Browser rejects signature due to invalid response

[szszszsz]

Frequency: always with a given account, set up with a couple of FIDO2 tokens registered; not reproducible later on another accounts / after all tokens are removed from the account and added later;
Browsers tested on the same service/account and failing: Chromium 83, Brave 1.13.86 (Chromium: 85.0.4183.102), Vivaldi 3.3;
Browsers working on the same service/account: Firefox;
Priority: low (due to the rare occurrence)

Chromium browser reported bad response from the FIDO2 authenticator, as a cause of rejecting signature from the device. The direct cause is not known due to lack of complete log. The conditions for that check are listed below in the browser's source code, and had to be tested one by one shall the problem would reproduce again.
Usual Webauthn test pages were working on all browsers.

There is also the error message logged into the .xsession-error.log:

[10317:10317:0918/102449.524418:ERROR:device_event_log_impl.cc(208)]
[10:24:49.524] FIDO: get_assertion_request_handler.cc:470
Failing assertion request due to bad response from hid:
97534517-353c-424d-88a5-e6c34da2bf3d

Note: to take logs under Chromium run:

chromium-browser --enable-logging=stderr --v=1 2>&1 > chromium.log

Mentioned browser's conditions:
https://github.com/chromium/chromium/blob/894fb9eb56c6cbda65e3c3ae9ada6d4cb5850cc9/device/fido/get_assertion_request_handler.cc#L82-L158

[szszszsz]

Reproduced locally while testing with webauthn.io, user id xxx (could be found in RK Store data structure). Attaching flash dump for further investigation. Commit: 2.2.0.nitrokey-6-g554c864.

flash_dump.zip

Chrome Google Chrome 89.0.4385.0 dev run with:

• google-chrome-unstable --enable-logging --v=1 --log-level=0 --enable-logging=stderr 2>&1 | grep device_event_log_impl.cc
• Windows: run previous through cmd.exe, add "--no-sandbox", and replace grep with find

Chrome log (click me)

