Closed tpazderka closed 2 years ago
If I understand you correctly, you've configured the Fido2Server instance to use attestation=DIRECT, to request attestation from the user. The user is then refusing the request for attestation, which (on some browsers) returns a registration with NONE attestation. Am I right so far?
The default is to not validate attestation at all, and should have no problem handling this case. If you provide your own verify_attestation function to the server, then it's up to you to handle this case. The abstract AttestationVerifier will throw an UnsupportedType exception, which you can catch outside of the call to register_complete if you wish. The exception contains a reference to the auth_data object.
You could also define your own logic for validating the NONE attestation, but I can't really say I see a scenario where it makes sense to verify some attestation, but then also allow NONE attestation.
Closing issue due to inactivity.
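As an added illustration of the flow described in the reply above (modelled on it, not python-fido2's own code), here is a minimal verifier that branches on the attestation format before any chain check, raises an UnsupportedType carrying auth_data for NONE attestation, and a register_complete stand-in that applies the allow-or-reject policy outside the verifier. The data classes, the "certificates" and verify_x509_chain are constructed stand-ins (name-linkage only, not real X.509 validation).

```python
from dataclasses import dataclass

@dataclass
class AuthData:
    credential_id: bytes

@dataclass
class AttestationObject:
    fmt: str          # "none", "packed", ...
    auth_data: AuthData
    att_stmt: dict    # for "packed": "x5c" holds the certificate chain stand-ins

class InvalidAttestation(Exception): pass
class UntrustedAttestation(InvalidAttestation): pass

class UnsupportedType(InvalidAttestation):
    # Carries auth_data so the caller can still record the credential if policy allows.
    def __init__(self, auth_data, fmt):
        super().__init__(f"unsupported attestation format: {fmt}")
        self.auth_data, self.fmt = auth_data, fmt

def verify_x509_chain(chain):
    # Constructed stand-in for X.509 path validation: a "certificate" is a dict with
    # subject/issuer names; the chain must be non-empty and link leaf -> root.
    if not chain:
        raise ValueError("empty certificate chain")
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            raise UntrustedAttestation(f"{cert['subject']} not issued by {issuer['subject']}")

class RootListVerifier:
    # Stands in for a custom verify_attestation callable with a fixed set of trusted roots.
    def __init__(self, roots):
        self.roots = {r["subject"]: r for r in roots}
    def __call__(self, att_obj, client_data_hash):
        if att_obj.fmt != "packed":   # "none" lands here: there is no trust path to check
            raise UnsupportedType(att_obj.auth_data, att_obj.fmt)
        chain = att_obj.att_stmt.get("x5c", [])
        root = self.roots.get(chain[-1]["issuer"]) if chain else None
        if root is None:
            raise UntrustedAttestation("no trusted root for this authenticator")
        verify_x509_chain(chain + [root])

def register_complete(verifier, att_obj, client_data_hash, allow_unattested):
    # Policy lives here, outside the verifier: reject, or record the credential as unattested.
    try:
        verifier(att_obj, client_data_hash)
        return {"credential_id": att_obj.auth_data.credential_id, "attested": True}
    except UnsupportedType as e:
        if not allow_unattested:
            raise
        return {"credential_id": e.auth_data.credential_id, "attested": False}
```

With allow_unattested=False the UnsupportedType propagates to the caller exactly as the reply describes; with it set to True the credential is stored flagged as unattested so later policy (for example step-up for sensitive actions) can still tell the two apart.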
I am trying to validate NoneAttestation (user refused to hand over the key attestation) and it fails as the verify_x509_chain function gets an empty chain. The NoneAttestation doesn't have a CA trust chain and it probably shouldn't be subjected to these checks.