FIDO2 Server test invalid: TPM attestation P-3 Send a valid ServerAuthenticatorAttestationResponse with "tpm" attestation pubArea.nameAlg is not matching algorithm used for generate attested.name, and check that server succeeds #773

sbweeden opened this issue Nov 5, 2024 · 1 comment
DONE Has been implemented as part of one of the published releases

Comments


sbweeden commented Nov 5, 2024

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email [email protected]

FIRST PRE CHECK

  • [ X ] I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

  • [ X ] FIDO2 Server
  • CTAP2.0
  • CTAP2.1
  • UAF 1.1
  • U2F 1.1
  • U2F 1.2

NOTE: UAF 1.0 certification has been officially sunset. U2F 1.2 is the only supported version of U2F.

What is your implementation class?

  • Security Key / FIDO2 / U2F authenticators
  • [ X ] Server
  • UAF Client-ASM-Authenticator combo
  • UAF Client
  • UAF ASM-Authenticator

If you are platform authenticator vendor, please email [email protected]

What version of the tool are you using?

What OS and version are you running?

For desktop tools

  • OSX
  • Windows
  • Linux

For UAF mobile tools

  • iOS
  • Android

Issue description

I used to have access to the server tests GitHub repo (fido2-server-conformance-module), but that seems to have been revoked. In any case I have an old copy of the repo, and the test
"P-3 Send a valid ServerAuthenticatorAttestationResponse with "tpm" attestation pubArea.nameAlg is not matching algorithm used for generate attested.name, and check that server succeeds", defined around line 82 of the file ./tests/Server/MakeCredential/Server-ServerAuthenticatorAttestationResponse-Resp-9.js, is invalid.

After many discussions involving the original author Yuri Ackermann, @dturnerx, and TPM SME Monty Wiseman, it has been determined that the algorithm identifier in certInfo is authoritative, and that the one in the public area should always be the same.

For discussion of the matter see:
w3c/webauthn#1925
w3c/webauthn#2193

Please remove this test case.
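The check the thread settles on, as an added example that is not code from the conformance tools, the WebAuthn spec, or either commenter: treat the hash algorithm identifier that prefixes certInfo.attested.name as authoritative, require pubArea.nameAlg to equal it, and require the digest to be H_alg(pubArea). Under that rule the P-3 input (name generated with one algorithm, pubArea.nameAlg claiming another) is rejected rather than accepted. The TPMT_PUBLIC and TPMS_ATTEST byte strings are constructed here for the example (RSA-2048 public area with a dummy modulus, dummy clock and AK name); the function names and the string-valued result are this example's own convention. Only the name binding is shown; a real verifier also checks the signature over certInfo, extraData, and the AIK certificate.

```python
"""Bind certInfo.attested.name to pubArea for a 'tpm' attestation statement.

Added example, not part of the conformance module or the issue thread. Sample
TPM structures are constructed inline; no real TPM is involved.
"""
import hashlib
import hmac
import struct

TPM_GENERATED_VALUE = 0xFF544347   # TPMS_ATTEST.magic
TPM_ST_ATTEST_CERTIFY = 0x8017     # TPMS_ATTEST.type for TPM2_Certify
TPM_ALG_RSA = 0x0001
TPM_ALG_NULL = 0x0010
TPM_ALG_SHA1, TPM_ALG_SHA256, TPM_ALG_SHA384, TPM_ALG_SHA512 = 0x0004, 0x000B, 0x000C, 0x000D

HASH_BY_ALG = {
    TPM_ALG_SHA1: hashlib.sha1,
    TPM_ALG_SHA256: hashlib.sha256,
    TPM_ALG_SHA384: hashlib.sha384,
    TPM_ALG_SHA512: hashlib.sha512,
}


def tpm2b(data: bytes) -> bytes:
    """TPM2B_*: big-endian UINT16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_rsa_pub_area(name_alg: int, modulus: bytes) -> bytes:
    """Serialize a TPMT_PUBLIC for an RSA-2048 signing key (constructed sample)."""
    return (
        struct.pack(">HHI", TPM_ALG_RSA, name_alg, 0x00050072)       # type, nameAlg, objectAttributes
        + tpm2b(b"")                                                 # authPolicy (empty)
        + struct.pack(">HHHI", TPM_ALG_NULL, TPM_ALG_NULL, 2048, 65537)  # symmetric, scheme, keyBits, exponent
        + tpm2b(modulus)                                             # unique (modulus)
    )


def tpm_name(name_alg: int, pub_area: bytes) -> bytes:
    """Name of an object: nameAlg || H_nameAlg(TPMT_PUBLIC) (TPM 2.0 Part 1, section 16)."""
    return struct.pack(">H", name_alg) + HASH_BY_ALG[name_alg](pub_area).digest()


def build_cert_info(attested_name: bytes, extra_data: bytes) -> bytes:
    """Serialize a TPMS_ATTEST of type TPM_ST_ATTEST_CERTIFY (constructed sample)."""
    return (
        struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY)
        + tpm2b(b"\x00\x0b" + b"\x11" * 32)        # qualifiedSigner: dummy AK name
        + tpm2b(extra_data)                         # extraData (hash of attToBeSigned in WebAuthn)
        + struct.pack(">QIIB", 1000, 1, 1, 1)       # clockInfo: clock, resetCount, restartCount, safe
        + struct.pack(">Q", 0x0102030405060708)     # firmwareVersion
        + tpm2b(attested_name)                      # attested.name
        + tpm2b(b"\x00\x0b" + b"\x22" * 32)         # attested.qualifiedName (dummy)
    )


def parse_cert_info(cert_info: bytes) -> dict:
    """Parse the fields of a certify-type TPMS_ATTEST; reject anything malformed."""
    off = 0
    magic, st = struct.unpack_from(">IH", cert_info, off)
    off += 6
    if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_CERTIFY:
        raise ValueError("certInfo is not a TPM_GENERATED certify attestation")

    def read_2b() -> bytes:
        nonlocal off
        (n,) = struct.unpack_from(">H", cert_info, off)
        off += 2
        value = cert_info[off:off + n]
        if len(value) != n:
            raise ValueError("truncated TPM2B field in certInfo")
        off += n
        return value

    qualified_signer = read_2b()
    extra_data = read_2b()
    off += 17 + 8                      # skip TPMS_CLOCK_INFO and firmwareVersion
    attested_name = read_2b()
    qualified_name = read_2b()
    if off != len(cert_info):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"qualified_signer": qualified_signer, "extra_data": extra_data,
            "attested_name": attested_name, "qualified_name": qualified_name}


def check_tpm_name(pub_area: bytes, cert_info: bytes) -> str:
    """Return 'ok' or the reason the attestation must be rejected.

    The alg prefix of attested.name is authoritative: pubArea.nameAlg must equal
    it, and the digest must be H_alg(pubArea).
    """
    attested_name = parse_cert_info(cert_info)["attested_name"]
    if len(attested_name) < 2 or len(pub_area) < 4:
        return "attested.name or pubArea too short"
    (name_alg,) = struct.unpack_from(">H", attested_name, 0)
    if name_alg not in HASH_BY_ALG:
        return f"unsupported hash alg 0x{name_alg:04x} in attested.name"
    (pub_name_alg,) = struct.unpack_from(">H", pub_area, 2)   # TPMT_PUBLIC.nameAlg follows .type
    if pub_name_alg != name_alg:
        return f"pubArea.nameAlg 0x{pub_name_alg:04x} != attested.name alg 0x{name_alg:04x}"
    if not hmac.compare_digest(attested_name, tpm_name(name_alg, pub_area)):
        return "attested.name digest does not match H(pubArea)"
    return "ok"


def demo() -> dict:
    """Good attestation, the P-3 mismatch, and a tampered pubArea (all constructed)."""
    modulus = b"\xc1" + b"\xab" * 255
    good_pub = build_rsa_pub_area(TPM_ALG_SHA256, modulus)
    good_ci = build_cert_info(tpm_name(TPM_ALG_SHA256, good_pub), b"extra")
    # P-3: name computed with SHA-256, but pubArea.nameAlg claims SHA-1.
    p3_pub = build_rsa_pub_area(TPM_ALG_SHA1, modulus)
    p3_ci = build_cert_info(tpm_name(TPM_ALG_SHA256, p3_pub), b"extra")
    tampered_pub = good_pub[:-1] + bytes([good_pub[-1] ^ 0x01])
    return {"good": check_tpm_name(good_pub, good_ci),
            "p3_mismatch": check_tpm_name(p3_pub, p3_ci),
            "tampered": check_tpm_name(tampered_pub, good_ci)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The mismatch case is rejected on the algorithm comparison alone, before any hashing, which is the behaviour the removed P-3 test contradicted by expecting success.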

@iirachek

The affected test case was removed in v1.7.22.

@iirachek iirachek added DONE Has been implemented as part of one of the published releases and removed Awaiting Release Is ready and is awaiting merge for the next release labels Nov 12, 2024