@pagopa/io-react-native-wallet 3.1.2 → 3.3.0

package/src/credential/status/v1.3.3/01-status-list.ts

@@ -1,4 +1,5 @@
 import { CBOR } from "@pagopa/io-react-native-iso18013";
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
 import {
   getStatusListFromJWT,
   type StatusListEntry,
@@ -38,13 +39,26 @@ export const getStatusList: StatusListApi["get"] = async (
 ) => {
   const { uri, idx } = await getStatusListEntry(credential, format);
 
-  const statusList = await appFetch(uri, {
-    headers: {
-      Accept: "application/statuslist+jwt",
-    },
-  })
-    .then(hasStatusOrThrow(200))
-    .then((response) => response.text());
+  const fetchStatusList = (options: { cacheDisabled?: boolean } = {}) =>
+    appFetch(uri, {
+      headers: {
+        Accept: "application/statuslist+jwt",
+        ...(options.cacheDisabled && { "Cache-Control": "no-cache" }),
+      },
+    })
+      .then(hasStatusOrThrow(200))
+      .then((response) => response.text());
 
+  // When the HTTP response includes cache headers, fetch will return a cached response and the JWT might be expired
+  let statusList = await fetchStatusList();
+  const decoded = decodeJwt(statusList);
+
+  const { exp } = decoded.payload;
+
+  // If the status list JWT is expired, try to fetch it again bypassing the HTTP cache.
+  // If it is still expired after the refetch, `verifyAndParseStatusList` will throw.
+  if (exp && exp < Math.floor(Date.now() / 1000)) {
+    statusList = await fetchStatusList({ cacheDisabled: true });
+  }
   return { statusList, uri, idx, format: "jwt" };
 };

package/src/credential/status/v1.3.3/02-verify-and-parse-status-list.ts

@@ -2,18 +2,32 @@ import { verify } from "@pagopa/io-react-native-jwt";
 import { getListFromStatusListJWT } from "@sd-jwt/jwt-status-list";
 import type { StatusListApi } from "../api/status-list";
 
+/**
+ * Mapping of status bits to their corresponding meaning as defined in the specification.
+ * @see https://italia.github.io/eid-wallet-it-docs/releases/1.3.3/en/credential-revocation.html#token-status-lists
+ */
+const CredentialStatusMap = {
+  0x00: "VALID",
+  0x01: "INVALID",
+  0x02: "SUSPENDED",
+  0x03: "UPDATE",
+  0x0b: "ATTRIBUTE_UPDATE",
+} as const;
+
+type CredentialStatusBit = keyof typeof CredentialStatusMap;
+
 export const verifyAndParseStatusList: StatusListApi["verifyAndParse"] = async (
-  issuerConf,
+  keys,
   { statusList: rawStatusList, idx }
 ) => {
-  await verify(rawStatusList, issuerConf.keys);
+  await verify(rawStatusList, keys);
 
   const statusList = getListFromStatusListJWT(rawStatusList);
+  const statusBit = statusList.getStatus(idx) as CredentialStatusBit;
+  const status = CredentialStatusMap[statusBit];
 
-  const status = statusList.getStatus(idx);
-
-  // TODO: [SIW-3992] Improve the return object with additional data, throw CredentialInvalidStatus when invalid
   return {
     status,
+    statusBit: `0x${statusBit.toString(16).padStart(2, "0").toUpperCase()}`,
   };
 };

package/src/credentials-catalogue/api/DigitalCredentialsCatalogue.ts

@@ -117,8 +117,40 @@ export const DigitalCredential = z.object({
   // claims: z.array(Claim), // TODO: [SIW-3978] Should we keep claims?
 });
 
