@pagopa/io-react-native-wallet 2.0.0-next.1 → 2.0.0-next.2

package/lib/typescript/trust/{chain.d.ts → verify-chain.d.ts}

@@ -20,4 +20,20 @@ export declare function validateTrustChain(trustAnchorEntity: TrustAnchorEntityC
  * @throws {FederationError} If the chain is not valid
  */
 export declare function renewTrustChain(chain: string[], appFetch?: GlobalFetch["fetch"]): Promise<string[]>;
-//# sourceMappingURL=chain.d.ts.map
+/**
+ * Verify a given trust chain is actually valid.
+ * It can handle fast chain renewal, which means we try to fetch a fresh version of each statement.
+ *
+ * @param trustAnchorEntity The entity configuration of the known trust anchor
+ * @param chain The chain of statements to be validated
+ * @param x509Options Options for the verification process
+ * @param appFetch (optional) fetch api implementation
+ * @param renewOnFail Whether to attempt to renew the trust chain if the initial validation fails
+ * @returns The result of the chain validation
+ * @throws {FederationError} If the chain is not valid
+ */
+export declare function verifyTrustChain(trustAnchorEntity: TrustAnchorEntityConfiguration, chain: string[], x509Options?: X509CertificateOptions, { appFetch, renewOnFail, }?: {
+    appFetch?: GlobalFetch["fetch"];
+    renewOnFail?: boolean;
+}): Promise<ReturnType<typeof validateTrustChain>>;
+//# sourceMappingURL=verify-chain.d.ts.map

package/lib/typescript/trust/verify-chain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-chain.d.ts","sourceRoot":"","sources":["../../../src/trust/verify-chain.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,8BAA8B,EAC/B,MAAM,SAAS,CAAC;AAGjB,OAAO,EAGL,KAAK,WAAW,EAEjB,MAAM,SAAS,CAAC;AAUjB,OAAO,EAGL,KAAK,sBAAsB,EAC5B,MAAM,gCAAgC,CAAC;AAiBxC;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,iBAAiB,EAAE,8BAA8B,EACjD,KAAK,EAAE,MAAM,EAAE,EACf,WAAW,EAAE,sBAAsB,GAClC,OAAO,CAAC,WAAW,EAAE,CAAC,CAkHxB;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EAAE,EACf,QAAQ,GAAE,WAAW,CAAC,OAAO,CAAS,GACrC,OAAO,CAAC,MAAM,EAAE,CAAC,CA8CnB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,gBAAgB,CACpC,iBAAiB,EAAE,8BAA8B,EACjD,KAAK,EAAE,MAAM,EAAE,EACf,WAAW,GAAE,sBAIZ,EACD,EACE,QAAgB,EAChB,WAAkB,GACnB,GAAE;IAAE,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;IAAC,WAAW,CAAC,EAAE,OAAO,CAAA;CAAO,GACjE,OAAO,CAAC,UAAU,CAAC,OAAO,kBAAkB,CAAC,CAAC,CAWhD"}

package/lib/typescript/utils/errors.d.ts

@@ -1,6 +1,6 @@
 import type { ProblemDetail } from "../client/generated/wallet-provider";
-import type { CredentialIssuerEntityConfiguration } from "../trust";
-import { IssuerResponseErrorCodes, WalletProviderResponseErrorCodes, RelyingPartyResponseErrorCodes, type IssuerResponseErrorCode, type WalletProviderResponseErrorCode, type RelyingPartyResponseErrorCode } from "./error-codes";
+import { type IssuerResponseErrorCode, IssuerResponseErrorCodes, type RelyingPartyResponseErrorCode, RelyingPartyResponseErrorCodes, type WalletProviderResponseErrorCode, WalletProviderResponseErrorCodes } from "./error-codes";
+import type { CredentialIssuerEntityConfiguration } from "../trust/types";
 export { IssuerResponseErrorCodes, WalletProviderResponseErrorCodes, RelyingPartyResponseErrorCodes, };
 type GenericErrorReason = string | Record<string, unknown>;
 /**

