FIRST PRE CHECK
What protocol are you implementing?
NOTE: UAF 1.0 certification has been officially sunset. U2F 1.2 is the only supported version of U2F.
What is your implementation class?
If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org
What version of the tool are you using?
v1.7.11
What OS and version are you running?
For desktop tools
For UAF mobile tools
Issue description
Our authenticator supports only Protocol v2. All tests in the conformance tool check the protocol supported in the authenticatorGetInfo response, except the test concerning hmac-secret.
Trace
Send a valid CTAP2 authenticatorClientPin(0x01) message with getKeyAgreement(0x02) subCommand, wait for the response, and check that Authenticator returns CTAP1_ERR_SUCCESS(0x00) error code, and:
(a) check that authenticatorClientPin_Response contains "keyAgreement" field, and its of type MAP
(b) in COSE "keyAgreement" field:
(1) check that public key is EC2(kty(1) is set to 2)
(2) check that key crv(-1) curve field that is set to P256(1)
(3) check that key alg(3) is set to ECDH-ES+HKDF-256(-25)
(4) check that key contains x(-2) is of type BYTE STRING, and is 32bytes long
(5) check that key contains y(-3) is of type BYTE STRING, and is 32bytes long
(6) check that key does NOT contains ANY other coefficients

VM230:3284 Sending CTAP CMD: ClientPIN...
VM230:3285 Uint8Array(5) [162, 1, 1, 2, 2]
C:\Users\t0265240\AppData\Local\Programs\fido-conformance-tools-electron\resources\app.asar\dependencies\transports\nfcdep.js:238 NFC DATA SENT: 801000000606a20101020200
C:\Users\t0265240\AppData\Local\Programs\fido-conformance-tools-electron\resources\app.asar\dependencies\transports\nfcdep.js:243 NFC DATA RECEIVED: 029000
The authenticator returns 02 (CTAP1_ERR_INVALID_PARAMETER) because the getKeyAgreement command is sent with protocol 1 selected. (If the authenticator does not support the selected pinUvAuthProtocol, it returns CTAP1_ERR_INVALID_PARAMETER.)
The test of the hmac-secret extension calls clientpin1_generateCMD_GetKeyAgreement() (so implicitly Protocol 1) directly.
Could you please fix this problem?
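
The following is an added example, not code from the conformance tool or from the reporter: it decodes the NFC trace in the issue to show that the request carries pinUvAuthProtocol 1, then builds the same getKeyAgreement request with a protocol chosen from the list the authenticator reports in authenticatorGetInfo. All function names and the `clientSupports` parameter are hypothetical, and the CBOR reader handles only the small-integer map this request uses.

```javascript
// Added example; function names are hypothetical, not the conformance tool's.
const STATUS = { 0x00: 'CTAP1_ERR_SUCCESS', 0x02: 'CTAP1_ERR_INVALID_PARAMETER' };
const KEY_PIN_UV_AUTH_PROTOCOL = 0x01; // request map key: pinUvAuthProtocol
const KEY_SUBCOMMAND = 0x02;           // request map key: subCommand
const SUB_GET_KEY_AGREEMENT = 0x02;
// Trace bytes copied from the issue.
const NFC_SENT = '801000000606a20101020200';
const NFC_RECEIVED = '029000';

const hexToBytes = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Minimal CBOR reader: a definite-length map whose keys and values are
// unsigned integers 0..23 (one byte each), which is all this request uses.
function decodeSmallUintMap(bytes) {
  const count = bytes[0] & 0x1f;
  if ((bytes[0] >> 5) !== 5 || count > 23 || bytes.length !== 1 + 2 * count) {
    throw new Error('unsupported CBOR');
  }
  const map = {};
  for (let i = 1; i < bytes.length; i += 2) {
    if (bytes[i] > 23 || bytes[i + 1] > 23) throw new Error('unsupported CBOR');
    map[bytes[i]] = bytes[i + 1];
  }
  return map;
}
// Short APDU layout: CLA INS P1 P2 Lc | CTAP command byte + CBOR map | Le
function parseRequest(hex) {
  const apdu = hexToBytes(hex);
  const lc = apdu[4];
  if (apdu.length !== 5 + lc + 1) throw new Error('unexpected APDU length');
  const params = decodeSmallUintMap(apdu.subarray(6, 5 + lc));
  return { command: apdu[5], protocol: params[KEY_PIN_UV_AUTH_PROTOCOL],
           subCommand: params[KEY_SUBCOMMAND] };
}
// Response layout: CTAP status byte, optional CBOR, then SW1 SW2.
function parseResponse(hex) {
  const r = hexToBytes(hex);
  return { status: r[0], statusName: STATUS[r[0]],
           sw: (r[r.length - 2] << 8) | r[r.length - 1] };
}
// Pick the first protocol in the authenticator's pinUvAuthProtocols list
// (from authenticatorGetInfo) that the client also implements.
function buildGetKeyAgreement(pinUvAuthProtocols, clientSupports = [1, 2]) {
  const protocol = pinUvAuthProtocols.find((p) => clientSupports.includes(p));
  if (protocol === undefined) throw new Error('no common pinUvAuthProtocol');
  return Uint8Array.from([0xa2, KEY_PIN_UV_AUTH_PROTOCOL, protocol,
                          KEY_SUBCOMMAND, SUB_GET_KEY_AGREEMENT]);
}
console.log(parseRequest(NFC_SENT), parseResponse(NFC_RECEIVED));
console.log(buildGetKeyAgreement([2])); // request for a Protocol 2-only authenticator
```
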