fido-alliance / conformance-test-tools-resources

Certification Test Tools Resources. For security and privacy related issues email tools@certification.fidoalliance.org
https://fidoalliance.org/certification/functional-certification/conformance/

Are unknown extensions not allowed in metadata check? #623

Closed nuno0529 closed 2 years ago

nuno0529 commented 3 years ago

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

What protocol are you implementing?

NOTE: UAF 1.0 certification has been officially sunset. U2F 1.2 is the only supported version of U2F.

What is your implementation class?

Issue description

The line below checks that only defined extensions are allowed: https://github.com/fido-alliance/ctap2.1-conformance-module/blob/main/tests/CTAP2/Metadata/Metadata-Stmt-1.js#L736

var GETINFO_EXTENSION_IDENTIFIERS = ['credProtect', 'credBlob', 'largeBlobKey', 'minPinLength', 'hmac-secret', 'txAuthSimple', 'txAuthGeneric'];

Could you help me find where this is described in the spec? I can't find it.

yackermann commented 2 years ago

There are two extension lists:

https://w3c.github.io/webauthn/#sctn-extensions

and https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-defined-extensions

nuno0529 commented 2 years ago

My point is just: why are only the extensions mentioned in the CTAP2/WebAuthn specs allowed in metadata/getInfo? I can't see this kind of restriction in the spec.

Besides, as txAuthSimple and txAuthGeneric are removed in WebAuthn L3, how do we judge whether they are allowed or not?
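The check the thread is arguing about, as an added illustration that is not code from the conformance tool or from either participant: it validates the `extensions` member of an authenticatorGetInfo response against the identifier list quoted in the issue, in a strict mode that rejects anything not on the list (what the quoted line does) and a permissive mode that only warns (what nuno0529 is asking for). The `DEPRECATED_EXTENSION_IDENTIFIERS` list, the `strict` option and the sample response are assumptions made for this example.

```javascript
// Added illustration (not code from the conformance tool or the thread's
// participants): validate the `extensions` member of an authenticatorGetInfo
// response against a known list, in a strict mode that mirrors the check
// quoted in the issue and a permissive mode that only warns on unknown ids.

// Taken from the Metadata-Stmt-1.js line quoted in the issue.
const GETINFO_EXTENSION_IDENTIFIERS = [
  'credProtect', 'credBlob', 'largeBlobKey', 'minPinLength',
  'hmac-secret', 'txAuthSimple', 'txAuthGeneric',
];

// Assumption for this example: the two identifiers the thread says were
// dropped from later WebAuthn levels get a warning instead of a silent pass.
const DEPRECATED_EXTENSION_IDENTIFIERS = ['txAuthSimple', 'txAuthGeneric'];

function checkGetInfoExtensions(getInfo, { strict = true } = {}) {
  const result = { ok: true, errors: [], warnings: [] };
  const exts = getInfo.extensions;
  if (exts === undefined) return result; // optional member; absent is fine

  if (!Array.isArray(exts)) {
    result.ok = false;
    result.errors.push('extensions must be an array of strings');
    return result;
  }

  const seen = new Set();
  for (const id of exts) {
    if (typeof id !== 'string' || id.length === 0) {
      result.ok = false;
      result.errors.push(`non-string or empty extension identifier: ${JSON.stringify(id)}`);
      continue;
    }
    if (seen.has(id)) {
      result.ok = false;
      result.errors.push(`duplicate extension identifier: ${id}`);
      continue;
    }
    seen.add(id);

    if (DEPRECATED_EXTENSION_IDENTIFIERS.includes(id)) {
      result.warnings.push(`${id} is on the deprecated list; check the spec level you certify against`);
      continue;
    }
    if (!GETINFO_EXTENSION_IDENTIFIERS.includes(id)) {
      if (strict) {
        // Behaviour of the quoted conformance check: unknown means fail.
        result.ok = false;
        result.errors.push(`unknown extension identifier: ${id}`);
      } else {
        // Permissive alternative: surface it, but do not fail the test.
        result.warnings.push(`unknown extension identifier (vendor or newer spec?): ${id}`);
      }
    }
  }
  return result;
}

// Constructed sample, not a real authenticator's getInfo response.
const SAMPLE_GETINFO = {
  versions: ['FIDO_2_1'],
  extensions: ['credProtect', 'hmac-secret', 'txAuthSimple', 'vendor-example'],
};

console.log(checkGetInfoExtensions(SAMPLE_GETINFO, { strict: true }));
console.log(checkGetInfoExtensions(SAMPLE_GETINFO, { strict: false }));
```

Run with `node`: in strict mode the sample fails on `vendor-example` and warns on `txAuthSimple`; in permissive mode it passes with two warnings. Duplicate or non-string identifiers fail in both modes, since those are malformed regardless of which extensions the spec lists.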