Passwords are stored in the non-volatile Flash memory of the device, in the application space. The manager can store up to 64 passwords (this can be increased in the source code, at the cost of application size). Each password is stored on its own 64-byte flash page, to allow atomic insertion and deletion (see nvm::Collection in the NanoS Rust SDK).
Each 64-byte password entry is divided into two 32-byte blocks: one for the password name, and the other for the password itself. The name and the password can be of variable size, up to 32 bytes each. The 32-byte blocks are padded with zeros. ASCII characters should be stored (UTF-8 may work, except when the last character ends with a null byte, which cannot be told apart from the padding).
All APDUs use the class 0x80.
INS | Name | Description |
---|---|---|
0x01 | GetVersion | Returns version string |
0x02 | GetSize | Returns the number of stored passwords |
0x03 | Add | Add a new password |
0x04 | GetName | Returns name of the n-th password |
0x05 | GetByName | Return the password with the given name |
0x06 | DeleteByName | Delete the password with the given name |
0x07 | Export | Start password export procedure |
0x08 | ExportNext | Export the next password |
0x09 | Import | Start password import procedure |
0x0a | ImportNext | Import the next password |
0x0b | Clear | Remove all passwords |
0x0c | Quit | Quit application |
0x0d | ShowOnScreen | Show the password with the given name on the screen |
0x0e | HasName | Indicate if a password with the given name is stored or not |
### GetVersion

Returns the version string, for instance "1.0.0".
### GetSize

Returns the number of stored passwords. User consent is not required for this operation.

The device returns the count as a 4-byte big-endian integer.
### Add

Adds a new password to the internal collection. This operation requires user consent.

The P1 field can be:
- 0: the password is passed in the Data field.
- 1: the password is randomly generated by the device.

Unless device generation is requested, the Data field of the command must contain the 32-byte name (padded with zeros) followed by the 32-byte password (padded with zeros).
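The following Python example (added here, not part of the application or its SDK) encodes names and passwords as the 32-byte zero-padded blocks described above, rejects values that the padding scheme cannot represent (longer than 32 bytes, or ending in a null byte), and assembles the Add APDU. P2 is assumed to be 0, and for P1=1 the Data field is assumed to carry only the 32-byte name; neither is stated on the page.

```python
from typing import Optional

CLA = 0x80      # class byte shared by every APDU of the app
INS_ADD = 0x03
BLOCK = 32      # name and password each occupy one 32-byte zero-padded block


def encode_block(value: str) -> bytes:
    """Encode a name or password as a single zero-padded 32-byte block.

    A value whose last byte is 0x00 is refused: once padded it cannot be
    distinguished from the padding when the block is read back.
    """
    raw = value.encode("utf-8")
    if len(raw) > BLOCK:
        raise ValueError(f"value is {len(raw)} bytes, maximum is {BLOCK}")
    if raw.endswith(b"\x00"):
        raise ValueError("value ends with a null byte; indistinguishable from padding")
    return raw.ljust(BLOCK, b"\x00")


def decode_block(block: bytes) -> str:
    """Inverse of encode_block: strip the zero padding and decode as UTF-8."""
    if len(block) != BLOCK:
        raise ValueError(f"block must be exactly {BLOCK} bytes")
    return block.rstrip(b"\x00").decode("utf-8")


def build_apdu(ins: int, p1: int = 0, data: bytes = b"") -> bytes:
    """Short APDU: CLA INS P1 P2 Lc DATA (P2 assumed 0, unused by this app)."""
    if len(data) > 255:
        raise ValueError("short APDU data field is limited to 255 bytes")
    return bytes([CLA, ins, p1, 0x00, len(data)]) + data


def add_apdu(name: str, password: Optional[str] = None) -> bytes:
    """Build the Add command.

    P1=0: Data = name block || password block.
    P1=1: device generates the password; Data assumed to be the name block only.
    """
    if password is None:
        return build_apdu(INS_ADD, 1, encode_block(name))
    return build_apdu(INS_ADD, 0, encode_block(name) + encode_block(password))
```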
### GetName

Returns the name of the n-th stored password. User consent is not required for this operation.

The Data field of the APDU must contain the password index, encoded as a 4-byte big-endian integer.
### GetByName

Returns the password with the given name. This operation requires user consent.

The Data field of the APDU must contain the 32-byte password name (padded with zeros).

The device responds with the 32-byte password (padded with zeros).
### DeleteByName

Deletes the password with the given name. This operation requires user consent.

The Data field of the APDU must contain the 32-byte password name (padded with zeros).
### Export

Starts the export procedure. This operation requires user consent.

The P1 field can be:
- 0: passwords are exported in plaintext. A warning message is displayed to the user. Any device can import the returned data.
- 1: passwords are returned encrypted and MACed. Only a device with the same seed can import the returned data.

Once the export procedure has been started, each password must be retrieved with the ExportNext command. The export procedure ends when all passwords have been read out.
### ExportNext

Exports the next password during the export procedure. User consent is not required for this operation (it was verified during Export).

If plaintext mode is selected, the device responds with the name and password blocks (2 * 32 bytes) in plaintext.

If encrypted export mode is selected, the device responds with a 16-byte nonce, followed by the encrypted name and password, and finally a 16-byte MAC used to verify integrity during import.
### Import

Starts the import procedure. This operation requires user consent.

The P1 field can be:
- 0: passwords are imported in plaintext.
- 1: passwords are imported encrypted and the MAC is verified.

The Data field must contain the number of passwords to be imported, encoded as a 4-byte big-endian integer.

Once the import procedure has been started, each password must be imported with the ImportNext command. The import procedure ends when all passwords have been imported, or if a MAC verification fails.
### ImportNext

Imports the next password during the import procedure. User consent is not required for this operation (it was verified during Import).

The Data field must contain the data blob received from ExportNext: in plaintext if plaintext mode was selected, encrypted otherwise.
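The following Python example (added here, not code from the application) splits an ExportNext response into its fields for both export modes and builds the host-side APDU sequence for a restore: one Import carrying the 4-byte big-endian count, then one ImportNext per blob. Assumptions not stated on the page: the encrypted name and password keep the 64-byte entry length (so an encrypted blob is 16 + 64 + 16 = 96 bytes), and P2 and the ImportNext P1 are 0. The sample blobs in the test are constructed, not captured from a device.

```python
import struct
from typing import Dict, List

CLA = 0x80
INS_IMPORT, INS_IMPORT_NEXT = 0x09, 0x0A
ENTRY_LEN = 64            # name block (32) || password block (32)
NONCE_LEN = MAC_LEN = 16  # sizes given on the page for encrypted export
ENC_LEN = NONCE_LEN + ENTRY_LEN + MAC_LEN  # 96, assuming a 64-byte ciphertext


def parse_export_next(blob: bytes, encrypted: bool) -> Dict[str, bytes]:
    """Split one ExportNext response into its fields; reject wrong lengths.

    Plaintext mode returns the unpadded name and password; encrypted mode
    returns the nonce, the ciphertext and the MAC (only the device with the
    same seed can decrypt or verify them, so nothing is checked here).
    """
    if not encrypted:
        if len(blob) != ENTRY_LEN:
            raise ValueError(f"plaintext entry must be {ENTRY_LEN} bytes, got {len(blob)}")
        return {"name": blob[:32].rstrip(b"\x00"), "password": blob[32:].rstrip(b"\x00")}
    if len(blob) != ENC_LEN:
        raise ValueError(f"encrypted entry must be {ENC_LEN} bytes, got {len(blob)}")
    return {
        "nonce": blob[:NONCE_LEN],
        "ciphertext": blob[NONCE_LEN:NONCE_LEN + ENTRY_LEN],
        "mac": blob[NONCE_LEN + ENTRY_LEN:],
    }


def import_sequence(blobs: List[bytes], encrypted: bool) -> List[bytes]:
    """APDUs a host sends to restore an export, in order.

    Every blob is validated first so a malformed backup fails before the
    device is asked for consent. Import: P1 selects the mode, Data is the
    count as a 4-byte big-endian integer. ImportNext: Data is the blob.
    """
    for blob in blobs:
        parse_export_next(blob, encrypted)
    p1 = 1 if encrypted else 0
    apdus = [bytes([CLA, INS_IMPORT, p1, 0x00, 4]) + struct.pack(">I", len(blobs))]
    for blob in blobs:
        apdus.append(bytes([CLA, INS_IMPORT_NEXT, 0x00, 0x00, len(blob)]) + blob)
    return apdus
```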
### Clear

Removes all passwords. User consent is not required for this operation.
### Quit

Quits the application and returns to the dashboard. User consent is not required for this operation.
### ShowOnScreen

Displays the password with the given name on the device screen. This operation requires user consent.

The Data field of the APDU must contain the 32-byte password name (padded with zeros).
### HasName

Tells whether a password with the given name exists. This operation does not require user consent.

The Data field of the APDU must contain the 32-byte password name (padded with zeros).

The response data field is one byte long: 0x01 if the password exists, 0x00 otherwise.