Make AuthenticatorDetails.AaGuid nullable

claude · claude · commit 489bf7cc2a53 · 2026-06-04T19:08:18.000Z
Return null instead of Guid.Empty when the Win32 API does not provide a
valid 16-byte authenticator identifier, so the absence of an AAGUID is
represented distinctly rather than as an all-zero GUID.
diff --git a/Documentation/API/DSInternals.Win32.WebAuthn.AuthenticatorDetails.md b/Documentation/API/DSInternals.Win32.WebAuthn.AuthenticatorDetails.md
@@ -34,12 +34,12 @@ Corresponds to WEBAUTHN_AUTHENTICATOR_DETAILS.
 The Authenticator Attestation GUID (AAGUID) identifying the model of the authenticator.
 
 ```csharp
-public Guid AaGuid { get; set; }
+public Guid? AaGuid { get; set; }
 ```
 
 #### Property Value
 
- [Guid](https://learn.microsoft.com/dotnet/api/system.guid)
+ [Guid](https://learn.microsoft.com/dotnet/api/system.guid)?
 
 ### <a id="DSInternals_Win32_WebAuthn_AuthenticatorDetails_AuthenticatorLogo"></a> AuthenticatorLogo
 
diff --git a/Documentation/CHANGELOG.md b/Documentation/CHANGELOG.md
@@ -10,7 +10,7 @@ All notable changes to this project will be documented in this file. The format
 
 ### Changed
 
-- The `AuthenticatorDetails.AuthenticatorId` property (returned by `Get-PasskeyAuthenticator`) was renamed to `AaGuid` and its type changed from `byte[]` to `Guid`. The binary identifier returned by the Win32 API is a big-endian encoded Authenticator Attestation GUID (AAGUID), so it is now decoded and surfaced as a `Guid` instead of a Base64Url-encoded string.
+- The `AuthenticatorDetails.AuthenticatorId` property (returned by `Get-PasskeyAuthenticator`) was renamed to `AaGuid` and its type changed from `byte[]` to `Guid?`. The binary identifier returned by the Win32 API is a big-endian encoded Authenticator Attestation GUID (AAGUID), so it is now decoded and surfaced as a `Guid` (or `null` when absent) instead of a Base64Url-encoded string.
 
 ## [3.1.0] - 2026-05-14
 
diff --git a/Src/DSInternals.Win32.WebAuthn/AuthenticatorDetails.cs b/Src/DSInternals.Win32.WebAuthn/AuthenticatorDetails.cs
@@ -11,7 +11,7 @@ public sealed class AuthenticatorDetails
     /// <summary>
     /// The Authenticator Attestation GUID (AAGUID) identifying the model of the authenticator.
     /// </summary>
-    public Guid AaGuid { get; set; }
+    public Guid? AaGuid { get; set; }
 
     /// <summary>
     /// The authenticator name.
diff --git a/Src/DSInternals.Win32.WebAuthn/Interop/ApiHelper.cs b/Src/DSInternals.Win32.WebAuthn/Interop/ApiHelper.cs
@@ -266,12 +266,12 @@ public static UserInformation Translate(UserInformationOut userInfo)
         /// <summary>
         /// Decodes the authenticator identifier returned by the Win32 API, which is the AAGUID encoded as a big-endian GUID.
         /// </summary>
-        private static Guid DecodeAaGuid(byte[]? authenticatorId)
+        private static Guid? DecodeAaGuid(byte[]? authenticatorId)
         {
             // The AAGUID is always a 16-byte big-endian encoded GUID.
             return authenticatorId is { Length: 16 }
                 ? Guid.Create(authenticatorId, bigEndian: true)
-                : Guid.Empty;
+                : null;
         }
 
         /// <summary>

Original file line number	Diff line number	Diff line change
`@@ -266,12 +266,12 @@ public static UserInformation Translate(UserInformationOut userInfo)`
`266`	`266`	`/// <summary>`
`267`	`267`	`/// Decodes the authenticator identifier returned by the Win32 API, which is the AAGUID encoded as a big-endian GUID.`
`268`	`268`	`/// </summary>`
`269`		`- private static Guid DecodeAaGuid(byte[]? authenticatorId)`
	`269`	`+ private static Guid? DecodeAaGuid(byte[]? authenticatorId)`
`270`	`270`	`{`
`271`	`271`	`// The AAGUID is always a 16-byte big-endian encoded GUID.`
`272`	`272`	`return authenticatorId is { Length: 16 }`
`273`	`273`	`? Guid.Create(authenticatorId, bigEndian: true)`
`274`		`- : Guid.Empty;`
	`274`	`+ : null;`
`275`	`275`	`}`
`276`	`276`
`277`	`277`	`/// <summary>`