From dd3b4f6bba2df325b8e55d81614b141748b9d84c Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Fri, 20 Mar 2026 18:59:06 +0100
Subject: [PATCH 1/2] Test alg and dkalg attributes of ARKG public seeds
---
 tests/device/test_sign_extension_v4.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/device/test_sign_extension_v4.py b/tests/device/test_sign_extension_v4.py
index 1b16e87b..a1ee15e7 100644
--- a/tests/device/test_sign_extension_v4.py
+++ b/tests/device/test_sign_extension_v4.py
@@ -248,6 +248,8 @@ def get_assertion(
 def if_arkg(algorithm, public_key):
 if algorithm == -65539:
 arkg_pub_seed = public_key
+ assert arkg_pub_seed[3] == -65700, "Expected alg: ARKG-P256"
+ assert arkg_pub_seed[-3] == -9, "Expected dkalg: ESP256"
 arkg_ikm = os.urandom(32)
 arkg_ctx = b"python-fido2.test_sign_extension_v4"
 return arkg_pub_seed.derive_public_key(arkg_ikm, arkg_ctx)
From 12cd1f90af69e88c1242b7ba642fb7348ccd13f7 Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Fri, 20 Mar 2026 20:28:48 +0100
Subject: [PATCH 2/2] Test that unkown additional arguments are allowed
---
 tests/device/test_sign_extension_v4.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/tests/device/test_sign_extension_v4.py b/tests/device/test_sign_extension_v4.py
index a1ee15e7..d8b43350 100644
--- a/tests/device/test_sign_extension_v4.py
+++ b/tests/device/test_sign_extension_v4.py
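Review bot: In the first patch's hunk (`if_arkg`), the two new assertions index the seed directly, so if the seed is a mapping-like COSE key, an authenticator that omits either attribute would fail with a lookup error instead of the "Expected alg" / "Expected dkalg" message. If the type supports it, `assert arkg_pub_seed.get(3) == -65700, "Expected alg: ARKG-P256"` (and the same for `-3`) keeps the failure descriptive. The literals `-65539`, `-65700` and `-9` are also unexplained, while the second patch spells an algorithm as `arkg.ARKG_P256_ESP256`. Named constants, or a comment such as `# COSE key labels: 3 = alg, -3 = dkalg`, would make clear which identifiers are being pinned. The body of `if_arkg` may continue outside the hunk.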
@@ -590,6 +590,23 @@ def test_assert_missing_args(ctap2, on_keepalive, credential_cache, sign):
 assert exc_info.value.code == CtapError.ERR.MISSING_PARAMETER
 
 
+def test_assert_unknown_args(ctap2, on_keepalive, credential_cache, sign):
+ cred = credential_cache.make_cred_or_skip(
+ lambda cred: cred.algorithm == arkg.ARKG_P256_ESP256 and cred.flags == 0b000,
+ [arkg.ARKG_P256_ESP256],
+ )
+ tbs = os.urandom(32)
+ public_key, args = if_arkg(cred.algorithm, cred.public_key)
+ if args is None:
+ pytest.skip("Algorithm does not use additional arguments")
+
+ response1 = sign(cred, tbs, additional_args=args)
+ assert response1 is not None
+
+ response2 = sign(cred, tbs, additional_args={**args, 42: 1337})
+ assert response2 is not None
+
+
 def test_assert_up_required(ctap2, on_keepalive, credential_cache, sign):
 cred = credential_cache.make_cred_or_skip(
 lambda cred: cred.flags & 0b001 == 0b001,
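Review bot: `test_assert_unknown_args` binds `public_key` but never uses it, and both responses are only checked with `is not None`. The test would therefore still pass if the authenticator accepted the extra key `42` but returned a signature that no longer verifies under the derived key. Verifying `response1` and `response2` against `public_key` over `tbs`, with whatever verification helper the neighbouring tests in this file use, would pin the property the commit title describes. A short comment on the extra entry would also help, for example `# 42 is an arbitrary key not defined for additional_args; it should be ignored`. The `args is None` skip looks unreachable given the `arkg.ARKG_P256_ESP256` filter on the credential, though that depends on the part of `if_arkg` not shown here.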