@pagopa/io-react-native-wallet 2.0.0-next.0 → 2.0.0-next.2

package/src/trust/index.ts

@@ -1,436 +1,6 @@
-import { decode, verify } from "./utils";
-import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
-import {
-  CredentialIssuerEntityConfiguration,
-  EntityConfiguration,
-  EntityStatement,
-  FederationListResponse,
-  RelyingPartyEntityConfiguration,
-  TrustAnchorEntityConfiguration,
-  WalletProviderEntityConfiguration,
-} from "./types";
-import { renewTrustChain, validateTrustChain } from "./chain";
-import { hasStatusOrThrow } from "../utils/misc";
-import type { JWK } from "../utils/jwk";
-import {
-  BuildTrustChainError,
-  FederationListParseError,
-  MissingFederationFetchEndpointError,
-  RelyingPartyNotAuthorizedError,
-  TrustAnchorKidMissingError,
-} from "./errors";
+import * as Build from "./build-chain";
+import * as Verify from "./verify-chain";
+import * as Errors from "./errors";
+import * as Types from "./types";
 
-export type {
-  WalletProviderEntityConfiguration,
-  TrustAnchorEntityConfiguration,
-  CredentialIssuerEntityConfiguration,
-  RelyingPartyEntityConfiguration,
-  EntityConfiguration,
-  EntityStatement,
-};
-
-/**
- * Verify a given trust chain is actually valid.
- * It can handle fast chain renewal, which means we try to fetch a fresh version of each statement.
- *
- * @param trustAnchorEntity The entity configuration of the known trust anchor
- * @param chain The chain of statements to be validated
- * @param renewOnFail Whether to renew the provided chain if the validation fails at first. Default: true
- * @param appFetch Fetch api implementation. Default: the built-in implementation
- * @returns The result of the chain validation
- * @throws {FederationError} If the chain is not valid
- */
-export async function verifyTrustChain(
-  trustAnchorEntity: TrustAnchorEntityConfiguration,
-  chain: string[],
-  {
-    appFetch = fetch,
-    renewOnFail = true,
-  }: { appFetch?: GlobalFetch["fetch"]; renewOnFail?: boolean } = {}
-): Promise<ReturnType<typeof validateTrustChain>> {
-  try {
-    return validateTrustChain(trustAnchorEntity, chain);
-  } catch (error) {
-    if (renewOnFail) {
-      const renewedChain = await renewTrustChain(chain, appFetch);
-      return validateTrustChain(trustAnchorEntity, renewedChain);
-    } else {
-      throw error;
-    }
-  }
-}
-
-/**
- * Fetch the signed entity configuration token for an entity
- *
- * @param entityBaseUrl The url of the entity to fetch
- * @param appFetch (optional) fetch api implementation
- * @returns The signed Entity Configuration token
- */
-export async function getSignedEntityConfiguration(
-  entityBaseUrl: string,
-  {
-    appFetch = fetch,
-  }: {
-    appFetch?: GlobalFetch["fetch"];
-  } = {}
-): Promise<string> {
-  const wellKnownUrl = `${entityBaseUrl}/.well-known/openid-federation`;
-
-  return await appFetch(wellKnownUrl, {
-    method: "GET",
-  })
-    .then(hasStatusOrThrow(200))
-    .then((res) => res.text());
-}
-
-/**
- * Fetch and parse the entity configuration document for a given federation entity.
- * This is an inner method to serve public interfaces.
- *
- * To add another entity configuration type (example: Foo entity type):
- *  - create its zod schema and type by inherit from the base type (example: FooEntityConfiguration = BaseEntityConfiguration.and(...))
- *  - add such type to EntityConfiguration union
- *  - add an overload to this function
- *  - create a public function which use such type (example: getFooEntityConfiguration = (url, options) => Promise<FooEntityConfiguration>)
- *
- * @param entityBaseUrl The base url of the entity.
- * @param schema The expected schema of the entity configuration, according to the kind of entity we are fetching from.
- * @param options An optional object with additional options.
- * @param options.appFetch An optional instance of the http client to be used.
- * @returns The parsed entity configuration object
- * @throws {IoWalletError} If the http request fails
- * @throws Parse error if the document is not in the expected shape.
- */
-async function fetchAndParseEntityConfiguration(
-  entityBaseUrl: string,
-  schema: typeof WalletProviderEntityConfiguration,
-  options?: {
-    appFetch?: GlobalFetch["fetch"];
-  }
-): Promise<WalletProviderEntityConfiguration>;
-async function fetchAndParseEntityConfiguration(
-  entityBaseUrl: string,
-  schema: typeof RelyingPartyEntityConfiguration,
-  options?: {
-    appFetch?: GlobalFetch["fetch"];
-  }
-): Promise<RelyingPartyEntityConfiguration>;
-async function fetchAndParseEntityConfiguration(
-  entityBaseUrl: string,
-  schema: typeof TrustAnchorEntityConfiguration,
-  options?: {
-    appFetch?: GlobalFetch["fetch"];
-  }
-): Promise<TrustAnchorEntityConfiguration>;
-async function fetchAndParseEntityConfiguration(
-  entityBaseUrl: string,
-  schema: typeof CredentialIssuerEntityConfiguration,
-  options?: {
-    appFetch?: GlobalFetch["fetch"];
