TsgcWSAPIServer_WebAuthn › Events › OnWebAuthnRegistrationValidateCertificate
Fires during /register/verify to let the application validate the attestation certificate chain (for example against a cached FIDO MDS) and override the built-in check.
property OnWebAuthnRegistrationValidateCertificate: TsgcWebAuthnOnRegistrationValidateCertificate;
// TsgcWebAuthnOnRegistrationValidateCertificate = procedure(Sender: TObject; const aRequest: TsgcWebAuthn_RegistrationVerify_Request; const aValidate: TsgcWebAuthnValidateAttestationStatement; var Handled: Boolean) of object;
Allows the application to take over the attestation statement validation. aValidate exposes the parsed attestation (format, signature, AAGUID, x5c chain) and lets the handler mark it as valid or invalid. Set Handled to True to tell the server that your code has fully validated (or rejected) the statement; the built-in validator is then skipped, so in that case your handler is the only check that runs and it must set aValidate.Valid explicitly on every path. Leave Handled as False to let the default logic run after the hook, which is useful when you only want to enforce an extra policy (CA pinning, an authenticator allowlist derived from MDS) on top of the standard checks.
procedure TForm1.sgcWSAPIServer_WebAuthn1WebAuthnRegistrationValidateCertificate(
  Sender: TObject; const aRequest: TsgcWebAuthn_RegistrationVerify_Request;
  const aValidate: TsgcWebAuthnValidateAttestationStatement;
  var Handled: Boolean);
begin
  // IsAAGUIDBlocked is application-defined (for example a lookup against a
  // cached MDS status report); it is not part of the component.
  if IsAAGUIDBlocked(aValidate.AAGUID) then
  begin
    aValidate.Valid := False;   // reject this authenticator model
    Handled := True;            // skip the built-in validator; the rejection is final
  end;
  // Otherwise Handled stays False and the standard attestation checks still run.
end;
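Added example (not from the sgcWebSockets documentation or library) of the second pattern described above: an MDS-backed authenticator allowlist enforced on top of the built-in chain and signature checks, with Handled left False on the accept path. It assumes aValidate.AAGUID is a string in hex or UUID form and that MdsCache is filled from a cached MDS blob at startup; TMdsEntry, NormaliseAAGUID and AuthenticatorAllowed are constructed here and are not part of the component.

```delphi
uses System.SysUtils, System.Generics.Collections;

type
  // Constructed stand-in for one cached FIDO MDS record (not the real MDS schema).
  TMdsEntry = record
    Description: string;
    Revoked: Boolean;   // True when the MDS status report lists the model as compromised
  end;

var
  MdsCache: TDictionary<string, TMdsEntry>;   // assumed filled at startup, keyed by normalised AAGUID

// Lower-case hex without dashes, so UUID-style and raw-hex AAGUIDs compare equal.
function NormaliseAAGUID(const AAGUID: string): string;
begin
  Result := LowerCase(StringReplace(AAGUID, '-', '', [rfReplaceAll]));
end;

// Policy check layered on top of the built-in attestation validation.
function AuthenticatorAllowed(const AAGUID: string; out Reason: string): Boolean;
var
  Entry: TMdsEntry;
begin
  Result := False;
  // An all-zero AAGUID usually means no attestation was conveyed, so the model
  // cannot be identified and no MDS policy can be applied to it.
  if NormaliseAAGUID(AAGUID) = StringOfChar('0', 32) then
    Reason := 'no attestation: AAGUID is zero'
  else if not MdsCache.TryGetValue(NormaliseAAGUID(AAGUID), Entry) then
    Reason := 'AAGUID not present in cached MDS'
  else if Entry.Revoked then
    Reason := Entry.Description + ' is flagged as revoked in MDS'
  else
    Result := True;
end;

procedure TForm1.sgcWSAPIServer_WebAuthn1WebAuthnRegistrationValidateCertificate(
  Sender: TObject; const aRequest: TsgcWebAuthn_RegistrationVerify_Request;
  const aValidate: TsgcWebAuthnValidateAttestationStatement; var Handled: Boolean);
var
  Reason: string;   // kept for the application's audit log
begin
  if AuthenticatorAllowed(aValidate.AAGUID, Reason) then
    Handled := False   // policy passed: let the built-in chain and signature checks run
  else
  begin
    aValidate.Valid := False;   // policy failed: reject and skip the built-in validator
    Handled := True;
  end;
end;
```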