webauthn_rp package
Submodules
webauthn_rp.attesters module
- webauthn_rp.attesters.attest(att_stmt: webauthn_rp.types.AttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]
- webauthn_rp.attesters.attest(att_stmt: webauthn_rp.types.FIDOU2FAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]
- webauthn_rp.attesters.attest(att_stmt: webauthn_rp.types.AndroidKeyAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]
- webauthn_rp.attesters.attest(att_stmt: webauthn_rp.types.NoneAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]
Attest an attestation object. The overload used is selected by the type of att_stmt.
- Parameters
att_stmt (AttestationStatement) – The attestation statement.
att_obj (AttestationObject) – The attestation object.
auth_data (bytes) – The raw authenticator data.
client_data_hash (bytes) – The client data hash.
- Returns
The attestation type and trusted path.
- webauthn_rp.attesters.attest_android_key(att_stmt: webauthn_rp.types.AndroidKeyAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]
Attest an Android key.
- Parameters
att_stmt (AndroidKeyAttestationStatement) – The attestation statement.
att_obj (AttestationObject) – The attestation object.
auth_data (bytes) – The raw authenticator data.
client_data_hash (bytes) – The client data hash.
- Returns
The attestation type and trusted path.
- webauthn_rp.attesters.attest_fido_u2f(att_stmt: webauthn_rp.types.FIDOU2FAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]
Attest a FIDO U2F key.
- Parameters
att_stmt (FIDOU2FAttestationStatement) – The attestation statement.
att_obj (AttestationObject) – The attestation object.
auth_data (bytes) – The raw authenticator data.
client_data_hash (bytes) – The client data hash.
- Returns
The attestation type and trusted path.
- webauthn_rp.attesters.attest_none(att_stmt: webauthn_rp.types.NoneAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]
Don’t perform any attestation.
- Parameters
att_stmt (NoneAttestationStatement) – The attestation statement.
att_obj (AttestationObject) – The attestation object.
auth_data (bytes) – The raw authenticator data.
client_data_hash (bytes) – The client data hash.
- Returns
The attestation type and trusted path.
webauthn_rp.backends module
- class webauthn_rp.backends.CredentialsBackend(registrar: webauthn_rp.registrars.CredentialsRegistrar)
Bases: object
A backend to manage the registration and authentication of credentials.
The process of registering a credential involves:
1. Creating a CredentialCreationOptions object (possibly using a builder).
2. Converting the options to JSON using the jsonify converter.
3. Sending the JSON options to the user’s client.
4. Getting a JSON PublicKeyCredential from the user’s client.
5. Parsing the JSON PublicKeyCredential using parse_public_key_credential.
6. Finally, calling CredentialsBackend.handle_credential_attestation.
The process of authenticating a credential is similar:
1. Creating a CredentialRequestOptions object (possibly using a builder).
2. Converting the options to JSON using the jsonify converter.
3. Sending the JSON options to the user’s client.
4. Getting a JSON PublicKeyCredential from the user’s client.
5. Parsing the JSON PublicKeyCredential using parse_public_key_credential.
6. Finally, calling CredentialsBackend.handle_credential_assertion.
- registrar
The RP credentials registrar.
- Type
CredentialsRegistrar
Initialize the credentials backend with a registrar.
- Parameters
registrar (CredentialsRegistrar) – The RP credentials registrar.
- handle_credential_assertion(*, credential: webauthn_rp.types.PublicKeyCredential, expected_challenge: bytes, expected_origin: Union[str, Collection[str]], rp: Optional[webauthn_rp.types.PublicKeyCredentialRpEntity] = None, user: Optional[webauthn_rp.types.PublicKeyCredentialUserEntity] = None, allow_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None, token_binding: Optional[webauthn_rp.types.TokenBinding] = None, require_user_verification: bool = False, expected_extensions: Optional[Set[webauthn_rp.types.ExtensionIdentifier]] = None, ignore_clone_error: bool = False) → None
Handle authentication using a user’s credential.
- Parameters
credential (PublicKeyCredential) – The public key credential generated by the user’s client containing an authenticator assertion response.
expected_challenge (bytes) – The initial challenge sent to the user’s client.
expected_origin (Union[str, Collection[str]]) – The exact origin to use for the RP or a collection of allowed origins.
rp (PublicKeyCredentialRpEntity) – The optional RP to enforce when authenticating the user (if not supplied an RP must be part of the credential data returned for the user by the credentials registrar).
user (PublicKeyCredentialUserEntity) – The optional user to be authenticated (if not supplied a user handle must exist in the authenticator assertion response).
allow_credentials (Optional[Sequence[PublicKeyCredentialDescriptor]]) – An optional specification of the credentials that the user authenticating is allowed to use.
token_binding (Optional[TokenBinding]) – The optional token binding to check for.
require_user_verification (bool) – Whether to require user verification.
expected_extensions (Optional[Set[ExtensionIdentifier]]) – The set of extensions that are required to be present.
ignore_clone_error (bool) – Whether or not to ignore a signature count error that indicates a possible authenticator clone.
- Raises
ClientDataTypeError – The type of the client data is invalid.
ChallengeError – The user’s challenge and the expected challenge don’t match.
DecodingError – There is an error in decoding some data.
ParserError – There is an error in parsing some data.
OriginError – There is an issue with a provided web origin.
TokenBindingError – There is a mismatch in the provided and the user’s token binding.
RPIDError – The provided and the user’s RP IDs don’t match.
UserPresenceError – The user was not present during authentication.
UserVerificationError – The user did not perform verification but the require_user_verification parameter is True.
ExtensionError – An expected extension is missing.
RegistrationError – There is an issue registering the user with the credentials registrar.
CredentialDataError – The CredentialData for the given user could not be retrieved by the registrar.
CredentialNotAllowedError – A set of allowed credentials is provided and the user’s credential is not in that set.
UserIDError – There is a mismatch in the provided user’s ID and the user ID belonging to the user that the credentials registrar has associated with the credential.
UserHandleError – There is a mismatch in the user handle present in the authenticator assertion response and the user ID belonging to the user that the credentials registrar has associated with the credential.
RPNotFoundError – An RP was not provided and could not be retrieved from the credentials registrar.
SignatureCountError – The signature count of the credential indicates that the authenticator could potentially have been cloned.
InternalError – An unexpected internal error occurred.
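The checks that handle_credential_assertion performs, written out as an added example that is not webauthn_rp's own code. It uses only the standard library: the client data type, challenge and origin checks, the rpIdHash and user-presence/user-verification flag checks, and the signature-count clone check, in that order. The signature check itself is delegated to a caller-supplied callable; in a real deployment that callable would wrap the key returned by cryptography_public_key for the stored credential. The exception classes below reuse the library's names but are stand-ins defined here, and the key, client data and authenticator data are constructed for the demo. Note that the challenge inside clientDataJSON is base64url-encoded by the client, as the WebAuthn specification requires, while the options sent to the client use standard base64.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Callable, Collection, Optional, Tuple, Union

FLAG_UP = 0x01  # user-present bit in the authenticator-data flags byte
FLAG_UV = 0x04  # user-verified bit


# Stand-ins carrying the library's exception names (not the library's classes).
class ClientDataTypeError(Exception): ...
class ChallengeError(Exception): ...
class OriginError(Exception): ...
class RPIDHashError(Exception): ...
class UserPresenceError(Exception): ...
class UserVerificationError(Exception): ...
class VerificationError(Exception): ...
class SignatureCountError(Exception): ...


def _b64url_decode(value: str) -> bytes:
    # clientDataJSON carries the challenge base64url-encoded without padding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def verify_assertion(
    *,
    client_data_json: bytes,
    auth_data: bytes,
    signature: bytes,
    expected_challenge: bytes,
    expected_origin: Union[str, Collection[str]],
    rp_id: str,
    stored_sign_count: Optional[int],
    verify_signature: Callable[[bytes, bytes], bool],
    require_user_verification: bool = False,
    ignore_clone_error: bool = False,
) -> int:
    """Apply the relying-party checks in order; return the signature count to store."""
    client_data = json.loads(client_data_json.decode("utf-8"))
    if client_data.get("type") != "webauthn.get":
        raise ClientDataTypeError(str(client_data.get("type")))
    # Constant-time compare so a mismatch leaks nothing about the expected value.
    if not hmac.compare_digest(_b64url_decode(client_data.get("challenge", "")), expected_challenge):
        raise ChallengeError("challenge does not match the one issued")
    allowed = {expected_origin} if isinstance(expected_origin, str) else set(expected_origin)
    if client_data.get("origin") not in allowed:
        raise OriginError(str(client_data.get("origin")))

    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise RPIDHashError("rpIdHash is not SHA-256 of the expected RP ID")
    if not flags & FLAG_UP:
        raise UserPresenceError("user presence flag not set")
    if require_user_verification and not flags & FLAG_UV:
        raise UserVerificationError("user verification required but flag not set")

    # The authenticator signs authData || SHA-256(clientDataJSON); the caller's
    # verifier checks that against the credential's stored public key.
    if not verify_signature(auth_data + hashlib.sha256(client_data_json).digest(), signature):
        raise VerificationError("assertion signature invalid")

    # Clone detection: once either counter is non-zero the new value must exceed the stored one.
    if stored_sign_count is not None and (sign_count != 0 or stored_sign_count != 0):
        if sign_count <= stored_sign_count and not ignore_clone_error:
            raise SignatureCountError(f"count {sign_count} not above stored {stored_sign_count}")
    return sign_count


# --- constructed sample exchange (not captured from a real authenticator) ---

def stand_in_sign(message: bytes) -> bytes:
    """Keyed hash standing in for the authenticator's signature; NOT a real signature scheme."""
    return hmac.new(b"constructed-demo-key", message, hashlib.sha256).digest()


def stand_in_verify(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(message), signature)


def demo_inputs(sign_count: int = 42) -> Tuple[bytes, bytes, bytes, bytes]:
    """Return (challenge, clientDataJSON, authData, signature) for a valid-looking assertion."""
    challenge = bytes(range(32))
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode("ascii"),
        "origin": "https://login.example.com",
    }).encode("utf-8")
    auth_data = (hashlib.sha256(b"example.com").digest()
                 + bytes([FLAG_UP | FLAG_UV]) + sign_count.to_bytes(4, "big"))
    signature = stand_in_sign(auth_data + hashlib.sha256(client_data_json).digest())
    return challenge, client_data_json, auth_data, signature
```

The order matters for the error a caller sees: a replayed or cross-site response fails on the challenge or origin before any cryptography runs, and a counter that does not advance is reported as SignatureCountError only after the signature has verified, so a clone warning is never raised for a forged response.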
- handle_credential_attestation(*, credential: webauthn_rp.types.PublicKeyCredential, user: webauthn_rp.types.PublicKeyCredentialUserEntity, rp: webauthn_rp.types.PublicKeyCredentialRpEntity, expected_challenge: bytes, expected_origin: Union[str, Collection[str]], token_binding: Optional[webauthn_rp.types.TokenBinding] = None, require_user_verification: bool = False, expected_extensions: Optional[Set[webauthn_rp.types.ExtensionIdentifier]] = None) → None
Handle the attestation of a user’s credential.
- Parameters
credential (PublicKeyCredential) – The public key credential generated by the user’s client containing an authenticator attestation response.
user (PublicKeyCredentialUserEntity) – The user to be registered.
rp (PublicKeyCredentialRpEntity) – The RP to use to register the user.
expected_challenge (bytes) – The initial challenge sent to the user’s client.
expected_origin (Union[str, Collection[str]]) – The exact origin to use for the RP or a collection of allowed origins.
token_binding (Optional[TokenBinding]) – The optional token binding to check for.
require_user_verification (bool) – Whether to require user verification.
expected_extensions (Optional[Set[ExtensionIdentifier]]) – The set of extensions that are required to be present.
- Raises
ClientDataTypeError – The type of the client data is invalid.
ChallengeError – The user’s challenge and the expected challenge don’t match.
DecodingError – There is an error in decoding some data.
ParserError – There is an error in parsing some data.
OriginError – There is an issue with a provided web origin.
TokenBindingError – There is a mismatch in the provided and the user’s token binding.
RPIDError – The provided and the user’s RP IDs don’t match.
UserPresenceError – The user was not present during authentication.
UserVerificationError – The user did not perform verification but the require_user_verification parameter is True.
ExtensionError – An expected extension is missing.
RegistrationError – There is an issue registering the user with the credentials registrar.
InternalError – An unexpected internal error occurred.
webauthn_rp.builders module
- class webauthn_rp.builders.CredentialCreationOptionsBuilder(*, rp: Optional[webauthn_rp.types.PublicKeyCredentialRpEntity] = None, pub_key_cred_params: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialParameters]] = None, timeout: Optional[int] = None, authenticator_selection: Optional[webauthn_rp.types.AuthenticatorSelectionCriteria] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs] = None, attestation: Optional[webauthn_rp.types.AttestationConveyancePreference] = <AttestationConveyancePreference.NONE: 'none'>, exclude_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None)
Bases: object
A CredentialCreationOptions builder.
Using a builder allows shared build parameters to be saved and simplifies the construction of option data types, which can have a number of nested attributes.
After initializing the builder, each time an attribute is updated using one of the provided setter functions, a new copy of the builder is returned and the original is left unmodified.
In the following example, builder and builder_n would be different objects:
>>> builder = CredentialCreationOptionsBuilder()
>>> builder_n = builder.rp(...).attestation(...)
Initialize the builder’s attributes.
- Parameters
rp (Optional[PublicKeyCredentialRpEntity]) – The Relying Party being used.
pub_key_cred_params (Optional[Sequence[PublicKeyCredentialParameters]]) – The public key credential parameters used to create the credential.
timeout (Optional[int]) – The timeout to create the credential.
authenticator_selection (Optional[AuthenticatorSelectionCriteria]) – The specific criteria to enforce on the created authenticator.
extensions (Optional[AuthenticationExtensionsClientInputs]) – Any extension inputs to provide to the authenticator.
attestation (Optional[AttestationConveyancePreference]) – The preference to enforce on allowed authenticator attestations.
exclude_credentials (Optional[Sequence[PublicKeyCredentialDescriptor]]) – An optional list of credentials to exclude from use.
- attestation(attestation: webauthn_rp.types.AttestationConveyancePreference) → webauthn_rp.builders.CredentialCreationOptionsBuilder
Set the attestation conveyance preference.
- Parameters
attestation (Optional[AttestationConveyancePreference]) – The preference to enforce on allowed authenticator attestations.
- Returns
A new CredentialCreationOptionsBuilder copy.
- authenticator_selection(authenticator_selection: Optional[webauthn_rp.types.AuthenticatorSelectionCriteria]) → webauthn_rp.builders.CredentialCreationOptionsBuilder
Set the authenticator selection.
- Parameters
authenticator_selection (Optional[AuthenticatorSelectionCriteria]) – The specific criteria to enforce on the created authenticator.
- Returns
A new CredentialCreationOptionsBuilder copy.
- build(*, user: webauthn_rp.types.PublicKeyCredentialUserEntity, challenge: bytes) → webauthn_rp.types.CredentialCreationOptions
Build a CredentialCreationOptions instance.
- Parameters
user (PublicKeyCredentialUserEntity) – The user whose credential is being requested.
challenge (bytes) – The challenge to provide to the user’s credential.
- Returns
An instance of CredentialCreationOptions.
- Raises
BuilderError – If a required attribute has not been set yet.
- exclude_credentials(exclude_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]]) → webauthn_rp.builders.CredentialCreationOptionsBuilder
Set the public key credentials to exclude from use.
- Parameters
exclude_credentials (Optional[Sequence[PublicKeyCredentialDescriptor]]) – An optional list of credentials to exclude from use.
- Returns
A new CredentialCreationOptionsBuilder copy.
- extensions(extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs]) → webauthn_rp.builders.CredentialCreationOptionsBuilder
Set the authenticator extensions’ client inputs.
- Parameters
extensions (Optional[AuthenticationExtensionsClientInputs]) – Any extension inputs to provide to the authenticator.
- Returns
A new CredentialCreationOptionsBuilder copy.
- pub_key_cred_params(pub_key_cred_params: Sequence[webauthn_rp.types.PublicKeyCredentialParameters]) → webauthn_rp.builders.CredentialCreationOptionsBuilder
Set the public key credential parameters.
- Parameters
pub_key_cred_params (Sequence[PublicKeyCredentialParameters]) – The public key credential parameters used to create the credential.
- Returns
A new CredentialCreationOptionsBuilder copy.
- rp(rp: webauthn_rp.types.PublicKeyCredentialRpEntity) → webauthn_rp.builders.CredentialCreationOptionsBuilder
Set the Relying Party (RP).
- Parameters
rp (PublicKeyCredentialRpEntity) – The Relying Party being used.
- Returns
A new CredentialCreationOptionsBuilder copy.
- timeout(timeout: Optional[int]) → webauthn_rp.builders.CredentialCreationOptionsBuilder
Set the timeout.
- Parameters
timeout (Optional[int]) – The timeout to create the credential.
- Returns
A new CredentialCreationOptionsBuilder copy.
- class webauthn_rp.builders.CredentialRequestOptionsBuilder(*, mediation: webauthn_rp.types.CredentialMediationRequirement = <CredentialMediationRequirement.OPTIONAL: 'optional'>, timeout: Optional[int] = None, rp_id: Optional[str] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs] = None, user_verification: Optional[webauthn_rp.types.UserVerificationRequirement] = <UserVerificationRequirement.PREFERRED: 'preferred'>)
Bases: object
A CredentialRequestOptions builder.
Using a builder allows shared build parameters to be saved and simplifies the construction of option data types, which can have a number of nested attributes.
After initializing the builder, each time an attribute is updated using one of the provided setter functions, a new copy of the builder is returned and the original is left unmodified.
In the following example, builder and builder_n would be different objects:
>>> builder = CredentialRequestOptionsBuilder()
>>> builder_n = builder.mediation(...).rp_id(...)
Initialize the builder’s attributes.
- Parameters
mediation (CredentialMediationRequirement) – The kind of mediation that should be enforced between the user agent and the user’s authenticator.
timeout (Optional[int]) – The timeout to request the credential.
rp_id (Optional[str]) – The Relying Party ID to use.
extensions (Optional[AuthenticationExtensionsClientInputs]) – Any extension inputs to provide to the authenticator.
user_verification (Optional[UserVerificationRequirement]) – An optional specification of whether or not a user’s verification is required.
- build(*, challenge: bytes, allow_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None) → webauthn_rp.types.CredentialRequestOptions
Build a CredentialRequestOptions instance.
- Parameters
challenge (bytes) – The challenge to provide to the user’s credential.
allow_credentials (Optional[Sequence[PublicKeyCredentialDescriptor]]) – An optional list of allowed credentials ordered from most preferred to least preferred.
- Returns
An instance of CredentialRequestOptions.
- Raises
BuilderError – If a required attribute has not been set yet.
- extensions(extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs]) → webauthn_rp.builders.CredentialRequestOptionsBuilder
Set the authenticator extensions’ client inputs.
- Parameters
extensions (Optional[AuthenticationExtensionsClientInputs]) – Any extension inputs to provide to the authenticator.
- Returns
A new CredentialRequestOptionsBuilder copy.
- mediation(mediation: webauthn_rp.types.CredentialMediationRequirement) → webauthn_rp.builders.CredentialRequestOptionsBuilder
Set the credential mediation requirement.
- Parameters
mediation (CredentialMediationRequirement) – The kind of mediation that should be enforced between the user agent and the user’s authenticator.
- Returns
A new CredentialRequestOptionsBuilder copy.
- rp_id(rp_id: Optional[str]) → webauthn_rp.builders.CredentialRequestOptionsBuilder
Set the Relying Party ID.
- Parameters
rp_id (Optional[str]) – The Relying Party ID to use.
- Returns
A new CredentialRequestOptionsBuilder copy.
- timeout(timeout: Optional[int]) → webauthn_rp.builders.CredentialRequestOptionsBuilder
Set the timeout.
- Parameters
timeout (Optional[int]) – The timeout to request the credential.
- Returns
A new CredentialRequestOptionsBuilder copy.
- user_verification(user_verification: Optional[webauthn_rp.types.UserVerificationRequirement]) → webauthn_rp.builders.CredentialRequestOptionsBuilder
Set the user verification requirement.
- Parameters
user_verification (Optional[UserVerificationRequirement]) – An optional specification of whether or not a user’s verification is required.
- Returns
A new CredentialRequestOptionsBuilder copy.
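The copy-on-set contract both builders above describe, as an added example that is not webauthn_rp's own code. A frozen dataclass plus dataclasses.replace gives every setter the "return a new copy, leave the original untouched" behaviour, so one shared base builder (RP ID and timeout) can be reused across requests without one request's settings leaking into another's. The option type, the set of fields, and the rule that rp_id must be set before build() are simplifications assumed here; the page says only that BuilderError is raised when a required attribute is missing, not which attributes those are.

```python
from dataclasses import dataclass, replace
from typing import Optional, Sequence


class BuilderError(Exception):
    """Stand-in for webauthn_rp.errors.BuilderError."""


@dataclass(frozen=True)
class CredentialRequestOptions:
    """Simplified stand-in for the options object; only the fields set below."""
    challenge: bytes
    rp_id: str
    timeout: Optional[int]
    user_verification: str
    allow_credentials: Sequence[bytes]


@dataclass(frozen=True)
class CredentialRequestOptionsBuilder:
    """Each setter returns a modified copy; the builder it was called on is unchanged."""
    _rp_id: Optional[str] = None
    _timeout: Optional[int] = None
    _user_verification: str = "preferred"

    def rp_id(self, rp_id: Optional[str]) -> "CredentialRequestOptionsBuilder":
        return replace(self, _rp_id=rp_id)

    def timeout(self, timeout: Optional[int]) -> "CredentialRequestOptionsBuilder":
        return replace(self, _timeout=timeout)

    def user_verification(self, requirement: str) -> "CredentialRequestOptionsBuilder":
        if requirement not in ("required", "preferred", "discouraged"):
            raise BuilderError(f"unknown user verification requirement {requirement!r}")
        return replace(self, _user_verification=requirement)

    def build(self, *, challenge: bytes,
              allow_credentials: Optional[Sequence[bytes]] = None) -> CredentialRequestOptions:
        # Assumption for this demo: rp_id is the required attribute.
        if self._rp_id is None:
            raise BuilderError("rp_id has not been set")
        return CredentialRequestOptions(
            challenge=challenge,
            rp_id=self._rp_id,
            timeout=self._timeout,
            user_verification=self._user_verification,
            allow_credentials=tuple(allow_credentials or ()),
        )


def shared_and_derived():
    """One shared base builder and a stricter per-request builder derived from it."""
    base = CredentialRequestOptionsBuilder().rp_id("example.com").timeout(60_000)
    strict = base.user_verification("required")
    return base, strict
```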
webauthn_rp.converters module
- webauthn_rp.converters.cose_ec2_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → bytes
Convert an EC2CredentialPublicKey into a COSE key.
- Parameters
credential_public_key (EC2CredentialPublicKey) – The key to convert.
- Returns
The COSE-encoded key bytes.
- webauthn_rp.converters.cose_key(credential_public_key: webauthn_rp.types.CredentialPublicKey) → bytes
- webauthn_rp.converters.cose_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → bytes
- webauthn_rp.converters.cose_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → bytes
Convert a CredentialPublicKey into a COSE key.
- Parameters
credential_public_key (CredentialPublicKey) – The key to convert.
- Returns
The COSE-encoded key bytes.
- webauthn_rp.converters.cose_okp_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → bytes
Convert an OKPCredentialPublicKey into a COSE key.
- Parameters
credential_public_key (OKPCredentialPublicKey) – The key to convert.
- Returns
The COSE-encoded key bytes.
- webauthn_rp.converters.cryptography_ec2_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey
Convert an EC2CredentialPublicKey into a cryptography EC2PublicKey.
- Parameters
credential_public_key (EC2CredentialPublicKey) – The key to convert.
- Returns
A cryptography EC2PublicKey.
- Raises
UnimplementedError – If the conversion logic for the given type of CredentialPublicKey has not been implemented.
PublicKeyConversionError – If the provided key could not be converted into a valid cryptography EC2PublicKey.
- webauthn_rp.converters.cryptography_okp_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → Union[cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey]
Convert an OKPCredentialPublicKey into a cryptography OKPPublicKey.
- Parameters
credential_public_key (OKPCredentialPublicKey) – The key to convert.
- Returns
A cryptography OKPPublicKey (an Ed25519PublicKey or an Ed448PublicKey).
- Raises
UnimplementedError – If the conversion logic for the given type of CredentialPublicKey has not been implemented.
PublicKeyConversionError – If the provided key could not be converted into a valid cryptography OKPPublicKey.
- webauthn_rp.converters.cryptography_public_key(credential_public_key: webauthn_rp.types.CredentialPublicKey) → Union[cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey]
- webauthn_rp.converters.cryptography_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey
- webauthn_rp.converters.cryptography_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → Union[cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey]
Convert a CredentialPublicKey into a cryptography PublicKey.
- Parameters
credential_public_key (CredentialPublicKey) – The key to convert.
- Returns
A cryptography PublicKey.
- Raises
UnimplementedError – If the conversion logic for the given type of CredentialPublicKey has not been implemented.
- webauthn_rp.converters.jsonify(data: Any, convert_case: bool = True) → Optional[Union[dict, list, bool, int, float, str]]
Convert a Python object into a JSON value.
- Parameters
data (Any) – The object to convert.
convert_case (bool) – Whether to convert the attribute names of the object into camel case from snake case.
- Returns
A JSONValue.
- Raises
JSONConversionError – If the provided data cannot be converted into valid JSON.
UnimplementedError – If the conversion logic for the given data type has not been implemented.
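A jsonify-style converter, as an added example that is not webauthn_rp's own implementation. It walks dataclasses, enums, bytes, sequences and dicts and produces a JSON value: attribute names go from snake_case to camelCase when convert_case is set, enums collapse to their value, bytes become standard base64 (the encoding parse_public_key_credential expects for data that was originally bytes), None-valued attributes are dropped, and anything else raises a JSONConversionError stand-in. The option and descriptor dataclasses and the enum are simplified stand-ins for the library's types, defined here only to have something to convert.

```python
import base64
import dataclasses
import enum
import json
import re
from typing import Any, Optional, Union

JSONValue = Optional[Union[dict, list, bool, int, float, str]]


class JSONConversionError(Exception):
    """Stand-in for webauthn_rp.errors.JSONConversionError."""


_SNAKE_SEGMENT = re.compile(r"_([a-z0-9])")


def to_camel(name: str) -> str:
    """rp_id -> rpId, pub_key_cred_params -> pubKeyCredParams."""
    return _SNAKE_SEGMENT.sub(lambda m: m.group(1).upper(), name)


def jsonify(data: Any, convert_case: bool = True) -> JSONValue:
    """Convert a Python object into a JSON value (dict/list/bool/int/float/str/None)."""
    if data is None or isinstance(data, (bool, int, float, str)):
        return data
    if isinstance(data, (bytes, bytearray)):
        # Binary fields (challenge, credential ids) travel as standard base64.
        return base64.b64encode(bytes(data)).decode("ascii")
    if isinstance(data, enum.Enum):
        return jsonify(data.value, convert_case)
    if isinstance(data, (list, tuple)):
        return [jsonify(item, convert_case) for item in data]
    if dataclasses.is_dataclass(data) and not isinstance(data, type):
        out = {}
        for field in dataclasses.fields(data):
            value = getattr(data, field.name)
            if value is None:  # optional members that were not set are omitted
                continue
            out[to_camel(field.name) if convert_case else field.name] = jsonify(value, convert_case)
        return out
    if isinstance(data, dict):
        out = {}
        for key, value in data.items():
            if not isinstance(key, str):
                raise JSONConversionError(f"non-string dict key {key!r}")
            out[to_camel(key) if convert_case else key] = jsonify(value, convert_case)
        return out
    raise JSONConversionError(f"cannot convert {type(data).__name__} to JSON")


def jsonify_text(data: Any) -> str:
    """Serialise the converted value; the format sent to the user's client."""
    return json.dumps(jsonify(data), separators=(",", ":"))


# --- simplified stand-in types, constructed for the demo ---

class UserVerificationRequirement(enum.Enum):
    REQUIRED = "required"
    PREFERRED = "preferred"


@dataclasses.dataclass
class PublicKeyCredentialDescriptor:
    type: str
    id: bytes
    transports: Optional[list] = None


@dataclasses.dataclass
class CredentialRequestOptions:
    challenge: bytes
    rp_id: str
    user_verification: UserVerificationRequirement
    timeout: Optional[int] = None
    allow_credentials: Optional[list] = None


def sample_options() -> CredentialRequestOptions:
    return CredentialRequestOptions(
        challenge=b"\x01\x02\x03",
        rp_id="example.com",
        user_verification=UserVerificationRequirement.REQUIRED,
        timeout=60000,
        allow_credentials=[PublicKeyCredentialDescriptor(type="public-key", id=b"\xff\xfe")],
    )
```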
webauthn_rp.errors module
- exception webauthn_rp.errors.AttestationError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an invalid attestation statement.
- exception webauthn_rp.errors.BackendError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an error in a backend.
- exception webauthn_rp.errors.BuilderError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for a builder error.
- exception webauthn_rp.errors.ChallengeError
Bases: webauthn_rp.errors.BackendError
Raised for an invalid challenge.
- exception webauthn_rp.errors.ClientDataTypeError
Bases: webauthn_rp.errors.BackendError
Raised for an invalid client data type.
- exception webauthn_rp.errors.ConverterError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an error during data type conversion.
- exception webauthn_rp.errors.CredentialDataError
Bases: webauthn_rp.errors.BackendError
Raised for an unretrievable CredentialData.
- exception webauthn_rp.errors.CredentialNotAllowedError
Bases: webauthn_rp.errors.BackendError
Raised for the use of a disallowed credential.
- exception webauthn_rp.errors.DecodingError
Bases: webauthn_rp.errors.ParserError
Raised for an error decoding raw data.
- exception webauthn_rp.errors.ExtensionError
Bases: webauthn_rp.errors.BackendError
Raised for a missing extension.
- exception webauthn_rp.errors.InternalError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an unexpected internal error.
- exception webauthn_rp.errors.JSONConversionError
Bases: webauthn_rp.errors.ConverterError
Raised for an error converting data into JSON.
- exception webauthn_rp.errors.OriginError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an invalid web origin.
- exception webauthn_rp.errors.ParserError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an error parsing raw data.
- exception webauthn_rp.errors.PublicKeyConversionError
Bases: webauthn_rp.errors.ConverterError
Raised for an error converting a CredentialPublicKey.
- exception webauthn_rp.errors.RPIDError
Bases: webauthn_rp.errors.BackendError
Raised for an invalid Relying Party ID.
- exception webauthn_rp.errors.RPIDHashError
Bases: webauthn_rp.errors.BackendError
Raised for a mismatching Relying Party ID hash.
- exception webauthn_rp.errors.RPNotFoundError
Bases: webauthn_rp.errors.BackendError
Raised for a missing Relying Party configuration.
- exception webauthn_rp.errors.RegistrationError
Bases: webauthn_rp.errors.BackendError
Raised for an error during registration.
- exception webauthn_rp.errors.SignatureCountError
Bases: webauthn_rp.errors.BackendError
Raised for an invalid signature count.
- exception webauthn_rp.errors.TokenBindingError
Bases: webauthn_rp.errors.BackendError
Raised for an error in token binding.
- exception webauthn_rp.errors.UnimplementedError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an attempt to use an unimplemented feature.
- exception webauthn_rp.errors.UserHandleError
Bases: webauthn_rp.errors.BackendError
Raised for an invalid user handle.
- exception webauthn_rp.errors.UserIDError
Bases: webauthn_rp.errors.BackendError
Raised for an invalid user ID.
- exception webauthn_rp.errors.UserPresenceError
Bases: webauthn_rp.errors.BackendError
Raised for a missing user presence bit when it is required.
- exception webauthn_rp.errors.UserVerificationError
Bases: webauthn_rp.errors.BackendError
Raised for a missing user verification bit when it is required.
- exception webauthn_rp.errors.ValidationError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an error validating the format of a CredentialPublicKey.
- exception webauthn_rp.errors.VerificationError
Bases: webauthn_rp.errors.WebAuthnRPError
Raised for an error verifying a signature using a CredentialPublicKey.
- exception webauthn_rp.errors.WebAuthnRPError
Bases: Exception
The base error for all exceptions raised by the library.
webauthn_rp.parsers module
- webauthn_rp.parsers.parse_android_key_attestation_statement(att_stmt: Dict) → webauthn_rp.types.AndroidKeyAttestationStatement
Parse a JSON Android key attestation statement.
- Parameters
att_stmt (Dict) – The JSON attestation statement.
- Returns
An AndroidKeyAttestationStatement instance.
- Raises
ParserError – Could not correctly parse the attestation statement.
- webauthn_rp.parsers.parse_android_safetynet_attestation_statement(att_stmt: Dict) → webauthn_rp.types.AndroidSafetyNetAttestationStatement
Parse a JSON Android SafetyNet attestation statement.
- Parameters
att_stmt (Dict) – The JSON attestation statement.
- Returns
An AndroidSafetyNetAttestationStatement instance.
- Raises
ParserError – Could not correctly parse the attestation statement.
- webauthn_rp.parsers.parse_attestation_object(attestation_object: bytes) → Tuple[webauthn_rp.types.AttestationObject, Dict]
Parse the raw CBOR-encoded attestation object.
- Parameters
attestation_object (bytes) – The raw CBOR-encoded attestation object bytes.
- Returns
A 2-tuple where the first element is the parsed AttestationObject instance and the second element is its raw CBOR-decoded dictionary.
- Raises
ParserError – Could not correctly parse the attestation object.
DecodingError – Could not decode raw CBOR data.
- webauthn_rp.parsers.parse_authenticator_data(auth_data: bytes) → webauthn_rp.types.AuthenticatorData
Parse the raw authenticator data.
- Parameters
auth_data (bytes) – The raw authenticator data bytes.
- Returns
An instance of AuthenticatorData.
- Raises
ParserError – Could not correctly parse the authenticator data.
DecodingError – Could not decode raw CBOR data.
- webauthn_rp.parsers.parse_client_data(client_data_JSON: bytes) → webauthn_rp.types.CollectedClientData
Parse the raw UTF-8-encoded client data JSON.
- Parameters
client_data_JSON (bytes) – The UTF-8-encoded client data JSON.
- Returns
A CollectedClientData instance.
- Raises
ParserError – Could not correctly parse the client data JSON.
- webauthn_rp.parsers.parse_cose_key(credential_public_key: Union[Dict, bytes]) → webauthn_rp.types.CredentialPublicKey
Parse the CBOR-encoded, or already decoded, credential public key.
- Parameters
credential_public_key (Union[Dict, bytes]) – A CBOR-encoded public key or a CBOR-decoded dictionary of a credential public key.
- Returns
An instance of CredentialPublicKey.
- Raises
ParserError – Could not correctly parse the credential public key.
DecodingError – Could not decode the raw CBOR data.
- webauthn_rp.parsers.parse_ec2_public_key(credential_public_key: Dict) → webauthn_rp.types.EC2CredentialPublicKey
Parse a JSON EC2 credential public key into an EC2CredentialPublicKey.
- Parameters
credential_public_key (Dict) – The JSON EC2 credential public key generated by a user agent.
- Returns
An EC2CredentialPublicKey instance.
- Raises
ParserError – Could not correctly parse the data.
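What parse_authenticator_data, parse_cose_key and parse_ec2_public_key have to do with the bytes an authenticator returns, as an added example that is not webauthn_rp's own code. It contains a minimal CBOR decoder (integers, byte and text strings, maps: the subset a COSE_Key or extension map needs), a parser for the fixed authenticator-data layout (rpIdHash, flags, signCount, then attested credential data and extensions when the AT and ED flag bits say so), and validation of the decoded COSE map as a P-256 EC2 key. Trailing bytes after the last expected field are treated as a parse error rather than ignored. The sample authenticator data is constructed in the block, not captured from a device; the exception classes reuse the library's names but are defined here.

```python
import hashlib
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

FLAG_AT = 0x40  # attested credential data present
FLAG_ED = 0x80  # extension data present

class DecodingError(Exception): ...
class ParserError(Exception): ...

def cbor_decode(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one CBOR item at pos and return (value, next_pos).

    Handles unsigned/negative integers, byte strings, text strings and maps;
    anything else (arrays, tags, floats, indefinite lengths) is rejected.
    """
    if pos >= len(data):
        raise DecodingError("unexpected end of CBOR data")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif 24 <= info <= 27:
        width = 1 << (info - 24)
        if pos + width > len(data):
            raise DecodingError("truncated CBOR argument")
        arg, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
    else:
        raise DecodingError(f"unsupported additional info {info}")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(data):
            raise DecodingError("truncated CBOR string")
        chunk = data[pos:pos + arg]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 5:
        result: Dict[Any, Any] = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            result[key], pos = cbor_decode(data, pos)
        return result, pos
    raise DecodingError(f"unsupported CBOR major type {major}")

@dataclass
class EC2Key:
    alg: int
    crv: int
    x: bytes
    y: bytes

def parse_ec2_public_key(cose: Dict[Any, Any]) -> EC2Key:
    """Validate a decoded COSE_Key map as a P-256 EC2 key (kty=2, crv=1)."""
    if cose.get(1) != 2:
        raise ParserError("kty is not EC2")
    if cose.get(-1) != 1:
        raise ParserError("only P-256 (crv=1) is handled here")
    if not isinstance(cose.get(3), int):
        raise ParserError("alg missing or not an integer")
    x, y = cose.get(-2), cose.get(-3)
    if not (isinstance(x, bytes) and isinstance(y, bytes) and len(x) == len(y) == 32):
        raise ParserError("x and y must be 32-byte strings")
    return EC2Key(alg=cose[3], crv=1, x=x, y=y)

@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes] = None
    credential_id: Optional[bytes] = None
    credential_public_key: Optional[EC2Key] = None
    extensions: Optional[Dict[Any, Any]] = None

def parse_authenticator_data(auth_data: bytes) -> AuthenticatorData:
    """Parse rpIdHash(32) | flags(1) | signCount(4) | [attestedCredentialData] | [extensions]."""
    if len(auth_data) < 37:
        raise ParserError("authenticator data shorter than 37 bytes")
    parsed = AuthenticatorData(auth_data[:32], auth_data[32], int.from_bytes(auth_data[33:37], "big"))
    pos = 37
    if parsed.flags & FLAG_AT:
        if len(auth_data) < pos + 18:
            raise ParserError("truncated attested credential data")
        parsed.aaguid = auth_data[pos:pos + 16]
        cred_len = int.from_bytes(auth_data[pos + 16:pos + 18], "big")
        pos += 18
        if len(auth_data) < pos + cred_len:
            raise ParserError("truncated credential id")
        parsed.credential_id = auth_data[pos:pos + cred_len]
        pos += cred_len
        cose, pos = cbor_decode(auth_data, pos)
        if not isinstance(cose, dict):
            raise ParserError("credential public key is not a CBOR map")
        parsed.credential_public_key = parse_ec2_public_key(cose)
    if parsed.flags & FLAG_ED:
        parsed.extensions, pos = cbor_decode(auth_data, pos)
    if pos != len(auth_data):
        # Leftover bytes mean the layout was misread or the blob was altered: reject them.
        raise ParserError(f"{len(auth_data) - pos} unexpected trailing bytes")
    return parsed

def sample_auth_data() -> bytes:
    """Constructed registration-time authenticator data (not from a real device)."""
    x, y = bytes([0x11]) * 32, bytes([0x22]) * 32
    # CBOR map {1: 2, 3: -7, -1: 1, -2: x, -3: y}: kty EC2, alg ES256, crv P-256.
    cose_key = b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + x + b"\x22\x58\x20" + y
    return (hashlib.sha256(b"example.com").digest() + bytes([0x01 | FLAG_AT]) + bytes(4)
            + bytes(16) + (4).to_bytes(2, "big") + b"\x01\x02\x03\x04" + cose_key)
```

The decoder is deliberately strict: a length field that points past the end of the buffer raises DecodingError instead of silently yielding a short string, which is the failure mode that turns a malformed attestation object into an accepted credential with a bogus key.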
- webauthn_rp.parsers.parse_extensions(extensions: Dict) → webauthn_rp.types.AuthenticationExtensionsClientOutputs
Parse an authenticator’s JSON extension outputs.
- Parameters
extensions (Dict) – The JSON extension client outputs generated by a user agent and the user’s authenticator.
- Returns
An AuthenticationExtensionsClientOutputs instance.
- Raises
ParserError – Could not correctly parse the extension data.
- webauthn_rp.parsers.parse_fido_u2f_attestation_statement(att_stmt: Dict) → webauthn_rp.types.FIDOU2FAttestationStatement
Parse a JSON FIDO U2F attestation statement.
- Parameters
att_stmt (Dict) – The JSON attestation statement.
- Returns
A FIDOU2FAttestationStatement instance.
- Raises
ParserError – Could not correctly parse the attestation statement.
- webauthn_rp.parsers.parse_none_attestation_statement(att_stmt: Dict) → webauthn_rp.types.NoneAttestationStatement
Parse a JSON NONE attestation statement.
- Parameters
att_stmt (Dict) – The JSON attestation statement.
- Returns
A NoneAttestationStatement instance.
- Raises
ParserError – Could not correctly parse the attestation statement.
- webauthn_rp.parsers.parse_okp_public_key(credential_public_key: Dict) → webauthn_rp.types.OKPCredentialPublicKey
Parse a JSON OKP credential public key into an OKPCredentialPublicKey.
- Parameters
credential_public_key (Dict) – The JSON OKP credential public key generated by a user agent.
- Returns
An OKPCredentialPublicKey instance.
- Raises
ParserError – Could not correctly parse the data.
- webauthn_rp.parsers.parse_origin(origin: str) → webauthn_rp.types.Origin
Parse an origin string into the Origin tuple.
- Parameters
origin (str) – An origin as defined in the HTML specification.
- Returns
An Origin tuple.
- webauthn_rp.parsers.parse_packed_attestation_statement(att_stmt: Dict) → webauthn_rp.types.PackedAttestationStatement
Parse a JSON packed attestation statement.
- Parameters
att_stmt (Dict) – The JSON attestation statement.
- Returns
A PackedAttestationStatement instance.
- Raises
ParserError – Could not correctly parse the attestation statement.
-
webauthn_rp.parsers.
parse_public_key_credential
(data: Dict) → webauthn_rp.types.PublicKeyCredential¶ Parse a JSON public key credential into a PublicKeyCredential.
Note that data that was originally bytes is expected to have been encoded using standard base64.
- Parameters
data (Dict) – The JSON public key credential generated by a user agent.
- Returns
A PublicKeyCredential instance.
- Raises
ParserError – Could not correctly parse the data.
DecodingError – Could not decode base64-encoded data.
-
webauthn_rp.parsers.
parse_tpm_attestation_statement
(att_stmt: Dict) → webauthn_rp.types.TPMAttestationStatement¶ Parse a JSON TPM attestation statement.
- Parameters
att_stmt (Dict) – The JSON attestation statement.
- Returns
A TPMAttestationStatement instance.
- Raises
ParserError – Could not correctly parse the attestation statement.
References
webauthn_rp.registrars module

class webauthn_rp.registrars.CredentialData(credential_public_key: webauthn_rp.types.CredentialPublicKey, signature_count: Optional[int], user_entity: webauthn_rp.types.PublicKeyCredentialUserEntity, rp_entity: Optional[webauthn_rp.types.PublicKeyCredentialRpEntity] = None)
Bases: tuple
Information stored about a specific user credential.
- credential_public_key – The public key associated with a particular credential.
- signature_count (Optional[int]) – The current signature count of a credential if one has been registered. It should be None if it has not been initialized yet (right after the creation of a credential).
- user_entity – The user that owns the credential.
- rp_entity (Optional[PublicKeyCredentialRpEntity]) – The optional Relying Party that is associated with this credential.
Create new instance of CredentialData(credential_public_key, signature_count, user_entity, rp_entity)
- property credential_public_key – Alias for field number 0
- property rp_entity – Alias for field number 3
- property signature_count – Alias for field number 1
- property user_entity – Alias for field number 2

class webauthn_rp.registrars.CredentialsRegistrar
Bases: object
A registrar for public key credentials.
This class specifies the interface between the CredentialsBackend and the Relying Party’s credentials storage and processing layer.
The provided methods will be invoked by the CredentialsBackend at specific points during the user registration and user authentication phases.

get_credential_data(credential_id: bytes) → Optional[webauthn_rp.registrars.CredentialData]
Gets the CredentialData associated with a specific credential.
- Parameters
credential_id (bytes) – The probabilistically-unique credential ID.
- Returns
The CredentialData associated with the given ID or None if it does not exist.
register_credential_assertion(credential: webauthn_rp.types.PublicKeyCredential, authenticator_data: webauthn_rp.types.AuthenticatorData, user: webauthn_rp.types.PublicKeyCredentialUserEntity, rp: webauthn_rp.types.PublicKeyCredentialRpEntity) → Any
Registers the attempted assertion of a credential by a user.
This is the last step in the user authentication ceremony which was initiated by the user agent. Successful completion indicates that any necessary state related to the user’s credential was updated and the authentication process can finish.
- Parameters
credential (PublicKeyCredential) – The public key credential associated with the given user and Relying Party.
authenticator_data (AuthenticatorData) – The parsed authenticator data.
user (PublicKeyCredentialUserEntity) – The user associated with the public key credential.
rp (PublicKeyCredentialRpEntity) – The Relying Party associated with the public key credential.
- Returns
None for success and anything else to indicate an error.

register_credential_attestation(credential: webauthn_rp.types.PublicKeyCredential, att: webauthn_rp.types.AttestationObject, att_type: webauthn_rp.types.AttestationType, user: webauthn_rp.types.PublicKeyCredentialUserEntity, rp: webauthn_rp.types.PublicKeyCredentialRpEntity, trusted_path: Optional[Sequence[cryptography.x509.base.Certificate]] = None) → Any
Registers the attempted attestation of a credential by a user.
This is the last step in the user registration ceremony which was initiated by the user agent. Successful completion indicates that the user’s credential has been stored and is ready for authentication.
- Parameters
credential (PublicKeyCredential) – The public key credential to associate with a user and Relying Party.
att (AttestationObject) – The attestation object associated with the given public key credential.
att_type (AttestationType) – The type of attestation that was confirmed by the CredentialsBackend.
user (PublicKeyCredentialUserEntity) – The user to associate with the public key credential.
rp (PublicKeyCredentialRpEntity) – The Relying Party to associate with the public key credential.
trusted_path (Optional[TrustedPath]) – The optional trusted path for the credential and attestation object provided by the CredentialsBackend.
- Returns
None for success and anything else to indicate an error.
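An added example, not code from the webauthn_rp package: an in-memory registrar that follows the CredentialsRegistrar contract above (None on success, any other value for an error) and the CredentialData field order, with small stand-in classes for the webauthn_rp types so it runs without the package installed. The strictly-increasing signature counter check in register_credential_assertion is the clone detection step of the WebAuthn assertion verification procedure, added here; the stand-in PublicKeyCredential carries only a raw_id.

```python
from dataclasses import dataclass
from typing import Any, Dict, NamedTuple, Optional


# Stand-ins for the webauthn_rp.types referenced by the interface, constructed
# for this example so it runs without the package installed.
@dataclass(frozen=True)
class UserEntity:
    id: bytes
    name: str


@dataclass(frozen=True)
class RpEntity:
    id: str
    name: str


@dataclass(frozen=True)
class PublicKeyCredential:
    raw_id: bytes  # the credential ID; the real type also carries the response


@dataclass(frozen=True)
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


class CredentialData(NamedTuple):
    """Mirrors the field order of webauthn_rp.registrars.CredentialData."""
    credential_public_key: Any  # opaque here; a CredentialPublicKey in webauthn_rp
    signature_count: Optional[int]  # None until the first assertion is registered
    user_entity: UserEntity
    rp_entity: Optional[RpEntity] = None


class InMemoryCredentialsRegistrar:
    """Dict-backed registrar following the CredentialsRegistrar contract:
    get_credential_data returns CredentialData or None; the register_* methods
    return None on success and any other value to signal an error."""

    def __init__(self) -> None:
        self._store: Dict[bytes, CredentialData] = {}

    def get_credential_data(self, credential_id: bytes) -> Optional[CredentialData]:
        return self._store.get(credential_id)

    def register_credential_attestation(self, credential: PublicKeyCredential,
                                        att: Any, att_type: Any, user: UserEntity,
                                        rp: RpEntity, trusted_path: Any = None) -> Any:
        # Last step of registration. A credential ID already in the store must not
        # be silently rebound to another key or user.
        if credential.raw_id in self._store:
            return "credential ID already registered"
        # A real implementation stores the COSE public key taken from
        # att.auth_data.attested_credential_data; here the attestation object
        # stands in for it, since the key itself is opaque to this example.
        self._store[credential.raw_id] = CredentialData(
            credential_public_key=att, signature_count=None,
            user_entity=user, rp_entity=rp)
        return None

    def register_credential_assertion(self, credential: PublicKeyCredential,
                                      authenticator_data: AuthenticatorData,
                                      user: UserEntity, rp: RpEntity) -> Any:
        # Last step of authentication: persist the new signature counter.
        stored = self._store.get(credential.raw_id)
        if stored is None:
            return "unknown credential"
        if stored.user_entity.id != user.id:
            return "credential is not bound to this user"
        new_count = authenticator_data.sign_count
        old_count = stored.signature_count
        # Clone check from the WebAuthn assertion verification procedure (added
        # here): once either counter is non-zero, the authenticator's counter must
        # strictly increase; otherwise a cloned authenticator may be in use, so the
        # assertion is rejected and the stored state is left untouched.
        if old_count is not None and (old_count or new_count) and new_count <= old_count:
            return "signature counter did not increase"
        self._store[credential.raw_id] = stored._replace(signature_count=new_count)
        return None
```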
webauthn_rp.types module

webauthn_rp.types.AAGUID
alias of bytes
class webauthn_rp.types.AndroidKeyAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, x5c: Sequence[bytes])
Bases: webauthn_rp.types.AttestationStatement
The Android Key Attestation Statement.
- alg – A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
- sig (bytes) – A byte string containing the attestation signature.
- x5c (Sequence[bytes]) – The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate MUST be the first element in the array.
class webauthn_rp.types.AndroidSafetyNetAttestationStatement(*, ver: str, response: bytes)
Bases: webauthn_rp.types.AttestationStatement
The Android SafetyNet Attestation Statement.
- ver (str) – The version number of Google Play Services responsible for providing the SafetyNet API.
- response (bytes) – The UTF-8 encoded result of the getJwsResult() call of the SafetyNet API. This value is a JWS object (see SafetyNet online documentation) in Compact Serialization.
class webauthn_rp.types.AttestationConveyancePreference(value)
Bases: enum.Enum
WebAuthn Relying Parties may use AttestationConveyancePreference to specify their preference regarding attestation conveyance during credential generation.
- NONE (str) – This value indicates that the Relying Party is not interested in authenticator attestation. For example, in order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a roundtrip to an Attestation CA.
- INDIRECT (str) – This value indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA, in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.
- DIRECT (str) – This value indicates that the Relying Party wants to receive the attestation statement as generated by the authenticator.

- DIRECT = 'direct'
- INDIRECT = 'indirect'
- NONE = 'none'
class webauthn_rp.types.AttestationObject(*, auth_data: webauthn_rp.types.AuthenticatorData, fmt: webauthn_rp.types.AttestationStatementFormatIdentifier, att_stmt: webauthn_rp.types.AttestationStatement)
Bases: object
Authenticators MUST also provide some form of attestation. The basic requirement is that the authenticator can produce, for each credential public key, an attestation statement verifiable by the WebAuthn Relying Party. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar data providing provenance information for the attestation public key, enabling the Relying Party to make a trust decision. However, if an attestation key pair is not available, then the authenticator MUST perform self attestation of the credential public key with the corresponding credential private key. All this information is returned by authenticators any time a new public key credential is generated, in the overall form of an attestation object.
- auth_data – The authenticator data.
- fmt – The format of the attestation statement.
- att_stmt (AttestationStatement) – The attestation statement.
class webauthn_rp.types.AttestationStatement(*, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, sig: Optional[bytes] = None)
Bases: object
An important component of the attestation object is the attestation statement. This is a specific type of signed data object, containing statements about a public key credential itself and the authenticator that created it. It contains an attestation signature created using the key of the attesting authority (except for the case of self attestation, when it is created using the credential private key). In order to correctly interpret an attestation statement, a Relying Party needs to understand these two aspects of attestation:
1. The attestation statement format is the manner in which the signature is represented and the various contextual bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the syntax of the statement. Various existing components and OS platforms (such as TPMs and the Android OS) have previously defined attestation statement formats.
2. The attestation type defines the semantics of attestation statements and their underlying trust models. Specifically, it defines how a Relying Party establishes trust in a particular attestation statement, after verifying that it is cryptographically valid.
- alg (Optional[COSEAlgorithmIdentifier]) – A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
- sig (Optional[bytes]) – A byte string containing the attestation signature.
class webauthn_rp.types.AttestationStatementFormatIdentifier(value)
Bases: enum.Enum
Attestation statement formats are identified by a string, called an attestation statement format identifier, chosen by the author of the attestation statement format.
- PACKED (str) – This is a WebAuthn optimized attestation statement format. It uses a very compact but still extensible encoding method. It is implementable by authenticators with limited resources (e.g., secure elements).
- TPM (str) – This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic engine.
- ANDROID_KEY (str) – When the authenticator in question is a platform-provided Authenticator on the Android “N” or later platform, the attestation statement is based on the Android key attestation. In these cases, the attestation statement is produced by a component running in a secure operating environment, but the authenticator data for the attestation is produced outside this environment. The WebAuthn Relying Party is expected to check that the authenticator data claimed to have been used for the attestation is consistent with the fields of the attestation certificate’s extension data.
- ANDROID_SAFETYNET (str) – When the authenticator in question is a platform-provided Authenticator on certain Android platforms, the attestation statement is based on the SafetyNet API. In this case the authenticator data is completely controlled by the caller of the SafetyNet API (typically an application running on the Android platform) and the attestation statement only provides some statements about the health of the platform and the identity of the calling application. This attestation does not provide information regarding provenance of the authenticator and its associated data. Therefore platform-provided authenticators SHOULD make use of the Android Key Attestation when available, even if the SafetyNet API is also present.
- FIDO_U2F (str) – This attestation statement format is used with FIDO U2F authenticators.
- NONE (str) – The none attestation statement format is used to replace any authenticator-provided attestation statement when a WebAuthn Relying Party indicates it does not wish to receive attestation information.

- ANDROID_KEY = 'android-key'
- ANDROID_SAFETYNET = 'android-safetynet'
- FIDO_U2F = 'fido-u2f'
- NONE = 'none'
- PACKED = 'packed'
- TPM = 'tpm'
class webauthn_rp.types.AttestationType(value)
Bases: enum.Enum
WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust models.
- BASIC (str) – In the case of basic attestation, the authenticator’s attestation key pair is specific to an authenticator model. Thus, authenticators of the same model often share the same attestation key pair.
- SELF (str) – In the case of self attestation, also known as surrogate basic attestation, the Authenticator does not have any specific attestation key. Instead it uses the credential private key to create the attestation signature. Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.
- ATTCA (str) – In this case, an authenticator is based on a Trusted Platform Module (TPM) and holds an authenticator-specific “endorsement key” (EK). This key is used to securely communicate with a trusted third party, the Attestation CA (formerly known as a “Privacy CA”). The authenticator can generate multiple attestation identity key pairs (AIK) and requests an Attestation CA to issue an AIK certificate for each. Using this approach, such an authenticator can limit the exposure of the EK (which is a global correlation handle) to Attestation CA(s). AIKs can be requested for each authenticator-generated public key credential individually, and conveyed to Relying Parties as attestation certificates.
- ECDAA (str) – In this case, the Authenticator receives direct anonymous attestation (DAA) credentials from a single DAA-Issuer. These DAA credentials are used along with blinding to sign the attested credential data. The concept of blinding avoids the DAA credentials being misused as global correlation handle. WebAuthn supports DAA using elliptic curve cryptography and bilinear pairings, called ECDAA in this specification. Consequently we denote the DAA-Issuer as ECDAA-Issuer.
- NONE (str) – In this case, no attestation information is available.
- UNCERTAIN (str) – In this case, the attestation type is uncertain.

- ATTCA = 'AttCA'
- BASIC = 'Basic'
- ECDAA = 'ECDAA'
- NONE = 'None'
- SELF = 'Self'
- UNCERTAIN = 'Uncertain'
class webauthn_rp.types.AttestedCredentialData(aaguid: bytes, credential_id_length: int, credential_id: bytes, credential_public_key: Optional[webauthn_rp.types.CredentialPublicKey] = None)
Bases: object
Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation object for a given credential.
- aaguid (bytes) – The AAGUID of the authenticator. Each authenticator has an AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type of authenticator SHOULD be randomly generated to ensure this. The Relying Party MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and strength of key protection, using information from other sources.
- credential_id_length (int) – Byte length of Credential ID, parsed from a 16-bit unsigned big-endian integer.
- credential_id (bytes) – A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions.
- credential_public_key (Optional[CredentialPublicKey]) – The credential public key encoded in COSE_Key format. The COSE_Key-encoded credential public key MUST contain the “alg” parameter and MUST NOT contain any other OPTIONAL parameters. The “alg” parameter MUST contain a COSEAlgorithmIdentifier value. The encoded credential public key MUST also contain any additional REQUIRED parameters stipulated by the relevant key type specification, i.e., REQUIRED for the key type “kty” and algorithm “alg”.
class webauthn_rp.types.AuthenticationExtensionsClientInputs(*, appid: Optional[str] = None, tx_auth_simple: Optional[str] = None, tx_auth_generic: Optional[webauthn_rp.types.TxAuthGenericArg] = None, authn_sel: Optional[Sequence[bytes]] = None, exts: Optional[bool] = None, uvi: Optional[bool] = None, loc: Optional[bool] = None, uvm: Optional[bool] = None, biometric_perf_bounds: Optional[webauthn_rp.types.AuthenticatorBiometricPerfBounds] = None)
Bases: object
This is an object containing the client extension input values for zero or more WebAuthn extensions.
- appid (Optional[str]) – A single string specifying a FIDO AppID.
- tx_auth_simple (Optional[str]) – A single string prompt.
- tx_auth_generic (Optional[TxAuthGenericArg]) – An object containing generic inputs.
- authn_sel (Optional[AuthenticatorSelectionList]) – A sequence of AAGUIDs. Each AAGUID corresponds to an authenticator model that is acceptable to the Relying Party for this credential creation. The list is ordered by decreasing preference.
  An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.
- exts (Optional[bool]) – The Boolean value true to indicate that this extension is requested by the Relying Party.
- uvi (Optional[bool]) – The Boolean value true to indicate that this extension is requested by the Relying Party.
- loc (Optional[bool]) – The Boolean value true to indicate that this extension is requested by the Relying Party.
- uvm (Optional[bool]) – The Boolean value true to indicate that this extension is requested by the Relying Party.
- biometric_perf_bounds (Optional[AuthenticatorBiometricPerfBounds]) – The biometric performance bounds.
class webauthn_rp.types.AuthenticationExtensionsClientOutputs(*, appid: Optional[bool] = None, tx_auth_simple: Optional[str] = None, tx_auth_generic: Optional[bytes] = None, authn_sel: Optional[bool] = None, exts: Optional[Sequence[str]] = None, uvi: Optional[bytes] = None, loc: Optional[webauthn_rp.types.Coordinates] = None, uvm: Optional[Sequence[Sequence[int]]] = None, biometric_perf_bounds: Optional[bool] = None)
Bases: object
This is an object containing the client extension output values for zero or more WebAuthn extensions.
- appid (Optional[bool]) – If true, the AppID was used and thus, when verifying an assertion, the Relying Party MUST expect the rpIdHash to be the hash of the AppID, not the RP ID.
- tx_auth_simple (Optional[str]) – The authenticator extension output string UTF-8 decoded into a string.
- tx_auth_generic (Optional[bytes]) – A generic byte string.
- authn_sel (Optional[AuthenticatorSelectionList]) – Returns the value true to indicate to the Relying Party that the extension was acted upon.
- exts (Optional[AuthenticationExtensionsSupported]) – Returns the list of supported extensions as an array of extension identifier strings.
- uvi (Optional[bytes]) – Returns the authenticator extension output as a byte string.
- loc (Optional[Coordinates]) – Returns an object that encodes the location information in the authenticator extension output as a Coordinates value.
- uvm (Optional[UvmEntries]) – Returns a sequence of UvmEntry objects which are 3-element arrays of numbers that encode the factors in the authenticator extension output.
- biometric_perf_bounds (Optional[bool]) – Returns the value true to indicate to the Relying Party that the extension was acted upon.
class webauthn_rp.types.AuthenticatorAssertionResponse(*, client_data_JSON: bytes, authenticator_data: bytes, signature: bytes, user_handle: Optional[bytes] = None)
Bases: webauthn_rp.types.AuthenticatorResponse
The AuthenticatorAssertionResponse interface represents an authenticator’s response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party’s challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction.
- client_data_JSON (bytes) – This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either navigator.credentials.create() or navigator.credentials.get().
- authenticator_data (bytes) – This attribute contains the authenticator data returned by the authenticator.
- signature (bytes) – This attribute contains the raw signature returned from the authenticator.
- user_handle (Optional[bytes]) – This attribute contains the user handle returned from the authenticator, or null if the authenticator did not return a user handle.
class webauthn_rp.types.AuthenticatorAttachment(value)
Bases: enum.Enum
This enumeration’s values describe authenticators’ attachment modalities. Relying Parties use this for two purposes:
- to express a preferred authenticator attachment modality when calling navigator.credentials.create() to create a credential, and
- to inform the client of the Relying Party’s best belief about how to locate the managing authenticators of the credentials listed in allowCredentials when calling navigator.credentials.get() (on the client side).
- PLATFORM (str) – This value indicates platform attachment.
- CROSS_PLATFORM (str) – This value indicates cross-platform attachment.

- CROSS_PLATFORM = 'cross-platform'
- PLATFORM = 'platform'
class webauthn_rp.types.AuthenticatorAttestationResponse(*, client_data_JSON: bytes, attestation_object: bytes)
Bases: webauthn_rp.types.AuthenticatorResponse
The AuthenticatorAttestationResponse represents the authenticator’s response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration.
- client_data_JSON (bytes) – This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either navigator.credentials.create() or navigator.credentials.get().
- attestation_object (bytes) – This attribute contains an attestation object, which is opaque to, and cryptographically protected against tampering by, the client. The attestation object contains both authenticator data and an attestation statement. The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the attestation statement are determined by the attestation statement format used by the authenticator. It also contains any additional information that the Relying Party’s server requires to validate the attestation statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data.
class webauthn_rp.types.AuthenticatorBiometricPerfBounds(*, FAR: float, FRR: float)
Bases: object
Biometric performance bounds.
- FAR (float) – The maximum false acceptance rate for a biometric authenticator allowed by the Relying Party.
- FRR (float) – The maximum false rejection rate for a biometric authenticator allowed by the Relying Party.
References
w3.org/TR/webauthn/#sctn-authenticator-biometric-criteria-extension
class webauthn_rp.types.AuthenticatorData(*, rp_id_hash: bytes, flags: int, sign_count: int, attested_credential_data: Optional[webauthn_rp.types.AttestedCredentialData] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientOutputs] = None)
Bases: object
The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party’s assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.
- rp_id_hash (bytes) – SHA-256 hash of the RP ID the credential is scoped to.
- flags (int) – 8 flag bits for the authenticator data.
- sign_count (int) – Signature counter parsed from a 32-bit unsigned big-endian integer.
- attested_credential_data (Optional[AttestedCredentialData]) – The attested credential data.
- extensions (Optional[AuthenticationExtensionsClientOutputs]) – Extension-defined authenticator data.
class webauthn_rp.types.AuthenticatorDataFlag(value)
Bases: enum.Enum
The authenticator data bit flags.
- UP (int) – User is present.
- RFU1 (int) – Reserved for future use.
- UV (int) – User is verified.
- RFU2 (int) – Reserved for future use.
- AT (int) – Attested credential data included.
- ED (int) – Extension data is included in the authenticator data.

- AT = 64
- ED = 128
- RFU1 = 2
- RFU2 = 56
- UP = 1
- UV = 4
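An added example, not the library’s parser: it decodes the raw byte layout that AuthenticatorData and AttestedCredentialData describe (32-byte rpIdHash, one flag byte, 32-bit big-endian signCount, then AAGUID, 16-bit big-endian credential ID length and credential ID when AT is set) using the flag values listed above, and checks the RP binding the way a Relying Party would. The COSE_Key is returned as raw bytes rather than CBOR-decoded, so the AT-with-ED case is rejected as unsupported; the sample input is constructed here, not a capture from a real authenticator.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Flag bit values as listed for AuthenticatorDataFlag above.
UP, RFU1, UV, RFU2, AT, ED = 1, 2, 4, 56, 64, 128


@dataclass(frozen=True)
class AttestedCredentialData:
    aaguid: bytes
    credential_id_length: int
    credential_id: bytes
    credential_public_key: bytes  # raw COSE_Key (CBOR) bytes, not decoded here


@dataclass(frozen=True)
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    attested_credential_data: Optional[AttestedCredentialData] = None


class ParserError(ValueError):
    """Raised when the authenticator data does not fit the documented layout."""


def parse_authenticator_data(raw: bytes) -> AuthenticatorData:
    """Decode the fixed prefix and, when AT is set, the attested credential data.
    Assumption: with AT set and ED clear, everything after the credential ID is the
    COSE_Key; separating the key from a trailing extension map needs a CBOR decoder."""
    if len(raw) < 37:
        raise ParserError("authenticator data shorter than 37 bytes")
    rp_id_hash = raw[:32]
    flags = raw[32]
    sign_count = int.from_bytes(raw[33:37], "big")
    offset = 37
    attested = None
    if flags & AT:
        if len(raw) < offset + 18:
            raise ParserError("truncated attested credential data header")
        aaguid = raw[offset:offset + 16]
        cred_len = int.from_bytes(raw[offset + 16:offset + 18], "big")
        offset += 18
        if len(raw) < offset + cred_len:
            raise ParserError("credential ID length exceeds remaining data")
        credential_id = raw[offset:offset + cred_len]
        offset += cred_len
        if flags & ED:
            raise ParserError("AT and ED both set: CBOR decoding needed to split key and extensions")
        attested = AttestedCredentialData(aaguid, cred_len, credential_id, raw[offset:])
    elif flags & ED:
        pass  # assertion with extensions: the remainder is the CBOR extension map, left undecoded
    elif offset != len(raw):
        raise ParserError("trailing bytes present but neither AT nor ED is set")
    return AuthenticatorData(rp_id_hash, flags, sign_count, attested)


def check_rp_binding(auth_data: AuthenticatorData, rp_id: str, require_uv: bool) -> bool:
    """Relying Party checks on the parsed structure: rpIdHash must equal SHA-256 of
    the expected RP ID, the user must be present, and verified if the RP requires it."""
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if auth_data.rp_id_hash != expected:
        return False
    if not auth_data.flags & UP:
        return False
    if require_uv and not auth_data.flags & UV:
        return False
    return True


def build_sample_registration_data(rp_id: str) -> bytes:
    """Constructed sample (not a real capture): UP|UV|AT, sign_count 0, a fixed AAGUID,
    a 4-byte credential ID and a placeholder COSE_Key prefix."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    flags = UP | UV | AT
    aaguid = bytes(range(16))
    credential_id = b"\xde\xad\xbe\xef"
    cose_key = b"\xa5\x01\x02"  # placeholder: start of a CBOR map with kty=EC2
    return (rp_id_hash + bytes([flags]) + (0).to_bytes(4, "big")
            + aaguid + len(credential_id).to_bytes(2, "big") + credential_id + cose_key)
```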
class webauthn_rp.types.AuthenticatorResponse(*, client_data_JSON: bytes)
Bases: object
Authenticators respond to Relying Party requests by returning an object derived from an AuthenticatorResponse.
- client_data_JSON (bytes) – This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either navigator.credentials.create() or navigator.credentials.get().
class webauthn_rp.types.AuthenticatorSelectionCriteria(*, authenticator_attachment: Optional[webauthn_rp.types.AuthenticatorAttachment] = None, require_resident_key: bool = False, user_verification: webauthn_rp.types.UserVerificationRequirement = <UserVerificationRequirement.PREFERRED: 'preferred'>)
Bases: object
WebAuthn Relying Parties may use the AuthenticatorSelectionCriteria to specify their requirements regarding authenticator attributes.
- authenticator_attachment – If this member is present, eligible authenticators are filtered to only authenticators attached with the specified Authenticator Attachment Enumeration (enum AuthenticatorAttachment).
- require_resident_key (bool) – This member describes the Relying Party’s requirements regarding resident credentials. If the parameter is set to true, the authenticator MUST create a client-side-resident public key credential source when creating a public key credential.
- user_verification – This member describes the Relying Party’s requirements regarding user verification for the navigator.credentials.create() operation (on the client side). Eligible authenticators are filtered to only those capable of satisfying this requirement.
class webauthn_rp.types.AuthenticatorTransport(value)
Bases: enum.Enum
Authenticators may implement various transports for communicating with clients. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the WebAuthn Relying Party’s best belief as to how an authenticator may be reached. A Relying Party may obtain a list of transports hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of this specification to define that mechanism.
- USB (str) – Indicates the respective authenticator can be contacted over removable USB.
- NFC (str) – Indicates the respective authenticator can be contacted over Near Field Communication (NFC).
- BLE (str) – Indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
- INTERNAL (str) – Indicates the respective authenticator is contacted using a client device-specific transport. These authenticators are not removable from the client device.

- BLE = 'ble'
- INTERNAL = 'internal'
- NFC = 'nfc'
- USB = 'usb'
class webauthn_rp.types.COSEAlgorithmIdentifier(value: Union[int, str])
Bases: object
A COSEAlgorithmIdentifier’s value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry.
This Enum only contains algorithms that are internally supported. It can be extended upon further support. As Web Authentication mainly performs signing and verification, only algorithms that pertain to those operations are considered.
class webauthn_rp.types.COSEKeyOperation(value: Union[int, str])
Bases: object
A metaclass for the COSEKeyOperation Name and Value Enums.
Both the Name and Value Enums share the following documentation.
The COSEKeyOperation object specifies the type of operations that are permitted for the COSE Key.
- SIGN – The key is used to create signatures. Requires private key fields.
- VERIFY – The key is used for verification of signatures.
- ENCRYPT – The key is used for key transport encryption.
- DECRYPT – The key is used for key transport decryption. Requires private key fields.
- WRAP_KEY – The key is used for key wrapping.
- UNWRAP_KEY – The key is used for key unwrapping. Requires private key fields.
- DERIVE_KEY – The key is used for deriving keys. Requires private key fields.
- DERIVE_BITS – The key is used for deriving bits not to be used as a key. Requires private key fields.
- MAC_CREATE – The key is used for creating MACs.
- MAC_VERIFY – The key is used for validating MACs.
class webauthn_rp.types.COSEKeyType(value: Union[int, str])
Bases: object
A metaclass for the COSEKeyType Name and Value Enums.
Both the Name and Value Enums share the following documentation.
The COSEKeyType object defines a way to hold a single key object. It is still required that the members of individual key types be defined.
- OKP – Octet Key Pair
- EC2 – Elliptic Curve Keys with X, Y Coordinate pair
- SYMMETRIC – Symmetric Keys
class webauthn_rp.types.CollectedClientData(*, type: str, challenge: str, origin: str, token_binding: Optional[webauthn_rp.types.TokenBinding] = None)
Bases: object
The client data represents the contextual bindings of both the WebAuthn Relying Party and the client.
- type (str) – This member contains the string “webauthn.create” when creating new credentials, and “webauthn.get” when getting an assertion from an existing credential. The purpose of this member is to prevent certain types of signature confusion attacks (where an attacker substitutes one legitimate signature for another).
- challenge (str) – This member contains the base64url encoding of the challenge provided by the Relying Party.
- origin (str) – This member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in the syntax defined by RFC6454.
- token_binding (Optional[TokenBinding]) – This OPTIONAL member contains information about the state of the Token Binding protocol used when the client was communicating with the Relying Party. Its absence indicates that the client doesn’t support token binding.
-
-
class webauthn_rp.types.Coordinates(*, latitude: float, longitude: float, altitude: Optional[float] = None, accuracy: float, altitude_accuracy: Optional[float] = None, heading: Optional[float] = None, speed: Optional[float] = None)
Bases: object
The geographic coordinate reference system used by the attributes in this interface is the World Geodetic System (2d) [WGS84]. No other reference system is supported.
- latitude (float): Geographic latitude specified in decimal degrees.
- longitude (float): Geographic longitude specified in decimal degrees.
- altitude (Optional[float]): Denotes the height of the position, specified in meters above the ellipsoid established by http://earth-info.nga.mil/GandG/publications/tr8350.2/wgs84fin.pdf. If the implementation cannot provide altitude information, the value of this attribute must be null.
- accuracy (float): Denotes the accuracy level of the latitude and longitude coordinates. It is specified in meters and must be supported by all implementations. The value of the accuracy attribute must be a non-negative real number.
- altitude_accuracy (Optional[float]): Specified in meters. If the implementation cannot provide altitude information, the value of this attribute must be null. Otherwise, the value must be a non-negative real number.
- heading (Optional[float]): Denotes the direction of travel of the hosting device and is specified in degrees, where 0° ≤ heading < 360°, counting clockwise relative to the true north. If the implementation cannot provide heading information, the value of this attribute must be null. If the hosting device is stationary (i.e. the value of the speed attribute is 0), then the value of the heading attribute must be NaN.
- speed (Optional[float]): Denotes the magnitude of the horizontal component of the hosting device’s current velocity and is specified in meters per second. If the implementation cannot provide speed information, the value of this attribute must be null. Otherwise, the value of the speed attribute must be a non-negative real number.
Notes
The accuracy and altitude_accuracy values returned by an implementation should correspond to a 95% confidence level.
class webauthn_rp.types.Credential(*, id: str, type: str)
Bases: object
A credential is an object which allows a developer to make an authentication decision for a particular action.
- id (str): The credential’s identifier. The requirements for the identifier are distinct for each type of credential. It might represent a username for username/password tuples, for example.
- type (str): Specifies the credential type represented by this object.
class webauthn_rp.types.CredentialCreationOptions(*, public_key: webauthn_rp.types.PublicKeyCredentialCreationOptions)
Bases: object
The object used for registration of credentials using the navigator.credentials.create() function on the client side.
- public_key: The creation options for the public key credential.
class webauthn_rp.types.CredentialMediationRequirement(value)
Bases: enum.Enum
When making a request via get(options), developers can set a case-by-case requirement for user mediation by choosing the appropriate CredentialMediationRequirement enum value.
- SILENT = 'silent' (str): User mediation is suppressed for the given operation. If the operation can be performed without user involvement, wonderful. If user involvement is necessary, then the operation will return null rather than involving the user.
- OPTIONAL = 'optional' (str): If credentials can be handed over for a given operation without user mediation, they will be. If user mediation is required, then the user agent will involve the user in the decision.
- REQUIRED = 'required' (str): The user agent will not hand over credentials without user mediation, even if the prevent silent access flag is unset for an origin.
class webauthn_rp.types.CredentialPublicKey(*, kty: Union[webauthn_rp.types.COSEKeyType.Name, webauthn_rp.types.COSEKeyType.Value], kid: Optional[bytes] = None, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, key_ops: Optional[Sequence[Union[webauthn_rp.types.COSEKeyOperation.Name, webauthn_rp.types.COSEKeyOperation.Value]]] = None, base_IV: Optional[bytes] = None)
Bases: object
The credential public key encoded in COSE_Key format.
- kty (Union[COSEKeyType.Name, COSEKeyType.Value]): This parameter is used to identify the family of keys for this structure, and thus the set of key type specific parameters to be found. This parameter MUST be present in a key object. Implementations MUST verify that the key type is appropriate for the algorithm being processed. The key type MUST be included as part of the trust decision process.
- kid (Optional[bytes]): This parameter is used to give an identifier for a key. The identifier is not structured and can be anything from a user provided string to a value computed on the public portion of the key. This field is intended for matching against a ‘kid’ parameter in a message in order to filter down the set of keys that need to be checked.
- alg (Optional[Union[COSEAlgorithmIdentifier.Name, COSEAlgorithmIdentifier.Value]]): This parameter is used to restrict the algorithm that is used with the key. If this parameter is present in the key structure, the application MUST verify that this algorithm matches the algorithm for which the key is being used. If the algorithms do not match, then this key object MUST NOT be used to perform the cryptographic operation. Note that the same key can be in a different key structure with a different or no algorithm specified, however this is considered to be a poor security practice.
- key_ops (Optional[Sequence[Union[COSEKeyOperation.Name, COSEKeyOperation.Value]]]): This parameter is defined to restrict the set of operations that a key is to be used for. Algorithms define the values of key ops that are permitted to appear and are required for specific operations.
- base_IV (Optional[bytes]): This parameter is defined to carry the base portion of an IV. This field provides the ability to associate a partial IV with a key that is then modified on a per message basis with the partial IV. Extreme care needs to be taken when using a Base IV in an application. Many encryption algorithms lose security if the same IV is used twice.
class webauthn_rp.types.CredentialRequestOptions(*, mediation: webauthn_rp.types.CredentialMediationRequirement = <CredentialMediationRequirement.OPTIONAL: 'optional'>, public_key: webauthn_rp.types.PublicKeyCredentialRequestOptions)
Bases: object
The object used to obtain assertions using the navigator.credentials.get() function on the client side.
- mediation: Specifies the mediation requirements for a given credential request.
- public_key: The request options for the public key credential.
class webauthn_rp.types.EC2CredentialPublicKey(*, kty: Union[webauthn_rp.types.COSEKeyType.Name, webauthn_rp.types.COSEKeyType.Value], kid: Optional[bytes] = None, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, key_ops: Optional[Sequence[Union[webauthn_rp.types.COSEKeyOperation.Name, webauthn_rp.types.COSEKeyOperation.Value]]] = None, base_IV: Optional[bytes] = None, x: bytes, y: bytes, crv: Union[webauthn_rp.types.EC2Curve.Name, webauthn_rp.types.EC2Curve.Value])
Bases: webauthn_rp.types.CredentialPublicKey
The Elliptic Curve Cryptography (EC2) credential public key encoded in COSE_Key format.
- kty (Union[COSEKeyType.Name, COSEKeyType.Value]): This parameter is used to identify the family of keys for this structure, and thus the set of key type specific parameters to be found. This parameter MUST be present in a key object. Implementations MUST verify that the key type is appropriate for the algorithm being processed. The key type MUST be included as part of the trust decision process.
- kid (Optional[bytes]): This parameter is used to give an identifier for a key. The identifier is not structured and can be anything from a user provided string to a value computed on the public portion of the key. This field is intended for matching against a ‘kid’ parameter in a message in order to filter down the set of keys that need to be checked.
- alg (Optional[Union[COSEAlgorithmIdentifier.Name, COSEAlgorithmIdentifier.Value]]): This parameter is used to restrict the algorithm that is used with the key. If this parameter is present in the key structure, the application MUST verify that this algorithm matches the algorithm for which the key is being used. If the algorithms do not match, then this key object MUST NOT be used to perform the cryptographic operation. Note that the same key can be in a different key structure with a different or no algorithm specified, however this is considered to be a poor security practice.
- key_ops (Optional[Sequence[Union[COSEKeyOperation.Name, COSEKeyOperation.Value]]]): This parameter is defined to restrict the set of operations that a key is to be used for. Algorithms define the values of key ops that are permitted to appear and are required for specific operations.
- base_IV (Optional[bytes]): This parameter is defined to carry the base portion of an IV. This field provides the ability to associate a partial IV with a key that is then modified on a per message basis with the partial IV. Extreme care needs to be taken when using a Base IV in an application. Many encryption algorithms lose security if the same IV is used twice.
- x (bytes): The Elliptic Curve X Coordinate.
- y (bytes): The Elliptic Curve Y Coordinate.
- crv (Union[EC2Curve.Name, EC2Curve.Value]): The Elliptic Curve Identifier.
class webauthn_rp.types.EC2Curve(value: Union[int, str])
Bases: object
A metaclass for the EC2Curve Name and Value Enums. Both the Name and Value Enums share the following documentation.
- P_256: NIST P-256, also known as secp256r1.
- P_384: NIST P-384, also known as secp384r1.
- P_521: NIST P-521, also known as secp521r1.
webauthn_rp.types.EC2PrivateKey
alias of cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey
webauthn_rp.types.EC2PublicKey
alias of cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey
class webauthn_rp.types.ExtensionIdentifier(value)
Bases: enum.Enum
The string identifier of supported extensions.
- APPID = 'appid' (str): This extension allows WebAuthn Relying Parties that have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion. The FIDO APIs use an alternative identifier for Relying Parties called an AppID [FIDO-APPID], and any credentials created using those APIs will be scoped to that identifier. Without this extension, they would need to be re-registered in order to be scoped to an RP ID. This extension does not allow FIDO-compatible credentials to be created. Thus, credentials created with WebAuthn are not backwards compatible with the FIDO JavaScript APIs.
- TX_AUTH_SIMPLE = 'txAuthSimple' (str): This extension allows for a simple form of transaction authorization. A Relying Party can specify a prompt string, intended for display on a trusted device on the authenticator.
- TX_AUTH_GENERIC = 'txAuthGeneric' (str): This extension allows images to be used as transaction authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance.
- AUTHN_SEL = 'authnSel' (str): This extension allows a WebAuthn Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential. It is intended primarily for Relying Parties that wish to tightly control the experience around credential creation.
- EXTS = 'exts' (str): This extension enables the WebAuthn Relying Party to determine which extensions the authenticator supports.
- UVI = 'uvi' (str): This extension enables use of a user verification index.
- LOC = 'loc' (str): This extension provides the authenticator’s current location to the WebAuthn Relying Party.
- UVM = 'uvm' (str): This extension enables use of a user verification method.
- BIOMETRIC_PERF_BOUNDS = 'biometricPerfBounds' (str): This extension allows WebAuthn Relying Parties to specify the desired performance bounds for selecting biometric authenticators as candidates to be employed in a registration ceremony.
- property key
class webauthn_rp.types.FIDOU2FAttestationStatement(*, sig: bytes, x5c: Sequence[bytes])
Bases: webauthn_rp.types.AttestationStatement
The FIDO U2F Attestation Statement.
- sig (bytes): The attestation signature. The signature was calculated over the (raw) U2F registration response message received by the client from the authenticator.
- x5c (Sequence[bytes]): A single element array containing the attestation certificate in X.509 format.
class webauthn_rp.types.NoneAttestationStatement(*, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, sig: Optional[bytes] = None)
Bases: webauthn_rp.types.AttestationStatement
The None Attestation Statement. Consists of an empty object.
class webauthn_rp.types.OKPCredentialPublicKey(*, kty: Union[webauthn_rp.types.COSEKeyType.Name, webauthn_rp.types.COSEKeyType.Value], kid: Optional[bytes] = None, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, key_ops: Optional[Sequence[Union[webauthn_rp.types.COSEKeyOperation.Name, webauthn_rp.types.COSEKeyOperation.Value]]] = None, base_IV: Optional[bytes] = None, crv: Union[webauthn_rp.types.OKPCurve.Name, webauthn_rp.types.OKPCurve.Value], x: bytes)
Bases: webauthn_rp.types.CredentialPublicKey
The Octet Key Pair (OKP) credential public key encoded in COSE_Key format.
- kty (Union[COSEKeyType.Name, COSEKeyType.Value]): This parameter is used to identify the family of keys for this structure, and thus the set of key type specific parameters to be found. This parameter MUST be present in a key object. Implementations MUST verify that the key type is appropriate for the algorithm being processed. The key type MUST be included as part of the trust decision process.
- kid (Optional[bytes]): This parameter is used to give an identifier for a key. The identifier is not structured and can be anything from a user provided string to a value computed on the public portion of the key. This field is intended for matching against a ‘kid’ parameter in a message in order to filter down the set of keys that need to be checked.
- alg (Optional[Union[COSEAlgorithmIdentifier.Name, COSEAlgorithmIdentifier.Value]]): This parameter is used to restrict the algorithm that is used with the key. If this parameter is present in the key structure, the application MUST verify that this algorithm matches the algorithm for which the key is being used. If the algorithms do not match, then this key object MUST NOT be used to perform the cryptographic operation. Note that the same key can be in a different key structure with a different or no algorithm specified, however this is considered to be a poor security practice.
- key_ops (Optional[Sequence[Union[COSEKeyOperation.Name, COSEKeyOperation.Value]]]): This parameter is defined to restrict the set of operations that a key is to be used for. Algorithms define the values of key ops that are permitted to appear and are required for specific operations.
- base_IV (Optional[bytes]): This parameter is defined to carry the base portion of an IV. This field provides the ability to associate a partial IV with a key that is then modified on a per message basis with the partial IV. Extreme care needs to be taken when using a Base IV in an application. Many encryption algorithms lose security if the same IV is used twice.
- x (bytes): The Elliptic Curve X Coordinate.
- y (bytes): The Elliptic Curve Y Coordinate.
- crv (Union[OKPCurve.Name, OKPCurve.Value]): The Elliptic Curve Identifier.
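The kty, alg and key_ops rules shared by CredentialPublicKey, EC2CredentialPublicKey and OKPCredentialPublicKey above, applied as a Relying Party would before trusting a freshly registered key. This is an added Python example, not webauthn_rp's own code: it works on the decoded COSE_Key map (integer labels from RFC 8152) rather than on the library's objects, the COSE algorithm and curve identifiers in SIGNATURE_ALGS are assumed from the IANA COSE registry, and the sample keys are constructed with placeholder coordinates.

```python
from enum import Enum
from typing import Any, Dict, NamedTuple, Optional

# COSE_Key labels as they appear in the decoded CBOR map (RFC 8152). The common
# ones correspond to the kty/kid/alg/key_ops/base_IV attributes documented above;
# the negative ones are the EC2/OKP type-specific fields (crv, x, y, private d).
KTY, KID, ALG, KEY_OPS, BASE_IV = 1, 2, 3, 4, 5
CRV, X, Y, D = -1, -2, -3, -4


class KeyType(Enum):       # same members and values as COSEKeyType
    OKP = 1
    EC2 = 2
    SYMMETRIC = 4


class KeyOperation(Enum):  # same members and values as COSEKeyOperation
    SIGN = 1
    VERIFY = 2
    ENCRYPT = 3
    DECRYPT = 4
    WRAP_KEY = 5
    UNWRAP_KEY = 6
    DERIVE_KEY = 7
    DERIVE_BITS = 8
    MAC_CREATE = 9
    MAC_VERIFY = 10


# Signature algorithms an RP might list in pub_key_cred_params, with the key type
# they require and the curves (with coordinate length in bytes) valid for each.
# Assumption: numeric identifiers taken from the IANA COSE registry.
SIGNATURE_ALGS = {
    -7:  ("ES256", KeyType.EC2, {1: 32}),         # ECDSA w/ SHA-256 on P-256
    -35: ("ES384", KeyType.EC2, {2: 48}),         # ECDSA w/ SHA-384 on P-384
    -36: ("ES512", KeyType.EC2, {3: 66}),         # ECDSA w/ SHA-512 on P-521
    -8:  ("EdDSA", KeyType.OKP, {6: 32, 7: 57}),  # Ed25519, Ed448
}


class ValidatedKey(NamedTuple):
    alg_name: str
    kty: KeyType
    crv: int
    x: bytes
    y: Optional[bytes]   # EC2 only
    kid: Optional[bytes]


def validate_credential_public_key(cose_key: Dict[int, Any], expected_alg: int) -> ValidatedKey:
    """Apply the MUST rules on kty, alg and key_ops before the key enters the trust decision."""
    if expected_alg not in SIGNATURE_ALGS:
        raise ValueError(f"RP does not accept COSE algorithm {expected_alg}")
    alg_name, required_kty, curves = SIGNATURE_ALGS[expected_alg]
    # kty MUST be present and MUST be appropriate for the algorithm being processed.
    if KTY not in cose_key:
        raise ValueError("kty missing")
    kty = KeyType(cose_key[KTY])          # unknown values raise ValueError
    if kty is not required_kty:
        raise ValueError(f"kty {kty.name} is not valid for {alg_name}")
    # alg, if present, MUST match the algorithm the key is about to be used with.
    if ALG in cose_key and cose_key[ALG] != expected_alg:
        raise ValueError(f"key alg {cose_key[ALG]} does not match expected {expected_alg}")
    # key_ops, if present, restricts what the key may do; an RP only ever verifies.
    if KEY_OPS in cose_key:
        if KeyOperation.VERIFY not in {KeyOperation(op) for op in cose_key[KEY_OPS]}:
            raise ValueError("key_ops does not permit signature verification")
    # A credential public key must never carry private material or an IV.
    if D in cose_key or BASE_IV in cose_key:
        raise ValueError("private key field or base_IV present on a credential public key")
    # The curve and coordinate lengths must agree with the algorithm.
    crv = cose_key.get(CRV)
    if crv not in curves:
        raise ValueError(f"curve {crv} is not valid for {alg_name}")
    size = curves[crv]
    x = cose_key.get(X)
    if not isinstance(x, bytes) or len(x) != size:
        raise ValueError("x coordinate missing or of wrong length")
    y = None
    if kty is KeyType.EC2:
        y = cose_key.get(Y)
        if not isinstance(y, bytes) or len(y) != size:
            raise ValueError("y coordinate missing or of wrong length")
    return ValidatedKey(alg_name, kty, crv, x, y, cose_key.get(KID))


def is_rejected(cose_key: Dict[int, Any], expected_alg: int) -> bool:
    """True when the key fails validation (used to exercise the negative cases)."""
    try:
        validate_credential_public_key(cose_key, expected_alg)
    except ValueError:
        return True
    return False


# Constructed samples as they would look after CBOR decoding. The coordinate bytes
# are placeholders, not real curve points; point validation is a separate step.
SAMPLE_ES256_KEY = {KTY: 2, ALG: -7, CRV: 1, X: bytes(range(32)), Y: bytes(range(32, 64))}
SAMPLE_ED25519_KEY = {KTY: 1, CRV: 6, X: bytes(range(32)), KEY_OPS: [2]}
```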
class webauthn_rp.types.OKPCurve(value: Union[int, str])
Bases: object
A metaclass for the OKPCurve Name and Value Enums. Both the Name and Value Enums share the following documentation.
- ED25519: Ed25519 for use with EdDSA only.
- ED448: Ed448 for use with EdDSA only.
class webauthn_rp.types.Origin(scheme: str, hostname: str, port: int)
Bases: tuple
An origin as defined by the standard.
Create new instance of Origin(scheme, hostname, port)
- property hostname: Alias for field number 1
- property port: Alias for field number 2
- property scheme: Alias for field number 0
class webauthn_rp.types.PackedAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes)
Bases: webauthn_rp.types.AttestationStatement
The Packed Attestation Statement.
- alg: A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
- sig (bytes): A byte string containing the attestation signature.
class webauthn_rp.types.PackedECDAAAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, ecdaa_key_id: bytes)
Bases: webauthn_rp.types.PackedAttestationStatement
The Packed ECDAA Attestation Statement.
- alg: A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
- sig (bytes): A byte string containing the attestation signature.
- ecdaa_key_id (bytes): The identifier of the ECDAA-Issuer public key. This is the BigNumberToB encoding of the component “c” of the ECDAA-Issuer public key.
class webauthn_rp.types.PackedX509AttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, x5c: Sequence[bytes])
Bases: webauthn_rp.types.PackedAttestationStatement
The Packed X.509 Attestation Statement.
- alg: A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
- sig (bytes): A byte string containing the attestation signature.
- x5c (Sequence[bytes]): The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate MUST be the first element in the array.
class webauthn_rp.types.PublicKeyCredential(*, id: str, type: str, raw_id: bytes, response: webauthn_rp.types.AuthenticatorResponse)
Bases: webauthn_rp.types.Credential
PublicKeyCredential inherits from Credential, and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.
- id (str): The credential’s identifier. The requirements for the identifier are distinct for each type of credential. It might represent a username for username/password tuples, for example.
- type (str): Specifies the credential type represented by this object.
- raw_id (bytes): This attribute is the raw credential id.
- response: This attribute contains the authenticator’s response to the client’s request to either create a public key credential, or generate an authentication assertion. If the PublicKeyCredential is created in response to navigator.credentials.create(), this attribute’s value will be an AuthenticatorAttestationResponse; otherwise, the PublicKeyCredential was created in response to navigator.credentials.get(), and this attribute’s value will be an AuthenticatorAssertionResponse.
class webauthn_rp.types.PublicKeyCredentialCreationOptions(*, rp: webauthn_rp.types.PublicKeyCredentialRpEntity, user: webauthn_rp.types.PublicKeyCredentialUserEntity, challenge: bytes, pub_key_cred_params: Sequence[webauthn_rp.types.PublicKeyCredentialParameters], timeout: Optional[int] = None, authenticator_selection: Optional[webauthn_rp.types.AuthenticatorSelectionCriteria] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs] = None, attestation: webauthn_rp.types.AttestationConveyancePreference = <AttestationConveyancePreference.NONE: 'none'>, exclude_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None)
Bases: object
Options for Credential Creation
- rp: This member contains data about the Relying Party responsible for the request.
- user: This member contains data about the user account for which the Relying Party is requesting attestation.
- challenge (bytes): This member contains a challenge intended to be used for generating the newly created credential’s attestation object.
- pub_key_cred_params (Sequence[PublicKeyCredentialParameters]): This member contains information about the desired properties of the credential to be created. The sequence is ordered from most preferred to least preferred. The client makes a best-effort to create the most preferred credential that it can.
- timeout (int): This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and MAY be overridden by the client.
- authenticator_selection: This member is intended for use by Relying Parties that wish to select the appropriate authenticators to participate in the navigator.credentials.create() operation (on the client side).
- extensions: This member contains additional parameters requesting additional processing by the client and authenticator. For example, the caller may request that only authenticators with certain capabilities be used to create the credential, or that particular information be returned in the attestation object.
- attestation: This member is intended for use by Relying Parties that wish to express their preference for attestation conveyance.
- exclude_credentials (Sequence[PublicKeyCredentialDescriptor]): This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator. The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.
class webauthn_rp.types.PublicKeyCredentialDescriptor(*, type: webauthn_rp.types.PublicKeyCredentialType, id: bytes, transports: Optional[Sequence[webauthn_rp.types.AuthenticatorTransport]] = None)
Bases: object
The PublicKeyCredentialDescriptor contains the attributes that are specified by a caller when referring to a public key credential as an input parameter to the navigator.credentials.create() or navigator.credentials.get() methods (on the client side). It mirrors the fields of the PublicKeyCredential object returned by the latter methods.
- type: This member contains the type of the public key credential the caller is referring to.
- id (bytes): This member contains the credential ID of the public key credential the caller is referring to.
- transports (Optional[Sequence[AuthenticatorTransport]]): This OPTIONAL member contains a hint as to how the client might communicate with the managing authenticator of the public key credential the caller is referring to.
class webauthn_rp.types.PublicKeyCredentialEntity(*, name: str, icon: Optional[str] = None)
Bases: object
The PublicKeyCredentialEntity describes a user account, or a WebAuthn Relying Party, which a public key credential is associated with or scoped to, respectively.
- name (str): A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents: when inherited by PublicKeyCredentialRpEntity it is a human-palatable identifier for the Relying Party, intended only for display; when inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier for a user account. It is intended only for display, i.e., aiding the user in determining the difference between user accounts with similar displayNames.
- icon (str): A serialized URL which resolves to an image associated with the entity. For example, this could be a user’s avatar or a Relying Party’s logo. This URL MUST be an a priori authenticated URL. Authenticators MUST accept and store a 128-byte minimum length for an icon member’s value. Authenticators MAY ignore an icon member’s value if its length is greater than 128 bytes. The URL’s scheme MAY be “data” to avoid fetches of the URL, at the cost of needing more storage.
class webauthn_rp.types.PublicKeyCredentialParameters(*, type: webauthn_rp.types.PublicKeyCredentialType, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value])
Bases: object
PublicKeyCredentialParameters is used to supply additional parameters when creating a new credential.
- type: This member specifies the type of credential to be created.
- alg: This member specifies the cryptographic signature algorithm with which the newly generated credential will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
class webauthn_rp.types.PublicKeyCredentialRequestOptions(*, challenge: bytes, timeout: Optional[int] = None, rp_id: Optional[str] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs] = None, allow_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None, user_verification: Optional[webauthn_rp.types.UserVerificationRequirement] = <UserVerificationRequirement.PREFERRED: 'preferred'>)
Bases: object
The PublicKeyCredentialRequestOptions object supplies navigator.credentials.get() with the data it needs to generate an assertion (on the client side). Its challenge member MUST be present, while its other members are OPTIONAL.
- challenge (bytes): This member represents a challenge that the selected authenticator signs, along with other data, when producing an authentication assertion.
- timeout (Optional[int]): This OPTIONAL member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. The value is treated as a hint, and MAY be overridden by the client.
- rp_id (Optional[str]): This OPTIONAL member specifies the relying party identifier claimed by the caller. If omitted, its value will be the CredentialsContainer object’s relevant settings object’s origin’s effective domain.
- extensions
- allow_credentials (Optional[Sequence[PublicKeyCredentialDescriptor]]): This OPTIONAL member contains a list of PublicKeyCredentialDescriptor objects representing public key credentials acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most preferred credential, and so on down the list).
- user_verification (Optional[UserVerificationRequirement]): This OPTIONAL member describes the Relying Party’s requirements regarding user verification for the navigator.credentials.get() operation (on the client side). Eligible authenticators are filtered to only those capable of satisfying this requirement.
class webauthn_rp.types.PublicKeyCredentialRpEntity(*, name: str, icon: Optional[str] = None, id: str)
Bases: webauthn_rp.types.PublicKeyCredentialEntity
The PublicKeyCredentialRpEntity is used to supply additional Relying Party attributes when creating a new credential.
- name (str): A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents: when inherited by PublicKeyCredentialRpEntity it is a human-palatable identifier for the Relying Party, intended only for display; when inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier for a user account. It is intended only for display, i.e., aiding the user in determining the difference between user accounts with similar displayNames.
- icon (str): A serialized URL which resolves to an image associated with the entity. For example, this could be a user’s avatar or a Relying Party’s logo. This URL MUST be an a priori authenticated URL. Authenticators MUST accept and store a 128-byte minimum length for an icon member’s value. Authenticators MAY ignore an icon member’s value if its length is greater than 128 bytes. The URL’s scheme MAY be “data” to avoid fetches of the URL, at the cost of needing more storage.
- id (str): A unique identifier for the Relying Party entity. By default, the RP ID for a WebAuthn operation is set to the caller’s origin’s effective domain. This default MAY be overridden by the caller, as long as the caller-specified RP ID value is a registrable domain suffix of or is equal to the caller’s origin’s effective domain.
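The Relying Party side of the checks described for CollectedClientData (type, challenge, origin, token_binding), using an Origin tuple and the RP ID rule stated for PublicKeyCredentialRpEntity.id above. This is an added Python example, not webauthn_rp's own code: Origin is a stand-in with the same field order as webauthn_rp.types.Origin, the client data and challenge are constructed, and the "registrable domain suffix" test is simplified to a label-suffix check because it does not consult the Public Suffix List.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, NamedTuple, Optional
from urllib.parse import urlsplit


class Origin(NamedTuple):
    """Stand-in with the same shape as webauthn_rp.types.Origin(scheme, hostname, port)."""
    scheme: str
    hostname: str
    port: int


class VerifiedClientData(NamedTuple):
    type: str
    challenge: bytes
    origin: Origin
    token_binding: Optional[dict]
    client_data_hash: bytes  # SHA-256 of the raw clientDataJSON; the authenticator signs over it


def b64url_decode(text: str) -> bytes:
    """Decode base64url with or without padding (clients send the challenge unpadded)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_origin(serialized: str) -> Origin:
    """Parse an RFC 6454 serialized origin such as 'https://login.example.com'."""
    parts = urlsplit(serialized)
    if (parts.scheme not in ("https", "http") or not parts.hostname
            or parts.path or parts.query or parts.fragment):
        raise ValueError(f"malformed origin: {serialized!r}")
    default_port = 443 if parts.scheme == "https" else 80
    return Origin(parts.scheme, parts.hostname.lower(), parts.port or default_port)


def rp_id_matches(rp_id: str, hostname: str) -> bool:
    """The RP ID must equal the origin's effective domain or be a domain suffix of it.
    Simplification: the spec requires a *registrable* domain suffix, which needs the
    Public Suffix List; this check does not consult it."""
    rp_id = rp_id.lower()
    return hostname == rp_id or hostname.endswith("." + rp_id)


def verify_collected_client_data(client_data_json: bytes, *, expected_type: str,
                                 expected_challenge: bytes,
                                 allowed_origins: Iterable[Origin],
                                 rp_id: str) -> VerifiedClientData:
    """Relying Party checks on CollectedClientData for one registration or assertion."""
    data = json.loads(client_data_json.decode("utf-8"))
    # type binds the signature to create vs. get and so prevents signature confusion.
    if data.get("type") != expected_type:
        raise ValueError(f"unexpected ceremony type {data.get('type')!r}")
    # challenge must be exactly the value this RP issued for this session.
    challenge = b64url_decode(str(data.get("challenge", "")))
    if not hmac.compare_digest(challenge, expected_challenge):
        raise ValueError("challenge mismatch")
    # origin is what the client reported; it must be one of ours and within the RP ID.
    origin = parse_origin(data["origin"])
    if origin not in set(allowed_origins):
        raise ValueError(f"origin {data['origin']!r} not allowed")
    if not rp_id_matches(rp_id, origin.hostname):
        raise ValueError(f"origin {origin.hostname!r} is not within RP ID {rp_id!r}")
    # tokenBinding is OPTIONAL; absence means the client does not support it.
    token_binding = data.get("tokenBinding")
    return VerifiedClientData(data["type"], challenge, origin, token_binding,
                              hashlib.sha256(client_data_json).digest())


# Constructed sample: what a browser would send for an assertion against this RP.
SAMPLE_CHALLENGE = bytes(range(32))
SAMPLE_CLIENT_DATA = json.dumps({
    "type": "webauthn.get",
    "challenge": base64.urlsafe_b64encode(SAMPLE_CHALLENGE).rstrip(b"=").decode(),
    "origin": "https://login.example.com",
}).encode()
ALLOWED_ORIGINS = [Origin("https", "login.example.com", 443)]


def tampered_sample(**changes) -> bytes:
    """Constructed negative input: the sample client data with fields overridden."""
    data = json.loads(SAMPLE_CLIENT_DATA)
    data.update(changes)
    return json.dumps(data).encode()


def check_sample(client_data: bytes = SAMPLE_CLIENT_DATA) -> VerifiedClientData:
    return verify_collected_client_data(client_data, expected_type="webauthn.get",
                                        expected_challenge=SAMPLE_CHALLENGE,
                                        allowed_origins=ALLOWED_ORIGINS,
                                        rp_id="example.com")


if __name__ == "__main__":
    print(check_sample())
```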
class webauthn_rp.types.PublicKeyCredentialType(value)
Bases: enum.Enum
This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and attestation structures according to the type of the authenticator.
- PUBLIC_KEY = 'public-key' (str): The only credential type.
class
webauthn_rp.types.
PublicKeyCredentialUserEntity
(*, name: str, icon: Optional[str] = None, id: bytes, display_name: str)¶ Bases:
webauthn_rp.types.PublicKeyCredentialEntity
The PublicKeyCredentialUserEntity is used to supply additional user account attributes when creating a new credential.
-
name
¶ A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents:
When inherited by PublicKeyCredentialRpEntity it is a human-palatable identifier for the Relying Party, intended only for display.
When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier for a user account. It is intended only for display, i.e., aiding the user in determining the difference between user accounts with similar displayNames.
- Type
str
-
icon
¶ A serialized URL which resolves to an image associated with the entity. For example, this could be a user’s avatar or a Relying Party’s logo. This URL MUST be an a priori authenticated URL. Authenticators MUST accept and store a 128-byte minimum length for an icon member’s value. Authenticators MAY ignore an icon member’s value if its length is greater than 128 bytes. The URL’s scheme MAY be “data” to avoid fetches of the URL, at the cost of needing more storage.
- Type
str
id (bytes): The user handle of the user account entity. To ensure secure operation, authentication and authorization decisions MUST be made on the basis of this id member, not the displayName nor name members.
Since the user handle (id) is not considered personally identifying information, the Relying Party SHOULD NOT include personally identifying information, e.g., e-mail addresses or usernames, in the user handle. This includes hash values of personally identifying information, unless the hash function is salted with salt values private to the Relying Party, since hashing does not prevent probing for guessable input values. It is RECOMMENDED to let the user handle be 64 random bytes, and store this value in the user’s account.
display_name (str): A human-palatable name for the user account, intended only for display. The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary.

class webauthn_rp.types.TPMAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, ver: str, cert_info: bytes, pub_area: bytes)
Bases: webauthn_rp.types.AttestationStatement
The TPM Attestation Statement.
alg: A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
sig (bytes): A byte string containing the attestation signature.
ver (str): The version of the TPM specification to which the signature conforms.
cert_info (bytes): The TPMS_ATTEST structure over which the above signature was computed.
pub_area (bytes): The TPMT_PUBLIC structure used by the TPM to represent the credential public key.

class webauthn_rp.types.TPMECDAAAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, ver: str, cert_info: bytes, pub_area: bytes, ecdaa_key_id: bytes)
Bases: webauthn_rp.types.TPMAttestationStatement
The TPM ECDAA Attestation Statement.
alg: A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
sig (bytes): A byte string containing the attestation signature.
ver (str): The version of the TPM specification to which the signature conforms.
cert_info (bytes): The TPMS_ATTEST structure over which the above signature was computed.
pub_area (bytes): The TPMT_PUBLIC structure used by the TPM to represent the credential public key.
ecdaa_key_id (bytes): The identifier of the ECDAA-Issuer public key. This is the BigNumberToB encoding of the component “c” of the ECDAA-Issuer public key.

class webauthn_rp.types.TPMX509AttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, ver: str, cert_info: bytes, pub_area: bytes, x5c: Sequence[bytes])
Bases: webauthn_rp.types.TPMAttestationStatement
The TPM X.509 Attestation Statement.
alg: A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.
sig (bytes): A byte string containing the attestation signature.
ver (str): The version of the TPM specification to which the signature conforms.
cert_info (bytes): The TPMS_ATTEST structure over which the above signature was computed.
pub_area (bytes): The TPMT_PUBLIC structure used by the TPM to represent the credential public key.
x5c (Sequence[bytes]): The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate MUST be the first element in the array.

class webauthn_rp.types.TokenBinding(*, status: webauthn_rp.types.TokenBindingStatus, id: Optional[str] = None)
Bases: object
TokenBinding contains information about the state of the Token Binding protocol used when the client was communicating with the Relying Party.
status (TokenBindingStatus): The status of the Token Binding.
id (str): This member MUST be present if status is PRESENT, and MUST be a base64url encoding of the Token Binding ID that was used when the client was communicating with the Relying Party.

class webauthn_rp.types.TokenBindingStatus(value)
Bases: enum.Enum
The status of a Token Binding.
SUPPORTED (str): Indicates the client supports token binding, but it was not negotiated when communicating with the Relying Party.
PRESENT (str): Indicates token binding was used when communicating with the Relying Party. In this case, the id member MUST be present.
PRESENT = 'present'
SUPPORTED = 'supported'

class webauthn_rp.types.TxAuthGenericArg(*, content_type: str, content: bytes)
Bases: object
The input type of the txAuthGeneric extension.
content_type (str): MIME type of the content, e.g., “image/png”.
content (bytes): The byte string data.

class webauthn_rp.types.UserVerificationRequirement(value)
Bases: enum.Enum
A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its needs.
REQUIRED (str): This value indicates that the Relying Party requires user verification for the operation and will fail the operation if the response does not have the UV flag set.
PREFERRED (str): This value indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set.
DISCOURAGED (str): This value indicates that the Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).
DISCOURAGED = 'discouraged'
PREFERRED = 'preferred'
REQUIRED = 'required'

webauthn_rp.utils module

webauthn_rp.utils.camel_to_snake_case(s: str) → str
Convert a camel cased string into snake case.
- Parameters
s (str) – A camel cased string.
- Returns
The snake case converted string.

webauthn_rp.utils.curve_coordinate_byte_length(crv: Union[types.EC2Curve.Name, types.EC2Curve.Value, types.OKPCurve.Name, types.OKPCurve.Value]) → int
Get the fixed number of bytes that an elliptic curve coordinate takes.
- Parameters
crv (Union[types.EC2Curve.Name, types.EC2Curve.Value, types.OKPCurve.Name, types.OKPCurve.Value]) – The elliptic curve.
- Returns
The byte length.

webauthn_rp.utils.ec2_hash_algorithm(alg: Union[types.COSEAlgorithmIdentifier.Name, types.COSEAlgorithmIdentifier.Value]) → cryptography.hazmat.primitives.hashes.HashAlgorithm
Get a HashAlgorithm instance from an algorithm identifier.
- Parameters
alg (Union[types.COSEAlgorithmIdentifier.Name, types.COSEAlgorithmIdentifier.Value]) – The COSE algorithm identifier.
- Returns
A cryptography HashAlgorithm instance for the given algorithm.

webauthn_rp.utils.snake_to_camel_case(s: str) → str
Convert a snake cased string into camel case.
- Parameters
s (str) – A snake cased string.
- Returns
The camel case converted string.

webauthn_rp.utils.url_base64_decode(s: str) → bytes
Base64 decode a string using URL semantics.
- Parameters
s (str) – The string to decode.
- Returns
The base64-decoded bytes.

webauthn_rp.utils.url_base64_encode(b: bytes) → bytes
Base64 encode raw bytes using URL semantics.
- Parameters
b (bytes) – The raw bytes to encode.
- Returns
The base64-encoded bytes.
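As an added illustration of the four string helpers above (this is not the library's own code, only stand-ins carrying the same names), the following shows the two details a Relying Party actually depends on: base64url values in WebAuthn JSON carry no "=" padding and must be decoded under exactly one alphabet, and camelCase JSON field names map to snake_case attributes without splitting acronyms.

```python
import base64
import binascii
import re

# Added example, not the webauthn_rp.utils code itself: stand-ins with the same
# names, showing the padding and alphabet handling a Relying Party needs.


def url_base64_encode(b: bytes) -> bytes:
    """Base64url-encode raw bytes and drop the '=' padding WebAuthn JSON omits."""
    return base64.urlsafe_b64encode(b).rstrip(b"=")


def url_base64_decode(s: str) -> bytes:
    """Decode base64url text with or without padding; reject any other alphabet.

    Standard '+' and '/' are refused on purpose, so that exactly one textual
    form of a credential id or challenge is accepted.
    """
    s = s.rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9_-]*", s):
        raise ValueError("not base64url")
    padded = s + "=" * (-len(s) % 4)  # restore padding to a multiple of 4
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64url") from exc


_ACRONYM_RE = re.compile(r"([A-Z]+)([A-Z][a-z])")   # "TPMAttestation" -> "TPM_Attestation"
_BOUNDARY_RE = re.compile(r"([a-z0-9])([A-Z])")     # "clientData" -> "client_Data"


def camel_to_snake_case(s: str) -> str:
    """'clientDataJSON' -> 'client_data_json', keeping acronyms as one word."""
    return _BOUNDARY_RE.sub(r"\1_\2", _ACRONYM_RE.sub(r"\1_\2", s)).lower()


def snake_to_camel_case(s: str) -> str:
    """'display_name' -> 'displayName' (the reverse of camel_to_snake_case)."""
    head, *rest = s.split("_")
    return head + "".join(part.capitalize() for part in rest)
```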

webauthn_rp.validators module

webauthn_rp.validators.validate(credential_public_key: webauthn_rp.types.CredentialPublicKey) → None
webauthn_rp.validators.validate(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → None
webauthn_rp.validators.validate(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → None
Validate the format of a CredentialPublicKey.
- Parameters
credential_public_key (CredentialPublicKey) – The credential public key to validate.
- Raises
ValidationError – If the given credential public key is invalid.
UnimplementedError – If the logic to validate the given type of key is not implemented.

webauthn_rp.validators.validate_ec2_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → None
Validate the format of an EC2CredentialPublicKey.
- Parameters
credential_public_key (EC2CredentialPublicKey) – The credential public key to validate.
- Raises
ValidationError – If the given credential public key is invalid.
UnimplementedError – If the logic to validate the given type of key is not implemented.

webauthn_rp.validators.validate_okp_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → None
Validate the format of an OKPCredentialPublicKey.
- Parameters
credential_public_key (OKPCredentialPublicKey) – The credential public key to validate.
- Raises
ValidationError – If the given credential public key is invalid.
UnimplementedError – If the logic to validate the given type of key is not implemented.
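The following is an added example, not the library's implementation, covering both curve_coordinate_byte_length from the utils module and the validators above: a credential public key is rejected when a coordinate does not have the fixed length its curve requires, and (as an assumption of this example, stricter than the page states) when the declared COSE algorithm does not belong with the declared curve. The key classes and error types are constructed stand-ins for their webauthn_rp.types namesakes.

```python
from dataclasses import dataclass

# Added example, not the library's code: the key classes and errors are
# constructed stand-ins for their webauthn_rp.types namesakes.
class ValidationError(Exception): """Key fields do not fit the declared curve or alg."""
class UnimplementedError(Exception): """No validation logic for this key type or curve."""

# Fixed coordinate size in bytes per COSE curve (P-521 coordinates need 66).
_CURVE_COORDINATE_BYTES = {
    "P_256": 32, "P_384": 48, "P_521": 66,   # EC2 curves: x and y
    "ED25519": 32, "ED448": 57,              # OKP curves: public key x
}
# Assumed alg/curve pairing for EC2 keys; a stricter check than the page states.
_EC2_ALG_FOR_CURVE = {"P_256": "ES256", "P_384": "ES384", "P_521": "ES512"}

def curve_coordinate_byte_length(crv: str) -> int:
    """Stand-in for webauthn_rp.utils.curve_coordinate_byte_length."""
    try:
        return _CURVE_COORDINATE_BYTES[crv]
    except KeyError:
        raise UnimplementedError(f"unsupported curve {crv}") from None

@dataclass
class EC2CredentialPublicKey:
    alg: str
    crv: str
    x: bytes
    y: bytes

@dataclass
class OKPCredentialPublicKey:
    alg: str
    crv: str
    x: bytes

def validate(key) -> None:
    """Raise ValidationError if the key's fields do not fit its curve and alg."""
    if isinstance(key, EC2CredentialPublicKey):
        n = curve_coordinate_byte_length(key.crv)
        if len(key.x) != n or len(key.y) != n:
            raise ValidationError(f"EC2 coordinates must be {n} bytes for {key.crv}")
        if _EC2_ALG_FOR_CURVE.get(key.crv) != key.alg:
            raise ValidationError(f"{key.alg} is not the expected alg for {key.crv}")
    elif isinstance(key, OKPCredentialPublicKey):
        if key.crv not in ("ED25519", "ED448") or key.alg != "EDDSA":
            raise ValidationError("OKP signing keys must use an Ed curve with EdDSA")
        if len(key.x) != curve_coordinate_byte_length(key.crv):
            raise ValidationError("OKP public key length does not match curve")
    else:
        raise UnimplementedError(f"no validator for {type(key).__name__}")
```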

webauthn_rp.verifiers module

webauthn_rp.verifiers.verify(credential_public_key: webauthn_rp.types.CredentialPublicKey, signature: bytes, data: bytes) → None
webauthn_rp.verifiers.verify(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey, signature: bytes, data: bytes) → None
webauthn_rp.verifiers.verify(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey, signature: bytes, data: bytes) → None
Verify a signature over data using a CredentialPublicKey.
- Parameters
credential_public_key (CredentialPublicKey) – The credential public key to use for verification.
signature (bytes) – The signature to verify.
data (bytes) – The data over which the signature was computed.
- Raises
VerificationError – If the provided signature is not correct.
UnimplementedError – If the logic to verify using the given type of key is not implemented.

webauthn_rp.verifiers.verify_ec2_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey, signature: bytes, data: bytes) → None
Verify a signature over data using an EC2CredentialPublicKey.
- Parameters
credential_public_key (EC2CredentialPublicKey) – The credential public key to use for verification.
signature (bytes) – The signature to verify.
data (bytes) – The data over which the signature was computed.
- Raises
VerificationError – If the provided signature is not correct.
UnimplementedError – If the logic to verify using the given type of key is not implemented.

webauthn_rp.verifiers.verify_okp_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey, signature: bytes, data: bytes) → None
Verify a signature over data using an OKPCredentialPublicKey.
- Parameters
credential_public_key (OKPCredentialPublicKey) – The credential public key to use for verification.
signature (bytes) – The signature to verify.
data (bytes) – The data over which the signature was computed.
- Raises
VerificationError – If the provided signature is not correct.
UnimplementedError – If the logic to verify using the given type of key is not implemented.
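An added verifier in the shape of the functions above (not the library's own code), built on the cryptography package that the page's signatures already reference. The credential public key is passed as its raw COSE coordinates rather than as the library's key objects, the curve names are constructed stand-ins for its enums, and the last helper shows how the `data` argument is formed for an assertion: authenticatorData followed by the SHA-256 of clientDataJSON, as the WebAuthn specification defines it.

```python
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

# Added example, not the library's code. Keys arrive as their raw COSE
# coordinates; curve names are constructed stand-ins for the library's enums.
class VerificationError(Exception): """The signature does not verify under the key."""

_EC2_CURVES = {  # COSE curve -> (cryptography curve, ECDSA digest)
    "P_256": (ec.SECP256R1(), hashes.SHA256()),
    "P_384": (ec.SECP384R1(), hashes.SHA384()),
    "P_521": (ec.SECP521R1(), hashes.SHA512()),
}

def verify_ec2(crv: str, x: bytes, y: bytes, signature: bytes, data: bytes) -> None:
    """Verify an ECDSA signature over data with the EC2 public key (crv, x, y)."""
    curve, digest = _EC2_CURVES[crv]
    numbers = ec.EllipticCurvePublicNumbers(
        int.from_bytes(x, "big"), int.from_bytes(y, "big"), curve)
    try:  # public_key() itself rejects a point that is not on the curve
        numbers.public_key().verify(signature, data, ec.ECDSA(digest))
    except InvalidSignature as exc:
        raise VerificationError("EC2 signature does not verify") from exc

def verify_okp(x: bytes, signature: bytes, data: bytes) -> None:
    """Verify an Ed25519 signature over data with the OKP public key bytes x."""
    try:
        Ed25519PublicKey.from_public_bytes(x).verify(signature, data)
    except InvalidSignature as exc:
        raise VerificationError("OKP signature does not verify") from exc

def assertion_signed_data(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The data a WebAuthn assertion signs: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()
```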