Removing cert chain check from broker app verification, Fixes AB#3437920 #2855
+18
−5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
melissaahn
added
the
No-Changelog
github-actions
bot
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR removes the certificate chain validation check from broker app verification by default, while introducing a feature flag to re-enable it if needed. This change aligns with a similar modification in the broker repository (referenced PR #3300).
Key Changes:
- Added a new feature flag
RE_ENABLE_VALIDATE_SIGNING_CERT_CHAIN_BROKER_APPS(default:false) to control certificate chain validation - Modified
BrokerValidator.validateSigningCertificate()to conditionally perform certificate chain validation only when the feature flag is enabled - The signature thumbprint validation (
verifySignatureHash) remains active in all cases; only the chain validation logic is now gated
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
common4j/src/main/com/microsoft/identity/common/java/flighting/CommonFlight.java |
Adds the RE_ENABLE_VALIDATE_SIGNING_CERT_CHAIN_BROKER_APPS feature flag enum with default value false to allow disabling certificate chain validation by default while maintaining rollback capability |
common/src/main/java/com/microsoft/identity/common/internal/broker/BrokerValidator.kt |
Wraps the certificate chain validation logic in a feature flag check, ensuring the validation is only executed when RE_ENABLE_VALIDATE_SIGNING_CERT_CHAIN_BROKER_APPS is enabled; imports the required flighting classes |
common/src/main/java/com/microsoft/identity/common/internal/broker/BrokerValidator.kt
Show resolved
Hide resolved
common/src/main/java/com/microsoft/identity/common/internal/broker/BrokerValidator.kt
Show resolved
Hide resolved
rpdome
approved these changes
Jan 6, 2026
shahzaibj
approved these changes
Jan 7, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
See https://github.com/AzureAD/ad-accounts-for-android/pull/3300. We are going to keep it consistent and also remove this check for broker app validation (but put a feature flag just in case).
AB#3437920