fido2.ctap2.extensions

Classes

`ExtensionProcessor`	Base class for CTAP2 extension processing.
`RegistrationExtensionProcessor`	Processing state for a CTAP2 extension, for single use.
`AuthenticationExtensionProcessor`	Processing state for a CTAP2 extension, for single use.
`Ctap2Extension`	Base class for CTAP2 extensions.
`HMACGetSecretInput`	Client inputs for hmac-secret.
`HMACGetSecretOutput`	Client outputs for hmac-secret.
`AuthenticatorExtensionsPRFValues`	Salt values for use with prf.
`AuthenticatorExtensionsPRFInputs`	Client inputs for prf.
`AuthenticatorExtensionsPRFOutputs`	Client outputs for prf.
`HmacSecretExtension`	Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions.
`AuthenticatorExtensionsLargeBlobInputs`	Client inputs for largeBlob.
`AuthenticatorExtensionsLargeBlobOutputs`	Client outputs for largeBlob.
`LargeBlobExtension`	Implements the Large Blob storage (largeBlob) WebAuthn extension.
`CredBlobExtension`	Implements the Credential Blob (credBlob) CTAP2 extension.
`CredProtectExtension`	Implements the Credential Protection CTAP2 extension.
`MinPinLengthExtension`	Implements the Minimum PIN Length (minPinLength) CTAP2 extension.
`CredentialPropertiesOutput`	Client outputs for credProps.
`CredPropsExtension`	Implements the Credential Properties (credProps) WebAuthn extension.
`PaymentCurrencyAmount`	A data class with members also accessible as a JSON-serializable Mapping.
`PaymentCredentialInstrument`	A data class with members also accessible as a JSON-serializable Mapping.
`AuthenticationExtensionsPaymentInputs`	Client inputs for payment.
`ThirdPartyPaymentExtension`	Implements the Third Party Payment (thirdPartyPayment) CTAP2.2 extension.

Module Contents

class fido2.ctap2.extensions.ExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]

Bases: abc.ABC

Base class for CTAP2 extension processing.

See: RegistrationExtensionProcessor and AuthenticationExtensionProcessor.

Parameters:

permissions (fido2.ctap2.pin.ClientPin.PERMISSION)
inputs (dict[str, Any] | None)
outputs (dict[str, Any] | None)

permissions

class fido2.ctap2.extensions.RegistrationExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]

Bases: ExtensionProcessor

Processing state for a CTAP2 extension, for single use.

The ExtensionProcessor holds state and logic for client processing of an extension, for a registration (MakeCredential) call.

Parameters:

permissions (fido2.ctap2.pin.ClientPin.PERMISSION) – PinUvAuthToken permissions required by the extension.
inputs (dict[str, Any] | None) – Default authenticator inputs, if prepare_inputs is not overridden.
outputs (dict[str, Any] | None) – Default client outputs, if prepare_outputs is not overridden.

prepare_inputs(pin_token)[source]

Prepare authenticator extension inputs, to be passed to the Authenenticator.

Parameters:: pin_token (bytes | None)
Return type:: dict[str, Any] | None

prepare_outputs(response, pin_token)[source]

Prepare client extension outputs, to be returned to the caller.

Parameters:

response (fido2.ctap2.base.AttestationResponse)
pin_token (bytes | None)

Return type:

dict[str, Any] | None

class fido2.ctap2.extensions.AuthenticationExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]

Bases: ExtensionProcessor

Processing state for a CTAP2 extension, for single use.

The ExtensionProcessor holds state and logic for client processing of an extension, for an authentication (GetAssertion) call.

Parameters:

permissions (fido2.ctap2.pin.ClientPin.PERMISSION) – PinUvAuthToken permissions required by the extension.
inputs (dict[str, Any] | None) – Default authenticator inputs, if prepare_inputs is not overridden.
outputs (dict[str, Any] | None) – Default client outputs, if prepare_outputs is not overridden.

prepare_inputs(selected, pin_token)[source]

Prepare authenticator extension inputs, to be passed to the Authenenticator.

