@@ -58,10 +58,8 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific
5858 // The array does not represent a certificate chain, but only the trust anchor of that chain.
5959 // A trust anchor can be a root certificate, an intermediate CA certificate or even the attestation certificate itself.
6060
61- // Let's check the simplest case first. If subject and issuer are the same, and the attestation cert is in the list, that's all the validation we need
62- 63- // We have the same singular root cert in trustpath and it is in attestationRootCertificates
64- if ( trustPath . Length == 1 && trustPath [ 0 ] . Subject . Equals ( trustPath [ 0 ] . Issuer , StringComparison . Ordinal ) )
61+ // Single certificate case: if it matches a declared trust anchor, validation is complete
62+ if ( trustPath . Length == 1 )
6563 {
6664 foreach ( X509Certificate2 cert in attestationRootCertificates )
6765 {
@@ -72,7 +70,7 @@ public static bool ValidateTrustChain(X509Certificate2[] trustPath, X509Certific
7270 }
7371 }
7472
75- // If the attestation cert is not self signed, we will need to build a chain
73+ // For certificates not directly declared as trust anchors, build and validate a certificate chain
7674 var chain = new X509Chain ( ) ;
7775
7876 // Put all potential trust anchors into extra store
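Review bot: Dropping the `Subject.Equals(Issuer, StringComparison.Ordinal)` guard from old line 64 means a single non-self-signed certificate is now accepted purely on the strength of the `attestationRootCertificates` match inside the `foreach` at new lines 64–70, so that comparison (lines 66–69 fall outside the hunk) must compare the certificate itself — thumbprint or `RawData` — rather than a name field, otherwise a certificate whose Subject merely mirrors an anchor's would be treated as trusted; the hunk does not show the comparison, so this is worth confirming. The new comment at line 61 should make that contract explicit, e.g. `// Single certificate case: accept only if this exact certificate (by thumbprint/RawData, not by subject) is a declared trust anchor; it need not be self-signed since an anchor may be an intermediate or the attestation cert itself`. Separately, `X509Chain` is `IDisposable`, yet `chain` created at line 74 of the second hunk is not disposed anywhere within view; `using var chain = new X509Chain();` would bound its native handles. `ValidateTrustChain` begins before the first hunk and continues past the second.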