Validate digital certificate with ICP-Brasil [closed]

0

As we all know, it is possible to generate digital certificates on any computer. These certificates are valid, however, they do not belong to the ICP-Brasil certification chain.

How could this check be done using PHP?

I'm using the openssl_pkcs12_read and openssl_x509_parse functions to validate some data, such as the name of the certificate and the expiration date. Now I need to know if the certificate is valid in ICP-Brasil.

Has anyone ever gone through this? Do you know where I can find a light?

Thanks everyone!

asked by anonymous 26.01.2018 / 14:25

1 answer

1

You can start by looking at two pieces of certificate information, Issuer and AKI (Authority Key Identifier):

Issuer contains the name of the certificate authority that issued the certificate. To know the ICP-Brasil certifying authorities, you can consult this site, which has the list of all CAs and their respective sites.

At each CA site, look for "repository" or "certificates" (or something like that), and download the certificates for each. So you'll know the exact names of each one.

Therefore, the issuer of your certificate ("Issuer" or "Issuer Name" field, depending on the API used) should be the same as the name ("Subject" field) of the CA certificate.

But the name alone is not enough, since there is nothing to prevent 2 certificates with the same name, but different CAs. Therefore, you should check the Authority Key Identifier extension (also called AKI).

In ICP-Brasil, it was defined that this extension contains the hash of the public key of the CA that issued the certificate, and this value is also in the CA certificate, but in the Subject Key Identifier (or SKI) extension.

That is, the SKI of the CA certificate should have the same AKI value as the certificate you are verifying.

ICP-Brasil certificates have more than one "level" of hierarchy, so you should check the entire chain as well.

For example, an eCPF is usually issued by one of the accredited CAs (Serasa, Certisign, etc.). In turn, the certificates of these CAs were issued by the Federal Revenue Agency, which in turn was issued by the ICP-Brasil root CA (AC Raiz ICP-Brasil).

Ideally, you should validate the entire chain, but usually the APIs already have methods that are ready to do so, provided you supply the chain certificates via configuration or parameters (and these can be downloaded by following the links on the CAs' sites, as explained above). This varies depending on the API, but that is the general idea.

04.05.2018 / 19:38
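The answer's two checks, issuer name plus AKI/SKI matching walked up the whole hierarchy, and then a full verification delegated to OpenSSL, put together in PHP as an added example (this is not code from the question or the answer). It assumes a PKCS#12 file holding the user's certificate and a PEM bundle of ICP-Brasil CA certificates (root plus intermediates) downloaded from the CAs' repositories; the paths and password are placeholders, and `keyIdHex`, `matchesIssuer`, `loadBundle` and `chainToTrustedRoot` are names chosen for this example.

```php
<?php
declare(strict_types=1);
// Added example, not from the original question or answer. Placeholders below:
// a PKCS#12 with the user's certificate and a PEM bundle of ICP-Brasil CAs.
const PKCS12_FILE   = '/path/to/certificado.pfx';
const PKCS12_PASS   = 'change-me';
const ICPBRASIL_CAS = '/path/to/icp-brasil-cas.pem';   // root + intermediates, concatenated

/** Normalise "keyid:AB:CD:..." or "AB:CD:..." to lowercase hex without colons. */
function keyIdHex(string $raw): ?string
{
    // An AKI may also carry DirName:/serial: lines; keep only the keyid part.
    if (preg_match('/keyid:([0-9A-Fa-f:]+)/', $raw, $m)) {
        $raw = $m[1];
    }
    $hex = strtolower(str_replace(':', '', trim($raw)));
    return ($hex !== '' && ctype_xdigit($hex)) ? $hex : null;
}

/** The answer's rule: issuer DN must equal the CA's subject DN, and the AKI must equal the CA's SKI. */
function matchesIssuer(array $cert, array $ca): bool
{
    if ($cert['issuer'] !== $ca['subject']) {
        return false;
    }
    $aki = keyIdHex($cert['extensions']['authorityKeyIdentifier'] ?? '');
    $ski = keyIdHex($ca['extensions']['subjectKeyIdentifier'] ?? '');
    return $aki !== null && $ski !== null && hash_equals($ski, $aki);
}

/** Parse every certificate in a PEM bundle; each entry gets a '_fp' (SHA-256 fingerprint) key. */
function loadBundle(string $path): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
                   (string) file_get_contents($path), $m);
    $out = [];
    foreach ($m[0] as $pem) {
        $p = openssl_x509_parse($pem);
        if ($p !== false) {
            $p['_fp'] = openssl_x509_fingerprint($pem, 'sha256');
            $out[] = $p;
        }
    }
    return $out;
}

/**
 * Walk from $leaf up to a self-signed certificate using matchesIssuer().
 * Returns the subject names along the path, or null when the chain breaks or
 * ends at a self-signed certificate that is not in the trusted bundle (this
 * is what rejects a certificate generated locally on "any computer").
 */
function chainToTrustedRoot(array $leaf, array $bundle): ?array
{
    $trustedFps = array_column($bundle, '_fp');
    $path = [];
    $current = $leaf;
    for ($depth = 0; $depth < 10; $depth++) {
        $path[] = $current['name'];
        if ($current['subject'] === $current['issuer']) {       // self-signed: candidate root
            return in_array($current['_fp'], $trustedFps, true) ? $path : null;
        }
        $next = null;
        foreach ($bundle as $ca) {
            if (matchesIssuer($current, $ca)) { $next = $ca; break; }
        }
        if ($next === null) {
            return null;                                         // issuer not in the bundle
        }
        $current = $next;
    }
    return null;                                                 // chain unreasonably long
}

$p12 = [];
if (!openssl_pkcs12_read((string) file_get_contents(PKCS12_FILE), $p12, PKCS12_PASS)) {
    fwrite(STDERR, "Cannot open PKCS#12: " . openssl_error_string() . "\n");
    exit(1);
}
$leaf = openssl_x509_parse($p12['cert']);
if ($leaf === false) {
    fwrite(STDERR, "Cannot parse certificate\n");
    exit(1);
}
$leaf['_fp'] = openssl_x509_fingerprint($p12['cert'], 'sha256');

$path = chainToTrustedRoot($leaf, loadBundle(ICPBRASIL_CAS));
echo $path === null ? "Not chained to the ICP-Brasil bundle\n"
                    : "Chain: " . implode("\n    -> ", $path) . "\n";

// Independent second check: OpenSSL verifies signatures, validity dates and basic
// constraints against the same bundle; extra certs inside the PKCS#12 are offered
// as untrusted intermediates.
$untrusted = null;
if (!empty($p12['extracerts'])) {
    $untrusted = tempnam(sys_get_temp_dir(), 'icp');
    file_put_contents($untrusted, implode("\n", $p12['extracerts']));
}
$verified = openssl_x509_checkpurpose($p12['cert'], X509_PURPOSE_ANY, [ICPBRASIL_CAS], $untrusted);
if ($untrusted !== null) {
    unlink($untrusted);
}
echo $verified === true ? "OpenSSL chain verification: OK\n" : "OpenSSL chain verification: FAILED\n";
exit(($path !== null && $verified === true) ? 0 : 1);
```

The name and AKI/SKI walk only establishes which CA certificate claims to be the issuer; it does not check any signature, so a forged certificate that copies a real CA's Subject and SKI into its Issuer and AKI would pass it. That is why the `openssl_x509_checkpurpose` step is kept as well: it validates the signatures and dates along the chain against the bundle given as the trusted store. Neither step checks revocation (CRL or OCSP), which ICP-Brasil CAs also publish and which a production validator would need to add.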