feat: [SIW-402] Resolve trust chain #34
Conversation
| // FIXME: SIW-422 require federation_metadata field | ||
| // Actual RP implementation does not comply with the spec | ||
| /* federation_entity: z.object({ | ||
| organization_name: z.string(), | ||
| homepage_uri: z.string(), | ||
| policy_uri: z.string(), | ||
| logo_uri: z.string(), | ||
| contacts: z.array(z.string()), | ||
| }), */ |
There was a problem hiding this comment.
Sorry for rework but federation_entity has been added!
There was a problem hiding this comment.
Sorry but I still don't see the update here
| @@ -80,7 +90,7 @@ export default async () => { | |||
| ).then((t) => RP.getRequestObject(t, authRequestUrl, entity)); | |||
|
|
|||
| // Attest Relying Party trust | |||
| // TODO [SIW-354] | |||
| await verifyTrustChain(trustAnchorEntity, requestObj.header.trust_chain); | |||
There was a problem hiding this comment.
what do you think about adding this check also into the SDK function (like getEntityConfiguration())making sure that the caller is not responsible for doing the checks.
There was a problem hiding this comment.
Interesting point. That is true for every trustable document we have (including PID, WIA, RequestObject, etc).
I think it's good, anyway I'd do it in another PR as it involves a sensible refactor of classes because:
- we must provide Trust Anchor data
- we must model better error to avoid to hide informations on error.
| const selectTokenShape = (elementIndex: number) => | ||
| elementIndex === 0 | ||
| ? FirstElementShape | ||
| : elementIndex === chain.length - 1 | ||
| ? LastElementShape | ||
| : MiddleElementShape; | ||
|
|
src/trust/types.ts
Outdated
| // Actual RP implementation does not comply with the spec | ||
| /* federation_entity: z.object({ | ||
| organization_name: z.string(), | ||
| homepage_uri: z.string(), | ||
| policy_uri: z.string(), | ||
| logo_uri: z.string(), | ||
| contacts: z.array(z.string()), | ||
| }), */ |
There was a problem hiding this comment.
RP added federation_entity. You can uncomment this part
balanza
force-pushed
the
SIW-402--resolve-trust-chain
branch
from
e205909
to
98ca656
Compare
balanza
dismissed
grausof’s stale review
Please check again, I pushed something new
|
It is necessary to add (certainly with a separate PR) fast renewal for entity configurations. |
Co-authored-by: grausof <[email protected]>
List of Changes
trustfolder for utilities related to the trust modelMotivation and Context
Documents shared with other parties (credentials, attestations, authz requests, etc) are signed and trusted according to https://italia.github.io/eudi-wallet-it-docs/v0.4.1/en/trust.html. Such documents contain a
trust_chainfield, which is intended to provide a static representation of the federation trust chain that connects the Leaf entity (i.e. the entity whose trustworthiness is being checked) to the known Trust Anchor entity,The
trust_chainis a list of signed token in the form:Each token MUST be signed using one of the keys declared in the token next to it in the chain. The last token's signature will be checked against the known Trust Anchor's keys. Optionally, Trust Anchor entity configuration can be added as last element of the chain.
This PR proposes the
verifyTrustChainfunction to be used asHow Has This Been Tested?
Screenshots (if appropriate):
Checklist: