@pagopa/io-react-native-wallet 2.5.1 → 3.0.0

package/lib/module/trust/README.md

@@ -38,15 +38,24 @@ sequenceDiagram
 ### Validate a trust chain
 
 ```ts
-import { validateTrustChain } from "./trust";
+import { IoWallet } from "@pagopa/io-react-native-wallet";
 import { trustAnchorEntityConfiguration } from "./your-data";
 import { chain } from "./your-data"; // array of JWTs, starting from leaf
 
-const result = await validateTrustChain(trustAnchorEntityConfiguration, chain, {
+const wallet = new IoWallet({ version: "1.0.0" });
+
+const result = await wallet.Trust.verifyTrustChain(
+  trustAnchorEntityConfiguration, 
+  chain, 
+  {
     connectTimeout: 3000,
     readTimeout: 3000,
     requireCrl: false,
-});
+  },
+  {
+    renewOnFail: true // Optional trust chain renewal
+  }
+);
 ```
 
 * The `chain` must be an array of signed JWT strings.
@@ -55,6 +64,9 @@ const result = await validateTrustChain(trustAnchorEntityConfiguration, chain, {
 
 ### Renew a trust chain
 
+[>!NOTE]
+> Internal only
+
 ```ts
 import { renewTrustChain } from "./trust";
 
@@ -66,9 +78,11 @@ This will fetch updated JWTs from each authority in the chain.
 ### Build a trust chain
 
 ```ts
-import { buildTrustChain } from "./trust";
+import { IoWallet } from "@pagopa/io-react-native-wallet";
 
-const chain = await buildTrustChain({
+const wallet = new IoWallet({ version: "1.0.0" });
+
+const chain = await wallet.Trust.buildTrustChain({
   leaf: "https://example-leaf",
   trustAnchor: trustAnchorEntityConfiguration,
 });
@@ -90,18 +104,17 @@ const chain = await buildTrustChain({
 ### Build and Validate Example
 
 ```ts
-import {
-  buildTrustChain,
-  validateTrustChain,
-} from "./trust";
+import { IoWallet } from "@pagopa/io-react-native-wallet";
 import { trustAnchorEntityConfiguration } from "./your-data";
 
-const chain = await buildTrustChain({
+const wallet = new IoWallet({ version: "1.0.0" });
+
+const chain = await wallet.Trust.buildTrustChain({
   leaf: "https://example-leaf",
   trustAnchor: trustAnchorEntityConfiguration,
 });
 
-const result = await validateTrustChain(trustAnchorEntityConfiguration, chain, {
+const result = await wallet.Trust.verifyTrustChain(trustAnchorEntityConfiguration, chain, {
   connectTimeout: 3000,
   readTimeout: 3000,
   requireCrl: true,

package/lib/module/trust/api/TrustAnchorConfig.js

@@ -0,0 +1,21 @@
+import * as z from "zod";
+import { JWK } from "../../utils/jwk";
+import { FederationEntityMetadata } from "../common/types";
+
+/**
+ * Common Trust Anchor configuration
+ * @public
+ */
+
+export const TrustAnchorConfig = z.object({
+  jwt: z.object({
+    header: z.object({
+      typ: z.literal("entity-statement+jwt"),
+      alg: z.string(),
+      kid: z.string()
+    })
+  }),
+  keys: z.array(JWK),
+  federation_entity: FederationEntityMetadata
+});
+//# sourceMappingURL=TrustAnchorConfig.js.map

package/lib/module/trust/api/TrustAnchorConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["z","JWK","FederationEntityMetadata","TrustAnchorConfig","object","jwt","header","typ","literal","alg","string","kid","keys","array","federation_entity"],"sourceRoot":"../../../../src","sources":["trust/api/TrustAnchorConfig.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,SAASC,GAAG,QAAQ,iBAAiB;AACrC,SAASC,wBAAwB,QAAQ,iBAAiB;;AAE1D;AACA;AACA;AACA;;AAEA,OAAO,MAAMC,iBAAiB,GAAGH,CAAC,CAACI,MAAM,CAAC;EACxCC,GAAG,EAAEL,CAAC,CAACI,MAAM,CAAC;IACZE,MAAM,EAAEN,CAAC,CAACI,MAAM,CAAC;MACfG,GAAG,EAAEP,CAAC,CAACQ,OAAO,CAAC,sBAAsB,CAAC;MACtCC,GAAG,EAAET,CAAC,CAACU,MAAM,CAAC,CAAC;MACfC,GAAG,EAAEX,CAAC,CAACU,MAAM,CAAC;IAChB,CAAC;EACH,CAAC,CAAC;EACFE,IAAI,EAAEZ,CAAC,CAACa,KAAK,CAACZ,GAAG,CAAC;EAClBa,iBAAiB,EAAEZ;AACrB,CAAC,CAAC"}

package/lib/module/trust/api/index.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.js.map

package/lib/module/trust/api/index.js.map

@@ -0,0 +1 @@
+{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["trust/api/index.ts"],"mappings":""}

package/lib/module/trust/common/build-chain.js

@@ -0,0 +1,111 @@
+import { BuildTrustChainError, MissingFederationFetchEndpointError, RelyingPartyNotAuthorizedError, TrustAnchorKidMissingError } from "./errors";
+import { decode, getFederationList, getSignedEntityConfiguration, getSignedEntityStatement, verify } from "./utils";
+/**
+ * Factory function to create `buildTrustChain`.
