The NFC reader is unable to enumerate the list of discoverable credentials.

[GN998]

Environment:

OS: Windows 11 / Ubuntu 22.04
Reader: ACR122U-A9 (NFC Reader)
Card: JCOP4 P71
Client: fido2-manage.cpp

When retrieving an extensive list of credentials, the smart card must transmit a large volume of data to the reader. Many NFC readers harbor underlying compatibility bugs when processing response packets that are exactly 256 bytes in length.

Under the ISO/IEC 7816 protocol, if the length field of an APDU response is , it may be interpreted as 256 bytes in some environments, while being incorrectly interpreted as "no data" in others. Many budget NFC reader hardware units fail to handle this length byte correctly, resulting in a total communication breakdown or timeout. 0x00 0x00

Observed Behavior on Ubuntu 22.04:
When I attempt to enumerate discoverable credentials, the process fails with the following error:

CTAP error: 0x27 - OPERATION_DENIED

bug_log.txt

[BryanJacobs]

00000008 [135206291887680] APDU: 80 10 80 00 04 0A A1 01 05 00

This is a credential-management ENUMERATE_CREDS_NEXT command. This command is only valid IMMEDIATELY after an ENUMERATE_CREDS_BEGIN command. But the command preceding this one is a client PIN command:

00000008 [135206291887680] APDU: 80 10 80 00 06 06 A2 01 02 02 02 00

This is invalid. Since the command was a client PIN one, the enumeration state was cleared.

Are you asking me for help with testing some kind of untested client implementation, or is this real behaviour with real known-good (well-tested) software in the real world?

[GN998]

I am using the token2/fido2-manage.cpp client project and have identified the following issues while testing on Windows 11:
CCID Reader (Success): When using a CCID reader with the fido2-manage.cpp client, the JCOP4 P71 can successfully read discoverable credentials (40 credentials found).

NFC Reader (Failure): When using an NFC reader (ACR122U) with the same client, the JCOP4 P71 fails to read discoverable credentials.

Cross-Device Comparison (Success): Under the exact same conditions (NFC reader ACR122U and fido2-manage.cpp client), a YubiKey 5C NFC is able to read discoverable credentials without issue.

Testing on Ubuntu 22.04:
I ran the following scripts on Ubuntu:
test.txt

python test.py --count 20 --users-per-rp 20 --rotate-every 20 --rp-template "abc1.com" --pin 112233 --sleep-ms 200
python test.py --count 1 --users-per-rp 20 --rotate-every 20 --rp-template "abc1.com" --pin 112233 --sleep-ms 200

Ubuntu returns the following error:
CTAP error: 0x27 - OPERATION_DENIED

Previously, I didn't understand the cause and assumed it was a minor issue. However, after performing comparative tests on Windows 11, the discrepancy became clear. Since I am unable to capture detailed logs on Windows 11, I am providing this summary and the Ubuntu error for your analysis.

[GN998]

I forked the project and tried the following AI-assisted fixes, and they are now working correctly.
Sample GN998@5313b3b

[BryanJacobs]

The code change isn't right at all - it will use short buffers on devices/cards that support long ones.

I can have a go at working around the bug you're talking about with the ACR122U by reducing the buffer size to 255, but I'm not going to avoid using eAPDUs entirely.

[GN998]

I can have a go at working around the bug you're talking about with the ACR122U by reducing the buffer size to 255, but I'm not going to avoid using eAPDUs entirely.

Thanks for the reply. I agree with your assessment; we shouldn't abandon eAPDU support.

If we cap short APDUs at 255 while preserving the original eAPDU logic, would adding a check like requestedChunkSize > 0 prevent additional bugs from occurring?

What are your thoughts on this?