Bugs in Ext: HMAC Secret - Strict PUAT2 tests

[nagreme]

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

• [x] I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

• [ ] FIDO2 Server
• [ ] CTAP2.0
• [x] CTAP2.1
• [ ] UAF 1.1
• [ ] U2F 1.1
• [ ] U2F 1.2

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

• [x] Security Key / FIDO2 / U2F authenticators
• [ ] Server
• [ ] UAF Client-ASM-Authenticator combo
• [ ] UAF Client
• [ ] UAF ASM-Authenticator

If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org

What is the version of the tool are you using?

1.7.14

What is the OS and the version are you running?

For desktop tools

• [ ] OSX
• [x] Windows 11
• [ ] Linux

For UAF mobile tools

• [ ] iOS
• [ ] Android

Issue description

Note: this is for an NFC smart card

Hello again, the 1.7.14 release did fix the issues seen in #714 but some of the new hmac-secret strict PUAT2 tests seem to have bad assertions. I assumed this was an early version and that they'd get fixed eventually, but this is impacting our ability to apply for the upcoming interoperability event in September (for the certification process), so I wanted to follow up.

Here are the failing tests and my understanding of the cause:

P-3

Send a valid CTAP2 getAssertion(0x02) message, "extensions" containing a valid "hmac-secret" extension request, with one salt, wait for the response, and check that Authenticator returns CTAP1_ERR_SUCCESS(0x00) error code, and: (a) Check that response contains extensions encrypted "hmac-secret" extension response. Decrypt it and save it as salt1 (b) Send another GetAssertion with salt1 and salt2, and check that response still equal to result, and nonUvSalt2Hmac does not equal nonUvSalt1Hmac

Error: Authenticator did not return 32 bytes HMAC of salt2!
    at eval (eval at compileCode (js/sandbox.js:25:26), <anonymous>:2623:23)

I've combed through the logs for this one and my authenticator implementation is returning 64 bytes for the hmac-secret extension on the last (3rd) getAssertion in this test so I'm not sure why I'm getting the above message.

authdata 116b => rpId hash (32b) || flags (1b) || counter (4b) || extensions (79b) extensions 79b => CBOR map header (1b) || CBOR "hmac-secret" (12b) || bytes + header (66b, for 5840 followed by 2 x 32 byte outputs)

