Closed BryanJacobs closed 9 months ago
New build with a fix for this issue will be available in a few days.
@BryanJacobs Sorry for the wait. We've uploaded a new build v1.7.15
with a fix for this issue.
@iirachek Thanks for the build, but I still see two blocking issues, sorry.
My authenticator returning keyProtection 0x0A ( secure_element=0x08 | hardware=0x02) with an MDS that says keyProtection = ["hardware", "secure_element"] causes the test to complain it didn't find TEE. So something's up with the values you're checking in there.
https://github.com/fido-alliance/conformance-test-tools-resources/issues/719 is still open, and makes it impossible to pass the CredProtect tests on an authenticator supporting turning on alwaysUv but defaulting to off.
@BryanJacobs
I'm very sorry, it looks like my authenticator return value was incorrect, as I tweaked it to try to pass the test-as-it-was.
I stil think there's a problem with this test, though, when the authenticator returns >1 key protection method in one array element.
My authenticator returns uvm=0x81831908000A04. Broken down:
0x81 - one-element array 0x83 - three-element array 0x19 0800 - user verification passcode_external 0x0A - key protection secure_element | hardware (together - secure element is 0x08 and hardware is 0x02) 0x04 - matcher protection on_chip
I think this is a correct response per the webauthn specification. I think the combination of values is what's intended; after all, the FIDO registry defined values are clearly bitfield numbers (powers of two).
The error message I get when running the test suite with this authenticator response is:
Metadata does not support keyProtection modality "undefined"(10)!: expected [ 'hardware', 'secure_element' ] to include undefined
I think you need to treat key protection (and matcher protection) as bitfields not just map lookups.
Thank you.
I think you need to treat key protection (and matcher protection) as bitfields not just map lookups.
Yeah, that's the problem I've mentioned previously and it's being addressed.
This is closed but I don't see a release of the test tools containing the fix available, sorry. Is it possible you closed the issue before making available a build?
@BryanJacobs The issue got closed automatically due to a link in the internal pull request. The new build is being prepared and will be available soon.
@BryanJacobs This issue should be resolved in the latest v1.7.16 update.
By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.
If you have privacy concerns, please email conformance-tools@fidoalliance.org
FIRST PRE CHECK
What protocol are you implementing?
NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.
What is your implementation class?
If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org
What is the version of the tool are you using?
1.7.14
What is the OS and the version are you running?
For desktop tools
For UAF mobile tools
Issue description
First off, the UVM extension isn't part of CTAP2.1 (or CTAP2.2 drafts). In fact it's not even mentioned in the spec document - it's part of webauthn-2. So it's a bit odd that "CTAP2.1 full feature profile" requires implementating something that isn't even alluded to in the specification itself.
That said, the test suite implementation seems to be bugged. With a MDS containing:
and
the test suite for "P-1 Create a new credential with extensions containing uvm extension input set to True, and check that authenticator succeeds Check that MakeCredential response extensions contain uvm extension output." gives:
I've manually inspected the request and response, and they look fine - the authenticator is returning a one-element CBOR array whose first element is itself a three-element array of integers, which is what the webauthn-2 spec says is supposed to come back.