Parameters:

selected (fido2.webauthn.PublicKeyCredentialDescriptor | None)
pin_token (bytes | None)

Return type:

dict[str, Any] | None

prepare_outputs(response, pin_token)[source]

Prepare client extension outputs, to be returned to the caller.

Parameters:

response (fido2.ctap2.base.AssertionResponse)
pin_token (bytes | None)

Return type:

dict[str, Any] | None

class fido2.ctap2.extensions.Ctap2Extension[source]

Bases: abc.ABC

Base class for CTAP2 extensions.

As of python-fido2 1.2 these instances can be used for multiple requests and should be invoked via the make_credential and get_assertion methods. Subclasses are instantiated for a single request, if the Authenticator supports the extension.

abstractmethod is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

Parameters:: ctap (fido2.ctap2.base.Ctap2)
Return type:: bool

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

Parameters:

ctap (fido2.ctap2.base.Ctap2)
options (fido2.webauthn.PublicKeyCredentialCreationOptions)
pin_protocol (fido2.ctap2.pin.PinProtocol | None)

Return type:

RegistrationExtensionProcessor | None

get_assertion(ctap, options, pin_protocol)[source]

Start client extension processing for authentication.

Parameters:

ctap (fido2.ctap2.base.Ctap2)
options (fido2.webauthn.PublicKeyCredentialRequestOptions)
pin_protocol (fido2.ctap2.pin.PinProtocol | None)

Return type:

AuthenticationExtensionProcessor | None

class fido2.ctap2.extensions.HMACGetSecretInput[source]

Bases: fido2.utils._JsonDataObject

Client inputs for hmac-secret.

salt1: bytes

salt2: bytes | None = None

class fido2.ctap2.extensions.HMACGetSecretOutput[source]

Bases: fido2.utils._JsonDataObject

Client outputs for hmac-secret.

output1: bytes

output2: bytes | None = None

class fido2.ctap2.extensions.AuthenticatorExtensionsPRFValues[source]

Bases: fido2.utils._JsonDataObject

Salt values for use with prf.

first: bytes

second: bytes | None = None

class fido2.ctap2.extensions.AuthenticatorExtensionsPRFInputs[source]

Bases: fido2.utils._JsonDataObject

Client inputs for prf.

eval: AuthenticatorExtensionsPRFValues | None = None

eval_by_credential: Mapping[str, AuthenticatorExtensionsPRFValues] | None = None

class fido2.ctap2.extensions.AuthenticatorExtensionsPRFOutputs[source]

Bases: fido2.utils._JsonDataObject

Client outputs for prf.

enabled: bool | None = None

results: AuthenticatorExtensionsPRFValues | None = None

class fido2.ctap2.extensions.HmacSecretExtension(allow_hmac_secret=False)[source]

Bases: Ctap2Extension

Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions.

The hmac-secret extension is not directly available to clients by default, instead the prf extension is used.

https://www.w3.org/TR/webauthn-3/#prf-extension

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-hmac-secret-extension

Parameters:: allow_hmac_secret – Set to True to allow hmac-secret, in addition to prf.

NAME = 'hmac-secret'

MC_NAME = 'hmac-secret-mc'

SALT_LEN = 32

is_supported(ctap)[source]: Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]: Start client extension processing for registration.

get_assertion(ctap, options, pin_protocol)[source]: Start client extension processing for authentication.

class fido2.ctap2.extensions.AuthenticatorExtensionsLargeBlobInputs[source]

Bases: fido2.utils._JsonDataObject

Client inputs for largeBlob.

support: str | None = None

read: bool | None = None

write: bytes | None = None

class fido2.ctap2.extensions.AuthenticatorExtensionsLargeBlobOutputs[source]

Bases: fido2.utils._JsonDataObject

Client outputs for largeBlob.

supported: bool | None = None

blob: bytes | None = None

written: bool | None = None

class fido2.ctap2.extensions.LargeBlobExtension[source]

Bases: Ctap2Extension

Implements the Large Blob storage (largeBlob) WebAuthn extension.

https://www.w3.org/TR/webauthn-3/#sctn-large-blob-extension

NAME = 'largeBlobKey'

is_supported(ctap)[source]: Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]: Start client extension processing for registration.

get_assertion(ctap, options, pin_protocol)[source]: Start client extension processing for authentication.

class fido2.ctap2.extensions.CredBlobExtension[source]

Bases: Ctap2Extension

Implements the Credential Blob (credBlob) CTAP2 extension.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-credBlob-extension

NAME = 'credBlob'

is_supported(ctap)[source]: Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]: Start client extension processing for registration.

get_assertion(ctap, options, pin_protocol)[source]: Start client extension processing for authentication.

class fido2.ctap2.extensions.CredProtectExtension[source]

Bases: Ctap2Extension

Implements the Credential Protection CTAP2 extension.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-credProtect-extension

class POLICY(*args, **kwds)[source]

Bases: enum.Enum

Create a collection of name/value pairs.

Example enumeration:

>>> class Color(Enum):
...     RED = 1
...     BLUE = 2
...     GREEN = 3

Access them by:

attribute access:
```
>>> Color.RED
<Color.RED: 1>
```
value lookup:
```
>>> Color(1)
<Color.RED: 1>
```
name lookup:
```
>>> Color['RED']
<Color.RED: 1>
```

Enumerations can be iterated over, and know how many members they have:

>>> len(Color)
3

>>> list(Color)
[<Color.RED: 1>, <Color.BLUE: 2>, <Color.GREEN: 3>]

Methods can be added to enumerations, and members can have their own attributes – see the documentation for details.

OPTIONAL = 'userVerificationOptional'

OPTIONAL_WITH_LIST = 'userVerificationOptionalWithCredentialIDList'

REQUIRED = 'userVerificationRequired'

NAME = 'credProtect'

is_supported(ctap)[source]: Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]: Start client extension processing for registration.

class fido2.ctap2.extensions.MinPinLengthExtension[source]

Bases: Ctap2Extension

Implements the Minimum PIN Length (minPinLength) CTAP2 extension.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-minpinlength-extension

NAME = 'minPinLength'

is_supported(ctap)[source]: Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]: Start client extension processing for registration.

class fido2.ctap2.extensions.CredentialPropertiesOutput[source]

Bases: fido2.utils._JsonDataObject

Client outputs for credProps.

rk: bool | None = None

class fido2.ctap2.extensions.CredPropsExtension[source]

Bases: Ctap2Extension

Implements the Credential Properties (credProps) WebAuthn extension.

https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension

NAME = 'credProps'

is_supported(ctap)[source]: Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]: Start client extension processing for registration.

class fido2.ctap2.extensions.PaymentCurrencyAmount[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

currency: str

value: str

class fido2.ctap2.extensions.PaymentCredentialInstrument[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

display_name: str

icon: str

icon_must_be_shown: bool = True

class fido2.ctap2.extensions.AuthenticationExtensionsPaymentInputs[source]

Bases: fido2.utils._JsonDataObject

Client inputs for payment.

is_payment: bool | None = None

rp_id: str | None = None

top_origin: str | None = None

payee_name: str | None = None

payee_origin: str | None = None

total: PaymentCurrencyAmount | None = None

instrument: PaymentCredentialInstrument | None = None

class fido2.ctap2.extensions.ThirdPartyPaymentExtension[source]

Bases: Ctap2Extension

Implements the Third Party Payment (thirdPartyPayment) CTAP2.2 extension.

https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-thirdPartyPayment-extension

Note that most of the processing for the WebAuthn extension needs to be done by the client, see: https://www.w3.org/TR/secure-payment-confirmation/#sctn-collectedclientpaymentdata-dictionary

As such, this extension is not included in the default extensions list, and should not be used without a client that supports the WebAuthn payment extension.

NAME = 'thirdPartyPayment'

is_supported(ctap)[source]: Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]: Start client extension processing for registration.

get_assertion(ctap, options, pin_protocol)[source]: Start client extension processing for authentication.