o shO@s~ddlmZddlmZddlmZddlmZmZddl m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZddlmZddl m!Z"dd l#m$Z$dd l%m&Z&dd l'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/dd l0Z0dd l1Z1e12e3Z4e+e e5gd fZ6e+e7ge8fZ9d1ddZ:d2ddZ; d3d4ddZGd(d)d)Z?d7d-d.Z@Gd/d0d0e?ZAd S)8) annotations verify_rp_id)CoseKey)websafe_encodewebsafe_decode)CollectedClientDataAuthenticatorDataAttestationObjectAttestedCredentialDataAttestationConveyancePreferencePublicKeyCredentialRpEntityPublicKeyCredentialUserEntityAuthenticatorSelectionCriteriaPublicKeyCredentialDescriptorPublicKeyCredentialTypePublicKeyCredentialParameters"PublicKeyCredentialCreationOptions!PublicKeyCredentialRequestOptionsUserVerificationRequirementResidentKeyRequirementAuthenticatorAttachmentRegistrationResponseAuthenticationResponseCredentialCreationOptionsCredentialRequestOptions) constant_time)InvalidSignature)replace)urlparse)SequenceMappingOptionalCallableUnionTupleAnyoverloadNrp_idstrreturn VerifyOrigincs fddS)Nc t|SNror)G/var/www/html/env_mimamsha/lib/python3.10/site-packages/fido2/server.pyI z'_verify_origin_for_rp..r2r1r2r1r3_verify_origin_for_rpHs r6 challengeOptional[bytes]bytescCs@|dur td}|St|tstdt|dkrtd|S)N z)Custom challenge must be of type 'bytes'.z&Custom challenge length must be >= 16.)osurandom isinstancer9 TypeErrorlen ValueError)r7r2r2r3_validata_challengeLs   rB credentialr rcCsttj|j|S)aConverts an AttestedCredentialData to a PublicKeyCredentialDescriptor. :param credential: AttestedCredentialData containing the credential ID to use. :param transports: Optional list of AuthenticatorTransport strings to add to the descriptor. :return: A descriptor of the credential, for use with register_begin or authenticate_begin. :rtype: PublicKeyCredentialDescriptor )rr PUBLIC_KEY credential_id)rC transportsr2r2r3 to_descriptorWs rGcredsPOptional[Sequence[Union[AttestedCredentialData, PublicKeyCredentialDescriptor]]]1Optional[Sequence[PublicKeyCredentialDescriptor]]cCs|durdSdd|DS)NcSs(g|]}t|tr t|nt|qSr2)r>r rGr from_dict).0cr2r2r3 os  z%_wrap_credentials..r2)rHr2r2r3_wrap_credentialshs rOattestation_objectr client_data_hashNonecCsdS)zIgnore attestation.Nr2)rPrQr2r2r3_ignore_attestationysrSc@seZdZdZ   d8d9d d Z      d:d;ddZedd?d)d*Zed@d.d/Z edAd4d/Z d5d/Z e dBd6d7Z dS)C Fido2Servera@FIDO2 server. :param rp: Relying party data as `PublicKeyCredentialRpEntity` instance. :param attestation: (optional) Requirement on authenticator attestation. :param verify_origin: (optional) Alternative function to validate an origin. :param verify_attestation: (optional) function to validate attestation, which is invoked with attestation_object and client_data_hash. It should return nothing and raise an exception on failure. By default, attestation is ignored. Attestation is also ignored if `attestation` is set to `none`. Nrpr attestation)Optional[AttestationConveyancePreference] verify_originOptional[VerifyOrigin]verify_attestationOptional[VerifyAttestation]cCsbt||_|p t|jj|_d|_t||_ddt D|_ |p$t |_ td|jdS)NcSsg|]}ttj|qSr2)rrrD)rLalgr2r2r3rNs z(Fido2Server.__init__..z Fido2Server initialized for RP: )rrKrUr6id_verifytimeoutr rVrsupported_algorithmsallowed_algorithmsrS_verify_attestationloggerdebug)selfrUrVrXrZr2r2r3__init__s   zFido2Server.