Question on attestation..

[sf-troot]

The method VerifyAttestation takes two certs as input but I don't see where 'attestedCert' is used, should it be here?:

go-ykpiv/attestation.go

Line 83 in 32315ce

ints.AddCert(attestationCert)

or here?:

go-ykpiv/attestation.go

Line 85 in 32315ce

return attestationCert.Verify(x509.VerifyOptions{

[jtakkala]

Good catch, looks like attestedCert should be on line 85.

[jtakkala]

This mistake basically means that VerifyAttestation() would never return an error provided a valid attestation cert is passed in, even if the attested cert is invalid. Would be nice to add tests to any fix to prevent a regression here in the future.

[sf-troot]

Another question:

go-ykpiv/attestation.go

Line 81 in 32315ce

attestationCert.IsCA = true

In this line the attestationCert is marked as CA and added as an Intermediate, would this stop the 'chain' validation since the CARoot is also added as a root? I am thinking for a proper chain validation this line should not be here? or am I miss understanding something?

[jtakkala]

In this line the attestationCert is marked as CA and added as an Intermediate, would this stop the 'chain' validation since the CARoot is also added as a root? I am thinking for a proper chain validation this line should not be here? or am I miss understanding something?

No, the reason it’s explicitly set here is because some (all?) Yubikey’s don’t set the isCA attribute on the attestation cert, so chain verification would fail. I believe all intermediate CA certs need the isCA attribute set to true.