+ * @param config Version specific Entity shapes
+ * @returns `buildTrustChain` function compliant with the public API
+ */
+export function createBuildTrustChain(config) {
+  return async function buildTrustChain(relyingPartyEntityBaseUrl, trustAnchorConfig) {
+    let appFetch = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : fetch;
+    // 1: Verify if the RP is authorized by the Trust Anchor's federation list
+    // Extract the Trust Anchor's signing key and federation_list_endpoint
+    // (we assume the TA has only one key, as per spec)
+    const trustAnchorKey = trustAnchorConfig.keys[0];
+    if (!trustAnchorKey) {
+      throw new BuildTrustChainError("Cannot verify trust anchor: missing signing key in entity configuration.");
+    }
+    const federationListEndpoint = trustAnchorConfig.federation_entity.federation_list_endpoint;
+    if (federationListEndpoint) {
+      const federationList = await getFederationList(federationListEndpoint, {
+        appFetch
+      });
+      if (!federationList.includes(relyingPartyEntityBaseUrl)) {
+        throw new RelyingPartyNotAuthorizedError("Relying Party entity base URL is not authorized by the Trust Anchor's federation list.", {
+          relyingPartyUrl: relyingPartyEntityBaseUrl,
+          federationListEndpoint
+        });
+      }
+    }
+    const gatherTrustChain = createGatherTrustChain(config);
+
+    // 1: Recursively gather the trust chain from the RP up to the Trust Anchor
+    const trustChain = await gatherTrustChain(relyingPartyEntityBaseUrl, appFetch);
+    // 2: Trust Anchor signature verification
+    const chainTrustAnchorJwt = trustChain[trustChain.length - 1];
+    if (!chainTrustAnchorJwt) {
+      throw new BuildTrustChainError("Cannot verify trust anchor: missing entity configuration in gathered chain.", {
+        relyingPartyUrl: relyingPartyEntityBaseUrl
+      });
+    }
+    if (!trustAnchorKey.kid) {
+      throw new TrustAnchorKidMissingError();
+    }
+    await verify(chainTrustAnchorJwt, trustAnchorKey.kid, [trustAnchorKey]);
+    return trustChain;
+  };
+}
+
+/**
+ * Factory function to create `gatherTrustChain`.
+ * @param config Version specific Entity shapes
+ * @returns `gatherTrustChain` function.
+ */
+export function createGatherTrustChain(_ref) {
+  let {
+    EntityConfigurationShape,
+    EntityStatementShape
+  } = _ref;
+  return async function gatherTrustChain(entityBaseUrl, appFetch) {
+    let isLeaf = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : true;
+    const chain = [];
+
+    // Fetch self-signed EC (only needed for the leaf)
+    const entityECJwt = await getSignedEntityConfiguration(entityBaseUrl, {
+      appFetch
+    });
+    const entityEC = EntityConfigurationShape.parse(decode(entityECJwt));
+    if (isLeaf) {
+      // Only push EC for the leaf
+      chain.push(entityECJwt);
+    }
+
+    // Find authority_hints (parent, if any)
+    const authorityHints = entityEC.payload.authority_hints ?? [];
+    if (authorityHints.length === 0) {
+      // This is the Trust Anchor (no parent)
+      if (!isLeaf) {
+        chain.push(entityECJwt);
+      }
+      return chain;
+    }
+    const parentEntityBaseUrl = authorityHints[0];
+
+    // Fetch parent EC
+    const parentECJwt = await getSignedEntityConfiguration(parentEntityBaseUrl, {
+      appFetch
+    });
+    const parentEC = EntityConfigurationShape.parse(decode(parentECJwt));
+    // Fetch ES
+    const federationFetchEndpoint = parentEC.payload.metadata.federation_entity.federation_fetch_endpoint;
+    if (!federationFetchEndpoint) {
+      throw new MissingFederationFetchEndpointError(`Missing federation_fetch_endpoint in parent's (${parentEntityBaseUrl}) configuration when gathering chain for ${entityBaseUrl}.`, {
+        entityBaseUrl,
+        missingInEntityUrl: parentEntityBaseUrl
+      });
+    }
+    const entityStatementJwt = await getSignedEntityStatement(federationFetchEndpoint, entityBaseUrl, {
+      appFetch
+    });
+    // Validate the ES
+    EntityStatementShape.parse(decode(entityStatementJwt));
+
+    // Push this ES into the chain
+    chain.push(entityStatementJwt);
+
+    // Recurse into the parent
+    const parentChain = await gatherTrustChain(parentEntityBaseUrl, appFetch, false);
