Open · miguelvillaresb opened this issue 5 days ago
The test suite uses mocked root anchors for testing purposes. Given the architecture of FIDO, it obviously cannot generate genuine credentials.
MDSv3 is the official repository of root anchors from vendors. Unfortunately, not all vendors publish their certificates in it publicly or in time. Therefore there's another mechanism to load metadata from a file. Last time I checked, for instance, Apple didn't publish its metadata in MDSv3.
Trying to pass the "Metadata Service Tests", I cannot find a way to tell wax how to download the metadata from the 5 endpoints you get when registering the service with FIDO:
These tests don't apply to wax, AFAIK.
From my point of view, you already have a way to validate metadata blobs in wax, so wax could include a way to get the endpoints from the domain, iterate over them, and save the blob that passes validation. Was this left out for a specific reason?
I haven't dug into these tests, to be honest. Are they fake MDSv3 endpoints to be parsed and tested by a WebAuthn server implementation?
I found this: https://github.com/fido-alliance/conformance-test-tools-resources/issues/422
It seems that to pass those tests, new metadata has to be used. The way to get the metadata is to go through https://mds3.certinfra.fidoalliance.org/ and try the 5 provided endpoints. Only one of the endpoints provides a valid metadata blob. That valid metadata is the one to use with the tests.
What is the difference between the two options described in the README for loading FIDO2 metadata?
I downloaded the metadata from the FIDO test suite client and then used the option "Loading FIDO2 metadata from a directory". With this option the tests pass.
Does the other option, "Configuring MDSv3 metadata", replace the first one? I tried to pass the tests by loading the MDSv3 metadata from the web site and removing the local metadata files, but the tests failed. It seems that the `aaguid` is not found in the downloaded metadata. Thanks in advance.
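The flow discussed in this thread (try each of the endpoints, keep the one blob that validates, then look up an AAGUID in it), written out as an added Python example. This is neither wax's code nor the conformance tool's: the endpoint URLs, blob contents and AAGUID are constructed for the demo, and the signature check is an HMAC stand-in for the real ES256/RS256 verification against the x5c chain rooted at the MDS root certificate (which a real relying party would do with a library such as cryptography).

```python
import base64
import hashlib
import hmac
import json
from datetime import date

ALLOWED_ALGS = {"ES256", "RS256"}  # what the FIDO MDS signs with; never "none"/HS*


class BlobError(ValueError):
    """A candidate blob failed validation."""


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def normalize_aaguid(aaguid):
    return aaguid.replace("-", "").lower()  # entries and RP lookups differ in case/dashes


def parse_mds_blob(token, verify_signature, today, min_serial=0):
    """Validate one MDS3 blob (a compact JWS); return (serial, entries keyed by AAGUID)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise BlobError("not a compact JWS (expected 3 dot-separated parts)")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALGS:
        raise BlobError(f"unexpected alg {header.get('alg')!r}")
    if not header.get("x5c"):
        raise BlobError("missing x5c certificate chain")
    signing_input = f"{parts[0]}.{parts[1]}".encode()  # verify before trusting the payload
    if not verify_signature(signing_input, b64url_decode(parts[2]), header["x5c"]):
        raise BlobError("signature does not verify against the x5c chain")
    payload = json.loads(b64url_decode(parts[1]))
    serial = payload.get("no")
    if serial is None or serial < min_serial:
        raise BlobError(f"serial {serial!r} missing or older than {min_serial}")
    if date.fromisoformat(payload["nextUpdate"]) < today:
        raise BlobError(f"blob is stale (nextUpdate {payload['nextUpdate']} is in the past)")
    index = {}
    for entry in payload.get("entries", []):
        if "aaguid" in entry:  # U2F entries use attestationCertificateKeyIdentifiers instead
            index[normalize_aaguid(entry["aaguid"])] = entry
    return serial, index


def pick_valid_blob(candidates, verify_signature, today):
    # Returns (url, serial, index, rejections) for the first endpoint whose blob validates.
    errors = {}
    for url, token in candidates.items():
        try:
            serial, index = parse_mds_blob(token, verify_signature, today)
            return url, serial, index, errors
        except (BlobError, KeyError, ValueError) as exc:
            errors[url] = f"{type(exc).__name__}: {exc}"
    raise BlobError("no candidate passed validation: " + json.dumps(errors))


def lookup(index, aaguid):
    # An AAGUID the loaded blob does not cover must fail loudly, not fall back silently.
    try:
        return index[normalize_aaguid(aaguid)]
    except KeyError:
        raise KeyError(f"aaguid {aaguid} not found in loaded metadata") from None


# --- constructed demo data below; none of it is real MDS output ---------------
DEMO_KEY = b"demo-signing-key"
DEMO_AAGUID = "01020304-0506-0708-090a-0b0c0d0e0f10"


def demo_verify(signing_input, signature, x5c):
    # Stand-in for the real step (chain x5c to the MDS root CA, verify ES256/RS256
    # with the leaf key, e.g. via the cryptography package): an HMAC plays that role.
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_demo_token(payload, key=DEMO_KEY, alg="ES256"):
    header = {"alg": alg, "typ": "JWT", "x5c": [b64url_encode(b"placeholder leaf cert")]}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}." + b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())


def demo_payload(next_update="2099-01-01"):
    return {"legalHeader": "constructed demo blob", "no": 42, "nextUpdate": next_update, "entries": [
        {"aaguid": DEMO_AAGUID, "metadataStatement": {"description": "Demo Authenticator"},
         "statusReports": [{"status": "FIDO_CERTIFIED_L1"}], "timeOfLastStatusChange": "2024-01-01"},
        {"attestationCertificateKeyIdentifiers": ["0000aaaa"], "metadataStatement": {"description": "Demo U2F key"},
         "statusReports": [], "timeOfLastStatusChange": "2024-01-01"}]}


def load_demo(today=date(2025, 1, 1)):
    # Five hypothetical endpoints (made-up URLs); only the last one returns a usable blob.
    good = make_demo_token(demo_payload())
    candidates = {
        "https://mds3.example/endpoint/1": make_demo_token(demo_payload(), alg="none"),
        "https://mds3.example/endpoint/2": make_demo_token(demo_payload(), key=b"wrong-key"),
        "https://mds3.example/endpoint/3": make_demo_token(demo_payload("2020-01-01")),
        "https://mds3.example/endpoint/4": good.rsplit(".", 1)[0],  # truncated download
        "https://mds3.example/endpoint/5": good,
    }
    return pick_valid_blob(candidates, demo_verify, today)
```

The order of checks is the point: the `alg` whitelist and the signature run before anything in the payload is trusted, `nextUpdate` and the `no` serial reject stale or rolled-back blobs, and AAGUIDs are normalized (dashes stripped, lowercased) before comparison so a lookup does not fail on formatting alone. The `KeyError` from `lookup` is the same symptom the last comment describes: a blob that validated fine but simply does not contain the authenticator being registered.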