Yubico/libfido2

Pin and Touch not working simultaneously in libfido2

VedaviBalaji opened this issue · 8 comments

What version of libfido2 are you using?
1.13.0

What operating system are you running?
macOS Ventura 13.3.1

What application are you using in conjunction with libfido2?
Using webauthn.io and native messaging using Chromium

How does the problem manifest itself?
I am unable to get PIN and touch to work simultaneously.
Trying to perform registration using my YubiKey 5C Nano device.
I have a YubiKey 5C Nano device with PIN set. Product details - YubiKey OTP+FIDO+CCID.

I tried to use fido_dev_make_cred(device, cred, pin) , this returns a FIDO_ERR_SUCCESS but the attstmt and authdata are null. AFAIK, this device requires a touch to generate credentials, however, the UV support is FALSE and when fido_dev_make_cred is called, it bypasses the wait for touch and returns SUCCESS.
If the pin is not configures and passed as NULL in fido_dev_make_cred, the device waits for the touch and the data are generated properly.

If I set the UV to fido_opt_t_FIDO_OPT_TRUE, it fails with UNSUPPORTED error, but that is because the fido_dev_supports_uv returns false.

Is the problem reproducible?
Yes. Code snippet is available in this stackoverflow qs.
https://stackoverflow.com/questions/76144744/fido-dev-make-cred-returns-success-but-attstmt-and-authdata-are-null

What are the steps that lead to the problem?
Set the pin and long touch configured. Use libfido2 rust library to make a credential passing the PIN as a non-null UTF-8 string to the fido_dev_make_cred method.

Does the problem happen with different authenticators?
Happens with Yubikey only if the PIN is configured.

Please include the output of fido2-token -L.

fido2-token -L
$ fido2-token -L
ioreg://4295330919: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)

Please include the output of fido2-token -I.

fido2-token -I
$ fido2-token -I <device>
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x0d (wink, cbor, nomsg)
version strings: FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: usb
algorithms: es256 (public-key), eddsa (public-key)
aaguid: ee882879721c491397753dfcce97072a
options: rk, up, noplat, clientPin, credentialMgmtPreview
fwversion: 0x50403
maxmsgsiz: 1200
maxcredcntlst: 8
maxcredlen: 128
maxlargeblob: 0
minpinlen: 8
pin protocols: 2, 1
pin retries: 8
pin change required: false
uv retries: undefined

Please include the output of FIDO_DEBUG=1.

FIDO_DEBUG=1
$ export FIDO_DEBUG=1
$ <command1>
$ <command2>
(...)
$ <commandn>
16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] run_manifest: found 1 hid device

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:218] found 1 fido devices
16:54:49 [TRACE] (1) NativeHost: [src/main.rs:227] Device 0, Path:ioreg://4295330919, name: YubiKey OTP+FIDO+CCID, manufacturer: Yubico
16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_tx: dev=0x7fc1e43043a0, cmd=0x06

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_tx: buf=0x7fc1e43043a0, len=8

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: e5 da de 5b cc 3f 0b 68

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_rx: dev=0x7fc1e43043a0, cmd=0x06, ms=-1

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] rx_preamble: buf=0x7ff7b345b4d0, len=64

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: ff ff ff ff 86 00 11 e5 da de 5b cc 3f 0b 68 53

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 6e 64 56 02 05 04 03 0d 00 00 00 00 00 00 00 00

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] rx: payload_len=17

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_rx: buf=0x7fc1e43043a8, len=17

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: e5 da de 5b cc 3f 0b 68 53 6e 64 56 02 05 04 03

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 0d

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_dev_get_cbor_info_tx: dev=0x7fc1e43043a0

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_tx: dev=0x7fc1e43043a0, cmd=0x10

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_tx: buf=0x7ff7b345b517, len=1

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 04

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_dev_get_cbor_info_rx: dev=0x7fc1e43043a0, ci=0x7fc1e4205da0, ms=-1

