feat(protocol): enhance mds errors

[james-d-elliott]

This adds significant improvements to the MDS3 errors helping identify the root cause of a validation error.

[coderabbitai]

Walkthrough

The changes primarily focus on enhancing the error handling and validation processes within the VerifyAttestation method of the AttestationObject struct in protocol/attestation.go, as well as the ValidateMetadata function in protocol/metadata.go. A new error variable, ErrMetadata, is introduced in protocol/errors.go to handle specific metadata validation errors. The validateLogin method in webauthn/login.go is updated to include additional parameters for improved credential validation. Overall, these modifications streamline control flows and improve error reporting.

Changes

File	Change Summary
protocol/attestation.go	Modified VerifyAttestation method to include new error handling logic and streamlined flow.
protocol/errors.go	Introduced new error variable ErrMetadata for handling invalid metadata errors.
protocol/metadata.go	Updated ValidateMetadata function to return a pointer to Error and added validation for attestationType.
webauthn/login.go	Enhanced validateLogin method to include credential.AttestationType for better validation.
protocol/assertion.go	Updated ParseCredentialRequestResponse and Parse methods for improved type safety.
protocol/credential.go	Modified Parse method to use a constant for credential type instead of a string literal.
README.md	Updated Go version support policy and credential type definitions for clarity and type safety.
protocol/attestation_tpm.go	Enhanced error handling and logic for attestation verification related to SAN and EKU.

Possibly related issues

• Documentation doesn't define credentialBytes for parsedCredentialRequest.Verify #291: The changes in the documentation regarding the credentialBytes term could be linked to the modifications in the VerifyAttestation method, which enhances clarity around credential handling.

Possibly related PRs

• feat(metadata)!: rework as a provider #239: This PR introduces a new metadata.Provider which is relevant to the changes in the VerifyAttestation method that now accepts a metadata.Provider parameter for enhanced validation of attestation objects.
• FIx TPM attestation certificate problem #345: This PR modifies the VerifyAttestation method in protocol/attestation.go, enhancing the handling of attestation certificates, which directly relates to the changes made in the main PR regarding the VerifyAttestation method.
• refactor(protocol): adjust formatting #358: This PR includes changes to the protocol/attestation.go file, specifically refining the VerifyAttestation method, which aligns with the modifications made in the main PR to improve clarity and robustness in certificate validation.

Poem

🐰 In the meadow where data flows,
New checks and balances, how it glows!
With errors caught and types defined,
Our code now dances, beautifully aligned.
So hop along, let’s validate,
For every byte, we celebrate! 🎉

Tip

CodeRabbit's docstrings feature is now available as part of our Early Access Program! Simply use the command @coderabbitai generate docstrings to have CodeRabbit automatically generate docstrings for your pull request. We would love to hear your feedback on Discord.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (7)

protocol/errors.go (2)

43-46: Add a default details message for consistency

Unlike other error definitions in this file, ErrMetadata has an empty Details field. Consider adding a default message to maintain consistency and provide immediate context when the error is used without calling WithDetails().

 ErrMetadata = &Error{
   Type:    "invalid_metadata",
-  Details: "",
+  Details: "Error validating metadata statement",
 }

---

43-46: Consider maintaining alphabetical ordering of error definitions

The new ErrMetadata is placed between ErrInvalidAttestation and ErrAttestationFormat, breaking the apparent alphabetical ordering of error variables. Consider moving it after ErrInvalidAttestation but before ErrNotImplemented to maintain consistent ordering.

protocol/metadata.go (3)

22-22: Typographical Error in Error Message

The word "retrieving" is misspelled as "retreiving" in the error message. Please correct the spelling to improve clarity.

Apply this diff to fix the typo:

- return nil, ErrMetadata.WithInfo(fmt.Sprintf("Failed to validate authenticator metadata for Authenticator Attestation GUID '%s'. Error occurred retreiving the metadata entry: %+v", aaguid, err))
+ return nil, ErrMetadata.WithInfo(fmt.Sprintf("Failed to validate authenticator metadata for Authenticator Attestation GUID '%s'. Error occurred retrieving the metadata entry: %+v", aaguid, err))

---

49-49: Inconsistent Return Value on Attestation Type Mismatch

When the attestation type is not found, the function returns (entry, ErrMetadata.WithInfo(...)). In other error cases where validation fails, the function returns (nil, error). For consistency and to avoid potential confusion, consider returning (nil, error) when an error occurs.