+    return chain.concat(parentChain);
+  };
+}
+//# sourceMappingURL=build-chain.js.map

package/lib/module/trust/common/build-chain.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["BuildTrustChainError","MissingFederationFetchEndpointError","RelyingPartyNotAuthorizedError","TrustAnchorKidMissingError","decode","getFederationList","getSignedEntityConfiguration","getSignedEntityStatement","verify","createBuildTrustChain","config","buildTrustChain","relyingPartyEntityBaseUrl","trustAnchorConfig","appFetch","arguments","length","undefined","fetch","trustAnchorKey","keys","federationListEndpoint","federation_entity","federation_list_endpoint","federationList","includes","relyingPartyUrl","gatherTrustChain","createGatherTrustChain","trustChain","chainTrustAnchorJwt","kid","_ref","EntityConfigurationShape","EntityStatementShape","entityBaseUrl","isLeaf","chain","entityECJwt","entityEC","parse","push","authorityHints","payload","authority_hints","parentEntityBaseUrl","parentECJwt","parentEC","federationFetchEndpoint","metadata","federation_fetch_endpoint","missingInEntityUrl","entityStatementJwt","parentChain","concat"],"sourceRoot":"../../../../src","sources":["trust/common/build-chain.ts"],"mappings":"AAAA,SACEA,oBAAoB,EACpBC,mCAAmC,EACnCC,8BAA8B,EAC9BC,0BAA0B,QACrB,UAAU;AACjB,SACEC,MAAM,EACNC,iBAAiB,EACjBC,4BAA4B,EAC5BC,wBAAwB,EACxBC,MAAM,QACD,SAAS;AAUhB;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,qBAAqBA,CACnCC,MAAqB,EACQ;EAC7B,OAAO,eAAeC,eAAeA,CACnCC,yBAAyB,EACzBC,iBAAiB,EAEjB;IAAA,IADAC,QAAQ,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGG,KAAK;IAEhB;IACA;IACA;IACA,MAAMC,cAAc,GAAGN,iBAAiB,CAACO,IAAI,CAAC,CAAC,CAAC;IAEhD,IAAI,CAACD,cAAc,EAAE;MACnB,MAAM,IAAInB,oBAAoB,CAC5B,0EACF,CAAC;IACH;IAEA,MAAMqB,sBAAsB,GAC1BR,iBAAiB,CAACS,iBAAiB,CAACC,wBAAwB;IAE9D,IAAIF,sBAAsB,EAAE;MAC1B,MAAMG,cAAc,GAAG,MAAMnB,iBAAiB,CAACgB,sBAAsB,EAAE;QACrEP;MACF,CAAC,CAAC;MAEF,IAAI,CAACU,cAAc,CAACC,QAAQ,CAACb,yBAAyB,CAAC,EAAE;QACvD,MAAM,IAAIV,8BAA8B,CACtC,wFAAwF,EACxF;UAAEwB,eAAe,EAAEd,yBAAyB;UAAES;QAAuB,CACvE,CAAC;MACH;IACF;IAEA,MAAMM,gBAAgB,GAAGC,sBAAsB,CAAClB,MAAM,CAAC;;IAEvD;IACA,MAAMmB,UAAU,GAAG,MAAMF,gBAAgB,CACvCf,yBAAyB,EACzBE,QACF,CAAC;IACD;IACA,MAAMgB,mBAAmB,GAAGD,UAAU,CAACA,UAAU,CAACb,MAAM,GAAG,CAAC,CAAC;IAC7D,IAAI,CAACc,mBAAmB,EAAE;MACxB,MAAM,IAAI9B,oBAAoB,CAC5B,6EAA6E,EAC7E;QAAE0B,eAAe,EAAEd;MAA0B,CAC/C,CAAC;IACH;IAEA,IAAI,CAACO,cAAc,CAACY,GAAG,EAAE;MACvB,MAAM,IAAI5B,0BAA0B,CAAC,CAAC;IACxC;IAEA,MAAMK,MAAM,CAACsB,mBAAmB,EAAEX,cAAc,CAACY,GAAG,EAAE,CAACZ,cAAc,CAAC,CAAC;IAEvE,OAAOU,UAAU;EACnB,CAAC;AACH;;AAEA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASD,sBAAsBA,CAAAI,IAAA,EAGpB;EAAA,IAHqB;IACrCC,wBAAwB;IACxBC;EACa,CAAC,GAAAF,IAAA;EACd,OAAO,eAAeL,gBAAgBA,CACpCQ,aAAqB,EACrBrB,QAA8B,EAEX;IAAA,IADnBsB,MAAe,GAAArB,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,IAAI;IAEtB,MAAMsB,KAAe,GAAG,EAAE;;IAE1B;IACA,MAAMC,WAAW,GAAG,MAAMhC,4BAA4B,CAAC6B,aAAa,EAAE;MACpErB;IACF,CAAC,CAAC;IACF,MAAMyB,QAAQ,GAAGN,wBAAwB,CAACO,KAAK,CAACpC,MAAM,CAACkC,WAAW,CAAC,CAAC;IACpE,IAAIF,MAAM,EAAE;MACV;MACAC,KAAK,CAACI,IAAI,CAACH,WAAW,CAAC;IACzB;;IAEA;IACA,MAAMI,cAAc,GAAGH,QAAQ,CAACI,OAAO,CAACC,eAAe,IAAI,EAAE;IAC7D,IAAIF,cAAc,CAAC1B,MAAM,KAAK,CAAC,EAAE;MAC/B;MACA,IAAI,CAACoB,MAAM,EAAE;QACXC,KAAK,CAACI,IAAI,CAACH,WAAW,CAAC;MACzB;MACA,OAAOD,KAAK;IACd;IACA,MAAMQ,mBAAmB,GAAGH,cAAc,CAAC,CAAC,CAAE;;IAE9C;IACA,MAAMI,WAAW,GAAG,MAAMxC,4BAA4B,CACpDuC,mBAAmB,EACnB;MAAE/B;IAAS,CACb,CAAC;IACD,MAAMiC,QAAQ,GAAGd,wBAAwB,CAACO,KAAK,CAACpC,MAAM,CAAC0C,WAAW,CAAC,CAAC;IACpE;IACA,MAAME,uBAAuB,GAC3BD,QAAQ,CAACJ,OAAO,CAACM,QAAQ,CAAC3B,iBAAiB,CAAC4B,yBAAyB;IACvE,IAAI,CAACF,uBAAuB,EAAE;MAC5B,MAAM,IAAI/C,mCAAmC,CAC1C,kDAAiD4C,mBAAoB,4CAA2CV,aAAc,GAAE,EACjI;QAAEA,aAAa;QAAEgB,kBAAkB,EAAEN;MAAoB,CAC3D,CAAC;IACH;IACA,MAAMO,kBAAkB,GAAG,MAAM7C,wBAAwB,CACvDyC,uBAAuB,EACvBb,aAAa,EACb;MAAErB;IAAS,CACb,CAAC;IACD;IACAoB,oBAAoB,CAACM,KAAK,CAACpC,MAAM,CAACgD,kBAAkB,CAAC,CAAC;;IAEtD;IACAf,KAAK,CAACI,IAAI,CAACW,kBAAkB,CAAC;;IAE9B;IACA,MAAMC,WAAW,GAAG,MAAM1B,gBAAgB,CACxCkB,mBAAmB,EACnB/B,QAAQ,EACR,KACF,CAAC;IAED,OAAOuB,KAAK,CAACiB,MAAM,CAACD,WAAW,CAAC;EAClC,CAAC;AACH"}

package/lib/module/trust/common/errors.js

@@ -0,0 +1,116 @@
+import { IoWalletError, serializeAttrs } from "../../utils/errors";
+// Ensure this path is correct
+/**
+ * Base class for all federation-specific errors.
