o sh~@sDddlmZddlmZmZmZddlmZmZddl m Z ddl m Z m Z mZddlmZmZmZmZmZdd lmZmZdd lmZdd lmZmZmZmZmZdd l Z dd l!Z!Gd dde j"Z#Gddde#Z$Gddde#Z%Gddde j"Z&edddGdddeZ'edddGdddeZ(ddZ)edddGdddeZ*edddGd d!d!eZ+edddGd"d#d#eZ,Gd$d%d%e&Z-edddGd&d'd'eZ.edddGd(d)d)eZ/Gd*d+d+e&Z0Gd,d-d-e&Z1Gd.d/d/e&Z2Gd0d1d1e&Z3edddGd2d3d3eZ4Gd4d5d5e&Z5d S)6) annotations)AttestationResponseAssertionResponseCtap2) ClientPin PinProtocol) LargeBlobs)sha256websafe_encode_JsonDataObject)PublicKeyCredentialDescriptor"PublicKeyCredentialCreationOptions!PublicKeyCredentialRequestOptionsAuthenticatorSelectionCriteriaResidentKeyRequirement)Enumunique) dataclass)DictTupleAnyOptionalMappingNc@s(eZdZdZedddfd d d ZdS) ExtensionProcessorzBase class for CTAP2 extension processing. See: :class:`RegistrationExtensionProcessor` and :class:`AuthenticationExtensionProcessor`. rN permissionsClientPin.PERMISSIONinputsOptional[Dict[str, Any]]outputscCs||_||_||_dSN)r_inputs_outputs)selfrrr r%Q/var/www/html/env_mimamsha/lib/python3.10/site-packages/fido2/ctap2/extensions.py__init__7s zExtensionProcessor.__init__)rrrrr r)__name__ __module__ __qualname____doc__r PERMISSIONr'r%r%r%r&r0s rc@s$eZdZdZd ddZdd d Zd S)RegistrationExtensionProcessoraProcessing state for a CTAP2 extension, for single use. The ExtensionProcessor holds state and logic for client processing of an extension, for a registration (MakeCredential) call. :param permissions: PinUvAuthToken permissions required by the extension. :param inputs: Default authenticator inputs, if prepare_inputs is not overridden. :param outputs: Default client outputs, if prepare_outputs is not overridden. pin_tokenOptional[bytes]returnrcC|jSzLPrepare authenticator extension inputs, to be passed to the Authenenticator.r"r$r.r%r%r&prepare_inputsMsz-RegistrationExtensionProcessor.prepare_inputsresponsercCr1z?Prepare client extension outputs, to be returned to the caller.r#r$r6r.r%r%r&prepare_outputsQz.RegistrationExtensionProcessor.prepare_outputsN)r.r/r0r)r6rr.r/r0rr(r)r*r+r5r:r%r%r%r&r-Bs r-c@s$eZdZdZddd Zdd d ZdS) AuthenticationExtensionProcessoraProcessing state for a CTAP2 extension, for single use. The ExtensionProcessor holds state and logic for client processing of an extension, for an authentication (GetAssertion) call. :param permissions: PinUvAuthToken permissions required by the extension. :param inputs: Default authenticator inputs, if prepare_inputs is not overridden. :param outputs: Default client outputs, if prepare_outputs is not overridden. selected'Optional[PublicKeyCredentialDescriptor]r.r/r0rcCr1r2r3)r$r>r.r%r%r&r5er;z/AuthenticationExtensionProcessor.prepare_inputsr6rcCr1r7r8r9r%r%r&r:mr;z0AuthenticationExtensionProcessor.prepare_outputsN)r>r?r.r/r0r)r6rr.r/r0rr<r%r%r%r&r=Zs r=c@seZdZUdZdZded<d7d8ddZed9d d Zd7d:ddZ d;ddZ dd!d"Z d?d$d%Zd@d+d,Zd=d-d.Zd>d/d0Zd?d1d2ZdAd5d6ZdS)BCtap2ExtensionaQBase class for CTAP2 extensions. As of python-fido2 1.2 these instances can be used for multiple requests and should be invoked via the make_credential and get_assertion methods. Subclasses are instantiated for a single request, if the Authenticator supports the extension. From python-fido2 2.0 the following methods will be fully removed: get_create_permissions, process_create_input, process_create_output, process_create_input_with_permissions, get_get_permissions, process_get_input, process_get_output, process_get_input_with_permissions. The following changes will also be made: :func:`__init__` will no longer allow passing a ctap2 instance. :func:`is_supported` will require a ctap2 instance to be passed. :attr:`NAME` and :attr:`ctap` will be removed. NstrNAMEctapOptional[Ctap2]cCs|rtdt||_dS)Nz5Calling __init__ with a Ctap2 instance is deprecated.)warningswarnDeprecationWarning_ctapr$rCr%r%r&r's  zCtap2Extension.__init__r0rcCs|j}|s td|S)NzDAccessed self.ctap when no ctap instance has been passed to __init__)rH ValueErrorrIr%r%r&rCs zCtap2Extension.ctapboolcCs4|stdt|p |j}|std|j|jjvS)z?Whether or not the extension is supported by the authenticator.z.Processorcs(}|du|_|jrj|iSdSr!)process_create_input _has_inputrB)r$r. processedextrr%r&r5  z@Ctap2Extension.make_credential..Processor.prepare_inputscs|jr ||}|SdSr!)rVprocess_create_output)r$r6r.rWrYrQr%r&r:s zACtap2Extension.make_credential..Processor.prepare_outputsNr(r)r*r5r:r%rYrrQr%r& Processorsr_)rErFrGdictrNrHr-get_create_permissionsr$rCrPrQr_r%r^r&make_credentials  zCtap2Extension.make_credentialr*Optional[AuthenticationExtensionProcessor]crT)z5Start client extension processing for authentication.zDThis extension does not override get_assertion, which is deprecated.cs2eZdZUded<fddZfddZdS)z/Ctap2Extension.get_assertion..ProcessorrKrVcs(}|du|_|jrj|iSdSr!)process_get_inputrVrB)r$r>r.rWrXr%r&r5rZz>Ctap2Extension.get_assertion..Processor.prepare_inputscs|jr ||SdSr!)rVprocess_get_outputr9r\r%r&r:sz?Ctap2Extension.get_assertion..Processor.prepare_outputsN)r(r)r*__annotations__r5r:r%r^r%r&r_s r_)rErFrGr`rNrHr=get_get_permissionsrbr%r^r& get_assertions  zCtap2Extension.get_assertionrDict[str, Any]rcC tdS)zGet PinUvAuthToken permissions required for Registration. .. deprecated:: 1.2.0 Implement :func:`make_credential` instead. rrr,r$rr%r%r&ras z%Ctap2Extension.get_create_permissionsrcCdS)zReturns a value to include in the authenticator extension input, or None. .. deprecated:: 1.2.0 Implement :func:`make_credential` instead. Nr%rmr%r%r&rUz#Ctap2Extension.process_create_input Tuple[Any, ClientPin.PERMISSION]cC tdt||||fS)z^ .. deprecated:: 1.2.0 Implement :func:`make_credential` instead. z1This method is deprecated, use make_credential().)rErFrGrUrarmr%r%r&%process_create_input_with_permissionssz4Ctap2Extension.process_create_input_with_permissionsattestation_responsertokenr/rcCrn)zReturn client extension output given attestation_response, or None. .. deprecated:: 1.2.0 Implement :func:`make_credential` instead. Nr%)r$rsrtrQr%r%r&r[  z$Ctap2Extension.process_create_outputcCrk)[ .. deprecated:: 1.2.0 Implement :func:`get_assertion` instead. rrlrmr%r%r&rhs z"Ctap2Extension.get_get_permissionscCrn)zReturns a value to include in the authenticator extension input, or None. .. deprecated:: 1.2.0 Implement :func:`get_assertion` instead. Nr%rmr%r%r&re roz Ctap2Extension.process_get_inputcCrq)rvz/This method is deprecated, use get_assertion().)rErFrGrerhrmr%r%r&"process_get_input_with_permissions)sz1Ctap2Extension.process_get_input_with_permissionsassertion_responsercCrn)zReturn client extension output given assertion_response, or None. .. deprecated:: 1.2.0 Implement :func:`get_assertion` instead. Nr%)r$rxrtrQr%r%r&rf5ruz!Ctap2Extension.process_get_outputr!)rCrD)r0r)rCrDr0rK)rCrrPrrQrRr0rS)rCrrPrrQrRr0rd)rrjr0r)rrjr0r)rrjr0rp)rsrrtr/rQrRr0r)rxrrtr/rQrRr0r)r(r)r*r+rBrgr'propertyrCrOrcrirarUrrr[rhrerwrfr%r%r%r&r@ws"      ! !     