[202564:202564:0120/172206.309653:VERBOSE1:device_event_log_impl.cc(216)] [17:22:06.309] FIDO: EVENT: get_assertion_request_handler.cc:309 Starting GetAssertion flow
[202564:202564:0120/172206.311611:VERBOSE1:device_event_log_impl.cc(216)] [17:22:06.311] FIDO: DEBUG: fido_device.cc:49 Sending CTAP2 AuthenticatorGetInfo request to authenticator.
[202564:202564:0120/172206.385733:VERBOSE1:device_event_log_impl.cc(216)] [17:22:06.385] FIDO: DEBUG: device_response_converter.cc:223 -> {1: ["U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"], 2: ["credProtect", "hmac-secret"], 3: h'C39EFBA6FCF44C3E828BFC4A6115A0FF', 4: {"rk": true, "up": true, "plat": false, "clientPin": true, "credentialMgmtPreview": true}, 5: 1200, 6: [1], 7: 20, 8: 128}
[202564:202564:0120/172206.385760:VERBOSE1:device_event_log_impl.cc(216)] [17:22:06.385] FIDO: DEBUG: device_response_converter.cc:246 Unexpected protocol version received.
[202564:202564:0120/172206.385788:VERBOSE1:device_event_log_impl.cc(216)] [17:22:06.385] FIDO: DEBUG: fido_device.cc:80 The device supports the CTAP2 protocol.
[202564:202564:0120/172206.385811:VERBOSE1:device_event_log_impl.cc(216)] [17:22:06.385] FIDO: DEBUG: ctap2_device_operation.h:85 <- 6 {1: 1, 2: 1}
[202564:202564:0120/172206.393892:VERBOSE1:device_event_log_impl.cc(216)] [17:22:06.393] FIDO: DEBUG: ctap2_device_operation.h:183 -> {3: 8}
[202564:202564:0120/172208.060085:VERBOSE1:device_event_log_impl.cc(216)] [17:22:08.060] FIDO: DEBUG: ctap2_device_operation.h:85 <- 6 {1: 1, 2: 2}
[202564:202564:0120/172208.213725:VERBOSE1:device_event_log_impl.cc(216)] [17:22:08.213] FIDO: DEBUG: ctap2_device_operation.h:183 -> {1: {1: 2, 3: -25, -1: 1, -2: h'A27F0D28A265C36FB86C26F95C7288E5698A5B018F975E8D2D5241B1FFEF6056', -3: h'5F10C71A22CC3D66B3EC7F3C3F7D509CDA1B681540A61850543F40DB11B7E860'}}
[202564:202564:0120/172208.214094:VERBOSE1:device_event_log_impl.cc(216)] [17:22:08.214] FIDO: DEBUG: ctap2_device_operation.h:85 <- 6 {1: 1, 2: 5, 3: {1: 2, 3: -25, -1: 1, -2: h'EC1CD0A8EAC5C0CBB3F7AF6110BF28F0118A1BCBE112077A288F76F47081C46F', -3: h'F76E67AE6857960E03B9C25ABC2EBAA35FB2716295944FF633DEB1EE06741030'}, 6: h'41E3E30916CA81200111E710C46F18CE'}
[202564:202564:0120/172208.417792:VERBOSE1:device_event_log_impl.cc(216)] [17:22:08.417] FIDO: DEBUG: ctap2_device_operation.h:183 -> {2: h'9E20813117805BADD5456C2229CF3D27'}
[202564:202564:0120/172208.418865:VERBOSE1:device_event_log_impl.cc(216)] [17:22:08.418] FIDO: DEBUG: ctap2_device_operation.h:85 <- 2 {1: "webauthn.io", 2: h'60034EBCD90D24D2D735E30D070BA29C1C865399FD713AC8918250F087151CBC', 3: [{"id": h'F70A4CAE8EBBF4C6D5A29C46ABFBD3EEA6DEEFAF609D1C40F69B71A5166A5E2847C874A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF001010000', "type": "public-key"}, {"id": h'4752E60F9D6B98AA90AEB26E7449781A3515329D016F1A643C22D82085C9652AAAE474A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF001010000', "type": "public-key"}, {"id": h'BFB91717FFFC7EA33EFC8F815A60E0224F489EFE9DB03444240CA290728B3CDAD66F74A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF001010000', "type": "public-key"}, {"id": h'3E84C5A64DB2779A6C1743D38E97D7A0E79426B28DDD2D199CA82891C3638DEBF2B3C1ACD97D52D68AEB1C898CD47564', "type": "public-key"}, {"id": h'36A3E3C86D39D4E4B0704CEEC2EA88723ACAA7AA23B4D970FC5A606B788E89462F1574A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF0E6040000', "type": "public-key"}, {"id": h'616038D4F4F3FDE82959AC95EB0C67A467C62C9A09CFB14D1E99525F950A673056CC74A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF0D8080000', "type": "public-key"}, {"id": h'C773AF55648B9CF626688DC25AEF5EB1BF20369CCCD5E992C1A98ECFD0C91334C38574A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF0D9080000', "type": "public-key"}, {"id": h'4D7BC98AD7824543B1CC9E561348534121A54E895B424B65A8CBF0FD1EAD9BFB7A7C74A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF0F1080000', "type": "public-key"}, {"id": h'525F593A1839D04766C7CABB01FF4F46E39D8A078722ACB1C0C071706929030D679874A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF01E090000', "type": "public-key"}], 6: h'92EED11C45E72414F0708E9F10FEA1AE', 7: 1}
[202564:202564:0120/172211.213854:VERBOSE1:device_event_log_impl.cc(216)] [17:22:11.213] FIDO: DEBUG: ctap2_device_operation.h:183 -> {1: {"id": h'525F593A1839D04766C7CABB01FF4F46E39D8A078722ACB1C0C071706929030D679874A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF01E090000', "type": "public-key"}, 2: h'74A6EA9213C99C2F74B22492B320CF40262A94C1A950A0397F29250B60841EF005000009BF', 3: h'3046022100D573DAFF442019C15AE05DE6369A230A06E65186E124FD0E4895FE11F0C0D9C1022100A01F4831CD2C8987E51FF51123303B39D23DBA76B40C0535AE311626F9B7F568', 5: 4}
[202564:202564:0120/172211.213900:ERROR:device_event_log_impl.cc(214)] [17:22:11.213] FIDO: get_assertion_request_handler.cc:628 Failing assertion request due to bad response from usb-20a0:42b1

[szszszsz]

To do:

• write down taking logs from Chrome into Readme or additional file