-  }
-): Promise<CredentialIssuerEntityConfiguration>;
-async function fetchAndParseEntityConfiguration(
-  entityBaseUrl: string,
-  schema: typeof EntityConfiguration,
-  options?: {
-    appFetch?: GlobalFetch["fetch"];
-  }
-): Promise<EntityConfiguration>;
-async function fetchAndParseEntityConfiguration(
-  entityBaseUrl: string,
-  schema: /* FIXME: why is it different from "typeof EntityConfiguration"? */
-  | typeof CredentialIssuerEntityConfiguration
-    | typeof WalletProviderEntityConfiguration
-    | typeof RelyingPartyEntityConfiguration
-    | typeof TrustAnchorEntityConfiguration
-    | typeof EntityConfiguration,
-  {
-    appFetch = fetch,
-  }: {
-    appFetch?: GlobalFetch["fetch"];
-  } = {}
-) {
-  const responseText = await getSignedEntityConfiguration(entityBaseUrl, {
-    appFetch,
-  });
-
-  const responseJwt = decodeJwt(responseText);
-  return schema.parse({
-    header: responseJwt.protectedHeader,
-    payload: responseJwt.payload,
-  });
-}
-
-export const getWalletProviderEntityConfiguration = (
-  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
-  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
-) =>
-  fetchAndParseEntityConfiguration(
-    entityBaseUrl,
-    WalletProviderEntityConfiguration,
-    options
-  );
-
-export const getCredentialIssuerEntityConfiguration = (
-  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
-  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
-) =>
-  fetchAndParseEntityConfiguration(
-    entityBaseUrl,
-    CredentialIssuerEntityConfiguration,
-    options
-  );
-
-export const getTrustAnchorEntityConfiguration = (
-  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
-  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
-) =>
-  fetchAndParseEntityConfiguration(
-    entityBaseUrl,
-    TrustAnchorEntityConfiguration,
-    options
-  );
-
-export const getRelyingPartyEntityConfiguration = (
-  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
-  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
-) =>
-  fetchAndParseEntityConfiguration(
-    entityBaseUrl,
-    RelyingPartyEntityConfiguration,
-    options
-  );
-
-export const getEntityConfiguration = (
-  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
-  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
-) =>
-  fetchAndParseEntityConfiguration(entityBaseUrl, EntityConfiguration, options);
-
-/**
- * Fetch and parse the entity statement document for a given federation entity.
- *
- * @param accreditationBodyBaseUrl The base url of the accreditation body which holds and signs the required entity statement
- * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity
- * @param appFetch An optional instance of the http client to be used.
- * @returns The parsed entity configuration object
- * @throws {IoWalletError} If the http request fails
- */
-export async function getEntityStatement(
-  accreditationBodyBaseUrl: string,
-  subordinatedEntityBaseUrl: string,
-  {
-    appFetch = fetch,
-  }: {
-    appFetch?: GlobalFetch["fetch"];
-  } = {}
-) {
-  const responseText = await getSignedEntityStatement(
-    accreditationBodyBaseUrl,
-    subordinatedEntityBaseUrl,
-    {
-      appFetch,
-    }
-  );
-
-  const responseJwt = decodeJwt(responseText);
-  return EntityStatement.parse({
-    header: responseJwt.protectedHeader,
-    payload: responseJwt.payload,
-  });
-}
-
-/**
- * Fetch the entity statement document for a given federation entity.
- *
- * @param federationFetchEndpoint The exact endpoint provided by the parent EC's metadata.
- * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity.
- * @param appFetch An optional instance of the http client to be used.
- * @returns The signed entity statement token.
- * @throws {IoWalletError} If the http request fails.
- */
-export async function getSignedEntityStatement(
-  federationFetchEndpoint: string,
-  subordinatedEntityBaseUrl: string,
-  {
-    appFetch = fetch,
-  }: {
-    appFetch?: GlobalFetch["fetch"];
-  } = {}
-) {
-  const url = new URL(federationFetchEndpoint);
-  url.searchParams.set("sub", subordinatedEntityBaseUrl);
-
-  return await appFetch(url.toString(), {
-    method: "GET",
-  })
-    .then(hasStatusOrThrow(200))
-    .then((res) => res.text());
-}
-
-/**
- * Fetch the federation list document from a given endpoint.
- *
- * @param federationListEndpoint The URL of the federation list endpoint.
- * @param appFetch An optional instance of the http client to be used.
- * @returns The federation list as an array of strings.
- * @throws {IoWalletError} If the HTTP request fails.
- * @throws {FederationError} If the result is not in the expected format.
- */
-export async function getFederationList(
-  federationListEndpoint: string,
-  {
-    appFetch = fetch,
-  }: {
-    appFetch?: GlobalFetch["fetch"];
-  } = {}
-): Promise<string[]> {
-  return await appFetch(federationListEndpoint, {
-    method: "GET",
-  })
