Closed nuno0529 closed 2 years ago
Tool version: 1.6.34
The newPinEnc in this test case will exceed pin_v2's 80-byte length, `16B iv || 64B enc(newPin)`, so this should fail early when doing the pinUvAuthParam check in step 5 or the paddedNewPin length check in step 7: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#:~:text=the%20authenticator%20calls%20verify(shared%20secret%2C%20newpinenc%2C%20pinuvauthparam)
This test item should accept `CTAP2_ERR_PIN_AUTH_INVALID(0x33)` and `CTAP1_ERR_INVALID_PARAMETER(0x2)` as well, and not be limited to only `CTAP2_ERR_PIN_POLICY_VIOLATION(0x37)`.
Addressed in 1.6.38
Resolved in 1.6.38 https://builds.fidoalliance.org/Desktop%20UAF%20FIDO2%20U2F/EXPERIMENTAL/v1.6.38/
I see this F-2/F-3 check error code is relaxed, but I see a new related problem in #645.
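An added example (not code from the conformance tool or from anyone in this thread) of how an oversized newPinEnc under PIN/UV auth protocol 2 can stop at the step 5 pinUvAuthParam check or at the step 7 paddedNewPin length check. The function names, the constructed sample values and the step 6 error mapping are assumptions of this sketch; because AES-CBC keeps ciphertext and plaintext the same length, the lengths alone decide step 7 and no AES library is needed.

```python
import hashlib
import hmac

CTAP1_ERR_INVALID_PARAMETER = 0x02
CTAP2_ERR_PIN_AUTH_INVALID = 0x33

IV_LEN = 16          # protocol 2 prepends a 16-byte IV to the ciphertext
AES_BLOCK = 16
PADDED_PIN_LEN = 64  # paddedNewPin must be exactly 64 bytes


def authenticate_v2(shared_secret: bytes, message: bytes) -> bytes:
    """Protocol 2 authenticate(): HMAC-SHA-256 keyed with the first 32 bytes."""
    return hmac.new(shared_secret[:32], message, hashlib.sha256).digest()


def setpin_early_checks(shared_secret, new_pin_enc, pin_uv_auth_param):
    """Status produced by steps 5-7, or None when processing would continue
    to the PIN policy checks (hypothetical helper, lengths only)."""
    # Step 5: verify(shared secret, newPinEnc, pinUvAuthParam)
    expected = authenticate_v2(shared_secret, new_pin_enc)
    if not hmac.compare_digest(expected, pin_uv_auth_param):
        return CTAP2_ERR_PIN_AUTH_INVALID
    # Step 6: decrypt needs an IV plus whole AES blocks (assumed error mapping)
    ct_len = len(new_pin_enc) - IV_LEN
    if ct_len < 0 or ct_len % AES_BLOCK:
        return CTAP2_ERR_PIN_AUTH_INVALID
    # Step 7: paddedNewPin has the same length as the CBC ciphertext
    if ct_len != PADDED_PIN_LEN:
        return CTAP1_ERR_INVALID_PARAMETER
    return None


def demo():
    secret = bytes(range(64))       # constructed 64-byte shared secret
    good = bytes(IV_LEN + 64)       # constructed 80-byte newPinEnc
    oversized = bytes(IV_LEN + 80)  # constructed 96-byte newPinEnc
    return [
        setpin_early_checks(secret, good, authenticate_v2(secret, good)),
        # MAC covers the oversized blob: rejected at the length check
        setpin_early_checks(secret, oversized, authenticate_v2(secret, oversized)),
        # MAC covers only the first 80 bytes: rejected at verify
        setpin_early_checks(secret, oversized, authenticate_v2(secret, oversized[:80])),
    ]


if __name__ == "__main__":
    print([r if r is None else hex(r) for r in demo()])
```
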