@pagopa/io-react-native-wallet 2.1.0 → 2.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/commonjs/trust/build-chain.js +22 -19
- package/lib/commonjs/trust/build-chain.js.map +1 -1
- package/lib/module/trust/build-chain.js +22 -19
- package/lib/module/trust/build-chain.js.map +1 -1
- package/lib/typescript/trust/build-chain.d.ts +2 -3
- package/lib/typescript/trust/build-chain.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/trust/build-chain.ts +28 -25
|
@@ -150,30 +150,20 @@ async function getFederationList(federationListEndpoint) {
|
|
|
150
150
|
* Build a not-verified trust chain for a given Relying Party (RP) entity.
|
|
151
151
|
*
|
|
152
152
|
* @param relyingPartyEntityBaseUrl The base URL of the RP entity
|
|
153
|
-
* @param
|
|
153
|
+
* @param trustAnchorConfig The entity configuration of the known trust anchor.
|
|
154
154
|
* @param appFetch An optional instance of the http client to be used.
|
|
155
155
|
* @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
|
|
156
156
|
* @throws {FederationError} When an element of the chain fails to parse or other build steps fail.
|
|
157
157
|
*/
|
|
158
|
-
async function buildTrustChain(relyingPartyEntityBaseUrl,
|
|
158
|
+
async function buildTrustChain(relyingPartyEntityBaseUrl, trustAnchorConfig) {
|
|
159
159
|
let appFetch = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : fetch;
|
|
160
|
-
// 1:
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
throw new _errors.BuildTrustChainError("Cannot verify trust anchor: missing entity configuration in gathered chain.", {
|
|
167
|
-
relyingPartyUrl: relyingPartyEntityBaseUrl
|
|
168
|
-
});
|
|
169
|
-
}
|
|
170
|
-
if (!trustAnchorKey.kid) {
|
|
171
|
-
throw new _errors.TrustAnchorKidMissingError();
|
|
160
|
+
// 1: Verify if the RP is authorized by the Trust Anchor's federation list
|
|
161
|
+
// Extract the Trust Anchor's signing key and federation_list_endpoint
|
|
162
|
+
// (we assume the TA has only one key, as per spec)
|
|
163
|
+
const trustAnchorKey = trustAnchorConfig.payload.jwks.keys[0];
|
|
164
|
+
if (!trustAnchorKey) {
|
|
165
|
+
throw new _errors.BuildTrustChainError("Cannot verify trust anchor: missing signing key in entity configuration.");
|
|
172
166
|
}
|
|
173
|
-
await (0, _utils.verify)(trustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
|
|
174
|
-
|
|
175
|
-
// 3: Check the federation list
|
|
176
|
-
const trustAnchorConfig = _types.EntityConfiguration.parse((0, _utils.decode)(trustAnchorJwt));
|
|
177
167
|
const federationListEndpoint = trustAnchorConfig.payload.metadata.federation_entity.federation_list_endpoint;
|
|
178
168
|
if (federationListEndpoint) {
|
|
179
169
|
const federationList = await getFederationList(federationListEndpoint, {
|
|
@@ -186,6 +176,20 @@ async function buildTrustChain(relyingPartyEntityBaseUrl, trustAnchorKey) {
|
|
|
186
176
|
});
|
|
187
177
|
}
|
|
188
178
|
}
|
|
179
|
+
|
|
180
|
+
// 1: Recursively gather the trust chain from the RP up to the Trust Anchor
|
|
181
|
+
const trustChain = await gatherTrustChain(relyingPartyEntityBaseUrl, appFetch);
|
|
182
|
+
// 2: Trust Anchor signature verification
|
|
183
|
+
const chainTrustAnchorJwt = trustChain[trustChain.length - 1];
|
|
184
|
+
if (!chainTrustAnchorJwt) {
|
|
185
|
+
throw new _errors.BuildTrustChainError("Cannot verify trust anchor: missing entity configuration in gathered chain.", {
|
|
186
|
+
relyingPartyUrl: relyingPartyEntityBaseUrl
|
|
187
|
+
});
|
|
188
|
+
}
|
|
189
|
+
if (!trustAnchorKey.kid) {
|
|
190
|
+
throw new _errors.TrustAnchorKidMissingError();
|
|
191
|
+
}
|
|
192
|
+
await (0, _utils.verify)(chainTrustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
|
|
189
193
|
return trustChain;
|
|
190
194
|
}
|
|
191
195
|
|
|
@@ -227,7 +231,6 @@ async function gatherTrustChain(entityBaseUrl, appFetch) {
|
|
|
227
231
|
appFetch
|
|
228
232
|
});
|
|
229
233
|
const parentEC = _types.EntityConfiguration.parse((0, _utils.decode)(parentECJwt));
|
|
230
|
-
|
|
231
234
|
// Fetch ES
|
|
232
235
|
const federationFetchEndpoint = parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
|
|
233
236
|
