fido2.ctap2.base

Classes

`Info`	Binary CBOR encoded response data returned by the CTAP2 GET_INFO command.
`AttestationResponse`	Binary CBOR encoded attestation object.
`AssertionResponse`	Binary CBOR encoded assertion response.
`Ctap2`	Implementation of the CTAP2 specification.

Functions

args(*params)

Constructs a dict from a list of arguments for sending a CBOR command.

Module Contents

fido2.ctap2.base.args(*params)[source]

Constructs a dict from a list of arguments for sending a CBOR command. None elements will be omitted.

Parameters:: params – Arguments, in order, to add to the command.
Returns:: The input parameters as a dict.
Return type:: Dict[int, Any]

class fido2.ctap2.base.Info[source]

Bases: _CborDataObject

Binary CBOR encoded response data returned by the CTAP2 GET_INFO command.

Parameters:

_ – The binary content of the Info data.

Variables:

versions – The versions supported by the authenticator.
extensions – The extensions supported by the authenticator.
aaguid – The AAGUID of the authenticator.
options – The options supported by the authenticator.
max_msg_size – The max message size supported by the authenticator.
pin_uv_protocols – The PIN/UV protocol versions supported by the authenticator.
max_creds_in_list – Max number of credentials supported in list at a time.
max_cred_id_length – Max length of Credential ID supported.
transports – List of supported transports.
algorithms – List of supported algorithms for credential creation.
data – The Info members, in the form of a dict.

versions: List[str]

extensions: List[str]

aaguid: fido2.webauthn.Aaguid

options: Dict[str, bool]

max_msg_size: int = 1024

pin_uv_protocols: List[int]

max_creds_in_list: int | None = None

max_cred_id_length: int | None = None

transports: List[str]

algorithms: List[Dict[str, Any]] | None = None

max_large_blob: int | None = None

force_pin_change: bool = False

min_pin_length: int = 4

firmware_version: int | None = None

max_cred_blob_length: int | None = None

max_rpids_for_min_pin: int = 0

preferred_platform_uv_attempts: int | None = None

uv_modality: int | None = None

certifications: Dict | None = None

remaining_disc_creds: int | None = None

vendor_prototype_config_commands: List[int] | None = None

class fido2.ctap2.base.AttestationResponse[source]

Bases: _CborDataObject

Binary CBOR encoded attestation object.

Parameters:

_ (bytes) – The binary representation of the attestation object.

Variables:

fmt – The type of attestation used.
auth_data – The attested authenticator data.
att_stmt – The attestation statement.

fmt: str

auth_data: fido2.webauthn.AuthenticatorData

att_stmt: Dict[str, Any]

ep_att: bool | None = None

large_blob_key: bytes | None = None

class fido2.ctap2.base.AssertionResponse[source]

Bases: _CborDataObject

Binary CBOR encoded assertion response.

Parameters:

_ – The binary representation of the assertion response.

Variables:

credential – The credential used for the assertion.
auth_data – The authenticator data part of the response.
signature – The digital signature of the assertion.
user – The user data of the credential.
number_of_credentials – The total number of responses available (only set for the first response, if > 1).

credential: Mapping[str, Any]

auth_data: fido2.webauthn.AuthenticatorData

signature: bytes

user: Dict[str, Any] | None = None

number_of_credentials: int | None = None

user_selected: bool | None = None

large_blob_key: bytes | None = None

verify(client_param, public_key)[source]

Verify the digital signature of the response with regard to the client_param, using the given public key.

Parameters:

client_param (bytes) – SHA256 hash of the ClientData used for the request.
public_key (fido2.cose.CoseKey) – The public key of the credential, to verify.

classmethod from_ctap1(app_param, credential, authentication)[source]

Create an AssertionResponse from a CTAP1 SignatureData instance.

Parameters:

app_param (bytes) – SHA256 hash of the RP ID used for the CTAP1 request.
credential (Mapping[str, Any]) – Credential used for the CTAP1 request (from the allowList).
authentication – The CTAP1 signature data.

Returns:

The assertion response.

Return type:

AssertionResponse

class fido2.ctap2.base.Ctap2(device, strict_cbor=True)[source]

Implementation of the CTAP2 specification.