Apply this diff to make the return value consistent:

- return entry, ErrMetadata.WithInfo(fmt.Sprintf("Failed to validate authenticator metadata for Authenticator Attestation GUID '%s'. The attestation type '%s' is not known to be used by this authenticator.", aaguid.String(), attestationType))
+ return nil, ErrMetadata.WithInfo(fmt.Sprintf("Failed to validate authenticator metadata for Authenticator Attestation GUID '%s'. The attestation type '%s' is not known to be used by this authenticator.", aaguid.String(), attestationType))

---

55-55: Inconsistent Return Value on Status Validation Error

Similarly, when mds.ValidateStatusReports returns an error, the function returns (entry, error). To maintain consistency across the function, consider returning (nil, error) unless there is a specific reason to return the entry alongside the error.

Apply this diff to align the return values:

- return entry, ErrMetadata.WithInfo(fmt.Sprintf("Failed to validate authenticator metadata for Authenticator Attestation GUID '%s'. Error occurred validating the authenticator status: %+v", aaguid, err))
+ return nil, ErrMetadata.WithInfo(fmt.Sprintf("Failed to validate authenticator metadata for Authenticator Attestation GUID '%s'. Error occurred validating the authenticator status: %+v", aaguid, err))

protocol/attestation.go (1)

190-190: Use the declared context variable ctx

The context variable ctx is declared but not used. Consider using ctx in the call to ValidateMetadata for consistency.

Apply this diff to utilize the ctx variable:

 var protoErr *Error

 ctx := context.Background()

- if entry, protoErr = ValidateMetadata(context.Background(), aaguid, attestationType, mds); protoErr != nil {
+ if entry, protoErr = ValidateMetadata(ctx, aaguid, attestationType, mds); protoErr != nil {

webauthn/login.go (1)

320-323: Consider passing a context instead of using context.Background()

Using context.Background() may limit the ability to handle cancellations and timeouts effectively. Consider passing a context.Context from the caller to allow for better control over the execution flow and resource management.

Apply the following changes:

1. Modify the call to ValidateMetadata:

   -		if _, protoErr = protocol.ValidateMetadata(context.Background(), aaguid, credential.AttestationType, webauthn.Config.MDS); protoErr != nil {
   +		if _, protoErr = protocol.ValidateMetadata(ctx, aaguid, credential.AttestationType, webauthn.Config.MDS); protoErr != nil {

2. Update the function signature to accept a context.Context:

   -	func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedResponse *protocol.ParsedCredentialAssertionData) (*Credential, error) {
   +	func (webauthn *WebAuthn) validateLogin(ctx context.Context, user User, session SessionData, parsedResponse *protocol.ParsedCredentialAssertionData) (*Credential, error) {

3. Ensure that all callers of validateLogin pass the appropriate context. For example:

   -	return webauthn.validateLogin(user, session, parsedResponse)
   +	return webauthn.validateLogin(ctx, user, session, parsedResponse)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between e5657ab and 0ee4cb8.

📒 Files selected for processing (4)

• protocol/attestation.go (1 hunks)
• protocol/errors.go (1 hunks)
• protocol/metadata.go (1 hunks)
• webauthn/login.go (1 hunks)

🔇 Additional comments (2)

protocol/errors.go (1)

43-46: Verify error handling consistency across metadata validation

Let's ensure this new error is properly integrated with appropriate error details where used.

✅ Verification successful

Error handling is consistent but uses WithInfo instead of WithDetails

The error is properly integrated across the codebase in protocol/metadata.go with detailed error messages, but it consistently uses WithInfo() method instead of WithDetails(). All usages provide specific error context including the AAGUID and detailed failure reasons. The error is used in appropriate scenarios:

• When metadata entry retrieval fails
• When authenticator has no registered metadata
• When attestation type validation fails
• When status report validation fails

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check how ErrMetadata is used across the codebase
# Expect: Usage in ValidateMetadata with WithDetails() calls

# Check for direct ErrMetadata usage
rg "ErrMetadata" -B 2 -A 2

# Check for "invalid_metadata" type usage
rg "invalid_metadata" -B 2 -A 2

# Look for potential error wrapping patterns
ast-grep --pattern 'WithDetails($$$)'

Length of output: 1982

protocol/metadata.go (1)

14-14: Verify the Handling of Nil Metadata Provider

When mds == nil, the function returns (nil, nil). Ensure that this behavior is intentional and that the calling code correctly handles a nil entry and a nil error. If a nil mds should be considered an error, you might want to return an appropriate error to avoid potential nil pointer dereferences.