if (!federationFetchEndpoint) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["_errors","require","_utils","_types","_misc","_ioReactNativeJwt","fetchAndParseEntityConfiguration","entityBaseUrl","schema","appFetch","fetch","arguments","length","undefined","responseText","getSignedEntityConfiguration","responseJwt","decodeJwt","parse","header","protectedHeader","payload","getWalletProviderEntityConfiguration","options","WalletProviderEntityConfiguration","exports","getCredentialIssuerEntityConfiguration","CredentialIssuerEntityConfiguration","getTrustAnchorEntityConfiguration","TrustAnchorEntityConfiguration","getRelyingPartyEntityConfiguration","RelyingPartyEntityConfiguration","getEntityConfiguration","EntityConfiguration","getEntityStatement","accreditationBodyBaseUrl","subordinatedEntityBaseUrl","getSignedEntityStatement","EntityStatement","wellKnownUrl","method","then","hasStatusOrThrow","res","text","federationFetchEndpoint","url","URL","searchParams","set","toString","getFederationList","federationListEndpoint","json","result","FederationListResponse","safeParse","success","FederationListParseError","error","message","parseError","data","buildTrustChain","relyingPartyEntityBaseUrl","
|
|
1
|
+
{"version":3,"names":["_errors","require","_utils","_types","_misc","_ioReactNativeJwt","fetchAndParseEntityConfiguration","entityBaseUrl","schema","appFetch","fetch","arguments","length","undefined","responseText","getSignedEntityConfiguration","responseJwt","decodeJwt","parse","header","protectedHeader","payload","getWalletProviderEntityConfiguration","options","WalletProviderEntityConfiguration","exports","getCredentialIssuerEntityConfiguration","CredentialIssuerEntityConfiguration","getTrustAnchorEntityConfiguration","TrustAnchorEntityConfiguration","getRelyingPartyEntityConfiguration","RelyingPartyEntityConfiguration","getEntityConfiguration","EntityConfiguration","getEntityStatement","accreditationBodyBaseUrl","subordinatedEntityBaseUrl","getSignedEntityStatement","EntityStatement","wellKnownUrl","method","then","hasStatusOrThrow","res","text","federationFetchEndpoint","url","URL","searchParams","set","toString","getFederationList","federationListEndpoint","json","result","FederationListResponse","safeParse","success","FederationListParseError","error","message","parseError","data","buildTrustChain","relyingPartyEntityBaseUrl","trustAnchorConfig","trustAnchorKey","jwks","keys","BuildTrustChainError","metadata","federation_entity","federation_list_endpoint","federationList","includes","RelyingPartyNotAuthorizedError","relyingPartyUrl","trustChain","gatherTrustChain","chainTrustAnchorJwt","kid","TrustAnchorKidMissingError","verify","isLeaf","chain","entityECJwt","entityEC","decode","push","authorityHints","authority_hints","parentEntityBaseUrl","parentECJwt","parentEC","federation_fetch_endpoint","MissingFederationFetchEndpointError","missingInEntityUrl","entityStatementJwt","parentChain","concat"],"sourceRoot":"../../../src","sources":["trust/build-chain.ts"],"mappings":";;;;;;;;;;;;;AAAA,IAAAA,OAAA,GAAAC,OAAA;AAOA,IAAAC,MAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AASA,IAAAG,KAAA,GAAAH,OAAA;AACA,IAAAI,iBAAA,GAAAJ,OAAA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoCA,eAAeK,gCAAgCA,CAC7CC,aAAqB,EACrBC,MAK8B,EAM9B;EAAA,IALA;IACEC,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMG,YAAY,GAAG,MAAMC,4BAA4B,CAACR,aAAa,EAAE;IACrEE;EACF,CAAC,CAAC;EAEF,MAAMO,WAAW,GAAG,IAAAC,wBAAS,EAACH,YAAY,CAAC;EAC3C,OAAON,MAAM,CAACU,KAAK,CAAC;IAClBC,MAAM,EAAEH,WAAW,CAACI,eAAe;IACnCC,OAAO,EAAEL,WAAW,CAACK;EACvB,CAAC,CAAC;AACJ;AAEO,MAAMC,oCAAoC,GAAGA,CAClDf,aAAqE,EACrEgB,OAAgE,KAEhEjB,gCAAgC,CAC9BC,aAAa,EACbiB,wCAAiC,EACjCD,OACF,CAAC;AAACE,OAAA,CAAAH,oCAAA,GAAAA,oCAAA;AAEG,MAAMI,sCAAsC,GAAGA,CACpDnB,aAAqE,EACrEgB,OAAgE,KAEhEjB,gCAAgC,CAC9BC,aAAa,EACboB,0CAAmC,EACnCJ,OACF,CAAC;AAACE,OAAA,CAAAC,sCAAA,GAAAA,sCAAA;AAEG,MAAME,iCAAiC,GAAGA,CAC/CrB,aAAqE,EACrEgB,OAAgE,KAEhEjB,gCAAgC,CAC9BC,aAAa,EACbsB,qCAA8B,EAC9BN,OACF,CAAC;AAACE,OAAA,CAAAG,iCAAA,GAAAA,iCAAA;AAEG,MAAME,kCAAkC,GAAGA,CAChDvB,aAAqE,EACrEgB,OAAgE,KAEhEjB,gCAAgC,CAC9BC,aAAa,EACbwB,sCAA+B,EAC/BR,OACF,CAAC;AAACE,OAAA,CAAAK,kCAAA,GAAAA,kCAAA;AAEG,MAAME,sBAAsB,GAAGA,CACpCzB,aAAqE,EACrEgB,OAAgE,KAEhEjB,gCAAgC,CAACC,aAAa,EAAE0B,0BAAmB,EAAEV,OAAO,CAAC;;AAE/E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AARAE,OAAA,CAAAO,sBAAA,GAAAA,sBAAA;AASO,eAAeE,kBAAkBA,CACtCC,wBAAgC,EAChCC,yBAAiC,EAMjC;EAAA,IALA;IACE3B,