Comment added regarding the potential security issue if the certificate chain is not verified.

Useless and inconsistent check removed.

Author: Spomky

src/Component/KeyManagement/JWKFactory.php

@@ -359,6 +359,10 @@ public static function createFromKey(string $key, ?string $password = null, arra
 
     /**
      * This method will try to load and convert a X.509 certificate chain into a public key.
+     *
+     * Be careful! The certificate chain is loaded, but it is NOT VERIFIED by any mean!
+     * It is mandatory to verify the root CA or intermediate  CA are trusted.
+     * If not done, it may lead to potential security issues.
      */
     public static function createFromX5C(array $x5c, array $additional_values = []): JWK
     {

src/Component/KeyManagement/KeyConverter/KeyConverter.php

@@ -165,6 +165,11 @@ private static function sanitizePEM(string &$pem)
         $pem .= $matches[0][1].PHP_EOL;
     }
 
+    /**
+     * Be careful! The certificate chain is loaded, but it is NOT VERIFIED by any mean!
+     * It is mandatory to verify the root CA or intermediate  CA are trusted.
+     * If not done, it may lead to potential security issues.
+     */
     public static function loadFromX5C(array $x5c): array
     {
         $certificate = null;
@@ -204,9 +209,6 @@ public static function loadFromX5C(array $x5c): array
                 }
             }
         }
-        if (null === $certificate || null !== $last_issuer && \json_encode($last_issuer) !== \json_encode($last_subject)) {
-            throw new \InvalidArgumentException('Invalid certificate chain.');
-        }
 
         return self::loadKeyFromCertificate($certificate);
     }