Bug: set trust anchor with trusted certificates

[zll600]

Target branch: 5.x
Resolves issue #788

• It is a Bug fix
• It is a New feature
• Breaks BC
• Includes Deprecations

Overview

Set the trust anchor with the trusted certificates when validating the certificate path.

Problems

The implementation passes the trusted certificate as the first certificate of the certificate path when validating.

webauthn-framework/src/webauthn/src/MetadataService/CertificateChain/PhpCertificateChainValidator.php

Lines 190 to 191 in eb2aa67

	$config = PathValidationConfig::create($this->clock->now(), self::MAX_VALIDATION_LENGTH);
	CertificationPath::create(...$certificates)->validate($config);

This works well when the trusted certificate is self-signed because the self-signed certificate can be used to verify itself.

But it fails when the trusted certificate is an intermediate certificate(e.g., trust anchor from FIDO MDS).
The intermediate CA can not verify itself, which can only be verified with its issuer.

For any CA of FIDO MDS, we can trust it even if it is an intermediate CA, and use it as the trust anchor directly to verify the trust path of the attestation.

List of attestation trust anchors for the batch chain in the authenticator attestation. Each element of this array represents a PKIX [RFC5280] X.509 certificate that is a valid trust anchor for this authenticator model. Multiple certificates might be used for different batches of the same model. The array does not represent a certificate chain, but only the trust anchor of that chain. A trust anchor can be a root certificate, an intermediate CA certificate or even the attestation certificate itself.

[Spomky]

I created another PR with those changes and based on 5.2.x.
Will be tagged 5.2.3.
Many thanks.

[zll600]

Real thanks 🙇

Just for others' references, the new PR: #793