From c39c2b35741262221c68a7b0d4ffa0020134ffb0 Mon Sep 17 00:00:00 2001
From: Matthew Miller
Date: Sun, 14 Aug 2022 11:18:52 -0700
Subject: Don't validate cert path when self-referenced
---
 .../src/metadata/verifyAttestationWithMetadata.ts | 36 ++++++++++++++++------
 1 file changed, 26 insertions(+), 10 deletions(-)
(limited to 'packages/server/src')
diff --git a/packages/server/src/metadata/verifyAttestationWithMetadata.ts b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
index 940b174..e068a05 100644
--- a/packages/server/src/metadata/verifyAttestationWithMetadata.ts
+++ b/packages/server/src/metadata/verifyAttestationWithMetadata.ts
@@ -92,16 +92,32 @@ export async function verifyAttestationWithMetadata(
 );
 }
 
- try {
- await validateCertificatePath(
- x5c.map(convertCertBufferToPEM),
- statement.attestationRootCertificates.map(convertCertBufferToPEM),
- );
- } catch (err) {
- const _err = err as Error;
- throw new Error(
- `Could not validate certificate path with any metadata root certificates: ${_err.message}`,
- );
+ // Prepare to check the certificate chain
+ const authenticatorCerts = x5c.map(convertCertBufferToPEM);
+ const statementRootCerts = statement.attestationRootCertificates.map(convertCertBufferToPEM);
+
+ /**
+ * If an authenticator returns exactly one certificate in its x5c, and that cert is found in the
+ * metadata statement then the authenticator is "self-referencing". In this case we forego
+ * certificate chain validation.
+ */
+ let authenticatorIsSelfReferencing = false;
+ if (
+ authenticatorCerts.length === 1 &&
+ statementRootCerts.indexOf(authenticatorCerts[0]) >= 0
+ ) {
+ authenticatorIsSelfReferencing = true;
+ }
+
+ if (!authenticatorIsSelfReferencing) {
+ try {
+ await validateCertificatePath(authenticatorCerts, statementRootCerts);
+ } catch (err) {
+ const _err = err as Error;
+ throw new Error(
+ `Could not validate certificate path with any metadata root certificates: ${_err.message}`,
+ );
+ }
 }
 
 return true;
-- cgit v1.2.3
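Review bot: The self-referencing shortcut guarded by `authenticatorCerts.length === 1 && statementRootCerts.indexOf(authenticatorCerts[0]) >= 0` skips `validateCertificatePath` entirely, so whatever that helper enforces beyond building the chain — most likely the certificate's notBefore/notAfter window, though that is not visible here — is no longer checked for a single-cert x5c that appears in `attestationRootCertificates`. Treating the attestation certificate itself as an acceptable entry matches FIDO MDS practice, but the doc comment should say what is being given up, e.g. `* NOTE: chain validation is skipped here, so this function does not enforce the cert's validity period or extensions; callers relying on that must check it separately` (or keep an explicit validity-period check on `authenticatorCerts[0]` in this branch if the helper performs one). The match is an exact PEM string comparison, which is acceptable only because both sides pass through the same `convertCertBufferToPEM`; a short comment noting that dependency would prevent a future change to one side from silently breaking the shortcut. As a style point, `statementRootCerts.includes(authenticatorCerts[0])` reads more directly than `indexOf(...) >= 0`, and the `let` flag plus `if` could collapse into a single `const authenticatorIsSelfReferencing = ...` boolean. verifyAttestationWithMetadata begins and ends outside this hunk.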