This PR fixes FIDO MDS statement authenticationAlgorithms verification to confirm the algorithm used to generate the keypair. This should fix #174; I specifically tested "android-safetynet" direct attestation from an OG Pixel using metadata available from https://mds.fidoalliance.org/ and was able to successfully register the device:
This new functionality was tested against a preview build of FIDO Conformance Tools that supports FIDO MDS3 and passed all good tests (the two failures are a known issue with TPM tests):
Additionally, certificate chain issues are handled more gracefully so that multiple root certificates have a chance of being tested, instead of the first bad one short-circuiting path validation before a good cert can be tested. When a bad cert is detected, the error thrown will include the bad certificate.
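An added example (not code from this PR or the project) of the kind of check described above: comparing a credential's COSE public key against the `authenticationAlgorithms` declared in an MDS3 metadata statement. The function name, the sample data, and the choice to cover only a subset of the registry's algorithm names are assumptions of this sketch.

```javascript
// Added example, not the project's code. Subset of MDS3 authenticationAlgorithms
// names mapped to the COSE parameters a matching credential key must carry.
// COSE key labels: 1 = kty, 3 = alg, -1 = crv (EC2/OKP only; on RSA keys -1 is n).
const MDS_ALG_TO_COSE = new Map([
  ['secp256r1_ecdsa_sha256_raw', { kty: 2, alg: -7, crv: 1 }],
  ['secp256r1_ecdsa_sha256_der', { kty: 2, alg: -7, crv: 1 }],
  ['secp384r1_ecdsa_sha384_raw', { kty: 2, alg: -35, crv: 2 }],
  ['secp521r1_ecdsa_sha512_raw', { kty: 2, alg: -36, crv: 3 }],
  ['ed25519_eddsa_sha512_raw', { kty: 1, alg: -8, crv: 6 }],
  ['rsassa_pss_sha256_raw', { kty: 3, alg: -37 }],
  ['rsassa_pkcsv15_sha256_raw', { kty: 3, alg: -257 }],
]);

// Returns the declared algorithm name that the key satisfies, or throws.
// `cosePublicKey` is the CBOR-decoded credential public key as a Map.
function checkAuthenticationAlgorithm(statement, cosePublicKey) {
  const declared = statement.authenticationAlgorithms;
  if (!Array.isArray(declared) || declared.length === 0) {
    throw new Error('Metadata statement declares no authenticationAlgorithms');
  }
  const kty = cosePublicKey.get(1);
  const alg = cosePublicKey.get(3);
  if (kty === undefined || alg === undefined) {
    throw new Error('Credential public key is missing kty or alg');
  }
  // Only EC2 (2) and OKP (1) keys carry a curve under label -1.
  const crv = kty === 1 || kty === 2 ? cosePublicKey.get(-1) : undefined;
  const unmapped = [];
  for (const name of declared) {
    const want = MDS_ALG_TO_COSE.get(name);
    if (!want) { unmapped.push(name); continue; }
    const curveOk = want.crv === undefined || want.crv === crv;
    if (want.kty === kty && want.alg === alg && curveOk) return name;
  }
  throw new Error(
    `Key (kty ${kty}, alg ${alg}, crv ${crv}) matches none of: ${declared.join(', ')}` +
    (unmapped.length ? ` (not mapped in this sketch: ${unmapped.join(', ')})` : '')
  );
}

// Constructed sample data: an ES256 (P-256) key and a statement that allows it.
const SAMPLE_STATEMENT = { authenticationAlgorithms: ['secp256r1_ecdsa_sha256_raw'] };
const SAMPLE_KEY = new Map([[1, 2], [3, -7], [-1, 1], [-2, new Uint8Array(32)], [-3, new Uint8Array(32)]]);
```
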