o shצ@sddlmZddlmZddlmZmZddlmZm Z m Z ddl m Z m Z mZddlmZmZddlmZmZdd lmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$dd l%m&Z&dd l'm(Z(dd l)m*Z*dd l+m,Z,m-Z-ddl.m/Z/ddl0m1Z1ddl2m3Z3m4Z4ddl5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>ddl?Z?ddl@Z@ddlAZAeABeCZDGdddeEZFeFfddZGGdddeFZHddZIGdddZJGdddZKGdd d e>jLZMd?d#d$ZNGd%d&d&ZOd'd(ZPGd)d*d*e>jLZQGd+d,d,eQZRGd-d.d.eKZSe=d@d2d3ZTe=dAd5d3ZTd6d3ZTGd7d8d8eQZUGd9d:d:eMeJZVe?WXd;krRzddd>eMeJZ_dS)B) annotations)STATUS) CtapDevice CtapError)Ctap1APDU ApduError)Ctap2AssertionResponseInfo) ClientPin PinProtocol)Ctap2Extension AuthenticationExtensionProcessor)AaguidAttestationObjectCollectedClientDataPublicKeyCredentialRpEntityPublicKeyCredentialDescriptor"PublicKeyCredentialCreationOptions!PublicKeyCredentialRequestOptions%AuthenticationExtensionsClientOutputsAuthenticatorSelectionCriteriaUserVerificationRequirement AuthenticatorAttestationResponseAuthenticatorAssertionResponseAttestationConveyancePreferenceResidentKeyRequirement_as_cbor)ES256) verify_rp_id)sha256)IntEnumunique)replace)urlparse)TimerEvent)TypeAnyCallableOptionalMappingSequenceTupleoverloadNc@s6eZdZdZeGdddeZd ddZddZdS) ClientErrorzBase error raised by clients.c@s.eZdZdZdZdZdZdZdZd dd Z dS) zClientError.ERRzError codes for ClientError.rNcCs t||SN)r1)selfcauser9G/var/www/html/env_mimamsha/lib/python3.10/site-packages/fido2/client.py__call___s zClientError.ERR.__call__r6) __name__ __module__ __qualname____doc__ OTHER_ERROR BAD_REQUESTCONFIGURATION_UNSUPPORTEDDEVICE_INELIGIBLETIMEOUTr;r9r9r9r:ERRUsrENcCst||_||_dSr6)r1rEcoder8r7rFr8r9r9r:__init__bs  zClientError.__init__cCs(d|j}|jr|d|jd7}|S)NzClient error: {0} - {0.name}z (cause: ))formatrFr8)r7rr9r9r:__repr__fs zClientError.__repr__r6) r<r=r>r?r$r#rErHrLr9r9r9r:r1Rs  r1cCs|jtjjtjjfvrtjj}na|jtjjtjjtjj fvr#tjj }nN|jtjj tjj tjj fvr6tjj}n;|jtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjfvrmtjj}ntjj}|||Sr6) rFrrECREDENTIAL_EXCLUDEDNO_CREDENTIALSr1rCKEEPALIVE_CANCELACTION_TIMEOUTUSER_ACTION_TIMEOUTrDUNSUPPORTED_ALGORITHMUNSUPPORTED_OPTIONKEY_STORE_FULLrBINVALID_COMMANDCBOR_UNEXPECTED_TYPE INVALID_CBORMISSING_PARAMETERINVALID_OPTION PUAT_REQUIRED PIN_INVALID PIN_BLOCKED PIN_NOT_SETPIN_POLICY_VIOLATIONPIN_TOKEN_EXPIREDPIN_AUTH_INVALIDPIN_AUTH_BLOCKEDREQUEST_TOO_LARGEOPERATION_DENIEDrAr@)eerr_clscer9r9r:_ctap2client_errmsD     rgcs*eZdZdZejjdffdd ZZS)PinRequiredErrorz=Raised when a call cannot be completed without providing PIN.zPIN required but not providedcst||dSr6)superrHrG __class__r9r:rHszPinRequiredError.