authorMatthew Miller <matthew@millerti.me>2020-06-25 23:29:23 -0700
committerMatthew Miller <matthew@millerti.me>2020-06-25 23:29:23 -0700
commitfe06f39f89e2004bb26cb6df0762c7e559f62247 (patch)
tree767405f9d46a0714ea1654da2f5415eecfe37cc4 /packages/server/src
parentc63fedc675e5639c3f04201c36ef5c2d28b9dac0 (diff)
Add certificate path validation to Android-Key
Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/attestation/verifications/verifyAndroidKey.ts9
1 files changed, 7 insertions, 2 deletions
diff --git a/packages/server/src/attestation/verifications/verifyAndroidKey.ts b/packages/server/src/attestation/verifications/verifyAndroidKey.ts
index 9275a17..b3b1883 100644
--- a/packages/server/src/attestation/verifications/verifyAndroidKey.ts
+++ b/packages/server/src/attestation/verifications/verifyAndroidKey.ts
@@ -9,6 +9,7 @@ import {
JASN1,
} from '../../helpers/asn1Utils';
import convertCOSEtoPKCS, { COSEALGHASH } from '../../helpers/convertCOSEtoPKCS';
+import validateCertificatePath from '../../helpers/validateCertificatePath';
type Options = {
authData: Buffer;
@@ -85,8 +86,12 @@ export default function verifyAttestationAndroidKey(options: Options): boolean {
// throw new Error('Root certificate was not expected certificate (AndroidKey)');
// }
- // TODO: Verify certificate path using the algorithm specified in RFC5280 section 6
- // Related to to-be-implemented validateCertificatePath();
+ // Verify certificate path
+ try {
+ validateCertificatePath(x5c.map(convertASN1toPEM));
+ } catch (err) {
+ throw new Error(`${err} (AndroidKey)`);
+ }
const signatureBase = Buffer.concat([authData, clientDataHash]);
const leafCertPEM = convertASN1toPEM(x5c[0]);
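Review bot: Nothing in this hunk ties the `x5c` chain to a trusted Android attestation root, because the root-certificate comparison just above the new `try` block is still commented out. Unless `validateCertificatePath` enforces a trust anchor itself (its body is not shown here), this call can only establish that the chain is internally consistent, so a comment should record the gap until the root check is restored: `// NOTE: chain is validated for consistency only; the expected-root comparison above is still disabled`. Separately, `${err}` stringifies the whole error, so the message gains an `Error: ` prefix and the original stack is dropped; `throw new Error(`${err instanceof Error ? err.message : String(err)} (AndroidKey)`);` keeps the message clean. The body of `verifyAttestationAndroidKey` starts and ends outside this hunk, so any trust-anchor handling elsewhere in the function is not visible.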