UVM Test Case fails

[BryanJacobs]

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

• [X] I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

• [ ] FIDO2 Server
• [X] CTAP2.0
• [X] CTAP2.1
• [ ] UAF 1.1
• [ ] U2F 1.1
• [X] U2F 1.2

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

• [X] Security Key / FIDO2 / U2F authenticators
• [ ] Server
• [ ] UAF Client-ASM-Authenticator combo
• [ ] UAF Client
• [ ] UAF ASM-Authenticator

If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org

What is the version of the tool are you using?

1.7.14

What is the OS and the version are you running?

For desktop tools

• [ ] OSX
• [X] Windows
• [ ] Linux

For UAF mobile tools

• [ ] iOS
• [ ] Android

Issue description

First off, the UVM extension isn't part of CTAP2.1 (or CTAP2.2 drafts). In fact it's not even mentioned in the spec document - it's part of webauthn-2. So it's a bit odd that "CTAP2.1 full feature profile" requires implementating something that isn't even alluded to in the specification itself.

That said, the test suite implementation seems to be bugged. With a MDS containing:

"userVerificationDetails": [                                                                                                                                                                                     
 [                                                                                                                                                                                                              
   {"userVerificationMethod": "none"}                                                                                                                                                                           
 ],                                                                                                                                                                                                             
 [{                                                                                                                                                                                                             
   "userVerificationMethod": "passcode_external"                                                                                                                                                                
 }]                                                                                                                                                                                                             
 ],

and

"authenticatorGetInfo": {                                                                                                                                                                                                                                                                                                                                                                     
"uvModality": 512

the test suite for "P-1 Create a new credential with extensions containing uvm extension input set to True, and check that authenticator succeeds Check that MakeCredential response extensions contain uvm extension output." gives:

TypeError: userVerificationDetails is not iterable                                                                                                                                                         
at Proxy.userVerificationDetailsContains (js/utils.js:990:20)                                                                                                                                             
at eval (eval at compileCode (js/sandbox.js:25:26), <anonymous>:13104:31)

I've manually inspected the request and response, and they look fine - the authenticator is returning a one-element CBOR array whose first element is itself a three-element array of integers, which is what the webauthn-2 spec says is supposed to come back.

[iirachek]

New build with a fix for this issue will be available in a few days.

[iirachek]

@BryanJacobs Sorry for the wait. We've uploaded a new build v1.7.15 with a fix for this issue.

[BryanJacobs]

@iirachek Thanks for the build, but I still see two blocking issues, sorry.

1. My authenticator returning keyProtection 0x0A ( secure_element=0x08 | hardware=0x02) with an MDS that says keyProtection = ["hardware", "secure_element"] causes the test to complain it didn't find TEE. So something's up with the values you're checking in there.

2. https://github.com/fido-alliance/conformance-test-tools-resources/issues/719 is still open, and makes it impossible to pass the CredProtect tests on an authenticator supporting turning on alwaysUv but defaulting to off.

[iirachek]

@BryanJacobs

1. I've looked into it and see what might be the problem. Although I'm not exactly sure where the TEE comes from in that case. Could you please link a small screenshot or copy the tools output with the error?
2. We are working on addressing it.

[BryanJacobs]

I'm very sorry, it looks like my authenticator return value was incorrect, as I tweaked it to try to pass the test-as-it-was.

I stil think there's a problem with this test, though, when the authenticator returns >1 key protection method in one array element.

My authenticator returns uvm=0x81831908000A04. Broken down:

0x81 - one-element array 0x83 - three-element array 0x19 0800 - user verification passcode_external 0x0A - key protection secure_element | hardware (together - secure element is 0x08 and hardware is 0x02) 0x04 - matcher protection on_chip

I think this is a correct response per the webauthn specification. I think the combination of values is what's intended; after all, the FIDO registry defined values are clearly bitfield numbers (powers of two).

The error message I get when running the test suite with this authenticator response is:

Metadata does not support keyProtection modality "undefined"(10)!: expected [ 'hardware', 'secure_element' ] to include undefined

I think you need to treat key protection (and matcher protection) as bitfields not just map lookups.

[iirachek]

Thank you.

I think you need to treat key protection (and matcher protection) as bitfields not just map lookups.

Yeah, that's the problem I've mentioned previously and it's being addressed.

[BryanJacobs]

This is closed but I don't see a release of the test tools containing the fix available, sorry. Is it possible you closed the issue before making available a build?

[iirachek]

@BryanJacobs The issue got closed automatically due to a link in the internal pull request. The new build is being prepared and will be available soon.

[iirachek]

@BryanJacobs This issue should be resolved in the latest v1.7.16 update.