__init__) r<r=r>r?r1rErArH __classcell__r9r9rjr:rhsrhc Os|pt}|sRz||i|WSty>}z!|jtjkr.|r(|tjd}||nt j |WYd}~nd}~wt yM}zt |d}~ww|r t j r6)r(is_setr rFrUSE_NOT_SATISFIEDrUPNEEDEDwaitr1rEr@rrgrD) poll_delayevent on_keepalivefuncargskwargsrdr9r9r: _call_pollings&       rwc@s&eZdZd ddZddZd d Zd S) _BaseClientoriginstrverifyCallable[[str, str], bool]cCs||_||_dSr6)ry_verify)r7ryr{r9r9r:rHs z_BaseClient.__init__cCs6z |||jr WdSWn tyYnwtjr6)r}ry Exceptionr1rErA)r7rp_idr9r9r: _verify_rp_ids  z_BaseClient._verify_rp_idcCstj||j|dS)N)typery challenge)rcreatery)r7typrr9r9r:_build_client_datas z_BaseClient._build_client_dataNryrzr{r|)r<r=r>rHrrr9r9r9r:rxs  rxc@s<eZdZdZ ddddZdd d ZdddZdddZdS)AssertionSelectionzGetAssertion result holding one or more assertions. Since multiple assertions may be retured by Fido2Client.get_assertion, this result is returned which can be used to select a specific response to get. N client_datar assertionsSequence[AssertionResponse]cCs||_||_||_dSr6) _client_data _assertions_extension_results)r7rrextension_resultsr9r9r:rHs zAssertionSelection.__init__returncC|jS)zIGet the raw AssertionResponses available to inspect before selecting one.)rr7r9r9r:get_assertionsz!AssertionSelection.get_assertions assertionr Optional[Mapping[str, Any]]cCrr6)r)r7rr9r9r:_get_extension_resultssz)AssertionSelection._get_extension_resultsindexintrc CsH|j|}t|j|j|j|jr|jdnd|jr|jdnd||S)zGet a single response.idN)rrr auth_data signatureuser credentialr)r7rrr9r9r: get_responses zAssertionSelection.get_responser6)rrrr)rr)rr rr)rrrr)r<r=r>r?rHrrrr9r9r9r:rs rc@s8eZdZdZej ddd d Zej ddd dZdS)WebAuthnClientzMBase class for a WebAuthn client, supporting registration and authentication.NoptionsrrrOptional[Event]rrcCt)Creates a credential. :param options: PublicKeyCredentialCreationOptions data. :param threading.Event event: (optional) Signal to abort the operation. NotImplementedErrorr7rrrr9r9r:make_credential zWebAuthnClient.make_credentialrrcCr)Get an assertion. :param options: PublicKeyCredentialRequestOptions data. :param threading.Event event: (optional) Signal to abort the operation. rrr9r9r: get_assertionrzWebAuthnClient.get_assertionr6rrrrrrrrrrrrrr)r<r=r>r?abcabstractmethodrrr9r9r9r:rs rrSequence[Type[Ctap2Extension]]cCsddtDS)NcSsg|] }t|s|qSr9)inspect isabstract).0clsr9r9r: s  z'_default_extensions..)r__subclasses__r9r9r9r:_default_extensions src@s.eZdZdZdddZdd d Zdd dZdS)UserInteractionzProvides