-    .then(hasStatusOrThrow(200))
-    .then((res) => res.json())
-    .then((json) => {
-      const result = FederationListResponse.safeParse(json);
-      if (!result.success) {
-        throw new FederationListParseError(
-          `Invalid federation list format received from ${federationListEndpoint}. Error: ${result.error.message}`,
-          { url: federationListEndpoint, parseError: result.error.toString() }
-        );
-      }
-      return result.data;
-    });
-}
-
-/**
- * Build a not-verified trust chain for a given Relying Party (RP) entity.
- *
- * @param relyingPartyEntityBaseUrl The base URL of the RP entity
- * @param trustAnchorKey The public key of the Trust Anchor (TA) entity
- * @param appFetch An optional instance of the http client to be used.
- * @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
- * @throws {FederationError} When an element of the chain fails to parse or other build steps fail.
- */
-export async function buildTrustChain(
-  relyingPartyEntityBaseUrl: string,
-  trustAnchorKey: JWK,
-  appFetch: GlobalFetch["fetch"] = fetch
-): Promise<string[]> {
-  // 1: Recursively gather the trust chain from the RP up to the Trust Anchor
-  const trustChain = await gatherTrustChain(
-    relyingPartyEntityBaseUrl,
-    appFetch
-  );
-
-  // 2: Trust Anchor signature verification
-  const trustAnchorJwt = trustChain[trustChain.length - 1];
-  if (!trustAnchorJwt) {
-    throw new BuildTrustChainError(
-      "Cannot verify trust anchor: missing entity configuration in gathered chain.",
-      { relyingPartyUrl: relyingPartyEntityBaseUrl }
-    );
-  }
-
-  if (!trustAnchorKey.kid) {
-    throw new TrustAnchorKidMissingError();
-  }
-
-  await verify(trustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
-
-  // 3: Check the federation list
-  const trustAnchorConfig = EntityConfiguration.parse(decode(trustAnchorJwt));
-  const federationListEndpoint =
-    trustAnchorConfig.payload.metadata.federation_entity
-      .federation_list_endpoint;
-
-  if (federationListEndpoint) {
-    const federationList = await getFederationList(federationListEndpoint, {
-      appFetch,
-    });
-
-    if (!federationList.includes(relyingPartyEntityBaseUrl)) {
-      throw new RelyingPartyNotAuthorizedError(
-        "Relying Party entity base URL is not authorized by the Trust Anchor's federation list.",
-        { relyingPartyUrl: relyingPartyEntityBaseUrl, federationListEndpoint }
-      );
-    }
-  }
-
-  return trustChain;
-}
-
-/**
- * Recursively gather the trust chain for an entity and all its superiors.
- * @param entityBaseUrl The base URL of the entity for which to gather the chain.
- * @param appFetch An optional instance of the http client to be used.
- * @param isLeaf Whether the current entity is the leaf of the chain.
- * @returns A full ordered list of JWTs (ECs and ESs) forming the trust chain.
- * @throws {FederationError} If any of the fetched documents fail to parse or other errors occur during the gathering process.
- */
-async function gatherTrustChain(
-  entityBaseUrl: string,
-  appFetch: GlobalFetch["fetch"],
-  isLeaf: boolean = true
-): Promise<string[]> {
-  const chain: string[] = [];
-
-  // Fetch self-signed EC (only needed for the leaf)
-  const entityECJwt = await getSignedEntityConfiguration(entityBaseUrl, {
-    appFetch,
-  });
-  const entityEC = EntityConfiguration.parse(decode(entityECJwt));
-
-  if (isLeaf) {
-    // Only push EC for the leaf
-    chain.push(entityECJwt);
-  }
-
-  // Find authority_hints (parent, if any)
-  const authorityHints = entityEC.payload.authority_hints ?? [];
-  if (authorityHints.length === 0) {
-    // This is the Trust Anchor (no parent)
-    if (!isLeaf) {
-      chain.push(entityECJwt);
-    }
-    return chain;
-  }
-
-  const parentEntityBaseUrl = authorityHints[0]!;
-
-  // Fetch parent EC
-  const parentECJwt = await getSignedEntityConfiguration(parentEntityBaseUrl, {
-    appFetch,
-  });
-  const parentEC = EntityConfiguration.parse(decode(parentECJwt));
-
-  // Fetch ES
-  const federationFetchEndpoint =
-    parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
-  if (!federationFetchEndpoint) {
-    throw new MissingFederationFetchEndpointError(
-      `Missing federation_fetch_endpoint in parent's (${parentEntityBaseUrl}) configuration when gathering chain for ${entityBaseUrl}.`,
-      { entityBaseUrl, missingInEntityUrl: parentEntityBaseUrl }
-    );
-  }
-
-  const entityStatementJwt = await getSignedEntityStatement(
-    federationFetchEndpoint,
-    entityBaseUrl,
-    { appFetch }
-  );
-  // Validate the ES
-  EntityStatement.parse(decode(entityStatementJwt));
-
-  // Push this ES into the chain
-  chain.push(entityStatementJwt);
-
-  // Recurse into the parent
-  const parentChain = await gatherTrustChain(
-    parentEntityBaseUrl,
-    appFetch,
-    false
-  );
-
-  return chain.concat(parentChain);
-}
+export { Build, Verify, Errors, Types };

