FIDO Conformance Tools v1.7.20 || FIDO2 Server question!


jorge alfonso

Aug 14, 2024, 2:06:41 PMAug 14
to FIDO Dev (fido-dev)

Hi everyone,

I've encountered a confusing situation with the tool I'm using to generate attestation objects for FIDO2. The tool seems to be assuming that the attestation is "self-attested" (also known as "self-packed"), but it is still including an x5c array in the attestation object. Even the x5c attestnCert validates the signature (not the public key in the key pair) for the test.

As I understand it, the way to determine the attestation type typically involves checking the presence and content of certain fields:

  • Self-Attestation: If the attestation is self-packed, the attestation statement should generally not include the x5c field. Instead, the attestation uses the authenticator's public key for the signature, indicating that the authenticator is attesting to itself.

  • Attestation with x5c: The presence of an x5c array usually indicates that the attestation is not self-packed. 

Given this understanding, I'm confused about why the tool assumes the attestation is self-packed when it is including the x5c field. How can I correctly identify the attestation type if the tool is making this assumption? Shouldn't the presence of the x5c array override any assumption of self-attestation? 

Has anyone else experienced this issue or can offer some insight into this behavior?

Thanks in advance for your help!


test:

F-2 Send ServerAuthenticatorAttestationResponse with SELF "packed" attestation, that contains full attestation, and check that server returns an error

Alex Seigler

Aug 14, 2024, 2:28:30 PMAug 14
to jorge alfonso, FIDO Dev (fido-dev)

In that test, you are supposed to use the conformance metadata packed with the tool to determine the authenticator with the supplied aaguid is not capable of producing a full attestation, detecting that a full attestation was supplied, and failing the operation with an appropriate error response.


-aseigler
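The F-2 check Alex describes, as an added example (not the conformance tool's or any server's code): classify a CBOR-decoded "packed" attStmt by the fields it carries, then compare that against the metadata statement for the supplied AAGUID. The metadata table and AAGUIDs below are constructed placeholders standing in for the metadata packed with the tool; the `attestationTypes` values are the MDS3 strings.

```python
# Constructed stand-in for the conformance metadata, keyed by AAGUID.
# These AAGUIDs are placeholders, not real authenticators.
METADATA = {
    "00000000-0000-0000-0000-0000000000aa": {"attestationTypes": ["basic_surrogate"]},
    "00000000-0000-0000-0000-0000000000bb": {"attestationTypes": ["basic_full"]},
}

# Metadata attestation types under which an x5c chain (full attestation) is acceptable.
FULL_ATTESTATION_TYPES = {"basic_full", "attca", "anonca"}


class AttestationError(ValueError):
    """Raised when the attestation must be rejected with an error response."""


def packed_attestation_kind(att_stmt):
    """Classify a decoded 'packed' attStmt (a dict) by its optional fields.

    Per WebAuthn, x5c present means Basic/AttCA (full) attestation signed by
    attestnCert; ecdaaKeyId means ECDAA; neither means self attestation,
    where the credential's own key produced the signature.
    """
    if "x5c" in att_stmt:
        return "full"
    if "ecdaaKeyId" in att_stmt:
        return "ecdaa"
    return "self"


def check_packed_attestation(aaguid, att_stmt, metadata=METADATA):
    """Return the attestation kind if the metadata permits it, else raise.

    The point of F-2 is that a full attestation from an authenticator whose
    metadata only lists basic_surrogate is an error, not something to accept
    just because the x5c chain happens to verify.
    """
    kind = packed_attestation_kind(att_stmt)
    entry = metadata.get(aaguid)
    if entry is None:
        raise AttestationError(f"no metadata statement for aaguid {aaguid}")
    allowed = set(entry["attestationTypes"])
    if kind == "full" and not (allowed & FULL_ATTESTATION_TYPES):
        raise AttestationError(
            "full attestation presented but metadata only permits "
            + ", ".join(sorted(allowed)))
    if kind == "self" and "basic_surrogate" not in allowed:
        raise AttestationError("self attestation presented but not permitted by metadata")
    if kind == "ecdaa" and "ecdaa" not in allowed:
        raise AttestationError("ECDAA attestation presented but not permitted by metadata")
    return kind
```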