user interaction to the Client. Users of Fido2Client should subclass this to implement asking the user to perform specific actions, such as entering a PIN or touching theirrNonecCtddS)z@Called when the authenticator is awaiting a user presence check.zUser Presence check required.Nloggerinforr9r9r: prompt_upszUserInteraction.prompt_up permissionsClientPin.PERMISSIONr Optional[str]cCr)zkCalled when the client requires a PIN from the user. Should return a PIN, or None/Empty to cancel.z7PIN requested, but UserInteraction does not support it.Nrr7rrr9r9r: request_pin zUserInteraction.request_pinboolcCr)zxCalled when the client is about to request UV from the user. Should return True if allowed, or False to cancel.zUser Verification requested.Trrr9r9r: request_uv#rzUserInteraction.request_uvN)rr)rrrrrr)rrrrrr)r<r=r>r?rrrr9r9r9r:rs    rcsfdd}|S)Ncs|tjkr dSdSr6)rror)statususer_interactionr9r:rs.s  z%_user_keepalive..on_keepaliver9)rrsr9rr:_user_keepalive-s rc@sFeZdZUded<ejdddZejdddZejdddZdS)_ClientBackendr rrrrrrcCrr6rr7rrr9r9r: selection8rz_ClientBackend.selectionrrrrrprrrzenterprise_rpid_listOptional[Sequence[str]]r(rcCrr6r)r7rrrrrrrr9r9r:do_make_credential<s z!_ClientBackend.do_make_credentialrrcCrr6r)r7rrrrrr9r9r:do_get_assertionHsz_ClientBackend.do_get_assertionNrrrrr)rrrrrrrrzrrrrr(rr) rrrrrrzrrr(rr) r<r=r>__annotations__rrrrrr9r9r9r:r5s    rc@s.eZdZdddZddZd d Zd d Zd S)_Ctap1ClientBackenddevicerrrcCs2t||_tdggtjd|_d|_t||_dS)NU2F_V2versions extensionsaaguidg?) rctap1r rNONEr _poll_delayr _on_keepalive)r7rrr9r9r:rHTs z_Ctap1ClientBackend.__init__cCst|j|d|jjdddS)N )rwrrregisterrr9r9r:rZsz_Ctap1ClientBackend.selectionc Cs6|j}|j}|jp t} | j} | j} | s)| tjks)tj dd|Dvs)|j t j kr/t t jjt|} d} |p:gD]=}|j}z|j| | |dtjtyx}z|jtjkrnt|j||j|jj| | tjWYd}~q;d}~wwt !| t|j||j|jj|j"| }t#|t $|j%|j&|j't(iS)NcSsg|]}|jqSr9)alg)rpr9r9r:rvsz:_Ctap1ClientBackend.do_make_credential..rT))pub_key_cred_paramsexclude_credentialsauthenticator_selectionrrequire_resident_keyuser_verificationrREQUIREDr ALGORITHM attestationr ENTERPRISErrErSr"encoderr authenticater1r@r rFrrnrwrrrrCr from_ctap1hashrrfmtratt_stmtr)r7rrrrrrr key_params exclude_listrrkr app_param dummy_paramcred key_handlerdatt_objr9r9r:rds`             z&_Ctap1ClientBackend.do_make_credentialc Cs|j}|j}|tjks |sttjjt|}|j }|D];} zt |j ||j |j j||| j} t|| | g} t|| WStyY} z| jtjjkrOWYd} ~ qd} ~ wwtjr6)allow_credentialsrrrrrErSr"rrrwrrrrrr rrr1rFrDrC) r7rrrrr allow_listrr client_paramr