From 804cece99aa047cc2c84af0d484e1a357cd88050 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 27 Nov 2024 12:24:26 +0100 Subject: [PATCH 1/4] Fix reference to $$attStmtType in definition of attestation statement formats --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 7fff2d1e7..4f4556a5e 100644 --- a/index.bs +++ b/index.bs @@ -5736,7 +5736,7 @@ template: - Syntax: The syntax of an [=attestation statement=] produced in this format, defined using CDDL [[!RFC8610]] for the extension point - `$attStmtFormat` defined in [[#sctn-generating-an-attestation-object]]. + `$$attStmtType` defined in [[#sctn-generating-an-attestation-object]]. - Signing procedure: The [=signing procedure=] for computing an [=attestation statement=] in this [=attestation statement format|format=] given From e6a998eb823871d7f6f7d51ebd0bfe4b8cdc68d2 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 27 Nov 2024 12:26:37 +0100 Subject: [PATCH 2/4] Formalize attStmtTemplate as more correct CDDL I don't think the expression `attStmtTemplate .within $$attStmtType` successfully encodes the intent "Every attestation statement format must have the above fields", for two reasons: it does not define a CDDL rule since it contains no = sign, and even if it did, the `.within` control operator would apply only to the new type defined by that rule, but not to the `attObj` type. CDDL generally makes a distinction between types and groups, and only mentions control operators applying to types, so I don't think we can apply `.within` to `$$attStmtType` directly. This is why we need to duplicate the `authData` field in `attStmtTemplate`. --- index.bs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/index.bs b/index.bs index 4f4556a5e..9810edd32 100644 --- a/index.bs +++ b/index.bs 
@@ -5832,17 +5832,17 @@ the [=authenticator=] MUST: ``` attObj = { - authData: bytes, - $$attStmtType - } + authData: bytes, - attStmtTemplate = ( - fmt: text, - attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType - ) + ; Each choice in $$attStmtType defines the fmt value and attStmt structure + $$attStmtType + } .within attStmtTemplate - ; Every attestation statement format must have the above fields - attStmtTemplate .within $$attStmtType + attStmtTemplate = { + authData: bytes, + fmt: text, + attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType + } ``` ### Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures ### {#sctn-signature-attestation-types} From 9b161676e556d1f855d4bfc3b9819bf32e2227fd Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 27 Nov 2024 12:34:09 +0100 Subject: [PATCH 3/4] Allow attStmt to be of array type This is required by the new "compound" attestation statement format. --- index.bs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 9810edd32..ff52caf9e 100644 --- a/index.bs +++ b/index.bs @@ -5841,7 +5841,11 @@ the [=authenticator=] MUST: attStmtTemplate = { authData: bytes, fmt: text, - attStmt: { * tstr => any } ; Map is filled in by each concrete attStmtType + attStmt: ( + { * tstr => any } ; Map is filled in by each concrete attStmtType + // + [ * any ] ; attStmt may also be an array + ) } ``` From 8b29bec5a3db3f803478403a7ec41c80bec0d28e Mon Sep 17 00:00:00 2001 
From: Emil Lundberg Date: Wed, 27 Nov 2024 12:39:32 +0100 Subject: [PATCH 4/4] Fix .within operator in nonCompountAttStmt [CDDL][1] defines that: >A map matches a specification given as a group when the group matches >a sequence of name/value pairs such that all of these name/value >pairs are present in the map and the map has no name/value pair that >is not covered by the group. Therefore the control `.within { fmt: text .ne "compound" }` forbids any maps that contain additional fields besides `fmt`, which is clearly not what was intended. [1]: https://datatracker.ietf.org/doc/html/rfc8610#section-2.1 --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index ff52caf9e..20f322967 100644 --- a/index.bs +++ b/index.bs @@ -6933,7 +6933,7 @@ The "compound" attestation statement format is used to pass multiple, self-conta attStmt: [2* nonCompoundAttStmt] ) - nonCompoundAttStmt = { $$attStmtType } .within { fmt: text .ne "compound" } + nonCompoundAttStmt = { $$attStmtType } .within { fmt: text .ne "compound", * any => any } ``` : Signing procedure
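Review bot: the corrected `$$attStmtType` in the first hunk (line 5736) now matches the group socket that `attObj` plugs in at the 5832 block, so the cross-reference is consistent, but the sentence still only says the syntax is defined "for the extension point"; since each format's contribution is a group that has to supply `fmt` and `attStmt`, stating that here would tell a format author which members are mandatory without having to read the template in the later section.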
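Review bot: in the 5832 hunk `attStmtTemplate` is a closed map, so `attObj = { ... } .within attStmtTemplate` rejects any attestation object with a top-level member other than `authData`, `fmt` and `attStmt`; that is the right constraint for attObj, but the duplicated `authData: bytes` (which the commit message explains is forced by `.within` being a type control) means any later change to that member has to be made in both rules, so a comment such as `; keep in sync with attObj` next to `attStmtTemplate` would prevent the two from drifting apart silently.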
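Review bot: the 5841 hunk writes `attStmt: ( { * tstr => any } // [ * any ] )`, using the group-choice operator in a member value position; in the RFC 8610 grammar a parenthesized expression after `:` is a type, and alternatives between types are written with `/`, so `attStmt: { * tstr => any } / [ * any ]` is the form a strict CDDL parser will accept. The array branch `[ * any ]` is also much looser than the map branch; if only the compound format needs an array here, referring to its element type (the `nonCompoundAttStmt` rule used by `attStmt: [2* nonCompoundAttStmt]` in the 6933 hunk) or at least `[ * { * tstr => any } ]` would document the intent.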
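Review bot: the 6933 hunk's `.within { fmt: text .ne "compound", * any => any }` fixes the closed-map problem the commit message describes, but `* any => any` also admits non-text keys, whereas `attStmtTemplate` in the 5841 hunk constrains the maps it describes to `* tstr => any`; `fmt: text .ne "compound", * tstr => any` keeps the two consistent and still admits the `attStmt` member (and both members a `$$attStmtType` choice contributes have text keys). Minor: the subject line spells the rule `nonCompountAttStmt` while the hunk defines `nonCompoundAttStmt`.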
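As an added illustration, not part of this patch or of the WebAuthn specification, the Python below models the RFC 8610 map-matching rule quoted in the fourth commit message with plain dict/list checks, so the difference between the closed `{ fmt: text .ne "compound" }` constraint and the patched `{ fmt: text .ne "compound", * any => any }` can be seen on sample data, together with the map-or-array `attStmt` shape from the third commit. Attestation objects are assumed to be already CBOR-decoded Python values; the `PACKED`, `TPM` and compound samples are constructed, their signature and authData bytes are placeholders, and all function names are this example's own.

```python
"""Added illustration (not code from the WebAuthn spec or from this patch):
plain-Python models of the CDDL shapes in the patched hunks, so the effect
of the `.within` change in the last commit can be checked on sample data.

Assumptions: attestation objects are given as already-CBOR-decoded Python
values (dict/list/bytes/str/int); the sample statements at the bottom are
constructed, their signature bytes are placeholders, and nothing here
verifies a signature or parses authData.
"""

from typing import Any, Callable


def matches_closed_non_compound(stmt: Any) -> bool:
    """Pre-patch `{ fmt: text .ne "compound" }` read with the RFC 8610 rule the
    commit quotes: the group covers only `fmt`, so a map with any other
    member (e.g. `attStmt`) does not match."""
    if not isinstance(stmt, dict) or set(stmt) != {"fmt"}:
        return False
    return isinstance(stmt["fmt"], str) and stmt["fmt"] != "compound"


def matches_open_non_compound(stmt: Any) -> bool:
    """Post-patch `{ fmt: text .ne "compound", * any => any }`: `fmt` must be
    present and must not be "compound"; any other members are allowed."""
    if not isinstance(stmt, dict):
        return False
    fmt = stmt.get("fmt")
    return isinstance(fmt, str) and fmt != "compound"


def matches_att_stmt_template(att_obj: Any, allow_array: bool = True) -> bool:
    """attStmtTemplate from the second and third commits: exactly the members
    authData/fmt/attStmt, attStmt a text-keyed map or (third commit) an array.
    allow_array=False gives the second-commit shape, which rejects arrays."""
    if not isinstance(att_obj, dict) or set(att_obj) != {"authData", "fmt", "attStmt"}:
        return False
    if not isinstance(att_obj["authData"], (bytes, bytearray)):
        return False
    if not isinstance(att_obj["fmt"], str):
        return False
    att_stmt = att_obj["attStmt"]
    if isinstance(att_stmt, dict):
        return all(isinstance(k, str) for k in att_stmt)
    return allow_array and isinstance(att_stmt, list)


def matches_compound(att_obj: Any, inner: Callable[[Any], bool]) -> bool:
    """The "compound" format from the last hunk: attStmt is an array of at
    least two nonCompoundAttStmt maps.  Each element is checked with `inner`
    (closed or open variant) and must carry its own `attStmt`, which is what
    a `$$attStmtType` choice contributes alongside `fmt`."""
    if not matches_att_stmt_template(att_obj) or att_obj["fmt"] != "compound":
        return False
    elems = att_obj["attStmt"]
    if not isinstance(elems, list) or len(elems) < 2:
        return False
    return all(inner(e) and "attStmt" in e for e in elems)


# Constructed samples; signature bytes are placeholders, not real signatures.
PACKED = {"fmt": "packed", "attStmt": {"alg": -7, "sig": b"placeholder-sig"}}
TPM = {"fmt": "tpm", "attStmt": {"ver": "2.0", "alg": -257, "sig": b"placeholder-sig",
                                 "certInfo": b"", "pubArea": b""}}
NESTED_COMPOUND = {"fmt": "compound", "attStmt": [PACKED, TPM]}
AUTH_DATA = b"\x00" * 37  # placeholder for the authenticator data bytes

PACKED_ATT_OBJ = {"authData": AUTH_DATA, **PACKED}
COMPOUND_ATT_OBJ = {"authData": AUTH_DATA, "fmt": "compound", "attStmt": [PACKED, TPM]}
COMPOUND_WITH_NESTED = {"authData": AUTH_DATA, "fmt": "compound",
                        "attStmt": [PACKED, NESTED_COMPOUND]}


def demo() -> dict:
    """Return the outcome of each check so the difference is visible at once."""
    return {
        # A real packed statement fails the closed reading but passes the open one.
        "packed_closed": matches_closed_non_compound(PACKED),
        "packed_open": matches_open_non_compound(PACKED),
        # A compound statement is never a valid inner element.
        "nested_open": matches_open_non_compound(NESTED_COMPOUND),
        # Consequence for the compound format itself.
        "compound_closed": matches_compound(COMPOUND_ATT_OBJ, matches_closed_non_compound),
        "compound_open": matches_compound(COMPOUND_ATT_OBJ, matches_open_non_compound),
        "compound_with_nested": matches_compound(COMPOUND_WITH_NESTED, matches_open_non_compound),
        # Commit 3 is needed for the array-valued attStmt to fit the template.
        "compound_array_pre_commit3": matches_att_stmt_template(COMPOUND_ATT_OBJ, allow_array=False),
        "packed_template": matches_att_stmt_template(PACKED_ATT_OBJ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {ok}")
```

Under the closed reading every real statement, and therefore every compound object, is rejected because each element carries an `attStmt` member the group does not cover; the open reading accepts them while still refusing a nested "compound" element, which is the behaviour the last hunk is after.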