Can we maybe not die from non-canonical CBOR? #93

@My1

Currently playing around a bit and tried a few of the example scripts on a GoTrust Idem Card

https://www.gotrustid.com/idem-card

and, well, upon running get_info.py the script immediately dies due to the CBOR not being canonical:

my1@my1-qb:~$ python3 python-fido2/examples/get_info.py 
CONNECT: CtapPcscDevice(REINER SCT cyberJack RFID basis 00 00)
CTAPHID protocol version: 2
Traceback (most recent call last):
  File "python-fido2/examples/get_info.py", line 58, in <module>
    info = ctap2.get_info()
  File "/home/my1/.local/lib/python3.6/site-packages/fido2/ctap2.py", line 755, in get_info
    return self.send_cbor(CTAP2.CMD.GET_INFO, parse=Info)
  File "/home/my1/.local/lib/python3.6/site-packages/fido2/ctap2.py", line 656, in send_cbor
    "Got: {}\n".format(enc_h) + "Expected: {}".format(exp_h)
ValueError: Non-canonical CBOR from Authenticator.
Got: b'a60182684649444f5f325f30665532465f563202816b686d61632d73656372657403509f0d8150baa54c009299ad62c8bb4e8704a464706c6174f462726bf569636c69656e7450696ef5627570f505190400068101'
Expected: b'a60182684649444f5f325f30665532465f563202816b686d61632d73656372657403509f0d8150baa54c009299ad62c8bb4e8704a462726bf5627570f564706c6174f469636c69656e7450696ef505190400068101'

Considering there are actual authenticators flying around that don't necessarily run canonical and unsurprisingly cannot be updated (a bad trend Yubico, as far as I can see, started as one of the first well-known FIDO devices), it would kinda break stuff if canonical is enforced.

For now, all of the other CTAP2-capable devices I currently possess, which are

  • Yubikey 5 (Fido 2.0)
  • Blue Yubi with NFC (Fido 2.1)
  • eWBM Goldengate G310 (FIDO2.1)
  • Solokeys Solo (on both Fido 2.0 and 2.1 firmwares)
  • Hypersecu HyperFido Pro mini (Fido 2.0)

do NOT seem to have this problem. U2F devices, as far as the script says, don't even do CBOR, so they are out all the way:

my1@my1-qb:~$ python3 python-fido2/examples/get_info.py 
CONNECT: CtapHidDevice(/dev/hidraw0)
CTAPHID protocol version: 2
Device does not support CBOR
WINK sent!
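
The two hex strings in the traceback above differ only in the key order of the nested options map (key 4): CTAP2 canonical CBOR sorts map keys by major type, then by encoded length, then bytewise. The following is an added example, not part of the original post and not python-fido2 code: a standalone decoder for the CBOR subset this reply uses, which parses the data regardless of key order and records ordering violations instead of raising. The names `decode`, `audit` and the `$.4` path notation are chosen here for illustration.

```python
# Added example, not python-fido2 code: decode and audit CTAP2 map key order.
GOT = bytes.fromhex(  # the "Got:" value from the traceback above
    "a60182684649444f5f325f30665532465f5632"
    "02816b686d61632d73656372657403509f0d8150baa54c009299ad62c8bb4e87"
    "04a464706c6174f462726bf569636c69656e7450696ef5627570f505190400068101")
SIMPLE = {0xF4: False, 0xF5: True, 0xF6: None}

def decode(buf, pos, path, issues):
    """Decode one item at pos; return (value, next offset)."""
    first = buf[pos]
    major, info, pos = first >> 5, first & 0x1F, pos + 1
    if first in SIMPLE:
        return SIMPLE[first], pos
    if major > 5 or info > 27:  # tags, floats, indefinite lengths
        raise ValueError("unsupported CBOR head 0x%02x" % first)
    arg = info
    if info >= 24:  # argument follows in 1, 2, 4 or 8 bytes
        end = pos + (1 << (info - 24))
        arg, pos = int.from_bytes(buf[pos:end], "big"), end
    if major < 2:  # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):  # byte string / text string
        raw = buf[pos:pos + arg]
        if len(raw) != arg:
            raise ValueError("truncated string at offset %d" % pos)
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:  # array
        items = []
        for i in range(arg):
            item, pos = decode(buf, pos, "%s[%d]" % (path, i), issues)
            items.append(item)
        return items, pos
    result, order = {}, []  # major 5, map: remember each key's encoded form
    for _ in range(arg):
        start = pos
        key, pos = decode(buf, pos, path, issues)
        order.append(((buf[start] >> 5, pos - start, buf[start:pos]), key))
        result[key], pos = decode(buf, pos, "%s.%s" % (path, key), issues)
    # CTAP2 rule: lower major type first, then shorter encoding, then bytewise
    canon = sorted(order, key=lambda e: e[0])
    if canon != order:
        issues.append((path, [k for _, k in order], [k for _, k in canon]))
    return result, pos

def audit(buf):
    """Return (decoded value, [(map path, received keys, canonical keys)])."""
    issues = []
    value, _ = decode(buf, 0, "$", issues)
    return value, issues
```

Calling `audit(GOT)` yields the full getInfo structure plus one finding for `$.4`, which a caller can log as a device quirk while still using the decoded values.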
