Remove fallback to P256 in WebAuthn signer

[ernestognw]

Fixes #????

PR Checklist

• Tests
• Documentation
• Changeset entry (run npx changeset add)

[openzeppelin-security-agent]

The latest updates on your security scan. Learn more about OpenZeppelin Platform.

Project	Scan	Issues	Details	Updated
Openzeppelin Contracts	🟡 Queued	—	View	Feb 10, 2026, 4:36 AM (UTC)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2efd20b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The changes modify SignerWebAuthn._rawSignatureValidation to remove the fallback delegation to the parent's raw P256 validation. When WebAuthn.tryDecodeAuth(signature) fails, the function now returns false directly instead of delegating to super._rawSignatureValidation. The corresponding docstring is updated to reflect this behavior change, where non-WebAuthn assertions now yield false. A changelog entry documents this behavioral modification.

Possibly related PRs

• Defer signer() reads until after tryDecodeAuth success in SignerWebAuthn #6070: Modifies SignerWebAuthn._rawSignatureValidation with a different approach—defers signer() and retains fallback to super when decoding fails, whereas this PR removes the fallback entirely.

Suggested labels

ignore-changeset

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description lacks substantive detail about the changes, containing only unchecked checklist items and a placeholder issue reference.	Provide a meaningful description of the changes, including rationale for removing the P256 fallback and any migration guidance for users.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Remove fallback to P256 in WebAuthn signer' directly and specifically describes the primary change in the pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

CHANGELOG.md (1)

50-50: ⚠️ Potential issue | 🟡 Minor

Inconsistent documentation: line 50 still references the removed P256 fallback.

This entry under "Cryptography > Signers" still says SignerWebAuthn has "a P256 fallback," which contradicts the breaking change at line 10 that explicitly removes this fallback. Consider updating this description to reflect the current behavior.

📝 Suggested fix

-- `SignerWebAuthn`: Add an abstract signer that verifies WebAuthn signatures, with a P256 fallback. ([`#5809`](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/5809))
+- `SignerWebAuthn`: Add an abstract signer that verifies WebAuthn signatures. ([`#5809`](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/5809))

contracts/utils/cryptography/signers/SignerWebAuthn.sol (1)

10-14: ⚠️ Potential issue | 🟡 Minor

Contract docstring is inconsistent with new behavior.

The docstring states "It allows for both WebAuthn and raw P256 signature validation, providing compatibility with both signature types," but the new implementation only supports WebAuthn signatures and returns false for anything else. This documentation should be updated to reflect the current behavior.

📝 Suggested fix

 /**
  * `@dev` Implementation of {SignerP256} that supports WebAuthn authentication assertions.
  *
- * This contract enables signature validation using WebAuthn authentication assertions,
- * leveraging the P256 public key stored in the contract. It allows for both WebAuthn
- * and raw P256 signature validation, providing compatibility with both signature types.
+ * This contract enables signature validation using WebAuthn authentication assertions,
+ * leveraging the P256 public key stored in the contract. Signatures that are not valid
+ * WebAuthn authentication assertions will be rejected. To also support raw P256
+ * signatures, override {_rawSignatureValidation} and add a fallback to
+ * {SignerP256-_rawSignatureValidation}.
  *

🧹 Nitpick comments (1)

CHANGELOG.md (1)

10-10: Missing PR reference in changelog entry.

Other changelog entries include PR references (e.g., ([#5809](...))) for traceability. This entry should follow the same pattern.

📝 Suggested fix

-- `SignerWebAuthn`: The `_rawSignatureValidation` function now returns `false` when the signature is not a valid WebAuthn authentication assertion. P256 fallback is removed. Developers can add it back by overriding the function.
+- `SignerWebAuthn`: The `_rawSignatureValidation` function now returns `false` when the signature is not a valid WebAuthn authentication assertion. P256 fallback is removed. Developers can add it back by overriding the function. ([`#6337`](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/6337))