__init__userr credentialsrIresident_key_requirement Optional[ResidentKeyRequirement]user_verification%Optional[UserVerificationRequirement]authenticator_attachment!Optional[AuthenticatorAttachment]r7r8r+%Tuple[CredentialCreationOptions, Any]c Cs|jstdt|}t|}|||} tdddd|p gDtt |j t |||j|j |t|||frAt|||nd|j| | fS)avReturn a PublicKeyCredentialCreationOptions registration object and the internal state dictionary that needs to be passed as is to the corresponding `register_complete` call. :param user: The dict containing the user data. :param credentials: The list of previously registered credentials, these can be of type AttestedCredentialData, or PublicKeyCredentialDescriptor. :param resident_key_requirement: The desired RESIDENT_KEY_REQUIREMENT level. :param user_verification: The desired USER_VERIFICATION level. :param authenticator_attachment: The desired AUTHENTICATOR_ATTACHMENT or None to not provide a preference (and get both types). :param challenge: A custom challenge to sign and verify or None to use OS-specific random bytes. :return: Registration data, internal state.z!Server has no allowed algorithms.z1Starting new registration, existing credentials: , cs|]}|jVqdSr.r]hexrLdr2r2r3 z-Fido2Server.register_begin..N)rarArBrO_make_internal_statercrdjoinrrrUrrKr_anyrrV) rergrhrirkrmr7 extensions descriptorsstater2r2r3register_beginsH  zFido2Server.register_beginresponse.Union[RegistrationResponse, Mapping[str, Any]]r cCdSr.r2)rer}rr2r2r3register_completeszFido2Server.register_complete client_datar rPr cCrr.r2)rer}rrPr2r2r3rc Osd}t|dkr|s|d}n t|dhkr|s|d}|r,t|}|jj}|jj}n1ddg}tt||} i|| } t|t| @sMt| t|krQt d| |d}| |d}|j t j j krhtd||jsrtd tt|d |jstd t|jj|jjstd |jstd |dtjkr|jstd|jdtjfvrt !d|j"|#||j$|j} | j%dusJt &d| j%j'(| S)aLVerify the correctness of the registration data received from the client. :param state: The state data returned by the corresponding `register_begin`. :param client_data: The client data. :param attestation_object: The attestation object. :return: The authenticator data NrrrrrPz1incorrect arguments passed to register_complete()&Incorrect type in CollectedClientData.&Invalid origin in CollectedClientData.r7Wrong challenge in response.Wrong RP ID hash in response.User Present flag not set.rkz;User verification required, but User Verified flag not set.zVerifying attestation of type zNew credential registered: ))r@setrrKrrrPdictzipr?typer TYPECREATErAr^originrbytes_eqrr7rUid_hash auth_data rp_id_hashis_user_presentrREQUIREDis_user_verifiedrVr NONErcrdfmtrbhashcredential_datainforErs) rer}argskwargsr registrationrrPnamesposdatarr2r2r3rs^            $Tuple[CredentialRequestOptions, Any]cCsnt|}t|}|||}|durtdntdddd|Dtt||j|j j ||||fS)aRReturn a PublicKeyCredentialRequestOptions assertion object and the internal state dictionary that needs to be passed as is to the corresponding `authenticate_complete` call. :param credentials: The list of previously registered credentials, these can be of type AttestedCredentialData, or PublicKeyCredentialDescriptor. :param user_verification: The desired USER_VERIFICATION level. :param challenge: A custom challenge to sign and verify or None to use OS-specific random bytes. :return: Assertion data, internal state.Nz/Starting new authentication without credentialsz.Starting new authentication, for credentials: rpcsrqr.rrrtr2r2r3rvNrwz1Fido2Server.authenticate_begin..) rBrOrxrcrdryrrr_rUr])rerhrkr7r{r|r}r2r2r3authenticate_begin3s,   zFido2Server.authenticate_begin Sequence[AttestedCredentialData]0Union[AuthenticationResponse, Mapping[str, Any]]r cCrr.r2)rer}rhrr2r2r3authenticate_complete_rz!Fido2Server.authenticate_completerEr9r signaturecCrr.r2)rer}rhrErrrr2r2r3rhs c Osd}t|dkr|s|d}n t|dhkr|s|d}|r3t|}|j}|jj}|jj} |jj} n=gd} t t | |} i|| } t|t| @sTt| t| krXt d| | d}| | d}| | d} | | d} |j t jjkr{td ||jstd t|d |jkrtd t|jj| jstd | std|dtjkr| std|D]-}|j|krz |j | |j!