+ */
+export class FederationError extends IoWalletError {
+  constructor(message, details) {
+    super(details ? serializeAttrs({
+      message,
+      ...details
+    }) : message);
+    this.name = this.constructor.name;
+    this.details = details;
+  }
+}
+
+/**
+ * Error thrown when a trust chain is unexpectedly empty.
+ */
+export class TrustChainEmptyError extends FederationError {
+  code = "ERR_FED_TRUST_CHAIN_EMPTY";
+  constructor() {
+    let message = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : "Trust chain cannot be empty.";
+    super(message, undefined);
+  }
+}
+
+/**
+ * Error thrown when a token is unexpectedly missing from a trust chain during processing.
+ */
+export class TrustChainTokenMissingError extends FederationError {
+  code = "ERR_FED_TRUST_CHAIN_TOKEN_MISSING";
+  constructor(message, details) {
+    super(message, details);
+  }
+}
+
+/**
+ * Error thrown when renewing a trust chain fails.
+ * This class itself might be used or could be considered a more general renewal error.
+ */
+export class TrustChainRenewalError extends FederationError {
+  code = "ERR_FED_TRUST_CHAIN_RENEWAL_FAILED";
+  constructor(message, details) {
+    super(message, details);
+  }
+}
+export class FederationListParseError extends FederationError {
+  code = "ERR_FED_FEDERATION_LIST_PARSE_FAILED";
+  constructor(message, details) {
+    super(message, details);
+  }
+}
+
+/**
+ * General error thrown during the trust chain building process.
+ */
+export class BuildTrustChainError extends FederationError {
+  code = "ERR_FED_BUILD_TRUST_CHAIN_FAILED";
+  constructor(message, details) {
+    super(message, details);
+  }
+}
+
+/**
+ * Error thrown when the Trust Anchor's key is missing a 'kid'.
+ */
+export class TrustAnchorKidMissingError extends FederationError {
+  code = "ERR_FED_TRUST_ANCHOR_KID_MISSING";
+  constructor() {
+    let message = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : "Missing 'kid' in provided Trust Anchor key.";
+    super(message, undefined);
+  }
+}
+
+/**
+ * Error thrown if the Relying Party is not found in the Trust Anchor's federation list.
+ */
+export class RelyingPartyNotAuthorizedError extends FederationError {
+  code = "ERR_FED_RELYING_PARTY_NOT_AUTHORIZED";
+  constructor(message, details) {
+    super(message, details);
+  }
+}
+
+/**
+ * Error thrown when a 'federation_fetch_endpoint' is missing in an entity's configuration.
+ */
+export class MissingFederationFetchEndpointError extends FederationError {
+  code = "ERR_FED_MISSING_FEDERATION_FETCH_ENDPOINT";
+  constructor(message, details) {
+    super(message, details);
+  }
+}
+
+/**
+ * Error thrown when the X.509 certificate chain is missing in an entity's configuration.
+ */
+export class MissingX509CertsError extends FederationError {
+  code = "ERR_FED_MISSING_X509_CERTS";
+  constructor(message) {
+    super(message, undefined);
+  }
+}
+
+/**
+ * Error thrown when an X.509 certificate validation fails.
+ * This is used to indicate issues with the certificate chain or signature verification.
+ */
+export class X509ValidationError extends FederationError {
+  code = "ERR_FED_X509_VALIDATION_FAILED";
+  constructor(message, details) {
+    super(message, details);
+  }
+}
+//# sourceMappingURL=errors.js.map

package/lib/module/trust/common/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["IoWalletError","serializeAttrs","FederationError","constructor","message","details","name","TrustChainEmptyError","code","arguments","length","undefined","TrustChainTokenMissingError","TrustChainRenewalError","FederationListParseError","BuildTrustChainError","TrustAnchorKidMissingError","RelyingPartyNotAuthorizedError","MissingFederationFetchEndpointError","MissingX509CertsError","X509ValidationError"],"sourceRoot":"../../../../src","sources":["trust/common/errors.ts"],"mappings":"AAAA,SAASA,aAAa,EAAEC,cAAc,QAAQ,oBAAoB;AACiB;AAEnF;AACA;AACA;AACA,OAAO,MAAMC,eAAe,SAASF,aAAa,CAAC;EAEjDG,WAAWA,CAACC,OAAe,EAAEC,OAAiC,EAAE;IAC9D,KAAK,CAACA,OAAO,GAAGJ,cAAc,CAAC;MAAEG,OAAO;MAAE,GAAGC;IAAQ,CAAC,CAAC,GAAGD,OAAO,CAAC;IAClE,IAAI,CAACE,IAAI,GAAG,IAAI,CAACH,WAAW,CAACG,IAAI;IACjC,IAAI,CAACD,OAAO,GAAGA,OAAO;EACxB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAME,oBAAoB,SAASL,eAAe,CAAC;EACxDM,IAAI,GAAG,2BAA2B;EAClCL,WAAWA,CAAA,EAA2C;IAAA,IAA1CC,OAAO,GAAAK,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,8BAA8B;IAClD,KAAK,CAACL,OAAO,EAAEO,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMC,2BAA2B,SAASV,eAAe,CAAC;EAC/DM,IAAI,GAAG,mCAAmC;EAC1CL,WAAWA,CAACC,OAAe,EAAEC,OAA4B,EAAE;IACzD,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMQ,sBAAsB,SAASX,eAAe,CAAC;EAC1DM,IAAI,GAAG,oCAAoC;EAC3CL,WAAWA,CACTC,OAAe,EACfC,OAA8D,EAC9D;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;AAEA,OAAO,MAAMS,wBAAwB,SAASZ,eAAe,CAAC;EAC5DM,IAAI,GAAG,sCAAsC;EAC7CL,WAAWA,CAACC,OAAe,EAAEC,OAA6C,EAAE;IAC1E,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMU,oBAAoB,SAASb,eAAe,CAAC;EACxDM,IAAI,GAAG,kCAAkC;EACzCL,WAAWA,CACTC,OAAe,EACfC,OAIC,EACD;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMW,0BAA0B,SAASd,eAAe,CAAC;EAC9DM,IAAI,GAAG,kCAAkC;EACzCL,WAAWA,CAAA,EAA0D;IAAA,IAAzDC,OAAO,GAAAK,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,6CAA6C;IACjE,KAAK,CAACL,OAAO,EAAEO,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMM,8BAA8B,SAASf,eAAe,CAAC;EAClEM,IAAI,GAAG,sCAAsC;EAC7CL,WAAWA,CACTC,OAAe,EACfC,OAAqE,EACrE;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMa,mCAAmC,SAAShB,eAAe,CAAC;EACvEM,IAAI,GAAG,2CAA2C;EAClDL,WAAWA,CACTC,OAAe,EACfC,OAA8D,EAC9D;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF;;AAEA;AACA;AACA;AACA,OAAO,MAAMc,qBAAqB,SAASjB,eAAe,CAAC;EACzDM,IAAI,GAAG,4BAA4B;EACnCL,WAAWA,CAACC,OAAe,EAAE;IAC3B,KAAK,CAACA,OAAO,EAAEO,SAAS,CAAC;EAC3B;AACF;;AAEA;AACA;AACA;AACA;AACA,OAAO,MAAMS,mBAAmB,SAASlB,eAAe,CAAC;EACvDM,IAAI,GAAG,gCAAgC;EACvCL,WAAWA,CACTC,OAAe,EACfC,OAMC,EACD;IACA,KAAK,CAACD,OAAO,EAAEC,OAAO,CAAC;EACzB;AACF"}

package/lib/module/trust/common/types.js

@@ -0,0 +1,69 @@
+import * as z from "zod";
+import { JWK } from "../../utils/jwk";
+import { UnixTime } from "../../utils/zod";
+export const TrustMark = z.object({
+  id: z.string(),
+  trust_mark: z.string()
+});
+export const EntityStatement = z.object({
+  header: z.object({
+    typ: z.literal("entity-statement+jwt"),
+    alg: z.string(),
+    kid: z.string()
+  }),
+  payload: z.object({
+    iss: z.string(),
+    sub: z.string(),
+    jwks: z.object({
+      keys: z.array(JWK)
+    }),
+    trust_marks: z.array(TrustMark).optional(),
+    iat: z.number(),
+    exp: z.number()
+  })
+});
+export const EntityConfigurationHeader = z.object({
+  typ: z.literal("entity-statement+jwt"),
+  alg: z.string(),
+  kid: z.string()
+});
+
+/**
+ * @see https://openid.net/specs/openid-federation-1_0-46.html
+ */
+export const FederationEntityMetadata = z.object({
+  federation_fetch_endpoint: z.string().optional(),
+  federation_list_endpoint: z.string().optional(),
+  federation_resolve_endpoint: z.string().optional(),
+  federation_trust_mark_status_endpoint: z.string().optional(),
+  federation_trust_mark_list_endpoint: z.string().optional(),
+  federation_trust_mark_endpoint: z.string().optional(),
+  federation_historical_keys_endpoint: z.string().optional(),
+  endpoint_auth_signing_alg_values_supported: z.string().optional(),
+  organization_name: z.string().optional(),
+  homepage_uri: z.string().optional(),
+  policy_uri: z.string().optional(),
+  logo_uri: z.string().optional(),
+  contacts: z.array(z.string()).optional()
+}).passthrough();
+
+// Structure common to every Entity Configuration document
+
+export const BaseEntityConfiguration = z.object({
+  header: EntityConfigurationHeader,
+  payload: z.object({
+    iss: z.string(),
+    sub: z.string(),
+    iat: UnixTime,
+    exp: UnixTime,
+    authority_hints: z.array(z.string()).optional(),
+    metadata: z.object({
+      federation_entity: FederationEntityMetadata
+    }).passthrough(),
+    jwks: z.object({
+      keys: z.array(JWK)
+    })
+  }).passthrough()
+});
+export const FederationListResponse = z.array(z.string());
+//# sourceMappingURL=types.js.map

