FIDO2 Server - MDS3 | Metadata Service Test failures due to invalid data

[riteshvb]

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

• [X] I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

• [X] FIDO2 Server
• [ ] CTAP2.0
• [ ] CTAP2.1
• [ ] UAF 1.1
• [ ] U2F 1.1
• [ ] U2F 1.2

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

• [ ] Security Key / FIDO2 / U2F authenticators
• [X] Server
• [ ] UAF Client-ASM-Authenticator combo
• [ ] UAF Client
• [ ] UAF ASM-Authenticator

If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org

What is the version of the tool are you using?

FIDO Conformance Tools v1.7.17

What is the OS and the version are you running?

Windows 10 Enterprise

For desktop tools

• [ ] OSX
• [X] Windows
• [ ] Linux

For UAF mobile tools

• [ ] iOS
• [ ] Android

Issue description

We are currently in the process of executing 'Metadata Service Tests' from the 'FIDO2 Server - MDS3'. We have encountered issues with specific tests namely F-2, F-3, F-4, and F-5, which are failing consistently.

Our preliminary analysis indicates that these failures might be due to improperly provided Metadata Statements from https://mds3.fido.tools/getTestMetadata. For negative tests, we noticed that the server receives identical Metadata Statements to a positive test, with the only difference being the varying aaguid.

The MetadataStatement for each case is requested from https://mds3.certinfra.fidoalliance.org/getTestMetadata with the following body:

{
"endpoint": "{{endpoint_url}}",
"testcase": {{test_case}}
}

The testcase options are as follows:

• fido2_good (P-1)
• fido2_badReports (F-1)
• fido2_badSignature (F-2)
• fido2_badCertificateChain (F-3)
• fido2_intermediateCertificateRevoked (F-4)
• fido2_subjectCertificateRevoked (F-5)

Please refer to the attached screenshot for a detailed comparison of the metadata for P-1(fido2_good) and F-2(fido2_badSignature) tests. For other cases also, the structure is identical, with only the aaguid related fields changing.

Another observation is that the x5c in the attestation statement for both positive and negative tests is identical. Moreover, the x5c for fido2_subjectCertificateRevoked and fido2_intermediateCertificateRevoked tests do not have a CRL Dist Point to check the revocation status.

FOR MDS3: We registered our server url at http://mds3.certinfra.fidoalliance.org/ and added below provided MDS3 endpoints to the server. o https://mds3.fido.tools/execute/822afb1b84bb13a2c400fe0e064714c7f81bcc324016d1dda5273e6cb066089d o https://mds3.fido.tools/execute/d752505964b8d029dea59ff2f032344ffed5b91a6b0c64f660e8e4b4e0980b89 o https://mds3.fido.tools/execute/1c5cb84e15218b7431176569c7647f0202be4840194ff17872727b5ae7339729 o https://mds3.fido.tools/execute/d7025656c1f1acc58ea12cda8c0dce9344d3b527668a86102c522b6f11c7b031 o https://mds3.fido.tools/execute/889422556a2eb69b65a753fc5cc65488b8986f1370deee62671608dd3903183f

We would greatly appreciate it if you could provide some insight into these issues. Your expertise and guidance would be invaluable in helping us resolve these test failures.

Thank you in advance for your time and support.

1_fido2_good-p1-x5c.txt 1_fido2_subjectCertificateRevoked-f5-x5c.txt 2_fido2_badCertificateChain_getTestMetadata.txt 2_fido2_badReports_getTestMetadata.txt 2_fido2_badSignature_getTestMetadata.txt 2_fido2_good_getTestMetadata.txt 2_fido2_intermediateCertificateRevoked_getTestMetadata.txt 2_fido2_subjectCertificateRevoked_getTestMetadata.txt p1_f2_getTestMetadata_comparison.docx

[iirachek]

Duplicate. Being resolved over email.

[josephp-is]

Hi @iirachek , may I ask why is there a need to have 5 server endpoints for the MDS3 blob? Even on the official MDS3 site (https://fidoalliance.org/metadata/), there is only a single JSON file containing all the metadata statements.

What does testing using 5 endpoints achieve compared to a single endpoint?

Hope you can share more about this. Thank you in advance for your time!

Edit: If it isn't too much to ask, can I have your email address for further enquiries if needed as well?🙂

[iirachek]

@josephp-is

The specification permits usage of multiple metadata endpoints, which allows one to get information about authenticators from different sources. This can increase the range of supported authenticators.

For example, the metadata blob from MDS3 only contains authenticators that have passed the FIDO certification. Although personally I'm not aware of other public-facing metadata services.

In practical terms, multiple endpoints during tests are needed to ensure correct performance of metadata validation logic.