Missing support for authenticators using NFC Protocol T=0 in contacted mode

[jcBeaupre]

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email [email protected]

FIRST PRE CHECK

• I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

• FIDO2 Server
• CTAP2.0
• CTAP2.1
• UAF 1.1
• U2F 1.1
• U2F 1.2

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

• Security Key / FIDO2 / U2F authenticators
• Server
• UAF Client-ASM-Authenticator combo
• UAF Client
• UAF ASM-Authenticator

If you are platform authenticator vendor, please email [email protected]

What is the version of the tool are you using?

v1.7.11

What is the OS and the version are you running?

For desktop tools

• OSX
• Windows
• Linux

For UAF mobile tools

• iOS
• Android

Issue description

We can use the conformance tool in NFC contactless mode with our smart card authenticator with no issues since it is using Protocol T=2, but we fail to run any test when we use contacted mode.

As you can see in the screenshot below, the conformance tool selects the Protocol T=1 when we insert our smart card, but alas, our current cards do not support T=1, they can only use T=0 in contacted.

Also, you can see in the transactions that when the conformance tool sends it's SELECT cmd, our smart card authenticator responds with a SW1-SW2 of: 0x61-0x08. According to Protocol T=0 (ISO7816-3), the authenticator expects a GET RESPONSE, but the conformance tool miss interpret it and resends the SELECT cmd. The communication then goes in an infinite loop.

I hope this is enough information for the maintainers. If not, do not hesitate to let me know what information you would need, or if you want me to test a fix on my side, it will be my pleasure to help!

Expected behavior

The tool can communicate with authenticators in contacted that only implement Protocol T=0

Reproduction steps

• Use a authenticator that only supports Protocol T=0 in contacted.
• Insert it in reader
• Run any test

[yackermann]

@jcBeaupre that one is much harder since I do not have any authenticators working in T=0 mode. *(

Do you have any idea what commercially available devices are T=0 only?

[jcBeaupre]

Hey @herrjemand, sorry for the delaid response here.

While we are developing on one, we don't know of other FIDO2 smart card authenticators using T=0 that are commercially available 😞.

However, since the problem occurs on the applet SELECT specifically you can probably reproduce the error with a dummy FIDO2 applet on any T=0 smart card or even with a smart card emulator such as https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html.

We would be happy to provide a dummy test applet if you decide to go that route!

[tetardo76]

Hello,

If that can help to have the test suite updated to support T=0, I would be happy to provide some T=0 cards with a FIDO 2.1 implementation. Would that be of interest ?

Best Regards
Mehdi SOUMHI