+const TaxonomyPurpose = z.object({
+  id: z.string(),
+  name_l10n_id: z.string(),
+});
+export type TaxonomyPurpose = z.infer<typeof TaxonomyPurpose>;
+
+const TaxonomyClass = z.object({
+  id: z.string(),
+  name_l10n_id: z.string(),
+  supported_purposes: z.array(z.string()),
+});
+export type TaxonomyClass = z.infer<typeof TaxonomyClass>;
+
+const TaxonomyDomain = z.object({
+  id: z.string(),
+  name_l10n_id: z.string(),
+  description_l10n_id: z.string(),
+  classes: z.array(TaxonomyClass),
+});
+export type TaxonomyDomain = z.infer<typeof TaxonomyDomain>;
+
+export const Taxonomy = z.object({
+  id: z.string(),
+  name_l10n_id: z.string(),
+  description_l10n_id: z.string(),
+  domains: z.array(TaxonomyDomain),
+  purposes: z.array(TaxonomyPurpose),
+  localization: LocalizationInfo.optional(),
+});
+export type Taxonomy = z.infer<typeof Taxonomy>;
+
 export const DigitalCredentialsCatalogue = z.object({
   taxonomy_uri: z.string().url(),
+  taxonomy: Taxonomy.optional(),
   credentials: z.array(DigitalCredential),
   iat: UnixTime,
   exp: UnixTime,

package/src/credentials-catalogue/api/index.ts

@@ -2,6 +2,7 @@ import {
   type CatalogueTranslations,
   type DigitalCredentialsCatalogue,
   type LocalizationInfo,
+  type Taxonomy,
 } from "./DigitalCredentialsCatalogue";
 
 type FetchContext = { appFetch?: GlobalFetch["fetch"] };
@@ -9,6 +10,7 @@ type FetchContext = { appFetch?: GlobalFetch["fetch"] };
 type FetchTranslationsLocalizations = {
   catalogue?: LocalizationInfo;
   authenticSources?: LocalizationInfo;
+  taxonomy?: LocalizationInfo;
 };
 
 export interface CredentialsCatalogueApi {
@@ -27,11 +29,11 @@ export interface CredentialsCatalogueApi {
   ): Promise<DigitalCredentialsCatalogue>;
 
   /**
-   * Fetch locale bundle files for the credential catalogue and authentic sources.
-   * For each requested locale, fetches translations from both registries (if the locale
+   * Fetch locale bundle files for the credential catalogue, authentic sources, and taxonomy.
+   * For each requested locale, fetches translations from all registries (if the locale
    * is listed in their respective `available_locales`) and merges the keys.
    * Locales not present in a registry's `available_locales` are silently skipped for that source.
-   * On key conflicts, authentic-sources translations take precedence.
+   * On key conflicts, later sources (authenticSources, taxonomy) take precedence.
    *
    * Optional: not supported by all versions. Check for existence before calling.
    *
@@ -52,4 +54,5 @@ export {
   type CatalogueTranslations,
   type DigitalCredentialsCatalogue,
   type LocalizationInfo,
+  type Taxonomy,
 };

package/src/credentials-catalogue/v1.3.3/fetch-and-parse-catalogue.ts

@@ -5,6 +5,7 @@ import {
   DigitalCredentialsCatalogueJwt,
   RegistryDiscoveryJwt,
   SchemaRegistry,
+  TaxonomyRegistry,
 } from "./types";
 import { mapToCredentialsCatalogue } from "./mappers";
 import { fetchRegistry } from "./utils";
@@ -46,6 +47,11 @@ export const fetchAndParseCatalogue: Api["fetchAndParseCatalogue"] = async (
       asJson: true,
       appFetch,
     }),
+    fetchRegistry(endpoints.taxonomy, {
+      schema: TaxonomyRegistry,
+      asJson: true,
+      appFetch,
+    }),
   ]);
 
   return mapToCredentialsCatalogue([discovery, ...registries]);

package/src/credentials-catalogue/v1.3.3/fetch-translations.ts

@@ -2,7 +2,7 @@ import type { CredentialsCatalogueApi as Api } from "../api";
 import { fetchLocaleBundle } from "./utils";
 
 export const fetchTranslations: NonNullable<Api["fetchTranslations"]> = async (
-  { catalogue, authenticSources },
+  { catalogue, authenticSources, taxonomy },
   locales,
   { appFetch = fetch } = {}
 ) => {
@@ -10,16 +10,19 @@ export const fetchTranslations: NonNullable<Api["fetchTranslations"]> = async (
 
   await Promise.all(
     locales.map(async (locale) => {
-      const [catalogueBundle, asBundle] = await Promise.all([
+      const [catalogueBundle, asBundle, taxonomyBundle] = await Promise.all([
         catalogue?.available_locales.includes(locale)
           ? fetchLocaleBundle(catalogue.base_uri, locale, appFetch)
           : Promise.resolve({}),
         authenticSources?.available_locales.includes(locale)
           ? fetchLocaleBundle(authenticSources.base_uri, locale, appFetch)
           : Promise.resolve({}),
+        taxonomy?.available_locales.includes(locale)
+          ? fetchLocaleBundle(taxonomy.base_uri, locale, appFetch)
+          : Promise.resolve({}),
       ]);
 
