
Commit 33e06cb

Documentation
1 parent 7e1edc2 commit 33e06cb

2 files changed: 16 additions, 3 deletions

docs/FAQ.md

Lines changed: 6 additions & 2 deletions
@@ -74,12 +74,15 @@ a getAssertion call is made with an `allowList` given, CTAP2.0 says that the
7474
authenticator should iterate through assertions generated with the matching
7575
credentials from the allowlist. CTAP2.1 says the authenticator should pick one
7676
matching credential, return an assertion generated with it, and ignore any
77-
other matches.
77+
other matches.
7878

7979
This implementation allows toggling either behavior by flipping a boolean in the
8080
code, but because one or the other must be chosen, it can't be both fully CTAP2.0
8181
compatible and CTAP2.1 compatible at the same time.
8282

83+
Another more minor difference is that CTAP2.0 allows PINs of 64 bytes or longer.
84+
This authenticator and CTAP2.1 cap PINs at 63 bytes long.
85+
8386
## Why don't you implement U2F/CTAP1?
8487

8588
U2F doesn't support PINs, and requires an attestation certificate.
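Review bot: the new sentence at 83+ is imprecise: "allows PINs of 64 bytes or longer" leaves open whether CTAP2.0 permits arbitrarily long PINs or only one byte more than the 63-byte cap, and a reader cannot check either reading without a spec reference. Suggest stating the exact CTAP2.0 maximum and citing the clientPin section of each spec, along the lines of "CTAP2.0 permits PINs up to N bytes; CTAP2.1 and this authenticator reject anything longer than 63 bytes." Also drop the trailing "long" in "63 bytes long", and note that the 77-/77+ pair for "other matches." shows no visible difference, so it is presumably a trailing-whitespace change worth mentioning in the commit message.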
@@ -107,7 +110,8 @@ It will store:
107110
- the credential ID (an AES256 encrypted blob of the RP ID SHA-256
108111
hash and the credential private key)
109112
- up to 32 characters of the RP ID, again AES256 encrypted
110-
- a max 64-character-long user ID, again AES256 encrypted
113+
- a max 64-byte-long user ID, again AES256 encrypted
114+
- the 64-byte public key associated with the credential, again AES256 encrypted
111115
- the length of the RP ID, unencrypted
112116
- the length of the user ID, unencrypted
113117
- a boolean set to true on the first credential from a given RP ID, used
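Review bot: the new 113+ entry says the public key is stored but not why: the private key is already inside the credential ID (line 107-108), and an EC public key can be recomputed from it, so the 64 extra encrypted bytes per resident credential deserve a sentence on what they are used for (for example, returning the key during credential enumeration without an EC scalar multiplication). Since the list gives explicit sizes, also say which encoding "the 64-byte public key" is (for example, raw X||Y coordinates with no point-format prefix) so readers can reconcile it with the other fixed-size fields. The 110-/113+ change from "character" to "byte" is correct, since user IDs are opaque byte strings rather than text.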

src/main/java/us/q3q/fido2/FIDO2Applet.java

Lines changed: 10 additions & 1 deletion
@@ -3153,6 +3153,16 @@ private void handleEnumerateCreds(APDU apdu, short bufferIdx, short startCredIdx
31533153
sendErrorByte(apdu, FIDOConstants.CTAP2_ERR_NO_CREDENTIALS);
31543154
}
31553155

3156+
/**
3157+
* Pack a credential ID (CBOR-wrapped) into a target buffer
3158+
*
3159+
* @param credBuffer Buffer containing credential ID
3160+
* @param credOffset Offset of credential ID in input buffer
3161+
* @param writeBuffer Output buffer into which to write CBOR
3162+
* @param writeOffset Write index into output buffer
3163+
*
3164+
* @return New write index into output buffer, after writing credential CBOR
3165+
*/
31563166
private short packCredentialId(byte[] credBuffer, short credOffset, byte[] writeBuffer, short writeOffset) {
31573167
writeBuffer[writeOffset++] = (byte) 0xA2; // map: two entries
31583168

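Review bot: the new Javadoc at 3156+ documents the inputs but not the output size or the precondition a caller must meet: the body writes a fixed-layout two-entry map (the 0xA2 header, then CREDENTIAL_ID_LEN bytes of credential ID, then the "type" text string) with no bounds check on writeBuffer, so state how many bytes are written past writeOffset and that the caller must guarantee that much room. The summary could also name both map keys instead of just "CBOR-wrapped" (only the "type" entry is visible in the hunk), and "@return New write index" could say it equals writeOffset plus that fixed length.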
@@ -3163,7 +3173,6 @@ private short packCredentialId(byte[] credBuffer, short credOffset, byte[] write
31633173
writeOffset = Util.arrayCopyNonAtomic(credBuffer, credOffset,
31643174
writeBuffer, writeOffset, CREDENTIAL_ID_LEN);
31653175

3166-
31673176
writeBuffer[writeOffset++] = 0x64; // string - four bytes long
31683177
writeBuffer[writeOffset++] = 0x74; // t
31693178
writeBuffer[writeOffset++] = 0x79; // y
