I am aware of this test and personally think the test case is overly restrictive and wrong. That said, I believe I can at least explain what is happening.
"A certificate MUST NOT appear more than once in a prospective
certification path."
In that test case, the rootCA is included in the x5c of the attestation response. You then try find a trust root from matching metadata.My understanding is that the test authors believe this constitutes a duplicate certificate in the certification path because the CA appears twice at the end.
Clearly the authors of the Java certificate validation code I am using don’t think so, because if you take a trust chain that includes a CA, and match it against a copy of that CA, then it works without error.
Similarly if you take a self-signed cert you can do the same thing.
Anyway, that’s what I believe is happening.
Regards,
Shane.