fido-alliance / conformance-test-tools-resources

Certification Test Tools Resources. For security and privacy related issues email tools@certification.fidoalliance.org
https://fidoalliance.org/certification/functional-certification/conformance/

[FIDO2] about test P-1 #518

Closed ShaneJANG closed 4 years ago

ShaneJANG commented 4 years ago

What protocol and version of the protocol are you testing?

FIDO2

What is your implementation class?

Server

What version of the tool are you using?

v1.1.6

What OS and version are you running?

Windows 10

Issue description

We are developing a FIDO2 Server. During testing with the FIDO Conformance Tools, we encountered the error below.

[Error log]

Server-ServerAuthenticatorAttestationResponse-Resp-B
Test server processing "android-safetynet" attestation
P-1 Send a valid ServerAuthenticatorAttestationResponse with "android-safetynet" attestation, and check that server succeeds
‣ Error: Server responed with error. The errorMessage is: Invalid safety net attestation
at fetch.then.then (eval at compileCode (js/sandbox.js:25:26), :4241:19)
at
let username = generateRandomString();
let displayName = generateRandomName();
return getMakeCredentialsChallenge({'displayName': displayName, 'username':username, 'attestation': 'direct'})
    .then((response) => { return webauthnClient.createCredential(response) })
    .then((response) => { return sendAttestationResponse(response) })

The file we used during the test is attached (toc.jwt): toc.zip. Does this file cause this error?

Please give us any information we can refer to.

Thank you.

Spomky commented 4 years ago

Same for me. This test used to pass a few weeks ago (I will try again with an old release of the app).

yackermann commented 4 years ago

@ShaneJANG Try 1.2.0

Spomky commented 4 years ago

Unfortunately, there is no change with 1.2.0.

Here is the data I have. Options:

{"status":"ok","errorMessage":"","rp":{"name":"Webauthn Demo","id":"webauthn.spomky-labs.com"},"pubKeyCredParams":[{"type":"public-key","alg":-8},{"type":"public-key","alg":-7},{"type":"public-key","alg":-43},{"type":"public-key","alg":-35},{"type":"public-key","alg":-36},{"type":"public-key","alg":-257},{"type":"public-key","alg":-258},{"type":"public-key","alg":-259},{"type":"public-key","alg":-37},{"type":"public-key","alg":-38},{"type":"public-key","alg":-39}],"challenge":"YkjlTpqD8VIio0cOyAHYOPfqpK3_mVQDQlM85g9tQrk","attestation":"direct","user":{"name":"3f5hMCsxzRch6PavCrSy","id":"MzJkZDIyMzktMDEwMS00ZGFhLThiYTctOWY3ZjY2NmI2YmE3","displayName":"Donetta Lukasiewicz"},"authenticatorSelection":{"requireResidentKey":false,"userVerification":"preferred"},"timeout":60000}

Response:

{"id":"upr8iI3z8nJOJV1To_UcXf5nty10LYIjo1lrlhJT5JQ","rawId":"upr8iI3z8nJOJV1To_UcXf5nty10LYIjo1lrlhJT5JQ","response":{"attestationObject":"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_UcXf5nty10LYIjo1lrlhJT5JSkAQMDOQEAIFkBAL68VF07OJeMXSRTRvUwJtMpezmc1VNoP1UAIgbJeyutQ0mYmYO4TDxI581fRe4bo7Gvzx0CNaNPBbfdpDuDU90_Xg0zfBcf027bBVLd_1VqmayH59jXa07upiLe8VTcoAJCFz7E0DGOhwreGAnWWNlig5saD1XPhO7pGMszgbHJTdpHq2oY5fPJbUMMqhBuFyd6ATKZrGrk5IIlC_1bZ3DYhckHTkjpReUNGTEYk55tktBGiEnc6sLLLrpJxnuPfOWi00Q9hnyZ8y3O8S9P71wLLn6Fu5OnuKo05jWd6RRaJ4o5rvOxWzgMgB_QUNvFkh6RUbLpJUPlL1EzUQ6lH4khQwEAAQ","clientDataJSON":"eyJvcmlnaW4iOiJodHRwczovL3dlYmF1dGhuLnNwb21reS1sYWJzLmNvbSIsImNoYWxsZW5nZSI6IllramxUcHFEOFZJaW8wY095QUhZT1BmcXBLM19tVlFEUWxNODVnOXRRcmsiLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0"},"type":"public-key"}

It contains 2 certificates. The leaf certificate can be verified with the first one, but the chain cannot be validated using the 4 certificates received from the authenticator metadata.

padulafacundo commented 4 years ago

Same happens to me with 1.2.0. There's a mismatch between the subjectKeyIdentifier and authorityKeyIdentifier of the certificates, similar to #520. The attestation certificate can be linked to an intermediate certificate and this one to two of the four CA certificates from the metadata, but the authorityKeyIdentifiers of these two don't match against the subjectKeyIdentifier of any of the certificates left (or themselves, so they're not self-signed).
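The subjectKeyIdentifier/authorityKeyIdentifier linkage check described in the comment above, as an added example that is not part of the original thread or of the conformance tools' code. Certificates are modelled as constructed records with made-up names and key identifiers; matching identifiers only builds candidate paths and does not verify any signature.

```python
# Added example: diagnose where an attestation chain stops linking.
# All certificate names and key identifiers are constructed for illustration.
from typing import NamedTuple, Optional


class Cert(NamedTuple):
    name: str
    ski: str            # subjectKeyIdentifier (hex)
    aki: Optional[str]  # authorityKeyIdentifier (hex), None if absent


def trace_paths(cert, pool, seen=()):
    """Return [(path_names, outcome)] for every AKI -> SKI path from cert.

    outcome is "self-signed" when the last certificate names its own key
    as issuer (or carries no AKI), and "dangling" when no certificate in
    pool has the SKI that the last certificate's AKI points to.
    """
    if cert.aki is None or cert.aki == cert.ski:
        return [([cert.name], "self-signed")]
    # 'seen' guards against loops between cross-signed certificates.
    issuers = [c for c in pool if c.ski == cert.aki and c.name not in seen]
    if not issuers:
        return [([cert.name], "dangling")]
    paths = []
    for issuer in issuers:
        for tail, outcome in trace_paths(issuer, pool, seen + (cert.name,)):
            paths.append(([cert.name] + tail, outcome))
    return paths


def anchored(paths):
    """True if at least one path ends at a self-signed certificate."""
    return any(outcome == "self-signed" for _, outcome in paths)


# Constructed data mirroring the situation in the thread: leaf and
# intermediate from the attestation, four certificates from the metadata.
LEAF = Cert("leaf", "01", "a1")
INTERMEDIATE = Cert("intermediate", "a1", "b2")
METADATA = [
    Cert("metadata-1", "b2", "d4"),  # issuer d4 is not in the set
    Cert("metadata-2", "b2", "e5"),  # issuer e5 is not in the set
    Cert("metadata-3", "f6", "f6"),  # self-signed, unrelated key
    Cert("metadata-4", "a7", "a7"),  # self-signed, unrelated key
]
POOL = [INTERMEDIATE] + METADATA

if __name__ == "__main__":
    for path, outcome in trace_paths(LEAF, POOL):
        print(" -> ".join(path), "=>", outcome)
```

A "dangling" result identifies the exact certificate whose issuer is missing from the supplied metadata, which is the detail worth including in a report like this one.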

yackermann commented 4 years ago

Fixed in 1.2.1 (will be up in an hour). Please download the updated metadata.

Sorry for the inconvenience.

Spomky commented 4 years ago

I confirm it is now fixed. Thank you!