See detailed logs

Click to expand

``` controller.js:444 Test started: P-3 Send a valid CTAP2 getAssertion(0x02) message, "extensions" containing a valid "hmac-secret" extension request, with one salt, wait for the response, and check that Authenticator returns CTAP1_ERR_SUCCESS(0x00) error code, and: (a) Check that response contains extensions encrypted "hmac-secret" extension response. Decrypt it and save it as salt1 (b) Send another GetAssertion with salt1 and salt2, and check that response still equal to result, and nonUvSalt2Hmac does not equal nonUvSalt1Hmac VM224:3171 [CTAP2.1] GetInfo: ---> Sending CTAP CMD... 04 undefined [NFC] Selected protocol "2" for reader "HID Global OMNIKEY 5022 Smart Card Reader 0" [NFC] ---> DATA SENT: 00a4040008a0000006472f000100 [NFC] <--- DATA RECEIVED: 4649444f5f325f309000 [NFC] RECEIVED SW_NO_ERROR [NFC] ---> DATA SENT: 80100000010400 [NFC] <--- DATA RECEIVED: 00a80183684649444f5f325f30684649444f5f325f316c4649444f5f325f315f50524502826b686d61632d7365637265746b6372656450726f7465637403509907c3a8248349b59c482c69d90e8a3804a962726bf5627570f5627576f568616c776179735576f468637265644d676d74f569636c69656e7450696ef46e70696e557641757468546f6b656ef5706d616b654372656455764e6f74527164f47563726564656e7469616c4d676d7450726576696577f5068201020a81a263616c672664747970656a7075626c69632d6b65790e1af000200511019000 [NFC] RECEIVED SW_NO_ERROR VM224:3253 [CTAP2.1] GetInfo: <--- Received successful response {statusCode: 0, type: "GetInfo", cborResponse: {…}, cborResponseStruct: {…}, cborBuffer: Uint8Array(216), …} VM224:3171 [CTAP2.1] ClientPIN: ---> Sending CTAP CMD... 06a201020202 {1: 2, 2: 2} [NFC] ---> DATA SENT: 801000000606a20102020200 [NFC] <--- DATA RECEIVED: 00a101a50102033818200121582024635ad9dee087e4e551449b6cebe6e0772857df4ef744da8e8fe35f7adeac152258205feeabe327963c2444092dc0867dbf6b475d856992a3b4b231119b0ec16dadcd9000 [NFC] RECEIVED SW_NO_ERROR VM224:2776 [CTAP2.1] Generating GetAssertion CBOR for struct... {1: "leveltable.ec", 2: Uint8Array(32), 3: Array(1), 4: {…}, 5: undefined, 6: undefined, 7: undefined} VM224:3171 [CTAP2.1] GetAssertion: ---> Sending CTAP CMD... 02a4016d6c6576656c7461626c652e65630258208358f5b79904a22e0ac7bc879bb43c3d4678ab01cc3a3a511fe150b39f78b16e0381a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657904a16b686d61632d736563726574a401a501020338182001215820fb851d91bdf765b31f8908c0607565a8273e64a59a8f4113badf3b5669e4363022582020a4355ac0e53d695fe71f70a50a766de9c39ffca5bc811330067eea355c0f7a025830ae617250ac84c3360e97c9df67cb30a482ba96aa80abec7664d42f7408f135358077973c8bfd58006a60c991fe8ca2e7035820dfb7fca452d7e6f4cee0f4313d8982ce66c42ff244979b2905d0c4263a7b6bab0402 {1: "leveltable.ec", 2: "8358f5b79904a22e0ac7bc879bb43c3d4678ab01cc3a3a511fe150b39f78b16e", 3: Array(1), 4: {…}} [NFC] ---> DATA SENT: 90100000f002a4016d6c6576656c7461626c652e65630258208358f5b79904a22e0ac7bc879bb43c3d4678ab01cc3a3a511fe150b39f78b16e0381a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657904a16b686d61632d736563726574a401a501020338182001215820fb851d91bdf765b31f8908c0607565a8273e64a59a8f4113badf3b5669e4363022582020a4355ac0e53d695fe71f70a50a766de9c39ffca5bc811330067eea355c0f7a025830ae617250ac84c3360e97c9df67cb30a482ba96aa80abec7664d42f7408f13535807797 [NFC] <--- DATA RECEIVED: 9000 [NFC] RECEIVED SW_NO_ERROR [NFC] ---> DATA SENT: 80100000323c8bfd58006a60c991fe8ca2e7035820dfb7fca452d7e6f4cee0f4313d8982ce66c42ff244979b2905d0c4263a7b6bab040200 [NFC] <--- DATA RECEIVED: 00a401a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657902585476d3dc0ac7cf59fdbc6591f93646a565413952dca88afe5dcb3ac6f742545390810000001ba16b686d61632d7365637265745820cbf556ad2cb782f91ca8b3fecb8deb5f9f2a9f092cdee5b431bc75f04a28bc28035847304502202e543d297db7383eb1c6f5ddc8d9ed814801a70a3a0d9252a443aecdb90a7396022100f322ba752200aa040cc6b286576d20f95fdc4d9bdf92927664e81106c6409db204a1626964582097b6f658eec4893ca1e07bf01a348337b2251dd7ccafe3758d895bfbc2678d6101 [NFC] RECEIVED undefined [NFC] Bytes remaining: 1 [NFC] ---> DATA