fido2.mds3

Attributes

EntryFilter

LookupFilter

Classes

Version

A data class with members also accessible as a JSON-serializable Mapping.

RogueListEntry

A data class with members also accessible as a JSON-serializable Mapping.

BiometricStatusReport

A data class with members also accessible as a JSON-serializable Mapping.

CodeAccuracyDescriptor

A data class with members also accessible as a JSON-serializable Mapping.

BiometricAccuracyDescriptor

A data class with members also accessible as a JSON-serializable Mapping.

PatternAccuracyDescriptor

A data class with members also accessible as a JSON-serializable Mapping.

VerificationMethodDescriptor

A data class with members also accessible as a JSON-serializable Mapping.

RgbPaletteEntry

A data class with members also accessible as a JSON-serializable Mapping.

DisplayPngCharacteristicsDescriptor

A data class with members also accessible as a JSON-serializable Mapping.

EcdaaTrustAnchor

A data class with members also accessible as a JSON-serializable Mapping.

AuthenticatorStatus

Status of an Authenticator.

StatusReport

A data class with members also accessible as a JSON-serializable Mapping.

ExtensionDescriptor

A data class with members also accessible as a JSON-serializable Mapping.

MetadataStatement

A data class with members also accessible as a JSON-serializable Mapping.

MetadataBlobPayloadEntry

A data class with members also accessible as a JSON-serializable Mapping.

MetadataBlobPayload

A data class with members also accessible as a JSON-serializable Mapping.

MdsAttestationVerifier

MDS3 implementation of an AttestationVerifier.

Functions

filter_revoked(entry)

Filters out any revoked metadata entry.

filter_attestation_key_compromised(entry, ...)

Denies any attestation that has a compromised attestation key.

parse_blob(blob, trust_root)

Parses a FIDO MDS3 blob and verifies its signature.

Module Contents

class fido2.mds3.Version[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

major: int
minor: int
class fido2.mds3.RogueListEntry[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

sk: bytes
date: int
class fido2.mds3.BiometricStatusReport[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

cert_level: int
modality: str
effective_date: int
certification_descriptor: str
certificate_number: str
certification_policy_version: str
certification_requirements_version: str
class fido2.mds3.CodeAccuracyDescriptor[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

base: int
min_length: int
max_retries: int | None = None
block_slowdown: int | None = None
class fido2.mds3.BiometricAccuracyDescriptor[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

self_attested_frr: float | None
self_attested_far: float | None
max_templates: int | None = None
max_retries: int | None = None
block_slowdown: int | None = None
class fido2.mds3.PatternAccuracyDescriptor[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

min_complexity: int
max_retries: int | None = None
block_slowdown: int | None = None
class fido2.mds3.VerificationMethodDescriptor[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

user_verification_method: str | None = None
ca_desc: CodeAccuracyDescriptor | None = None
ba_desc: BiometricAccuracyDescriptor | None = None
pa_desc: PatternAccuracyDescriptor | None = None
class fido2.mds3.RgbPaletteEntry[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

r: int
g: int
b: int
class fido2.mds3.DisplayPngCharacteristicsDescriptor[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

width: int
height: int
bit_depth: int
color_type: int
compression: int
filter: int
interlace: int
plte: Sequence[RgbPaletteEntry] | None = None
class fido2.mds3.EcdaaTrustAnchor[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

x: str
y: str
c: str
sx: str
sy: str
g1_curve: str
class fido2.mds3.AuthenticatorStatus[source]

Bases: str, enum.Enum

Status of an Authenticator.

NOT_FIDO_CERTIFIED = 'NOT_FIDO_CERTIFIED'
FIDO_CERTIFIED = 'FIDO_CERTIFIED'
USER_VERIFICATION_BYPASS = 'USER_VERIFICATION_BYPASS'
ATTESTATION_KEY_COMPROMISE = 'ATTESTATION_KEY_COMPROMISE'
USER_KEY_REMOTE_COMPROMISE = 'USER_KEY_REMOTE_COMPROMISE'
USER_KEY_PHYSICAL_COMPROMISE = 'USER_KEY_PHYSICAL_COMPROMISE'
UPDATE_AVAILABLE = 'UPDATE_AVAILABLE'
REVOKED = 'REVOKED'
SELF_ASSERTION_SUBMITTED = 'SELF_ASSERTION_SUBMITTED'
FIDO_CERTIFIED_L1 = 'FIDO_CERTIFIED_L1'
FIDO_CERTIFIED_L1plus = 'FIDO_CERTIFIED_L1plus'
FIDO_CERTIFIED_L2 = 'FIDO_CERTIFIED_L2'
FIDO_CERTIFIED_L2plus = 'FIDO_CERTIFIED_L2plus'
FIDO_CERTIFIED_L3 = 'FIDO_CERTIFIED_L3'
FIDO_CERTIFIED_L3plus = 'FIDO_CERTIFIED_L3plus'
class fido2.mds3.StatusReport[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

status: AuthenticatorStatus
effective_date: datetime.date | None
authenticator_version: int | None = None
certificate: bytes | None
url: str | None = None
certification_descriptor: str | None = None
certificate_number: str | None = None
certification_policy_version: str | None = None
certification_requirements_version: str | None = None
class fido2.mds3.ExtensionDescriptor[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

fail_if_unknown: bool
id: str
tag: int | None = None
data: str | None = None
class fido2.mds3.MetadataStatement[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

description: str
authenticator_version: int
schema: int
upv: Sequence[Version]
attestation_types: Sequence[str]
user_verification_details: Sequence[Sequence[VerificationMethodDescriptor]]
key_protection: Sequence[str]
matcher_protection: Sequence[str]
attachment_hint: Sequence[str]
tc_display: Sequence[str]
attestation_root_certificates: Sequence[bytes]
legal_header: str | None = None
aaid: str | None = None
aaguid: fido2.webauthn.Aaguid | None
attestation_certificate_key_identifiers: Sequence[bytes] | None
alternative_descriptions: Mapping[str, str] | None = None
protocol_family: str | None = None
authentication_algorithms: Sequence[str] | None = None
public_key_alg_and_encodings: Sequence[str] | None = None
is_key_restricted: bool | None = None
is_fresh_user_verification_required: bool | None = None
crypto_strength: int | None = None
operating_env: str | None = None
tc_display_content_type: str | None = None
tc_display_png_characteristics: Sequence[DisplayPngCharacteristicsDescriptor] | None
ecdaa_trust_anchors: Sequence[EcdaaTrustAnchor] | None = None
icon: str | None = None
supported_extensions: Sequence[ExtensionDescriptor] | None = None
authenticator_get_info: Mapping[str, Any] | None = None
class fido2.mds3.MetadataBlobPayloadEntry[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

status_reports: Sequence[StatusReport]
time_of_last_status_change: datetime.date
aaid: str | None = None
aaguid: fido2.webauthn.Aaguid | None
attestation_certificate_key_identifiers: Sequence[bytes] | None
metadata_statement: MetadataStatement | None = None
biometric_status_reports: Sequence[BiometricStatusReport] | None = None
rogue_list_url: str | None
rogue_list_hash: bytes | None
class fido2.mds3.MetadataBlobPayload[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

legal_header: str
no: int
next_update: datetime.date
entries: Sequence[MetadataBlobPayloadEntry]
fido2.mds3.EntryFilter
fido2.mds3.LookupFilter
fido2.mds3.filter_revoked(entry)[source]

Filters out any revoked metadata entry.

This filter will remove any metadata entry which has a status_report with the REVOKED status.

Parameters:

entry (MetadataBlobPayloadEntry)

Return type:

bool

fido2.mds3.filter_attestation_key_compromised(entry, certificate_chain)[source]

Denies any attestation that has a compromised attestation key.

This filter checks the status reports of a metadata entry and ensures the attestation isn’t signed by a key which is marked as compromised.

Parameters:
Return type:

bool

class fido2.mds3.MdsAttestationVerifier(blob, entry_filter=filter_revoked, attestation_filter=filter_attestation_key_compromised, attestation_types=None)[source]

Bases: fido2.attestation.AttestationVerifier

MDS3 implementation of an AttestationVerifier.

The entry_filter is an optional predicate used to filter which metadata entries to include in the lookup for verification. By default, a filter that removes any entries that have a status report indicating the authenticator is REVOKED is used. See: filter_revoked

The attestation_filter is an optional predicate used to filter metadata entries while performing attestation validation, and may take into account the Authenticator's attestation trust_chain. By default, a filter that will fail any verification that has a trust_chain where one of the certificates is marked as compromised by the metadata statement is used. See: filter_attestation_key_compromised

NOTE: The attestation_filter is not used when calling find_entry_by_aaguid nor find_entry_by_chain as no attestation is being verified!

Setting either filter (including setting it to None) will replace it, removing the default behavior.

Parameters:
  • blob (MetadataBlobPayload) – The MetadataBlobPayload to query for device metadata.

  • entry_filter (Optional[EntryFilter]) – An optional filter to exclude entries from lookup.

  • attestation_filter (Optional[LookupFilter]) – An optional filter to fail verification for a given attestation.

  • attestation_types (Optional[Sequence[fido2.attestation.Attestation]]) – A list of Attestation types to support.
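Because passing entry_filter replaces filter_revoked outright, a custom policy has to re-apply the revoked check itself. The following is an added example, not code from python-fido2, of such a composed EntryFilter: it relies only on the documented status_reports, status and effective_date attributes, so it is usable with real MetadataBlobPayloadEntry objects, but is exercised here against constructed SimpleNamespace stand-ins rather than a parsed blob. The acceptance policy (deny the listed compromise statuses, require the newest status report to be a certification status) is an assumption, not the library's default.

```python
from datetime import date
from types import SimpleNamespace

# fido2.mds3.AuthenticatorStatus values that must never be trusted. The enum
# subclasses str, so real members compare equal to these plain strings and
# the predicate below also works on genuine fido2 objects.
HARD_DENY = frozenset({"REVOKED", "USER_VERIFICATION_BYPASS",
                       "ATTESTATION_KEY_COMPROMISE", "USER_KEY_REMOTE_COMPROMISE"})

# Certification statuses this (assumed) policy accepts: FIDO_CERTIFIED and L1..L3plus.
CERTIFIED = frozenset({"FIDO_CERTIFIED"} | {
    f"FIDO_CERTIFIED_L{n}{p}" for n in (1, 2, 3) for p in ("", "plus")})

def strict_entry_filter(entry) -> bool:
    """EntryFilter: True if the metadata entry may be used for lookup.

    Passing entry_filter= to MdsAttestationVerifier replaces filter_revoked,
    so the REVOKED check is re-applied here via HARD_DENY instead of lost.
    The entry is then accepted only if its most recent status report is a
    certification status (a report with effective_date None sorts oldest).
    """
    reports = list(entry.status_reports)
    if not reports or any(r.status in HARD_DENY for r in reports):
        return False
    latest = max(reports, key=lambda r: r.effective_date or date.min)
    return latest.status in CERTIFIED

def report(status, effective=None):
    """Constructed stand-in for fido2.mds3.StatusReport (not real MDS data)."""
    return SimpleNamespace(status=status, effective_date=effective)

# Constructed stand-ins for MetadataBlobPayloadEntry, not real MDS content.
SAMPLE_ENTRIES = {
    "certified_l1": SimpleNamespace(status_reports=[
        report("FIDO_CERTIFIED_L1", date(2020, 1, 1))]),
    "later_revoked": SimpleNamespace(status_reports=[
        report("FIDO_CERTIFIED_L1", date(2020, 1, 1)),
        report("REVOKED", date(2021, 6, 1))]),
    "uv_bypass": SimpleNamespace(status_reports=[
        report("FIDO_CERTIFIED"),
        report("USER_VERIFICATION_BYPASS", date(2022, 3, 1))]),
    "self_asserted": SimpleNamespace(status_reports=[
        report("SELF_ASSERTION_SUBMITTED")]),
}

if __name__ == "__main__":
    # Wiring with a real blob: MdsAttestationVerifier(blob, entry_filter=strict_entry_filter)
    for name, entry in SAMPLE_ENTRIES.items():
        print(f"{name}: {'accepted' if strict_entry_filter(entry) else 'denied'}")
```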

find_entry_by_aaguid(aaguid)[source]

Find an entry by AAGUID.

Returns a MetadataBlobPayloadEntry with a matching aaguid field, if found. This method does not take the attestation_filter into account.

Parameters:

aaguid (fido2.webauthn.Aaguid)

Return type:

Optional[MetadataBlobPayloadEntry]

find_entry_by_chain(certificate_chain)[source]

Find an entry by trust chain.

Returns a MetadataBlobPayloadEntry containing an attestationCertificateKeyIdentifier which matches one of the certificates in the given chain, if found. This method does not take the attestation_filter into account.

Parameters:

certificate_chain (Sequence[bytes])

Return type:

Optional[MetadataBlobPayloadEntry]

ca_lookup(attestation_result, auth_data)[source]

Look up a CA certificate to be used to verify a trust path.

Parameters:
  • attestation_result – The result of the attestation

  • auth_data – The AuthenticatorData from the registration

find_entry(attestation_object, client_data_hash)[source]

Look up a Metadata entry based on an Attestation.

Returns the first Metadata entry matching the given attestation and verifies it, including checking it against the attestation_filter.

Parameters:
Return type:

Optional[MetadataBlobPayloadEntry]

fido2.mds3.parse_blob(blob, trust_root)[source]

Parses a FIDO MDS3 blob and verifies its signature.

See https://fidoalliance.org/metadata/ for details on obtaining the blob, as well as the CA certificate used to sign it.

The resulting MetadataBlobPayload can be used to look up metadata entries for specific Authenticators, or used with the MdsAttestationVerifier to verify that the attestation from a WebAuthn registration is valid and included in the metadata blob.

NOTE: If trust_root is None, the signature of the blob will NOT be verified!

Parameters:
Return type:

MetadataBlobPayload