-      const merged = { ...catalogueBundle, ...asBundle };
+      const merged = { ...catalogueBundle, ...asBundle, ...taxonomyBundle };
 
       // Only include the locale in the result if at least one source provided translations
       if (Object.keys(merged).length > 0) {

package/src/credentials-catalogue/v1.3.3/mappers.ts

@@ -11,6 +11,7 @@ import {
   DigitalCredentialsCatalogueJwt,
   RegistryDiscoveryJwt,
   SchemaRegistry,
+  TaxonomyRegistry,
 } from "./types";
 
 export const mapToCredentialsCatalogue = createMapper<
@@ -19,10 +20,17 @@ export const mapToCredentialsCatalogue = createMapper<
     DigitalCredentialsCatalogueJwt,
     AuthenticSourceRegistry,
     SchemaRegistry,
+    TaxonomyRegistry,
   ],
   DigitalCredentialsCatalogue
 >(
-  ([discoveryJwt, catalogueJwt, authSourceRegistry, schemaRegistry]) => {
+  ([
+    discoveryJwt,
+    catalogueJwt,
+    authSourceRegistry,
+    schemaRegistry,
+    taxonomyRegistry,
+  ]) => {
     const authSourcesById = keyBy(
       authSourceRegistry.authentic_sources,
       "entity_id"
@@ -65,6 +73,14 @@ export const mapToCredentialsCatalogue = createMapper<
     return {
       ...catalogueJwt.payload,
       taxonomy_uri: discoveryJwt.payload.endpoints.taxonomy,
+      taxonomy: {
+        id: taxonomyRegistry.id,
+        name_l10n_id: taxonomyRegistry.name_l10n_id,
+        description_l10n_id: taxonomyRegistry.description_l10n_id,
+        domains: taxonomyRegistry.domains,
+        purposes: taxonomyRegistry.purposes,
+        localization: taxonomyRegistry.localization,
+      },
       localization: catalogueJwt.payload.localization,
       as_localization: authSourceRegistry.localization,
       credentials: catalogueJwt.payload.credentials.map(

package/src/credentials-catalogue/v1.3.3/types.ts

@@ -233,3 +233,54 @@ export const RegistryDiscoveryJwt = z.object({
   }),
 });
 export type RegistryDiscoveryJwt = z.infer<typeof RegistryDiscoveryJwt>;
+
+/**
+ * Taxonomy purpose (top-level flat list).
+ */
+const TaxonomyPurpose = z.object({
+  id: z.string(),
+  name_l10n_id: z.string(),
+});
+
+/**
+ * Taxonomy class within a domain.
+ */
+const TaxonomyClass = z.object({
+  id: z.string(),
+  name_l10n_id: z.string(),
+  supported_purposes: z.array(z.string()),
+});
+
+/**
+ * Taxonomy domain containing classes.
+ */
+const TaxonomyDomain = z.object({
+  id: z.string(),
+  name_l10n_id: z.string(),
+  description_l10n_id: z.string(),
+  classes: z.array(TaxonomyClass),
+});
+
+/**
+ * Taxonomy registry, available at a dedicated endpoint.
+ * Provides a hierarchical classification of domains, classes, and purposes.
+ * @see https://italia.github.io/eid-wallet-it-docs/releases/1.3.3/en/registry.html#taxonomy
+ */
+export const TaxonomyRegistry = z.object({
+  version: z.string(),
+  last_modified: z.string(),
+  id: z.string(),
+  localization: z
+    .object({
+      available_locales: z.array(z.string()),
+      base_uri: z.string(),
+      default_locale: z.string(),
+      version: z.string(),
+    })
+    .optional(),
+  name_l10n_id: z.string(),
+  description_l10n_id: z.string(),
+  domains: z.array(TaxonomyDomain),
+  purposes: z.array(TaxonomyPurpose),
+});
+export type TaxonomyRegistry = z.infer<typeof TaxonomyRegistry>;

