
Enhance the test suite to detect potential server errors when the same challenge is used for different users #766

Open
5 of 17 tasks
DavidGonzalezPineiro opened this issue Aug 2, 2024 · 0 comments
Assignees
Labels
Enhancement Improvements to the existing functionality

Comments

@DavidGonzalezPineiro

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email [email protected]

FIRST PRE CHECK

  • I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

  • FIDO2 Server
  • CTAP2.0
  • CTAP2.1
  • UAF 1.1
  • U2F 1.1
  • U2F 1.2

NOTE: UAF 1.0 certification has been officially sunset. U2F 1.2 is the only supported version of U2F.

What is your implementation class?

  • Security Key / FIDO2 / U2F authenticators
  • Server
  • UAF Client-ASM-Authenticator combo
  • UAF Client
  • UAF ASM-Authenticator

If you are a platform authenticator vendor, please email [email protected]

What version of the tool are you using?

v1.7.19-1

What OS and version are you running?

For desktop tools

  • OSX
  • Windows
  • Linux

For UAF mobile tools

  • iOS
  • Android

Issue description

Enhancing the test suite to verify that the assertion returns an error when different users use the same challenge could be beneficial.

After passing the certification testing tools with 100% accuracy on the whole test suite, we identified that a false positive might be possible in the FIDO2 Interop tests.

The test case is as follows:

  1. Register two users by performing a MakeCredential with RK (USER1, USER2).
  2. Perform a GetAssertion with RK:
    2.1. Perform a POST assertion/options request with USER1.
    2.2. Perform a POST assertion/result request with USER2.

If the server does not handle the challenges correctly, the test result may be a false positive. It would be beneficial to include a test in the certification testing tool to check this behavior.
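The check the issue is asking the conformance tool to exercise, shown as an added example that is not code from the FIDO conformance tools or from the issue author. It models the two endpoints named above (`assertion/options`, `assertion/result`) as methods on a small in-memory server, with a `bind_to_user` switch: `False` reproduces the weak behaviour (the server only asks "does this challenge exist?"), `True` binds each challenge to the identity that requested it and rejects a result submitted by anyone else, along with replayed and expired challenges. Function names, the TTL and the in-memory store are assumptions; no WebAuthn signature verification is performed, only the challenge bookkeeping the issue is about. For a purely discoverable-credential flow the "requesting identity" would be the session that called options rather than a username, but the comparison is the same.

```python
"""Challenge-to-user binding for a FIDO2 server's assertion flow (added example).

Scenario from the issue: assertion/options is requested for USER1 and
assertion/result is submitted for USER2 with the same challenge. A server
that only checks that the challenge exists accepts it; a server that binds
the challenge to the requesting user rejects it.
"""
import base64
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CHALLENGE_TTL_SECONDS = 120  # assumed lifetime; choose per deployment


@dataclass
class PendingChallenge:
    user_id: str        # identity (or session) that requested options
    issued_at: float    # epoch seconds, for expiry
    used: bool = False  # single-use: consumed on the first valid result


@dataclass
class AssertionServer:
    """Minimal model of the two endpoints named in the issue (hypothetical)."""
    bind_to_user: bool = True  # False reproduces the weak behaviour
    _pending: Dict[str, PendingChallenge] = field(default_factory=dict)

    def assertion_options(self, user_id: str, now: Optional[float] = None) -> dict:
        """POST assertion/options: mint a fresh random challenge for this user."""
        now = time.time() if now is None else now
        raw = secrets.token_bytes(32)
        challenge = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
        self._pending[challenge] = PendingChallenge(user_id=user_id, issued_at=now)
        return {"challenge": challenge, "userVerification": "preferred"}

    def assertion_result(self, user_id: str, challenge: str,
                         now: Optional[float] = None) -> Tuple[bool, str]:
        """POST assertion/result: validate the challenge before any signature work.

        Returns (accepted, reason). Every rejection path runs before the
        challenge is marked used, so a rejected attempt cannot burn it.
        """
        now = time.time() if now is None else now
        pending = self._pending.get(challenge)
        if pending is None:
            return False, "unknown challenge"
        if pending.used:
            return False, "challenge already used"
        if now - pending.issued_at > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"
        if self.bind_to_user and pending.user_id != user_id:
            # This is the check the issue's USER1/USER2 case exercises.
            return False, "challenge was issued to a different user"
        pending.used = True
        return True, "ok"


def cross_user_scenario(bind_to_user: bool) -> Tuple[bool, str]:
    """Steps 2.1 and 2.2 of the issue: options for USER1, result from USER2."""
    server = AssertionServer(bind_to_user=bind_to_user)
    opts = server.assertion_options("USER1")
    return server.assertion_result("USER2", opts["challenge"])


if __name__ == "__main__":
    print("weak server   :", cross_user_scenario(bind_to_user=False))
    print("binding server:", cross_user_scenario(bind_to_user=True))
```

Run as a script it prints the two outcomes side by side; the weak configuration returns `(True, 'ok')` for the cross-user submission, which is exactly the false positive the existing interop tests would not catch.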

@iirachek iirachek self-assigned this Aug 5, 2024
@iirachek iirachek added the Enhancement Improvements to the existing functionality label Aug 5, 2024