package/lib/module/trust/common/types.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["z","JWK","UnixTime","TrustMark","object","id","string","trust_mark","EntityStatement","header","typ","literal","alg","kid","payload","iss","sub","jwks","keys","array","trust_marks","optional","iat","number","exp","EntityConfigurationHeader","FederationEntityMetadata","federation_fetch_endpoint","federation_list_endpoint","federation_resolve_endpoint","federation_trust_mark_status_endpoint","federation_trust_mark_list_endpoint","federation_trust_mark_endpoint","federation_historical_keys_endpoint","endpoint_auth_signing_alg_values_supported","organization_name","homepage_uri","policy_uri","logo_uri","contacts","passthrough","BaseEntityConfiguration","authority_hints","metadata","federation_entity","FederationListResponse"],"sourceRoot":"../../../../src","sources":["trust/common/types.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,SAASC,GAAG,QAAQ,iBAAiB;AACrC,SAASC,QAAQ,QAAQ,iBAAiB;AAE1C,OAAO,MAAMC,SAAS,GAAGH,CAAC,CAACI,MAAM,CAAC;EAAEC,EAAE,EAAEL,CAAC,CAACM,MAAM,CAAC,CAAC;EAAEC,UAAU,EAAEP,CAAC,CAACM,MAAM,CAAC;AAAE,CAAC,CAAC;AAI7E,OAAO,MAAME,eAAe,GAAGR,CAAC,CAACI,MAAM,CAAC;EACtCK,MAAM,EAAET,CAAC,CAACI,MAAM,CAAC;IACfM,GAAG,EAAEV,CAAC,CAACW,OAAO,CAAC,sBAAsB,CAAC;IACtCC,GAAG,EAAEZ,CAAC,CAACM,MAAM,CAAC,CAAC;IACfO,GAAG,EAAEb,CAAC,CAACM,MAAM,CAAC;EAChB,CAAC,CAAC;EACFQ,OAAO,EAAEd,CAAC,CAACI,MAAM,CAAC;IAChBW,GAAG,EAAEf,CAAC,CAACM,MAAM,CAAC,CAAC;IACfU,GAAG,EAAEhB,CAAC,CAACM,MAAM,CAAC,CAAC;IACfW,IAAI,EAAEjB,CAAC,CAACI,MAAM,CAAC;MAAEc,IAAI,EAAElB,CAAC,CAACmB,KAAK,CAAClB,GAAG;IAAE,CAAC,CAAC;IACtCmB,WAAW,EAAEpB,CAAC,CAACmB,KAAK,CAAChB,SAAS,CAAC,CAACkB,QAAQ,CAAC,CAAC;IAC1CC,GAAG,EAAEtB,CAAC,CAACuB,MAAM,CAAC,CAAC;IACfC,GAAG,EAAExB,CAAC,CAACuB,MAAM,CAAC;EAChB,CAAC;AACH,CAAC,CAAC;AAKF,OAAO,MAAME,yBAAyB,GAAGzB,CAAC,CAACI,MAAM,CAAC;EAChDM,GAAG,EAAEV,CAAC,CAACW,OAAO,CAAC,sBAAsB,CAAC;EACtCC,GAAG,EAAEZ,CAAC,CAACM,MAAM,CAAC,CAAC;EACfO,GAAG,EAAEb,CAAC,CAACM,MAAM,CAAC;AAChB,CAAC,CAAC;;AAEF;AACA;AACA;AACA,OAAO,MAAMoB,wBAAwB,GAAG1B,CAAC,CACtCI,MAAM,CAAC;EACNuB,yBAAyB,EAAE3B,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EAChDO,wBAAwB,EAAE5B,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EAC/CQ,2BAA2B,EAAE7B,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EAClDS,qCAAqC,EAAE9B,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EAC5DU,mCAAmC,EAAE/B,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EAC1DW,8BAA8B,EAAEhC,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EACrDY,mCAAmC,EAAEjC,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EAC1Da,0CAA0C,EAAElC,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EACjEc,iBAAiB,EAAEnC,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EACxCe,YAAY,EAAEpC,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EACnCgB,UAAU,EAAErC,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EACjCiB,QAAQ,EAAEtC,CAAC,CAACM,MAAM,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;EAC/BkB,QAAQ,EAAEvC,CAAC,CAACmB,KAAK,CAACnB,CAAC,CAACM,MAAM,CAAC,CAAC,CAAC,CAACe,QAAQ,CAAC;AACzC,CAAC,CAAC,CACDmB,WAAW,CAAC,CAAC;;AAEhB;;AAEA,OAAO,MAAMC,uBAAuB,GAAGzC,CAAC,CAACI,MAAM,CAAC;EAC9CK,MAAM,EAAEgB,yBAAyB;EACjCX,OAAO,EAAEd,CAAC,CACPI,MAAM,CAAC;IACNW,GAAG,EAAEf,CAAC,CAACM,MAAM,CAAC,CAAC;IACfU,GAAG,EAAEhB,CAAC,CAACM,MAAM,CAAC,CAAC;IACfgB,GAAG,EAAEpB,QAAQ;IACbsB,GAAG,EAAEtB,QAAQ;IACbwC,eAAe,EAAE1C,CAAC,CAACmB,KAAK,CAACnB,CAAC,CAACM,MAAM,CAAC,CAAC,CAAC,CAACe,QAAQ,CAAC,CAAC;IAC/CsB,QAAQ,EAAE3C,CAAC,CACRI,MAAM,CAAC;MACNwC,iBAAiB,EAAElB;IACrB,CAAC,CAAC,CACDc,WAAW,CAAC,CAAC;IAChBvB,IAAI,EAAEjB,CAAC,CAACI,MAAM,CAAC;MACbc,IAAI,EAAElB,CAAC,CAACmB,KAAK,CAAClB,GAAG;IACnB,CAAC;EACH,CAAC,CAAC,CACDuC,WAAW,CAAC;AACjB,CAAC,CAAC;AAEF,OAAO,MAAMK,sBAAsB,GAAG7C,CAAC,CAACmB,KAAK,CAACnB,CAAC,CAACM,MAAM,CAAC,CAAC,CAAC"}

package/lib/module/trust/common/utils.js

@@ -0,0 +1,126 @@
+import { decode as decodeJwt, verify as verifyJwt } from "@pagopa/io-react-native-jwt";
+import { hasStatusOrThrow } from "../../utils/misc";
+import { FederationError, FederationListParseError } from "./errors";
+import { FederationListResponse } from "./types";
+// Verify a token signature
+// The kid is extracted from the token header
+export const verify = async (token, kid, jwks) => {
+  const jwk = jwks.find(k => k.kid === kid);
+  if (!jwk) {
+    throw new Error(`Invalid kid: ${kid}, token: ${token}`);
+  }
+  const {
+    protectedHeader: header,
+    payload
+  } = await verifyJwt(token, jwk);
+  return {
+    header,
+    payload
+  };
+};
+
+/**
+ * Return type for this function is necessary to avoid an issue during the bob build process.