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMG,YAAY,GAAG,MAAMuB,wBAAwB,CACjDF,wBAAwB,EACxBC,yBAAyB,EACzB;IACE3B;EACF,CACF,CAAC;EAED,MAAMO,WAAW,GAAG,IAAAC,wBAAS,EAACH,YAAY,CAAC;EAC3C,OAAOwB,sBAAe,CAACpB,KAAK,CAAC;IAC3BC,MAAM,EAAEH,WAAW,CAACI,eAAe;IACnCC,OAAO,EAAEL,WAAW,CAACK;EACvB,CAAC,CAAC;AACJ;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeN,4BAA4BA,CAChDR,aAAqB,EAMJ;EAAA,IALjB;IACEE,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAM4B,YAAY,GAAI,GAAEhC,aAAc,gCAA+B;EAErE,OAAO,MAAME,QAAQ,CAAC8B,YAAY,EAAE;IAClCC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeP,wBAAwBA,CAC5CQ,uBAA+B,EAC/BT,yBAAiC,EAMjC;EAAA,IALA;IACE3B,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMmC,GAAG,GAAG,IAAIC,GAAG,CAACF,uBAAuB,CAAC;EAC5CC,GAAG,CAACE,YAAY,CAACC,GAAG,CAAC,KAAK,EAAEb,yBAAyB,CAAC;EAEtD,OAAO,MAAM3B,QAAQ,CAACqC,GAAG,CAACI,QAAQ,CAAC,CAAC,EAAE;IACpCV,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeO,iBAAiBA,CACrCC,sBAA8B,EAMX;EAAA,IALnB;IACE3C,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,OAAO,MAAMF,QAAQ,CAAC2C,sBAAsB,EAAE;IAC5CZ,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,CAAC,CAAC,CAC3BD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACU,IAAI,CAAC,CAAC,CAAC,CACzBZ,IAAI,CAAEY,IAAI,IAAK;IACd,MAAMC,MAAM,GAAGC,6BAAsB,CAACC,SAAS,CAACH,IAAI,CAAC;IACrD,IAAI,CAACC,MAAM,CAACG,OAAO,EAAE;MACnB,MAAM,IAAIC,gCAAwB,CAC/B,gDAA+CN,sBAAuB,YAAWE,MAAM,CAACK,KAAK,CAACC,OAAQ,EAAC,EACxG;QAAEd,GAAG,EAAEM,sBAAsB;QAAES,UAAU,EAAEP,MAAM,CAACK,KAAK,CAACT,QAAQ,CAAC;MAAE,CACrE,CAAC;IACH;IACA,OAAOI,MAAM,CAACQ,IAAI;EACpB,CAAC,CAAC;AACN;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAeC,eAAeA,CACnCC,yBAAiC,EACjCC,iBAAiD,EAE9B;EAAA,IADnBxD,QAA8B,GAAAE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGD,KAAK;EAEtC;EACA;EACA;EACA,MAAMwD,cAAc,GAAGD,iBAAiB,CAAC5C,OAAO,CAAC8C,IAAI,CAACC,IAAI,CAAC,CAAC,CAAC;EAE7D,IAAI,CAACF,cAAc,EAAE;IACnB,MAAM,IAAIG,4BAAoB,CAC5B,0EACF,CAAC;EACH;EAEA,MAAMjB,sBAAsB,GAC1Ba,iBAAiB,CAAC5C,OAAO,CAACiD,QAAQ,CAACC,iBAAiB,CACjDC,wBAAwB;EAE7B,IAAIpB,sBAAsB,EAAE;IAC1B,MAAMqB,cAAc,GAAG,MAAMtB,iBAAiB,CAACC,sBAAsB,EAAE;MACrE3C;IACF,CAAC,CAAC;IAEF,IAAI,CAACgE,cAAc,CAACC,QAAQ,CAACV,yBAAyB,CAAC,EAAE;MACvD,MAAM,IAAIW,sCAA8B,CACtC,wFAAwF,EACxF;QAAEC,eAAe,EAAEZ,yBAAyB;QAAEZ;MAAuB,CACvE,CAAC;IACH;EACF;;EAEA;EACA,MAAMyB,UAAU,GAAG,MAAMC,gBAAgB,CACvCd,yBAAyB,EACzBvD,QACF,CAAC;EACD;EACA,MAAMsE,mBAAmB,GAAGF,UAAU,CAACA,UAAU,CAACjE,MAAM,GAAG,CAAC,CAAC;EAC7D,IAAI,CAACmE,mBAAmB,EAAE;IACxB,MAAM,IAAIV,4BAAoB,CAC5B,6EAA6E,EAC7E;MAAEO,eAAe,EAAEZ;IAA0B,CAC/C,CAAC;EACH;EAEA,IAAI,CAACE,cAAc,CAACc,GAAG,EAAE;IACvB,MAAM,IAAIC,kCAA0B,CAAC,CAAC;EACxC;EAEA,MAAM,IAAAC,aAAM,EAACH,mBAAmB,EAAEb,cAAc,CAACc,GAAG,EAAE,CAACd,cAAc,CAAC,CAAC;EAEvE,OAAOW,UAAU;AACnB;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAeC,gBAAgBA,CAC7BvE,aAAqB,EACrBE,QAA8B,EAEX;EAAA,IADnB0E,MAAe,GAAAxE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,IAAI;EAEtB,MAAMyE,KAAe,GAAG,EAAE;;EAE1B;EACA,MAAMC,WAAW,GAAG,MAAMtE,4BAA4B,CAACR,aAAa,EAAE;IACpEE;EACF,CAAC,CAAC;EACF,MAAM6E,QAAQ,GAAGrD,0BAAmB,CAACf,KAAK,CAAC,IAAAqE,aAAM,EAACF,WAAW,CAAC,CAAC;EAC/D,IAAIF,MAAM,EAAE;IACV;IACAC,KAAK,CAACI,IAAI,CAACH,WAAW,CAAC;EACzB;;EAEA;EACA,MAAMI,cAAc,GAAGH,QAAQ,CAACjE,OAAO,CAACqE,eAAe,IAAI,EAAE;EAC7D,IAAID,cAAc,CAAC7E,MAAM,KAAK,CAAC,EAAE;IAC/B;IACA,IAAI,CAACuE,MAAM,EAAE;MACXC,KAAK,CAACI,IAAI,CAACH,WAAW,CAAC;IACzB;IACA,OAAOD,KAAK;EACd;EACA,MAAMO,mBAAmB,GAAGF,cAAc,CAAC,CAAC,CAAE;;EAE9C;EACA,MAAMG,WAAW,GAAG,MAAM7E,4BAA4B,CAAC4E,mBAAmB,EAAE;IAC1ElF;EACF,CAAC,CAAC;EACF,MAAMoF,QAAQ,GAAG5D,0BAAmB,CAACf,KAAK,CAAC,IAAAqE,aAAM,EAACK,WAAW,CAAC,CAAC;EAC/D;EACA,MAAM/C,uBAAuB,GAC3BgD,QAAQ,CAACxE,OAAO,CAACiD,QAAQ,CAACC,iBAAiB,CAACuB,yBAAyB;EACvE,IAAI,CAACjD,uBAAuB,EAAE;IAC5B,MAAM,IAAIkD,2CAAmC,CAC1C,kDAAiDJ,mBAAoB,4CAA2CpF,aAAc,GAAE,EACjI;MAAEA,aAAa;MAAEyF,kBAAkB,EAAEL;IAAoB,CAC3D,CAAC;EACH;EACA,MAAMM,kBAAkB,GAAG,MAAM5D,wBAAwB,CACvDQ,uBAAuB,EACvBtC,aAAa,EACb;IAAEE;EAAS,CACb,CAAC;EACD;EACA6B,sBAAe,CAACpB,KAAK,CAAC,IAAAqE,aAAM,EAACU,kBAAkB,CAAC,CAAC;;EAEjD;EACAb,KAAK,CAACI,IAAI,CAACS,kBAAkB,CAAC;;EAE9B;EACA,MAAMC,WAAW,GAAG,MAAMpB,gBAAgB,CACxCa,mBAAmB,EACnBlF,QAAQ,EACR,KACF,CAAC;EAED,OAAO2E,KAAK,CAACe,MAAM,CAACD,WAAW,CAAC;AAClC"}
|
|
@@ -133,30 +133,20 @@ export async function getFederationList(federationListEndpoint) {
|
|
|
133
133
|
* Build a not-verified trust chain for a given Relying Party (RP) entity.
