BryanJacobs
diff --git a/‎README.md‎
Lines changed: 4 additions & 4 deletions b/‎README.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/FAQ.md‎
Lines changed: 2 additions & 1 deletion b/‎docs/FAQ.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/main/java/us/q3q/fido2/CannedCBOR.java‎
Lines changed: 8 additions & 3 deletions b/‎src/main/java/us/q3q/fido2/CannedCBOR.java‎
Lines changed: 8 additions & 3 deletions
@@ -2,7 +2,7 @@
 
 ## Overview
 
-This repository contains sources for a FIDO2 CTAP2 compatible(-ish)
+This repository contains sources for a FIDO2 CTAP2.1 compatible(-ish)
 applet targeting the Javacard Classic system, version 3.0.4. In a
 nutshell, this lets you take a smartcard, install an app onto it,
 and have it work as a FIDO2 authenticator device with a variety of
@@ -59,15 +59,15 @@ I suggest [reading the FAQ](docs/FAQ.md) and perhaps [the security model](docs/s
 |--------------------------------|---------------------------------------------------------|
 | CTAP1/U2F                      | Not implemented                                         |
 | CTAP2.0 core                   | Implemented, many caveats                               |
-| CTAP2.1 core                   | Incomplete - missing PIN token permissions              |
+| CTAP2.1 core                   | Implemented, many caveats                               |
 | Resident keys                  | Implemented, default 50 slots                           |
 | User Presence                  | User always considered present: not standards compliant |
 | Self attestation               | Implemented                                             |
 | Attestation certificates       | Not implemented                                         |
 | ECDSA (SecP256r1)              | Implemented                                             |
-| Other crypto like ed25519      | Not implemented                                         |
+| Other crypto, like ed25519     | Not implemented                                         |
 | CTAP2.0 hmac-secret extension  | Implemented                                             |
-| CTAP2.1 hmac-secret extension  | Implemented with one secret, requiring UV, not two      |
+| CTAP2.1 hmac-secret extension  | Implemented with one secret (requiring UV) not two      |
 | CTAP2.1 alwaysUv option        | Implemented                                             |
 | CTAP2.1 credProtect option     | Implemented, one caveat                                 |
 | CTAP2.1 PIN Protocol 1         | Implemented                                             |
 
@@ -60,7 +60,8 @@ Thirdly, the CTAP API requires user presence detection, but there's really no
 way to do that on Javacard 3.0.4. We can't even use the "presence timeout"
 that is described in the spec for NFC devices. So you're always treated as
 being present, which is to some extent offset by the fact that anything real
-requires you type your PIN (if one is set)...
+requires you type your PIN (if one is set)... Additionally, this app will not
+clear CTAP2.1 PIN token permissions on use.
 
 So set a PIN, and unplug your card when you're not using it.
 
 
@@ -23,10 +23,12 @@ public abstract class CannedCBOR {
             FIDOConstants.CTAP2_OK,
             (byte) 0xA8, // Map - eight keys
                 0x01, // map key: versions
-                    (byte) 0x81, // array - one item
+                    (byte) 0x82, // array - two items
                         0x68, // string - eight bytes long
                         0x46, 0x49, 0x44, 0x4F, 0x5F, 0x32, 0x5F, 0x30, // FIDO_2_0
-                0x02, // map key: extensions
+                        0x68, // string - eight bytes long
+                        0x46, 0x49, 0x44, 0x4F, 0x5F, 0x32, 0x5F, 0x31, // FIDO_2_1
+            0x02, // map key: extensions
                     (byte) 0x82, // array - two items
                         0x6B, // string - eleven bytes long
                             0x63, 0x72, 0x65, 0x64, 0x50, 0x72, 0x6F, 0x74, 0x65, 0x63, 0x74, // credProtect
@@ -36,7 +38,7 @@ public abstract class CannedCBOR {
                         0x50, // byte string, 16 bytes long
                         0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // aaguid
                 0x04, // map key: options
-                    (byte) 0xA5, // map: five entries
+                    (byte) 0xA6, // map: six entries
                         0x62, // string: two bytes long
                             0x72, 0x6B, // rk
                             (byte) 0xF5, // true
@@ -52,6 +54,9 @@ public abstract class CannedCBOR {
     static final byte[] MAKE_CRED_UV_NOT_REQD = {
             0x6D, 0x61, 0x6B, 0x65, 0x43, 0x72, 0x65, 0x64, 0x55, 0x76, 0x4E, 0x6F, 0x74, 0x52, 0x71, 0x64
     };
+    static final byte[] PIN_UV_AUTH_TOKEN = {
+            0x70, 0x69, 0x6E, 0x55, 0x76, 0x41, 0x75, 0x74, 0x68, 0x54, 0x6F, 0x6B, 0x65, 0x6E
+    };
     static final byte[] MAKE_CREDENTIAL_RESPONSE_PREAMBLE = {
             0x00, // status - OK!
             (byte) 0xA3, // Map - three keys