I'm working on a FIDO2 client library written in pure Go and I'm coming up against some of the difficulties of HID Report Descriptors and the various OS-specific USB HID implementations. The CTAP spec isn't exactly clear or specific about a number of different things, and both USB and HID have a lot of complexity.
If anyone is able to clarify a few things for me, that would be most appreciated. They're all related to the "HID device implementation" section.
- The spec says: "During CTAPHID device discovery, all HID devices present in the system are examined and devices that match this usage pages and usage are then considered to be CTAPHID devices." Can the FIDO/CTAPHID usage page and usage appear anywhere in the report descriptor or do they always have to be top-level (i.e. not in a collection)?
- The spec provides an example HID Report Descriptor, but it's not clear how close authenticators are required to match this. They're allowed to specify different Report Counts, but are they allowed to change any other fields or add any new fields or collections?
- The spec says: "The CTAPHID just provides two "raw" reports, which basically map directly to the IN and OUT endpoints." Are CTAPHID devices only allowed to include the two reports in their descriptor or are they allowed to bundle those with other reports? I notice that YubiKeys in particular list the CTAPHID reports as their own HID device and leave the YubiKey-specific keyboard reports in a separate HID device.
- Are CTAPHID devices allowed to use numbered reports? (That is, reports containing the Report ID HID item.) I've noticed that many implementations (like libfido2) don't support numbered reports, and supporting them does add quite a bit of complexity to the USB HID implementations.
It would be great if the "HID device implementation" section could be more detailed in future spec versions. I've noticed a lot of variation in HID Report Descriptor parsing across various implementations, so this is a seemingly underspecified section and those differences could manifest as incompatibilities in the future.
Thanks in advance.
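As an added example (not part of the post above or of the library it describes), here is a small Go walk over a HID report descriptor that applies the discovery rule the post quotes: a device is treated as CTAPHID when a top-level Application collection carries usage page 0xF1D0 and usage 0x01, and the walk also records whether any Report ID items are present and how long the Input and Output reports inside that collection are. Reading the rule as "top-level collection only" is an assumption, the conservative interpretation of the quoted sentence. Both sample descriptors are constructed for this example; the first follows the layout of the spec's example descriptor, the second is a keyboard-style descriptor with a Report ID, so a client can see how the two cases differ.

```go
package main

import (
	"errors"
	"fmt"
)

// Values the CTAP spec assigns to the CTAPHID usage page and usage.
const (
	FIDOUsagePage    = 0xF1D0
	FIDOUsageCTAPHID = 0x01
)

// Extended usage (page in the upper 16 bits, usage in the lower 16) for CTAPHID.
const fidoCTAPHIDUsage = uint32(FIDOUsagePage)<<16 | FIDOUsageCTAPHID

// ReportInfo summarises what the descriptor walk found.
type ReportInfo struct {
	IsCTAPHID       bool // top-level Application collection with the FIDO usage page/usage (assumed reading)
	UsesReportIDs   bool // any Report ID item present, i.e. numbered reports
	InputReportLen  int  // bytes of Input report(s) inside the CTAPHID collection
	OutputReportLen int  // bytes of Output report(s) inside the CTAPHID collection
	Collections     int  // number of top-level collections in the descriptor
}

// item is one decoded HID short item: type 0 = Main, 1 = Global, 2 = Local.
type item struct {
	typ, tag byte
	data     uint32
	size     int
}

// parseItems decodes the short-item stream; long items (prefix 0xFE) are skipped.
func parseItems(desc []byte) ([]item, error) {
	var items []item
	for i := 0; i < len(desc); {
		prefix := desc[i]
		if prefix == 0xFE { // long item: second byte is its data size
			if i+1 >= len(desc) || i+3+int(desc[i+1]) > len(desc) {
				return nil, errors.New("truncated long item")
			}
			i += 3 + int(desc[i+1])
			continue
		}
		size := int(prefix & 0x03) // 0, 1, 2 or (encoded as 3) 4 data bytes
		if size == 3 {
			size = 4
		}
		if i+1+size > len(desc) {
			return nil, fmt.Errorf("truncated item at offset %d", i)
		}
		var data uint32
		for k := 0; k < size; k++ { // little-endian data bytes
			data |= uint32(desc[i+1+k]) << (8 * k)
		}
		items = append(items, item{typ: (prefix >> 2) & 0x03, tag: prefix >> 4, data: data, size: size})
		i += 1 + size
	}
	return items, nil
}

// Analyze walks a report descriptor and applies the CTAPHID discovery rule.
func Analyze(desc []byte) (ReportInfo, error) {
	items, err := parseItems(desc)
	if err != nil {
		return ReportInfo{}, err
	}
	var info ReportInfo
	var usagePage, reportSize, reportCount uint32
	var usages []uint32 // Local usages pending the next Main item
	depth, inFIDO := 0, false
	for _, it := range items {
		switch it.typ {
		case 1: // Global items
			switch it.tag {
			case 0x0:
				usagePage = it.data
			case 0x7:
				reportSize = it.data
			case 0x8:
				info.UsesReportIDs = true
			case 0x9:
				reportCount = it.data
			}
		case 2: // Local items: only Usage (tag 0) matters here
			if it.tag == 0x0 {
				u := it.data
				if it.size <= 2 { // a 4-byte usage already carries its own page
					u |= usagePage << 16
				}
				usages = append(usages, u)
			}
		case 0: // Main items consume the pending Local usages
			switch it.tag {
			case 0xA: // Collection; data 0x01 = Application
				if depth == 0 {
					info.Collections++
					if it.data == 0x01 && len(usages) > 0 && usages[0] == fidoCTAPHIDUsage {
						inFIDO, info.IsCTAPHID = true, true
					}
				}
				depth++
			case 0xC: // End Collection
				if depth == 0 {
					return info, errors.New("End Collection without matching Collection")
				}
				depth--
				if depth == 0 {
					inFIDO = false
				}
			case 0x8: // Input
				if inFIDO {
					info.InputReportLen += int(reportSize*reportCount) / 8
				}
			case 0x9: // Output
				if inFIDO {
					info.OutputReportLen += int(reportSize*reportCount) / 8
				}
			}
			usages = usages[:0]
		}
	}
	if depth != 0 {
		return info, errors.New("unbalanced collections")
	}
	return info, nil
}

// SpecExampleDescriptor is constructed here following the layout of the spec's example:
// one Application collection with a 64-byte Input and a 64-byte Output report.
var SpecExampleDescriptor = []byte{
	0x06, 0xD0, 0xF1, 0x09, 0x01, 0xA1, 0x01,
	0x09, 0x20, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x81, 0x02,
	0x09, 0x21, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x91, 0x02,
	0xC0,
}

// KeyboardDescriptor is a constructed keyboard-style descriptor using a Report ID.
var KeyboardDescriptor = []byte{
	0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0x85, 0x01, 0x05, 0x07,
	0x19, 0x00, 0x29, 0x65, 0x15, 0x00, 0x25, 0x65, 0x75, 0x08, 0x95, 0x06, 0x81, 0x00,
	0xC0,
}

func main() {
	for name, d := range map[string][]byte{"fido": SpecExampleDescriptor, "keyboard": KeyboardDescriptor} {
		info, err := Analyze(d)
		fmt.Printf("%s: %+v err=%v\n", name, info, err)
	}
}
```

In a client library the `ReportInfo` is what you would log per enumerated device: a descriptor that matches the usage rule but reports a non-64-byte packet size or a Report ID is exactly the kind of variation the post describes, and surfacing it at discovery time makes an incompatibility visible before any CTAPHID traffic is attempted.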