From 9ba5038b4008edc923adf2f1cb389c6c11db77df Mon Sep 17 00:00:00 2001
From: Evgeny Margolis
Date: Mon, 28 Mar 2022 16:57:08 -0700
Subject: [PATCH] Fixed ValidateCertificateChain() Implementation for mbedTLS. (#16727)

In the mbedTLS implementation the root certificate shouldn't be included in the certificate chain. It is sufficient that it is included in the trusted certificates list.
---
 src/crypto/CHIPCryptoPALmbedTLS.cpp | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp
index 5b1a7709fb590b..d575ac46ffb4ce 100644
--- a/src/crypto/CHIPCryptoPALmbedTLS.cpp
+++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp
@@ -1302,10 +1302,6 @@ CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t root
 mbedResult = mbedtls_x509_crt_parse(&certChain, Uint8::to_const_uchar(caCertificate), caCertificateLen);
 VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kICAFormatInvalid, error = CHIP_ERROR_INTERNAL));
 
- /* Add the root to the chain */
- mbedResult = mbedtls_x509_crt_parse(&certChain, Uint8::to_const_uchar(rootCertificate), rootCertificateLen);
- VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kRootFormatInvalid, error = CHIP_ERROR_INTERNAL));
-
 /* Parse the root cert */
 mbedResult = mbedtls_x509_crt_parse(&rootCert, Uint8::to_const_uchar(rootCertificate), rootCertificateLen);
 VerifyOrExit(mbedResult == 0, (result = CertificateChainValidationResult::kRootFormatInvalid, error = CHIP_ERROR_INTERNAL));
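Review bot: The surviving `/* Parse the root cert */` comment no longer says why the root is parsed into `rootCert` and deliberately not appended to `certChain`; that rationale lives only in the commit message, so a later reader is likely to re-add the removed lines. I would replace it with `/* Parse the root into rootCert only: it is handed to verification as the trust anchor, never as a chain member (see #16727). */`. The verification call that consumes `certChain` and `rootCert` lies past the end of the hunk, and ValidateCertificateChain() continues outside it, so the patch alone does not show that `rootCert` is the sole trust store passed to mbedTLS. A unit test that validates a leaf -> ICA -> root chain through this PAL would pin the fix, if one does not already exist.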