Closed carov0610 closed 2 months ago
The v1.7.20 build with a fix for this is available for download.
Checked version 1.7.20 of Conformance tool.
There is still an issue with the PIN. In particular, in the tests concerning the hmac-secret extension, the PIN used is a statically defined one in the CTAP2.js module: const FIDOGreatPinCodeThatNoOneWillEverGuess = '0xF1D0'; (4 characters long), e.g. in hmacSecret.js, test P-4, line 296: return ClientPinLatest_SetNewPINCode(FIDOGreatPinCodeThatNoOneWillEverGuess)
@carov0610 Sorry for that. Just uploaded v1.7.20.3, where this and several other remaining hardcoded PIN declarations were fixed.
Thank you for the updates. There is still a test with a hardcoded length in version 1.7.20 patch 3: test P-3 If authenticator supports setMinPINLength: Send authenticatorConfig(0x0D) with setMinPINLength(0x03), with newMinPINLength(0x01) larger than current 4 character limit, and see that
Now with v1.7.20.4 it should be fixed too.
By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.
If you have privacy concerns, please email conformance-tools@fidoalliance.org
FIRST PRE CHECK
What protocol are you implementing?
NOTE: UAF 1.0 certification has been officially sunset. U2F 1.2 is the only supported version of U2F.
What is your implementation class?
If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org
What is the version of the tool are you using?
1.7.17
What is the OS and the version are you running?
For desktop tools
For UAF mobile tools
Issue description
In several tests, beginning with the test below, the PIN created doesn't take into account the min PIN length defined in the authenticatorGetInfo response.
Authr-Reset-1 Test authenticator support of Reset command
P-1 Successfully execute makeCredential, and test it by sending a consequent getAssertion and check that both are succeeding. Send authenticatorReset(0x07) immediately after, and check that Authenticator returns CTAP1_ERR_SUCCESS(0x00) error code. Send a valid CTAP2 authenticatorGetAssertion(0x02) message, with credId from the previously registered makeCredential, wait for the response, and check that Authenticator returns CTAP2_ERR_NO_CREDENTIALS(0x2E) error code.
Trace extract authenticator Reset
get Info {1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1", "FIDO_2_1_PRE"], 2: ["credProtect", "hmac-secret", "minPinLength"], 3: h'B50D5E0A7F8149599B12F45407407503', 4: {"rk": true, "up": true, "plat": false, "alwaysUv": false, "credMgmt": true, "authnrCfg": true, "clientPin": false, "pinUvAuthToken": true, "setMinPINLength": true, "makeCredUvNotRqd": true, "credentialMgmtPreview": true, "noMcGaPermissionsWithClientPin": false}, 6: [2, 1], 8: 96, 9: ["nfc"], 10: [{"alg": -7, "type": "public-key"}], 12: false, 13: 6, 16: 4, 19: {"FIDO": 2, "FIPS-CMVP-3": 2}, 20: 50}
Client PIN get key agreement {1: {1: 2, 3: -25, -1: 1, -2: h'FD6E3EEF37E108F929CA037B4D5B5B7285C3E26AE164EE5A10003E46C6AC368F', -3: h'5C2593A777AF0C40330A605B0BC959ABB81E77EAE6B4576A9232EAA3E0D4EAD8'}}
Client PIN create PIN
Request (hex): a50102020303a501020338182001215820d70eb8eb95bfa2f7efa97930b379f5854ff19482626223c60dbf0cb76fa8b2aa22582073bc7d5c4f116bcd132bb2bdda6d14c6b0f168df59de0c3115d2ee6af7fe1b7b045820d831a99edcd2d1943b5f7f3284d59f3c0dbc6c23bebee5ee25ac5baad96b1f24055850a9008fd45bcc8643188ae1cb0c1aab30d3cc754ccd0873f5df8eee850820af5b4b1bf18b22ab712237f6c4ef821fddef8af1e832d91618b814c12227474f232ae8cb966e18a57705d992ea79eff74d7b
Decoded: {1: 2, 2: 3, 3: {1: 2, 3: -25, -1: 1, -2: h'D70EB8EB95BFA2F7EFA97930B379F5854FF19482626223C60DBF0CB76FA8B2AA', -3: h'73BC7D5C4F116BCD132BB2BDDA6D14C6B0F168DF59DE0C3115D2EE6AF7FE1B7B'}, 4: h'D831A99EDCD2D1943B5F7F3284D59F3C0DBC6C23BEBEE5EE25AC5BAAD96B1F24', 5: h'A9008FD45BCC8643188AE1CB0C1AAB30D3CC754CCD0873F5DF8EEE850820AF5B4B1BF18B22AB712237F6C4EF821FDDEF8AF1E832D91618B814C12227474F232AE8CB966E18A57705D992EA79EFF74D7B'}
Response: 379000 (CTAP2_ERR_PIN_POLICY_VIOLATION)
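The getInfo in the trace above advertises minPINLength (key 0x0D) = 6, so a 4-character PIN is rejected with CTAP2_ERR_PIN_POLICY_VIOLATION (0x37). The following is an added example, not code from the FIDO conformance tool or from this issue, showing how a client or test tool should derive the PIN policy from authenticatorGetInfo before calling setPIN, build the 64-byte padded PIN plaintext the spec requires, and decode the NFC status returned in the trace. The GETINFO_FROM_TRACE object is reconstructed by hand from the trace (only the fields used here), the '1234' PIN is a constructed stand-in for a hardcoded 4-character PIN, and all function and constant names are the example's own.

```javascript
// Added example for this issue thread; not code from the FIDO conformance tool.
// Assumes Node.js (uses the global Buffer); no third-party modules.

// authenticatorGetInfo (CTAP 2.1) map keys relevant to PIN policy.
const GETINFO_FORCE_PIN_CHANGE = 0x0c; // bool
const GETINFO_MIN_PIN_LENGTH = 0x0d;   // minPINLength, counted in Unicode code points

const DEFAULT_MIN_PIN_LENGTH = 4; // assumed when key 0x0D is absent (CTAP 2.0 authenticators)
const MAX_PIN_UTF8_BYTES = 63;    // PIN is zero-padded to 64 bytes, so at most 63 bytes of PIN
const PADDED_PIN_LENGTH = 64;

// Decoded getInfo from the trace in this issue, reconstructed as a plain
// object with the numeric CBOR keys (only the fields used in this example).
const GETINFO_FROM_TRACE = {
  1: ['U2F_V2', 'FIDO_2_0', 'FIDO_2_1', 'FIDO_2_1_PRE'],
  4: { clientPin: false, pinUvAuthToken: true, setMinPINLength: true },
  6: [2, 1], // supported PIN/UV auth protocols
  12: false, // forcePINChange
  13: 6,     // minPINLength: this authenticator requires at least 6 code points
  16: 4,     // maxRPIDsForSetMinPINLength
};

// Minimum PIN length the authenticator enforces, falling back to the spec default.
function minPinLength(info) {
  const v = info[GETINFO_MIN_PIN_LENGTH];
  return Number.isInteger(v) && v > 0 ? v : DEFAULT_MIN_PIN_LENGTH;
}

// Returns { ok, reason }. Length is measured in code points (not UTF-16 units,
// so Array.from rather than .length), and the UTF-8 encoding must fit in 63 bytes.
function checkPinPolicy(pin, info) {
  const min = minPinLength(info);
  const codePoints = Array.from(pin).length;
  const bytes = Buffer.byteLength(pin, 'utf8');
  if (codePoints < min) {
    return { ok: false, reason: `PIN is ${codePoints} code points, authenticator requires ${min}` };
  }
  if (bytes > MAX_PIN_UTF8_BYTES) {
    return { ok: false, reason: `PIN is ${bytes} UTF-8 bytes, maximum is ${MAX_PIN_UTF8_BYTES}` };
  }
  return { ok: true, reason: '' };
}

// Picks a digit-only PIN exactly as long as the advertised minimum. A
// conformance-test PIN does not have to be secret, so Math.random is enough;
// pass a deterministic `rand` for reproducible tests.
function choosePin(info, rand = Math.random) {
  const n = minPinLength(info);
  let pin = '';
  for (let i = 0; i < n; i++) pin += String(Math.floor(rand() * 10) % 10);
  return pin;
}

// Plaintext that setPIN/changePIN encrypts under the shared secret:
// the UTF-8 PIN zero-padded to exactly 64 bytes.
function padPin(pin) {
  const bytes = Buffer.from(pin, 'utf8');
  if (bytes.length > MAX_PIN_UTF8_BYTES) throw new RangeError('PIN exceeds 63 UTF-8 bytes');
  const padded = Buffer.alloc(PADDED_PIN_LENGTH, 0);
  bytes.copy(padded, 0);
  return padded;
}

// CTAP status codes that appear in this thread.
const CTAP_STATUS = {
  0x00: 'CTAP1_ERR_SUCCESS',
  0x2e: 'CTAP2_ERR_NO_CREDENTIALS',
  0x31: 'CTAP2_ERR_PIN_INVALID',
  0x37: 'CTAP2_ERR_PIN_POLICY_VIOLATION',
};

// Over NFC the CTAP status byte (and any CBOR payload) is followed by the
// ISO 7816 SW1SW2, so "379000" in the trace is status 0x37 with SW 9000.
function parseNfcCtapResponse(hex) {
  const buf = Buffer.from(hex, 'hex');
  if (buf.length < 3) throw new RangeError('response too short for status + SW');
  const status = buf[0];
  const sw = buf.readUInt16BE(buf.length - 2);
  const name = CTAP_STATUS[status] || `unknown(0x${status.toString(16)})`;
  return { status, sw, name, payload: buf.subarray(1, buf.length - 2) };
}

// Usage: a constructed 4-digit PIN fails this authenticator's policy,
// a PIN derived from getInfo passes, and the trace's NFC response decodes
// to CTAP2_ERR_PIN_POLICY_VIOLATION.
const tooShort = checkPinPolicy('1234', GETINFO_FROM_TRACE);
const derived = checkPinPolicy(choosePin(GETINFO_FROM_TRACE), GETINFO_FROM_TRACE);
const traced = parseNfcCtapResponse('379000');
console.log(tooShort.reason, '|', derived.ok, '|', traced.name);
```

Note that the check reads the live getInfo rather than a constant: after a successful authenticatorConfig setMinPINLength (the P-3 test mentioned in the thread), the authenticator's minPINLength changes, and forcePINChange (key 0x0C) may flip to true, so a tool has to re-query getInfo and re-derive its PIN between tests.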