FIDO Confirmation Testing Attestation Trust issue


Abhijai K P

Oct 23, 2025, 11:15:43 AM
to FIDO Dev (fido-dev), Abhijai K P
Hi,

I have implemented an mds3 FIDO server using Yubico webauthn library for passkey web authentication in my project.

After implementation, I've started testing the server with the FIDO conformance tool.
But for the MakeCredential Response server test, some tests are failing.

It throws an error: Registration verification failed: java.lang.IllegalArgumentException: Failed to derive trust for attestation key.

I've downloaded, extracted, and put into the folder example/fido-conformance-mds by clicking the button "Download Test Metadata" in the tool. 
I have imported all the metadata files to the server (com.yubico.fido.metadata.MetadataBLOBPayload) 
Created trustsource from (com.yubico.fido.metadata.FidoMetadataService)

Test: P-5 Send a valid ServerAuthenticatorAttestationResponse with SELF "packed" attestation, for "ALG_SIGN_RSASSA_PKCSV15_SHA256_RAW" aka "RS256" algorithm, and check that server succeeds

What is the issue here? Am I missing something?

Need the solution ASAP.


 

พี่ลู่ก็ คือแบบมัน

Dec 8, 2025, 3:48:54 AM
to Abhijai K P, FIDO Dev (fido-dev)

On Thu, 23 Oct 2025 at 22:15, Abhijai K P <abh...@techversantinfo.com> wrote:

Mohd Azrial Bin Mohd Saini

Dec 10, 2025, 5:40:09 AM
to พี่ลู่ก็ คือแบบมัน, Abhijai K P, FIDO Dev (fido-dev)
Hi Abhijai,

Regarding the FIDO conformance test failure "Failed to derive trust for attestation key" during the MakeCredential Response test, particularly for the SELF "packed" attestation (RS256):

This error indicates that the server cannot properly validate the attestation certificate chain provided by the conformance tool's test authenticator against your configured trust sources (the metadata from FidoMetadataService).

While you have imported the test metadata, the issue may be related to one of the following common causes for "packed" attestation:

1.  Trust Anchor Configuration: Ensure that the root certificate for the test metadata is correctly loaded and trusted by your FidoMetadataService instance. The test metadata frequently uses specific test root certificates that must be explicitly trusted by the server for these particular conformance tests.
2.  Attestation Certificate Format: Verify that the attestation certificate received in the attStmt is being parsed correctly by the Yubico library, especially when dealing with the raw RS256 format specified in the test (ALG_SIGN_RSASSA_PKCSV15_SHA256_RAW).
3.  Metadata Cache/Refresh: If the server is caching production metadata, ensure it is completely refreshed or replaced with only the test metadata blob when running the conformance tool.

Since this specific test uses a SELF attestation with "packed" format, the server is expected to:

1.  Extract the attestation public key from the authData.
2.  Verify the signature in attStmt using the extracted key.
3.  Check if the key is trusted, which, in a conformance test environment, means checking against the test metadata.

Please double-check the exact implementation steps for integrating the "Download Test Metadata" files into the Yubico library's MetadataBLOBPayload and FidoMetadataService to ensure all necessary trust anchors are recognized.

Best regards,

Az
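
The three steps listed above for SELF "packed" attestation with RS256, written out as the WebAuthn packed verification procedure defines them. This is an added example, not part of the original post and not code from the Yubico library. It uses only the Java standard library; the `AttStmt` and `Result` records are hypothetical, CBOR/COSE decoding is assumed to have been done already, and the key pair and authData are constructed stand-ins.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.List;

public class PackedSelfAttestationCheck {
    static final long COSE_RS256 = -257; // COSE id for RSASSA-PKCS1-v1_5 with SHA-256

    /** Hypothetical holder for an already-decoded packed attStmt. */
    record AttStmt(long alg, byte[] sig, List<byte[]> x5c) {}

    /** Attestation type plus the trust path a trust source would evaluate. */
    record Result(String type, List<byte[]> trustPath) {}

    static Result verify(AttStmt stmt, byte[] authData, byte[] clientDataHash,
                         PublicKey credentialKey, long credentialAlg)
            throws GeneralSecurityException {
        if (stmt.x5c() != null && !stmt.x5c().isEmpty()) {
            throw new IllegalArgumentException("x5c present: not self attestation");
        }
        // Self attestation: attStmt alg must equal the credential key's alg in authData.
        if (stmt.alg() != credentialAlg || stmt.alg() != COSE_RS256) {
            throw new IllegalArgumentException("alg mismatch or unsupported alg");
        }
        // The signature covers authenticatorData || clientDataHash and is
        // checked with the credential public key itself.
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(credentialKey);
        v.update(authData);
        v.update(clientDataHash);
        if (!v.verify(stmt.sig())) {
            throw new SignatureException("bad self-attestation signature");
        }
        return new Result("SELF", List.of()); // empty trust path: no certificate present
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();   // constructed stand-in for the credential key
        byte[] authData = new byte[37];     // constructed placeholder, not real authData
        byte[] clientDataHash = MessageDigest.getInstance("SHA-256")
                .digest("{}".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(authData);
        s.update(clientDataHash);
        AttStmt stmt = new AttStmt(COSE_RS256, s.sign(), null);
        Result r = verify(stmt, authData, clientDataHash, kp.getPublic(), COSE_RS256);
        System.out.println(r.type() + " trustPathLength=" + r.trustPath().size());
    }
}
```

Because the result is type SELF with an empty trust path, whether such a registration is accepted is a relying-party policy decision rather than a certificate-chain lookup.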

Mohd Azrial Bin Mohd Saini

Dec 10, 2025, 9:10:15 AM
to MMB, พี่ลู่ก็ คือแบบมัน, Abhijai K P, FIDO Dev (fido-dev)
  • Abhijai asked for help with a FIDO conformance test error: "Failed to derive trust for attestation key."
  • Az suggested common causes like test metadata trust anchor configuration and proper parsing of the attestation certificate.


On Wed, 10 Dec 2025 at 7:55 PM, MMB <m702...@gmail.com> wrote:
Hey good brother I self teaching myself how to but if I did something wrong let me know and if possible school me how to thanks 

Mohd Azrial Bin Mohd Saini

Dec 10, 2025, 10:56:22 AM
to MMB, พี่ลู่ก็ คือแบบมัน, Abhijai K P, FIDO Dev (fido-dev)
  • Abhijai asked for help resolving a FIDO conformance test error about attestation trust failure.
  • Az suggested checking test metadata trust anchors and attestation certificate parsing as potential causes.

MMB

Dec 11, 2025, 4:51:59 AM
to Mohd Azrial Bin Mohd Saini, พี่ลู่ก็ คือแบบมัน, Abhijai K P, FIDO Dev (fido-dev)
Hey good brother I self teaching myself how to but if I did something wrong let me know and if possible school me how to thanks 
On Wed, Dec 10, 2025 at 5:40 AM Mohd Azrial Bin Mohd Saini <m.azri...@gmail.com> wrote:

MMB

Dec 11, 2025, 4:52:13 AM
to Mohd Azrial Bin Mohd Saini, พี่ลู่ก็ คือแบบมัน, Abhijai K P, FIDO Dev (fido-dev)
How do I fix this?