package/lib/typescript/utils/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/utils/errors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzE,OAAO,KAAK,EAAE,mCAAmC,EAAE,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,wBAAwB,EACxB,gCAAgC,EAChC,8BAA8B,EAC9B,KAAK,uBAAuB,EAC5B,KAAK,+BAA+B,EACpC,KAAK,6BAA6B,EACnC,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,wBAAwB,EACxB,gCAAgC,EAChC,8BAA8B,GAC/B,CAAC;AAGF,KAAK,kBAAkB,GAAG,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE3D;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,UAClB,OAAO,MAAM,EAAE,kBAAkB,GAAG,MAAM,GAAG,MAAM,MAAM,CAAC,GAAG,SAAS,CAAC,KAC7E,MASW,CAAC;AAEf;;;;;;;;;;GAUG;AACH,qBAAa,aAAc,SAAQ,KAAK;IACtC,6DAA6D;IAC7D,IAAI,EAAE,MAAM,CAA2B;gBAE3B,OAAO,CAAC,EAAE,MAAM;CAI7B;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,aAAa;IACjD,IAAI,SAAqC;IAEzC,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IAEd,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;gBAEH,EACV,OAAO,EACP,KAAqB,EACrB,MAAsB,GACvB,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;CAKF;AAED;;GAEG;AACH,qBAAa,yBAA0B,SAAQ,aAAa;IAC1D,IAAI,EAAE,MAAM,CAAgC;IAC5C,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,kBAAkB,CAAC;gBAEf,EACV,OAAO,EACP,MAAM,EACN,UAAU,GACX,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,kBAAkB,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC;KACpB;CAKF;AAED;;;GAGG;AACH,qBAAa,mBAAoB,SAAQ,yBAAyB;IAChE,IAAI,EAAE,uBAAuB,CAAC;gBAElB,MAAM,EAAE;QAClB,IAAI,CAAC,EAAE,uBAAuB,CAAC;QAC/B,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,kBAAkB,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC;KACpB;CAIF;AAED;;;GAGG;AACH,qBAAa,2BAA4B,SAAQ,yBAAyB;IACxE,IAAI,EAAE,+BAA+B,CAAC;IACtC,MAAM,EAAE,aAAa,CAAC;gBAEV,MAAM,EAAE;QAClB,IAAI,CAAC,EAAE,+BAA+B,CAAC;QACvC,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,aAAa,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;KACpB;CAOF;AAED;;;GAGG;AACH,qBAAa,yBAA0B,SAAQ,yBAAyB;IACtE,IAAI,EAAE,6BAA6B,CAAC;gBAExB,MAAM,EAAE;QAClB,IAAI,CAAC,EAAE,6BAA6B,CAAC;QACrC,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,kBAAkB,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC;KACpB;CAKF;AAED,KAAK,sBAAsB,GAAG;IAC5B,CAAC,MAAM,EAAE,MAAM,GAAG;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,CAAC;AAEF;;;;;;;GAOG;AACH,wBAAgB,iCAAiC,CAC/C,SAAS,EAAE,MAAM,EACjB,EACE,UAAU,EACV,cAAc,GACf,EAAE;IACD,UAAU,EAAE,mCAAmC,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC,CAAC;IACvE,cAAc,EAAE,MAAM,CAAC;CACxB,GACA,sBAAsB,GAAG,SAAS,CAwBpC;AAaD,eAAO,MAAM,qBAAqB,UAHxB,OAAO,6EAG2D,CAAC;AAC7E,eAAO,MAAM,6BAA6B,UAJhC,OAAO,6FAMhB,CAAC;AACF,eAAO,MAAM,2BAA2B,UAP9B,OAAO,yFAShB,CAAC;AAGF,KAAK,YAAY,GACb;IACE,IAAI,EAAE,OAAO,mBAAmB,CAAC;IACjC,IAAI,EAAE,uBAAuB,CAAC;CAC/B,GACD;IACE,IAAI,EAAE,OAAO,2BAA2B,CAAC;IACzC,IAAI,EAAE,+BAA+B,CAAC;CACvC,GACD;IACE,IAAI,EAAE,OAAO,yBAAyB,CAAC;IACvC,IAAI,EAAE,6BAA6B,CAAC;CACrC,CAAC;AAEN,KAAK,gBAAgB,CAAC,CAAC,IAAI,OAAO,CAAC,YAAY,EAAE;IAAE,IAAI,EAAE,CAAC,CAAA;CAAE,CAAC,CAAC,MAAM,CAAC,CAAC;AAEtE,KAAK,SAAS,CAAC,CAAC,IAAI;IAClB,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,qBAAa,oBAAoB,CAAC,CAAC,SAAS,OAAO,yBAAyB;IAK9D,OAAO,CAAC,UAAU;IAJ9B,OAAO,CAAC,UAAU,CAEX;gBAEa,UAAU,EAAE,CAAC;IAEjC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;IAKjD,SAAS,CAAC,aAAa,EAAE,yBAAyB;CAUnD"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/utils/errors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAC;AACzE,OAAO,EACL,KAAK,uBAAuB,EAC5B,wBAAwB,EACxB,KAAK,6BAA6B,EAClC,8BAA8B,EAC9B,KAAK,+BAA+B,EACpC,gCAAgC,EACjC,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,mCAAmC,EAAE,MAAM,gBAAgB,CAAC;AAE1E,OAAO,EACL,wBAAwB,EACxB,gCAAgC,EAChC,8BAA8B,GAC/B,CAAC;AAGF,KAAK,kBAAkB,GAAG,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE3D;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,UAClB,OAAO,MAAM,EAAE,kBAAkB,GAAG,MAAM,GAAG,MAAM,MAAM,CAAC,GAAG,SAAS,CAAC,KAC7E,MASW,CAAC;AAEf;;;;;;;;;;GAUG;AACH,qBAAa,aAAc,SAAQ,KAAK;IACtC,6DAA6D;IAC7D,IAAI,EAAE,MAAM,CAA2B;gBAE3B,OAAO,CAAC,EAAE,MAAM;CAI7B;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,aAAa;IACjD,IAAI,SAAqC;IAEzC,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IAEd,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;gBAEH,EACV,OAAO,EACP,KAAqB,EACrB,MAAsB,GACvB,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;CAKF;AAED;;GAEG;AACH,qBAAa,yBAA0B,SAAQ,aAAa;IAC1D,IAAI,EAAE,MAAM,CAAgC;IAC5C,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,kBAAkB,CAAC;gBAEf,EACV,OAAO,EACP,MAAM,EACN,UAAU,GACX,EAAE;QACD,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,kBAAkB,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC;KACpB;CAKF;AAED;;;GAGG;AACH,qBAAa,mBAAoB,SAAQ,yBAAyB;IAChE,IAAI,EAAE,uBAAuB,CAAC;gBAElB,MAAM,EAAE;QAClB,IAAI,CAAC,EAAE,uBAAuB,CAAC;QAC/B,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,kBAAkB,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC;KACpB;CAIF;AAED;;;GAGG;AACH,qBAAa,2BAA4B,SAAQ,yBAAyB;IACxE,IAAI,EAAE,+BAA+B,CAAC;IACtC,MAAM,EAAE,aAAa,CAAC;gBAEV,MAAM,EAAE;QAClB,IAAI,CAAC,EAAE,+BAA+B,CAAC;QACvC,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,aAAa,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;KACpB;CAOF;AAED;;;GAGG;AACH,qBAAa,yBAA0B,SAAQ,yBAAyB;IACtE,IAAI,EAAE,6BAA6B,CAAC;gBAExB,MAAM,EAAE;QAClB,IAAI,CAAC,EAAE,6BAA6B,CAAC;QACrC,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,kBAAkB,CAAC;QAC3B,UAAU,EAAE,MAAM,CAAC;KACpB;CAKF;AAED,KAAK,sBAAsB,GAAG;IAC5B,CAAC,MAAM,EAAE,MAAM,GAAG;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,CAAC;AAEF;;;;;;;GAOG;AACH,wBAAgB,iCAAiC,CAC/C,SAAS,EAAE,MAAM,EACjB,EACE,UAAU,EACV,cAAc,GACf,EAAE;IACD,UAAU,EAAE,mCAAmC,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC,CAAC;IACvE,cAAc,EAAE,MAAM,CAAC;CACxB,GACA,sBAAsB,GAAG,SAAS,CAwBpC;AAaD,eAAO,MAAM,qBAAqB,UAHxB,OAAO,6EAG2D,CAAC;AAC7E,eAAO,MAAM,6BAA6B,UAJhC,OAAO,6FAMhB,CAAC;AACF,eAAO,MAAM,2BAA2B,UAP9B,OAAO,yFAShB,CAAC;AAGF,KAAK,YAAY,GACb;IACE,IAAI,EAAE,OAAO,mBAAmB,CAAC;IACjC,IAAI,EAAE,uBAAuB,CAAC;CAC/B,GACD;IACE,IAAI,EAAE,OAAO,2BAA2B,CAAC;IACzC,IAAI,EAAE,+BAA+B,CAAC;CACvC,GACD;IACE,IAAI,EAAE,OAAO,yBAAyB,CAAC;IACvC,IAAI,EAAE,6BAA6B,CAAC;CACrC,CAAC;AAEN,KAAK,gBAAgB,CAAC,CAAC,IAAI,OAAO,CAAC,YAAY,EAAE;IAAE,IAAI,EAAE,CAAC,CAAA;CAAE,CAAC,CAAC,MAAM,CAAC,CAAC;AAEtE,KAAK,SAAS,CAAC,CAAC,IAAI;IAClB,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,qBAAa,oBAAoB,CAAC,CAAC,SAAS,OAAO,yBAAyB;IAK9D,OAAO,CAAC,UAAU;IAJ9B,OAAO,CAAC,UAAU,CAEX;gBAEa,UAAU,EAAE,CAAC;IAEjC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;IAKjD,SAAS,CAAC,aAAa,EAAE,yBAAyB;CAUnD"}

package/lib/typescript/wallet-instance-attestation/types.d.ts

@@ -695,21 +695,21 @@ export declare const WalletAttestationResponse: z.ZodObject<{
         wallet_attestation: z.ZodString;
         format: z.ZodEnum<["jwt", "dc+sd-jwt", "mso_mdoc"]>;
     }, "strip", z.ZodTypeAny, {
-        wallet_attestation: string;
         format: "jwt" | "dc+sd-jwt" | "mso_mdoc";
-    }, {
         wallet_attestation: string;
+    }, {
         format: "jwt" | "dc+sd-jwt" | "mso_mdoc";
+        wallet_attestation: string;
     }>, "many">;
 }, "strip", z.ZodTypeAny, {
     wallet_attestations: {
-        wallet_attestation: string;
         format: "jwt" | "dc+sd-jwt" | "mso_mdoc";
+        wallet_attestation: string;
     }[];
 }, {
     wallet_attestations: {
-        wallet_attestation: string;
         format: "jwt" | "dc+sd-jwt" | "mso_mdoc";
+        wallet_attestation: string;
     }[];
 }>;
 //# sourceMappingURL=types.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "2.0.0-next.1",
+  "version": "2.0.0-next.2",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",

package/src/credential/issuance/02-evaluate-issuer-trust.ts

@@ -1,7 +1,7 @@
-import { getCredentialIssuerEntityConfiguration } from "../../trust";
 import { CredentialIssuerEntityConfiguration } from "../../trust/types";
 import type { StartFlow } from "./01-start-flow";
 import type { Out } from "../../utils/misc";
+import { getCredentialIssuerEntityConfiguration } from "../../trust/build-chain";
 
 export type EvaluateIssuerTrust = (
   issuerUrl: Out<StartFlow>["issuerUrl"],

package/src/credential/presentation/02-evaluate-rp-trust.ts

@@ -1,7 +1,7 @@
-import { getRelyingPartyEntityConfiguration } from "../../trust";
 import { RelyingPartyEntityConfiguration } from "../../trust/types";
 import type { StartFlow } from "../issuance/01-start-flow";
 import type { Out } from "../../utils/misc";
+import { getRelyingPartyEntityConfiguration } from "../../trust/build-chain";
 
 export type EvaluateRelyingPartyTrust = (
   rpUrl: Out<StartFlow>["issuerUrl"],

package/src/credential/presentation/05-verify-request-object.ts

@@ -1,8 +1,8 @@
 import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
-import type { RelyingPartyEntityConfiguration } from "../../trust";
 import { InvalidRequestObjectError } from "./errors";
 import { RequestObject } from "./types";
 import { getJwksFromConfig } from "./04-retrieve-rp-jwks";
+import type { RelyingPartyEntityConfiguration } from "../../trust/types";
 