Run the following script to check how ValidateMetadata is called in the codebase and whether mds can be nil:

✅ Verification successful

Returning nil, nil for a nil Provider is Correct

The current behavior is intentional and safe. From the code analysis:

1. The webauthn.Config.MDS is explicitly checked for nil before calling ValidateMetadata
2. The ValidateMetadata function gracefully handles both nil provider and nil entry cases
3. The metadata validation is an optional feature, as evidenced by the conditional checks in login.go

The function correctly follows the pattern where a nil provider indicates that metadata validation is disabled, which is a valid configuration state. No changes are needed.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Find all calls to ValidateMetadata and check for nil `mds`.

# Search for all usages of ValidateMetadata
rg 'ValidateMetadata\('

# Check if `mds` is ever passed as `nil`
rg -A2 -B2 'ValidateMetadata\([^,]+,[^,]+,[^,]+,\s*nil\)'

Length of output: 552

---

Script:

#!/bin/bash
# Let's check how webauthn.Config.MDS is used and initialized
rg -A 5 -B 5 'Config.*MDS'

# Let's also check the metadata.Provider interface definition
ast-grep --pattern 'type Provider interface {
  $$$
}'

# And check if there are any tests that verify nil provider behavior
rg -A 5 -B 5 'TestValidateMetadata'

Length of output: 4107

---

Script:

#!/bin/bash
# Let's check the implementation of ValidateMetadata to understand the nil handling logic
rg -A 20 "func ValidateMetadata"

# Let's also check if there are any tests in protocol package
fd ".*_test.go" protocol/ --exec rg -l "TestValidate"

Length of output: 1340

[coderabbitai]

⚠️ Potential issue

Possible Type Conversion Issue in Attestation Type Comparison

In the comparison string(atype) == attestationType, there may be a type mismatch. If atype is not inherently a string, converting it using string(atype) might not yield the expected result. Ensure that atype is properly converted to a string that represents the attestation type.

Apply this diff if atype is of a custom type that implements String():

- if string(atype) == attestationType {
+ if atype.String() == attestationType {

Alternatively, if attestationType can be converted to the same type as atype, consider:

- if string(atype) == attestationType {
+ if atype == metadata.AttestationType(attestationType) {

Please verify that the comparison accurately reflects the intended logic.

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

protocol/metadata.go (2)

90-90: Fix spelling error in error message

The word "agaisnt" is misspelled and should be "against".

- return ErrMetadata.WithDetails(fmt.Sprintf("Failed to validate attestation statement signature during attestation validation for Authenticator Attestation GUID '%s'. The attestation certificate could not be verified due to an error validating the trust chain agaisnt the Metadata Service.", aaguid))
+ return ErrMetadata.WithDetails(fmt.Sprintf("Failed to validate attestation statement signature during attestation validation for Authenticator Attestation GUID '%s'. The attestation certificate could not be verified due to an error validating the trust chain against the Metadata Service.", aaguid))

🧰 Tools

🪛 golangci-lint (1.62.2)

90-90: agaisnt is a misspelling of against

(misspell)

---

72-91: Consider using error constants for common error messages

The error messages for certificate validation are quite long and repeated. Consider extracting them into constants for better maintainability and consistency.

Example:

const (
    errNoCertificates       = "The attestation had no certificates"
    errCertificateTypeMismatch = "The first certificate in the attestation was type '%T' but '[]byte' was expected"
    errFullFormatUnsupported = "Attestation was provided in the full format but the authenticator doesn't support the full attestation format"
    // ... more constants
)

🧰 Tools

🪛 golangci-lint (1.62.2)

90-90: agaisnt is a misspelling of against

(misspell)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0ee4cb8 and 493a377.

