authorMatthew Miller <matthew@millerti.me>2020-07-24 16:48:47 -0700
committerMatthew Miller <matthew@millerti.me>2020-07-24 16:48:47 -0700
commitbc9ad0f68fc49c4ac23cd22428248faa26d3f9b6 (patch)
tree9af66e1496f246039b5a5bc801420786eece66cb
parent562df5c8fb0242b0332fe1d14956f002d038a520 (diff)
Be better when verifying attestation w/meta
-rw-r--r--packages/server/src/metadata/verifyAttestationWithMetadata.ts8
1 files changed, 7 insertions, 1 deletions
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
index 6b4d2f6..085144e 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
@@ -16,15 +16,21 @@ export default async function verifyAttestationWithMetadata(
throw new Error(`Attestation alg "${alg}" did not match metadata auth alg "${metaCOSE.alg}"`);
}
+ // Make a copy of x5c so we don't modify the original
+ const path = [...x5c].map(convertASN1toPEM);
+
// Try to validate the chain with each metadata root cert until we find one that works
let foundValidPath = false;
for (const rootCert of statement.attestationRootCertificates) {
try {
- const path = [...x5c, rootCert].map(convertASN1toPEM);
+ // Push the root cert to the cert path and try to validate it
+ path.push(convertASN1toPEM(rootCert));
foundValidPath = await validateCertificatePath(path);
} catch (err) {
// Swallow the error for now
foundValidPath = false;
+ // Remove the root cert before we try again with another
+ path.splice(path.length - 1, 1);
}
// Don't continue if we've validated a full path
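Review bot: The cleanup in the `catch` block only removes the root cert when something throws, and it assumes the push already happened. If `convertASN1toPEM(rootCert)` throws, nothing was pushed and `path.splice(path.length - 1, 1)` drops the last `x5c` certificate, so every later root is checked against a truncated chain. If `validateCertificatePath` can resolve `false` without throwing (not visible here), the failed root stays in `path` and the next root is appended after it. Building the candidate per iteration avoids both: `const candidate = [...path, convertASN1toPEM(rootCert)];` then `foundValidPath = await validateCertificatePath(candidate);`, with the `splice` removed. The loop and the enclosing function continue outside the hunk.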