fido-alliance / conformance-test-tools-resources

Certification Test Tools Resources. For security and privacy related issues email tools@certification.fidoalliance.org
https://fidoalliance.org/certification/functional-certification/conformance/

FIDO2.1, Tools 1.6.31 - HMAC Secret missing pinUvAuthProtocol #620

Closed KeySoftSK closed 2 years ago

KeySoftSK commented 3 years ago

FIDO Alliance - Certification Conformance Testing Tools 1.6.31

CTAP2.1 Authenticator Tests

We have got a problem with testing the hmac-secret extension. In the FIDO2.1 authenticatorGetAssertion additional behaviors documentation, it is written:

pinUvAuthProtocol(0x04): (optional) as selected when getting the shared secret. CTAP2.1 platforms MUST include this parameter if the value of pinUvAuthProtocol is not 1.

The tests are using pinUvAuthProtocol = 2, but it is missing in the request.

Here is a screenshot from debugging the test tool code:

[screenshot: TestDebug]

What is the correct way of handling this? Is it a problem in the tools, or in our code?

Best regards KeySoft

nuno0529 commented 2 years ago

I still see this problem in 1.6.34, Ext: HMAC Secret test items P-3/P-6.

I see the test code only supports testing hmac-secret with pin_v1, because it only returns 16 bytes of saltAuth: https://github.com/fido-alliance/ctap2.1-conformance-module/blob/main/js/CTAP2.js#L228

So if the keyAgreement command goes for pin_v2, something should be wrong in the test code. Below is my test with a Yubikey Bio that fails on P-6 because the commands go for pin_v2. Below is the log from the conformance test tool's inspector. [image]

P-3 also has the same problem, but if the authenticator uses the option "alwaysUv:true" then P-3 won't fail, maybe because some steps of getting the PUAT correct the pinUvAuthProtocol in the following keyAgreement command.

nuno0529 commented 2 years ago

In the new tool version 1.6.36 on Windows 10 with transport type HID, the test freezes at P-6 and then causes a 60 sec timeout error with the Yubikey Bio. The tool on MacOS also has the same freeze issue and blocks the remaining tests.

With transport type BLE, the test doesn't freeze but it still fails when trying to get the pinUvToken with the flow below:

  1. getKeyAgreement(0x02)+pin_v2
  2. getAssert okay
  3. getKeyAgreement(0x02)+pin_v1
  4. getPinToken (0x05)+ pin_v1
"fidoControlPoint": 83000606a201020202
RECEIVING BLE BUFFER: 82000101
RECEIVING BLE BUFFER: 83005100a101a5010203381820012158205e3ec5381403487c91ab27f25df3d1fc0edd6adac1cb71ef135448fab3fcb1e8225820a9e0144c59cb7d5fce4a01b79565ccd0ca2d191f7b5b8ba2f04bbff55f91693c
SUCCESSFULLY RECEIVED RESPONSE!
{status: "ok", data: {…}}
{status: "ok", data: {…}}
VM228:3269 Sending CTAP CMD: ClientPIN...
VM228:3270 Uint8Array(102) [164, 1, 1, 2, 5, 3, 165, 1, 2, 3, 56, 24, 32, 1, 33, 88, 32, 18, 215, 167, 255, 201, 51, 36, 155, 119, 52, 160, 78, 169, 42, 79, 68, 74, 81, 156, 241, 54, 160, 177, 106, 238, 192, 102, 7, 4, 111, 43, 25, 34, 88, 32, 232, 204, 1, 220, 246, 110, 13, 87, 9, 232, 25, 26, 248, 142, 40, 255, 3, 220, 63, 26, 193, 173, 181, 1, 242, 208, 63, 78, 30, 139, 26, 247, 6, 80, 76, 223, 210, 65, 59, 80, 117, 110, 158, 144, 29, 78, 204, 192, …]
VM228:2763 Generating GetAssertion CBOR for struct...  {1: "obedientcommunicate.um", 2: Uint8Array(32), 3: Array(1), 4: {…}, 5: undefined, 6: undefined, 7: undefined}
VM228:3269 Sending CTAP CMD: GetAssertion...
VM228:3270 Uint8Array(327) [164, 1, 118, 111, 98, 101, 100, 105, 101, 110, 116, 99, 111, 109, 109, 117, 110, 105, 99, 97, 116, 101, 46, 117, 109, 2, 88, 32, 228, 104, 46, 205, 112, 160, 37, 79, 19, 160, 179, 234, 92, 202, 88, 111, 173, 74, 121, 254, 48, 54, 33, 209, 158, 222, 59, 55, 16, 134, 92, 9, 3, 129, 162, 98, 105, 100, 88, 64, 26, 112, 189, 104, 83, 191, 230, 44, 80, 30, 10, 116, 170, 71, 231, 38, 99, 19, 97, 144, 150, 79, 140, 79, 3, 23, 247, 2, 30, 153, 112, 149, …]
RECEIVING BLE BUFFER: 83005100a101a5010203381820012158205e3ec5381403487c91ab27f25df3d1fc0edd6adac1cb71ef135448fab3fcb1e8225820a9e0144c59cb7d5fce4a01b79565ccd0ca2d191f7b5b8ba2f04bbff55f91693c
Received unexpected message...
WRITING BLE BUFFER TO "fidoControlPoint": 83000606a201010202
RECEIVING BLE BUFFER: 83005100a101a5010203381820012158207bffae94edbf197b215dd1704562dc3256afde26fac70ac3ff279d8fc70fc0e4225820aa5406f363ebcf18e24d102b71444cdcba8d3c3ff22eaab6d5a932bfb4c5b47b
SUCCESSFULLY RECEIVED RESPONSE!
fido2 sendFIDOBuffers {transport: "BLE", uuid: "c971a7d0a1c4", product: "UNKNOWN c9:71:a7:d0:a1:c4 (C971A7)"} [Uint8Array(106)]
fido2 sendFIDOBuffers {transport: "BLE", uuid: "c971a7d0a1c4", product: "UNKNOWN c9:71:a7:d0:a1:c4 (C971A7)"} [Uint8Array(331)]
WRITING BLE BUFFER TO "fidoControlPoint": 83006706a40101020503a50102033818200121582012d7a7ffc933249b7734a04ea92a4f444a519cf136a0b16aeec06607046f2b19225820e8cc01dcf66e0d5709e8191af88e28ff03dc3f1ac1adb501f2d03f4e1e8b1af706504cdfd2413b50756e9e901d4eccc0469d
RECEIVING BLE BUFFER: 82000101
RECEIVING BLE BUFFER: 83000131
SUCCESSFULLY RECEIVED RESPONSE!
{status: "ok", data: {…}}
{status: "ok", data: {…}}
RECEIVING BLE BUFFER: 83000102
Received unexpected message...
VM228:3336 Uncaught (in promise) Error: Expected authenticator to succeed with CTAP1_ERR_SUCCESS(0). Got CTAP2_ERR_PIN_INVALID(49)
    at eval (eval at compileCode (sandbox.js:25), <anonymous>:3336:19)

nuno0529 commented 2 years ago

v1.6.37 still has the freeze issue in P-6.

yackermann commented 2 years ago

Addressed in 1.6.38

yackermann commented 2 years ago

Resolved in 1.6.38 https://builds.fidoalliance.org/Desktop%20UAF%20FIDO2%20U2F/EXPERIMENTAL/v1.6.38/

nuno0529 commented 2 years ago

Thanks, I see the P-6 is removed in v1.6.38.