Skip to content

chore: simplify metadata statement check#777

Merged
Spomky merged 2 commits intoweb-auth:5.3.xfrom
zll600:feature/clean-up-metadata-statement-check
Dec 20, 2025
Merged

chore: simplify metadata statement check#777
Spomky merged 2 commits intoweb-auth:5.3.xfrom
zll600:feature/clean-up-metadata-statement-check

Conversation

@zll600
Copy link
Copy Markdown
Contributor

@zll600 zll600 commented Nov 26, 2025
edited
Loading

Target branch: 5.3.x
Resolves issue #

  • It is a Bug fix
  • It is a New feature
  • Breaks BC
  • Includes Deprecations

Overview

I submit this PR aims to make two changes for the CheckMetadataStatement

Simplify the Implementation

Current CheckMetadataStatement works really well and is excellent. But I think it's a little bit complex to understand the source code.

For example, we are checking the trust path of the none and self type attestation.

webauthn-framework/src/webauthn/src/CeremonyStep/CheckMetadataStatement.php

Lines 84 to 96 in 4d7c777

if ($publicKeyCredentialOptions->attestation === null || $publicKeyCredentialOptions->attestation === PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE) {
$this->logger->debug('No attestation is asked.');
if ($aaguid === '00000000-0000-0000-0000-000000000000' && in_array(
$attestationStatement->type,
[AttestationStatement::TYPE_NONE, AttestationStatement::TYPE_SELF],
true
)) {
$this->logger->debug('The Attestation Statement is anonymous.');
$this->checkCertificateChain($attestationStatement, null);
return;
}
return;
}

There are some points I think are a little bit complex to understand why we call the checkCertificateChain here

  1. No metadata statement provided to verify the trust path.
  2. Both None and Self type attestations do not include a valid trust path.

Add background info to explain the rationale

Current implementation handles aaguid 00000000-0000-0000-0000-000000000000 with special ways. But no explanation for it. I add more background to explain why we implement like this.

Note

I think the current implementation is really good. I opened this PR because I have some questions when reading the source code. Feel free to close this PR.

@zll600 zll600 force-pushed the feature/clean-up-metadata-statement-check branch from cca1b23 to 9aa1a6a Compare November 26, 2025 01:54
@zll600 zll600 marked this pull request as ready for review November 26, 2025 01:54
@Spomky Spomky force-pushed the feature/clean-up-metadata-statement-check branch from 9aa1a6a to 216f36e Compare December 20, 2025 13:23
@Spomky Spomky force-pushed the feature/clean-up-metadata-statement-check branch from 216f36e to 1584181 Compare December 20, 2025 20:30
@Spomky
Copy link
Copy Markdown
Contributor

Spomky commented Dec 20, 2025

Hi @zll600,

Many thanks for this PR. You’re right, this class was getting quite hard to read and maintain.
I took the opportunity to build on your work by adding a few complementary improvements and some additional references to the spec. I split the large process() method into smaller, more focused ones, and added a bit of structured logging to make debugging and audits easier.

@Spomky Spomky added this to the 5.3.0 milestone Dec 20, 2025
@Spomky Spomky added the enhancement New feature or request label Dec 20, 2025
@Spomky Spomky merged commit 8fb3981 into web-auth:5.3.x Dec 20, 2025
16 of 17 checks passed
@Spomky Spomky self-assigned this Dec 20, 2025
@zll600
Copy link
Copy Markdown
Contributor Author

zll600 commented Dec 21, 2025

Hi @Spomky, Really thanks.

Your changes make sense to me 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Spomky Spomky

Labels

enhancement New feature or request

Projects

None yet

Milestone

5.3.0

Development

Successfully merging this pull request may close these issues.

2 participants

@zll600 @Spomky