fido2.ctap1

Exceptions

ApduError

An Exception thrown when a response APDU doesn't have an OK (0x9000) status.

Classes

APDU

APDU response codes.

RegistrationData

Binary response data for a CTAP1 registration.

SignatureData

Binary response data for a CTAP1 authentication.

Ctap1

Implementation of the CTAP1 specification.

Module Contents

class fido2.ctap1.APDU[source]

Bases: enum.IntEnum

APDU response codes.

OK = 36864
USE_NOT_SATISFIED = 27013
WRONG_DATA = 27264

exception fido2.ctap1.ApduError(code, data=b'')[source]

Bases: Exception

An Exception thrown when a response APDU doesn’t have an OK (0x9000) status.

Parameters:
  • code (int) – APDU response code.

  • data (bytes) – APDU response body.

code
data

__repr__()[source]

Return repr(self).

class fido2.ctap1.RegistrationData(_)[source]

Bases: bytes

Binary response data for a CTAP1 registration.

Parameters:

_ (bytes) – The binary contents of the response data.

Variables:
  • public_key – Binary representation of the credential public key.

  • key_handle – Binary key handle of the credential.

  • certificate – Attestation certificate of the authenticator, DER encoded.

  • signature – Attestation signature.

public_key: bytes
key_handle: bytes
certificate: bytes
signature: bytes

property b64: str

Websafe base64 encoded string of the RegistrationData.

Return type:

str

verify(app_param, client_param)[source]

Verify the included signature with regard to the given app and client params.

Parameters:
  • app_param (bytes) – SHA256 hash of the app ID used for the request.

  • client_param (bytes) – SHA256 hash of the ClientData used for the request.

Return type:

None

classmethod from_b64(data)[source]

Parse a RegistrationData from a websafe base64 encoded string.

Parameters:

data (str) – Websafe base64 encoded string.

Returns:

The decoded and parsed RegistrationData.

Return type:

RegistrationData
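The four variables above map onto the U2F raw registration response layout. The following is an added example, not code from python-fido2: a standard-library parser for that layout that rejects truncated input and builds the byte string the attestation signature covers. The names ParsedRegistration, parse_registration, registration_signed_message and SAMPLE are hypothetical, and the sample bytes are constructed.

```python
from typing import NamedTuple

class ParsedRegistration(NamedTuple):
    public_key: bytes
    key_handle: bytes
    certificate: bytes
    signature: bytes

def der_total_length(buf: bytes) -> int:
    """Length (header + body) of the DER SEQUENCE starting at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    if buf[1] < 0x80:                       # short form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def parse_registration(raw: bytes) -> ParsedRegistration:
    # 0x05 | public key (65) | key handle length (1) | key handle | cert | signature
    if len(raw) < 67 or raw[0] != 0x05:
        raise ValueError("bad reserved byte or truncated response")
    public_key = raw[1:66]
    if public_key[0] != 0x04:
        raise ValueError("public key is not an uncompressed P-256 point")
    kh_len = raw[66]
    key_handle, rest = raw[67:67 + kh_len], raw[67 + kh_len:]
    if len(key_handle) != kh_len:
        raise ValueError("truncated key handle")
    cert_len = der_total_length(rest)
    if cert_len >= len(rest):               # nothing left for the signature
        raise ValueError("certificate overruns the response")
    return ParsedRegistration(public_key, key_handle, rest[:cert_len], rest[cert_len:])

def registration_signed_message(app_param: bytes, client_param: bytes,
                                reg: ParsedRegistration) -> bytes:
    """Bytes covered by the attestation signature."""
    if len(app_param) != 32 or len(client_param) != 32:
        raise ValueError("parameters must be SHA-256 digests")
    return b"\x00" + app_param + client_param + reg.key_handle + reg.public_key

# Constructed sample: zeroed key material and a dummy 260-byte "certificate".
SAMPLE = (b"\x05" + b"\x04" + bytes(64) + bytes([16]) + b"KH" * 8
          + b"\x30\x82\x01\x00" + bytes(256) + b"\x30\x06\x02\x01\x01\x02\x01\x01")
```

The key handle length and the certificate's DER length are both attacker-influenced when the response comes from an untrusted client, so each is checked against the remaining buffer before slicing.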

class fido2.ctap1.SignatureData(_)[source]

Bases: bytes

Binary response data for a CTAP1 authentication.

Parameters:

_ (bytes) – The binary contents of the response data.

Variables:
  • user_presence – User presence byte.

  • counter – Signature counter.

  • signature – Cryptographic signature.

user_presence: int
counter: int
signature: bytes

property b64: str

Websafe base64 encoded string of the SignatureData.

Return type:

str

verify(app_param, client_param, public_key)[source]

Verify the included signature with regard to the given app and client params, using the given public key.

Parameters:
  • app_param (bytes) – SHA256 hash of the app ID used for the request.

  • client_param (bytes) – SHA256 hash of the ClientData used for the request.

  • public_key (bytes) – Binary representation of the credential public key.

Return type:

None

classmethod from_b64(data)[source]

Parse a SignatureData from a websafe base64 encoded string.

Parameters:

data (str) – Websafe base64 encoded string.

Returns:

The decoded and parsed SignatureData.

Return type:

SignatureData
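A valid signature alone does not tell a relying party whether the user was present or whether the counter moved forward. The following is an added example, not code from python-fido2: it splits the U2F raw authentication response into the three variables listed above, rebuilds the signed message, and applies the presence and counter checks. The function names, the strict-increase counter policy and the constructed SAMPLE are assumptions of this example.

```python
import struct
from typing import Tuple

def parse_signature_data(raw: bytes) -> Tuple[int, int, bytes]:
    """Split user presence (1 byte) | counter (4 bytes, big-endian) | signature."""
    if len(raw) < 6:
        raise ValueError("authentication response too short")
    user_presence, counter = struct.unpack(">BI", raw[:5])
    return user_presence, counter, raw[5:]

def authentication_signed_message(app_param: bytes, client_param: bytes,
                                  user_presence: int, counter: int) -> bytes:
    """Bytes covered by the signature: app | presence | counter | client."""
    if len(app_param) != 32 or len(client_param) != 32:
        raise ValueError("parameters must be SHA-256 digests")
    return app_param + struct.pack(">BI", user_presence, counter) + client_param

def evaluate_assertion(raw: bytes, stored_counter: int) -> Tuple[str, int]:
    """Policy checks to run only after the signature has verified.

    Returns (decision, counter value to persist for this credential).
    """
    user_presence, counter, _signature = parse_signature_data(raw)
    if not user_presence & 0x01:
        return "reject: user presence bit not set", stored_counter
    if counter <= stored_counter:
        # A counter that stalls or goes backwards suggests a cloned credential.
        return "reject: counter did not increase", stored_counter
    return "accept", counter

# Constructed sample: presence = 1, counter = 42, dummy DER-shaped signature.
SAMPLE = b"\x01" + (42).to_bytes(4, "big") + b"\x30\x06\x02\x01\x01\x02\x01\x01"
```

Because the presence byte and counter sit inside the signed message, they are trustworthy only once verify() has succeeded with the stored public key.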

class fido2.ctap1.Ctap1(device)[source]

Implementation of the CTAP1 specification.

Parameters:

device (fido2.ctap.CtapDevice) – A CtapHidDevice handle supporting CTAP1.

class INS[source]

Bases: enum.IntEnum

Enum where members are also (and must be) ints

REGISTER = 1
AUTHENTICATE = 2
VERSION = 3

device

send_apdu(cla=0, ins=0, p1=0, p2=0, data=b'')[source]

Packs and sends an APDU for use in CTAP1 commands. This is a low-level method used mainly internally. Avoid calling it directly where possible; use the get_version, register, and authenticate methods instead.

Parameters:
  • cla (int) – The CLA parameter of the request.

  • ins (int) – The INS parameter of the request.

  • p1 (int) – The P1 parameter of the request.

  • p2 (int) – The P2 parameter of the request.

  • data (bytes) – The body of the request.

Returns:

The response APDU data of a successful request.

Raises:

ApduError

Return type:

bytes

get_version()[source]

Get the U2F version implemented by the authenticator. The only version specified is “U2F_V2”.

Returns:

A U2F version string.

Return type:

str

register(client_param, app_param)[source]

Register a new U2F credential.

Parameters:
  • client_param (bytes) – SHA256 hash of the ClientData used for the request.

  • app_param (bytes) – SHA256 hash of the app ID used for the request.

Returns:

The registration response from the authenticator.

Return type:

RegistrationData

authenticate(client_param, app_param, key_handle, check_only=False)[source]

Authenticate a previously registered credential.

Parameters:
  • client_param (bytes) – SHA256 hash of the ClientData used for the request.

  • app_param (bytes) – SHA256 hash of the app ID used for the request.

  • key_handle (bytes) – The binary key handle of the credential.

  • check_only (bool) – True to send a “check-only” request, which is used to determine if a key handle is known.

Returns:

The authentication response from the authenticator.

Return type:

SignatureData
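A check-only request never produces signature data: per the U2F raw message format, the authenticator answers with a non-OK status word, which send_apdu reports as an ApduError. The following is an added example, not code from python-fido2: it builds the authenticate request body, splits a response APDU into data and status word, and interprets the two status words a check-only request can return. The function names and the constructed byte strings are assumptions of this example; the status word values are the APDU enum values listed above, written in hex.

```python
from typing import Tuple

# APDU enum values from this page in hex: 36864, 27013, 27264.
SW_OK, SW_USE_NOT_SATISFIED, SW_WRONG_DATA = 0x9000, 0x6985, 0x6A80

def authenticate_request_body(client_param: bytes, app_param: bytes,
                              key_handle: bytes) -> bytes:
    """client_param (32) | app_param (32) | key handle length (1) | key handle."""
    if len(client_param) != 32 or len(app_param) != 32:
        raise ValueError("parameters must be SHA-256 digests")
    if not 0 < len(key_handle) <= 255:
        raise ValueError("key handle must be 1..255 bytes")
    return client_param + app_param + bytes([len(key_handle)]) + key_handle

def split_response(resp: bytes) -> Tuple[bytes, int]:
    """Return (response data, status word) from a raw response APDU."""
    if len(resp) < 2:
        raise ValueError("response APDU shorter than its status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")

def key_handle_known(resp: bytes) -> bool:
    """Interpret the response to a check-only authenticate request."""
    _data, sw = split_response(resp)
    if sw == SW_USE_NOT_SATISFIED:
        # Despite the name, this is the positive answer: the key handle
        # belongs to this authenticator and this app_param.
        return True
    if sw == SW_WRONG_DATA:
        return False
    raise ValueError(f"unexpected status 0x{sw:04X} for a check-only request")

# Constructed responses: status word only, no body.
KNOWN_RESPONSE = b"\x69\x85"
UNKNOWN_RESPONSE = b"\x6a\x80"
```

When calling authenticate with check_only=True, the same decision is made on the code attribute of the raised ApduError.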