+ * It seems like typescript can't correctly infer the return type of the function.
+ */
+export const decode = token => {
+  const {
+    protectedHeader: header,
+    payload
+  } = decodeJwt(token);
+  return {
+    header,
+    payload
+  };
+};
+
+/**
+ * Extracts the X.509 Trust Anchor certificate (Base64 encoded) from the
+ * Trust Anchor's Entity Configuration.
+ *
+ * @param trustAnchorEntity The entity configuration of the known trust anchor.
+ * @returns The Base64 encoded X.509 certificate string.
+ * @throws {FederationError} If the certificate cannot be derived.
+ */
+export function getTrustAnchorX509Certificate(trustAnchorEntity) {
+  const taHeaderKid = trustAnchorEntity.jwt.header.kid;
+  const taSigningJwk = trustAnchorEntity.keys.find(key => key.kid === taHeaderKid);
+  if (!taSigningJwk) {
+    throw new FederationError(`Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' not found in Trust Anchor's JWKS.`, {
+      trustAnchorKid: taHeaderKid,
+      reason: "JWK not found for header kid"
+    });
+  }
+  if (taSigningJwk.x5c && taSigningJwk.x5c.length > 0 && taSigningJwk.x5c[0]) {
+    return taSigningJwk.x5c[0];
+  }
+  throw new FederationError(`Cannot derive X.509 Trust Anchor certificate: JWK with kid '${taHeaderKid}' does not contain a valid 'x5c' certificate array.`, {
+    trustAnchorKid: taHeaderKid,
+    reason: "Missing or empty x5c in JWK"
+  });
+}
+
+/**
+ * Fetch the signed entity configuration token for an entity
+ *
+ * @param entityBaseUrl The url of the entity to fetch
+ * @param appFetch (optional) fetch api implementation
+ * @returns The signed Entity Configuration token
+ */
+export async function getSignedEntityConfiguration(entityBaseUrl) {
+  let {
+    appFetch = fetch
+  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  const wellKnownUrl = `${entityBaseUrl}/.well-known/openid-federation`;
+  return await appFetch(wellKnownUrl, {
+    method: "GET"
+  }).then(hasStatusOrThrow(200)).then(res => res.text());
+}
+
+/**
+ * Fetch the entity statement document for a given federation entity.
+ *
+ * @param federationFetchEndpoint The exact endpoint provided by the parent EC's metadata.
+ * @param subordinatedEntityBaseUrl The url that identifies the subordinate entity.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The signed entity statement token.
+ * @throws {IoWalletError} If the http request fails.
+ */
+export async function getSignedEntityStatement(federationFetchEndpoint, subordinatedEntityBaseUrl) {
+  let {
+    appFetch = fetch
+  } = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {};
+  const url = new URL(federationFetchEndpoint);
+  url.searchParams.set("sub", subordinatedEntityBaseUrl);
+  return await appFetch(url.toString(), {
+    method: "GET"
+  }).then(hasStatusOrThrow(200)).then(res => res.text());
+}
+
+/**
+ * Fetch the federation list document from a given endpoint.
+ *
+ * @param federationListEndpoint The URL of the federation list endpoint.
+ * @param appFetch An optional instance of the http client to be used.
+ * @returns The federation list as an array of strings.
+ * @throws {IoWalletError} If the HTTP request fails.
+ * @throws {FederationError} If the result is not in the expected format.
