Server Conformance Make Credential Response

16 views
Skip to first unread message

Jo Stevens

unread,
Nov 23, 2022, 12:13:08 PM11/23/22
to FIDO Dev (fido-dev)
Hi Guys, I hope this is the right forum for this.

I'm running through the Fido Server Conformance tools and I've got one failing test

Server-ServerAuthenticatorAttestationResponse-Resp-5 Test server processing "packed" FULL attestation

F-10 Send ServerAuthenticatorAttestationResponse with FULL "packed" attestation, with attStmt.x5c containing full chain, and check that server returns an error

The test passes where it should fail.

Could someone help explain why this should fail? A Full attestation means it requires a chain and a full chain means to me it's a valid chain. Very difficult to isolate and debug any of these tests so I'm a little stuck.

Thanks,
Jo

Shane Weeden

unread,
Nov 23, 2022, 2:16:47 PM11/23/22
to Jo Stevens, FIDO Dev (fido-dev)
I am aware of this test and personally think the test case is overly restrictive and wrong. That said, I believe I can at least explain what is happening.

According to section 6.1 of https://datatracker.ietf.org/doc/html/rfc5280:
"A certificate MUST NOT appear more than once in a prospective
   certification path."

In that test case, the rootCA is included in the x5c of the attestation response. You then try find a trust root from matching metadata.My understanding is that the test authors believe this constitutes a duplicate certificate in the certification path because the CA appears twice at the end.

Clearly the authors of the Java certificate validation code I am using don’t think so, because if you take a trust chain that includes a CA, and match it against a copy of that CA, then it works without error. 
Similarly if you take a self-signed cert you can do the same thing.

Anyway, that’s what I believe is happening.

Regards,
Shane.




--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/e7ea9785-295e-4c01-b3c2-3a715ce7dc85n%40fidoalliance.org.

Reply all
Reply to author
Forward
0 new messages