Closed nooobcoder closed 3 months ago
Does that mean, the authenticator must support clientPin protocol "2" always?
Yes, this is correct. Authenticators that implement CTAP 2.1 (FIDO_2_1) must also implement support for PIN/UV Auth protocol 2.
Because of that, the module for CTAP 2.1 conformance is unlikely to be updated to support authenticators with only pinUvAuthProtocol: 1.
If the pinUvAuthProtocol is absent from metadata statement, the tooling assumes this authenticator to be a UV-only authenticator, which aren't supported at the moment due to the difficulties of performing automated testing on them.
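The rule in the reply above can be checked against a raw authenticatorGetInfo response before running the tool. This is an added example, not code from the conformance tool or from anyone in this thread: the function names and sample bytes are constructed, keys 0x01 (versions) and 0x06 (pinUvAuthProtocols) are the CTAP2 getInfo map keys, and treating an absent list as UV-only is an assumption that mirrors what the reply says the tooling does for metadata statements.

```python
def cbor_decode(buf, pos=0):
    """Decode the CBOR subset a getInfo reply needs; returns (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if major == 7 and info in (20, 21):          # simple values false / true
        return info == 21, pos
    if info < 24:
        n = info                                 # argument stored in the head byte
    elif info <= 27:                             # 1, 2, 4 or 8 byte argument
        size = 1 << (info - 24)
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite-length or reserved CBOR item")
    if pos > len(buf) or (major in (2, 3) and pos + n > len(buf)):
        raise ValueError("truncated CBOR")
    if major == 0:                               # unsigned integer
        return n, pos
    if major in (2, 3):                          # byte string / text string
        raw = bytes(buf[pos:pos + n])
        return (raw if major == 2 else raw.decode("utf-8")), pos + n
    if major in (4, 5):                          # array / map (map holds 2*n items)
        items = []
        for _ in range(n * (major - 3)):
            value, pos = cbor_decode(buf, pos)
            items.append(value)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError(f"unsupported CBOR major type {major}")

def classify_get_info(response):
    """Classify a raw getInfo response (status byte + CBOR map) by the rule above."""
    if not response or response[0] != 0x00:      # 0x00 = CTAP2 success status
        raise ValueError("not a successful CTAP2 response")
    info, end = cbor_decode(response, 1)
    if end != len(response) or not isinstance(info, dict):
        raise ValueError("malformed getInfo payload")
    protocols = info.get(0x06)                   # pinUvAuthProtocols
    if protocols is None:
        return "treated-as-uv-only"              # assumption: same as the metadata case
    if "FIDO_2_1" in info.get(0x01, []) and 2 not in protocols:
        return "fido_2_1-without-protocol-2"
    return "ok"

def build_sample(protocols):
    """Constructed getInfo response, not a device capture; None omits key 0x06."""
    body = b"\x01\x82\x68" + b"FIDO_2_0" + b"\x68" + b"FIDO_2_1" + b"\x03\x50" + bytes(16)
    if protocols is None:
        return b"\x00\xa2" + body
    return b"\x00\xa3" + body + bytes([0x06, 0x80 + len(protocols), *protocols])
```
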
Thanks @iirachek for sharing your thoughts on this. @dangfan, dmattisonfido, @herrjemand and @nuno0529 can you comment on the related issue?
FIRST PRE CHECK
What protocol are you implementing?
NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.
What is your implementation class?
If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org
What is the version of the tool are you using?
FIDO Alliance - Certification Conformance Testing Tools v1.7.18-1
What is the OS and the version are you running?
Edition: Windows 11 Enterprise
Version: 22H2
OS build: 22621.3155
Experience: Windows Feature Experience Pack 1000.22684.1000.0
Issue description
The pinUvAuthProtocol value in getKeyAgreement command is being sent as "2" though my metadata statement mentions supports pinProtocol value "1", i.e.
Which is the same thing in my authenticatorGetInfo response.
9. Mandatory Features -> Point 6 says,
-> Does that mean, the authenticator must support clientPin protocol "2" always? Or can we have an authenticator that supports only pinUvAuthProtocol "1"?
I have also reproduced, by making the parameter "pinUvAuthProtocols" absent in the authenticatorGetInfo response, then the following tests/test suites fail in the conformance tool,
Below is the error screenshot on executing credMgmt tests in the conformance tool 👇
-> Can you explain the reason behind such behavior, and when can such errors occur? We were expecting the test to pass, by making the parameter as absent in getInfo?
Below is the MDS statement that we are using,
Note: MDS tests are not failing, when I am mentioning "pinUvAuthProtocols": [1] also making it "absent", which again violates the spec's mandatory feature.
This issue also relates to https://github.com/fido-alliance/conformance-test-tools-resources/issues/684 which is closed, but left me questioning if test case in the conf tool is right or we can expect changes in the conformance tool?