@@ -8,7 +8,7 @@ You caught me, I'm a fraud and these are anticipatory questions.
88
99If you don't know what that is, you don't need this.
1010
11- ## What's a JavaCard ?
11+ ## What's a Javacard ?
1212
1313If you don't know what that is, you DEFINITELY don't need this.
1414
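Review bot: The heading at new line 11 changes "JavaCard" to "Javacard" but keeps the stray space before the question mark, while the headings added later in this commit (for example new line 88) have none. If this is a consistency fix, drop the space as well so the heading reads "## What's a Javacard?", and check that the rest of the README uses the same spelling.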
@@ -84,3 +84,45 @@ done here. At least it means off-the-shelf rainbow tables probably won't work.
8484## I hear bcrypt or Argon2id is better than PBKDF2
8585
8686Good luck implementing those on a 16-bit microprocessor. I welcome you to try.
87+
88+ ## What does this implementation store for resident keys?
89+
90+ It will store:
91+ - the credential ID (an AES256 encrypted blob of the RP ID SHA-256
92+ hash and the credential private key)
93+ - up to 32 characters of the RP ID, again AES256 encrypted
94+ - a 64-character-long user ID, again AES256 encrypted
95+ - the length of the RP ID, unencrypted
96+ - the length of the user ID, unencrypted
97+ - a boolean set to true on the first credential from a given RP ID, used
98+ to save state when enumerating and counting on-device RPs
99+ - how many distinct RPs have valid keys on the device, unencrypted
100+ - how many total RPs are on the device, unencrypted
101+
102+ This is the minimum to make the credentials management API work. It would
103+ be possible to encrypt the length fields too, they just aren't and I didn't
104+ see it as important.
105+
106+ The default is to have fifty slots for resident keys, which is double what a
107+ Yubikey supports. You can turn this up, with a performance and flash cost, or
108+ turn it down with a performance and flash benefit.
109+
110+ ## Why is the code quality so low?
111+
112+ You're welcome to contribute to improving it. I wrote this for a purpose and
113+ it seems to work for that purpose.
114+
115+ Please remember that this code is written for processors that don't have an
116+ ` int ` type - only ` short ` . Most function calls are a runtime overhead, and
117+ each object allocation comes out of your at-most-2kB of RAM available. You
118+ can't practically use dynamic memory allocation at all, it's just there to tease
119+ you.
120+
121+ The code I wrote may look ugly, and it's certainly not perfect, but it is
122+ reasonably efficient in execution on in-order processors with very limited
123+ stacks.
124+
125+ ## Why is the smartcard giving me OPERATION_DENIED when I try to create a resident key?
126+
127+ You haven't set a PIN. You can turn off this feature in the code, or you can
128+ set a PIN. If I were you, I would use a PIN with resident keys.
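Review bot: The storage list at new lines 91-94 says "AES256 encrypted" for the credential ID, RP ID and user ID without naming the cipher mode, how IVs are handled, or whether the blobs are authenticated, so a reader cannot tell what someone who reads the card's flash would learn; please state those alongside the note at lines 102-104 about the unencrypted length fields. Lines 93 and 94 also disagree in wording: the RP ID is "up to 32 characters" while the user ID is "a 64-character-long user ID", yet a separate user ID length is stored at line 96, which suggests 64 is a maximum. Say so explicitly, and say what happens to an RP ID longer than 32 characters. The difference between "distinct RPs have valid keys" (line 99) and "total RPs" (line 100) also needs a sentence of explanation.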