package/src/mdoc/index.ts

@@ -1,19 +1,12 @@
 import { CBOR, COSE, ISO18013_7 } from "@pagopa/io-react-native-iso18013";
 import { b64utob64 } from "jsrsasign";
-import {
-  verifyCertificateChain,
-  type CertificateValidationResult,
-  type PublicKey,
-  type X509CertificateOptions,
-} from "@pagopa/io-react-native-crypto";
-import {
-  MissingX509CertsError,
-  X509ValidationError,
-} from "../trust/common/errors";
+import { type PublicKey } from "@pagopa/io-react-native-crypto";
+import { MissingX509CertsError } from "../trust/common/errors";
 import { IoWalletError } from "../utils/errors";
 import { convertBase64DerToPem, getSigninJwkFromCert } from "../utils/crypto";
-import type { Presentation } from "src/credential/presentation";
+import type { Presentation } from "../credential/presentation";
 import { removePadding } from "@pagopa/io-react-native-jwt";
+import { verifyX509Chain } from "../utils/x509";
 export * from "./utils";
 
 export const verify = async (
@@ -37,7 +30,7 @@ export const verify = async (
   const x5chain =
     issuerSigned.issuerAuth.unprotectedHeader.x5chain.map(b64utob64);
   // Verify the x5chain
-  await verifyX5chain(x5chain, x509CertRoot);
+  await verifyX509Chain(x5chain, x509CertRoot);
 
   const coseSign1 = issuerSigned.issuerAuth.rawValue;
 
@@ -50,35 +43,6 @@ export const verify = async (
   return { issuerSigned };
 };
 
-/**
- * This function checks whether the x509 certificate chain is valid against a specified Certificate Authority (CA)
- *
- * @param x5chain The mdoc's x509 certificate chain
- * @param x509CertRoot The Trust Anchor CA
- * @param options Options for certificate validation
- */
-const verifyX5chain = async (
-  x5chain: string[],
-  x509CertRoot: string,
-  options: X509CertificateOptions = {
-    connectTimeout: 10000,
-    readTimeout: 10000,
-    requireCrl: true,
-  }
-) => {
-  const x509ValidationResult: CertificateValidationResult =
-    await verifyCertificateChain(x5chain, x509CertRoot, options);
-
-  if (!x509ValidationResult.isValid) {
-    throw new X509ValidationError(
-      `X.509 certificate chain validation failed. Status: ${x509ValidationResult.validationStatus}. Error: ${x509ValidationResult.errorMessage}`,
-      {
-        x509ValidationStatus: x509ValidationResult.validationStatus,
-        x509ErrorMessage: x509ValidationResult.errorMessage,
-      }
-    );
-  }
-};
 /**
  * This function verifies that the signature is valid for the given certificate.
  * If not, it throws an error

package/src/sd-jwt/__test__/types.test.ts

@@ -28,20 +28,8 @@ describe("Verification.time", () => {
 
   it("rejects invalid type", () => {
     const value = {
-      trust_framework: "eidas",
+      trust_framework: ["eidas"],
       assurance_level: "high",
-      evidence: [
-        {
-          type: "vouch",
-          time: null,
-          attestation: {
-            type: "digital_attestation",
-            reference_number: "abc",
-            date_of_issuance: "2025-09-02",
-            voucher: { organization: "IPZS" },
-          },
-        },
-      ],
     };
 
     expect(Verification.safeParse(value).success).toBe(false);

package/src/sd-jwt/__test__/utils.test.ts

@@ -4,18 +4,6 @@ import { getVerification } from "..";
 describe("SD-JWT getVerification", () => {
   it("extracts the verification claims correctly", () => {
     expect(getVerification(pid)).toEqual({
-      evidence: [
-        {
-          attestation: {
-            date_of_issuance: "2025-06-23",
-            voucher: { organization: "Ministero dell'Interno" },
-            type: "digital_attestation",
-            reference_number: "123456789",
-          },
-          time: "2025-06-23T13:14:25Z",
-          type: "vouch",
-        },
-      ],
       trust_framework: "it_cie",
       assurance_level: "high",
     });

package/src/sd-jwt/types.ts

@@ -64,19 +64,6 @@ export type Verification = z.infer<typeof Verification>;
 export const Verification = z.object({
   trust_framework: z.string(),
   assurance_level: z.string(),
-  evidence: z.array(
-    z.object({
-      type: z.literal("vouch"),
-      // Support both string and UNIX timestamp for backward compatibility
-      time: z.union([z.string(), z.number()]),
-      attestation: z.object({
-        type: z.literal("digital_attestation"),
-        reference_number: z.string(),
-        date_of_issuance: z.string(),
-        voucher: z.object({ organization: z.string() }),
-      }),
-    })
-  ),
 });
 
