From 3d142efc6dc28015dac7eb5cf803fd78d16ac91c Mon Sep 17 00:00:00 2001
From: Marc Boorshtein
Date: Sat, 15 Apr 2017 15:32:20 -0400
Subject: [PATCH] changed attestation check to allow trusted certs

---
 .../u2f/server/impl/U2FServerReferenceImpl.java | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/u2f-ref-code/java/src/com/google/u2f/server/impl/U2FServerReferenceImpl.java b/u2f-ref-code/java/src/com/google/u2f/server/impl/U2FServerReferenceImpl.java
index 369b326..ae1c4d2 100644
--- a/u2f-ref-code/java/src/com/google/u2f/server/impl/U2FServerReferenceImpl.java
+++ b/u2f-ref-code/java/src/com/google/u2f/server/impl/U2FServerReferenceImpl.java
@@ -150,8 +150,20 @@ public SecurityKeyData processRegistrationResponse(
     byte[] signedBytes = RawMessageCodec.encodeRegistrationSignedBytes(
         appIdSha256, clientDataSha256, keyHandle, userPublicKey);
 
+
+    //check if issuers are trusted
     Set trustedCertificates = dataStore.getTrustedCertificates();
-    if (!trustedCertificates.contains(attestationCertificate)) {
+    boolean found = false;
+    for (X509Certificate trusted : trustedCertificates) {
+      try {
+        attestationCertificate.verify(trusted.getPublicKey());
+        found = true;
+      } catch (InvalidKeyException | CertificateException | NoSuchAlgorithmException | NoSuchProviderException| SignatureException e) {
+
+      }
+    }
+
+    if (!found) {
       Log.warning("attestion cert is not trusted");
     }
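Review bot: `attestationCertificate.verify(trusted.getPublicKey())` in the new loop only proves the signature was produced by a trusted key; it does not check the attestation certificate's validity period, that the trusted certificate is actually its issuer, or any CA/path constraints, so an expired or mis-issued certificate signed by a trusted key still sets `found`. The loop also keeps iterating after a match, and the multi-catch swallows every failure without a trace, which makes a misconfigured trust store indistinguishable from an untrusted device. A tighter version matches the issuer to the trusted subject, calls `checkValidity()` before `verify`, breaks on success and catches the common `GeneralSecurityException` supertype of the five listed exceptions (an import is needed for it). On both the old and new side the `!found` case still only logs a warning and registration continues; if trusted attestation is meant to be mandatory here, that branch should reject rather than log. The hunk's trailing context line and the rest of `processRegistrationResponse` lie outside this view.
```java
    //check if issuers are trusted
    Set trustedCertificates = dataStore.getTrustedCertificates();
    boolean found = false;
    for (X509Certificate trusted : trustedCertificates) {
      // A verifiable signature alone is not a trust decision: the trusted cert must be
      // the issuer, and the attestation cert must be inside its validity period.
      if (!attestationCertificate.getIssuerX500Principal()
          .equals(trusted.getSubjectX500Principal())) {
        continue;
      }
      try {
        attestationCertificate.checkValidity();
        attestationCertificate.verify(trusted.getPublicKey());
        found = true;
        break;
      } catch (GeneralSecurityException ignored) {
        // issuer name matched but key/validity did not; keep looking in the trust store
      }
    }
    // … unchanged: if (!found) { Log.warning(...); } …
```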