Version 0.5.1 doesn't show the keys properly #228

@jancespivo

Environment

  • OS: Arch Linux
  • age-plugin-yubikey version: 0.5.1

What were you trying to do

age-plugin-yubikey -i

What happened

No keys are detected.

This is the behavior prior to 0.5.1:

$ age-plugin-yubikey -i
#       Serial: <redacted>, Slot: 1
#         Name:
#      Created: Wed, 18 Mar 2026 20:44:52 +0000
#   PIN policy: Unknown
# Touch policy: Unknown
#    Recipient: age1yubikey1<redacted>
AGE-PLUGIN-YUBIKEY-<redacted>
$ age-plugin-yubikey --list-all
#       Serial: <redacted>, Slot: 1
#         Name:
#      Created: Wed, 18 Mar 2026 20:44:52 +0000
#   PIN policy: Unknown
# Touch policy: Unknown
age1yubikey1<redacted>

The behavior of 0.5.1:

$ age-plugin-yubikey -i
$ age-plugin-yubikey --list-all

Findings:

The key is rejected because the cert has a critical extension that is not treated as known in this line:

.any(|ext| ext.critical && !known_oids.contains(&ext.oid))

The critical extension is:

Basic Constraints 2.5.29.19

and textually in the cert:

X509v3 Basic Constraints: critical
                CA:TRUE

IMO it is completely fine, so I've added 2.5.29.19 to the known OIDs. It prints out the identity, but strangely the recipient is not the same as in version 0.5.0:

$ cargo run -- -i
    Finished dev [unoptimized + debuginfo] target(s) in 0.08s
     Running `<redacted>/age-plugin-yubikey/target/debug/age-plugin-yubikey -i`
#       Serial: <redacted>, Slot: 1
#         Name:
#      Created: Wed, 18 Mar 2026 20:44:52 +0000
#   PIN policy: Unknown
# Touch policy: Unknown
#    Recipient: age1tag1<THIS IS COMPLETELY DIFFERENT>
AGE-PLUGIN-YUBIKEY-<redacted>

The recipient now also has a different prefix. The AGE-PLUGIN-YUBIKEY-<redacted> is the same in both versions.
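The filter quoted in the findings has the shape of the RFC 5280 rule that a certificate carrying a critical extension the verifier does not recognize is rejected. As an added example (not the project's code; the function names, the caller-supplied known list and the sample bytes are constructed), this parses a DER Extensions sequence and returns the critical OIDs missing from the known list:

```rust
// Added example: names and sample bytes are constructed, not age-plugin-yubikey code.
/// Read one DER TLV (definite length, at most 2 length bytes): (tag, value, rest).
fn tlv(b: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, &first) = (b.get(0)?, b.get(1)?);
    let n = if first < 0x80 { 0 } else { (first & 0x7f) as usize };
    if first >= 0x80 && (n == 0 || n > 2) { return None; }
    let len = if n == 0 { first as usize } else {
        b.get(2..2 + n)?.iter().fold(0usize, |a, &x| (a << 8) | x as usize)
    };
    Some((tag, b.get(2 + n..2 + n + len)?, &b[2 + n + len..]))
}

/// Decode OID content bytes (base-128 arcs) into dotted form, e.g. "2.5.29.19".
fn oid_to_string(v: &[u8]) -> Option<String> {
    if v.last()? & 0x80 != 0 { return None; } // final arc is truncated
    let (mut arcs, mut cur) = (Vec::new(), 0u64);
    for &b in v {
        cur = (cur << 7) | (b & 0x7f) as u64;
        if b & 0x80 == 0 { arcs.push(cur); cur = 0; }
    }
    let a = (arcs[0] / 40).min(2); // first byte packs the first two arcs
    let tail: String = arcs[1..].iter().map(|x| format!(".{}", x)).collect();
    Some(format!("{}.{}{}", a, arcs[0] - a * 40, tail))
}

/// OIDs of critical extensions not in `known`; None if the DER is malformed.
/// `critical` is BOOLEAN DEFAULT FALSE, so an absent field means non-critical.
fn unhandled_critical(der: &[u8], known: &[&str]) -> Option<Vec<String>> {
    let (0x30, mut body, _) = tlv(der)? else { return None };
    let mut out = Vec::new();
    while !body.is_empty() {
        let (t, ext, rest) = tlv(body)?;
        let (t_oid, oid, after) = tlv(ext)?;
        if t != 0x30 || t_oid != 0x06 { return None; }
        let critical = matches!(tlv(after)?, (0x01, [0xff], _));
        let oid = oid_to_string(oid)?;
        if critical && !known.iter().any(|k| *k == oid.as_str()) { out.push(oid); }
        body = rest;
    }
    Some(out)
}

// Constructed sample: critical basicConstraints (CA:TRUE), non-critical subjectKeyIdentifier.
const SAMPLE: &[u8] = &[0x30, 0x1e,
    0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
    0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x04, 0x04, 0x02, 0xaa, 0xbb];
fn main() {
    println!("{:?}", unhandled_critical(SAMPLE, &[]));
    println!("{:?}", unhandled_critical(SAMPLE, &["2.5.29.19"]));
}
```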