|
|
134
134
|
*
|
|
135
135
|
* @param relyingPartyEntityBaseUrl The base URL of the RP entity
|
|
136
|
-
* @param
|
|
136
|
+
* @param trustAnchorConfig The entity configuration of the known trust anchor.
|
|
137
137
|
* @param appFetch An optional instance of the http client to be used.
|
|
138
138
|
* @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
|
|
139
139
|
* @throws {FederationError} When an element of the chain fails to parse or other build steps fail.
|
|
140
140
|
*/
|
|
141
|
-
export async function buildTrustChain(relyingPartyEntityBaseUrl,
|
|
141
|
+
export async function buildTrustChain(relyingPartyEntityBaseUrl, trustAnchorConfig) {
|
|
142
142
|
let appFetch = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : fetch;
|
|
143
|
-
// 1:
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
throw new BuildTrustChainError("Cannot verify trust anchor: missing entity configuration in gathered chain.", {
|
|
150
|
-
relyingPartyUrl: relyingPartyEntityBaseUrl
|
|
151
|
-
});
|
|
152
|
-
}
|
|
153
|
-
if (!trustAnchorKey.kid) {
|
|
154
|
-
throw new TrustAnchorKidMissingError();
|
|
143
|
+
// 1: Verify if the RP is authorized by the Trust Anchor's federation list
|
|
144
|
+
// Extract the Trust Anchor's signing key and federation_list_endpoint
|
|
145
|
+
// (we assume the TA has only one key, as per spec)
|
|
146
|
+
const trustAnchorKey = trustAnchorConfig.payload.jwks.keys[0];
|
|
147
|
+
if (!trustAnchorKey) {
|
|
148
|
+
throw new BuildTrustChainError("Cannot verify trust anchor: missing signing key in entity configuration.");
|
|
155
149
|
}
|
|
156
|
-
await verify(trustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
|
|
157
|
-
|
|
158
|
-
// 3: Check the federation list
|
|
159
|
-
const trustAnchorConfig = EntityConfiguration.parse(decode(trustAnchorJwt));
|
|
160
150
|
const federationListEndpoint = trustAnchorConfig.payload.metadata.federation_entity.federation_list_endpoint;
|
|
161
151
|
if (federationListEndpoint) {
|
|
162
152
|
const federationList = await getFederationList(federationListEndpoint, {
|
|
@@ -169,6 +159,20 @@ export async function buildTrustChain(relyingPartyEntityBaseUrl, trustAnchorKey)
|
|
|
169
159
|
});
|
|
170
160
|
}
|
|
171
161
|
}
|
|
162
|
+
|
|
163
|
+
// 1: Recursively gather the trust chain from the RP up to the Trust Anchor
|
|
164
|
+
const trustChain = await gatherTrustChain(relyingPartyEntityBaseUrl, appFetch);
|
|
165
|
+
// 2: Trust Anchor signature verification
|
|
166
|
+
const chainTrustAnchorJwt = trustChain[trustChain.length - 1];
|
|
167
|
+
if (!chainTrustAnchorJwt) {
|
|
168
|
+
throw new BuildTrustChainError("Cannot verify trust anchor: missing entity configuration in gathered chain.", {
|
|
169
|
+
relyingPartyUrl: relyingPartyEntityBaseUrl
|
|
170
|
+
});
|
|
171
|
+
}
|
|
172
|
+
if (!trustAnchorKey.kid) {
|
|
173
|
+
throw new TrustAnchorKidMissingError();
|
|
174
|
+
}
|
|
175
|
+
await verify(chainTrustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
|
|
172
176
|
return trustChain;
|
|
173
177
|
}
|
|
174
178
|
|
|
@@ -210,7 +214,6 @@ async function gatherTrustChain(entityBaseUrl, appFetch) {
|
|
|
210
214
|
appFetch
|
|
211
215
|
});
|
|
212
216
|
const parentEC = EntityConfiguration.parse(decode(parentECJwt));
|
|
213
|
-
|
|
214
217
|
// Fetch ES
|
|
215
218
|
const federationFetchEndpoint = parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
|
|
216
219
|
if (!federationFetchEndpoint) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["BuildTrustChainError","FederationListParseError","MissingFederationFetchEndpointError","RelyingPartyNotAuthorizedError","TrustAnchorKidMissingError","decode","verify","CredentialIssuerEntityConfiguration","EntityConfiguration","EntityStatement","FederationListResponse","RelyingPartyEntityConfiguration","TrustAnchorEntityConfiguration","WalletProviderEntityConfiguration","hasStatusOrThrow","decodeJwt","fetchAndParseEntityConfiguration","entityBaseUrl","schema","appFetch","fetch","arguments","length","undefined","responseText","getSignedEntityConfiguration","responseJwt","parse","header","protectedHeader","payload","getWalletProviderEntityConfiguration","options","getCredentialIssuerEntityConfiguration","getTrustAnchorEntityConfiguration","getRelyingPartyEntityConfiguration","getEntityConfiguration","getEntityStatement","accreditationBodyBaseUrl","subordinatedEntityBaseUrl","getSignedEntityStatement","wellKnownUrl","method","then","res","text","federationFetchEndpoint","url","URL","searchParams","set","toString","getFederationList","federationListEndpoint","json","result","safeParse","success","error","message","parseError","data","buildTrustChain","relyingPartyEntityBaseUrl","trustAnchorKey","