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_rx: dev=0x7fc1e43043a0, cmd=0x10, ms=-1

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] rx_preamble: buf=0x7ff7b345b490, len=64

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 53 6e 64 56 90 00 c1 00 ac 01 82 68 46 49 44 4f

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 5f 32 5f 30 6c 46 49 44 4f 5f 32 5f 31 5f 50 52

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: 45 02 82 6b 63 72 65 64 50 72 6f 74 65 63 74 6b

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 68 6d 61 63 2d 73 65 63 72 65 74 03 50 ee 88 28

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] rx: payload_len=193

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] rx: buf=0x7ff7b345b490, len=64

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 53 6e 64 56 00 79 72 1c 49 13 97 75 3d fc ce 97

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 07 2a 04 a5 62 72 6b f5 62 75 70 f5 64 70 6c 61

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: 74 f4 69 63 6c 69 65 6e 74 50 69 6e f5 75 63 72

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 65 64 65 6e 74 69 61 6c 4d 67 6d 74 50 72 65 76

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] rx: buf=0x7ff7b345b490, len=64

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 53 6e 64 56 01 69 65 77 f5 05 19 04 b0 06 82 02

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 01 07 08 08 18 80 09 81 63 75 73 62 0a 82 a2 63

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: 61 6c 67 26 64 74 79 70 65 6a 70 75 62 6c 69 63

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 2d 6b 65 79 a2 63 61 6c 67 27 64 74 79 70 65 6a

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] rx: buf=0x7ff7b345b490, len=64

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 53 6e 64 56 02 70 75 62 6c 69 63 2d 6b 65 79 0d

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 08 0e 1a 00 05 04 03 00 00 00 00 00 00 00 00 00

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_rx: buf=0x7fc1e5008200, len=193

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 00 ac 01 82 68 46 49 44 4f 5f 32 5f 30 6c 46 49

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 44 4f 5f 32 5f 31 5f 50 52 45 02 82 6b 63 72 65

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: 64 50 72 6f 74 65 63 74 6b 68 6d 61 63 2d 73 65

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 63 72 65 74 03 50 ee 88 28 79 72 1c 49 13 97 75

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0064: 3d fc ce 97 07 2a 04 a5 62 72 6b f5 62 75 70 f5

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0080: 64 70 6c 61 74 f4 69 63 6c 69 65 6e 74 50 69 6e

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0096: f5 75 63 72 65 64 65 6e 74 69 61 6c 4d 67 6d 74

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0112: 50 72 65 76 69 65 77 f5 05 19 04 b0 06 82 02 01

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0128: 07 08 08 18 80 09 81 63 75 73 62 0a 82 a2 63 61

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0144: 6c 67 26 64 74 79 70 65 6a 70 75 62 6c 69 63 2d

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0160: 6b 65 79 a2 63 61 6c 67 27 64 74 79 70 65 6a 70

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0176: 75 62 6c 69 63 2d 6b 65 79 0d 08 0e 1a 00 05 04

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0192: 03

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_dev_open_rx: FIDO_MAXMSG=2048, maxmsgsiz=1200

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_tx: dev=0x7fc1e43043a0, cmd=0x10

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] fido_tx: buf=0x7fc1e420d540, len=98

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 01 a6 01 58 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: 1b 78 52 b8 55 02 a1 62 69 64 69 6c 6f 63 61 6c

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 68 6f 73 74 03 a2 62 69 64 41 01 64 6e 61 6d 65

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0064: 65 64 75 6d 6d 79 04 81 a2 63 61 6c 67 26 64 74

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0080: 79 70 65 6a 70 75 62 6c 69 63 2d 6b 65 79 08 40

16:54:49 [TRACE] (1) NativeHost: [src/main.rs:28] 0096: 09 02
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] fido_dev_authkey_tx: dev=0x7fc1e43043a0

