fido2.attestation

Submodules

Exceptions

`InvalidData`	Attestation contains invalid data.
`InvalidSignature`	The signature of the attestation could not be verified.
`UnsupportedType`	The attestation format is not supported.
`UntrustedAttestation`	The CA of the attestation is not trusted.

Classes

`AndroidSafetynetAttestation`	Implements verification of a specific attestation type.
`AppleAttestation`	Implements verification of a specific attestation type.
`Attestation`	Implements verification of a specific attestation type.
`AttestationResult`	The result of verifying an attestation.
`AttestationType`	Supported attestation types.
`AttestationVerifier`	Base class for verifying attestation.
`NoneAttestation`	Implements verification of a specific attestation type.
`UnsupportedAttestation`	Implements verification of a specific attestation type.
`PackedAttestation`	Implements verification of a specific attestation type.
`TpmAttestation`	Implements verification of a specific attestation type.
`FidoU2FAttestation`	Implements verification of a specific attestation type.

Functions

verify_x509_chain(chain)

Verifies a chain of certificates.

Package Contents

class fido2.attestation.AndroidSafetynetAttestation(allow_rooted=False)[source]

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

Parameters:: allow_rooted (bool)

FORMAT = 'android-safetynet'

allow_rooted = False

verify(statement, auth_data, client_data_hash)[source]

Verifies attestation statement.

Returns:: An AttestationResult if successful.

class fido2.attestation.AppleAttestation[source]

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'apple'

verify(statement, auth_data, client_data_hash)[source]

Verifies attestation statement.

Returns:: An AttestationResult if successful.

class fido2.attestation.Attestation[source]

Bases: abc.ABC

Implements verification of a specific attestation type.

abstractmethod verify(statement, auth_data, client_data_hash)[source]

Verifies attestation statement.

Returns:

An AttestationResult if successful.

Parameters:

statement (Mapping[str, Any])
auth_data (fido2.webauthn.AuthenticatorData)
client_data_hash (bytes)

Return type:

AttestationResult

static for_type(fmt)[source]

Get an Attestation subclass type for the given format.

Parameters:: fmt (str)
Return type:: type[Attestation]

class fido2.attestation.AttestationResult[source]

The result of verifying an attestation.

attestation_type: AttestationType

trust_path: list[bytes]

class fido2.attestation.AttestationType[source]

Bases: enum.IntEnum

Supported attestation types.

BASIC = 1

SELF = 2

ATT_CA = 3

ANON_CA = 4

NONE = 0

class fido2.attestation.AttestationVerifier(attestation_types=None)[source]

Bases: abc.ABC

Base class for verifying attestation.

Override the ca_lookup method to provide a trusted root certificate used to verify the trust path from the attestation.

Parameters:: attestation_types (Sequence[Attestation] | None)

abstractmethod ca_lookup(attestation_result, auth_data)[source]

Lookup a CA certificate to be used to verify a trust path.

Parameters:

attestation_result (AttestationResult) – The result of the attestation
auth_data (fido2.webauthn.AuthenticatorData) – The AuthenticatorData from the registration

Return type:

bytes | None

verify_attestation(attestation_object, client_data_hash)[source]

Verify attestation.

Parameters:

attestation_object (fido2.webauthn.AttestationObject) – dict containing attestation data.
client_data_hash (bytes) – SHA256 hash of the ClientData bytes.

Return type:

None

exception fido2.attestation.InvalidData[source]

Bases: InvalidAttestation

Attestation contains invalid data.

exception fido2.attestation.InvalidSignature[source]

Bases: InvalidAttestation

The signature of the attestation could not be verified.

class fido2.attestation.NoneAttestation[source]

Bases: Attestation

Implements verification of a specific attestation type.

FORMAT = 'none'

verify(statement, auth_data, client_data_hash)[source]

Verifies attestation statement.

Returns:: An AttestationResult if successful.

class fido2.attestation.UnsupportedAttestation(fmt=None)[source]

Bases: Attestation

Implements verification of a specific attestation type.

fmt = None

verify(statement, auth_data, client_data_hash)[source]

Verifies attestation statement.

Returns:: An AttestationResult if successful.

exception fido2.attestation.UnsupportedType(auth_data, fmt=None)[source]

Bases: InvalidAttestation

The attestation format is not supported.

auth_data

fmt = None

exception fido2.attestation.UntrustedAttestation[source]

Bases: InvalidAttestation

The CA of the attestation is not trusted.

fido2.attestation.verify_x509_chain(chain)[source]

Verifies a chain of certificates.

Checks that the first item in the chain is signed by the next, and so on. The first item is the leaf, the last is the root.

Parameters:: chain (list[bytes])
Return type:: None

class fido2.attestation.PackedAttestation[source]

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'packed'

verify(statement, auth_data, client_data_hash)[source]

Verifies attestation statement.

Returns:: An AttestationResult if successful.

class fido2.attestation.TpmAttestation[source]

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'tpm'

verify(statement, auth_data, client_data_hash)[source]

Verifies attestation statement.

Returns:: An AttestationResult if successful.

class fido2.attestation.FidoU2FAttestation[source]

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'fido-u2f'

verify(statement, auth_data, client_data_hash)[source]

Verifies attestation statement.

Returns:: An AttestationResult if successful.

static verify_signature(app_param, client_param, key_handle, public_key, cert_bytes, signature)[source]