From d1abada868e9242b9d69461c160528a373cb8d78 Mon Sep 17 00:00:00 2001
From: Scott Helme
Date: Fri, 27 Mar 2026 23:02:39 +0000
Subject: [PATCH] Reject non-empty attStmt in none attestation format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per W3C WebAuthn spec §8.7, when the attestation format is "none", attStmt must be an empty CBOR map. The library previously returned true unconditionally without checking the contents.

Fixes lbuchs/WebAuthn#126
---
 src/Attestation/Format/None.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Attestation/Format/None.php b/src/Attestation/Format/None.php
index ba95e40..cab9b1b 100644
--- a/src/Attestation/Format/None.php
+++ b/src/Attestation/Format/None.php
@@ -25,6 +25,11 @@ public function getCertificatePem() {
 * @param string $clientDataHash
 */
 public function validateAttestation($clientDataHash) {
+ // §8.7: attStmt must be an empty CBOR map for "none" format.
+ if (\count($this->_attestationObject['attStmt']) > 0) {
+ throw new WebAuthnException('invalid none attestation: attStmt must be empty', WebAuthnException::INVALID_DATA);
+ }
+
 return true;
 }
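Review bot: The new check in validateAttestation assumes `$this->_attestationObject['attStmt']` is always present and decoded to an array; if the CBOR decoder can yield a missing key or a non-array value there, `\count()` throws a TypeError on PHP 8 (and returns 1 with a warning on older versions) instead of the library's WebAuthnException, so the caller's error handling for invalid attestations would not see it. I cannot tell from this hunk whether the base class already validates that shape, so if it does not, fold the type check into the guard: `if (!\is_array($this->_attestationObject['attStmt']) || \count($this->_attestationObject['attStmt']) > 0) {`. The spec requirement is specifically an empty map, and a non-array value is equally invalid for the "none" format, so rejecting it with the same INVALID_DATA code keeps the failure mode consistent. A regression test that feeds a "none" attestation with a non-empty attStmt and asserts the WebAuthnException would pin the new behaviour. The enclosing class continues outside the hunk.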