 /**

package/src/utils/callbacks.ts

@@ -1,11 +1,17 @@
-import { EncryptJwe, getJwkFromHeader } from "@pagopa/io-react-native-jwt";
+import {
+  EncryptJwe,
+  getJwkFromHeader,
+  SignJWT,
+  type CryptoContext,
+} from "@pagopa/io-react-native-jwt";
 import { verify } from "@pagopa/io-react-native-jwt";
-import { type CallbackContext } from "@pagopa/io-wallet-oauth2";
+import { type CallbackContext, type JwtSigner } from "@pagopa/io-wallet-oauth2";
 import { digest } from "@sd-jwt/crypto-nodejs";
 import { X509 } from "jsrsasign";
 import { IoWalletError } from "./errors";
-import { generateRandomBytes } from "./misc";
+import { assert, generateRandomBytes } from "./misc";
 import type { JWK } from "./jwk";
+import { getJwkFromCertificateChain, getJwkFromTrustChain } from "./crypto";
 
 type PartialCallbackContext = Omit<
   CallbackContext,
@@ -18,6 +24,29 @@ type DigestFixed = (
   algorithm?: string
 ) => Uint8Array;
 
+/**
+ * Extract the signing JWK from one of the supported signer methods.
+ * @param signer - The JWT signer.
+ * @returns The JWK for signature verification.
+ */
+const getJwkFromSigner = async (signer: JwtSigner): Promise<JWK> => {
+  switch (signer.method) {
+    case "x5c":
+      return getJwkFromCertificateChain(signer.x5c);
+    case "federation": {
+      assert(
+        signer.trustChain && signer.trustChain.length > 0,
+        "Trust chain is required for federation signer"
+      );
+      return getJwkFromTrustChain(signer.trustChain, signer.kid);
+    }
+    case "jwk":
+      return signer.publicJwk as JWK;
+    default:
+      throw new IoWalletError(`Unsupported signer method: ${signer.method}`);
+  }
+};
+
 /**
  * Shared callbacks with React Native implementations for use
  * in IO Wallet SDK. Callbacks not found here must be provided by the caller,
@@ -32,13 +61,10 @@ export const partialCallbacks: PartialCallbackContext = {
     encryptionJwk: publicJwk,
   }),
   verifyJwt: async (jwtSigner, jwt) => {
-    // TODO: support other signing methods if needed
-    if (jwtSigner.method !== "jwk") {
-      throw new IoWalletError(`Unsupported signer method: ${jwtSigner.method}`);
-    }
     try {
-      await verify(jwt.compact, jwtSigner.publicJwk);
-      return { verified: true, signerJwk: jwtSigner.publicJwk };
+      const signerJwk = await getJwkFromSigner(jwtSigner);
+      await verify(jwt.compact, signerJwk);
+      return { verified: true, signerJwk };
     } catch {
       return { verified: false };
     }
@@ -88,3 +114,25 @@ export const createVerifyJwtFromJwks = (
     }
   };
 };
+
+/**
+ * Create a signJwt implementation that signs a JWT using the provided CryptoContext.
+ * @param cryptoContext The CryptoContext to use for signing the JWT
+ * @returns Function that implements `signJwt` callback
+ */
+export const createSignJwtFromCryptoContext = (
+  cryptoContext: CryptoContext
+): CallbackContext["signJwt"] => {
+  return async function signJwt(jwtSigner, { header, payload }) {
+    return {
+      jwt: await new SignJWT(cryptoContext)
+        .setProtectedHeader(header)
+        .setPayload(payload)
+        .sign(),
+      signerJwk:
+        jwtSigner.method === "jwk"
+          ? jwtSigner.publicJwk
+          : await cryptoContext.getPublicKey(),
+    };
+  };
+};

package/src/utils/crypto.ts

@@ -5,11 +5,34 @@ import {
   sign,
 } from "@pagopa/io-react-native-crypto";
 import { v4 as uuidv4 } from "uuid";
-import { thumbprint, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { JWK } from "./jwk";
+import {
+  decode,
+  thumbprint,
+  type CryptoContext,
+} from "@pagopa/io-react-native-jwt";
+import type { BaseEntityConfiguration } from "../trust/common/types";
+import { JWK, JWKS } from "./jwk";
 import { KEYUTIL, KJUR, RSAKey, X509 } from "jsrsasign";
 import { IoWalletError } from "./errors";
 
