Diffstat (limited to 'packages/server/src')
-rw-r--r--packages/server/src/helpers/constants.ts4
-rw-r--r--packages/server/src/metadata/metadataService.ts20
2 files changed, 21 insertions, 3 deletions
diff --git a/packages/server/src/helpers/constants.ts b/packages/server/src/helpers/constants.ts
index 02075b5..e4fbd69 100644
--- a/packages/server/src/helpers/constants.ts
+++ b/packages/server/src/helpers/constants.ts
@@ -2,7 +2,7 @@ import dotenv from 'dotenv';
dotenv.config();
-const { ENABLE_MDS, MDS_API_TOKEN, MDS_TOC_URL } = process.env;
+const { ENABLE_MDS, MDS_API_TOKEN, MDS_TOC_URL, MDS_ROOT_CERT_URL } = process.env;
/**
* Supported environment variables:
@@ -11,9 +11,11 @@ const { ENABLE_MDS, MDS_API_TOKEN, MDS_TOC_URL } = process.env;
* @prop `MDS_API_TOKEN`: FIDO Metadata Service API token (see https://fidoalliance.org/metadata/)
* @prop `MDS_TOC_URL`: Alternative URL to the FIDO Metadata Service TOC endpoint (defaults to
* https://mds2.fidoalliance.org/)
+ * @prop `MDS_ROOT_CERT_URL`: URL to root certificate for completing certificate chains
*/
export const ENV_VARS = {
ENABLE_MDS: ENABLE_MDS === 'true' ? true : false,
MDS_API_TOKEN: MDS_API_TOKEN || '',
MDS_TOC_URL: MDS_TOC_URL || 'https://mds2.fidoalliance.org/',
+ MDS_ROOT_CERT_URL: MDS_ROOT_CERT_URL || 'https://mds.fidoalliance.org/Root.cer',
};
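Review bot: The new `@prop` line documents `MDS_ROOT_CERT_URL` only as a URL "for completing certificate chains", but the value is the trust anchor the downloaded TOC chain is validated against, so whoever sets this variable chooses the root of trust for metadata verification, and the comment should say so. Suggested wording: `* @prop `MDS_ROOT_CERT_URL`: URL of the FIDO MDS root certificate used as the trust anchor when validating the TOC's certificate chain; should be an HTTPS URL (defaults to https://mds.fidoalliance.org/Root.cer)`. The `|| 'https://...'` default, like the other entries here, also silently replaces an empty string with the default, which is worth a word in the same comment since an operator who blanks the variable will not get an error.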
diff --git a/packages/server/src/metadata/metadataService.ts b/packages/server/src/metadata/metadataService.ts
index 4eee0a8..0b9d555 100644
--- a/packages/server/src/metadata/metadataService.ts
+++ b/packages/server/src/metadata/metadataService.ts
@@ -3,10 +3,12 @@ import fetch from 'node-fetch';
import { ENV_VARS } from '../helpers/constants';
import toHash from '../helpers/toHash';
+import validateCertificatePath from '../helpers/validateCertificatePath';
+import convertASN1toPEM from '../helpers/convertASN1toPEM';
import parseJWT from './parseJWT';
-const { ENABLE_MDS, MDS_TOC_URL, MDS_API_TOKEN } = ENV_VARS;
+const { ENABLE_MDS, MDS_TOC_URL, MDS_API_TOKEN, MDS_ROOT_CERT_URL } = ENV_VARS;
type CachedAAGUID = {
url: string;
@@ -111,7 +113,21 @@ class MetadataService {
return;
}
- // Convert the nextUpdate property into a Date so we can detemrine when to redownload
+ // Download FIDO the root certificate and append it to the TOC certs
+ const respFIDORootCert = await fetch(MDS_ROOT_CERT_URL);
+ const rootCert = await respFIDORootCert.text();
+ const fullCertPath = header.x5c.map(convertASN1toPEM).concat(rootCert);
+
+ try {
+ // Validate the certificate chain
+ validateCertificatePath(fullCertPath);
+ } catch (err) {
+ console.error(err);
+ // From FIDO MDS docs: "The FIDO Server SHOULD ignore the file if the signature is invalid."
+ return;
+ }
+
+ // Convert the nextUpdate property into a Date so we can determine when to redownload
const [year, month, day] = payload.nextUpdate.split('-');
this.nextUpdate = new Date(
parseInt(year, 10),
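Review bot: The root-certificate download on the two lines after the "Download FIDO the root certificate" comment (`fetch(MDS_ROOT_CERT_URL)` and `.text()`) is outside the try block that follows it, so neither a rejected fetch nor a non-2xx response takes the "ignore the file" path the catch implements: a network error propagates out of the enclosing method, and an HTML error body is appended to `fullCertPath` as if it were a PEM certificate and only fails later inside `validateCertificatePath`. Checking `respFIDORootCert.ok` and moving the download inside the try keeps every failure on one path; the rewritten lines are below. Separately, fetching the trust anchor at request time from a configurable URL makes the chain validation only as strong as that second download, so bundling the FIDO root certificate with the package (or pinning its hash) would be the more robust design; whether the TOC signature itself is checked against `x5c[0]` is not visible in this hunk and presumably happens in `parseJWT` or nearby. The enclosing method starts before the hunk.
```typescript
      try {
        // Download the FIDO root certificate and append it to the TOC certs
        const respFIDORootCert = await fetch(MDS_ROOT_CERT_URL);
        if (!respFIDORootCert.ok) {
          throw new Error(`Root certificate download failed: HTTP ${respFIDORootCert.status}`);
        }
        const rootCert = await respFIDORootCert.text();
        const fullCertPath = header.x5c.map(convertASN1toPEM).concat(rootCert);
        // Validate the certificate chain
        validateCertificatePath(fullCertPath);
      } catch (err) {
        // … unchanged: log the error and return (ignore the file) …
      }
```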