Tests for stateful commands don't work for me, and to fix that, I'd have to introduce a security vulnerability.
The tool calls CTAPHID Init before each CTAP command. Therefore, a new HID channel is used for each command.
From the authenticator's perspective, it is indistinguishable whether it is talking to different clients or the same client, if they don't use the same HID channel.
So if you call GetAssertion on HID channel 1, and then GetNextAssertion on HID channel 2, the GetNextAssertion command should be rejected, as it might otherwise leak assertion responses to a client that didn't collect the required UV, for example.
By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.
If you have privacy concerns, please email conformance-tools@fidoalliance.org
FIRST PRE CHECK
What protocol are you implementing?
NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.
What is your implementation class?
If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org
What is the version of the tool are you using?
v1.7.17
What is the OS and the version are you running?
For desktop tools
For UAF mobile tools
Issue description
Tests for stateful commands don't work for me, and to fix that, I'd have to introduce a security vulnerability. The tool calls CTAPHID Init before each CTAP command. Therefore, a new HID channel is used for each command. From the authenticator's perspective, it is indistinguishable whether it is talking to different clients or the same client, if they don't use the same HID channel.
So if you call GetAssertion on HID channel 1, and then GetNextAssertion on HID channel 2, the GetNextAssertion command should be rejected, as it might otherwise leak assertion responses to a client that didn't collect the required UV, for example.
Affected tests with links for those with access: