fido2.ctap2.extensions
Classes
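- ExtensionProcessor: Base class for CTAP2 extension processing.
- RegistrationExtensionProcessor: Processing state for a CTAP2 extension, for single use.
- AuthenticationExtensionProcessor: Processing state for a CTAP2 extension, for single use.
- Ctap2Extension: Base class for CTAP2 extensions.
- HMACGetSecretInput: Client inputs for hmac-secret.
- HMACGetSecretOutput: Client outputs for hmac-secret.
- AuthenticatorExtensionsPRFValues: Salt values for use with prf.
- AuthenticatorExtensionsPRFInputs: Client inputs for prf.
- AuthenticatorExtensionsPRFOutputs: Client outputs for prf.
- HmacSecretExtension: Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions.
- AuthenticatorExtensionsLargeBlobInputs: Client inputs for largeBlob.
- AuthenticatorExtensionsLargeBlobOutputs: Client outputs for largeBlob.
- LargeBlobExtension: Implements the Large Blob storage (largeBlob) WebAuthn extension.
- CredBlobExtension: Implements the Credential Blob (credBlob) CTAP2 extension.
- CredProtectExtension: Implements the Credential Protection CTAP2 extension.
- MinPinLengthExtension: Implements the Minimum PIN Length (minPinLength) CTAP2 extension.
- CredentialPropertiesOutput: Client outputs for credProps.
- CredPropsExtension: Implements the Credential Properties (credProps) WebAuthn extension.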
Module Contents
- class fido2.ctap2.extensions.ExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]
Bases:
abc.ABC
Base class for CTAP2 extension processing.
See: RegistrationExtensionProcessor and AuthenticationExtensionProcessor.
- Parameters:
permissions (fido2.ctap2.pin.ClientPin.PERMISSION)
inputs (Optional[Dict[str, Any]])
outputs (Optional[Dict[str, Any]])
- permissions
- class fido2.ctap2.extensions.RegistrationExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]
Bases:
ExtensionProcessor
Processing state for a CTAP2 extension, for single use.
The ExtensionProcessor holds state and logic for client processing of an extension, for a registration (MakeCredential) call.
- Parameters:
permissions (fido2.ctap2.pin.ClientPin.PERMISSION) – PinUvAuthToken permissions required by the extension.
inputs (Optional[Dict[str, Any]]) – Default authenticator inputs, if prepare_inputs is not overridden.
outputs (Optional[Dict[str, Any]]) – Default client outputs, if prepare_outputs is not overridden.
- prepare_inputs(pin_token)[source]
Prepare authenticator extension inputs, to be passed to the Authenticator.
- prepare_outputs(response, pin_token)[source]
Prepare client extension outputs, to be returned to the caller.
- Parameters:
response (fido2.ctap2.base.AttestationResponse)
pin_token (Optional[bytes])
- Return type:
Optional[Dict[str, Any]]
- class fido2.ctap2.extensions.AuthenticationExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]
Bases:
ExtensionProcessor
Processing state for a CTAP2 extension, for single use.
The ExtensionProcessor holds state and logic for client processing of an extension, for an authentication (GetAssertion) call.
- Parameters:
permissions (fido2.ctap2.pin.ClientPin.PERMISSION) – PinUvAuthToken permissions required by the extension.
inputs (Optional[Dict[str, Any]]) – Default authenticator inputs, if prepare_inputs is not overridden.
outputs (Optional[Dict[str, Any]]) – Default client outputs, if prepare_outputs is not overridden.
- prepare_inputs(selected, pin_token)[source]
Prepare authenticator extension inputs, to be passed to the Authenticator.
- Parameters:
selected (Optional[fido2.webauthn.PublicKeyCredentialDescriptor])
pin_token (Optional[bytes])
- Return type:
Optional[Dict[str, Any]]
- prepare_outputs(response, pin_token)[source]
Prepare client extension outputs, to be returned to the caller.
- Parameters:
response (fido2.ctap2.base.AssertionResponse)
pin_token (Optional[bytes])
- Return type:
Optional[Dict[str, Any]]
- class fido2.ctap2.extensions.Ctap2Extension(ctap=None)[source]
Bases:
abc.ABC
Base class for CTAP2 extensions.
As of python-fido2 1.2 these instances can be used for multiple requests and should be invoked via the make_credential and get_assertion methods. Subclasses are instantiated for a single request, if the Authenticator supports the extension.
- From python-fido2 2.0 the following methods will be fully removed:
get_create_permissions, process_create_input, process_create_output, process_create_input_with_permissions, get_get_permissions, process_get_input, process_get_output, process_get_input_with_permissions.
- The following changes will also be made:
__init__() will no longer allow passing a ctap2 instance.
is_supported() will require a ctap2 instance to be passed.
NAME and ctap will be removed.
- Parameters:
ctap (Optional[fido2.ctap2.base.Ctap2])
- property ctap: fido2.ctap2.base.Ctap2
- Return type:
- is_supported(ctap=None)[source]
Whether or not the extension is supported by the authenticator.
- Parameters:
ctap (Optional[fido2.ctap2.base.Ctap2])
- Return type:
- make_credential(ctap, options, pin_protocol)[source]
Start client extension processing for registration.
- Parameters:
ctap (fido2.ctap2.base.Ctap2)
pin_protocol (Optional[fido2.ctap2.pin.PinProtocol])
- Return type:
Optional[RegistrationExtensionProcessor]
- get_assertion(ctap, options, pin_protocol)[source]
Start client extension processing for authentication.
- Parameters:
ctap (fido2.ctap2.base.Ctap2)
pin_protocol (Optional[fido2.ctap2.pin.PinProtocol])
- Return type:
Optional[AuthenticationExtensionProcessor]
- get_create_permissions(inputs)[source]
Get PinUvAuthToken permissions required for Registration.
Deprecated since version 1.2.0: Implement make_credential() instead.
- Parameters:
inputs (Dict[str, Any])
- Return type:
- process_create_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- Parameters:
inputs (Dict[str, Any])
- Return type:
Any
- process_create_input_with_permissions(inputs)[source]
Deprecated since version 1.2.0: Implement make_credential() instead.
- Parameters:
inputs (Dict[str, Any])
- Return type:
Tuple[Any, fido2.ctap2.pin.ClientPin.PERMISSION]
- process_create_output(attestation_response, token, pin_protocol)[source]
Return client extension output given attestation_response, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- Parameters:
attestation_response (fido2.ctap2.base.AttestationResponse)
token (Optional[bytes])
pin_protocol (Optional[fido2.ctap2.pin.PinProtocol])
- Return type:
Optional[Dict[str, Any]]
- get_get_permissions(inputs)[source]
Deprecated since version 1.2.0: Implement get_assertion() instead.
- Parameters:
inputs (Dict[str, Any])
- Return type:
- process_get_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement get_assertion() instead.
- Parameters:
inputs (Dict[str, Any])
- Return type:
Any
- process_get_input_with_permissions(inputs)[source]
Deprecated since version 1.2.0: Implement get_assertion() instead.
- Parameters:
inputs (Dict[str, Any])
- Return type:
Tuple[Any, fido2.ctap2.pin.ClientPin.PERMISSION]
- process_get_output(assertion_response, token, pin_protocol)[source]
Return client extension output given assertion_response, or None.
Deprecated since version 1.2.0: Implement get_assertion() instead.
- Parameters:
assertion_response (fido2.ctap2.base.AssertionResponse)
token (Optional[bytes])
pin_protocol (Optional[fido2.ctap2.pin.PinProtocol])
- Return type:
Optional[Dict[str, Any]]
- class fido2.ctap2.extensions.HMACGetSecretInput[source]
Bases:
fido2.utils._JsonDataObject
Client inputs for hmac-secret.
- class fido2.ctap2.extensions.HMACGetSecretOutput[source]
Bases:
fido2.utils._JsonDataObject
Client outputs for hmac-secret.
- class fido2.ctap2.extensions.AuthenticatorExtensionsPRFValues[source]
Bases:
fido2.utils._JsonDataObject
Salt values for use with prf.
- class fido2.ctap2.extensions.AuthenticatorExtensionsPRFInputs[source]
Bases:
fido2.utils._JsonDataObject
Client inputs for prf.
- eval: AuthenticatorExtensionsPRFValues | None = None
- eval_by_credential: Mapping[str, AuthenticatorExtensionsPRFValues] | None = None
- class fido2.ctap2.extensions.AuthenticatorExtensionsPRFOutputs[source]
Bases:
fido2.utils._JsonDataObject
Client outputs for prf.
- results: AuthenticatorExtensionsPRFValues | None = None
- class fido2.ctap2.extensions.HmacSecretExtension(ctap=None, pin_protocol=None, allow_hmac_secret=False)[source]
Bases:
Ctap2Extension
Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions.
By default, the hmac-secret extension is not directly available to clients; the prf extension is used instead.
https://www.w3.org/TR/webauthn-3/#prf-extension
- Parameters:
allow_hmac_secret – Set to True to allow hmac-secret, in addition to prf.
- NAME = 'hmac-secret'
- SALT_LEN = 32
- pin_protocol
- make_credential(ctap, options, pin_protocol)[source]
Start client extension processing for registration.
- get_assertion(ctap, options, pin_protocol)[source]
Start client extension processing for authentication.
- process_create_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- process_create_output(attestation_response, *args, **kwargs)[source]
Return client extension output given attestation_response, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- process_get_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement get_assertion() instead.
- process_get_output(assertion_response, *args, **kwargs)[source]
Return client extension output given assertion_response, or None.
Deprecated since version 1.2.0: Implement get_assertion() instead.
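How prf client inputs become hmac-secret salts, as an added standard-library example (not python-fido2 code): the WebAuthn prf extension hashes each input with a fixed prefix, so a relying party can never request the HMAC of a raw salt that another hmac-secret user (for example local login) depends on. The credential IDs, inputs and CredRandom are constructed, the `first`/`second` and `evalByCredential` names follow the WebAuthn specification, and the PIN/UV protocol encryption of salts in transit is left out.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

SALT_LEN = 32  # same value as HmacSecretExtension.SALT_LEN above


def b64url(data: bytes) -> str:
    """Unpadded base64url, the key format used by evalByCredential."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def prf_salt(value: bytes) -> bytes:
    """WebAuthn prf: salt = SHA-256("WebAuthn PRF" || 0x00 || input)."""
    return hashlib.sha256(b"WebAuthn PRF\x00" + value).digest()


def select_salts(prf: dict, selected_id: Optional[bytes]) -> Optional[Tuple[bytes, ...]]:
    """Choose the prf values for the selected credential, then derive salts.

    An evalByCredential entry for the selected credential wins over eval.
    """
    values = None
    if selected_id is not None:
        values = (prf.get("evalByCredential") or {}).get(b64url(selected_id))
    if values is None:
        values = prf.get("eval")
    if values is None:
        return None  # no prf evaluation requested
    salts = [prf_salt(values["first"])]
    if values.get("second") is not None:
        salts.append(prf_salt(values["second"]))
    return tuple(salts)


def simulated_authenticator(cred_random: bytes, salts) -> Tuple[bytes, ...]:
    """Stand-in for the device: output_i = HMAC-SHA-256(CredRandom, salt_i)."""
    return tuple(hmac.new(cred_random, s, hashlib.sha256).digest() for s in salts)


if __name__ == "__main__":
    cred_a = b"constructed-cred-A"  # constructed credential ID
    prf_inputs = {
        "eval": {"first": b"default"},
        "evalByCredential": {b64url(cred_a): {"first": b"vault", "second": b"rotate"}},
    }
    salts = select_salts(prf_inputs, cred_a)
    print([o.hex() for o in simulated_authenticator(bytes(32), salts)])
```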
- class fido2.ctap2.extensions.AuthenticatorExtensionsLargeBlobInputs[source]
Bases:
fido2.utils._JsonDataObject
Client inputs for largeBlob.
- class fido2.ctap2.extensions.AuthenticatorExtensionsLargeBlobOutputs[source]
Bases:
fido2.utils._JsonDataObject
Client outputs for largeBlob.
- class fido2.ctap2.extensions.LargeBlobExtension(ctap=None)[source]
Bases:
Ctap2Extension
Implements the Large Blob storage (largeBlob) WebAuthn extension.
https://www.w3.org/TR/webauthn-3/#sctn-large-blob-extension
- Parameters:
ctap (Optional[fido2.ctap2.base.Ctap2])
- NAME = 'largeBlobKey'
- make_credential(ctap, options, pin_protocol)[source]
Start client extension processing for registration.
- get_assertion(ctap, options, pin_protocol)[source]
Start client extension processing for authentication.
- process_create_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- process_create_output(attestation_response, *args, **kwargs)[source]
Return client extension output given attestation_response, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- get_get_permissions(inputs)[source]
Deprecated since version 1.2.0: Implement get_assertion() instead.
- process_get_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement get_assertion() instead.
- process_get_output(assertion_response, token, pin_protocol)[source]
Return client extension output given assertion_response, or None.
Deprecated since version 1.2.0: Implement get_assertion() instead.
- class fido2.ctap2.extensions.CredBlobExtension(ctap=None)[source]
Bases:
Ctap2Extension
Implements the Credential Blob (credBlob) CTAP2 extension.
- Parameters:
ctap (Optional[fido2.ctap2.base.Ctap2])
- NAME = 'credBlob'
- make_credential(ctap, options, pin_protocol)[source]
Start client extension processing for registration.
- get_assertion(ctap, options, pin_protocol)[source]
Start client extension processing for authentication.
- process_create_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- process_get_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement get_assertion() instead.
- class fido2.ctap2.extensions.CredProtectExtension(ctap=None)[source]
Bases:
Ctap2Extension
Implements the Credential Protection CTAP2 extension.
- Parameters:
ctap (Optional[fido2.ctap2.base.Ctap2])
- class POLICY(*args, **kwds)[source]
Bases:
enum.Enum
- OPTIONAL = 'userVerificationOptional'
- OPTIONAL_WITH_LIST = 'userVerificationOptionalWithCredentialIDList'
- REQUIRED = 'userVerificationRequired'
- NAME = 'credProtect'
- make_credential(ctap, options, pin_protocol)[source]
Start client extension processing for registration.
- process_create_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- class fido2.ctap2.extensions.MinPinLengthExtension(ctap=None)[source]
Bases:
Ctap2Extension
Implements the Minimum PIN Length (minPinLength) CTAP2 extension.
- Parameters:
ctap (Optional[fido2.ctap2.base.Ctap2])
- NAME = 'minPinLength'
- make_credential(ctap, options, pin_protocol)[source]
Start client extension processing for registration.
- process_create_input(inputs)[source]
Returns a value to include in the authenticator extension input, or None.
Deprecated since version 1.2.0: Implement make_credential() instead.
- class fido2.ctap2.extensions.CredentialPropertiesOutput[source]
Bases:
fido2.utils._JsonDataObject
Client outputs for credProps.
- class fido2.ctap2.extensions.CredPropsExtension(ctap=None)[source]
Bases:
Ctap2Extension
Implements the Credential Properties (credProps) WebAuthn extension.
https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension
- Parameters:
ctap (Optional[fido2.ctap2.base.Ctap2])
- NAME = 'credProps'