SENT: 80c0000001 [NFC] <--- DATA RECEIVED: bd9000 [NFC] RECEIVED SW_NO_ERROR VM224:3253 [CTAP2.1] GetAssertion: <--- Received successful response {statusCode: 0, type: "GetAssertion", cborResponse: {…}, cborResponseStruct: {…}, cborBuffer: Uint8Array(256), …} VM224:3171 [CTAP2.1] ClientPIN: ---> Sending CTAP CMD... 06a201020202 {1: 2, 2: 2} [NFC] Selected protocol "2" for reader "HID Global OMNIKEY 5022 Smart Card Reader 0" [NFC] ---> DATA SENT: 00a4040008a0000006472f000100 [NFC] <--- DATA RECEIVED: 4649444f5f325f309000 [NFC] RECEIVED SW_NO_ERROR [NFC] ---> DATA SENT: 801000000606a20102020200 [NFC] <--- DATA RECEIVED: 00a101a501020338182001215820913b57b16ef1f351296b3d3d13275dbec11487b01e5f8ea1f1c6ffa8e52f79b1225820e5a961db29c915ef59b97f7cad7b894919c9c7aff423cba60d6b7e9caa2431689000 [NFC] RECEIVED SW_NO_ERROR VM224:2776 [CTAP2.1] Generating GetAssertion CBOR for struct... {1: "leveltable.ec", 2: Uint8Array(32), 3: Array(1), 4: {…}, 5: undefined, 6: undefined, 7: undefined} VM224:3171 [CTAP2.1] GetAssertion: ---> Sending CTAP CMD... 02a4016d6c6576656c7461626c652e6563025820950cca3e1a3486ff1fb4cb281d171cc8bcb28975cae90e669e659ffa3e5c39c90381a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657904a16b686d61632d736563726574a401a5010203381820012158207b8a99cd39a55f6e9df1cc729090262980caa04da413c8fd8ca13625f8f8cda12258203f0f9998f6725de4235dcdc7d788cb61f912f6aa82014e5bd18839cdcbcd33f1025830bae33f4815ade6e73aa0f0200de106e86f5a613de75bb1281d6ce296dd6216b9166af8139dba7967f65bf4a73bc70c22035820311c810303d9d179b66071005645561b7b9b7c08ba72a149346d0d19976aa1d20402 {1: "leveltable.ec", 2: "950cca3e1a3486ff1fb4cb281d171cc8bcb28975cae90e669e659ffa3e5c39c9", 3: Array(1), 4: {…}} [NFC] ---> DATA SENT: 90100000f002a4016d6c6576656c7461626c652e6563025820950cca3e1a3486ff1fb4cb281d171cc8bcb28975cae90e669e659ffa3e5c39c90381a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657904a16b686d61632d736563726574a401a5010203381820012158207b8a99cd39a55f6e9df1cc729090262980caa04da413c8fd8ca13625f8f8cda12258203f0f9998f6725de4235dcdc7d788cb61f912f6aa82014e5bd18839cdcbcd33f1025830bae33f4815ade6e73aa0f0200de106e86f5a613de75bb1281d6ce296dd6216b9166af8 [NFC] <--- DATA RECEIVED: 9000 [NFC] RECEIVED SW_NO_ERROR [NFC] ---> DATA SENT: 8010000032139dba7967f65bf4a73bc70c22035820311c810303d9d179b66071005645561b7b9b7c08ba72a149346d0d19976aa1d2040200 [NFC] <--- DATA RECEIVED: 00a401a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657902585476d3dc0ac7cf59fdbc6591f93646a565413952dca88afe5dcb3ac6f742545390810000001ca16b686d61632d7365637265745820a0bd6c0f1031c3bed72c9479d9bb608fe9b8edbe972def69708509cbb4c62c5d035846304402206c505b13e8c1003f85758e9317492b657399dd099c1e9b8d9df02025d70c4fce02203c5526cbea7bcde1ab1fd186ee00ac1bd0553a8d3c4b1ab976c854d80e63a22704a1626964582097b6f658eec4893ca1e07bf01a348337b2251dd7ccafe3758d895bfbc2678dbd9000 [NFC] RECEIVED SW_NO_ERROR VM224:3253 [CTAP2.1] GetAssertion: <--- Received successful response {statusCode: 0, type: "GetAssertion", cborResponse: {…}, cborResponseStruct: {…}, cborBuffer: Uint8Array(255), …} VM224:3171 [CTAP2.1] ClientPIN: ---> Sending CTAP CMD... 06a201020202 {1: 2, 2: 2} [NFC] Selected protocol "2" for reader "HID Global OMNIKEY 5022 Smart Card Reader 0" [NFC] ---> DATA SENT: 00a4040008a0000006472f000100 [NFC] <--- DATA RECEIVED: 4649444f5f325f309000 [NFC] RECEIVED SW_NO_ERROR [NFC] ---> DATA SENT: 801000000606a20102020200 [NFC] <--- DATA RECEIVED: 00a101a501020338182001215820a869df96bfbf07962975f5f5d5e819a2c80ee9abc2bd4ca3c75696a9c387847e225820432d43b12aa5fc7f45bd750dc758cace4b381d0fa6827bf65bf1ed731a4979689000 [NFC] RECEIVED SW_NO_ERROR VM224:2776 [CTAP2.1] Generating GetAssertion CBOR for struct... {1: "leveltable.ec", 2: Uint8Array(32), 3: Array(1), 4: {…}, 5: {…}, 6: undefined, 7: undefined} VM224:3171 [CTAP2.1] GetAssertion: ---> Sending CTAP CMD... 