fido2.ctap2.extensions
Classes
ExtensionProcessor | Base class for CTAP2 extension processing.
RegistrationExtensionProcessor | Processing state for a CTAP2 extension, for single use.
AuthenticationExtensionProcessor | Processing state for a CTAP2 extension, for single use.
Ctap2Extension | Base class for CTAP2 extensions.
HMACGetSecretInput | Client inputs for hmac-secret.
HMACGetSecretOutput | Client outputs for hmac-secret.
AuthenticatorExtensionsPRFValues | Salt values for use with prf.
AuthenticatorExtensionsPRFInputs | Client inputs for prf.
AuthenticatorExtensionsPRFOutputs | Client outputs for prf.
HmacSecretExtension | Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions.
AuthenticatorExtensionsLargeBlobInputs | Client inputs for largeBlob.
AuthenticatorExtensionsLargeBlobOutputs | Client outputs for largeBlob.
LargeBlobExtension | Implements the Large Blob storage (largeBlob) WebAuthn extension.
CredBlobExtension | Implements the Credential Blob (credBlob) CTAP2 extension.
CredProtectExtension | Implements the Credential Protection CTAP2 extension.
MinPinLengthExtension | Implements the Minimum PIN Length (minPinLength) CTAP2 extension.
CredentialPropertiesOutput | Client outputs for credProps.
CredPropsExtension | Implements the Credential Properties (credProps) WebAuthn extension.
PaymentCurrencyAmount | A data class with members also accessible as a JSON-serializable Mapping.
PaymentCredentialInstrument | A data class with members also accessible as a JSON-serializable Mapping.
AuthenticationExtensionsPaymentInputs | Client inputs for payment.
ThirdPartyPaymentExtension | Implements the Third Party Payment (thirdPartyPayment) CTAP2.2 extension.
Module Contents
- class fido2.ctap2.extensions.ExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]
Bases:
abc.ABC
Base class for CTAP2 extension processing.
See: RegistrationExtensionProcessor and AuthenticationExtensionProcessor.
- Parameters:
permissions (fido2.ctap2.pin.ClientPin.PERMISSION)
- permissions
- class fido2.ctap2.extensions.RegistrationExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]
Bases:
ExtensionProcessor
Processing state for a CTAP2 extension, for single use.
The ExtensionProcessor holds state and logic for client processing of an extension, for a registration (MakeCredential) call.
- Parameters:
permissions (fido2.ctap2.pin.ClientPin.PERMISSION) – PinUvAuthToken permissions required by the extension.
inputs (dict[str, Any] | None) – Default authenticator inputs, if prepare_inputs is not overridden.
outputs (dict[str, Any] | None) – Default client outputs, if prepare_outputs is not overridden.
- class fido2.ctap2.extensions.AuthenticationExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]
Bases:
ExtensionProcessor
Processing state for a CTAP2 extension, for single use.
The ExtensionProcessor holds state and logic for client processing of an extension, for an authentication (GetAssertion) call.
- Parameters:
permissions (fido2.ctap2.pin.ClientPin.PERMISSION) – PinUvAuthToken permissions required by the extension.
inputs (dict[str, Any] | None) – Default authenticator inputs, if prepare_inputs is not overridden.
outputs (dict[str, Any] | None) – Default client outputs, if prepare_outputs is not overridden.
- prepare_inputs(selected, pin_token)[source]
Prepare authenticator extension inputs, to be passed to the Authenticator.
- Parameters:
selected (fido2.webauthn.PublicKeyCredentialDescriptor | None)
pin_token (bytes | None)
- Return type:
- class fido2.ctap2.extensions.Ctap2Extension[source]
Bases:
abc.ABC
Base class for CTAP2 extensions.
As of python-fido2 1.2 these instances can be used for multiple requests and should be invoked via the make_credential and get_assertion methods. Subclasses are instantiated for a single request, if the Authenticator supports the extension.
- abstractmethod is_supported(ctap)[source]
Whether or not the extension is supported by the authenticator.
- Parameters:
ctap (fido2.ctap2.base.Ctap2)
- Return type:
- make_credential(ctap, options, pin_protocol)[source]
Start client extension processing for registration.
- Parameters:
ctap (fido2.ctap2.base.Ctap2)
pin_protocol (fido2.ctap2.pin.PinProtocol | None)
- Return type:
- get_assertion(ctap, options, pin_protocol)[source]
Start client extension processing for authentication.
- Parameters:
ctap (fido2.ctap2.base.Ctap2)
pin_protocol (fido2.ctap2.pin.PinProtocol | None)
- Return type:
- class fido2.ctap2.extensions.HMACGetSecretInput[source]
Bases:
fido2.utils._JsonDataObject
Client inputs for hmac-secret.
- class fido2.ctap2.extensions.HMACGetSecretOutput[source]
Bases:
fido2.utils._JsonDataObject
Client outputs for hmac-secret.
- class fido2.ctap2.extensions.AuthenticatorExtensionsPRFValues[source]
Bases:
fido2.utils._JsonDataObject
Salt values for use with prf.
- class fido2.ctap2.extensions.AuthenticatorExtensionsPRFInputs[source]
Bases:
fido2.utils._JsonDataObject
Client inputs for prf.
- eval: AuthenticatorExtensionsPRFValues | None = None
- eval_by_credential: Mapping[str, AuthenticatorExtensionsPRFValues] | None = None
- class fido2.ctap2.extensions.AuthenticatorExtensionsPRFOutputs[source]
Bases:
fido2.utils._JsonDataObject
Client outputs for prf.
- results: AuthenticatorExtensionsPRFValues | None = None
- class fido2.ctap2.extensions.HmacSecretExtension(allow_hmac_secret=False)[source]
Bases:
Ctap2Extension
Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions.
The hmac-secret extension is not directly available to clients by default, instead the prf extension is used.
https://www.w3.org/TR/webauthn-3/#prf-extension
- Parameters:
allow_hmac_secret – Set to True to allow hmac-secret, in addition to prf.
- NAME = 'hmac-secret'
- MC_NAME = 'hmac-secret-mc'
- SALT_LEN = 32
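The relationship between prf and hmac-secret described above, as an added example that is not python-fido2's own code: per the WebAuthn prf extension, the client hashes each PRF input with a fixed context string into a 32-byte hmac-secret salt, so a web caller cannot evaluate the underlying hmac-secret function on arbitrary salts. The helper names and sample values are assumptions, and the PIN/UV protocol encryption of the salts on the wire is omitted.

```python
import base64
import hashlib
import hmac
from typing import Optional

SALT_LEN = 32  # same value as HmacSecretExtension.SALT_LEN


def b64url(data: bytes) -> str:
    """Unpadded base64url, the key format of evalByCredential."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def prf_salt(prf_input: bytes) -> bytes:
    """hmac-secret salt = SHA-256("WebAuthn PRF" || 0x00 || input)."""
    return hashlib.sha256(b"WebAuthn PRF\x00" + prf_input).digest()


def select_salts(prf_inputs: dict, selected_cred_id: Optional[bytes]):
    """Prefer the evalByCredential entry for the selected credential, else eval."""
    by_cred = prf_inputs.get("evalByCredential") or {}
    values = by_cred.get(b64url(selected_cred_id)) if selected_cred_id else None
    values = values or prf_inputs.get("eval")
    if values is None:
        return None  # no prf evaluation requested
    salts = [prf_salt(values["first"])]
    if values.get("second") is not None:
        salts.append(prf_salt(values["second"]))
    return tuple(salts)


def authenticator_outputs(cred_random: bytes, salts):
    """Stand-in for the authenticator: HMAC-SHA-256(CredRandom, salt)."""
    return tuple(hmac.new(cred_random, s, hashlib.sha256).digest() for s in salts)


# Constructed sample values, not taken from any real credential.
CRED_A, CRED_B = b"\x01" * 16, b"\x02" * 16
CRED_RANDOM = b"\x11" * 32
INPUTS = {
    "eval": {"first": b"app-default"},
    "evalByCredential": {b64url(CRED_B): {"first": b"vault", "second": b"vault-next"}},
}

if __name__ == "__main__":
    for cred in (CRED_A, CRED_B):
        salts = select_salts(INPUTS, cred)
        print(b64url(cred), [o.hex() for o in authenticator_outputs(CRED_RANDOM, salts)])
```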
- class fido2.ctap2.extensions.AuthenticatorExtensionsLargeBlobInputs[source]
Bases:
fido2.utils._JsonDataObject
Client inputs for largeBlob.
- class fido2.ctap2.extensions.AuthenticatorExtensionsLargeBlobOutputs[source]
Bases:
fido2.utils._JsonDataObject
Client outputs for largeBlob.
- class fido2.ctap2.extensions.LargeBlobExtension[source]
Bases:
Ctap2Extension
Implements the Large Blob storage (largeBlob) WebAuthn extension.
https://www.w3.org/TR/webauthn-3/#sctn-large-blob-extension
- NAME = 'largeBlobKey'
- class fido2.ctap2.extensions.CredBlobExtension[source]
Bases:
Ctap2Extension
Implements the Credential Blob (credBlob) CTAP2 extension.
- NAME = 'credBlob'
- class fido2.ctap2.extensions.CredProtectExtension[source]
Bases:
Ctap2Extension
Implements the Credential Protection CTAP2 extension.
- class POLICY(*args, **kwds)[source]
Bases:
enum.Enum
- OPTIONAL = 'userVerificationOptional'
- OPTIONAL_WITH_LIST = 'userVerificationOptionalWithCredentialIDList'
- REQUIRED = 'userVerificationRequired'
- NAME = 'credProtect'
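What the three POLICY values mean in practice, as an added example that is not python-fido2's own code: the CTAP2 credProtect levels (wire values 1 to 3) decide whether a credential may be used in GetAssertion without user verification, and a relying party can check that the level echoed in the authenticator extension outputs is at least the one it asked for. `CredProtectLevel`, `usable_in_assertion` and `rp_accepts` are hypothetical names.

```python
from enum import IntEnum
from typing import Mapping, Optional


class CredProtectLevel(IntEnum):
    """CTAP2 wire values for the three POLICY names listed above."""
    OPTIONAL = 1            # userVerificationOptional
    OPTIONAL_WITH_LIST = 2  # userVerificationOptionalWithCredentialIDList
    REQUIRED = 3            # userVerificationRequired


def usable_in_assertion(level, uv_performed: bool, in_allow_list: bool) -> bool:
    """May the authenticator use a credential with this level in GetAssertion?"""
    level = CredProtectLevel(level)
    if uv_performed or level is CredProtectLevel.OPTIONAL:
        return True  # UV satisfies every level; level 1 adds no restriction
    if level is CredProtectLevel.OPTIONAL_WITH_LIST:
        # Without UV, usable only when the caller already knows the credential ID.
        return in_allow_list
    return False  # REQUIRED: never usable without UV


def rp_accepts(ext_outputs: Optional[Mapping], required) -> bool:
    """Registration check: the echoed level must be at least the required one.

    A missing or unknown value is treated as the extension being ignored.
    """
    if not ext_outputs or "credProtect" not in ext_outputs:
        return False
    try:
        got = CredProtectLevel(ext_outputs["credProtect"])
    except ValueError:
        return False
    return got >= CredProtectLevel(required)


if __name__ == "__main__":
    for lvl in CredProtectLevel:
        row = [usable_in_assertion(lvl, uv, al)
               for uv in (False, True) for al in (False, True)]
        print(lvl.name, row)
```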
- class fido2.ctap2.extensions.MinPinLengthExtension[source]
Bases:
Ctap2Extension
Implements the Minimum PIN Length (minPinLength) CTAP2 extension.
- NAME = 'minPinLength'
- class fido2.ctap2.extensions.CredentialPropertiesOutput[source]
Bases:
fido2.utils._JsonDataObject
Client outputs for credProps.
- class fido2.ctap2.extensions.CredPropsExtension[source]
Bases:
Ctap2Extension
Implements the Credential Properties (credProps) WebAuthn extension.
https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension
- NAME = 'credProps'
- class fido2.ctap2.extensions.PaymentCurrencyAmount[source]
Bases:
fido2.utils._JsonDataObject
A data class with members also accessible as a JSON-serializable Mapping.
- class fido2.ctap2.extensions.PaymentCredentialInstrument[source]
Bases:
fido2.utils._JsonDataObject
A data class with members also accessible as a JSON-serializable Mapping.
- class fido2.ctap2.extensions.AuthenticationExtensionsPaymentInputs[source]
Bases:
fido2.utils._JsonDataObject
Client inputs for payment.
- total: PaymentCurrencyAmount | None = None
- instrument: PaymentCredentialInstrument | None = None
- class fido2.ctap2.extensions.ThirdPartyPaymentExtension[source]
Bases:
Ctap2Extension
Implements the Third Party Payment (thirdPartyPayment) CTAP2.2 extension.
Note that most of the processing for the WebAuthn extension needs to be done by the client, see: https://www.w3.org/TR/secure-payment-confirmation/#sctn-collectedclientpaymentdata-dictionary
As such, this extension is not included in the default extensions list, and should not be used without a client that supports the WebAuthn payment extension.
- NAME = 'thirdPartyPayment'