webauthn-framework

chore: simplify metadata statement check

Open zll600 opened this issue 1 month ago • 0 comments

Target branch: 5.3.x Resolves issue #

  • [ ] It is a Bug fix
  • [ ] It is a New feature
  • [ ] Breaks BC
  • [ ] Includes Deprecations

Overview

I submit this PR, which aims to make two changes to CheckMetadataStatement:

Simplify the Implementation

The current CheckMetadataStatement works really well and is excellent, but I think the source code is a little bit complex to understand.

For example, we are checking the trust path of the none and self type attestation. https://github.com/web-auth/webauthn-framework/blob/4d7c777ef4ac38b20b036283f091c8d235e16a66/src/webauthn/src/CeremonyStep/CheckMetadataStatement.php#L84-L96

There are some points that I think make it a little bit complex to understand why we call checkCertificateChain here:

  1. No metadata statement provided to verify the trust path.
  2. Both None and Self type attestations do not include a valid trust path.

Add background info to explain the rationale

The current implementation handles the aaguid 00000000-0000-0000-0000-000000000000 in a special way, but there is no explanation for it. I add more background to explain why we implement it like this.

Note

I think the current implementation is really good. I opened this PR because I had some questions when reading the source code. Feel free to close this PR.

zll600, Nov 26 '25 01:11