Description
Hello,
I'm currently performing some tests with different FIDO2 keys and have an issue with one of them: the Neowave Winkeo model.
(https://neowave.fr/fr/produits/gamme-fido-2/winkeo-c-fido-2/)
When I try to register the key, I receive this error from the library:
```
Fido2NetLib.Fido2VerificationException: Invalid certificate chain
   at Fido2NetLib.AuthenticatorAttestationResponse.VerifyAsync(CredentialCreateOptions originalOptions, Fido2Configuration config, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, IMetadataService metadataService, Byte[] requestTokenBindingId, CancellationToken cancellationToken)
   at Fido2NetLib.Fido2.MakeNewCredentialAsync(AuthenticatorAttestationRawResponse attestationResponse, CredentialCreateOptions origChallenge, IsCredentialIdUniqueToUserAsyncDelegate isCredentialIdUniqueToUser, Byte[] requestTokenBindingId, CancellationToken cancellationToken)
   at TB.Fido.Server.Api.Impl.Login.Current.Registration.MakeCredentialCommandHandler.Handle(MakeCredentialCommand request, CancellationToken cancellationToken)
```
After investigation, it appears that disabling the online revocation check makes the registration work. (The CRLDP extension is present in the attestation certificate.)
To make it work, I basically commented this line like this:
```csharp
// if the attestation cert has a CDP extension, go ahead and turn on online revocation checking
if (!string.IsNullOrEmpty(CDPFromCertificateExts(trustPath[0].Extensions)) && validationMode != FidoValidationMode.FidoConformance2024)
    //chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
```
I've seen some similar issues regarding the trust path chain validation, but it looks like this issue is different.
If you have any idea or solution about that, I would love to hear it.
Thank you
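As an added illustration that is not part of the issue, of Fido2NetLib, or of anything Neowave ships, the following .NET program reproduces the mechanism the report describes in isolation: a leaf certificate that carries a CRL Distribution Points extension (OID 2.5.29.31) is chained to its root once with `X509RevocationMode.Online` and once with `X509RevocationMode.NoCheck`, and the chain-status flags that appear only in the online build are printed. The CA, the leaf and the CRL URL (`http://crl.example.invalid/root.crl`) are constructed here for the demonstration; `CertificateRevocationListBuilder.BuildCrlDistributionPointExtension` requires .NET 7 or later.

```csharp
// Added diagnostic, not Fido2NetLib code: build a trust path with and
// without online revocation checking and report which status flags differ.
// Requires .NET 7+ for CertificateRevocationListBuilder.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class RevocationDiagnostic
{
    const string CrlDistributionPointsOid = "2.5.29.31";

    // The same question the library asks before enabling online checks:
    // does the attestation (leaf) certificate carry a CRLDP extension?
    public static bool HasCrlDistributionPoint(X509Certificate2 leaf) =>
        leaf.Extensions.Cast<X509Extension>().Any(e => e.Oid?.Value == CrlDistributionPointsOid);

    // Build the chain under the given revocation mode and return the union of
    // all X509ChainStatus flags (NoError when the chain validated cleanly).
    public static X509ChainStatusFlags BuildChain(
        X509Certificate2 leaf, IEnumerable<X509Certificate2> intermediates,
        X509Certificate2 root, X509RevocationMode mode)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.AddRange(intermediates.ToArray());
        chain.Build(leaf);
        var flags = X509ChainStatusFlags.NoError;
        foreach (var status in chain.ChainStatus) flags |= status.Status;
        return flags;
    }

    // Constructed sample: a throwaway CA and a leaf whose CRLDP points at a
    // host that does not resolve, which is what a blocked or offline CRL
    // fetch looks like to the chain engine. The URL is hypothetical.
    public static (X509Certificate2 root, X509Certificate2 leaf) MakeSampleChain()
    {
        using var caKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var caReq = new CertificateRequest("CN=Sample Attestation Root", caKey, HashAlgorithmName.SHA256);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        var root = caReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        using var leafKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var leafReq = new CertificateRequest("CN=Sample Authenticator Attestation", leafKey, HashAlgorithmName.SHA256);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        leafReq.CertificateExtensions.Add(
            CertificateRevocationListBuilder.BuildCrlDistributionPointExtension(
                new[] { "http://crl.example.invalid/root.crl" }));
        var serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // keep the serial number positive
        var leaf = leafReq.Create(root, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1), serial);
        return (root, leaf);
    }

    public static void Main()
    {
        var (root, leaf) = MakeSampleChain();
        Console.WriteLine($"CRLDP present on leaf: {HasCrlDistributionPoint(leaf)}");

        var none = Array.Empty<X509Certificate2>();
        var online  = BuildChain(leaf, none, root, X509RevocationMode.Online);
        var noCheck = BuildChain(leaf, none, root, X509RevocationMode.NoCheck);
        Console.WriteLine($"Online : {online}");
        Console.WriteLine($"NoCheck: {noCheck}");

        // Flags present only under Online mode tell you why the chain failed:
        // RevocationStatusUnknown / OfflineRevocation mean the CRL could not be
        // fetched; Revoked means the certificate really is on a CRL and
        // NoCheck would be hiding a genuine problem rather than a network one.
        Console.WriteLine($"Only under Online: {online & ~noCheck}");
    }
}
```

Running this against the real `trustPath` from the failing registration (in place of the constructed chain) distinguishes the two cases that `Invalid certificate chain` lumps together: a CRL endpoint the server cannot reach, where a narrower relaxation such as `X509VerificationFlags.IgnoreEndRevocationUnknown` or an offline CRL cache may be preferable to `NoCheck`, versus a certificate that is actually revoked, where the registration should keep failing.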