC;AAIjB,OAAO,EAGL,KAAK,WAAW,EAEjB,MAAM,SAAS,CAAC;AAUjB,OAAO,EAGL,KAAK,sBAAsB,EAC5B,MAAM,gCAAgC,CAAC;AAaxC;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,iBAAiB,EAAE,8BAA8B,EACjD,KAAK,EAAE,MAAM,EAAE,EACf,WAAW,EAAE,sBAAsB,GAClC,OAAO,CAAC,WAAW,EAAE,CAAC,CAkHxB;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EAAE,EACf,QAAQ,GAAE,WAAW,CAAC,OAAO,CAAS,GACrC,OAAO,CAAC,MAAM,EAAE,CAAC,CA8CnB"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { IoWalletError } from "../utils/errors";
|
|
2
|
+
import type { CertificateValidationStatus } from "@pagopa/io-react-native-crypto";
|
|
2
3
|
/**
|
|
3
4
|
* Base class for all federation-specific errors.
|
|
4
5
|
*/
|
|
@@ -77,4 +78,25 @@ export declare class MissingFederationFetchEndpointError extends FederationError
|
|
|
77
78
|
missingInEntityUrl: string;
|
|
78
79
|
});
|
|
79
80
|
}
|
|
81
|
+
/**
|
|
82
|
+
* Error thrown when the X.509 certificate chain is missing in an entity's configuration.
|
|
83
|
+
*/
|
|
84
|
+
export declare class MissingX509CertsError extends FederationError {
|
|
85
|
+
code: string;
|
|
86
|
+
constructor(message: string);
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* Error thrown when an X.509 certificate validation fails.
|
|
90
|
+
* This is used to indicate issues with the certificate chain or signature verification.
|
|
91
|
+
*/
|
|
92
|
+
export declare class X509ValidationError extends FederationError {
|
|
93
|
+
code: string;
|
|
94
|
+
constructor(message: string, details?: {
|
|
95
|
+
tokenIndex?: number;
|
|
96
|
+
kid?: string;
|
|
97
|
+
x509ValidationStatus?: CertificateValidationStatus;
|
|
98
|
+
x509ErrorMessage?: string;
|
|
99
|
+
[key: string]: unknown;
|
|
100
|
+
});
|
|
101
|
+
}
|
|
80
102
|
//# sourceMappingURL=errors.d.ts.map
|