| Wn t"ytdwt#$d|%|Sqtd)aVerify the correctness of the assertion data received from the client. :param state: The state data returned by the corresponding `register_begin`. :param credentials: The list of previously registered credentials. :param credential_id: The credential id from the client response. :param client_data: The client data. :param auth_data: The authenticator data. :param signature: The signature provided by the client.Nrrr)rErrrz5incorrect arguments passed to authenticate_complete()rrr7rrrrkz;User verification required, but user verified flag not set.zInvalid signature.zCredential authenticated: zUnknown credential ID.)&r@rrrKr]rrauthenticator_datarrrr?rr rGETrAr^rrr7rrrUrrrrrrrE public_keyverifyr_InvalidSignaturercrrs)rer}rhrrrauthenticationrErrrrrrcredr2r2r3rts^             cCst||dS)Nr7rk)rrr2r2r3rxsz Fido2Server._make_internal_state)NNN)rUrrVrWrXrYrZr[)NNNNNN)rgrrhrIrirjrkrlrmrnr7r8r+ro)rrr+r )rr rPr r+r )NNNN)rhrIrkrlr7r8r+r)rhrrrr+r ) rhrrEr9rr rr rr9r+r )r7r9rkrl) __name__ __module__ __qualname____doc__rfr~r(rrr staticmethodrxr2r2r2r3rTs<  D  E ,   ?rTapp_idrboolcCs<t|}|j}|jdkr|j|fdkrdS|sdSt||S)a+Checks if a FIDO U2F App ID is usable for a given origin. :param app_id: The App ID to validate. :param origin: The origin of the request. :return: True if the App ID is usable by the origin, False if not. .. deprecated:: 1.2.0 This will be removed in python-fido2 2.0. https)http localhostF)r hostnameschemer)rrurlrr2r2r3 verify_app_ids  rcsJeZdZdZ ddfd d Zfd d Zfd dZfddZZS)U2FFido2ServeraLFido2Server which can be used with existing U2F credentials. This Fido2Server can be used with existing U2F credentials by using the WebAuthn appid extension, as well as with new WebAuthn credentials. See https://www.w3.org/TR/webauthn/#sctn-appid-extension for details. :param app_id: The appId which was used for U2F registration. :param verify_u2f_origin: (optional) Alternative function to validate an origin for U2F credentials. For other parameters, see Fido2Server. .. deprecated:: 1.2.0 This will be removed in python-fido2 2.0. Nrr*rUrverify_u2f_originrYcshtj|g|Ri||r||d<nfdd|d<|_ttt|dg|Ri||_dS)NrXcr-r.)rr/rr2r3r4r5z)U2FFido2Server.__init__..)r])superrf_app_idrTrrrK_app_id_server)rerrUrrr __class__rr3rfs  zU2FFido2Server.__init__c0|j|did<tj|i|\}}||fS)Nr{ appidExclude)r setdefaultrr~rerrreqr}rr2r3r~zU2FFido2Server.register_begincr)Nr{appid)rrrrrrr2r3rrz!U2FFido2Server.authenticate_begincs:z tj|i|WSty|jj|i|YSwr.)rrrAr)rerrrr2r3rs  z$U2FFido2Server.authenticate_completer.)rr*rUrrrY) rrrrrfr~rr __classcell__r2r2rr3rs  r)r)r*r+r,)r7r8r+r9r.)rCr r+r)rHrIr+rJ)rPr rQr9r+rR)rr*rr*r+r)B __future__rrpidrcoserutilsrrwebauthnr r r r r rrrrrrrrrrrrrrrcryptography.hazmat.primitivesrcryptography.exceptionsrr dataclassesr urllib.parser typingr!r"r#r$r%r&r'r(r<logging getLoggerrrcr9VerifyAttestationr*rr,r6rBrGrOrSrTrrr2r2r2r3s4   X    (      A