auth_resprrdr9r9r:rs4     z$_Ctap1ClientBackend.do_get_assertionN)rrrr)r<r=r>rHrrrr9r9r9r:rSs   rHrrlr9r9rjr:rs rvaluesr.listcCdSr6r9r r9r9r: _cbor_listrrcCr r6r9r r9r9r:rrcCs|sdSdd|DS)NcSsg|]}t|qSr9)r)rvr9r9r:rsz_cbor_list..r9r r9r9r:rsc@sXeZdZdd d Zdd d ZddZddZddZddZddZ ddZ ddZ dS)_Ctap2ClientBackendrrrrextension_typesrrSequence[Ctap2Extension]cCs*t||_|jj|_||_||_||_dSr6)r ctap2r_extension_typesrr)r7rrrrr9r9r:rHs   z_Ctap2ClientBackend.__init__rcs jrjSfddjDS)Ncsg|]}|jqSr9)r)rrrr9r:rsz7_Ctap2ClientBackend._get_extensions..)rrrr9rr:_get_extensionssz#_Ctap2ClientBackend._get_extensionsc s |jjrfddD|jjpdfddtdtD}d}|r3|||} |j} nd} d} |D]I} z-|jj||t | dddi| | ||d } t| dkr\| dWSt d i| dj WSt y} z| j t jjkr}WYd} ~ q9d} ~ wwdS) Ncsg|] }t|jkr|qSr9)lenr)rc)max_lenr9r:rsz5_Ctap2ClientBackend._filter_creds..rcsg|] }||qSr9r9)ri) cred_list max_credsr9r:rsrrupFrrrsr9)rmax_cred_id_lengthmax_creds_in_listrangerrVERSIONrrrrrrrFrErN)r7rr pin_protocolrrrrschunksclient_data_hashpin_authversionchunkrrdr9)rrrr: _filter_credssH     z!_Ctap2ClientBackend._filter_credsc Csd|jjvr|jj|ddSz|jjddddddddd d gd |d WdStyJ}z|jtjjtjj tjj fvrEWYd}~dSd}~ww) NFIDO_2_1)rrrz example.com)rnamesdummydummyz public-keyi)rr) pin_uv_paramrr) rrrrrrrFrEr]r[r`r7rrrdr9r9r:r,s*   z_Ctap2ClientBackend.selectioncstfdddD}tfdddD}tjj|@dk}|tjjtjjB@}|tjks<|tjkr5|s<jj drF|sDt j ddS|rS|rSjj d sSdS|rY|rYdSd S) Nc3s|] }|jjvVqdSr6)rrrkrr9r: Ds  z5_Ctap2ClientBackend._should_use_uv..)uv clientPin bioEnrollc3s|] }jj|VqdSr6)rrgetr0rr9r:r2Gs ralwaysUvz*User verification not configured/supportedTmakeCredUvNotRqdF)anyr PERMISSIONMAKE_CREDENTIAL GET_ASSERTIONrr PREFERREDrrr6r1rErB)r7rr uv_supported uv_configuredmcadditional_permsr9rr:_should_use_uvCs4     z"_Ctap2ClientBackend._should_use_uvcCs|jjdr(t|jr|j||r|||||Sn |r(|j||r(dS|jjdrB|j||}|r?| |||St t j d)Nr3r4z User verification not configured)rrr6r is_token_supportedrr get_uv_tokenr get_pin_tokenrhr1rErB)r7 client_pinrrrrrsallow_internal_uvpinr9r9r: _get_tokenbs$ z_Ctap2ClientBackend._get_tokenc Csj|j|_d}d}|||r1t|j|} |tjjtjjB@dk} || ||||| }|s1d}||fS)NFrT) rget_inforrBr r:r;r<rI) r7r#rrrrrrsr internal_uvrFrGr9r9r:_get_auth_params|s(    z$_Ctap2ClientBackend._get_auth_paramscs |j |j|j|jpt jt jd|jt j kr3 j j dr3|dur1 |vr0dndtjD]}|j j jvrD|nq6dtjjrStjjOg D]}| j|} | ro | | jOqY fdd} jj} d} z| \} }WnBty}z6|jtjjkrtj krtj!WYd}~qt"| dd}|jtjj#kr|r| s| $|d} WYd}~qd}~wwi}z D]} | %| |}|dur|&|qWnt'y}zt(j)|d}~wwt*t+,| j-| j.| j/t0|S) Nepr2rc sf  \}}r  |}nd}i}z D]}||}|r.