android · copybara-service · Jun 3, 2026
diff --git a/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt b/src/main/kotlin/provider/KeyAttestationCertPathValidator.kt
@@ -92,7 +92,12 @@ class KeyAttestationCertPathValidator : CertPathValidatorSpi() {
     sigProvider: String?,
   ): CertPathValidatorResult {
     val certList = certPath.toCertList()
-    val selector = X509CertSelector().apply { issuer = certList.first().issuerX500Principal }
+    val expectedIssuer = certList.first().issuerX500Principal
+    val selector =
+      X509CertSelector().apply {
+        subject = expectedIssuer
+        issuer = expectedIssuer
+      }
 
     var lastException: CertPathValidatorException? = null
     for (anchor in trustAnchors) {

diff --git a/src/main/kotlin/testing/Certs.kt b/src/main/kotlin/testing/Certs.kt
@@ -54,6 +54,15 @@ object Certs {
   val factoryIntermediate = certFactory.factoryIntermediate
   val remoteIntermediate = certFactory.remoteIntermediate
   val factoryAttestation = certFactory.factoryAttestation
+  val notSelfIssuedAnchor =
+    TrustAnchor(
+      certFactory.generateIntermediateCertificate(
+        publicKey = certFactory.rootKey.public,
+        signingKey = certFactory.rootKey.private,
+        issuer = X500Name("SERIALNUMBER=badc0de"),
+      ),
+      null,
+    )
 }
 
 /**

diff --git a/src/test/kotlin/provider/KeyAttestationCertPathValidatorTest.kt b/src/test/kotlin/provider/KeyAttestationCertPathValidatorTest.kt
@@ -18,6 +18,7 @@ package com.android.keyattestation.verifier.provider
 
 import com.android.keyattestation.verifier.KeyAttestationReason
 import com.android.keyattestation.verifier.testing.CertLists
+import com.android.keyattestation.verifier.testing.Certs.notSelfIssuedAnchor
 import com.android.keyattestation.verifier.testing.Certs.rootAnchor as testAnchor
 import com.android.keyattestation.verifier.testing.Chains
 import com.android.keyattestation.verifier.testing.FakeCalendar
@@ -167,6 +168,17 @@ class KeyAttestationCertPathValidatorTest {
     assertThat(exception.reason).isEqualTo(PKIXReason.NO_TRUST_ANCHOR)
   }
 
+  @Test
+  fun wrongAnchor_notSelfIssued_throwsCertPathValidatorException() {
+    val params =
+      PKIXParameters(setOf(notSelfIssuedAnchor)).apply { date = FakeCalendar.DEFAULT.today() }
+    val exception =
+      assertFailsWith<CertPathValidatorException> {
+        certPathValidator.validate(Chains.validFactoryProvisioned, params)
+      }
+    assertThat(exception.reason).isEqualTo(PKIXReason.NO_TRUST_ANCHOR)
+  }
+
   @Test
   fun wrongIssuer_throwsCertPathValidatorException() {
     val certPath = Chains.wrongIssuer