📒 Files selected for processing (4)

• protocol/attestation.go (1 hunks)
• protocol/errors.go (1 hunks)
• protocol/metadata.go (2 hunks)
• webauthn/login.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• protocol/attestation.go
• protocol/errors.go
• webauthn/login.go

🧰 Additional context used

🪛 golangci-lint (1.62.2)

protocol/metadata.go

13-13: cyclomatic complexity 21 of func ValidateMetadata is high (> 15)

(gocyclo)

---

90-90: agaisnt is a misspelling of against

(misspell)

🔇 Additional comments (3)

protocol/metadata.go (3)

Line range hint 23-38: LGTM! Enhanced error messages provide better context

The entry validation logic has been improved with detailed error messages that include the AAGUID, making it easier to diagnose issues.

🧰 Tools

🪛 golangci-lint (1.62.2)

90-90: agaisnt is a misspelling of against

(misspell)

---

42-48: Ensure safe type conversion in attestation type comparison

The string(atype) conversion might not yield the expected result if atype is not inherently a string.

Consider using the type's String() method or proper type conversion:

- if string(atype) == attestationType {
+ if atype.String() == attestationType {

---

54-59: LGTM! Clear error handling for status validation

The status validation error handling has been improved with detailed context.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

protocol/metadata.go (2)

96-96: Fix spelling error in error message

There's a spelling error in the error message: "agaisnt" should be "against".

Apply this diff:

-				return ErrMetadata.WithDetails(fmt.Sprintf("Failed to validate attestation statement signature during attestation validation for Authenticator Attestation GUID '%s'. The attestation certificate could not be verified due to an error validating the trust chain agaisnt the Metadata Service.", aaguid))
+				return ErrMetadata.WithDetails(fmt.Sprintf("Failed to validate attestation statement signature during attestation validation for Authenticator Attestation GUID '%s'. The attestation certificate could not be verified due to an error validating the trust chain against the Metadata Service.", aaguid))

🧰 Tools

🪛 golangci-lint (1.62.2)

96-96: agaisnt is a misspelling of against

(misspell)

---

76-82: Consider additional error handling for certificate parsing

While the current error handling is good, consider adding validation for the certificate data length before parsing:

 if data, ok = x5cs[0].([]byte); !ok {
     return ErrMetadata.WithDetails(fmt.Sprintf("Failed to parse attestation certificate from x5c during attestation validation for Authenticator Attestation GUID '%s'.", aaguid)).WithInfo(fmt.Sprintf("The first certificate in the attestation was type '%T' but '[]byte' was expected", x5cs[0]))
 }

+if len(data) == 0 {
+    return ErrMetadata.WithDetails(fmt.Sprintf("Failed to parse attestation certificate from x5c during attestation validation for Authenticator Attestation GUID '%s'.", aaguid)).WithInfo("The certificate data is empty")
+}
+
 if x5c, err = x509.ParseCertificate(data); err != nil {
     return ErrMetadata.WithDetails(fmt.Sprintf("Failed to parse attestation certificate from x5c during attestation validation for Authenticator Attestation GUID '%s'.", aaguid)).WithInfo(fmt.Sprintf("Error returned from x509.ParseCertificate: %+v", err))
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 493a377 and 9ac95ef.

📒 Files selected for processing (4)

• protocol/attestation.go (1 hunks)
• protocol/errors.go (1 hunks)
• protocol/metadata.go (2 hunks)
• webauthn/login.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• protocol/attestation.go
• protocol/errors.go
• webauthn/login.go

🧰 Additional context used

🪛 golangci-lint (1.62.2)

protocol/metadata.go

13-13: cyclomatic complexity 23 of func ValidateMetadata is high (> 15)

(gocyclo)

---

96-96: agaisnt is a misspelling of against

(misspell)

🔇 Additional comments (4)

protocol/metadata.go (4)

Line range hint 23-38: LGTM! Error handling improvements

The error handling has been enhanced with more descriptive messages using ErrMetadata.WithInfo. The special case handling for zero AAGUID is well-implemented.

🧰 Tools

🪛 golangci-lint (1.62.2)

96-96: agaisnt is a misspelling of against

(misspell)

---

42-48: Possible Type Conversion Issue in Attestation Type Comparison

The comparison string(atype) == attestationType might not yield the expected result if atype is not inherently a string type.

Let's verify the type definition:

#!/bin/bash
# Search for AttestationType definition
ast-grep --pattern 'type AttestationType'

---

54-59: LGTM! Clear status validation

The status validation logic is well-structured with proper error handling and descriptive messages.