package/src/trust/utils.ts

@@ -4,6 +4,8 @@ import {
 } from "@pagopa/io-react-native-jwt";
 
 import type { JWK, JWTDecodeResult } from "../utils/jwk";
+import { FederationError } from "./errors";
+import type { TrustAnchorEntityConfiguration } from "./types";
 
 export type ParsedToken = {
   header: JWTDecodeResult["protectedHeader"];
@@ -33,3 +35,36 @@ export const decode = (token: string): ParsedToken => {
   const { protectedHeader: header, payload } = decodeJwt(token);
   return { header, payload };
 };
+
+/**
+ * Extracts the X.509 Trust Anchor certificate (Base64 encoded) from the
+ * Trust Anchor's Entity Configuration.
+ *
+ * @param trustAnchorEntity The entity configuration of the known trust anchor.
+ * @returns The Base64 encoded X.509 certificate string.
+ * @throws {FederationError} If the certificate cannot be derived.
+ */
+export function getTrustAnchorX509Certificate(
+  trustAnchorEntity: TrustAnchorEntityConfiguration
+): string {
+  const taHeaderKid = trustAnchorEntity.header.kid;
+  const taSigningJwk = trustAnchorEntity.payload.jwks.keys.find(
+    (key) => key.kid === taHeaderKid
+  );
+
+  if (!taSigningJwk) {
+    throw new FederationError(
+      `Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' not found in Trust Anchor's JWKS.`,
+      { trustAnchorKid: taHeaderKid, reason: "JWK not found for header kid" }
+    );
+  }
+
+  if (taSigningJwk.x5c && taSigningJwk.x5c.length > 0 && taSigningJwk.x5c[0]) {
+    return taSigningJwk.x5c[0];
+  }
+
+  throw new FederationError(
+    `Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' does not contain a valid 'x5c' certificate array.`,
+    { trustAnchorKid: taHeaderKid, reason: "Missing or empty x5c in JWK" }
+  );
+}

