fix(ctap2): decode unsignedExtensionOutputs at GetAssertion 0x08 #244
Merged
AlfioEmanueleFresta merged 1 commit, Jun 7, 2026
GetAssertion response index 0x08 is unsignedExtensionOutputs, a CBOR map, not enterprise attestation. Decoding it as Option<bool> made the whole response fail to parse. Decode it as an optional map and remove the speculative enterprise_attestation and attestation_statement fields, which no spec defines for GetAssertion.
fc34cda to d285dc0
AlfioEmanueleFresta added a commit that referenced this pull request, Jun 10, 2026
…nt extension results PR #244 decoded the unsigned extension outputs map at the getAssertion response but kept it on the protocol response without surfacing it. This maps each entry into the client extension results as a top-level member keyed by extension identifier, the same shape WebAuthn uses for client extension results. The map has no fixed schema, so values are converted to JSON-safe types, with byte strings encoded as base64url. An empty or absent map adds nothing, and ids that would clash with a typed output are skipped. Includes an end-to-end test from the encoded response through to the JSON output.
The assertion response mapped entry 0x08 to a value it should not have, while the protocol defines 0x08 as the unsigned extension outputs map. An authenticator that returns that map caused the whole assertion response to fail to decode, breaking the ceremony. This becomes more likely as newer authenticators emit unsigned extension outputs.
This decodes entry 0x08 as the unsigned extension outputs map and removes two response fields that were never populated with valid data.
Scope: this fixes the decode failure. The unsigned outputs are kept on the decoded response but are not yet merged into the caller-facing extension results, since arbitrary CBOR maps do not map cleanly to the typed JSON outputs. That can be a follow-up. The change also drops two unused fields from the public assertion type, a minor change for a pre-1.0 crate.
Includes a regression test that decodes a response carrying the map and confirms it parses.
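As an added example of the decoding this PR describes (not the crate's own code), the minimal CTAP2 CBOR decoder below treats GetAssertion entry 0x08 as the unsignedExtensionOutputs map and rejects any other shape at that key, so a response carrying the map parses instead of failing. It skips the credential (0x01) and user (0x04) entries, and the sample response bytes and the "ext" extension identifier are constructed for the example.

```rust
// Added example, not the crate's code: a minimal CTAP2 CBOR decoder in which GetAssertion key 0x08 is the unsignedExtensionOutputs map.
#[derive(Debug, Clone, PartialEq)]
pub enum Cbor { Uint(u64), Bytes(Vec<u8>), Text(String), Array(Vec<Cbor>), Map(Vec<(Cbor, Cbor)>), Bool(bool), Null }
// Reads the 5-bit additional info of a CBOR head plus any following length bytes.
fn read_arg(b: &[u8], pos: &mut usize) -> Result<u64, String> {
    let ib = *b.get(*pos).ok_or("truncated")? & 0x1f;
    *pos += 1;
    let n = match ib { 0..=23 => return Ok(ib as u64), 24 => 1, 25 => 2, 26 => 4, 27 => 8, _ => return Err("indefinite length is not allowed in CTAP2".into()) };
    let mut v = 0u64;
    for _ in 0..n { v = (v << 8) | *b.get(*pos).ok_or("truncated")? as u64; *pos += 1; }
    Ok(v)
}
// Decodes one CBOR item; definite lengths only, as the CTAP2 canonical encoding requires.
pub fn decode(b: &[u8], pos: &mut usize) -> Result<Cbor, String> {
    let major = *b.get(*pos).ok_or("truncated")? >> 5;
    let arg = read_arg(b, pos)?;
    match major {
        0 => Ok(Cbor::Uint(arg)),
        2 | 3 => {
            let end = (*pos).checked_add(arg as usize).ok_or("truncated")?;
            let s = b.get(*pos..end).ok_or("truncated")?.to_vec();
            *pos = end;
            if major == 2 { Ok(Cbor::Bytes(s)) } else { String::from_utf8(s).map(Cbor::Text).map_err(|e| e.to_string()) }
        }
        4 => { let mut v = Vec::new(); for _ in 0..arg { v.push(decode(b, pos)?); } Ok(Cbor::Array(v)) }
        5 => { let mut m = Vec::new(); for _ in 0..arg { m.push((decode(b, pos)?, decode(b, pos)?)); } Ok(Cbor::Map(m)) }
        7 => match arg { 20 => Ok(Cbor::Bool(false)), 21 => Ok(Cbor::Bool(true)), 22 => Ok(Cbor::Null), _ => Err(format!("unsupported simple value {arg}")) },
        _ => Err(format!("unsupported major type {major}")),
    }
}
// Only the fields this example needs; the credential (0x01) and user (0x04) entries are skipped below.
pub struct GetAssertionResponse { pub auth_data: Vec<u8>, pub signature: Vec<u8>, pub unsigned_extension_outputs: Option<Vec<(Cbor, Cbor)>> }
pub fn parse_get_assertion(b: &[u8]) -> Result<GetAssertionResponse, String> {
    let mut pos = 0;
    let entries = match decode(b, &mut pos)? { Cbor::Map(m) => m, other => return Err(format!("response is not a map: {other:?}")) };
    let mut r = GetAssertionResponse { auth_data: Vec::new(), signature: Vec::new(), unsigned_extension_outputs: None };
    for (k, v) in entries {
        match (k, v) {
            (Cbor::Uint(2), Cbor::Bytes(d)) => r.auth_data = d,
            (Cbor::Uint(3), Cbor::Bytes(s)) => r.signature = s,
            (Cbor::Uint(8), Cbor::Map(m)) => r.unsigned_extension_outputs = Some(m), // the fixed decoding: a map, not Option<bool>
            (Cbor::Uint(8), other) => return Err(format!("0x08 must be a map, got {other:?}")),
            _ => {} // unknown keys are tolerated so newer authenticators do not break the ceremony
        }
    }
    Ok(r)
}
// Constructed sample: {2: h'01020304', 3: h'aabb', 8: {"ext": true}}; "ext" is a placeholder extension id.
pub const SAMPLE_RESPONSE: &[u8] = &[0xa3, 0x02, 0x44, 0x01, 0x02, 0x03, 0x04, 0x03, 0x42, 0xaa, 0xbb, 0x08, 0xa1, 0x63, 0x65, 0x78, 0x74, 0xf5];
```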