Parameters:

device (fido2.ctap.CtapDevice) – A CtapHidDevice handle supporting CTAP2.
strict_cbor (bool) – Validate that CBOR returned from the Authenticator is canonical, defaults to True.

class CMD[source]

Bases: enum.IntEnum

Enum where members are also (and must be) ints

MAKE_CREDENTIAL = 1

GET_ASSERTION = 2

GET_INFO = 4

CLIENT_PIN = 6

RESET = 7

GET_NEXT_ASSERTION = 8

BIO_ENROLLMENT = 9

CREDENTIAL_MGMT = 10

SELECTION = 11

LARGE_BLOBS = 12

CONFIG = 13

BIO_ENROLLMENT_PRE = 64

CREDENTIAL_MGMT_PRE = 65

device

property info: Info

Get a cached Info object which can be used to determine capabilities.

Return type:: Info
Returns:: The response of calling GetAuthenticatorInfo.

send_cbor(cmd, data=None, *, event=None, on_keepalive=None)[source]

Sends a CBOR message to the device, and waits for a response.

Parameters:

cmd (int) – The command byte of the request.
data (Optional[Mapping[int, Any]]) – The payload to send (to be CBOR encoded).
event (Optional[threading.Event]) – Optional threading.Event used to cancel the request.
on_keepalive (Optional[Callable[[int], None]]) – Optional function called when keep-alive is sent by the authenticator.

Return type:

Mapping[int, Any]

get_info()[source]

CTAP2 getInfo command.

Returns:: Information about the authenticator.
Return type:: Info

client_pin(pin_uv_protocol, sub_cmd, key_agreement=None, pin_uv_param=None, new_pin_enc=None, pin_hash_enc=None, permissions=None, permissions_rpid=None, *, event=None, on_keepalive=None)[source]

CTAP2 clientPin command, used for various PIN operations.

This method is not intended to be called directly. It is intended to be used by an instance of the PinProtocolV1 class.

Parameters:

pin_uv_protocol (int) – The PIN/UV protocol version to use.
sub_cmd (int) – A clientPin sub command.
key_agreement (Optional[Mapping[int, Any]]) – The keyAgreement parameter.
pin_uv_param (Optional[bytes]) – The pinAuth parameter.
new_pin_enc (Optional[bytes]) – The newPinEnc parameter.
pin_hash_enc (Optional[bytes]) – The pinHashEnc parameter.
permissions (Optional[int]) – The permissions parameter.
permissions_rpid (Optional[str]) – The permissions RPID parameter.
event (Optional[threading.Event]) – Optional threading.Event used to cancel the request.
on_keepalive (Optional[Callable[[int], None]]) – Optional callback function to handle keep-alive messages from the authenticator.

Returns:

The response of the command, decoded.

Return type:

Mapping[int, Any]

reset(*, event=None, on_keepalive=None)[source]

CTAP2 reset command, erases all credentials and PIN.

Parameters:

event (Optional[threading.Event]) – Optional threading.Event object used to cancel the request.
on_keepalive (Optional[Callable[[int], None]]) – Optional callback function to handle keep-alive messages from the authenticator.

Return type:

None

make_credential(client_data_hash, rp, user, key_params, exclude_list=None, extensions=None, options=None, pin_uv_param=None, pin_uv_protocol=None, enterprise_attestation=None, *, event=None, on_keepalive=None)[source]

CTAP2 makeCredential operation.

Parameters:

client_data_hash (bytes) – SHA256 hash of the ClientData.
rp (Mapping[str, Any]) – PublicKeyCredentialRpEntity parameters.
user (Mapping[str, Any]) – PublicKeyCredentialUserEntity parameters.
key_params (List[Mapping[str, Any]]) – List of acceptable credential types.
exclude_list (Optional[List[Mapping[str, Any]]]) – Optional list of PublicKeyCredentialDescriptors.
extensions (Optional[Mapping[str, Any]]) – Optional dict of extensions.
options (Optional[Mapping[str, Any]]) – Optional dict of options.
pin_uv_param (Optional[bytes]) – Optional PIN/UV auth parameter.
pin_uv_protocol (Optional[int]) – The version of PIN/UV protocol used, if any.
enterprise_attestation (Optional[int]) – Whether or not to request Enterprise Attestation.
event (Optional[threading.Event]) – Optional threading.Event used to cancel the request.
on_keepalive (Optional[Callable[[int], None]]) – Optional callback function to handle keep-alive messages from the authenticator.

Returns:

The new credential.

Return type:

AttestationResponse

get_assertion(rp_id, client_data_hash, allow_list=None, extensions=None, options=None, pin_uv_param=None, pin_uv_protocol=None, *, event=None, on_keepalive=None)[source]

CTAP2 getAssertion command.