|
|
1
|
+
{"version":3,"names":["BuildTrustChainError","FederationListParseError","MissingFederationFetchEndpointError","RelyingPartyNotAuthorizedError","TrustAnchorKidMissingError","decode","verify","CredentialIssuerEntityConfiguration","EntityConfiguration","EntityStatement","FederationListResponse","RelyingPartyEntityConfiguration","TrustAnchorEntityConfiguration","WalletProviderEntityConfiguration","hasStatusOrThrow","decodeJwt","fetchAndParseEntityConfiguration","entityBaseUrl","schema","appFetch","fetch","arguments","length","undefined","responseText","getSignedEntityConfiguration","responseJwt","parse","header","protectedHeader","payload","getWalletProviderEntityConfiguration","options","getCredentialIssuerEntityConfiguration","getTrustAnchorEntityConfiguration","getRelyingPartyEntityConfiguration","getEntityConfiguration","getEntityStatement","accreditationBodyBaseUrl","subordinatedEntityBaseUrl","getSignedEntityStatement","wellKnownUrl","method","then","res","text","federationFetchEndpoint","url","URL","searchParams","set","toString","getFederationList","federationListEndpoint","json","result","safeParse","success","error","message","parseError","data","buildTrustChain","relyingPartyEntityBaseUrl","trustAnchorConfig","trustAnchorKey","jwks","keys","metadata","federation_entity","federation_list_endpoint","federationList","includes","relyingPartyUrl","trustChain","gatherTrustChain","chainTrustAnchorJwt","kid","isLeaf","chain","entityECJwt","entityEC","push","authorityHints","authority_hints","parentEntityBaseUrl","parentECJwt","parentEC","federation_fetch_endpoint","missingInEntityUrl","entityStatementJwt","parentChain","concat"],"sourceRoot":"../../../src","sources":["trust/build-chain.ts"],"mappings":"AAAA,SACEA,oBAAoB,EACpBC,wBAAwB,EACxBC,mCAAmC,EACnCC,8BAA8B,EAC9BC,0BAA0B,QACrB,UAAU;AACjB,SAASC,MAAM,EAAEC,MAAM,QAAQ,SAAS;AACxC,SACEC,mCAAmC,EACnCC,mBAAmB,EACnBC,eAAe,EACfC,sBAAsB,EACtBC,+BAA+B,EAC/BC,8BAA8B,EAC9BC,iCAAiC,QAC5B,SAAS;AAChB,SAASC,gBAAgB,QAAQ,eAAe;AAChD,SAAST,MAAM,IAAIU,SAAS,QAAQ,6BAA6B;;AAEjE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoCA,eAAeC,gCAAgCA,CAC7CC,aAAqB,EACrBC,MAK8B,EAM9B;EAAA,IALA;IACEC,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMG,YAAY,GAAG,MAAMC,4BAA4B,CAACR,aAAa,EAAE;IACrEE;EACF,CAAC,CAAC;EAEF,MAAMO,WAAW,GAAGX,SAAS,CAACS,YAAY,CAAC;EAC3C,OAAON,MAAM,CAACS,KAAK,CAAC;IAClBC,MAAM,EAAEF,WAAW,CAACG,eAAe;IACnCC,OAAO,EAAEJ,WAAW,CAACI;EACvB,CAAC,CAAC;AACJ;AAEA,OAAO,MAAMC,oCAAoC,GAAGA,CAClDd,aAAqE,EACrEe,OAAgE,KAEhEhB,gCAAgC,CAC9BC,aAAa,EACbJ,iCAAiC,EACjCmB,OACF,CAAC;AAEH,OAAO,MAAMC,sCAAsC,GAAGA,CACpDhB,aAAqE,EACrEe,OAAgE,KAEhEhB,gCAAgC,CAC9BC,aAAa,EACbV,mCAAmC,EACnCyB,OACF,CAAC;AAEH,OAAO,MAAME,iCAAiC,GAAGA,CAC/CjB,aAAqE,EACrEe,OAAgE,KAEhEhB,gCAAgC,CAC9BC,aAAa,EACbL,8BAA8B,EAC9BoB,OACF,CAAC;AAEH,OAAO,MAAMG,kCAAkC,GAAGA,CAChDlB,aAAqE,EACrEe,OAAgE,KAEhEhB,gCAAgC,CAC9BC,aAAa,EACbN,+BAA+B,EAC/BqB,OACF,CAAC;AAEH,OAAO,MAAMI,sBAAsB,GAAGA,CACpCnB,aAAqE,EACrEe,OAAgE,KAEhEhB,gCAAgC,CAACC,aAAa,EAAET,mBAAmB,EAAEwB,OAAO,CAAC;;AAE/E;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeK,kBAAkBA,CACtCC,wBAAgC,EAChCC,yBAAiC,EAMjC;EAAA,IALA;IACEpB,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMG,YAAY,GAAG,MAAMgB,wBAAwB,CACjDF,wBAAwB,EACxBC,yBAAyB,EACzB;IACEpB;EACF,CACF,CAAC;EAED,MAAMO,WAAW,GAAGX,SAAS,CAACS,YAAY,CAAC;EAC3C,OAAOf,eAAe,CAACkB,KAAK,CAAC;IAC3BC,MAAM,EAAEF,WAAW,CAACG,eAAe;IACnCC,OAAO,EAAEJ,WAAW,CAACI;EACvB,CAAC,CAAC;AACJ;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeL,4BAA4BA,CAChDR,aAAqB,EAMJ;EAAA,IALjB;IACEE,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAMoB,YAAY,GAAI,GAAExB,aAAc,gCAA+B;EAErE,OAAO,MAAME,QAAQ,CAACsB,YAAY,EAAE;IAClCC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC7B