8 changes: 3 additions & 5 deletions Src/Fido2/Extensions/CryptoUtils.cs
Expand Up @@ -58,10 +58,8 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific
// The array does not represent a certificate chain, but only the trust anchor of that chain.
// A trust anchor can be a root certificate, an intermediate CA certificate or even the attestation certificate itself.

// Let's check the simplest case first. If subject and issuer are the same, and the attestation cert is in the list, that's all the validation we need

// We have the same singular root cert in trustpath and it is in attestationRootCertificates
if (trustPath.Length == 1 && trustPath[0].Subject.Equals(trustPath[0].Issuer, StringComparison.Ordinal))
// Single certificate case: if it matches a declared trust anchor, validation is complete
if (trustPath.Length == 1)
{
foreach (X509Certificate2 cert in attestationRootCertificates)
{
Expand All @@ -72,7 +70,7 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific
}
}

// If the attestation cert is not self signed, we will need to build a chain
// For certificates not directly declared as trust anchors, build and validate a certificate chain
var chain = new X509Chain();

// Put all potential trust anchors into extra store
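Review bot: With the self-signed guard removed at the new `if (trustPath.Length == 1)` line, the match performed inside the `foreach` over attestationRootCertificates (its body is collapsed at the Expand All marker) now carries the whole accept decision for the single-certificate case, so it needs to be a byte-exact comparison of the certificates (RawData or Thumbprint) rather than a Subject/Issuer string match. I cannot see that comparison from the hunk, so please confirm it and record the contract in the new comment, e.g. `// Single certificate case: accepted only if it is byte-identical to a declared trust anchor (which may be the attestation cert itself); no chain is built here, so no validity-period or revocation checks apply on this path`. It is also worth stating whether an empty trustPath is rejected before this point, since the visible lines do not handle it. ValidateTrustChain begins and continues outside the hunk.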
4 changes: 2 additions & 2 deletions Tests/Fido2.Tests/CryptoUtilsTests.cs
Expand Up @@ -66,8 +66,8 @@ public void TestValidateTrustChainSubAnchor()

Assert.False(0 == attestationRootCertificates[0].Issuer.CompareTo(attestationRootCertificates[0].Subject));
Assert.True(CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates));
Assert.False(CryptoUtils.ValidateTrustChain(trustPath, trustPath));
Assert.False(CryptoUtils.ValidateTrustChain(attestationRootCertificates, attestationRootCertificates));
Assert.True(CryptoUtils.ValidateTrustChain(trustPath, trustPath));
Assert.True(CryptoUtils.ValidateTrustChain(attestationRootCertificates, attestationRootCertificates));
Assert.False(CryptoUtils.ValidateTrustChain(attestationRootCertificates, trustPath));
}

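Review bot: The flipped assertions on the `ValidateTrustChain(trustPath, trustPath)` and `ValidateTrustChain(attestationRootCertificates, attestationRootCertificates)` lines only exercise the accepting side of the relaxed single-certificate branch; nothing asserts that a lone certificate which is neither a declared anchor nor chainable to one is still rejected, so a regression that accepts any single certificate would pass this test. Consider adding a negative case with a certificate absent from attestationRootCertificates and, if the fixtures provide one, a certificate that shares an anchor's Subject but differs in bytes, to pin that the match is on certificate identity rather than on names. The enclosing method TestValidateTrustChainSubAnchor starts before the hunk.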