You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Location:src/transport/nfc/channel.rs:255-304 (cbor_send). Contains a literal // FIXME check for SW_UPDATE? and a commented-out keepalive block.
Behavior: After the final NFCCTAP_MSG fragment the response goes straight into CborResponse::try_from. There is no loop on (sw1 == 0x91) that issues NFCCTAP_GETRESPONSE (CLA=0x80, INS=0x11). The library's existing 0x61xx loop in handle() is the ISO 7816 GET RESPONSE mechanism for response continuation, not the CTAP2 keepalive.
Impact: Any CTAP2 NFC operation that takes long enough for the authenticator to emit a keepalive (on-token UV, large credential lists, biometric capture) is misinterpreted.
SELECT issued as Case 3 APDU (no Le)
Spec ref: CTAP 2.2 §11.3.1 + ISO 7816-4 §5.1.1.
Location:src/transport/nfc/channel.rs:147 calling command::select_file(...) from the apdu crate, which emits new_with_payload(...) without an Le.
Behavior: SELECT for AID A0 00 00 06 47 2F 00 01 is sent as 00 A4 04 00 08 A0 00 00 06 47 2F 00 01 with no trailing Le. FIDO authenticators that strictly enforce Case 4 will reject with SW=6700/6A87. Most authenticators are lenient.
Impact: Interop hazard with stricter authenticator firmwares and chip-on-card implementations.
apdu_send discards SW1/SW2
Spec ref: FIDO U2F NFC §3 (response status word semantics).
Location:src/transport/nfc/channel.rs:239-246.
Behavior:apdu_send wraps the response in ApduResponse::new_success(&resp) and discards the actual SW1/SW2. Non-9000 SWs are surfaced as NfcError::Apdu(_) → TransportError::InvalidFraming, losing the distinction between applet-not-selected (6A82), user-presence-required (6985), invalid-key-handle (6A80), etc.
Impact: CTAP1 user-presence retry loop in proto/ctap1/protocol.rs:111-135 is unreachable on NFC (it relies on ApduResponseStatus::UserPresenceTestFailed).
Missing CTAP2 keepalive (
SW=0x91xx → NFCCTAP_GETRESPONSE)src/transport/nfc/channel.rs:255-304(cbor_send). Contains a literal// FIXME check for SW_UPDATE?and a commented-out keepalive block.CborResponse::try_from. There is no loop on(sw1 == 0x91)that issues NFCCTAP_GETRESPONSE (CLA=0x80, INS=0x11). The library's existing 0x61xx loop inhandle()is the ISO 7816 GET RESPONSE mechanism for response continuation, not the CTAP2 keepalive.SELECT issued as Case 3 APDU (no Le)
src/transport/nfc/channel.rs:147callingcommand::select_file(...)from theapducrate, which emitsnew_with_payload(...)without an Le.A0 00 00 06 47 2F 00 01is sent as00 A4 04 00 08 A0 00 00 06 47 2F 00 01with no trailing Le. FIDO authenticators that strictly enforce Case 4 will reject with SW=6700/6A87. Most authenticators are lenient.apdu_senddiscards SW1/SW2src/transport/nfc/channel.rs:239-246.apdu_sendwraps the response inApduResponse::new_success(&resp)and discards the actual SW1/SW2. Non-9000 SWs are surfaced asNfcError::Apdu(_) → TransportError::InvalidFraming, losing the distinction between applet-not-selected (6A82), user-presence-required (6985), invalid-key-handle (6A80), etc.proto/ctap1/protocol.rs:111-135is unreachable on NFC (it relies onApduResponseStatus::UserPresenceTestFailed).