package/src/trust/{chain.ts → verify-chain.ts}

@@ -5,14 +5,30 @@ import {
 } from "./types";
 import { JWK } from "../utils/jwk";
 import * as z from "zod";
-import { getSignedEntityConfiguration, getSignedEntityStatement } from ".";
-import { decode, type ParsedToken, verify } from "./utils";
 import {
+  decode,
+  getTrustAnchorX509Certificate,
+  type ParsedToken,
+  verify,
+} from "./utils";
+import {
+  FederationError,
   MissingFederationFetchEndpointError,
+  MissingX509CertsError,
   TrustChainEmptyError,
   TrustChainRenewalError,
   TrustChainTokenMissingError,
+  X509ValidationError,
 } from "./errors";
+import {
+  type CertificateValidationResult,
+  verifyCertificateChain,
+  type X509CertificateOptions,
+} from "@pagopa/io-react-native-crypto";
+import {
+  getSignedEntityConfiguration,
+  getSignedEntityStatement,
+} from "./build-chain";
 
 // The first element of the chain is supposed to be the Entity Configuration for the document issuer
 const FirstElementShape = EntityConfiguration;
@@ -26,16 +42,18 @@ const LastElementShape = z.union([
 ]);
 
 /**
- * Validates a provided trust chain against a known trust
+ * Validates a provided trust chain against a known trust anchor, including X.509 certificate checks.
  *
- * @param trustAnchorEntity The entity configuration of the known trust anchor
- * @param chain The chain of statements to be validated
- * @returns The list of parsed token representing the chain
- * @throws {FederationError} If the chain is not valid
+ * @param trustAnchorEntity The entity configuration of the known trust anchor (for JWT validation).
+ * @param chain The chain of statements to be validated.
+ * @param x509Options Options for X.509 certificate validation.
+ * @returns The list of parsed tokens representing the chain.
+ * @throws {FederationError} If the chain is not valid (JWT or X.509). Specific errors like TrustChainEmptyError, X509ValidationError may be thrown.
  */
 export async function validateTrustChain(
   trustAnchorEntity: TrustAnchorEntityConfiguration,
-  chain: string[]
+  chain: string[],
+  x509Options: X509CertificateOptions
 ): Promise<ParsedToken[]> {
   // If the chain is empty, fail
   if (chain.length === 0) {
@@ -50,7 +68,7 @@ export async function validateTrustChain(
         ? LastElementShape
         : MiddleElementShape;
 
-  // select the kid from the current index
+  // Select the kid from the current index
   const selectKid = (currentIndex: number): string => {
     const token = chain[currentIndex];
     if (!token) {
@@ -63,8 +81,8 @@ export async function validateTrustChain(
     return shape.parse(decode(token)).header.kid;
   };
 
-  // select keys from the next token
-  // if the current token is the last, keys from trust anchor will be used
+  // Select keys from the next token
+  // If the current token is the last, keys from trust anchor will be used
   const selectKeys = (currentIndex: number): JWK[] => {
     if (currentIndex === chain.length - 1) {
       return trustAnchorEntity.payload.jwks.keys;
@@ -82,13 +100,74 @@ export async function validateTrustChain(
     return shape.parse(decode(nextToken)).payload.jwks.keys;
   };
 
