fido2.attestation

Submodules

• fido2.attestation.android
• fido2.attestation.apple
• fido2.attestation.base
• fido2.attestation.packed
• fido2.attestation.tpm
• fido2.attestation.u2f

Exceptions

InvalidData	Attestation contains invalid data.
InvalidSignature	The signature of the attestation could not be verified.
UnsupportedType	The attestation format is not supported.
UntrustedAttestation	The CA of the attestation is not trusted.

Classes

Attestation	Implements verification of a specific attestation type.
NoneAttestation	Implements verification of a specific attestation type.
AttestationType	Supported attestation types.
AttestationResult	The result of verifying an attestation.
UnsupportedAttestation	Implements verification of a specific attestation type.
AttestationVerifier	Base class for verifying attestation.
AppleAttestation	Implements verification of a specific attestation type.
AndroidSafetynetAttestation	Implements verification of a specific attestation type.
PackedAttestation	Implements verification of a specific attestation type.
FidoU2FAttestation	Implements verification of a specific attestation type.
TpmAttestation	Implements verification of a specific attestation type.

Functions

verify_x509_chain(chain)

Verifies a chain of certificates.

Package Contents

class fido2.attestation.Attestation

Bases: abc.ABC

Implements verification of a specific attestation type.

abstract verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

Parameters:

• statement (Mapping[str, Any])

• auth_data (fido2.webauthn.AuthenticatorData)

• client_data_hash (bytes)

Return type:

AttestationResult

static for_type(fmt)

Get an Attestation subclass type for the given format.

Parameters:

fmt (str)

Return type:

Type[Attestation]

class fido2.attestation.NoneAttestation

Bases: Attestation

Implements verification of a specific attestation type.

FORMAT = 'none'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.AttestationType

Bases: enum.IntEnum

Supported attestation types.

BASIC = 1

SELF = 2

ATT_CA = 3

ANON_CA = 4

NONE = 0

class fido2.attestation.AttestationResult

The result of verifying an attestation.

attestation_type: AttestationType

trust_path: List[bytes]

exception fido2.attestation.InvalidData

Bases: InvalidAttestation

Attestation contains invalid data.

exception fido2.attestation.InvalidSignature

Bases: InvalidAttestation

The signature of the attestation could not be verified.

exception fido2.attestation.UnsupportedType(auth_data, fmt=None)

Bases: InvalidAttestation

The attestation format is not supported.

auth_data

fmt

class fido2.attestation.UnsupportedAttestation(fmt=None)

Bases: Attestation

Implements verification of a specific attestation type.

fmt

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

exception fido2.attestation.UntrustedAttestation

Bases: InvalidAttestation

The CA of the attestation is not trusted.

fido2.attestation.verify_x509_chain(chain)

Verifies a chain of certificates.

Checks that the first item in the chain is signed by the next, and so on. The first item is the leaf, the last is the root.

Parameters:

chain (List[bytes])

Return type:

None

class fido2.attestation.AttestationVerifier(attestation_types=None)

Bases: abc.ABC

Base class for verifying attestation.

Override the ca_lookup method to provide a trusted root certificate used to verify the trust path from the attestation.

Parameters:

attestation_types (Optional[Sequence[Attestation]])

abstract ca_lookup(attestation_result, auth_data)

Lookup a CA certificate to be used to verify a trust path.

Parameters:

• attestation_result (AttestationResult) – The result of the attestation

• auth_data (fido2.webauthn.AuthenticatorData) – The AuthenticatorData from the registration

Return type:

Optional[bytes]

verify_attestation(attestation_object, client_data_hash)

Verify attestation.

Parameters:

• attestation_object (fido2.webauthn.AttestationObject) – dict containing attestation data.

• client_data_hash (bytes) – SHA256 hash of the ClientData bytes.

Return type:

None

__call__(*args)

Allows passing an instance to Fido2Server as verify_attestation

class fido2.attestation.AppleAttestation

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'apple'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.AndroidSafetynetAttestation(allow_rooted=False)

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

Parameters:

allow_rooted (bool)

FORMAT = 'android-safetynet'

allow_rooted

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.PackedAttestation

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'packed'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

class fido2.attestation.FidoU2FAttestation

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'fido-u2f'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.

static verify_signature(app_param, client_param, key_handle, public_key, cert_bytes, signature)

class fido2.attestation.TpmAttestation

Bases: fido2.attestation.base.Attestation

Implements verification of a specific attestation type.

FORMAT = 'tpm'

verify(statement, auth_data, client_data_hash)

Verifies attestation statement.

Returns:

An AttestationResult if successful.