o shO"@sddlmZddlmZmZddlmZmZddlm Z ddl m Z ddl m Z mZmZddlmZdd lmZdd lmZdd lmZmZmZmZmZmZdd lZGd ddeZ Gddde Z!Gddde ZGddde Z"Gddde Z#eGdddeZ$eGdddZ%ddZ&e&d/d!d"Z'Gd#d$d$ej(Z)Gd%d&d&e)Z*Gd'd(d(e)Z+d)d*Z,d+d,Z-Gd-d.d.ej(Z.d S)0) annotations)AuthenticatorDataAttestationObject)IntEnumunique)x509)default_backend)paddingecrsa)InvalidSignature) dataclasswraps)ListTypeMappingSequenceOptionalAnyNc@eZdZdZdS)InvalidAttestationz.Base exception for attestation-related errors.N__name__ __module__ __qualname____doc__rrQ/var/www/html/env_mimamsha/lib/python3.10/site-packages/fido2/attestation/base.pyr+rc@r) InvalidDataz"Attestation contains invalid data.Nrrrrrr!/r r!c@r)r z7The signature of the attestation could not be verified.Nrrrrrr 3r r c@r)UntrustedAttestationz)The CA of the attestation is not trusted.Nrrrrrr"7r r"cs"eZdZdZdfdd ZZS)UnsupportedTypez(The attestation format is not supported.Ncs,t|r d|dnd||_||_dS)NzAttestation format "z" is not supportedz)This attestation format is not supported!)super__init__ auth_datafmt)selfr&r' __class__rrr%>s zUnsupportedType.__init__N)rrrrr% __classcell__rrr)rr#;sr#c@s$eZdZdZdZdZdZdZdZdS)AttestationTypezSupported attestation types.rrN) rrrrBASICSELFATT_CAANON_CANONErrrrr-Hsr-c@s"eZdZUdZded<ded<dS)AttestationResultz'The result of verifying an attestation.r-attestation_type List[bytes] trust_pathN)rrrr__annotations__rrrrr6Ss  r6cstfdd}|S)zDUtility decoractor to wrap common exceptions related to InvalidData.c s8z|i|WStttfy}zt|d}~wwr+) ValueErrorKeyError IndexErrorr!)argskwargsefrrinner^s zcatch_builtins..innerr)rBrCrrArcatch_builtins[srDchainr8returnNonecCsdd|D}|d}|rd|}|d}|}zosz%verify_x509_chain..rNzUnsupported signature key type)pop public_key isinstancer RSAPublicKeysignature_hash_algorithmverify signaturetbs_certificate_bytesr PKCS1v15r EllipticCurvePublicKeyECDSAr;_InvalidSignaturer )rEcertscertchildpubrrrverify_x509_chainhs8       r\c@s.eZdZdZejdd d ZedddZdS) Attestationz7Implements verification of a specific attestation type. statementMapping[str, Any]r&rclient_data_hashbytesrFr6cCsdS)z^Verifies attestation statement. :return: An AttestationResult if successful. Nrr(r^r&r`rrrrQszAttestation.verifyr'strType[Attestation]cs>tD]}t|ddkr|SqGfdddt}|S)z6Get an Attestation subclass type for the given format.FORMATNcseZdZfddZZS)z9Attestation.for_type..TypedUnsupportedAttestationcstdSr+)r$r%)r()r*r'rrr%zBAttestation.for_type..TypedUnsupportedAttestation.__init__)rrrr%r,rr'r)rTypedUnsupportedAttestationsrh)r]__subclasses__getattrUnsupportedAttestation)r'clsrhrrgrfor_types zAttestation.for_typeN)r^r_r&rr`rarFr6)r'rcrFrd) rrrrabcabstractmethodrQ staticmethodrmrrrrr]s   r]c@seZdZdddZddZdS)rkNcCs ||_dSr+rg)r(r'rrrr%s zUnsupportedAttestation.__init__cCs t||jr+)r#r'rbrrrrQs zUnsupportedAttestation.verifyr+)rrrr%rQrrrrrks  rkc@seZdZdZddZdS)NoneAttestationnonecCs|ikrtdttjgS)Nz*None Attestation requires empty statement.)r!r6r-r5rbrrrrQs zNoneAttestation.verifyN)rrrrerQrrrrrqs rqcCsT|jtjjkr tdz|jtj}|jj rtdWdStj y)tdw)Nz+Attestation certificate must use version 3!z+Attestation certificate must have CA=false!z4Attestation certificate must have Basic Constraints!) versionrVersionv3r! extensionsget_extension_for_classBasicConstraintsvaluecaExtensionNotFound)rYbcrrr_validate_cert_commonsr}cCsddtDS)NcSs"g|] }t|dddkr|qS)rerr)rj)rIrlrrrrKs z)_default_attestations..)r]rirrrr_default_attestationssr~c@s>eZdZdZddddZejdd dZdddZddZ dS)AttestationVerifierzBase class for verifying attestation. Override the ca_lookup method to provide a trusted root certificate used to verify the trust path from the attestation. Nattestation_typesOptional[Sequence[Attestation]]cCs|pt|_dSr+)r~_attestation_types)r(rrrrr%rfzAttestationVerifier.__init__attestation_resultr6r&rrFOptional[bytes]cCst)zLookup a CA certificate to be used to verify a trust path. :param attestation_result: The result of the attestation :param auth_data: The AuthenticatorData from the registration )NotImplementedError)r(rr&rrr ca_lookups zAttestationVerifier.ca_lookupattestation_objectrr`rarGc Cst|j}|jD]}t|dd|jkr|}nq||j|j|}|||j}|s.tdz t |j |gWdSt yI}zt|d}~ww)zVerify attestation. :param attestation_object: dict containing attestation data. :param client_data_hash: SHA256 hash of the ClientData bytes. reNzNo root found for Authenticator) rkr'rrjrQatt_stmtr&rr"r\r9r )r(rr` att_verifieratresultrzr@rrrverify_attestations(  z&AttestationVerifier.verify_attestationcGs|j|dS)z?Allows passing an instance to Fido2Server as verify_attestationN)r)r(r>rrr__call__szAttestationVerifier.__call__r+)rr)rr6r&rrFr)rrr`rarFrG) rrrrr%rnrorrrrrrrrs   !r)rEr8rFrG)/ __future__rwebauthnrrenumrr cryptographyrcryptography.hazmat.backendsr )cryptography.hazmat.primitives.asymmetricr r r cryptography.exceptionsr rW dataclassesr functoolsrtypingrrrrrrrn Exceptionrr!r"r#r-r6rDr\ABCr]rkrqr}r~rrrrrs:          "