HID Report Descriptor parsing

106 views
Skip to first unread message

Tom Thorogood

unread,
Mar 13, 2021, 5:16:34 AMMar 13
to FIDO Dev (fido-dev)

Hi all,

I'm working on a FIDO2 client library written in pure-Go and I'm coming up against some of the difficulties of HID Report Descriptors and the various os-specific USB HID implementations. The CTAP spec isn't exactly clear or specific about a number of different things, and both USB and HID has a lot of complexity.

If anyone is able to clarify a few things for me, that would be most appreciated. They're all related to the "HID device implementation" section.
  1. The spec says: "During CTAPHID device discovery, all HID devices present in the system are examined and devices that match this usage pages and usage are then considered to be CTAPHID devices." Can the FIDO/CTAPHID usage page and usage appear anywhere in the report descriptor or do they always have to be top-level (i.e. not in a collection)?
  2. The spec provides an example HID Report Descriptor, but it's not clear how close authenticators are required to match this. They're allowed to specify different Report Counts, but are they allowed to change any other fields or add any new fields or collections?
  3. The spec says: "The CTAPHID just provides two "raw" reports, which basically map directly to the IN and OUT endpoints." Are CTAPHID devices only allowed to include the two reports in their descriptor or are they allowed to bundle those with other reports? I notice that YubiKey's in particular list the CTAPHID reports as their own HID device and leave the YubiKey-specific keyboard reports in a separate HID device.
  4. Are CTAPHID devices allowed to use numbered reports? (That is reports containing the Report Id HID Item). I've noticed that many implementations (like libfido2) don't support numbered reports and supporting them does add quite a bit of complexity to the USB HID implementations.
It would be great if the "HID device implementation" section could be more detailed in future spec versions. I've noticed a lot of variation in HID Report Descriptor parsing across various implementations, so this is a seemingly underspecified section and those differences could manifest as incompatibilities in the future.

Thanks in advance.

hami zahedi

unread,
May 26, 2021, 2:50:35 PMMay 26
to FIDO Dev (fido-dev), me+g...@tomthorogood.co.uk
Hello .
How are you?

Thank you for your good explanation
I have problems with this
Which is related to the separation of the USB descriptor layer with the ctaphid command descriptor layer.

Please help me with the communication low level and explain more.

Thanks.
Reply all
Reply to author
Forward
0 new messages