fido-alliance / conformance-test-tools-resources

Certification Test Tools Resources. For security and privacy related issues email tools@certification.fidoalliance.org
https://fidoalliance.org/certification/functional-certification/conformance/

Tool version 1.7.17: Min PIN length defined in authenticatorGetInfo not taken into account in FIDO Alliance Conformance Test Tool #746

Closed carov0610 closed 2 months ago

carov0610 commented 7 months ago

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

What protocol are you implementing?

NOTE: UAF 1.0 certification has been officially sunset. U2F 1.2 is the only supported version of U2F.

What is your implementation class?

If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org

What version of the tool are you using?

1.7.17

What OS and version are you running?

For desktop tools

For UAF mobile tools

Issue description

In several tests, beginning with the test below, the PIN created doesn't take into account the min PIN length defined in the authenticatorGetInfo response.

Authr-Reset-1 Test authenticator support of Reset command

P-1 Successfully execute makeCredential, and test it by sending consequent getAssertion and check that both are succeeding. Send authenticatorReset(0x07) immediately after, and check that Authenticator returns CTAP1_ERR_SUCCESS(0x00) error code. Send a valid CTAP2 authenticatorGetAssertion(0x02) message, with credId from the previously registered makeCredential, wait for the response, and check that Authenticator returns CTAP2_ERR_NO_CREDENTIALS(0x2E) error code.


Trace extract authenticator Reset

get Info {1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1", "FIDO_2_1_PRE"], 2: ["credProtect", "hmac-secret", "minPinLength"], 3: h'B50D5E0A7F8149599B12F45407407503', 4: {"rk": true, "up": true, "plat": false, "alwaysUv": false, "credMgmt": true, "authnrCfg": true, "clientPin": false, "pinUvAuthToken": true, "setMinPINLength": true, "makeCredUvNotRqd": true, "credentialMgmtPreview": true, "noMcGaPermissionsWithClientPin": false}, 6: [2, 1], 8: 96, 9: ["nfc"], 10: [{"alg": -7, "type": "public-key"}], 12: false, 13: 6, 16: 4, 19: {"FIDO": 2, "FIPS-CMVP-3": 2}, 20: 50}

Client PIN get key agreement {1: {1: 2, 3: -25, -1: 1, -2: h'FD6E3EEF37E108F929CA037B4D5B5B7285C3E26AE164EE5A10003E46C6AC368F', -3: h'5C2593A777AF0C40330A605B0BC959ABB81E77EAE6B4576A9232EAA3E0D4EAD8'}}

Client PIN create PIN a50102020303a501020338182001215820d70eb8eb95bfa2f7efa97930b379f5854ff19482626223c60dbf0cb76fa8b2aa22582073bc7d5c4f116bcd132bb2bdda6d14c6b0f168df59de0c3115d2ee6af7fe1b7b045820d831a99edcd2d1943b5f7f3284d59f3c0dbc6c23bebee5ee25ac5baad96b1f24055850a9008fd45bcc8643188ae1cb0c1aab30d3cc754ccd0873f5df8eee850820af5b4b1bf18b22ab712237f6c4ef821fddef8af1e832d91618b814c12227474f232ae8cb966e18a57705d992ea79eff74d7b {1: 2, 2: 3, 3: {1: 2, 3: -25, -1: 1, -2: h'D70EB8EB95BFA2F7EFA97930B379F5854FF19482626223C60DBF0CB76FA8B2AA', -3: h'73BC7D5C4F116BCD132BB2BDDA6D14C6B0F168DF59DE0C3115D2EE6AF7FE1B7B'}, 4: h'D831A99EDCD2D1943B5F7F3284D59F3C0DBC6C23BEBEE5EE25AC5BAAD96B1F24', 5: h'A9008FD45BCC8643188AE1CB0C1AAB30D3CC754CCD0873F5DF8EEE850820AF5B4B1BF18B22AB712237F6C4EF821FDDEF8AF1E832D91618B814C12227474F232AE8CB966E18A57705D992EA79EFF74D7B'}

Response : 379000 (CTAP2_ERR_PIN_POLICY_VIOLATION)
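The trace above advertises `13: 6` in the getInfo map (key 13 is minPINLength in CTAP2.1), so any PIN shorter than six code points is rejected with CTAP2_ERR_PIN_POLICY_VIOLATION. The following is an added example, not code from the conformance tool, showing how a test client can derive the PIN policy from getInfo and build a PIN that satisfies it; the getInfo object is transcribed from the trace, and the function names are my own.

```javascript
// Added example (not from the conformance-test-tools repository): derive the
// authenticator's PIN policy from an authenticatorGetInfo response, build a
// test PIN that satisfies it, and prepare the zero-padded 64-byte PIN block
// that CTAP2 ClientPIN encrypts. Map keys follow the CTAP2.1 getInfo layout;
// key 13 is minPINLength and defaults to 4 when the authenticator omits it.

const DEFAULT_MIN_PIN_LENGTH = 4; // CTAP2 floor when minPINLength is absent
const MAX_PIN_BYTES = 63;         // maximum UTF-8 length of a PIN
const PIN_BLOCK_BYTES = 64;       // PIN is zero-padded to 64 bytes before encryption

// Constructed sample: the relevant keys of the getInfo map from the issue trace.
const sampleGetInfo = {
  1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1", "FIDO_2_1_PRE"],
  2: ["credProtect", "hmac-secret", "minPinLength"],
  4: { rk: true, up: true, clientPin: false, setMinPINLength: true },
  13: 6,  // minPINLength: the authenticator enforces 6 code points
  16: 4,  // firmwareVersion (unrelated to PIN policy)
};

// Read minPINLength (key 13); fall back to the CTAP2 default of 4 when absent.
function minPinLengthFromGetInfo(getInfo) {
  const v = getInfo[13];
  if (v === undefined) return DEFAULT_MIN_PIN_LENGTH;
  // CTAP2 never permits PINs shorter than 4 code points, so a smaller
  // advertised value is treated as a malformed response.
  if (!Number.isInteger(v) || v < DEFAULT_MIN_PIN_LENGTH) {
    throw new Error(`invalid minPINLength in getInfo: ${v}`);
  }
  return v;
}

// Return null when the PIN satisfies the policy, otherwise a reason string.
// Length is measured in Unicode code points (not UTF-16 units) and the
// UTF-8 encoding must fit in 63 bytes.
function pinPolicyCheck(pin, minLen) {
  const codePoints = Array.from(pin).length;
  const bytes = new TextEncoder().encode(pin).length;
  if (codePoints < minLen) return `too short: ${codePoints} < ${minLen} code points`;
  if (bytes > MAX_PIN_BYTES) return `too long: ${bytes} > ${MAX_PIN_BYTES} UTF-8 bytes`;
  return null;
}

// Build a deterministic test PIN of exactly the required length instead of
// a hardcoded constant, so the value tracks whatever getInfo advertises.
function makeTestPin(minLen) {
  let pin = "";
  for (let i = 0; i < minLen; i++) pin += String((i + 1) % 10);
  return pin;
}

// Produce the 64-byte block (UTF-8 PIN followed by zero bytes) that
// setPIN/changePIN encrypt under the shared secret.
function padPinBlock(pin) {
  const enc = new TextEncoder().encode(pin);
  if (enc.length > MAX_PIN_BYTES) throw new Error("PIN exceeds 63 UTF-8 bytes");
  const block = new Uint8Array(PIN_BLOCK_BYTES);
  block.set(enc);
  return block;
}

// Stand-alone demonstration against the sample getInfo.
const minLen = minPinLengthFromGetInfo(sampleGetInfo);
console.log("minPINLength:", minLen);                        // 6
console.log("4-char PIN:", pinPolicyCheck("1234", minLen));  // too short
const testPin = makeTestPin(minLen);
console.log("generated PIN:", testPin, pinPolicyCheck(testPin, minLen)); // null = ok
console.log("padded block bytes:", padPinBlock(testPin).length);         // 64
```

The point for a test tool is the first function: the PIN used for setPIN, changePIN and the hmac-secret tests has to be derived from the authenticator's own getInfo rather than from a constant, otherwise an authenticator that enforces a minimum above four fails tests that were meant to pass.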

iirachek commented 3 months ago

The v1.7.20 build with a fix for this is available for download.

carov0610 commented 3 months ago

Checked version 1.7.20 of Conformance tool.

There is still an issue with the PIN, in particular in tests concerning the hmac-secret extension: the PIN used is a statically defined one in the CTAP2.js module:

const FIDOGreatPinCodeThatNoOneWillEverGuess = '0xF1D0'; (4 characters long)

used in hmacSecret.js test P-4, line 296:

return ClientPinLatest_SetNewPINCode(FIDOGreatPinCodeThatNoOneWillEverGuess)

iirachek commented 3 months ago

@carov0610 Sorry for that. Just uploaded v1.7.20.3, where this and several other remaining hardcoded PIN declarations were fixed.

carov0610 commented 3 months ago

Thank you for the updates. There is still a test with a hardcoded length in version 1.7.20 patch 3:

test P-3 If authenticator supports setMinPINLength: Send authenticatorConfig(0x0D) with setMinPINLength(0x03), with newMinPINLength(0x01) larger than current 4 character limit, and see that

iirachek commented 3 months ago

Now with v1.7.20.4 it should be fixed too.