tests/device/test_config.py::test_always_uv[PinProtocolV2] Wrong Implementation

[tahaelbadaoui]

tests/device/test_config.py::test_always_uv[PinProtocolV1/V2] :

To describe what the test scenarios does it toogleAlwaysUv() via AuthenticatorConfig(0x0D) to set the AlwaysUv to true it's done and after that it send a getPinUvAuthTokenUsingUvWithPermissions | 0x06 and after that a makeCred with PinUVAuthParam based on the sharedSecret on the token requested before and it's valid since it's done with Uv and the makeCredential pass which respect the ctap2 specficiation which is normal cause the token is get and valid :

INFO apdu:conftest.py:298 >> 801080006406a50102020603a501020338182001215820936f68ade5eb21a28dfb0e26e3d2a28cc90407920adf0152bc653cb5906fb1d722582000bef8ee444ea9e8cebf6d80f6995ab3fef9881c046a060de7055d6921fe544909010a6b6578616d706c652e636f6d00
INFO apdu:conftest.py:300 << 00a102583084e455d48837380cf10636ac14558532d6c27583b339003a7b6726f211468da0b07ef147087c9e482ac6a035bd80dad9 SW=9000

{1: 2, 2: 6, 3: {1: 2, 3: -25, -1: 1, -2: h'936F68ADE5EB21A28DFB0E26E3D2A28CC90407920ADF0152BC653CB5906FB1D7', -3:
h'00BEF8EE444EA9E8CEBF6D80F6995AB3FEF9881C046A060DE7055D6921FE5449'}, 9: 1, 10: "example.com"}

But the test is expecting PIN_INVALID which is a ctap2_err raised on the getPinToken clientPin subcommand in case we do getPinUvAuthTokenUsingPinWithPermissions | 0x09 but the test scenario doesn't do it instead getPinUvAuthTokenUsingUvWithPermissions is done so don't see why it's expecting the test to raise a PIN_INVALID ?

apdu.log

def test_always_uv(ctap2, pin_protocol, device, printer):
always_uv = ctap2.info.options.get("alwaysUv")
if always_uv is None:
pytest.skip("AlwaysUv not supported")

    # Toggle on, if off
    if not always_uv:
        config = get_config(ctap2, pin_protocol)
        config.toggle_always_uv()

    assert ctap2.get_info().options["alwaysUv"] is True

    rp = {"id": "example.com", "name": "Example RP"}
    server = Fido2Server(rp)
    user = {"id": b"user_id", "name": "A. User"}

    create_options, state = server.register_begin(user, user_verification="discouraged")

    # Create a credential
    client = Fido2Client(
        device,
        client_data_collector=DefaultClientDataCollector("https://example.com"),
        user_interaction=CliInteraction(printer, "WrongPin"),
    )

    # Should require PIN due to alwaysUV and fail

  with pytest.raises(ClientError, match="PIN_INVALID"):

E Failed: DID NOT RAISE <class 'fido2.client.ClientError'>

[dainnilsson]

The test expects the Authenticator to be in a newly reset state (and should fail otherwise), where no forms of authentication are configured. The test will configure a PIN, but will not configure additional methods of UV, thus uv should be unconfigured in GetInfo, and the Fido2Client should use GET_TOKEN_USING_PIN, not GET_TOKEN_USING_UV.

[tahaelbadaoui]

@dainnilsson okey i see but the resetAuthenticator it's an open command in the cas of Yubikey Authenticators it reset also the template of fingerprints but in our case it doesn't so for this reason it's not passing .

[dainnilsson]

Yeah, I see what you mean. I think several of the tests assume that reset will in fact clear any registered fingerprints. Are there other tests that fail in a similar way for you?

[tahaelbadaoui]

@dainnilsson i don't think that there are some other tests related to reset that fail the same way as this one