||q WntyB}ztj|d}~ww jj d} j t j kpW j t jkoW|}|s_|s_d} ni} |ro|sktjdd| d<|rud| d<j} r|r|| jf} nd} jj| tt dt t|rt|gnd|pd| g| Rd|fS)NrzResident key not supportedTr3NN)rr)rLr)prepare_inputsrrr1rErBrrr6 resident_keyrrr=rrr"rrrr%r) rrK exclude_credextension_inputsr auth_inputrdcan_rkrrr%r&renterprise_attestationrrrrrsrr#rrrr7used_extensionsrrr9r:_do_makesv          z8_Ctap2ClientBackend.do_make_credential.._do_makeFTconnect)1rrrrrrrrrrrrrr6r PROTOCOLSr"pin_uv_protocolsr:r;r<rrrappendrrrrFrErZr DISCOURAGEDrgetattrracloserrrr1rBrrrrrrr)r7rrrrrrrprotordrrXdev reconnectedrrrYrr r9rUr:rs         (H        z&_Ctap2ClientBackend.do_make_credentialc s@|j|j|j tjtjD]}|jjj vr|nqdtj j g D]}| j|}|rB||jOq, f dd}jj} d} z|WSty}z6|jtjjkrz tjkrztj WYd}~qXt| dd} |jtjjkr| r| s| | d} WYd}~qXd}~ww)Nc s \}}r|}nd}i}zD]}|||}|r/||q WntyC}ztj|d}~ww|rJddind}j}r]|r] ||j f} nd} rk|skt dj d}j j||rwt|gnd|p{d|g| Rd} t| |S)Nr3TrNrr)rLr)rOrrr1rErBrrr"rrrrrr) rrK selected_credrRrinputsrdrr%r&r rrrrrsrr#rr7rWrr9r:_do_authZsX       z6_Ctap2ClientBackend.do_get_assertion.._do_authFTrY)rrrrrr rZr"rr[r:r<rrrr\rrrrFrErZrr]rr^rar_) r7rrrrrr`rdrrgrarbrYr9rfr:r:sT     ;    z$_Ctap2ClientBackend.do_get_assertionN)rrrrrrrr)rr) r<r=r>rHrr)rrBrIrLrrr9r9r9r:rs  0 'rcspeZdZdZeeegfd'fdd Zed(ddZ d)d*ddZ d+ddZ d)d,d!d"Z d)d-d%d&Z ZS). Fido2Clienta>WebAuthn-like client implementation. The client allows registration and authentication of WebAuthn credentials against an Authenticator using CTAP (1 or 2). :param device: CtapDevice to use. :param str origin: The origin to use. :param verify: Function to verify an RP ID for a given origin. rrryrzr{r|rrrrrrc sPt||d|_z t|||||_WdSttfy't|||_YdSwr6)rirH_enterprise_rpid_listr_backendrrr)r7rryr{rrrrjr9r:rHs  zFido2Client.__init__rr cCs|jjSr6)rjrrr9r9r:rszFido2Client.infoNrrrrc Cs4z |j|WdSty}zt|d}~wwr6)rjrrrgr/r9r9r:rs zFido2Client.selectionrrcCs8|durt|j}|jdks|jstjd|jS|S)Nhttpsz$RP ID required for non-https origin.)r&ryschemenetlocr1rErA)r7rurlr9r9r: _get_rp_ids zFido2Client._get_rp_idrrrc Cst|}|p t}|jrt|jd|j}d|_||j}| |j }t d|| ||tjj|j}z'z|j|||||j|WW|jrS|SStyc}zt|d}~ww|jrl|ww)rT%Register a new credential for RP ID: N)r from_dictr(timeoutr'setdaemonstartrrorrdebugrrrTYPECREATErrjrricancelrrg)r7rrrtimerrrrrdr9r9r:rs@      zFido2Client.make_credentialrrc Cst|}|p t}|jrt|jd|j}d|_|||j }t d|| || tjj|j}z$z|j||||WW|jrM|SSty]}zt|d}~ww|jrf|ww)rrpTAssert a credential for RP ID: N)rrrr(rsr'rtrurvrorrrwrrrrxGETrrjrrzrrg)r7rrrr{rrrdr9r9r:rs:      