 export type VerifyRequestObject = (
   requestObjectEncodedJwt: string,

package/src/credential/presentation/08-send-authorization-response.ts

@@ -1,24 +1,24 @@
 import { EncryptJwe } from "@pagopa/io-react-native-jwt";
 import uuid from "react-native-uuid";
-import { getJwksFromConfig, type FetchJwks } from "./04-retrieve-rp-jwks";
+import { type FetchJwks, getJwksFromConfig } from "./04-retrieve-rp-jwks";
 import type { VerifyRequestObject } from "./05-verify-request-object";
 import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import {
-  type RemotePresentation,
   DirectAuthorizationBodyPayload,
   ErrorResponse,
   type LegacyRemotePresentation,
+  type RemotePresentation,
 } from "./types";
 import * as z from "zod";
 import type { JWK } from "../../utils/jwk";
-import type { RelyingPartyEntityConfiguration } from "../../trust";
 import {
   RelyingPartyResponseError,
+  RelyingPartyResponseErrorCodes,
   ResponseErrorBuilder,
   UnexpectedStatusCodeError,
-  RelyingPartyResponseErrorCodes,
 } from "../../utils/errors";
+import type { RelyingPartyEntityConfiguration } from "../../trust/types";
 
 export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
 export const AuthorizationResponse = z.object({