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] fido_tx: dev=0x7fc1e43043a0, cmd=0x10

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] fido_tx: buf=0x7fc1e4409470, len=6

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 06 a2 01 02 02 02

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] fido_dev_authkey_rx: dev=0x7fc1e43043a0, authkey=0x7fc1e44097b0, ms=-1

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] fido_rx: dev=0x7fc1e43043a0, cmd=0x10, ms=-1

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] rx_preamble: buf=0x7ff7b345b390, len=64

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 53 6e 64 56 90 00 51 00 a1 01 a5 01 02 03 38 18

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 20 01 21 58 20 a9 98 47 da 3a cc 4f bf 17 14 40

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: b8 68 1f 86 3d fa b9 b1 54 72 58 64 15 4b 77 f1

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: d5 d9 1e 79 f5 22 58 20 19 13 97 a4 47 aa 76 39

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] rx: payload_len=81

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] rx: buf=0x7ff7b345b390, len=64

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 53 6e 64 56 00 32 c8 f2 bf 90 10 a3 1d 36 cb f1

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: af 3d 2c 58 5f fc d9 da d6 6c d8 07 14 00 00 00

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] fido_rx: buf=0x7fc1e680a000, len=81

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0000: 00 a1 01 a5 01 02 03 38 18 20 01 21 58 20 a9 98

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0016: 47 da 3a cc 4f bf 17 14 40 b8 68 1f 86 3d fa b9

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0032: b1 54 72 58 64 15 4b 77 f1 d5 d9 1e 79 f5 22 58

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0048: 20 19 13 97 a4 47 aa 76 39 32 c8 f2 bf 90 10 a3

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0064: 1d 36 cb f1 af 3d 2c 58 5f fc d9 da d6 6c d8 07

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] 0080: 14

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] hkdf_sha256: EVP_PKEY_CTX

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] kdf: hkdf

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] do_ecdh: kdf

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] fido_do_ecdh: do_ecdh

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:28] fido_dev_make_cred_tx: fido_do_ecdh

16:54:54 [TRACE] (1) NativeHost: [src/main.rs:454] fido_dev_make_cred
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:455] fido_dev_make_cred status "FIDO_ERR_SUCCESS"
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:468] fido_dev_make_cred SUCCESS!
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:473] ATT len=0
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:478] AUTH len=0
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:488] ID len=0
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:493] PUBKEY len=0
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:502] CLIENTDATAHASH from cred len=32
[46, 0, 116, 229, 76, 232, 216, 32, 129, 122, 36, 51, 247, 28, 142, 87, 7, 86, 223, 83, 106, 254, 157, 61, 242, 13, 197, 199, 109, 65, 103, 248]
16:54:54 [TRACE] (1) NativeHost: [src/main.rs:512] CLIENTDATAHASH from computed client data len=32
[46, 0, 116, 229, 76, 232, 216, 32, 129, 122, 36, 51, 247, 28, 142, 87, 7, 86, 223, 83, 106, 254, 157, 61, 242, 13, 197, 199, 109, 65, 103, 248]

Thank you! Something seems to be failing in https://github.com/Yubico/libfido2/blob/main/src/ecdh.c#L61; I'm not sure why. It's also unclear why fido_dev_make_cred() is returning FIDO_OK. Is the binding you're using opensource?

Yes its open source.
I installed libfido using brew install libfido2

And I build my rust library using:
$ export FIDO2_LIB_DIR=/usr/local/Cellar/libfido2/1.13.0/lib
$ cargo rustc -- -L /usr/local/opt/openssl/lib -l framework=CoreFoundation -l framework=IOKit

Yes its open source.

Can you point us at it? From a quick look, it does not appear to be https://github.com/PvdBerg1998/libfido2.

I installed libfido using brew install libfido

There does not appear to be a package called libfido in Homebrew. Did you mean libfido2, or did you install a package from a tap (third-party Homebrew repository)?