---

13-21: 🛠️ Refactor suggestion

Consider decomposing the function to reduce complexity

The function's cyclomatic complexity has increased to 23 (> 15), making it harder to maintain and test. Consider breaking it down into smaller, focused functions.

Consider splitting into these functions:

func validateEntry(ctx context.Context, mds metadata.Provider, aaguid uuid.UUID) *Error
func validateAttestationType(ctx context.Context, entry *metadata.Entry, attestationType string) *Error
func validateStatus(ctx context.Context, mds metadata.Provider, entry *metadata.Entry) *Error
func validateTrustAnchor(ctx context.Context, mds metadata.Provider, entry *metadata.Entry, attestationType string, x5cs []any) *Error

🧰 Tools

🪛 golangci-lint (1.62.2)

13-13: cyclomatic complexity 23 of func ValidateMetadata is high (> 15)

(gocyclo)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (17)

protocol/attestation_tpm.go (2)

223-239: Documentation is clear and references the relevant RFC.
These docstrings provide a solid explanation of the SAN structure. Including direct links or referencing the specific subsection in RFC 5280 could further assist contributors.

---

Line range hint 388-434: Clear separation of concerns in SAN extension parsing.
Returning a custom *Error type helps maintain clarity in error handling. The checks for empty manufacturer, model, and version are appropriate. However, if partial device attributes exist, consider presenting a more granular error message identifying which field is missing.

🧰 Tools

🪛 golangci-lint (1.62.2)

406-406: Consider pre-allocating unhandled

(prealloc)

protocol/assertion.go (2)

109-111: Selective handling of known AuthenticatorAttachment values.
Casting to AuthenticatorAttachment and selectively storing recognized values is concise and clear. Consider adding a default branch to log or handle unexpected attachments, if relevant.

---

146-148: Comment block clarifies the scope of steps being performed.
These lines help explain the following verification logic, though referencing the exact paragraph of the WebAuthn spec could further assist new contributors.

protocol/attestation_packed.go (1)

210-210: Clear specification reference.

Adding the comment referencing §4.1 clarifies the step for validating the attested algorithm, enhancing code readability.

protocol/attestation_tpm_test.go (1)

33-33: Consider removing redundant error check.
Line 32 already uses require.NoError(t, err) which will halt execution if err is non-nil. This subsequent if-statement on line 33 is therefore redundant.

 require.NoError(t, err)

-if err != nil {
-	t.Fatalf("Not valid: %+v", err)
-}

protocol/metadata.go (7)

13-13: Refactor suggestion for high cyclomatic complexity in ValidateMetadata.
The function’s cyclomatic complexity is 25 (>15). Consider splitting it into smaller helper functions for improved readability and maintainability.

🧰 Tools

🪛 golangci-lint (1.62.2)

13-13: cyclomatic complexity 25 of func ValidateMetadata is high (> 15)

(gocyclo)

---

24-24: Typographical fix: "retreiving" → "retrieving".
Improve clarity in the error message by correcting the spelling.

- Error occurred retreiving the metadata entry
+ Error occurred retrieving the metadata entry

---

39-53: Use a consistent approach for attestation-type matching.
Current code checks attestation types in a loop. If you frequently compare or log these types, consider switching to typed constants or enumerations to avoid mismatches.

---

50-51: Provide fallback or more context in error.
When no matching attestation type is found, the error might benefit from suggesting known or expected attestation types.

---

73-77: Improve error granularity for x5c parse type mismatch.
It might be useful to mention the index/ordinal in the error details to help pinpoint the offending certificate. The loopOrdinalNumber function is invoked below, but consider reusing it here if relevant.

---

78-81: Consider adding context to parse errors.
When x509.ParseCertificate fails, you might include the ordinal number or partial certificate data for easier debugging.

---

95-102: Typographical fix: "agaisnt" → "against".
Line 101 has the misspelling in the error message.

- error validating the trust chain agaisnt the Metadata Service
+ error validating the trust chain against the Metadata Service

🧰 Tools

🪛 golangci-lint (1.62.2)

101-101: agaisnt is a misspelling of against

(misspell)

protocol/attestation.go (3)

146-151: Confirm necessity of detailed comment.
These lines are purely comments describing the approach. Ensure they are still accurate given recently introduced logic and the updated attestation format references.