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3B6B,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeL,wBAAwBA,CAC5CM,uBAA+B,EAC/BP,yBAAiC,EAMjC;EAAA,IALA;IACEpB,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,MAAM0B,GAAG,GAAG,IAAIC,GAAG,CAACF,uBAAuB,CAAC;EAC5CC,GAAG,CAACE,YAAY,CAACC,GAAG,CAAC,KAAK,EAAEX,yBAAyB,CAAC;EAEtD,OAAO,MAAMpB,QAAQ,CAAC4B,GAAG,CAACI,QAAQ,CAAC,CAAC,EAAE;IACpCT,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC7B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3B6B,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeO,iBAAiBA,CACrCC,sBAA8B,EAMX;EAAA,IALnB;IACElC,QAAQ,GAAGC;EAGb,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEN,OAAO,MAAMF,QAAQ,CAACkC,sBAAsB,EAAE;IAC5CX,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAAC7B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3B6B,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACU,IAAI,CAAC,CAAC,CAAC,CACzBX,IAAI,CAAEW,IAAI,IAAK;IACd,MAAMC,MAAM,GAAG7C,sBAAsB,CAAC8C,SAAS,CAACF,IAAI,CAAC;IACrD,IAAI,CAACC,MAAM,CAACE,OAAO,EAAE;MACnB,MAAM,IAAIxD,wBAAwB,CAC/B,gDAA+CoD,sBAAuB,YAAWE,MAAM,CAACG,KAAK,CAACC,OAAQ,EAAC,EACxG;QAAEZ,GAAG,EAAEM,sBAAsB;QAAEO,UAAU,EAAEL,MAAM,CAACG,KAAK,CAACP,QAAQ,CAAC;MAAE,CACrE,CAAC;IACH;IACA,OAAOI,MAAM,CAACM,IAAI;EACpB,CAAC,CAAC;AACN;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeC,eAAeA,CACnCC,yBAAiC,EACjCC,iBAAiD,EAE9B;EAAA,IADnB7C,QAA8B,GAAAE,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGD,KAAK;EAEtC;EACA;EACA;EACA,MAAM6C,cAAc,GAAGD,iBAAiB,CAAClC,OAAO,CAACoC,IAAI,CAACC,IAAI,CAAC,CAAC,CAAC;EAE7D,IAAI,CAACF,cAAc,EAAE;IACnB,MAAM,IAAIjE,oBAAoB,CAC5B,0EACF,CAAC;EACH;EAEA,MAAMqD,sBAAsB,GAC1BW,iBAAiB,CAAClC,OAAO,CAACsC,QAAQ,CAACC,iBAAiB,CACjDC,wBAAwB;EAE7B,IAAIjB,sBAAsB,EAAE;IAC1B,MAAMkB,cAAc,GAAG,MAAMnB,iBAAiB,CAACC,sBAAsB,EAAE;MACrElC;IACF,CAAC,CAAC;IAEF,IAAI,CAACoD,cAAc,CAACC,QAAQ,CAACT,yBAAyB,CAAC,EAAE;MACvD,MAAM,IAAI5D,8BAA8B,CACtC,wFAAwF,EACxF;QAAEsE,eAAe,EAAEV,yBAAyB;QAAEV;MAAuB,CACvE,CAAC;IACH;EACF;;EAEA;EACA,MAAMqB,UAAU,GAAG,MAAMC,gBAAgB,CACvCZ,yBAAyB,EACzB5C,QACF,CAAC;EACD;EACA,MAAMyD,mBAAmB,GAAGF,UAAU,CAACA,UAAU,CAACpD,MAAM,GAAG,CAAC,CAAC;EAC7D,IAAI,CAACsD,mBAAmB,EAAE;IACxB,MAAM,IAAI5E,oBAAoB,CAC5B,6EAA6E,EAC7E;MAAEyE,eAAe,EAAEV;IAA0B,CAC/C,CAAC;EACH;EAEA,IAAI,CAACE,cAAc,CAACY,GAAG,EAAE;IACvB,MAAM,IAAIzE,0BAA0B,CAAC,CAAC;EACxC;EAEA,MAAME,MAAM,CAACsE,mBAAmB,EAAEX,cAAc,CAACY,GAAG,EAAE,CAACZ,cAAc,CAAC,CAAC;EAEvE,OAAOS,UAAU;AACnB;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,eAAeC,gBAAgBA,CAC7B1D,aAAqB,EACrBE,QAA8B,EAEX;EAAA,IADnB2D,MAAe,GAAAzD,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,IAAI;EAEtB,MAAM0D,KAAe,GAAG,EAAE;;EAE1B;EACA,MAAMC,WAAW,GAAG,MAAMvD,4BAA4B,CAACR,aAAa,EAAE;IACpEE;EACF,CAAC,CAAC;EACF,MAAM8D,QAAQ,GAAGzE,mBAAmB,CAACmB,KAAK,CAACtB,MAAM,CAAC2E,WAAW,CAAC,CAAC;EAC/D,IAAIF,MAAM,EAAE;IACV;IACAC,KAAK,CAACG,IAAI,CAACF,WAAW,CAAC;EACzB;;EAEA;EACA,MAAMG,cAAc,GAAGF,QAAQ,CAACnD,OAAO,CAACsD,eAAe,IAAI,EAAE;EAC7D,IAAID,cAAc,CAAC7D,MAAM,KAAK,CAAC,EAAE;IAC/B;IACA,IAAI,CAACwD,MAAM,EAAE;MACXC,KAAK,CAACG,IAAI,CAACF,WAAW,CAAC;IACzB;IACA,OAAOD,KAAK;EACd;EACA,MAAMM,mBAAmB,GAAGF,cAAc,CAAC,CAAC,CAAE;;EAE9C;EACA,MAAMG,WAAW,GAAG,MAAM7D,4BAA4B,CAAC4D,mBAAmB,EAAE;IAC1ElE;EACF,CAAC,CAAC;EACF,MAAMoE,QAAQ,GAAG/E,mBAAmB,CAACmB,KAAK,CAACtB,MAAM,CAACiF,WAAW,CAAC,CAAC;EAC/D;EACA,MAAMxC,uBAAuB,GAC3ByC,QAAQ,CAACzD,OAAO,CAACsC,QAAQ,CAACC,iBAAiB,CAACmB,yBAAyB;EACvE,IAAI,CAAC1C,uBAAuB,EAAE;IAC5B,MAAM,IAAI5C,mCAAmC,CAC1C,kDAAiDmF,mBAAoB,4CAA2CpE,aAAc,GAAE,EACjI;MAAEA,aAAa;MAAEwE,kBAAkB,EAAEJ;IAAoB,CAC3D,CAAC;EACH;EACA,MAAMK,kBAAkB,GAAG,MAAMlD,wBAAwB,CACvDM,uBAAuB,EACvB7B,aAAa,EACb;IAAEE;EAAS,CACb,CAAC;EACD;EACAV,eAAe,CAACkB,KAAK,CAACtB,MAAM,CAACqF,kBAAkB,CAAC,CAAC;;EAEjD;EACAX,KAAK,CAACG,IAAI,CAACQ,kBAAkB,CAAC;;EAE9B;EACA,MAAMC,WAAW,GAAG,MAAMhB,gBAAgB,CACxCU,mBAAmB,EACnBlE,QAAQ,EACR,KACF,CAAC;EAED,OAAO4D,KAAK,CAACa,MAAM,CAACD,WAAW,CAAC;AAClC"}
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
import type { JWK } from "../utils/jwk";
|
|
2
1
|
import { CredentialIssuerEntityConfiguration, EntityConfiguration, RelyingPartyEntityConfiguration, TrustAnchorEntityConfiguration, WalletProviderEntityConfiguration } from "./types";
|
|
3
2
|
/**
|
|
4
3
|
* Fetch and parse the entity configuration document for a given federation entity.
|
|