+ */
+export async function getFederationList(federationListEndpoint) {
+  let {
+    appFetch = fetch
+  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  return await appFetch(federationListEndpoint, {
+    method: "GET"
+  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(json => {
+    const result = FederationListResponse.safeParse(json);
+    if (!result.success) {
+      throw new FederationListParseError(`Invalid federation list format received from ${federationListEndpoint}. Error: ${result.error.message}`, {
+        url: federationListEndpoint,
+        parseError: result.error.toString()
+      });
+    }
+    return result.data;
+  });
+}
+//# sourceMappingURL=utils.js.map

package/lib/module/trust/common/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["decode","decodeJwt","verify","verifyJwt","hasStatusOrThrow","FederationError","FederationListParseError","FederationListResponse","token","kid","jwks","jwk","find","k","Error","protectedHeader","header","payload","getTrustAnchorX509Certificate","trustAnchorEntity","taHeaderKid","jwt","taSigningJwk","keys","key","trustAnchorKid","reason","x5c","length","getSignedEntityConfiguration","entityBaseUrl","appFetch","fetch","arguments","undefined","wellKnownUrl","method","then","res","text","getSignedEntityStatement","federationFetchEndpoint","subordinatedEntityBaseUrl","url","URL","searchParams","set","toString","getFederationList","federationListEndpoint","json","result","safeParse","success","error","message","parseError","data"],"sourceRoot":"../../../../src","sources":["trust/common/utils.ts"],"mappings":"AAAA,SACEA,MAAM,IAAIC,SAAS,EACnBC,MAAM,IAAIC,SAAS,QACd,6BAA6B;AAEpC,SAASC,gBAAgB,QAAQ,kBAAkB;AAEnD,SAASC,eAAe,EAAEC,wBAAwB,QAAQ,UAAU;AAEpE,SAASC,sBAAsB,QAAQ,SAAS;AAWhD;AACA;AACA,OAAO,MAAML,MAAM,GAAG,MAAAA,CACpBM,KAAa,EACbC,GAAW,EACXC,IAAW,KACc;EACzB,MAAMC,GAAG,GAAGD,IAAI,CAACE,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACJ,GAAG,KAAKA,GAAG,CAAC;EAC3C,IAAI,CAACE,GAAG,EAAE;IACR,MAAM,IAAIG,KAAK,CAAE,gBAAeL,GAAI,YAAWD,KAAM,EAAC,CAAC;EACzD;EACA,MAAM;IAAEO,eAAe,EAAEC,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAMd,SAAS,CAACK,KAAK,EAAEG,GAAG,CAAC;EACxE,OAAO;IAAEK,MAAM;IAAEC;EAAQ,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;AACA,OAAO,MAAMjB,MAAM,GAAIQ,KAAa,IAAkB;EACpD,MAAM;IAAEO,eAAe,EAAEC,MAAM;IAAEC;EAAQ,CAAC,GAAGhB,SAAS,CAACO,KAAK,CAAC;EAC7D,OAAO;IAAEQ,MAAM;IAAEC;EAAQ,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,6BAA6BA,CAC3CC,iBAAoC,EAC5B;EACR,MAAMC,WAAW,GAAGD,iBAAiB,CAACE,GAAG,CAACL,MAAM,CAACP,GAAG;EACpD,MAAMa,YAAY,GAAGH,iBAAiB,CAACI,IAAI,CAACX,IAAI,CAC7CY,GAAG,IAAKA,GAAG,CAACf,GAAG,KAAKW,WACvB,CAAC;EAED,IAAI,CAACE,YAAY,EAAE;IACjB,MAAM,IAAIjB,eAAe,CACtB,+DAA8De,WAAY,qCAAoC,EAC/G;MAAEK,cAAc,EAAEL,WAAW;MAAEM,MAAM,EAAE;IAA+B,CACxE,CAAC;EACH;EAEA,IAAIJ,YAAY,CAACK,GAAG,IAAIL,YAAY,CAACK,GAAG,CAACC,MAAM,GAAG,CAAC,IAAIN,YAAY,CAACK,GAAG,CAAC,CAAC,CAAC,EAAE;IAC1E,OAAOL,YAAY,CAACK,GAAG,CAAC,CAAC,CAAC;EAC5B;EAEA,MAAM,IAAItB,eAAe,CACtB,+DAA8De,WAAY,qDAAoD,EAC/H;IAAEK,cAAc,EAAEL,WAAW;IAAEM,MAAM,EAAE;EAA8B,CACvE,CAAC;AACH;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeG,4BAA4BA,CAChDC,aAAqB,EAEJ;EAAA,IADjB;IAAEC,QAAQ,GAAGC;EAAoB,CAAC,GAAAC,SAAA,CAAAL,MAAA,QAAAK,SAAA,QAAAC,SAAA,GAAAD,SAAA,MAAG,CAAC,CAAC;EAEvC,MAAME,YAAY,GAAI,GAAEL,aAAc,gCAA+B;EAErE,OAAO,MAAMC,QAAQ,CAACI,YAAY,EAAE;IAClCC,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BiC,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeC,wBAAwBA,CAC5CC,uBAA+B,EAC/BC,yBAAiC,EAEjC;EAAA,IADA;IAAEX,QAAQ,GAAGC;EAAoB,CAAC,GAAAC,SAAA,CAAAL,MAAA,QAAAK,SAAA,QAAAC,SAAA,GAAAD,SAAA,MAAG,CAAC,CAAC;EAEvC,MAAMU,GAAG,GAAG,IAAIC,GAAG,CAACH,uBAAuB,CAAC;EAC5CE,GAAG,CAACE,YAAY,CAACC,GAAG,CAAC,KAAK,EAAEJ,yBAAyB,CAAC;EAEtD,OAAO,MAAMX,QAAQ,CAACY,GAAG,CAACI,QAAQ,CAAC,CAAC,EAAE;IACpCX,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BiC,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;AAC9B;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,eAAeS,iBAAiBA,CACrCC,sBAA8B,EAEX;EAAA,IADnB;IAAElB,QAAQ,GAAGC;EAAoB,CAAC,GAAAC,SAAA,CAAAL,MAAA,QAAAK,SAAA,QAAAC,SAAA,GAAAD,SAAA,MAAG,CAAC,CAAC;EAEvC,OAAO,MAAMF,QAAQ,CAACkB,sBAAsB,EAAE;IAC5Cb,MAAM,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BiC,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACY,IAAI,CAAC,CAAC,CAAC,CACzBb,IAAI,CAAEa,IAAI,IAAK;IACd,MAAMC,MAAM,GAAG5C,sBAAsB,CAAC6C,SAAS,CAACF,IAAI,CAAC;IACrD,IAAI,CAACC,MAAM,CAACE,OAAO,EAAE;MACnB,MAAM,IAAI/C,wBAAwB,CAC/B,gDAA+C2C,sBAAuB,YAAWE,MAAM,CAACG,KAAK,CAACC,OAAQ,EAAC,EACxG;QAAEZ,GAAG,EAAEM,sBAAsB;QAAEO,UAAU,EAAEL,MAAM,CAACG,KAAK,CAACP,QAAQ,CAAC;MAAE,CACrE,CAAC;IACH;IACA,OAAOI,MAAM,CAACM,IAAI;EACpB,CAAC,CAAC;AACN"}