[BUG] Incompatible Hash/Hmac type, Device stestation and Owner attestation

quanvincss commented 1 year ago

To simplify issue resolution process, please provide network logs, and or test voucher.

What part of the spec are you testing?

[ ] Rendezvous Server
[x] Device Onboarding Service
[ ] Device Implementation

What protocol are having issue with?

[ ] TO0
[ ] TO1
[ ] TO2

Issue description

You have this sigtype map here https://github.com/fido-alliance/iot-fdo-conformance-tools/blob/f42c2df04a54c7aba2bd54884d91446260d155ed/core/shared/signing.misc.go#L250 but it's not correct according to table "Mapping of Hash/HMAC Types with Key sizes" in https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-PS-v1.1-20220419/FIDO-Device-Onboard-PS-v1.1-20220419.html#hashhmac. The Hash and Hmac types depend on both owner attestation and device attestation but not an individual one.

yackermann commented 1 year ago

@quanvincss you mean when one of the key algorithms is weaker than the other?

Yeah, I think this is certainly a bug, but not a critical, and will resolve in the next iteration.

quanvincss commented 1 year ago

@quanvincss you mean when one of the key algorithms is weaker than the other?

Yeah, I think this is certainly a bug, but not a critical, and will resolve in the next iteration.

@herrjemand yeah, I couldn't pass some vouchers for the TO2 test because I'm checking hash/hmac type with both OA and DA, for example, if DA is ECDSA NIST P-384 and OA is ECDSA NIST P-256, then hash/hmac type should be SHA384/HMAC-SHA384, but the voucher used SHA256/HMAC-SHA256, etc.

But what do you mean by "next iteration"?

fido-alliance / iot-fdo-conformance-tools