@@ -1290,11 +1289,11 @@ export declare function getFederationList(federationListEndpoint: string, { appF
|
|
|
1290
1289
|
* Build a not-verified trust chain for a given Relying Party (RP) entity.
|
|
1291
1290
|
*
|
|
1292
1291
|
* @param relyingPartyEntityBaseUrl The base URL of the RP entity
|
|
1293
|
-
* @param
|
|
1292
|
+
* @param trustAnchorConfig The entity configuration of the known trust anchor.
|
|
1294
1293
|
* @param appFetch An optional instance of the http client to be used.
|
|
1295
1294
|
* @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
|
|
1296
1295
|
* @throws {FederationError} When an element of the chain fails to parse or other build steps fail.
|
|
1297
1296
|
*/
|
|
1298
|
-
export declare function buildTrustChain(relyingPartyEntityBaseUrl: string,
|
|
1297
|
+
export declare function buildTrustChain(relyingPartyEntityBaseUrl: string, trustAnchorConfig: TrustAnchorEntityConfiguration, appFetch?: GlobalFetch["fetch"]): Promise<string[]>;
|
|
1299
1298
|
export {};
|
|
1300
1299
|
//# sourceMappingURL=build-chain.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"build-chain.d.ts","sourceRoot":"","sources":["../../../src/trust/build-chain.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"build-chain.d.ts","sourceRoot":"","sources":["../../../src/trust/build-chain.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,mCAAmC,EACnC,mBAAmB,EAGnB,+BAA+B,EAC/B,8BAA8B,EAC9B,iCAAiC,EAClC,MAAM,SAAS,CAAC;AAIjB;;;;;;;;;;;;;;;;;GAiBG;AACH,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,iCAAiC,EAChD,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,iCAAiC,CAAC,CAAC;AAC9C,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,+BAA+B,EAC9C,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,+BAA+B,CAAC,CAAC;AAC5C,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,8BAA8B,EAC7C,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,8BAA8B,CAAC,CAAC;AAC3C,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,mCAAmC,EAClD,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,mCAAmC,CAAC,CAAC;AAChD,iBAAe,gCAAgC,CAC7C,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,OAAO,mBAAmB,EAClC,OAAO,CAAC,EAAE;IACR,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,mBAAmB,CAAC,CAAC;AA0BhC,eAAO,MAAM,oCAAoC,kBAChC,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/D,CAAC;AAEJ,eAAO,MAAM,sCAAsC,kBAClC,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/D,CAAC;AAEJ,eAAO,MAAM,iCAAiC,kBAC7B,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/D,CAAC;AAEJ,eAAO,MAAM,kCAAkC,kBAC9B,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM/D,CAAC;AAEJ,eAAO,MAAM,sBAAsB,kBAClB,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC,YAC3D,WAAW,uCAAuC,CAAC,CAAC,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAEa,CAAC;AAEhF;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,wBAAwB,EAAE,MAAM,EAChC,yBAAyB,EAAE,MAAM,EACjC,EACE,QAAgB,GACjB,GAAE;IACD,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CAC5B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAeP;AAED;;;;;;GAMG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,MAAM,EACrB,EACE,QAAgB,GACjB,GAAE;IACD,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CAC5B,GACL,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED;;;;;;;;GAQG;AACH,wBAAsB,wBAAwB,CAC5C,uBAAuB,EAAE,MAAM,EAC/B,yBAAyB,EAAE,MAAM,EACjC,EACE,QAAgB,GACjB,GAAE;IACD,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CAC5B,mBAUP;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACrC,sBAAsB,EAAE,MAAM,EAC9B,EACE,QAAgB,GACjB,GAAE;IACD,QAAQ,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;CAC5B,GACL,OAAO,CAAC,MAAM,EAAE,CAAC,CAgBnB;AAED;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CACnC,yBAAyB,EAAE,MAAM,EACjC,iBAAiB,EAAE,8BAA8B,EACjD,QAAQ,GAAE,WAAW,CAAC,OAAO,CAAS,GACrC,OAAO,CAAC,MAAM,EAAE,CAAC,CAkDnB"}
|
package/package.json
CHANGED
package/src/trust/build-chain.ts
CHANGED
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
import type { JWK } from "../utils/jwk";
|
|
2
1
|
import {
|
|
3
2
|
BuildTrustChainError,
|
|
4
3
|
FederationListParseError,
|
|
@@ -266,39 +265,27 @@ export async function getFederationList(
|
|
|
266
265
|
* Build a not-verified trust chain for a given Relying Party (RP) entity.
