FIDO Conformance Tests are Failing Due to "invalid cert path" exception and "invalid MetadataBLOB signature"


Thamindu Dilshan Jayawickrama

Feb 19, 2022, 6:33:40 AM
to FIDO Dev (fido-dev)
Hi,

I'm trying to run FIDO conformance self-validation tests on an authentication server. The server is using the webauthn4j library for attestation validation at the registration ceremony.

We've been using an adapter to perform communications between the compliance tool and the authentication server. When running tests, we submit this adapter URL to the conformance tool.

I've submitted the adapter URL to https://mds3.certinfra.fidoalliance.org/ and obtained 5 MDS endpoints. In the server implementation, a list of fidoMDSMetadataBLOBProviders has been created for the obtained URLs. When they perform metadata cert validations, I'm getting an "invalid cert path" exception for some URLs and an exception with the description "MetadataBLOB signature is invalid" for some URLs. Some attestation tests are failing due to this issue.

I can't figure out what's happening here. The only thing I did was obtain the MDS endpoints by submitting the adapter URL and provide them, along with the root certificate, to the server implementation.

Any idea on the issue or what I'm doing wrong?

Thanks in advance.

Regards,
Thamindu

Ackermann Yuriy

Feb 19, 2022, 7:17:51 AM
to Thamindu Dilshan Jayawickrama, FIDO Dev (fido-dev)
That's an expected behaviour. The tests are checking that you correctly validate the certificate chain.

--
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand
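To make concrete what the conformance MDS endpoints exercise, here is an added example (not from this thread and not webauthn4j code) of the two checks a relying party must make on a MetadataBLOB JWS: that the x5c certificate chains to the configured trust anchor, and that the JWS signature verifies under that certificate. It uses the Python `cryptography` package, a constructed two-certificate chain and a simplified path check (leaf issued directly by the anchor; no intermediates, validity-period or revocation handling), so a BLOB from an untrusted chain and a tampered BLOB fail with the same two messages seen in the thread.

```python
import base64, json, datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, utils
from cryptography.exceptions import InvalidSignature

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64ud(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_cert(cn, issuer_cn, issuer_key, pub, ca):
    """Constructed test certificate (CN only, 1 day validity); not a real MDS cert."""
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def sign_blob(payload, leaf_key, leaf_cert):
    """ES256 JWS with the signing cert in the x5c header, the shape an MDS3 BLOB has."""
    x5c = base64.b64encode(leaf_cert.public_bytes(serialization.Encoding.DER)).decode()
    hdr = b64u(json.dumps({"alg": "ES256", "x5c": [x5c]}).encode())
    body = b64u(json.dumps(payload).encode())
    # JWS carries the raw r||s signature, not the DER form cryptography produces
    r, s = utils.decode_dss_signature(leaf_key.sign(f"{hdr}.{body}".encode(), ec.ECDSA(hashes.SHA256())))
    return f"{hdr}.{body}." + b64u(r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def verify_blob(jws, trust_anchor):
    """Return the payload only if x5c chains to trust_anchor AND the signature verifies."""
    h, p, s = jws.split(".")
    leaf = x509.load_der_x509_certificate(base64.b64decode(json.loads(b64ud(h))["x5c"][0]))
    try:  # simplified path check: leaf must be issued by and signed with the anchor's key
        if leaf.issuer != trust_anchor.subject: raise InvalidSignature
        trust_anchor.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes, ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        raise ValueError("invalid cert path (Path does not chain with any of the trust anchors)")
    sig = utils.encode_dss_signature(*(int.from_bytes(b64ud(s)[i:i + 32], "big") for i in (0, 32)))
    try:  # only now is the BLOB's own signature checked, under the leaf's key
        leaf.public_key().verify(sig, f"{h}.{p}".encode(), ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("MetadataBLOB signature is invalid")
    return json.loads(b64ud(p))

def build_fixture():
    """Constructed data: a trust anchor, a leaf it signed, and an unrelated 'rogue' anchor."""
    root_key, leaf_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Test MDS Root", "Test MDS Root", root_key, root_key.public_key(), True)
    leaf = make_cert("Test MDS Signer", "Test MDS Root", root_key, leaf_key.public_key(), False)
    rogue = make_cert("Rogue Root", "Rogue Root", rogue_key, rogue_key.public_key(), True)
    return {"jws": sign_blob({"no": 1, "entries": []}, leaf_key, leaf), "anchor": root, "rogue": rogue}
```

A server that wires several providers should treat each rejection as that provider being untrusted and keep serving metadata from the providers that verify, rather than failing the whole registration.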

Thamindu Dilshan Jayawickrama

Feb 20, 2022, 12:33:14 PM
to FIDO Dev (fido-dev), Ackermann Yuriy, FIDO Dev (fido-dev), Thamindu Dilshan Jayawickrama
But these tests are expected to pass in the tool. Below are the test cases which are failing when MDS validations are implemented.

P1 and P3 of "Server-ServerAuthenticatorAttestationResponse-Resp-9" due to "invalid cert path (Path does not chain with any of the trust anchors)"

Thanks,
Thamindu

Thamindu Dilshan Jayawickrama

Feb 21, 2022, 12:41:29 AM
to FIDO Dev (fido-dev), Thamindu Dilshan Jayawickrama, Ackermann Yuriy, FIDO Dev (fido-dev)
Hi Yuriy,

Thanks for the reply. I think I was a bit unclear in the reply above. Let me explain it again.

Your reply answers the original question. But after implementing MDS3 metadata validations at the device registration ceremony, the P1 and P3 test cases of "Server-ServerAuthenticatorAttestationResponse-Resp-9" (of MakeCredential: Platform) started to fail due to "invalid cert path (Path does not chain with any of the trust anchors)". These two tests were passing before implementing the MDS validations.

Do you have any idea what's happening here? I'm using the experimental test tool v1.6.41.

Regards,
Thamindu

Ricardo Reis

Nov 29, 2023, 12:11:55 PM
to FIDO Dev (fido-dev), Thamindu Dilshan Jayawickrama, Ackermann Yuriy, FIDO Dev (fido-dev)
Hi again Thamindu,

Did you have any luck passing the P1 test? Thanks
