From ef232f8035e27b77db7b036016dc5200e8a3a3da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Fri, 18 Oct 2024 13:52:52 +0200 Subject: [PATCH 1/2] Revert "Conformance-breaking: Keep the stricter rules" This reverts commit ac11a81bb8d0e9fc5338ee90fd6786df2d9587ed. --- Src/Fido2/Extensions/CryptoUtils.cs | 2 +- Tests/Fido2.Tests/CryptoUtilsTests.cs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Src/Fido2/Extensions/CryptoUtils.cs b/Src/Fido2/Extensions/CryptoUtils.cs index 6edb3407..4d8da0d2 100644 --- a/Src/Fido2/Extensions/CryptoUtils.cs +++ b/Src/Fido2/Extensions/CryptoUtils.cs @@ -61,7 +61,7 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific // Let's check the simplest case first. If subject and issuer are the same, and the attestation cert is in the list, that's all the validation we need // We have the same singular root cert in trustpath and it is in attestationRootCertificates - if (trustPath.Length == 1 && trustPath[0].Subject.Equals(trustPath[0].Issuer, StringComparison.Ordinal)) + if (trustPath.Length == 1) { foreach (X509Certificate2 cert in attestationRootCertificates) { diff --git a/Tests/Fido2.Tests/CryptoUtilsTests.cs b/Tests/Fido2.Tests/CryptoUtilsTests.cs index 2ce5d81a..505f75db 100644 --- a/Tests/Fido2.Tests/CryptoUtilsTests.cs +++ b/Tests/Fido2.Tests/CryptoUtilsTests.cs @@ -66,8 +66,8 @@ public void TestValidateTrustChainSubAnchor() Assert.False(0 == attestationRootCertificates[0].Issuer.CompareTo(attestationRootCertificates[0].Subject)); Assert.True(CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates)); - Assert.False(CryptoUtils.ValidateTrustChain(trustPath, trustPath)); - Assert.False(CryptoUtils.ValidateTrustChain(attestationRootCertificates, attestationRootCertificates)); + Assert.True(CryptoUtils.ValidateTrustChain(trustPath, trustPath)); + Assert.True(CryptoUtils.ValidateTrustChain(attestationRootCertificates, attestationRootCertificates)); Assert.False(CryptoUtils.ValidateTrustChain(attestationRootCertificates, trustPath)); } From 8dbf35a27f67db4c47a07d4ef876e633b90f7439 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Fri, 29 Aug 2025 15:02:52 +0200 Subject: [PATCH 2/2] Improve comments --- Src/Fido2/Extensions/CryptoUtils.cs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/Src/Fido2/Extensions/CryptoUtils.cs b/Src/Fido2/Extensions/CryptoUtils.cs index 4d8da0d2..cda3287e 100644 --- a/Src/Fido2/Extensions/CryptoUtils.cs +++ b/Src/Fido2/Extensions/CryptoUtils.cs @@ -58,9 +58,7 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific // The array does not represent a certificate chain, but only the trust anchor of that chain. // A trust anchor can be a root certificate, an intermediate CA certificate or even the attestation certificate itself. - // Let's check the simplest case first. If subject and issuer are the same, and the attestation cert is in the list, that's all the validation we need - - // We have the same singular root cert in trustpath and it is in attestationRootCertificates + // Single certificate case: if it matches a declared trust anchor, validation is complete if (trustPath.Length == 1) { foreach (X509Certificate2 cert in attestationRootCertificates) @@ -72,7 +70,7 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific } } - // If the attestation cert is not self signed, we will need to build a chain + // For certificates not directly declared as trust anchors, build and validate a certificate chain var chain = new X509Chain(); // Put all potential trust anchors into extra store