feat: Add FIDO2 session support for SCP03 and SCP11 secure channels #428
DennisDyallo merged 7 commits into develop from
Conversation
Enable Fido2Session to accept ScpKeyParameters for encrypted communication over NFC. Add FIDO2 to the SCP03 feature gate, integration tests for both SCP03 and SCP11b with NFC transport, and skip conditions for devices that don't expose FIDO2 over SmartCard. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Document that FIDO2 over SCP requires NFC since USB FIDO2 uses HID which is incompatible with SCP's SmartCard-layer protocol. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Test Results: Windows: 2 files, 2 suites, 15s. Results for commit 1abf558.
Test Results: Ubuntu: 2 files, 2 suites, 54s. Results for commit 1abf558.
Test Results: MacOS: 4 files, 4 suites, 28s. Results for commit 1abf558.
Pull request overview
Adds Secure Channel Protocol (SCP03/SCP11) support to Fido2Session so FIDO2 operations can run over an encrypted/authenticated SmartCard (NFC) channel, and introduces integration tests covering FIDO2-over-SCP scenarios.
Changes:
- Updated `Fido2Session` constructor to accept optional `ScpKeyParameters` for SCP03/SCP11-protected sessions and expanded XML docs accordingly.
- Updated feature detection to treat FIDO2 as a valid application when evaluating SCP03 support.
- Added SCP03/SCP11 integration tests that attempt to create a `Fido2Session` over SCP and read authenticator info.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Fido2Session.cs | Public API updated to accept SCP parameters and documented FIDO2-over-SCP usage/constraints. |
| Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeatureExtensions.cs | Feature detection updated so SCP03 checks can include FIDO2 as a supported application. |
| Yubico.YubiKey/tests/integration/Yubico/YubiKey/Fido2/FidoIntegrationTestBase.cs | Updated test session creation to use a named argument after constructor signature change. |
| Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp03Tests.cs | Added an NFC-focused integration test for FIDO2 over SCP03. |
| Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp11Tests.cs | Added an integration test for FIDO2 over SCP11b. |
… tests Move keyParameters to last position in Fido2Session constructor to preserve backwards compatibility with existing (device, token) callers. Fix FIDO2 SCP tests: force NFC transport, remove Fw5Fips+NFC conflict with GetDevice assertion, check AvailableNfcCapabilities instead of AvailableUsbCapabilities. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Adds the ability to establish SCP03/SCP11 secure channels for FIDO2 sessions over NFC (SmartCard), and introduces/updates integration coverage to validate FIDO2 operations over SCP.
Changes:
- Extend `Fido2Session` construction to accept optional `ScpKeyParameters` for SCP03/SCP11-protected communication.
- Update feature detection so SCP03 capability checks consider FIDO2 support.
- Add integration tests validating `authenticatorGetInfo` works for FIDO2 sessions established over SCP03 and SCP11 on NFC (SmartCard).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Yubico.YubiKey/src/Yubico/YubiKey/Fido2/Fido2Session.cs | Adds optional SCP key parameters to Fido2Session and updates constructor documentation. |
| Yubico.YubiKey/src/Yubico/YubiKey/YubiKeyFeatureExtensions.cs | Adjusts SCP03 feature detection to include FIDO2 as a relevant application capability. |
| Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp03Tests.cs | Adds an integration test covering FIDO2 AuthenticatorInfo retrieval over SCP03 on NFC (SmartCard). |
| Yubico.YubiKey/tests/integration/Yubico/YubiKey/Scp/Scp11Tests.cs | Adds an integration test covering FIDO2 AuthenticatorInfo retrieval over SCP11b on NFC (SmartCard). |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
FIDO2+SCP now works over USB CCID on firmware 5.8+ in addition to NFC. Updates docs, integration tests (SCP03 MakeCredential, SCP11b), and adds sandbox probe plugin for USB CCID testing. Pre-5.8 keys gracefully skip with firmware version checks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This pull request adds support for establishing Secure Channel Protocol (SCP03, SCP11) for FIDO2 sessions. On firmware 5.8+, this works over both USB CCID (SmartCard) and NFC. On pre-5.8 firmware, NFC is required.
Summary
- `Fido2Session` constructor to accept an optional `ScpKeyParameters` argument, enabling encrypted/authenticated communication using SCP protocols (SCP03 or SCP11)
- `YubiKeyCapabilities.Fido2` to the SCP03 feature gate in `YubiKeyFeatureExtensions`
Transport support
Changes
FIDO2 Session:
- `Fido2Session` constructor accepts optional `ScpKeyParameters` for SCP channel establishment
- `FidoIntegrationTestBase` to use named parameter for `persistentPinUvAuthToken`
Feature Detection:
- `YubiKeyCapabilities.Fido2` to `YubiKeyFeature.Scp03` capability check
Integration Tests (SCP03):
- `Scp03_Fido2Session_GetAuthenticatorInfo_Succeeds` — NFC and USB CCID (5.8+)
- `Scp03_Fido2Session_MakeCredential_Over_UsbCcid_Succeeds` — full credential creation over SCP03
- `Scp03_Fido2Session_Pre58_UsbCcid_Skips_Gracefully` — validates skip behavior on pre-5.8
Integration Tests (SCP11):
- `Scp11b_App_Fido2Session_GetAuthenticatorInfo_Succeeds` — NFC and USB CCID (5.8+)
Fixes: YESDK-1558
Checklist:
- `dotnet format` to format my code
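The transport and firmware gate this PR describes (SCP needs the SmartCard layer, so NFC always, USB CCID only from firmware 5.8), as an added C# example that is not code from PR #428 or from the SDK's own samples. It assumes the SDK's existing `YubiKeyDevice.FindByTransport`, `Transport`, `IYubiKeyDevice.AvailableNfcCapabilities`/`AvailableUsbCapabilities`, `HasFeature`, `FirmwareVersion` and `Scp03KeyParameters.DefaultKey` APIs, the trailing `keyParameters` constructor argument named in the commits above, and a 5.8.0 floor for USB CCID taken from the PR description; the helper names `SupportsFido2OverScp` and `GetInfoOverScp03` are this example's own:

```csharp
// Added example, not part of PR #428 or the Yubico .NET SDK's shipped samples.
using System;
using Yubico.YubiKey;
using Yubico.YubiKey.Fido2;
using Yubico.YubiKey.Scp;

public static class Fido2OverScpExample
{
    // Assumption: USB CCID becomes usable for FIDO2+SCP at firmware 5.8, per the PR text.
    private static readonly FirmwareVersion UsbCcidMinimum = new FirmwareVersion(5, 8, 0);

    // Decide whether FIDO2 over an SCP channel can be attempted on the given transport.
    // HID transports are never eligible: SCP lives in the SmartCard (APDU) layer.
    public static bool SupportsFido2OverScp(IYubiKeyDevice yubiKey, Transport transport)
    {
        // With this PR, the SCP03 feature gate counts FIDO2 as a qualifying application.
        if (!yubiKey.HasFeature(YubiKeyFeature.Scp03))
        {
            return false;
        }

        switch (transport)
        {
            case Transport.NfcSmartCard:
                return yubiKey.AvailableNfcCapabilities.HasFlag(YubiKeyCapabilities.Fido2);
            case Transport.UsbSmartCard:
                return yubiKey.AvailableUsbCapabilities.HasFlag(YubiKeyCapabilities.Fido2)
                    && yubiKey.FirmwareVersion >= UsbCcidMinimum;
            default:
                return false;
        }
    }

    // Open a Fido2Session over SCP03 and read authenticatorGetInfo through the channel.
    public static AuthenticatorInfo GetInfoOverScp03(IYubiKeyDevice yubiKey, Scp03KeyParameters keyParameters)
    {
        // Assumption: `keyParameters` is the trailing optional argument added by this PR.
        using var fido2 = new Fido2Session(yubiKey, keyParameters: keyParameters);
        return fido2.AuthenticatorInfo;
    }

    public static void Main()
    {
        // Scp03KeyParameters.DefaultKey is the publicly known GlobalPlatform default key set:
        // the channel is still encrypted and MACed, but anyone holding the defaults can derive
        // the session keys, so a deployed key should be moved to a rotated, private key set.
        Scp03KeyParameters keyParameters = Scp03KeyParameters.DefaultKey;

        foreach (Transport transport in new[] { Transport.UsbSmartCard, Transport.NfcSmartCard })
        {
            foreach (IYubiKeyDevice yubiKey in YubiKeyDevice.FindByTransport(transport))
            {
                if (!SupportsFido2OverScp(yubiKey, transport))
                {
                    // Pre-5.8 keys reached over USB land here and are skipped rather than failed.
                    Console.WriteLine($"{yubiKey.SerialNumber} ({yubiKey.FirmwareVersion}): FIDO2 over SCP not available via {transport}, skipping");
                    continue;
                }

                try
                {
                    AuthenticatorInfo info = GetInfoOverScp03(yubiKey, keyParameters);
                    Console.WriteLine($"{yubiKey.SerialNumber}: SCP03 channel established via {transport}; CTAP versions: {string.Join(", ", info.Versions)}");
                }
                catch (Exception ex)
                {
                    // A wrong SCP03 key set is rejected at channel setup, before any CTAP command runs.
                    Console.WriteLine($"{yubiKey.SerialNumber}: SCP03 setup failed via {transport}: {ex.Message}");
                }
            }
        }
    }
}
```

The gate is checked per transport rather than per device because the same key can expose FIDO2 over NFC but not over USB CCID on older firmware; enumerating by transport also keeps the session off the HID path, which cannot carry SCP at all.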