Skip to content

Reject non-empty attStmt in none attestation format#127

Open
ScottHelme wants to merge 1 commit intolbuchs:masterfrom
ScottHelme:reject-nonempty-none-attstmt
Open

Reject non-empty attStmt in none attestation format#127
ScottHelme wants to merge 1 commit intolbuchs:masterfrom
ScottHelme:reject-nonempty-none-attstmt

Conversation

@ScottHelme
Copy link
Copy Markdown

@ScottHelme ScottHelme commented Mar 27, 2026

Per W3C WebAuthn spec §8.7 (None Attestation Statement Format):

"If attStmt is a properly formed attestation statement, verify that attStmt is an empty CBOR map."

Currently None::validateAttestation() returns true unconditionally without checking attStmt. This means an attestation object with fmt: "none" but arbitrary data in attStmt is silently accepted.

This adds a check that throws WebAuthnException::INVALID_DATA if attStmt is not empty:

if (\count($this->_attestationObject['attStmt']) > 0) {
    throw new WebAuthnException('invalid none attestation: attStmt must be empty', WebAuthnException::INVALID_DATA);
}

Fixes #126

@ScottHelme
Reject non-empty attStmt in none attestation format
d1abada 
Per W3C WebAuthn spec §8.7, when the attestation format is "none",
attStmt must be an empty CBOR map. The library previously returned
true unconditionally without checking the contents.

Fixes lbuchs#126
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

None attestation format accepts non-empty attStmt

1 participant

@ScottHelme