And I build my rust library using:
$ export FIDO2_LIB_DIR=/usr/local/Cellar/libfido2/1.13.0/lib
$ cargo rustc -- -L /usr/local/opt/openssl/lib -l framework=CoreFoundation -l framework=IOKit

The difference in prefix is a bit suspicious. Can you use otool -L to verify that libfido2 is linked against the same libcrypto as your application?

Sorry, yes I used
$ brew install libfido2

$brew info libfido2
/usr/local/Cellar/libfido2/1.13.0

$ otool -L myfidoapp

        /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1971.0.0)
	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
	/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
	/usr/local/opt/libcbor/lib/libcbor.0.10.dylib (compatibility version 0.10.0, current version 0.10.2)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
	**/usr/local/opt/openssl@3/lib/libcrypto.3.dylib (compatibility version 3.0.0, current version 3.0.0)**
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)

$ otool -L /usr/local/Cellar/libfido2/1.13.0/bin/fido2-cred

        **/usr/local/opt/openssl@1.1/lib/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)**
	/usr/local/Cellar/libfido2/1.13.0/lib/libfido2.1.dylib (compatibility version 1.0.0, current version 1.13.0)
	/usr/local/opt/libcbor/lib/libcbor.0.10.dylib (compatibility version 0.10.0, current version 0.10.2)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1953.255.0)
	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.0.0)

Yes, the openssl was different. I used cargo rustc -- -L /usr/local/opt/openssl@1.1/lib -l framework=CoreFoundation -l framework=IOKit and it looks like its working. I will test a bit more, but thanks for helping me debug. :)

Edit:
Weirdly if the PIN is wrong it still returns a FIDO_ERR_SUCCESS but data are null.

LDVG commented

Weirdly if the PIN is wrong it still returns a FIDO_ERR_SUCCESS but data are null.

Could you please provide information on:

  1. What Rust bindings you are using; and
  2. Another trace of this new behavior with FIDO_DEBUG=1 enabled.
LDVG commented

Something else I just spotted in your code snippet over at StackOverflow:

let r = libfido2::fido_cred_set_pin_minlen(cred, 9);

if has_pin {
    let r = libfido2::fido_dev_make_cred(device, cred, _cptr);
} else {
    let r = libfido2::fido_dev_make_cred(device, cred, std::ptr::null() as *const i8);
}

if r != libfido2::FIDO_OK {
     // ...
}

You are shadowing the r variable in the if-statement's body. Once that scope ends, the inner shadowing ends and r returns to being the result of the fido_cred_set_pin_minlen() call. This is likely to be the cause of your confusing fido_dev_make_cred() return values.

If this is the root cause of your problem, the above request for additional information will not be necessary.

LDVG commented

Closing in understanding that the issue was resolved / questions answered.

Hello,
Thanks for helping me debug.
I am trying to debug a similar error that fails fido_dev_make_cred with FIDO_ERR_INTERNAL.

...
fido_rx: buf=0x7fd3a7160e00, len=0
fido_tx: dev=0x600003901b00, cmd=0x03
fido_tx: buf=0x6000020f7d58, len=73
0000: 00 01 00 00 00 00 40 e3 b0 c4 42 98 fc 1c 14 9a
0016: fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4
0032: 95 99 1b 78 52 b8 55 49 96 0d e5 88 0e 8c 68 74
0048: 34 17 0f 64 76 60 5b 8f e4 ae b9 a2 86 32 c7 99
0064: 5c f3 ba 83 1d 97 63 00 00
fido_rx: dev=0x60000391c990, cmd=0x03, ms=50
fido_hid_read: read: Resource temporarily unavailable
rx: rx_preamble
u2f_get_touch_status: fido_rx
fido_rx: dev=0x60000391c750, cmd=0x10, ms=50
rx_preamble: buf=0x7ff7bfc2d750, len=64
0000: 5a 25 7f b3 90 00 01 31 00 00 00 00 00 00 00 00
0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rx: payload_len=1
fido_rx: buf=0x7fd3a5901200, len=1
0000: 31
es256_sk_create: EVP_PKEY_paramgen
fido_do_ecdh: es256_derive_pk
fido_dev_make_cred_tx: fido_do_ecdh
fido_tx: dev=0x60000391c750, cmd=0x11
fido_tx: buf=0x0, len=0