+/**
+ * Extension of the {@link CryptoContext} that adds key generation with optional key attestation.
+ *
+ * This context requires the consumer to provide an additional method for **key generation**;
+ * on Android this method should also generate a key attestation as a certificate chain
+ * to ensure the key pair is hardware-backed.
+ */
+export type KeyAttestationCryptoContext = CryptoContext & {
+  /**
+   * Generate a key pair with an **optional key attestation** (Android).
+   * @param challenge The challenge for the key attestation.
+   * @returns An object with a success flag and a key attestation, if it was generated.
+   */
+  generateKeyWithAttestation(
+    challenge: string
+  ): Promise<{ success: boolean; attestation?: string }>;
+};
+
 /**
  * Create a CryptoContext bound to a key pair.
  * Key pair is supposed to exist already in the device's keychain.
@@ -92,19 +115,67 @@ export const getSigninJwkFromCert = (pemCert: string): JWK => {
 };
 
 /**
- * Extension of the {@link CryptoContext} that adds key generation with optional key attestation.
+ * Retrieves the signing JWK from a x509 certificate chain.
  *
- * This context requires the consumer to provide an additional method for **key generation**;
- * on Android this method should also generate a key attestation as a certificate chain
- * to ensure the key pair is hardware-backed.
+ * @param certChain - The x509 certificate chain.
+ * @returns The signing JWK.
+ * @throws Will throw an error if no suitable keys are found.
  */
-export type KeyAttestationCryptoContext = CryptoContext & {
-  /**
-   * Generate a key pair with an **optional key attestation** (Android).
-   * @param challenge The challenge for the key attestation.
-   * @returns An object with a success flag and a key attestation, if it was generated.
-   */
-  generateKeyWithAttestation(
-    challenge: string
-  ): Promise<{ success: boolean; attestation?: string }>;
+export const getJwkFromCertificateChain = async (
+  certChain: string[]
+): Promise<JWK> => {
+  const [leafCert] = certChain;
+  if (!leafCert) {
+    throw new IoWalletError(
+      "The provided certificate chain is invalid or malformed"
+    );
+  }
+  const pemCert = convertBase64DerToPem(leafCert);
+  return getSigninJwkFromCert(pemCert);
+};
+
+/**
+ * Retrieves the signing JWK from a trust chain of entity configuration JWTs, matching the provided signer KID.
+ *
+ * @param trustChain - The trust chain of entity configuration JWTs.
+ * @param signerKid - The KID of the signer to look for in the trust chain.
+ * @returns The signing JWK.
+ * @throws Will throw an error if no suitable keys are found.
+ */
+export const getJwkFromTrustChain = (
+  trustChain: string[],
+  signerKid: string
+): JWK => {
+  const [entityConfigurationJwt] = trustChain;
+  if (!entityConfigurationJwt) {
+    throw new IoWalletError("The provided trust chain is invalid or malformed");
+  }
+
+  const keys: JWK[] = [];
+  const decodedEntityConfigJwt = decode(entityConfigurationJwt);
+  const baseEntityConfig =
+    decodedEntityConfigJwt.payload as BaseEntityConfiguration["payload"];
+
+  // Get top-level JWKS
+  if (baseEntityConfig.jwks) {
+    keys.push(...JWKS.parse(baseEntityConfig.jwks).keys);
+  }
+
+  // Check metadata entries for additional JWKS like openid_credential_verifier
+  if (baseEntityConfig.metadata) {
+    for (const metadata of Object.values(
+      baseEntityConfig.metadata as Record<string, { jwks?: JWKS }>
+    )) {
+      if (metadata.jwks) {
+        keys.push(...JWKS.parse(metadata.jwks).keys);
+      }
+    }
+  }
+
+  const federationJwk = keys.find((key) => key.kid === signerKid);
+  if (!federationJwk)
+    throw new IoWalletError(
+      "No suitable key was found in the provided trust chain"
+    );
+  return federationJwk;
 };