package/src/trust/build-chain.ts

@@ -0,0 +1,395 @@
+import type { JWK } from "../utils/jwk";
+import {
+  BuildTrustChainError,
+  FederationListParseError,
+  MissingFederationFetchEndpointError,
+  RelyingPartyNotAuthorizedError,
+  TrustAnchorKidMissingError,
+} from "./errors";
+import { decode, verify } from "./utils";
+import {
+  CredentialIssuerEntityConfiguration,
+  EntityConfiguration,
+  EntityStatement,
+  FederationListResponse,
+  RelyingPartyEntityConfiguration,
+  TrustAnchorEntityConfiguration,
+  WalletProviderEntityConfiguration,
+} from "./types";
+import { hasStatusOrThrow } from "../utils/misc";
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+
+/**
+ * Fetch and parse the entity configuration document for a given federation entity.
+ * This is an inner method to serve public interfaces.
+ *
+ * To add another entity configuration type (example: Foo entity type):
+ *  - create its zod schema and type by inherit from the base type (example: FooEntityConfiguration = BaseEntityConfiguration.and(...))
+ *  - add such type to EntityConfiguration union
+ *  - add an overload to this function
+ *  - create a public function which use such type (example: getFooEntityConfiguration = (url, options) => Promise<FooEntityConfiguration>)
+ *
+ * @param entityBaseUrl The base url of the entity.
+ * @param schema The expected schema of the entity configuration, according to the kind of entity we are fetching from.
+ * @param options An optional object with additional options.
+ * @param options.appFetch An optional instance of the http client to be used.
+ * @returns The parsed entity configuration object
+ * @throws {IoWalletError} If the http request fails
+ * @throws Parse error if the document is not in the expected shape.
+ */
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof WalletProviderEntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<WalletProviderEntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof RelyingPartyEntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<RelyingPartyEntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof TrustAnchorEntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<TrustAnchorEntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof CredentialIssuerEntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<CredentialIssuerEntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: typeof EntityConfiguration,
+  options?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+): Promise<EntityConfiguration>;
+async function fetchAndParseEntityConfiguration(
+  entityBaseUrl: string,
+  schema: /* FIXME: why is it different from "typeof EntityConfiguration"? */
+  | typeof CredentialIssuerEntityConfiguration
+    | typeof WalletProviderEntityConfiguration
+    | typeof RelyingPartyEntityConfiguration
+    | typeof TrustAnchorEntityConfiguration
+    | typeof EntityConfiguration,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+) {
+  const responseText = await getSignedEntityConfiguration(entityBaseUrl, {
+    appFetch,
+  });
+
+  const responseJwt = decodeJwt(responseText);
+  return schema.parse({
+    header: responseJwt.protectedHeader,
+    payload: responseJwt.payload,
+  });
+}
+
+export const getWalletProviderEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(
+    entityBaseUrl,
+    WalletProviderEntityConfiguration,
+    options
+  );
+
+export const getCredentialIssuerEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(
+    entityBaseUrl,
+    CredentialIssuerEntityConfiguration,
+    options
+  );
+
+export const getTrustAnchorEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(
+    entityBaseUrl,
+    TrustAnchorEntityConfiguration,
+    options
+  );
+
+export const getRelyingPartyEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(
+    entityBaseUrl,
+    RelyingPartyEntityConfiguration,
+    options
+  );
+
+export const getEntityConfiguration = (
+  entityBaseUrl: Parameters<typeof fetchAndParseEntityConfiguration>[0],
+  options?: Parameters<typeof fetchAndParseEntityConfiguration>[2]
+) =>
+  fetchAndParseEntityConfiguration(entityBaseUrl, EntityConfiguration, options);
+
+/**
+ * Fetch and parse the entity statement document for a given federation entity.
+ *
+ * @param accreditationBodyBaseUrl The base url of the accreditation body which holds and signs the required entity statement
+ * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The parsed entity configuration object
+ * @throws {IoWalletError} If the http request fails
+ */
+export async function getEntityStatement(
+  accreditationBodyBaseUrl: string,
+  subordinatedEntityBaseUrl: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+) {
+  const responseText = await getSignedEntityStatement(
+    accreditationBodyBaseUrl,
+    subordinatedEntityBaseUrl,
+    {
+      appFetch,
+    }
+  );
+
+  const responseJwt = decodeJwt(responseText);
+  return EntityStatement.parse({
+    header: responseJwt.protectedHeader,
+    payload: responseJwt.payload,
+  });
+}
+
+/**
+ * Fetch the signed entity configuration token for an entity
+ *
+ * @param entityBaseUrl The url of the entity to fetch
+ * @param appFetch (optional) fetch api implementation
+ * @returns The signed Entity Configuration token
+ */
+export async function getSignedEntityConfiguration(
+  entityBaseUrl: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<string> {
+  const wellKnownUrl = `${entityBaseUrl}/.well-known/openid-federation`;
+
+  return await appFetch(wellKnownUrl, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.text());
+}
+
+/**
+ * Fetch the entity statement document for a given federation entity.
+ *
+ * @param federationFetchEndpoint The exact endpoint provided by the parent EC's metadata.
+ * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The signed entity statement token.
+ * @throws {IoWalletError} If the http request fails.