---

187-187: Consider a non-Background context.
Using context.Background() might hide cancellation or deadlines from upstream. Evaluate whether the calling context can be passed here instead.

---

189-190: Improve error context.
Including “protoErr” in the error message is useful, but consider also referencing attestationType or other local variables for deeper debugging.

README.md (1)

240-240: Replace hard tab with spaces.
In Markdown, use spaces to avoid potential rendering issues.

-		Type: protocol.PublicKeyCredentialType,
+    Type: protocol.PublicKeyCredentialType,

🧰 Tools

🪛 Markdownlint (0.37.0)

240-240: Column: 1
Hard tabs

(MD010, no-hard-tabs)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ac95ef and acf168c.

📒 Files selected for processing (18)

• README.md (1 hunks)
• protocol/assertion.go (3 hunks)
• protocol/assertion_test.go (2 hunks)
• protocol/attestation.go (2 hunks)
• protocol/attestation_androidkey_test.go (1 hunks)
• protocol/attestation_apple.go (2 hunks)
• protocol/attestation_packed.go (2 hunks)
• protocol/attestation_packed_test.go (1 hunks)
• protocol/attestation_safetynet.go (1 hunks)
• protocol/attestation_tpm.go (7 hunks)
• protocol/attestation_tpm_test.go (1 hunks)
• protocol/client.go (1 hunks)
• protocol/credential.go (1 hunks)
• protocol/credential_test.go (4 hunks)
• protocol/errors.go (1 hunks)
• protocol/metadata.go (2 hunks)
• protocol/options_test.go (1 hunks)
• webauthn/login.go (2 hunks)

✅ Files skipped from review due to trivial changes (3)

• protocol/client.go
• protocol/attestation_packed_test.go
• protocol/attestation_apple.go

🚧 Files skipped from review as they are similar to previous changes (2)

• protocol/errors.go
• webauthn/login.go

🧰 Additional context used

🪛 Markdownlint (0.37.0)

README.md

240-240: Column: 1
Hard tabs

(MD010, no-hard-tabs)

🪛 golangci-lint (1.62.2)

protocol/metadata.go

13-13: cyclomatic complexity 25 of func ValidateMetadata is high (> 15)

(gocyclo)

---

101-101: agaisnt is a misspelling of against

(misspell)

🔇 Additional comments (22)

protocol/attestation_tpm.go (4)

118-118: Well-structured verification of TPM CertInfo consistency.
This check correctly ensures that certInfo.ExtraData matches the expected hash of the concatenated authenticator data and client data. No issues found.

---

Line range hint 289-319: Potential edge case handling for 'id:' prefix.
Unmarshaling into tpmDeviceAttributes and trimming the "id:" prefix is straightforward. However, if "id:" is absent or partially spelled, the code silently sets the string as-is. Consider confirming that an "id:" prefix is truly expected, and handle partial matches or unexpected values.

---

370-386: Straightforward hierarchy checks for AIK CA certificate.
This function cleanly orchestrates SAN parsing and EKU removal. The loop that processes parent certificates also returns early upon first failure, which seems correct in preventing partial acceptance of a broken chain.

---

Line range hint 434-455: Mutating certificate UnknownExtKeyUsage in place.
This function removes invalid or unrecognized EKUs and checks for mandatory AIK usage. The in-place update of x5c.UnknownExtKeyUsage is intentional. Just ensure that no other code path relies on the original EKUs before this modification.

🧰 Tools

🪛 golangci-lint (1.62.2)

435-435: Consider pre-allocating unknown

(prealloc)

protocol/options_test.go (1)

30-30: Use of PublicKeyCredentialType constant improves maintainability.
Replacing the hardcoded string with a typed constant ensures consistency and reduces the risk of typos across the codebase.

protocol/attestation_safetynet.go (1)

88-88: Properly parsing the certificate from the SafetyNet JWT header.
This approach, using x509.ParseCertificate, is aligned with best practices for validating SafetyNet attestations. No issues found.

protocol/attestation_androidkey_test.go (1)

57-57: Enhanced test assertion ensures correctness.
Verifying the return value is consistent with the expected output. This clarifies test intentions.

protocol/assertion.go (2)

57-60: Ensuring request body is fully discarded and closed.
Capturing the body reading/closing in a defer function is a best practice that aids connection reuse. This pattern is safe for all typical use cases.

---

103-103: Type check leverages typed constant for clarity.
Switching to string(PublicKeyCredentialType) for comparison is more robust than a hardcoded string, avoiding accidental mismatch.

protocol/assertion_test.go (2)

47-47: Use of typed constant instead of magic string.

Replacing the hard-coded "public-key" value with string(PublicKeyCredentialType) promotes consistency and reduces the risk of typographical errors.

---

77-77: Consistent credential type checks.

Updating the credential type to string(PublicKeyCredentialType) keeps it in sync with the existing constant, improving maintainability in test assertions.

protocol/attestation_packed.go (1)

226-227: Helpful documentation for signature verification flow.

These comments illustrate the signature validation over authData + clientDataHash, aligning with the official spec guidelines without altering logic.

protocol/credential.go (1)

118-118: Robust type check for credential creation.

Ensuring that PublicKeyCredentialType matches "public-key" via a typed constant avoids magic strings and possible mismatches. Well done.

protocol/credential_test.go (4)

44-44: Test alignment with the typed credential.

Using string(PublicKeyCredentialType) in tests guarantees consistency with production code, preventing accidental string mismatches.

---

77-77: Improved maintainability of credential tests.

This reiterates the same change—switching to the typed constant ensures consistent usage across test and production code.

---

185-185: Unified approach for credential type verification in tests.

Replacing the hard-coded value maintains a single source of truth, making future refactors simpler.

---

213-213: Update to typed constant for clarity.

Adopting string(PublicKeyCredentialType) clarifies that we are testing a public-key credential properly.

protocol/metadata.go (5)

54-59: ValidateStatus call looks correct.
The error handling properly wraps and returns a contextual message.

---

60-64: Double-check the early return when x5cs is empty.
Returning nil might skip further validation that could still be necessary. Confirm that a missing x5cs array is always valid in your scenario.

---

89-94: Check TPM-specific logic.
The code specifically calls tpmParseAIKAttCA only if attestationType == string(metadata.AttCA). Ensure that all expected TPM attestation types are covered and tested.

---

108-126: loopOrdinalNumber method is well-structured.
The switch statement neatly handles ordinal variants.

---

33-33: Clarify reason for returning nil.
When no metadata entry is found, yet the code returns nil here. Verify that skipping validation is the intended behavior, especially for AAGUIDs with no metadata.

✅ Verification successful

Let me gather more context about the validation logic by checking the surrounding code.

---

Let me check the validation configuration methods to understand the complete validation logic.

---

Let me check the memory provider's initialization to understand how these validation flags are configured.

---

Based on the gathered context, I can now provide the final response:

The return behavior for missing metadata entries is correct and well-documented

The code follows a clear validation strategy where:

• For zero AAGUID: Returns nil if GetValidateEntryPermitZeroAAGUID is true
• For missing entries: Returns error if GetValidateEntry is true, nil otherwise
• Default configuration (seen in cached provider) enforces validation (WithValidateEntry(true)) and doesn't permit zero AAGUID (WithValidateEntryPermitZeroAAGUID(false))

The error message is appropriate as it clearly indicates the validation failure reason for missing metadata entries.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Searching for any usage of the "GetValidateEntryPermitZeroAAGUID" method calls
# to see if there's code that expects a particular reaction to missing entries.
rg -A 5 'GetValidateEntryPermitZeroAAGUID'

Length of output: 1670

---

Script:

#!/bin/bash
# Check the full context of the validation logic in metadata.go
rg -B 10 -A 10 'Failed to validate authenticator metadata'

# Also check for any tests that might reveal the intended behavior
rg -l 'TestMetadata.*AAGUID|AAGUID.*Test' 

Length of output: 2825

---

Script:

#!/bin/bash
# Check for GetValidateEntry usage and implementation
rg -A 5 'GetValidateEntry[^P]'

# Look for any configuration or setup of these validation flags
rg -A 5 'validateEntry.*='

Length of output: 2300

---

Script:

#!/bin/bash
# Look for the Provider struct definition and initialization
rg -B 5 -A 10 'type Provider struct' metadata/providers/memory/

# Check for any configuration methods that set these validation flags
rg -A 5 'WithValidate|SetValidate'

Length of output: 5900