hmac-secret: protocol used is protocol v1 even if only protocol v2 is supported

carov0610 commented 1 year ago

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

[X] I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

[ ] FIDO2 Server
[ ] CTAP2.0
[X] CTAP2.1
[ ] UAF 1.1
[ ] U2F 1.1
[ ] U2F 1.2

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

[X] Security Key / FIDO2 / U2F authenticators
[ ] Server
[ ] UAF Client-ASM-Authenticator combo
[ ] UAF Client
[ ] UAF ASM-Authenticator

If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org

What is the version of the tool are you using?

v1.7.11

What is the OS and the version are you running?

For desktop tools

[ ] OSX
[X] Windows
[ ] Linux

For UAF mobile tools

[ ] iOS
[ ] Android

Issue description

Our authenticator supports only Protocol v2. All tests in conformance tool check protocol supported in authenticatorGetInfo response except test concerning hmac-secret.

Trace Send a valid CTAP2 authenticatorClientPin(0x01) message with getKeyAgreement(0x02) subCommand, wait for the response, and check that Authenticator returns CTAP1_ERR_SUCCESS(0x00) error code, and: (a) check that authenticatorClientPin_Response contains "keyAgreement" field, and its of type MAP (b) in COSE "keyAgreement" field: (1) check that public key is EC2(kty(1) is set to 2) (2) check that key crv(-1) curve field that is set to P256(1) (3) check that key alg(3) is set to ECDH-ES+HKDF-256(-25) (4) check that key contains x(-2) is of type BYTE STRING, and is 32bytes long (5) check that key contains y(-3) is of type BYTE STRING, and is 32bytes long (6) check that key does NOT contains ANY other coefficients

VM230:3284 Sending CTAP CMD: ClientPIN... VM230:3285 Uint8Array(5) [162, 1, 1, 2, 2] C:\Users\t0265240\AppData\Local\Programs\fido-conformance-tools-electron\resources\app.asar\dependencies\transports\nfcdep.js:238 NFC DATA SENT: 801000000606a20101020200 C:\Users\t0265240\AppData\Local\Programs\fido-conformance-tools-electron\resources\app.asar\dependencies\transports\nfcdep.js:243 NFC DATA RECEIVED: 029000

authenticator returns 02 (CTAP1_ERR_INVALID_PARAMETER) because getKeyAgreement command is sent with protocol 1 selected (If the authenticator does not support the selected pinUvAuthProtocol, it returns CTAP1_ERR_INVALID_PARAMETER.)

test of hmac-secret extension calls clientpin1_generateCMD_GetKeyAgreement() - so implicitly Protocol 1 - directly.

Could you please fix this problem?

yackermann commented 1 year ago

@carov0610 I am almost done with that. Will release build by wednesday.

yackermann commented 1 year ago

This one is almost done

yackermann commented 1 year ago

Ref #667

yackermann commented 1 year ago

Latest build https://builds.fidoalliance.org/Desktop%20UAF%20FIDO2%20U2F/v1.7.14/

fido-alliance / conformance-test-tools-resources