fix: derive compound attestation type from nested attestation types (#819)

Spomky · claude · web-flow · commit 7bdf75de3edd · 2026-03-22T18:54:03.000+01:00
Instead of hardcoding TYPE_BASIC, the compound attestation type is now
derived from the nested attestation types by selecting the weakest
(least trusted) type. This prevents misrepresenting the trust level
when sub-attestations have lower trust than basic.

Trust order (strongest to weakest): attca &gt; anonca &gt; basic &gt; self &gt; none

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/webauthn/src/AttestationStatement/CompoundAttestationStatementSupport.php b/src/webauthn/src/AttestationStatement/CompoundAttestationStatementSupport.php
@@ -34,6 +34,14 @@ final class CompoundAttestationStatementSupport implements AttestationStatementS
 {
     use AttestationStatementSupportManagerAwareTrait;
 
+    private const ATTESTATION_TYPE_TRUST_ORDER = [
+        AttestationStatement::TYPE_ATTCA,
+        AttestationStatement::TYPE_ANONCA,
+        AttestationStatement::TYPE_BASIC,
+        AttestationStatement::TYPE_SELF,
+        AttestationStatement::TYPE_NONE,
+    ];
+
     private EventDispatcherInterface $dispatcher;
 
     private ?float $ratio = 1.0;
@@ -118,11 +126,12 @@ public function load(array $attestation): AttestationStatement
 
         /** @var string $compoundFmt */
         $compoundFmt = $attestation['fmt'];
+        $attestationType = $this->deriveAttestationType($loadedAttestations);
         // Create a compound attestation statement with compound trust path
         $attestationStatement = AttestationStatement::create(
             $compoundFmt,
             $loadedAttestations,
-            AttestationStatement::TYPE_BASIC,
+            $attestationType,
             EmptyTrustPath::create()
         );
 
@@ -171,6 +180,28 @@ public function isValid(
         return $countValid / $total >= $this->ratio;
     }
 
+    /**
+     * Derives the compound attestation type from the nested attestation types
+     * by selecting the weakest (least trusted) type among them.
+     *
+     * @param array<AttestationStatement> $loadedAttestations
+     */
+    private function deriveAttestationType(array $loadedAttestations): string
+    {
+        $weakest = 0;
+        foreach ($loadedAttestations as $stmt) {
+            $index = array_search($stmt->type, self::ATTESTATION_TYPE_TRUST_ORDER, true);
+            if ($index === false) {
+                return AttestationStatement::TYPE_NONE;
+            }
+            if ($index > $weakest) {
+                $weakest = $index;
+            }
+        }
+
+        return self::ATTESTATION_TYPE_TRUST_ORDER[$weakest];
+    }
+
     private function checkRules(?float $ratio, ?int $minimum): void
     {
         if ($ratio !== null && ($ratio <= 0 || $ratio > 1)) {
diff --git a/tests/library/Unit/AttestationStatement/CompoundAttestationStatementSupportTest.php b/tests/library/Unit/AttestationStatement/CompoundAttestationStatementSupportTest.php
@@ -6,6 +6,7 @@
 
 use PHPUnit\Framework\Attributes\Test;
 use PHPUnit\Framework\TestCase;
+use Webauthn\AttestationStatement\AttestationStatement;
 use Webauthn\AttestationStatement\AttestationStatementSupportManager;
 use Webauthn\AttestationStatement\CompoundAttestationStatementSupport;
 use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
@@ -196,6 +197,35 @@ public function loadingCompoundAttestationWithUnsupportedNestedFormatThrowsExcep
         $support->load($attestation);
     }
 
+    #[Test]
+    public function loadingCompoundAttestationDerivesTypeFromNestedAttestations(): void
+    {
+        // Given
+        $manager = new AttestationStatementSupportManager([]);
+        $support = new CompoundAttestationStatementSupport();
+        $support->setAttestationStatementSupportManager($manager);
+
+        $attestation = [
+            'fmt' => 'compound',
+            'attStmt' => [
+                [
+                    'fmt' => 'none',
+                    'attStmt' => [],
+                ],
+                [
+                    'fmt' => 'none',
+                    'attStmt' => [],
+                ],
+            ],
+        ];
+
+        // When
+        $result = $support->load($attestation);
+
+        // Then — all nested are TYPE_NONE, so compound should derive TYPE_NONE
+        static::assertSame(AttestationStatement::TYPE_NONE, $result->type);
+    }
+
     #[Test]
     public function validatingCompoundAttestationWithValidNestedAttestationsSucceeds(): void
     {