zFido2Client.get_assertion) rrryrzr{r|rrrrrr)rr r6r)rrrrzrr)r<r=r>r?r!rrrHpropertyrrrorrrlr9r9rjr:rhs    .rhwindows)WinAPIWebAuthNAuthenticatorAttachment#WebAuthNUserVerificationRequirement'WebAuthNAttestationConveyancePreferenceWebAuthNEnterpriseAttestationcsLeZdZdZeddfdfdd Zedd d ZdddZdddZ Z S) WindowsClientanFido2Client-like class using the Windows WebAuthn API. Note: This class only works on Windows 10 19H1 or later. This is also when Windows started restricting access to FIDO devices, causing the standard client classes to require admin priveleges to run (unlike this one). The make_credential and get_assertion methods are intended to work as a drop-in replacement for the Fido2Client methods of the same name. :param str origin: The origin to use. :param verify: Function to verify an RP ID for a given origin. :param ctypes.wintypes.HWND handle: (optional) Window reference to use. NFryrzr{r|cs>t||t|d|d|_tddggtjd|_d|_dS)NT)return_extensionsallow_hmac_secretrFIDO_2_0r) rirHrapir rrrri)r7ryr{handlerrjr9r:rHUs  zWindowsClient.__init__rrcCstdko tjdkS)Nrr)platformsystemlowerrr'r9r9r9r: is_availablegszWindowsClient.is_availablec Cs>t|}td|jj||jj|tj j |j }|j p$t }tj}|jtjkrLtj}|jjdrK|jdurH|jj|jvrGtj}n tj}nt|jpRd}z+|j|j|j|j||j pcd|j!t"|j#pkdt$|j%prd||j&|j'|| \}}Wnt(y} zt)j*+| d} ~ wwtdt,||t-|S) zCreate a credential using Windows WebAuthN APIs. :param options: PublicKeyCredentialCreationOptions data. :param threading.Event event: (optional) Signal to abort the operation. rqrMNnonerr9 discouragedzNew credential registered).rrrrrwrrrrrrxryrrrrrrrrrANYrrr6riPLATFORM_MANAGEDVENDOR_FACILITATED from_stringrrrrrsrPrauthenticator_attachmentrrrrOSErrorr1rEr@rr) r7rrrrrrVrrrrdr9r9r:rksd         zWindowsClient.make_credentialc Cst|}td|j||j|tjj |j }z!|j |j||j p(dtjt|jp0d|j|j|\}}}}}WntyP} ztj| d} ~ ww|rWd|ind} t|t|||| dgt|S)zGet assertion using Windows WebAuthN APIs. :param options: PublicKeyCredentialRequestOptions data. :param threading.Event event: (optional) Signal to abort the operation. r|rrNr)rrrr)rrrrrwrrrrrxr}rrrrsrrrrrrrrr1rEr@rr r) r7rrrrrrruser_idrrdrr9r9r:rsH    zWindowsClient.get_assertionr)rrr6) r<r=r>r?r!rH staticmethodrrrrlr9r9rjr:rFs  Br)rr)r r.rr )r rrr)` __future__rhidrctaprrrrrr rr r r ctap2.pinr rctap2.extensionsrrwebauthnrrrrrrrrrrrrrrrcoser rpidr!utilsr"enumr#r$ dataclassesr% urllib.parser& threadingr'r(typingr)r*r+r,r-r.r/r0rrrlogging getLoggerr<rr~r1rgrhrwrxrABCrrrrrrrrrrhrrwin_apirrrrrrr9r9r9r:sh  D     (   ' ( o  J