02a5016d6c6576656c7461626c652e656302582043834ae428939946dc82fd9687d907acd3f755a6c089d61ab3781ce1c809a7d50381a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657904a16b686d61632d736563726574a401a5010203381820012158206324269ea272f0b3a2ce8cc15d3a4ef7fd0092ba982635a2e2aba9dbdb8c602d225820e3e4b7807c1a56323406152ba1478ed09ddba850289863f76271325d741ea44c025850ddb1e5dfe16f649026efa3a9898264c20ef9717f671d548d3a74365c1893141b893ec0a0eb2f4846dd842f920ca3a065f62814145207633fcc858f58f67a36ab71db77a5535a0656c98509bdeb2b70fa035820723689d401ee3bb9fc51b4c62c4e74579834e5854ff0d8df748e5132f1b0f0d2040205a0 {1: "leveltable.ec", 2: "43834ae428939946dc82fd9687d907acd3f755a6c089d61ab3781ce1c809a7d5", 3: Array(1), 4: {…}, 5: {…}} [NFC] ---> DATA SENT: 90100000f002a5016d6c6576656c7461626c652e656302582043834ae428939946dc82fd9687d907acd3f755a6c089d61ab3781ce1c809a7d50381a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657904a16b686d61632d736563726574a401a5010203381820012158206324269ea272f0b3a2ce8cc15d3a4ef7fd0092ba982635a2e2aba9dbdb8c602d225820e3e4b7807c1a56323406152ba1478ed09ddba850289863f76271325d741ea44c025850ddb1e5dfe16f649026efa3a9898264c20ef9717f671d548d3a74365c1893141b893ec0 [NFC] <--- DATA RECEIVED: 9000 [NFC] RECEIVED SW_NO_ERROR [NFC] ---> DATA SENT: 8010000054a0eb2f4846dd842f920ca3a065f62814145207633fcc858f58f67a36ab71db77a5535a0656c98509bdeb2b70fa035820723689d401ee3bb9fc51b4c62c4e74579834e5854ff0d8df748e5132f1b0f0d2040205a000 [NFC] <--- DATA RECEIVED: 00a401a262696458205bf7892df6e8c87f0550ededc17e02e14c8cf3173e0d27127bacaa9fc21abcca64747970656a7075626c69632d6b657902587476d3dc0ac7cf59fdbc6591f93646a565413952dca88afe5dcb3ac6f742545390810000001da16b686d61632d7365637265745840c34fb638e33f42423adef3a4167b4a63e10f53be59e3d51738dc8e1c9288d793c4c25c87b1bd4a438d6c25b72caf0ba16be5b05171de823b7dcf2fddcf5fd61e0358483046022100d283ac9edaff2f0642ceda180d943148927818deb26256c5a736a08ffc5f2fe3022100c5dea49b9c0819fb710133b4835aac98654306c870d199d187c49460a1ec4c7c04a16269646122 [NFC] RECEIVED undefined [NFC] Bytes remaining: 34 [NFC] ---> DATA SENT: 80c0000022 [NFC] <--- DATA RECEIVED: 582097b6f658eec4893ca1e07bf01a348337b2251dd7ccafe3758d895bfbc2678dbd9000 [NFC] RECEIVED SW_NO_ERROR VM224:3253 [CTAP2.1] GetAssertion: <--- Received successful response {statusCode: 0, type: "GetAssertion", cborResponse: {…}, cborResponseStruct: {…}, cborBuffer: Uint8Array(289), …} controller.js:444 Test started: P-4 ```

Error case tests (F-1, F-2, F-3)

For the next three you can see the test description says to expect an error response code but the code seems to be checking for a success code:

[BryanJacobs]

When I investigated this one in a situation similar to yours, I found that the test suite sent a different PINProtocol inside the hmac-secret extension block than the one used outside (in the actual getAssertion code).

If the hmac-secret extension input contains pinProtocol=2, and the getAssertion request has no PIN protocol (or an explicit 1), you still need to use PIN protocol 2 for the HMAC-secret extension result - in other words, the response should be 48/90 bytes long because there is a 16 byte IV on there.

Is it possible you're using the PIN protocol from "outside" for the HMAC secret?

[nagreme]

Oh good catch, I'll make that change to see if it helps with the conformance test and get back to you :+1:

In the meantime, any updates on the other 3 tests (F-1, F-2, F-3)?

[BryanJacobs]

I'm not from the FIDO Alliance, I'm just a random guy on the Internet who wrote an authenticator implementation.

I can tell you that my standards-correct implementation passes these tests. I suspect the test suite bug here is just reversing the "expected" and "actual" values, and your implementation is passing when it should fail. But you're the only one who'd be able to tell for sure, as you didn't include the detailed console logs for tests F-1/2/3.

[nagreme]

Not sure why the fail cases were not passing since I was returning error codes when appropriate, but separating the protocol version used in hmac-secret from the "external" one ended up fixing everything!

Thanks for the advice @BryanJacobs, cheers 🥂