This time, I downloaded the libfido.1.13.0 source and manually built it.
$ otool -L fido-cred

	@rpath/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
	@rpath/libfido2.1.dylib (compatibility version 1.0.0, current version 1.13.0)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1770.255.0)
	/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
	@rpath/libz.1.dylib (compatibility version 1.0.0, current version 1.2.13)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.60.1)

and my app
$ otool -L myapp

        /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current 
         version 1690.5.4)
	@rpath/libpcre2-8.0.dylib (compatibility version 12.0.0, current version 12.2.0)
	@rpath/libffi.8.dylib (compatibility version 10.0.0, current version 10.1.0)
	@rpath/libnghttp2.14.dylib (compatibility version 39.0.0, current version 39.0.0)
	@rpath/libsoup-3.0.0.dylib (compatibility version 8.0.0, current version 8.0.0)
	@rpath/libgmodule-2.0.0.dylib (compatibility version 7601.0.0, current version 7601.2.0)
	@rpath/libavcodec.59.18.100.dylib (compatibility version 59.0.0, current version 59.18.100)
	@rpath/libavutil.57.17.100.dylib (compatibility version 57.0.0, current version 57.17.100)
	@rpath/libturbojpeg.0.2.0.dylib (compatibility version 0.0.0, current version 0.2.0)
	@rpath/libsasl2.3.dylib (compatibility version 4.0.0, current version 4.0.0)
	@rpath/libjson-glib-1.0.0.dylib (compatibility version 601.0.0, current version 601.6.0)
	@rpath/libprotobuf-c.1.dylib (compatibility version 2.0.0, current version 2.0.0)
	@rpath/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
	@rpath/libgio-2.0.0.dylib (compatibility version 7601.0.0, current version 7601.2.0)
	@rpath/libgobject-2.0.0.dylib (compatibility version 7601.0.0, current version 7601.2.0)
	@rpath/libglib-2.0.0.dylib (compatibility version 7601.0.0, current version 7601.2.0)
	@rpath/libintl.8.dylib (compatibility version 11.0.0, current version 11.0.0)
	@rpath/libpangocairo-1.0.0.dylib (compatibility version 5001.0.0, current version 5001.7.0)
	@rpath/libpango-1.0.0.dylib (compatibility version 5001.0.0, current version 5001.7.0)
	@rpath/libharfbuzz.0.dylib (compatibility version 40200.0.0, current version 40200.0.0)
	@rpath/libcairo.2.dylib (compatibility version 11603.0.0, current version 11603.0.0)
	/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 2299.50.120)
	/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1971.0.0)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1971.0.0)
	/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.100.3)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
	@rpath/libgstreamer-1.0.0.dylib (compatibility version 2203.0.0, current version 2203.0.0)
	@rpath/libgtk-3.0.dylib (compatibility version 2406.0.0, current version 2406.32.0)
	@rpath/libgdk-3.0.dylib (compatibility version 2406.0.0, current version 2406.32.0)
	@rpath/libatk-1.0.0.dylib (compatibility version 23810.0.0, current version 23810.1.0)
	@rpath/libcairo-gobject.2.dylib (compatibility version 11603.0.0, current version 11603.0.0)
	@rpath/libgdk_pixbuf-2.0.0.dylib (compatibility version 4201.0.0, current version 4201.10.0)
	/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 23.0.0)
	/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 169.0.0)

I see that libcbor is not linked as before, but the code works fine for keys without pin. The code is almost the same (it is just part of a another project).

Thanks