feat: Validate CTAPHID response framing #504

Merged: DennisDyallo merged 6 commits into yubikit-composite-device-new from yubikit-ctaphid-sequence-wrap on Jul 1, 2026

@DennisDyallo

Collaborator

Summary

  • Validate CTAPHID response init and continuation channel IDs.
  • Reject init packets in continuation position and malformed short init packets.
  • Preserve seven-bit continuation sequence wrap semantics.

Verification

  • dotnet toolchain.cs -- test --project Core --filter "FullyQualifiedName~FidoHidProtocolTests"
  • dotnet toolchain.cs -- test --integration --project Fido2 --smoke --filter "Category!=RequiresUserPresence"
  • Read-only review: no findings

@DennisDyallo changed the title from "Validate CTAPHID response framing" to "feat: Validate CTAPHID response framing" on Jun 24, 2026
@DennisDyallo requested a review from Copilot on June 26, 2026 12:30

Copilot AI left a comment

Contributor

Pull request overview

This PR tightens CTAP HID response parsing in FidoHidProtocol by validating response framing (channel IDs, init/continuation packet type, and continuation sequence), and adds unit tests to exercise these framing validation paths.

Changes:

  • Added validation for CTAP HID init response packets (minimum length, channel ID match, init bit set).
  • Added validation for CTAP HID continuation packets (minimum length, channel ID match, init bit clear, expected sequence with 7-bit semantics).
  • Introduced new unit tests covering channel/sequence mismatches, malformed short init packets, and init-vs-continuation framing errors.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/Core/src/Protocols/Fido/Hid/FidoHidProtocol.cs | Adds init/continuation response framing validation and keep-alive handling adjustments during response receive. |
| src/Core/tests/Yubico.YubiKit.Core.UnitTests/Protocols/Fido/Hid/FidoHidProtocolTests.cs | Adds unit tests validating continuation sequence masking and various malformed/incorrect response framing cases. |

Comment thread src/Core/src/Protocols/Fido/Hid/FidoHidProtocol.cs
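
The framing checks listed in the review summary above, as an added example that is not the project's FidoHidProtocol code or part of either comment. It assumes the CTAPHID layout of a 7-byte init header (channel ID, command byte with the high bit set, 2-byte length) and a 5-byte continuation header (channel ID, sequence byte with the high bit clear); the class and method names are hypothetical, the channel ID is compared as a big-endian integer for convenience, and keep-alive packets are not modelled.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;
// Constructed sample: a 60-byte response on channel 0x01020304 split over two 64-byte reports.
byte[] init = new byte[64], cont = new byte[64];
new byte[] { 1, 2, 3, 4, 0x90, 0, 60 }.CopyTo(init, 0); // CID, CMD with init bit set, BCNT = 60
new byte[] { 1, 2, 3, 4, 0x00 }.CopyTo(cont, 0);        // CID, SEQ = 0
Console.WriteLine(CtapHidFraming.Reassemble(0x01020304, new[] { init, cont }).Length);
cont[3] = 9; // the continuation now claims a different channel
try { CtapHidFraming.Reassemble(0x01020304, new[] { init, cont }); }
catch (InvalidOperationException e) { Console.WriteLine(e.Message); }

// Hypothetical helper written for this example (assumed names, not the project's API).
static class CtapHidFraming
{
    const int InitHeader = 7; // CID(4) + CMD(1) + BCNT(2)
    const int ContHeader = 5; // CID(4) + SEQ(1)
    public static byte[] Reassemble(uint channelId, IEnumerable<byte[]> packets)
    {
        byte[] payload = Array.Empty<byte>();
        bool started = false;
        int received = 0, continuations = 0;
        foreach (byte[] p in packets)
        {
            int header = started ? ContHeader : InitHeader;
            if (p.Length < header) Fail("packet shorter than its header");
            if (BinaryPrimitives.ReadUInt32BigEndian(p) != channelId) Fail("channel ID mismatch");
            bool initBit = (p[4] & 0x80) != 0;
            if (!started)
            {
                if (!initBit) Fail("expected an init packet");
                payload = new byte[BinaryPrimitives.ReadUInt16BigEndian(p.AsSpan(5, 2))];
                started = true;
            }
            else
            {
                if (initBit) Fail("init packet in continuation position");
                // Seven-bit semantics: the expected value wraps from 0x7F back to 0x00.
                if (p[4] != (continuations++ & 0x7F)) Fail("continuation sequence mismatch");
            }
            int n = Math.Min(p.Length - header, payload.Length - received);
            Array.Copy(p, header, payload, received, n);
            received += n;
            if (received == payload.Length) return payload;
        }
        throw new InvalidOperationException("response ended before all bytes arrived");
    }
    static void Fail(string why) => throw new InvalidOperationException(why);
}
```

Every rejection happens before any byte of the offending packet is copied into the reassembled payload, so a frame from another channel or an out-of-order continuation never contributes data to the response.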

Copilot AI left a comment

Contributor

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Comment thread src/Core/src/Protocols/Fido/Hid/FidoHidProtocol.cs
Comment thread src/Core/src/Protocols/Fido/Hid/FidoHidProtocol.cs Outdated
Comment thread src/Core/src/Protocols/Fido/Hid/FidoHidProtocol.cs Outdated
Base automatically changed from yubikit-performance to yubikit-composite-device-new on July 1, 2026 10:46
@DennisDyallo marked this pull request as ready for review on July 1, 2026 11:00
@DennisDyallo merged commit a91fe73 into yubikit-composite-device-new on Jul 1, 2026
3 checks passed
@DennisDyallo deleted the yubikit-ctaphid-sequence-wrap branch on July 1, 2026 11:58
2 participants