fido-alliance / conformance-test-tools-resources

Certification Test Tools Resources. For security and privacy related issues email tools@certification.fidoalliance.org
https://fidoalliance.org/certification/functional-certification/conformance/

FIDO2.1 CTAP2 Got CTAP2_ERR_PIN_INVALID(49) #763

Closed antonio-fr closed 3 months ago

antonio-fr commented 3 months ago

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

What protocol are you implementing?

NOTE: UAF 1.0 certification has been officially sunset. U2F 1.2 is the only supported version of U2F.

What is your implementation class?

If you are a platform authenticator vendor, please email conformance-tools@fidoalliance.org.

What version of the tool are you using?

v1.7.20-2

What OS and version are you running?

For desktop tools

For UAF mobile tools

Issue description

Some tests fail because of an incorrect PIN provided during the test (to get the token). Token access fails; the PIN provided is rejected.

It was earlier identified there: https://github.com/fido-alliance/conformance-test-tools-resources/issues/746#issuecomment-2128987856 I am just opening a dedicated formal issue.

The first failing test is HMAC-Secret Test, HMAC-Secret extension support

P-4 Send a valid CTAP2 GetAssertion(0x02) message, "extensions" containing a valid "hmac-secret" extension request, with salt1 and salt2, wait for the response, and: (a) Check that Authenticator returns CTAP1_ERR_SUCCESS(0x00) error code (b) Check that response extensions contain "hmac-secret" extension. Decrypt extensions (c) Check that decrypted hmacs contain uvSalt1Hmac, and uvSalt2Hmac (d) Check that uvSalt1Hmac does not equal to nonUvSalt1Hmac, and uvSalt2Hmac does not equal to nonUvSalt2Hmac.

Here's a detailed log from the app.

Test started: P-4

        Send a valid CTAP2 GetAssertion(0x02) message, "extensions" containing a valid "hmac-secret" extension request, with salt1 and salt2, wait for the response, and:
            (a) Check that Authenticator returns CTAP1_ERR_SUCCESS(0x00) error code
            (b) Check that response extensions contain "hmac-secret" extension. Decrypt extensions
            (c) Check that decrypted hmacs contain uvSalt1Hmac, and uvSalt2Hmac
            (d) Check that uvSalt1Hmac does not equal to nonUvSalt1Hmac, and uvSalt2Hmac does not equal to nonUvSalt2Hmac

(unknown) [CTAP2.1] ClientPIN: ---> Sending CTAP CMD... 06a201020202 
Object
AppDat…ports\nfcdep.js:122 [NFC] Selected protocol "2" for reader "XXX"
AppDat…ports\nfcdep.js:238 [NFC] ---> DATA SENT: 00a4040008a0000006472f000100
AppDat…ports\nfcdep.js:243 [NFC] <--- DATA RECEIVED: 5532465f56329000
AppDat…ports\nfcdep.js:211 [NFC] RECEIVED  SW_NO_ERROR
AppDat…ports\nfcdep.js:238 [NFC] ---> DATA SENT: 801000000606a20102020200
AppDat…ports\nfcdep.js:243 [NFC] <--- DATA RECEIVED: 00a101a5010203381820012158201b4dca45926571f23ec4919e288210935a951b8392eec2aca317c6f09b3f87b3225820943aec060f6471f4f880ce8ec8e7f9d414eefcc5f53c30b9fe9e476735f0a87f9000
AppDat…ports\nfcdep.js:211 [NFC] RECEIVED  SW_NO_ERROR
(unknown) [CTAP2.1] ClientPIN: <--- Received response 
Object
(unknown) [CTAP2.1] ClientPIN: ---> Sending CTAP CMD... 06a50102020303a50102033818200121582028228789c88bf9306508e4fab764f9081ddfbf13c80ff017e6a6f2d7e4a02c8e225820a8e0b182dc1174a0cd7174bcff557c1d2cf062b7b44393dc40f5d556d74cacbf045820532c47acc2614549f20dc42faa01e9933e18af6521a8b84c6bfbee7fcf705a6905585079fc5fb2dd81ce55ca9f58effc2c1ad253ee56ea9e22b265e277b7a9b2d15c792954bfe26741d97f5107e9b4e60fc43a4be5c3cc9fede234696e4d1233427d430fa79989635a56af79a95bbeed5a159f 
Object
AppDat…ports\nfcdep.js:238 [NFC] ---> DATA SENT: 80100000cb06a50102020303a50102033818200121582028228789c88bf9306508e4fab764f9081ddfbf13c80ff017e6a6f2d7e4a02c8e225820a8e0b182dc1174a0cd7174bcff557c1d2cf062b7b44393dc40f5d556d74cacbf045820532c47acc2614549f20dc42faa01e9933e18af6521a8b84c6bfbee7fcf705a6905585079fc5fb2dd81ce55ca9f58effc2c1ad253ee56ea9e22b265e277b7a9b2d15c792954bfe26741d97f5107e9b4e60fc43a4be5c3cc9fede234696e4d1233427d430fa79989635a56af79a95bbeed5a159f00
AppDat…ports\nfcdep.js:243 [NFC] <--- DATA RECEIVED: 009000
AppDat…ports\nfcdep.js:211 [NFC] RECEIVED  SW_NO_ERROR
(unknown) [CTAP2.1] ClientPIN: <--- Received response 
Object
(unknown) [CTAP2.1] Generating test PUAT...
AppDat…ports\nfcdep.js:148 [NFC] Selected protocol "2" for reader "XXX"
(unknown) [CTAP2.1] ClientPIN: ---> Sending CTAP CMD... 06a201010202 
Object
AppDat…ports\nfcdep.js:238 [NFC] ---> DATA SENT: 00a4040008a0000006472f000100
AppDat…ports\nfcdep.js:243 [NFC] <--- DATA RECEIVED: 5532465f56329000
AppDat…ports\nfcdep.js:211 [NFC] RECEIVED  SW_NO_ERROR
AppDat…ports\nfcdep.js:238 [NFC] ---> DATA SENT: 801000000606a20101020200
AppDat…ports\nfcdep.js:243 [NFC] <--- DATA RECEIVED: 00a101a501020338182001215820968d0891de3bb72fe15cc42a5056cefeda407dcd4503bbf608ba3ad63246a3232258203b7c61f0b1c326b5c324c501ccdc3345644cb775a305fcd9fd8f1a34f86be66e9000
AppDat…ports\nfcdep.js:211 [NFC] RECEIVED  SW_NO_ERROR
(unknown) [CTAP2.1] ClientPIN: <--- Received response 
Object
(unknown) [CTAP2.1] ClientPIN: ---> Sending CTAP CMD... 06a40101020503a50102033818200121582077060554d069a937cb407a9477d56c6e0b9f39662083e39cf35a5024971286f8225820be7b3e1af75f657fa2e8737bcaa9428d7c467444d63a593c1225afc3babe74d90650a3b3f5c99ec40eedf554c1447a01dbf5 
Object
AppDat…ports\nfcdep.js:238 [NFC] ---> DATA SENT: 801000006706a40101020503a50102033818200121582077060554d069a937cb407a9477d56c6e0b9f39662083e39cf35a5024971286f8225820be7b3e1af75f657fa2e8737bcaa9428d7c467444d63a593c1225afc3babe74d90650a3b3f5c99ec40eedf554c1447a01dbf500
AppDat…ports\nfcdep.js:243 [NFC] <--- DATA RECEIVED: 319000

FIDOGreatPinCodeThatNoOneWillEverGuess, not even the authenticator under test. Can't wait for Patch3.
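
The log above is a complete CTAP2 clientPIN sequence over NFC: getKeyAgreement (protocol 2), setPIN, getKeyAgreement again (protocol 1), then getPinToken, which the authenticator answers with CTAP status 0x31. The following decoder walks that exchange step by step. It is an added example, not code from the conformance tool or from the reporter: the APDU hex strings are copied from the log, the CBOR decoder is a minimal one written for this example, and `stored_pin_hash` reproduces the value the CTAP 2.1 spec says an authenticator keeps after setPIN (LEFT(SHA-256(PIN), 16)) and compares with the decrypted pinHashEnc.

```python
"""Added example, not the conformance tool's code: decode the CTAP2 clientPIN
exchange captured in the NFC log above. APDU hex is copied from that log; the
CBOR decoder is a minimal one written for this example."""
import hashlib

# CTAP2 status codes relevant to the PIN flow (CTAP 2.1 "Status codes" table).
CTAP_STATUS = {0x00: "CTAP1_ERR_SUCCESS", 0x31: "CTAP2_ERR_PIN_INVALID",
               0x32: "CTAP2_ERR_PIN_BLOCKED", 0x33: "CTAP2_ERR_PIN_AUTH_INVALID",
               0x34: "CTAP2_ERR_PIN_AUTH_BLOCKED"}
CLIENTPIN_SUBCOMMAND = {1: "getPINRetries", 2: "getKeyAgreement", 3: "setPIN",
                        4: "changePIN", 5: "getPinToken"}
PARAM_NAME = {1: "pinUvAuthProtocol", 2: "subCommand", 3: "keyAgreement",
              4: "pinUvAuthParam", 5: "newPinEnc", 6: "pinHashEnc"}

# Command/response APDUs copied from the log above (SELECT applet exchange omitted).
EXCHANGE = [
    ("801000000606a20102020200",
     "00a101a5010203381820012158201b4dca45926571f23ec4919e288210935a951b8392eec2aca317c6f09b3f87b3225820943aec060f6471f4f880ce8ec8e7f9d414eefcc5f53c30b9fe9e476735f0a87f9000"),
    ("80100000cb06a50102020303a50102033818200121582028228789c88bf9306508e4fab764f9081ddfbf13c80ff017e6a6f2d7e4a02c8e225820a8e0b182dc1174a0cd7174bcff557c1d2cf062b7b44393dc40f5d556d74cacbf045820532c47acc2614549f20dc42faa01e9933e18af6521a8b84c6bfbee7fcf705a6905585079fc5fb2dd81ce55ca9f58effc2c1ad253ee56ea9e22b265e277b7a9b2d15c792954bfe26741d97f5107e9b4e60fc43a4be5c3cc9fede234696e4d1233427d430fa79989635a56af79a95bbeed5a159f00",
     "009000"),
    ("801000000606a20101020200",
     "00a101a501020338182001215820968d0891de3bb72fe15cc42a5056cefeda407dcd4503bbf608ba3ad63246a3232258203b7c61f0b1c326b5c324c501ccdc3345644cb775a305fcd9fd8f1a34f86be66e9000"),
    ("801000006706a40101020503a50102033818200121582077060554d069a937cb407a9477d56c6e0b9f39662083e39cf35a5024971286f8225820be7b3e1af75f657fa2e8737bcaa9428d7c467444d63a593c1225afc3babe74d90650a3b3f5c99ec40eedf554c1447a01dbf500",
     "319000"),
]


def cbor_decode(data, pos=0):
    """Decode one CBOR item at pos and return (value, next_pos).
    Covers the major types CTAP2 uses: uint, negint, bstr, tstr, array, map."""
    initial = data[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:                      # 1/2/4/8-byte length or value follows
        n = 1 << (info - 24)
        arg = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        raise ValueError("indefinite-length items are not allowed in CTAP2 CBOR")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(data[pos:pos + arg]), pos + arg
    if major == 3:
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            value, pos = cbor_decode(data, pos)
            result[key] = value
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def ctap_from_command_apdu(hex_apdu):
    """Strip NFCCTAP_MSG framing (CLA 80, INS 10, P1/P2 00, Lc, data, Le) -> CTAP bytes."""
    apdu = bytes.fromhex(hex_apdu)
    if apdu[:4] != b"\x80\x10\x00\x00":
        raise ValueError("not a short NFCCTAP_MSG command APDU")
    lc = apdu[4]
    return apdu[5:5 + lc]


def describe_request(hex_apdu):
    """Name the clientPIN subcommand, protocol and parameters of one request APDU."""
    payload = ctap_from_command_apdu(hex_apdu)
    if payload[0] != 0x06:
        raise ValueError("not authenticatorClientPIN (0x06)")
    params, _ = cbor_decode(payload, 1)
    desc = {PARAM_NAME.get(k, k): v for k, v in params.items()}
    desc["subCommand"] = CLIENTPIN_SUBCOMMAND[desc["subCommand"]]
    if "keyAgreement" in desc:            # COSE_Key: 1=kty, 3=alg, -1=crv, -2=x, -3=y
        cose = desc["keyAgreement"]
        desc["keyAgreement"] = {"kty": cose[1], "alg": cose[3], "crv": cose[-1],
                                "x": cose[-2].hex(), "y": cose[-3].hex()}
    for name in ("pinUvAuthParam", "newPinEnc", "pinHashEnc"):
        if name in desc:
            desc[name] = desc[name].hex()
    return desc


def describe_response(hex_apdu):
    """Split a response APDU into ISO status word, CTAP status byte and CBOR body.
    The transport SW is 9000 even when the CTAP status is an error."""
    apdu = bytes.fromhex(hex_apdu)
    sw, body = apdu[-2:].hex(), apdu[:-2]
    status = body[0]
    params = cbor_decode(body, 1)[0] if len(body) > 1 else None
    return {"sw": sw, "status": CTAP_STATUS.get(status, hex(status)), "body": params}


def stored_pin_hash(pin):
    """Value an authenticator stores at setPIN and compares with the decrypted
    pinHashEnc of getPinToken: LEFT(SHA-256(UTF-8 PIN), 16) per CTAP 2.1."""
    return hashlib.sha256(pin.encode("utf-8")).digest()[:16]


def walk_exchange(exchange=EXCHANGE):
    """Return one (request summary, CTAP status name) pair per step of the log."""
    steps = []
    for cmd, rsp in exchange:
        req, res = describe_request(cmd), describe_response(rsp)
        steps.append((f"{req['subCommand']} (pinUvAuthProtocol {req['pinUvAuthProtocol']})",
                      res["status"]))
    return steps


if __name__ == "__main__":
    for summary, status in walk_exchange():
        print(f"{summary:40s} -> {status}")
    # Hash the authenticator would hold if the PIN quoted by the reporter had been set.
    print("LEFT(SHA-256(PIN),16) =",
          stored_pin_hash("FIDOGreatPinCodeThatNoOneWillEverGuess").hex())
```

Two things the decoded walk makes visible. First, the failure is reported in the CTAP status byte (0x31) while the ISO status word stays 9000, so a harness that only checks the transport layer sees success; always test the first byte of the response. Second, every CTAP2_ERR_PIN_INVALID the tool provokes consumes one of the authenticator's PIN retries; a test tool sending a wrong hardcoded PIN repeatedly will drive the device under test into CTAP2_ERR_PIN_AUTH_BLOCKED (three consecutive failures, power cycle required) and eventually CTAP2_ERR_PIN_BLOCKED, so a run like the one logged should be stopped and the authenticator reset rather than retried in a loop.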

iirachek commented 3 months ago

Just uploaded a new 1.7.20.3 version, where this and several other remaining hardcoded PIN declarations are fixed.

antonio-fr commented 3 months ago

I confirm this version works fine (for our test case).