Parameters:

rp_id (str) – The RP ID of the credential.
client_data_hash (bytes) – SHA256 hash of the ClientData used.
allow_list (Optional[List[Mapping[str, Any]]]) – Optional list of PublicKeyCredentialDescriptors.
extensions (Optional[Mapping[str, Any]]) – Optional dict of extensions.
options (Optional[Mapping[str, Any]]) – Optional dict of options.
pin_uv_param (Optional[bytes]) – Optional PIN/UV auth parameter.
pin_uv_protocol (Optional[int]) – The version of PIN/UV protocol used, if any.
event (Optional[threading.Event]) – Optional threading.Event used to cancel the request.
on_keepalive (Optional[Callable[[int], None]]) – Optional callback function to handle keep-alive messages from the authenticator.

Returns:

The new assertion.

Return type:

AssertionResponse

get_next_assertion()[source]

CTAP2 getNextAssertion command.

Returns:: The next available assertion response.
Return type:: AssertionResponse

get_assertions(*args, **kwargs)[source]

Convenience method to get list of assertions.

See get_assertion and get_next_assertion for details.

Return type:: List[AssertionResponse]

credential_mgmt(sub_cmd, sub_cmd_params=None, pin_uv_protocol=None, pin_uv_param=None)[source]

CTAP2 credentialManagement command, used to manage resident credentials.

NOTE: This implements the current draft version of the CTAP2 specification and should be considered highly experimental.

This method is not intended to be called directly. It is intended to be used by an instance of the CredentialManagement class.

Parameters:

sub_cmd (int) – A CredentialManagement sub command.
sub_cmd_params (Optional[Mapping[int, Any]]) – Sub command specific parameters.
pin_uv_protocol (Optional[int]) – PIN/UV auth protocol version used.
pin_uv_param (Optional[bytes]) – PIN/UV Auth parameter.

Return type:

Mapping[int, Any]

bio_enrollment(modality=None, sub_cmd=None, sub_cmd_params=None, pin_uv_protocol=None, pin_uv_param=None, get_modality=None, *, event=None, on_keepalive=None)[source]

CTAP2 bio enrollment command. Used to provision/enumerate/delete bio enrollments in the authenticator.

NOTE: This implements the current draft version of the CTAP2 specification and should be considered highly experimental.

This method is not intended to be called directly. It is intended to be used by an instance of the BioEnrollment class.

Parameters:

modality (Optional[int]) – The user verification modality being used.
sub_cmd (Optional[int]) – A BioEnrollment sub command.
sub_cmd_params (Optional[Mapping[int, Any]]) – Sub command specific parameters.
pin_uv_protocol (Optional[int]) – PIN/UV protocol version used.
pin_uv_param (Optional[bytes]) – PIN/UV auth param.
get_modality (Optional[bool]) – Get the user verification type modality.
event (Optional[threading.Event])
on_keepalive (Optional[Callable[[int], None]])

Return type:

Mapping[int, Any]

selection(*, event=None, on_keepalive=None)[source]

CTAP2 authenticator selection command.

This command allows the platform to let a user select a certain authenticator by asking for user presence.

Parameters:

event (Optional[threading.Event]) – Optional threading.Event used to cancel the request.
on_keepalive (Optional[Callable[[int], None]]) – Optional callback function to handle keep-alive messages from the authenticator.

Return type:

None

large_blobs(offset, get=None, set=None, length=None, pin_uv_param=None, pin_uv_protocol=None)[source]

CTAP2 authenticator large blobs command.

This command is used to read and write the large blob array.

This method is not intended to be called directly. It is intended to be used by an instance of the LargeBlobs class.

Parameters:

offset (int) – The offset of where to start reading/writing data.
get (Optional[int]) – Optional (max) length of data to read.
set (Optional[bytes]) – Optional data to write.
length (Optional[int]) – Length of the payload in set.
pin_uv_protocol (Optional[int]) – PIN/UV protocol version used.
pin_uv_param (Optional[bytes]) – PIN/UV auth param.

Return type:

Mapping[int, Any]

config(sub_cmd, sub_cmd_params=None, pin_uv_protocol=None, pin_uv_param=None)[source]

CTAP2 authenticator config command.

This command is used to configure various authenticator features through the use of its subcommands.

This method is not intended to be called directly. It is intended to be used by an instance of the Config class.

Parameters:

sub_cmd (int) – A Config sub command.
sub_cmd_params (Optional[Mapping[int, Any]]) – Sub command specific parameters.
pin_uv_protocol (Optional[int]) – PIN/UV auth protocol version used.
pin_uv_param (Optional[bytes]) – PIN/UV Auth parameter.

Return type:

Mapping[int, Any]