Conformance fix: Remove trustpath subject-issuer comparison (#555)

abergs · web-flow · commit e588f52c1335 · 2025-08-29T15:03:16.000+02:00
* Revert "Conformance-breaking: Keep the stricter rules" This reverts commit ac11a81. * Improve comments
diff --git a/Src/Fido2/Extensions/CryptoUtils.cs b/Src/Fido2/Extensions/CryptoUtils.cs
@@ -58,10 +58,8 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific
         // The array does not represent a certificate chain, but only the trust anchor of that chain.
         // A trust anchor can be a root certificate, an intermediate CA certificate or even the attestation certificate itself.
 
-        // Let's check the simplest case first.  If subject and issuer are the same, and the attestation cert is in the list, that's all the validation we need
-
-        // We have the same singular root cert in trustpath and it is in attestationRootCertificates
-        if (trustPath.Length == 1 && trustPath[0].Subject.Equals(trustPath[0].Issuer, StringComparison.Ordinal))
+        // Single certificate case: if it matches a declared trust anchor, validation is complete
+        if (trustPath.Length == 1)
         {
             foreach (X509Certificate2 cert in attestationRootCertificates)
             {
@@ -72,7 +70,7 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific
             }
         }
 
-        // If the attestation cert is not self signed, we will need to build a chain
+        // For certificates not directly declared as trust anchors, build and validate a certificate chain
         var chain = new X509Chain();
 
         // Put all potential trust anchors into extra store
diff --git a/Tests/Fido2.Tests/CryptoUtilsTests.cs b/Tests/Fido2.Tests/CryptoUtilsTests.cs
@@ -66,8 +66,8 @@ public void TestValidateTrustChainSubAnchor()
 
         Assert.False(0 == attestationRootCertificates[0].Issuer.CompareTo(attestationRootCertificates[0].Subject));
         Assert.True(CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates));
-        Assert.False(CryptoUtils.ValidateTrustChain(trustPath, trustPath));
-        Assert.False(CryptoUtils.ValidateTrustChain(attestationRootCertificates, attestationRootCertificates));
+        Assert.True(CryptoUtils.ValidateTrustChain(trustPath, trustPath));
+        Assert.True(CryptoUtils.ValidateTrustChain(attestationRootCertificates, attestationRootCertificates));
         Assert.False(CryptoUtils.ValidateTrustChain(attestationRootCertificates, trustPath));
     }
 

Original file line number	Diff line number	Diff line change
`@@ -58,10 +58,8 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific`
`58`	`58`	`// The array does not represent a certificate chain, but only the trust anchor of that chain.`
`59`	`59`	`// A trust anchor can be a root certificate, an intermediate CA certificate or even the attestation certificate itself.`
`60`	`60`
`61`		`- // Let's check the simplest case first. If subject and issuer are the same, and the attestation cert is in the list, that's all the validation we need`
`62`		`-`
`63`		`- // We have the same singular root cert in trustpath and it is in attestationRootCertificates`
`64`		`- if (trustPath.Length == 1 && trustPath[0].Subject.Equals(trustPath[0].Issuer, StringComparison.Ordinal))`
	`61`	`+ // Single certificate case: if it matches a declared trust anchor, validation is complete`
	`62`	`+ if (trustPath.Length == 1)`
`65`	`63`	`{`
`66`	`64`	`foreach (X509Certificate2 cert in attestationRootCertificates)`
`67`	`65`	`{`
`@@ -72,7 +70,7 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific`
`72`	`70`	`}`
`73`	`71`	`}`
`74`	`72`
`75`		`- // If the attestation cert is not self signed, we will need to build a chain`
	`73`	`+ // For certificates not directly declared as trust anchors, build and validate a certificate chain`
`76`	`74`	`var chain = new X509Chain();`
`77`	`75`
`78`	`76`	`// Put all potential trust anchors into extra store`
Original file line number	Diff line number	Diff line change
`@@ -66,8 +66,8 @@ public void TestValidateTrustChainSubAnchor()`
`66`	`66`
`67`	`67`	`Assert.False(0 == attestationRootCertificates[0].Issuer.CompareTo(attestationRootCertificates[0].Subject));`
`68`	`68`	`Assert.True(CryptoUtils.ValidateTrustChain(trustPath, attestationRootCertificates));`
`69`		`- Assert.False(CryptoUtils.ValidateTrustChain(trustPath, trustPath));`
`70`		`- Assert.False(CryptoUtils.ValidateTrustChain(attestationRootCertificates, attestationRootCertificates));`
	`69`	`+ Assert.True(CryptoUtils.ValidateTrustChain(trustPath, trustPath));`
	`70`	`+ Assert.True(CryptoUtils.ValidateTrustChain(attestationRootCertificates, attestationRootCertificates));`
`71`	`71`	`Assert.False(CryptoUtils.ValidateTrustChain(attestationRootCertificates, trustPath));`
`72`	`72`	`}`
`73`	`73`