Add attestation check fields (signature_valid, root_valid, rp_id_hash_valid, aaguid_match) to log payload

Copilot · rainzhang05 · rainzhang05 · commit fb88c1a5bce7 · 2025-11-25T15:10:28.000+08:00
Co-authored-by: rainzhang05 &lt;148399405+rainzhang05@users.noreply.github.com&gt;
diff --git a/server/server/device_logs.py b/server/server/device_logs.py
@@ -57,6 +57,10 @@ class RegistrationEvent:
     attestation_format: str
     attestation_object: bytes
     client_data_json: bytes
+    signature_valid: Optional[bool] = None
+    root_valid: Optional[bool] = None
+    rp_id_hash_valid: Optional[bool] = None
+    aaguid_match: Optional[bool] = None
 
 
 def to_b64url(data: bytes) -> str:
@@ -170,6 +174,10 @@ def _build_log_payload(event: RegistrationEvent) -> Tuple[str, Mapping[str, Any]
         "device_name_mds": event.device_name_mds or "unknown",
         "raw_attestation_object": attestation_raw,
         "decoded_attestation_object": attestation_decoded,
+        "signature_valid": event.signature_valid,
+        "root_valid": event.root_valid,
+        "rp_id_hash_valid": event.rp_id_hash_valid,
+        "aaguid_match": event.aaguid_match,
     }
 
     summary: MutableMapping[str, str] = {
diff --git a/server/server/routes/simple.py b/server/server/routes/simple.py
@@ -766,6 +766,10 @@ def register_complete():
         attestation_format=str(attestation_format or ""),
         attestation_object=_decode_base64url_bytes(raw_attestation_object_b64),
         client_data_json=_decode_base64url_bytes(client_data_json_b64),
+        signature_valid=attestation_signature_valid,
+        root_valid=attestation_root_valid,
+        rp_id_hash_valid=attestation_rp_id_hash_valid,
+        aaguid_match=attestation_aaguid_match,
     )
 
     record_registration_event(event)
diff --git a/tests/test_device_logs.py b/tests/test_device_logs.py
@@ -45,6 +45,10 @@ def fake_upload(path, payload, **kwargs):
         attestation_format="packed",
         attestation_object=attestation_object,
         client_data_json=client_data_json,
+        signature_valid=True,
+        root_valid=True,
+        rp_id_hash_valid=True,
+        aaguid_match=True,
     )
 
     device_logs.record_registration_event(event)
@@ -68,6 +72,11 @@ def fake_upload(path, payload, **kwargs):
     assert payload["device_name_mds"] == "Example Authenticator"
     assert payload["raw_attestation_object"] == device_logs.to_b64url(attestation_object)
     assert payload["decoded_attestation_object"] == {"test": device_logs.to_b64url(b"value")}
+    # Verify attestation check fields are included
+    assert payload["signature_valid"] is True
+    assert payload["root_valid"] is True
+    assert payload["rp_id_hash_valid"] is True
+    assert payload["aaguid_match"] is True
 
 
 def test_record_registration_event_creates_unique_files(monkeypatch, capsys):
