fido2.attestation

Exceptions

InvalidData

Attestation contains invalid data.

InvalidSignature

The signature of the attestation could not be verified.

UnsupportedType

The attestation format is not supported.

UntrustedAttestation

The CA of the attestation is not trusted.

Classes

AndroidSafetynetAttestation

Implements verification of a specific attestation type.

AppleAttestation

Implements verification of a specific attestation type.

Attestation

Implements verification of a specific attestation type.

AttestationResult

The result of verifying an attestation.

AttestationType

Supported attestation types.

AttestationVerifier

Base class for verifying attestation.

NoneAttestation

Implements verification of a specific attestation type.

UnsupportedAttestation

Implements verification of a specific attestation type.

PackedAttestation

Implements verification of a specific attestation type.

TpmAttestation

Implements verification of a specific attestation type.

FidoU2FAttestation

Implements verification of a specific attestation type.

Functions

verify_x509_chain(chain)

Verifies a chain of certificates.

Package Contents

class fido2.attestation.AndroidSafetynetAttestation(allow_rooted=False)

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

Parameters:

allow_rooted (bool)

FORMAT = 'android-safetynet'
allow_rooted = False

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.AppleAttestation

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'apple'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.Attestation

Bases: abc.ABC

Implements verification of a specific attestation type.

abstractmethod verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

Return type:

AttestationResult

static for_type(fmt)

Get an Attestation subclass type for the given format.

Parameters:

fmt (str)

Return type:

type[Attestation]

class fido2.attestation.AttestationResult

The result of verifying an attestation.

attestation_type: AttestationType
trust_path: list[bytes]

class fido2.attestation.AttestationType

Bases: enum.IntEnum

Supported attestation types.

BASIC = 1
SELF = 2
ATT_CA = 3
ANON_CA = 4
NONE = 0

class fido2.attestation.AttestationVerifier(attestation_types=None)

Bases: abc.ABC

Base class for verifying attestation.

Override the ca_lookup method to provide a trusted root certificate used to verify the trust path from the attestation.

Parameters:

attestation_types (Sequence[Attestation] | None)

abstractmethod ca_lookup(attestation_result, auth_data)

Lookup a CA certificate to be used to verify a trust path.

Return type:

bytes | None

verify_attestation(attestation_object, client_data_hash)

Verify attestation.

Return type:

None

exception fido2.attestation.InvalidData

Bases: InvalidAttestation

Attestation contains invalid data.

exception fido2.attestation.InvalidSignature

Bases: InvalidAttestation

The signature of the attestation could not be verified.

class fido2.attestation.NoneAttestation

Bases: Attestation

Implements verification of a specific attestation type.

FORMAT = 'none'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.UnsupportedAttestation(fmt=None)

Bases: Attestation

Implements verification of a specific attestation type.

fmt = None

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

exception fido2.attestation.UnsupportedType(auth_data, fmt=None)

Bases: InvalidAttestation

The attestation format is not supported.

auth_data
fmt = None

exception fido2.attestation.UntrustedAttestation

Bases: InvalidAttestation

The CA of the attestation is not trusted.

fido2.attestation.verify_x509_chain(chain)

Verifies a chain of certificates.

Checks that the first item in the chain is signed by the next, and so on. The first item is the leaf, the last is the root.

Parameters:

chain (list[bytes])

Return type:

None

class fido2.attestation.PackedAttestation

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'packed'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.TpmAttestation

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'tpm'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.FidoU2FAttestation

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'fido-u2f'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

static verify_signature(app_param, client_param, key_handle, public_key, cert_bytes, signature)