+ */
+export async function getSignedEntityStatement(
+  federationFetchEndpoint: string,
+  subordinatedEntityBaseUrl: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+) {
+  const url = new URL(federationFetchEndpoint);
+  url.searchParams.set("sub", subordinatedEntityBaseUrl);
+
+  return await appFetch(url.toString(), {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.text());
+}
+
+/**
+ * Fetch the federation list document from a given endpoint.
+ *
+ * @param federationListEndpoint The URL of the federation list endpoint.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The federation list as an array of strings.
+ * @throws {IoWalletError} If the HTTP request fails.
+ * @throws {FederationError} If the result is not in the expected format.
+ */
+export async function getFederationList(
+  federationListEndpoint: string,
+  {
+    appFetch = fetch,
+  }: {
+    appFetch?: GlobalFetch["fetch"];
+  } = {}
+): Promise<string[]> {
+  return await appFetch(federationListEndpoint, {
+    method: "GET",
+  })
+    .then(hasStatusOrThrow(200))
+    .then((res) => res.json())
+    .then((json) => {
+      const result = FederationListResponse.safeParse(json);
+      if (!result.success) {
+        throw new FederationListParseError(
+          `Invalid federation list format received from ${federationListEndpoint}. Error: ${result.error.message}`,
+          { url: federationListEndpoint, parseError: result.error.toString() }
+        );
+      }
+      return result.data;
+    });
+}
+
+/**
+ * Build a not-verified trust chain for a given Relying Party (RP) entity.
+ *
+ * @param relyingPartyEntityBaseUrl The base URL of the RP entity
+ * @param trustAnchorKey The public key of the Trust Anchor (TA) entity
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
+ * @throws {FederationError} When an element of the chain fails to parse or other build steps fail.
+ */
+export async function buildTrustChain(
+  relyingPartyEntityBaseUrl: string,
+  trustAnchorKey: JWK,
+  appFetch: GlobalFetch["fetch"] = fetch
+): Promise<string[]> {
+  // 1: Recursively gather the trust chain from the RP up to the Trust Anchor
+  const trustChain = await gatherTrustChain(
+    relyingPartyEntityBaseUrl,
+    appFetch
+  );
+
+  // 2: Trust Anchor signature verification
+  const trustAnchorJwt = trustChain[trustChain.length - 1];
+  if (!trustAnchorJwt) {
+    throw new BuildTrustChainError(
+      "Cannot verify trust anchor: missing entity configuration in gathered chain.",
+      { relyingPartyUrl: relyingPartyEntityBaseUrl }
+    );
+  }
+
+  if (!trustAnchorKey.kid) {
+    throw new TrustAnchorKidMissingError();
+  }
+
+  await verify(trustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
+
+  // 3: Check the federation list
+  const trustAnchorConfig = EntityConfiguration.parse(decode(trustAnchorJwt));
+  const federationListEndpoint =
+    trustAnchorConfig.payload.metadata.federation_entity
+      .federation_list_endpoint;
+
+  if (federationListEndpoint) {
+    const federationList = await getFederationList(federationListEndpoint, {
+      appFetch,
+    });
+
+    if (!federationList.includes(relyingPartyEntityBaseUrl)) {
+      throw new RelyingPartyNotAuthorizedError(
+        "Relying Party entity base URL is not authorized by the Trust Anchor's federation list.",
+        { relyingPartyUrl: relyingPartyEntityBaseUrl, federationListEndpoint }
+      );
+    }
+  }
+
+  return trustChain;
+}
+
+/**
+ * Recursively gather the trust chain for an entity and all its superiors.
+ * @param entityBaseUrl The base URL of the entity for which to gather the chain.
+ * @param appFetch An optional instance of the http client to be used.
+ * @param isLeaf Whether the current entity is the leaf of the chain.
+ * @returns A full ordered list of JWTs (ECs and ESs) forming the trust chain.
+ * @throws {FederationError} If any of the fetched documents fail to parse or other errors occur during the gathering process.
+ */
+async function gatherTrustChain(
+  entityBaseUrl: string,
+  appFetch: GlobalFetch["fetch"],
+  isLeaf: boolean = true
+): Promise<string[]> {
+  const chain: string[] = [];
+
+  // Fetch self-signed EC (only needed for the leaf)
+  const entityECJwt = await getSignedEntityConfiguration(entityBaseUrl, {
+    appFetch,
+  });
+  const entityEC = EntityConfiguration.parse(decode(entityECJwt));
+
+  if (isLeaf) {
+    // Only push EC for the leaf
+    chain.push(entityECJwt);
+  }
+
+  // Find authority_hints (parent, if any)
+  const authorityHints = entityEC.payload.authority_hints ?? [];
+  if (authorityHints.length === 0) {
+    // This is the Trust Anchor (no parent)
+    if (!isLeaf) {
+      chain.push(entityECJwt);
+    }
+    return chain;
+  }
+
+  const parentEntityBaseUrl = authorityHints[0]!;
+
+  // Fetch parent EC
+  const parentECJwt = await getSignedEntityConfiguration(parentEntityBaseUrl, {
+    appFetch,
+  });
+  const parentEC = EntityConfiguration.parse(decode(parentECJwt));
+
+  // Fetch ES
+  const federationFetchEndpoint =
+    parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
+  if (!federationFetchEndpoint) {
+    throw new MissingFederationFetchEndpointError(
+      `Missing federation_fetch_endpoint in parent's (${parentEntityBaseUrl}) configuration when gathering chain for ${entityBaseUrl}.`,
+      { entityBaseUrl, missingInEntityUrl: parentEntityBaseUrl }
+    );
+  }
+
+  const entityStatementJwt = await getSignedEntityStatement(
+    federationFetchEndpoint,
+    entityBaseUrl,
+    { appFetch }
+  );
+  // Validate the ES
+  EntityStatement.parse(decode(entityStatementJwt));
+
+  // Push this ES into the chain
+  chain.push(entityStatementJwt);
+
+  // Recurse into the parent
+  const parentChain = await gatherTrustChain(
+    parentEntityBaseUrl,
+    appFetch,
+    false
+  );
+
+  return chain.concat(parentChain);
+}