Therefore when calculating an attestation for a supplemental public key, the inputs are:
For authData, substitute the concatenation of the byte string h’737570706c656d656e74616c5075624b657973206174746573746174696f6e2e00ffffffff' and the value of aaguid from the extension output.
For hash, substitute the concatenation of the spk and nonce fields from the extension output. (The nonce MAY be empty.)
However, this is incompatible with most of the attestation verification procedures since most of them extract one or more fields from the authData argument:
(If x5c is present:) If attestnCert contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid in authenticatorData.
The AAGUID does exist in its normal location in the modified authData argument, but the AT flag is set to zero, so implementations may refuse to access it and/or reject the data structure due to unknown trailing bytes.
(If x5c is not present:) Validate that alg matches the algorithm of the credentialPublicKey in authenticatorData.
Verify that the public key specified by the parameters and unique fields of pubArea is identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
fido-u2f attestation: (probably not very relevant to supplementalPubKeys, but still)
Extract the claimed rpIdHash from authenticatorData, and the claimed credentialId and credentialPublicKey from authenticatorData.attestedCredentialData.
So existing implementations of these verification procedures may fail to verify a supplementalPubKeys attestation. The extension may need to specify modifications to the verification procedures, or adjust the extension's signing procedure to take arguments with the same structure as the original signing procedures.
The
supplementalPubKeysextension states for its attestation signing procedure:However, this is incompatible with most of the attestation verification procedures since most of them extract one or more fields from the
authDataargument:packedattestation:authDataargument, but theATflag is set to zero, so implementations may refuse to access it and/or reject the data structure due to unknown trailing bytes.tpmattestation:android-keyattestation: (Perhaps not relevant tosupplementalPubKeys?)android-safetynetattestation seems to be compatible.fido-u2fattestation: (probably not very relevant tosupplementalPubKeys, but still)appleattestation:So existing implementations of these verification procedures may fail to verify a supplementalPubKeys attestation. The extension may need to specify modifications to the verification procedures, or adjust the extension's signing procedure to take arguments with the same structure as the original signing procedures.