+  const x509TrustAnchorCertBase64 =
+    getTrustAnchorX509Certificate(trustAnchorEntity);
+
   // Iterate the chain and validate each element's signature against the public keys of its next
   // If there is no next, hence it's the end of the chain, and it must be verified by the Trust Anchor
-  return Promise.all(
-    chain
-      .map((token, i) => [token, selectKid(i), selectKeys(i)] as const)
-      .map((args) => verify(...args))
-  );
+  const validationPromises = chain.map(async (tokenString, i) => {
+    const kidFromTokenHeader = selectKid(i);
+    const signerJwks = selectKeys(i);
+
+    // Step 1: Verify JWT signature
+    const parsedToken = await verify(
+      tokenString,
+      kidFromTokenHeader,
+      signerJwks
+    );
+
+    // Step 2: X.509 Certificate Chain Validation
+    const jwkUsedForVerification = signerJwks.find(
+      (k) => k.kid === kidFromTokenHeader
+    );
+
+    if (!jwkUsedForVerification) {
+      throw new FederationError(
+        `JWK with kid '${kidFromTokenHeader}' was not found in signer's JWKS for token at index ${i}, though JWT verification passed.`,
+        { tokenIndex: i, kid: kidFromTokenHeader }
+      );
+    }
+
+    if (
+      !jwkUsedForVerification.x5c ||
+      jwkUsedForVerification.x5c.length === 0
+    ) {
+      throw new MissingX509CertsError(
+        `JWK with kid '${kidFromTokenHeader}' does not contain an X.509 certificate chain (x5c) for token at index ${i}.`
+      );
+    }
+
+    // If the chain has more than one certificate AND
+    // the last certificate in the x5c chain is the same as the trust anchor,
+    // remove the anchor from the chain being passed, as it's supplied separately.
+    const certChainBase64 =
+      jwkUsedForVerification.x5c.length > 1 &&
+      jwkUsedForVerification.x5c.at(-1) === x509TrustAnchorCertBase64
+        ? jwkUsedForVerification.x5c.slice(0, -1)
+        : jwkUsedForVerification.x5c;
+
+    const x509ValidationResult: CertificateValidationResult =
+      await verifyCertificateChain(
+        certChainBase64,
+        x509TrustAnchorCertBase64,
+        x509Options
+      );
+
+    if (!x509ValidationResult.isValid) {
+      throw new X509ValidationError(
+        `X.509 certificate chain validation failed for token at index ${i} (kid: ${kidFromTokenHeader}). Status: ${x509ValidationResult.validationStatus}. Error: ${x509ValidationResult.errorMessage}`,
+        {
+          tokenIndex: i,
+          kid: kidFromTokenHeader,
+          x509ValidationStatus: x509ValidationResult.validationStatus,
+          x509ErrorMessage: x509ValidationResult.errorMessage,
+        }
+      );
+    }
+    return parsedToken;
+  });
+
+  return Promise.all(validationPromises);
 }
 
 /**
@@ -149,3 +228,40 @@ export async function renewTrustChain(
     })
   );
 }
+
+/**
+ * Verify a given trust chain is actually valid.
+ * It can handle fast chain renewal, which means we try to fetch a fresh version of each statement.
+ *
+ * @param trustAnchorEntity The entity configuration of the known trust anchor
+ * @param chain The chain of statements to be validated
+ * @param x509Options Options for the verification process
+ * @param appFetch (optional) fetch api implementation
+ * @param renewOnFail Whether to attempt to renew the trust chain if the initial validation fails
+ * @returns The result of the chain validation
+ * @throws {FederationError} If the chain is not valid
+ */
+export async function verifyTrustChain(
+  trustAnchorEntity: TrustAnchorEntityConfiguration,
+  chain: string[],
+  x509Options: X509CertificateOptions = {
+    connectTimeout: 10000,
+    readTimeout: 10000,
+    requireCrl: true,
+  },
+  {
+    appFetch = fetch,
+    renewOnFail = true,
+  }: { appFetch?: GlobalFetch["fetch"]; renewOnFail?: boolean } = {}
+): Promise<ReturnType<typeof validateTrustChain>> {
+  try {
+    return validateTrustChain(trustAnchorEntity, chain, x509Options);
+  } catch (error) {
+    if (renewOnFail) {
+      const renewedChain = await renewTrustChain(chain, appFetch);
+      return validateTrustChain(trustAnchorEntity, renewedChain, x509Options);
+    } else {
+      throw error;
+    }
+  }
+}

package/src/utils/errors.ts

@@ -1,13 +1,13 @@
 import type { ProblemDetail } from "../client/generated/wallet-provider";
-import type { CredentialIssuerEntityConfiguration } from "../trust";
 import {
+  type IssuerResponseErrorCode,
   IssuerResponseErrorCodes,
-  WalletProviderResponseErrorCodes,
+  type RelyingPartyResponseErrorCode,
   RelyingPartyResponseErrorCodes,
-  type IssuerResponseErrorCode,
   type WalletProviderResponseErrorCode,
-  type RelyingPartyResponseErrorCode,
+  WalletProviderResponseErrorCodes,
 } from "./error-codes";
+import type { CredentialIssuerEntityConfiguration } from "../trust/types";
 
 export {
   IssuerResponseErrorCodes,