fido-alliance / conformance-test-tools-resources

Certification Test Tools Resources. For security and privacy related issues email tools@certification.fidoalliance.org
https://fidoalliance.org/certification/functional-certification/conformance/
44 stars 14 forks source link

Enhance the test suite to detect potential server errors when the same challenge is used for different users #766

Open DavidGonzalezPineiro opened 3 months ago

DavidGonzalezPineiro commented 3 months ago

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

What protocol are you implementing?

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org

What is the version of the tool are you using?

v1.7.19-1

What is the OS and the version are you running?

For desktop tools

For UAF mobile tools

Issue description

Enhancing the test suite to verify that the assertion returns an error when different users use the same challenge could be beneficial.

After passing the certification testing tools with 100% accuracy on all the test suite, we identified that a false positive might be possible in the FIDO2 Interop tests.

The test case is as follows:

  1. Register two users by performing a MakeCredential with RK (USER1, USER2).
  2. Perform a GetAssertion with RK: 2.1. Perform a POST assertion/options request with USER1. 2.2. Perform a POST assertion/result request with USER2.

If the server does not handle the challenges correctly, the test result may be a false positive. It would be beneficial to include a test in the certification testing tool to check this behavior.