bulwarkid / virtual-fido

A Virtual FIDO2 USB Device
MIT License

Doesn't support the hmac-secret extension, silently ignored #33

Open nabijaczleweli opened 8 months ago

nabijaczleweli commented 8 months ago

Noting this down in case anyone else spends a few hours bisecting the issue like I did. This means that, for example:

- FIDO_EXT_HMAC_SECRET is accepted but doesn't do anything;
- a credential created with fido_cred_set_extensions(cred, FIDO_EXT_HMAC_SECRET); fido_dev_make_cred(dev, cred, nullptr); will fail fido_cred_verify(cred);
- fido_assert_set_extensions(assertion, FIDO_EXT_HMAC_SECRET) will make fido_assert_verify(assertion, 0, COSE_ES256, pubkey_parsed) fail; fido_dev_get_assert(dev, assertion, nullptr); fido_assert_verify(assertion, 0, COSE_ES256, pubkey_parsed) fails as well.

It wasn't obvious this was the case because the systemd FIDO2 driver uses this extension unconditionally, and both YubiKeys and my Somu support it.
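For context on what the reporter is hitting, the following is an added example written for this page in Go (the language virtual-fido is written in); it is not code from the virtual-fido project or from libfido2. It shows the three pieces a client and an authenticator need for hmac-secret to verify cleanly: a check of the authenticatorGetInfo "extensions" list before requesting the extension at all, the authenticator-side output as CTAP2 defines it (HMAC-SHA-256 over each 32-byte salt keyed with the per-credential CredRandom, encrypted with AES-256-CBC under a zero IV using the PIN/UV protocol 1 shared secret), and the ED flag check on authenticator data, which is why an authenticator that silently drops the extension makes libfido2's verify calls fail: the caller asked for an extension that is not present in the returned authData. All key material and salts below are constructed values; a real client derives the shared secret via ECDH with the authenticator's key-agreement key, and CredRandom never leaves the authenticator.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	// ED ("extension data included") bit in the authData flags byte.
	flagED byte = 0x80
	// CTAP2 hmac-secret salts are exactly 32 bytes.
	saltLen = 32
)

// SupportsHMACSecret checks the "extensions" array of an authenticatorGetInfo
// response. A client should only request hmac-secret when it is advertised.
func SupportsHMACSecret(extensions []string) bool {
	for _, e := range extensions {
		if e == "hmac-secret" {
			return true
		}
	}
	return false
}

// CredRandomHMAC is the per-credential derivation the authenticator performs:
// HMAC-SHA-256(CredRandom, salt).
func CredRandomHMAC(credRandom, salt []byte) []byte {
	m := hmac.New(sha256.New, credRandom)
	m.Write(salt)
	return m.Sum(nil)
}

// aesCBCNoIV is the PIN/UV protocol 1 encrypt/decrypt primitive: AES-256-CBC
// with an all-zero IV and no padding (inputs are 32 or 64 bytes).
func aesCBCNoIV(sharedSecret, in []byte, encrypt bool) ([]byte, error) {
	if len(sharedSecret) != 32 {
		return nil, errors.New("shared secret must be 32 bytes")
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of %d", len(in), aes.BlockSize)
	}
	block, err := aes.NewCipher(sharedSecret)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // zero IV, as protocol 1 specifies
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// HMACSecretOutput is what an authenticator that honours the extension places
// in the assertion's extension output: the HMACs over one or two salts,
// concatenated and encrypted under the shared secret.
func HMACSecretOutput(credRandom, sharedSecret []byte, salts ...[]byte) ([]byte, error) {
	if len(salts) < 1 || len(salts) > 2 {
		return nil, errors.New("hmac-secret takes one or two salts")
	}
	var plain []byte
	for _, s := range salts {
		if len(s) != saltLen {
			return nil, fmt.Errorf("salt must be %d bytes, got %d", saltLen, len(s))
		}
		plain = append(plain, CredRandomHMAC(credRandom, s)...)
	}
	return aesCBCNoIV(sharedSecret, plain, true)
}

// DecryptHMACSecretOutput is the client side: recover the 32-byte secret(s).
func DecryptHMACSecretOutput(sharedSecret, out []byte) ([][]byte, error) {
	plain, err := aesCBCNoIV(sharedSecret, out, false)
	if err != nil {
		return nil, err
	}
	if len(plain) != 32 && len(plain) != 64 {
		return nil, fmt.Errorf("unexpected hmac-secret output length %d", len(plain))
	}
	var secrets [][]byte
	for i := 0; i < len(plain); i += 32 {
		secrets = append(secrets, plain[i:i+32])
	}
	return secrets, nil
}

// HasExtensionData reads the ED flag from authenticator data
// (rpIdHash[32] | flags[1] | signCount[4] | ...). An authenticator that ignores
// a requested extension leaves ED clear and omits the extensions map, so a
// client comparing "requested" against "present" rejects the result.
func HasExtensionData(authData []byte) (bool, error) {
	if len(authData) < 37 {
		return false, errors.New("authenticator data shorter than 37 bytes")
	}
	return authData[32]&flagED != 0, nil
}

func main() {
	credRandom := bytes.Repeat([]byte{0x11}, 32)   // constructed
	sharedSecret := bytes.Repeat([]byte{0x22}, 32) // constructed
	salt := bytes.Repeat([]byte{0x33}, saltLen)    // constructed

	out, err := HMACSecretOutput(credRandom, sharedSecret, salt)
	if err != nil {
		panic(err)
	}
	secrets, err := DecryptHMACSecretOutput(sharedSecret, out)
	if err != nil {
		panic(err)
	}
	fmt.Println("client recovered the expected secret:",
		bytes.Equal(secrets[0], CredRandomHMAC(credRandom, salt)))
	fmt.Println("advertises hmac-secret:",
		SupportsHMACSecret([]string{"credProtect", "hmac-secret"}))
}
```

The practical takeaway for anyone scripting against virtual-fido: gate the extension on the getInfo advertisement rather than setting it unconditionally, and treat a clear ED flag after requesting hmac-secret as "the authenticator dropped the extension" rather than as a signature problem.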