|
|
267
266
|
*
|
|
268
267
|
* @param relyingPartyEntityBaseUrl The base URL of the RP entity
|
|
269
|
-
* @param
|
|
268
|
+
* @param trustAnchorConfig The entity configuration of the known trust anchor.
|
|
270
269
|
* @param appFetch An optional instance of the http client to be used.
|
|
271
270
|
* @returns A list of signed tokens that represent the trust chain, in the order of the chain (from the RP to the Trust Anchor)
|
|
272
271
|
* @throws {FederationError} When an element of the chain fails to parse or other build steps fail.
|
|
273
272
|
*/
|
|
274
273
|
export async function buildTrustChain(
|
|
275
274
|
relyingPartyEntityBaseUrl: string,
|
|
276
|
-
|
|
275
|
+
trustAnchorConfig: TrustAnchorEntityConfiguration,
|
|
277
276
|
appFetch: GlobalFetch["fetch"] = fetch
|
|
278
277
|
): Promise<string[]> {
|
|
279
|
-
// 1:
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
);
|
|
278
|
+
// 1: Verify if the RP is authorized by the Trust Anchor's federation list
|
|
279
|
+
// Extract the Trust Anchor's signing key and federation_list_endpoint
|
|
280
|
+
// (we assume the TA has only one key, as per spec)
|
|
281
|
+
const trustAnchorKey = trustAnchorConfig.payload.jwks.keys[0];
|
|
284
282
|
|
|
285
|
-
|
|
286
|
-
const trustAnchorJwt = trustChain[trustChain.length - 1];
|
|
287
|
-
if (!trustAnchorJwt) {
|
|
283
|
+
if (!trustAnchorKey) {
|
|
288
284
|
throw new BuildTrustChainError(
|
|
289
|
-
"Cannot verify trust anchor: missing
|
|
290
|
-
{ relyingPartyUrl: relyingPartyEntityBaseUrl }
|
|
285
|
+
"Cannot verify trust anchor: missing signing key in entity configuration."
|
|
291
286
|
);
|
|
292
287
|
}
|
|
293
288
|
|
|
294
|
-
if (!trustAnchorKey.kid) {
|
|
295
|
-
throw new TrustAnchorKidMissingError();
|
|
296
|
-
}
|
|
297
|
-
|
|
298
|
-
await verify(trustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
|
|
299
|
-
|
|
300
|
-
// 3: Check the federation list
|
|
301
|
-
const trustAnchorConfig = EntityConfiguration.parse(decode(trustAnchorJwt));
|
|
302
289
|
const federationListEndpoint =
|
|
303
290
|
trustAnchorConfig.payload.metadata.federation_entity
|
|
304
291
|
.federation_list_endpoint;
|
|
@@ -316,6 +303,26 @@ export async function buildTrustChain(
|
|
|
316
303
|
}
|
|
317
304
|
}
|
|
318
305
|
|
|
306
|
+
// 1: Recursively gather the trust chain from the RP up to the Trust Anchor
|
|
307
|
+
const trustChain = await gatherTrustChain(
|
|
308
|
+
relyingPartyEntityBaseUrl,
|
|
309
|
+
appFetch
|
|
310
|
+
);
|
|
311
|
+
// 2: Trust Anchor signature verification
|
|
312
|
+
const chainTrustAnchorJwt = trustChain[trustChain.length - 1];
|
|
313
|
+
if (!chainTrustAnchorJwt) {
|
|
314
|
+
throw new BuildTrustChainError(
|
|
315
|
+
"Cannot verify trust anchor: missing entity configuration in gathered chain.",
|
|
316
|
+
{ relyingPartyUrl: relyingPartyEntityBaseUrl }
|
|
317
|
+
);
|
|
318
|
+
}
|
|
319
|
+
|
|
320
|
+
if (!trustAnchorKey.kid) {
|
|
321
|
+
throw new TrustAnchorKidMissingError();
|
|
322
|
+
}
|
|
323
|
+
|
|
324
|
+
await verify(chainTrustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
|
|
325
|
+
|
|
319
326
|
return trustChain;
|
|
320
327
|
}
|
|
321
328
|
|
|
@@ -339,7 +346,6 @@ async function gatherTrustChain(
|
|
|
339
346
|
appFetch,
|
|
340
347
|
});
|
|
341
348
|
const entityEC = EntityConfiguration.parse(decode(entityECJwt));
|
|
342
|
-
|
|
343
349
|
if (isLeaf) {
|
|
344
350
|
// Only push EC for the leaf
|
|
345
351
|
chain.push(entityECJwt);
|
|
@@ -354,7 +360,6 @@ async function gatherTrustChain(
|
|
|
354
360
|
}
|
|
355
361
|
return chain;
|
|
356
362
|
}
|
|
357
|
-
|
|
358
363
|
const parentEntityBaseUrl = authorityHints[0]!;
|
|
359
364
|
|
|
360
365
|
// Fetch parent EC
|
|
@@ -362,7 +367,6 @@ async function gatherTrustChain(
|
|
|
362
367
|
appFetch,
|
|
363
368
|
});
|
|
364
369
|
const parentEC = EntityConfiguration.parse(decode(parentECJwt));
|
|
365
|
-
|
|
366
370
|
// Fetch ES
|
|
367
371
|
const federationFetchEndpoint =
|
|
368
372
|
parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
|
|
@@ -372,7 +376,6 @@ async function gatherTrustChain(
|
|
|
372
376
|
{ entityBaseUrl, missingInEntityUrl: parentEntityBaseUrl }
|
|
373
377
|
);
|
|
374
378
|
}
|
|
375
|
-
|
|
376
379
|
const entityStatementJwt = await getSignedEntityStatement(
|
|
377
380
|
federationFetchEndpoint,
|
|
378
381
|
entityBaseUrl,
|