r@FT)eqfrozenc@&eZdZUdZded<dZded<dS)HMACGetSecretInputzClient inputs for hmac-secret.bytessalt1Nr/salt2)r(r)r*r+rgrr%r%r%r&r}C r}c@r|)HMACGetSecretOutputzClient outputs for hmac-secret.r~output1Nr/output2)r(r)r*r+rgrr%r%r%r&rKrrcCs td|S)Ns WebAuthn PRF)r )secretr%r%r& _prf_saltSs rc@r|) AuthenticatorExtensionsPRFValueszSalt values for use with prf.r~firstNr/second)r(r)r*r+rgrr%r%r%r&rWrrc@*eZdZUdZdZded<dZded<dS) AuthenticatorExtensionsPRFInputszClient inputs for prf.N*Optional[AuthenticatorExtensionsPRFValues]evalz8Optional[Mapping[str, AuthenticatorExtensionsPRFValues]]eval_by_credential)r(r)r*r+rrgrr%r%r%r&r_  rc@r)!AuthenticatorExtensionsPRFOutputszClient outputs for prf.NOptional[bool]enabledrresults)r(r)r*r+rrgrr%r%r%r&rgrrcsZeZdZdZdZdZdfdd Zdd Zd d Zd d Z ddZ ddZ ddZ Z S)HmacSecretExtensiona Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions. The hmac-secret extension is not directly available to clients by default, instead the prf extension is used. https://www.w3.org/TR/webauthn-3/#prf-extension https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-hmac-secret-extension :param allow_hmac_secret: Set to True to allow hmac-secret, in addition to prf. z hmac-secret NFcs,t||rtdt||_||_dS)Nz_Initializing HmacSecretExtension with pin_protocol is deprecated, pin_protocol will be ignored.)superr'rErFrGrQ_allow_hmac_secret)r$rCrQallow_hmac_secret __class__r%r&r's  zHmacSecretExtension.__init__cs`|jpi}|ddu|jo|ddu}||r,s|r.Gfdddt}|SdSdS)NprfhmacCreateSecretTcs eZdZddZfddZdS)z6HmacSecretExtension.make_credential..ProcessorcS tjdiSNT)rrBr4r%r%r&r5 zEHmacSecretExtension.make_credential..Processor.prepare_inputscs4|jjpi}|tjd}rdt|diSd|iS)NFr)rr) auth_datarNgetrrBr)r$r6r.rNrrr%r&r:s  zFHmacSecretExtension.make_credential..Processor.prepare_outputsNr]r%rr%r&r_sr_)rNrrrOr-)r$rCrPrQrhmacr_r%rr&rcs z#HmacSecretExtension.make_credentialcsjpi}t|d|jrt|dndrC||rEs%rGt|\Gfdddt }|SdSdSdS)Nr hmacGetSecretcs2eZdZfddZfddZdS)z5HmacSecretExtension.get_assertion..Processingc srHj}j}|r2j}|stddd|D}||s#td|r2t|j}||vr2||}|s6dSt|j|j durDt|j ndf}ndusNJj j pTdf}t |dt jkrl|drpt |dt jksptd|d|d} | } t j| | jd iS) Nz+evalByCredentials requires allowCredentialscSsh|]}t|jqSr%)r id).0cr%r%r& szWHmacSecretExtension.get_assertion..Processing.prepare_inputs..z&evalByCredentials contains invalid keyrrInvalid salt lengthrr )rrallow_credentialsrJ issupersetr rrrrrrlenrSALT_LENencrypt authenticaterBVERSION) r$r>r.secretsby_creds allow_listidskeysaltssalt_enc salt_auth)r key_agreementrPrQr shared_secretr%r&r5sR      zDHmacSecretExtension.get_assertion..Processing.prepare_inputscsv|jjpi}|tj}|r&j|}|dtj}|tjdp$d}ndSr4dtt ||diSdt ||iS)Nr)rr) rrNrrrBprotocoldecryptrrrr)r$r6r.rNvalue decryptedrr) client_pinrrr%r&r:s  zEHmacSecretExtension.get_assertion..Processing.prepare_outputsNr]r%rrrrPrQrrr%r& Processings9r) rNr from_dictrrr}rOr_get_shared_secretr=)r$rCrPrQrrr%rr&ris    P z!HmacSecretExtension.get_assertioncC"|r |ddurdSdSdS)NrTrOrrmr%r%r&rUz(HmacSecretExtension.process_create_inputcOs|jj|jd}d|iS)NFr)rrNrrB)r$rsargskwargsrr%r%r&r[sz)HmacSecretExtension.process_create_outputcCs|sdSt|d}|sdS|j|jpdf}t|dtjkr0|dr4t|dtjks4t d|j s;t dt |j |j }| \}|_|j durR|j|_ |j |j|d|d}|j |j|}||||j jdS)NrrrrrrLr)rOr}rrrrrrrrJrHrrQrrrrrr)r$r get_secretrrrrrr%r%r&re s0 z%HmacSecretExtension.process_get_inputcOs\|jj|j}|jdusJ|j|j|}|dtj}|tjdp&d}dt ||iS)Nr) rrNrrBrQrrrrr)r$rxrrrrrrr%r%r&rf)s z&HmacSecretExtension.process_get_output)NNF)r(r)r*r+rBrr'rcrirUr[rerf __classcell__r%r%rr&ros  ` rc@s6eZdZUdZdZded<dZded<dZded<dS) &AuthenticatorExtensionsLargeBlobInputszClient inputs for largeBlob.Nz Optional[str]supportrreadr/write)r(r)r*r+rrgrrr%r%r%r&r3   rc@s6eZdZUdZdZded<dZded<dZded<dS)'AuthenticatorExtensionsLargeBlobOutputszClient outputs for largeBlob.Nr supportedr/blobwritten)r(r)r*r+rrgrrr%r%r%r&r<rrcs^eZdZdZdZdfdd ZddZdd Zd d Zd d Z ddZ ddZ ddZ Z S)LargeBlobExtensionz Implements the Large Blob storage (largeBlob) WebAuthn extension. https://www.w3.org/TR/webauthn-3/#sctn-large-blob-extension largeBlobKeyNcs2|p|j}|dus Jt|o|jjddS)N largeBlobsF)rHrrOrMrPrrIrr%r&rONs  zLargeBlobExtension.is_supportedcCsh|jpi}t|d}|r2|js|jrtd|jdkr'||s'tdGdddt }|SdS)N largeBlobInvalid set of parametersrequired1Authenticator does not support large blob storagec@seZdZddZddZdS)z5LargeBlobExtension.make_credential..ProcessorcSrr)rrBr4r%r%r&r5]rzDLargeBlobExtension.make_credential..Processor.prepare_inputscSdt|jdudiSNr)rrlarge_blob_keyr9r%r%r&r:`zELargeBlobExtension.make_credential..Processor.prepare_outputsNr]r%r%r%r&r_\s r_) rNrrrrrrJrrOr-)r$rCrPrQrdatar_r%r%r&rcSs   z"LargeBlobExtension.make_credentialcs|jpi}t|drDjsjrjrtd|s%tdGfdddt }|jr9t j j nt dt jdidSdS) NrrrcseZdZfddZdS)z3LargeBlobExtension.get_assertion..Processorcsf|j}|r/jrt}||}dt|diSjr1t|}||jdtddiSdSdS)NrrTr)rrr get_blobrrput_blob)r$r6r.blob_key large_blobsrrCrrQr%r&r:ss$   zCLargeBlobExtension.get_assertion..Processor.prepare_outputsN)r(r)r*r:r%rr%r&r_rsr_rTr)rNrrrrrrrJrOr=rr,LARGE_BLOB_WRITErrB)r$rCrPrQrr_r%rr&riis   z LargeBlobExtension.get_assertioncCsJt|d}|r#|js|jrtd|jdkr!|s!tddSdS)NrrrrT)rrrrrrJrrOr$rrr%r%r&rUs z'LargeBlobExtension.process_create_inputcOrrr)r$rsrrr%r%r&r[rz(LargeBlobExtension.process_create_outputcCs,t|d}|r|jrtjjStdS)Nrr)rrrrrr,rrr%r%r&rhs  z&LargeBlobExtension.get_get_permissionscCs^t|d}|r-|js|jr|jrtd|std|jr'd|_dS|j|_dSdS)NrrrT) rrrrrrrJrO_actionrr%r%r&resz$LargeBlobExtension.process_get_inputcCsn|j}|r3|jdurt|j}||}dt|diS|jr5t|j||}|||jdtddiSdSdS)NTrrr)rrr rCrrr)r$rxrtrQrrrr%r%r&rfs    z%LargeBlobExtension.process_get_outputr!)r(r)r*r+rBrOrcrirUr[rhrerfrr%r%rr&rEs(  rc@s4eZdZdZdZddZddZddZd d Zd S) CredBlobExtensionz Implements the Credential Blob (credBlob) CTAP2 extension. https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-credBlob-extension credBlobcCs\|jpi}|r(|d}|jjdusJ|r*t||jjkr,t|j|idSdSdSdS)Nrr)rNrOrrMmax_cred_blob_lengthrr-rB)r$rCrPrQrrr%r%r&rcs  z!CredBlobExtension.make_credentialcCs:|jpi}||r|ddurt|jdidSdSdS)N getCredBlobTr)rNrOrr=rBr$rCrPrQrr%r%r&ris zCredBlobExtension.get_assertioncCsJ|r|d}|jjjdusJ|r!t||jjjkr#|SdSdSdS)Nr)rOrrCrMrr)r$rrr%r%r&rUs z&CredBlobExtension.process_create_inputcCr)NrTrrmr%r%r&rerz#CredBlobExtension.process_get_inputN) r(r)r*r+rBrcrirUrer%r%r%r&rs rc@s8eZdZdZeGdddeZdZddZddZ d S) CredProtectExtensionz Implements the Credential Protection CTAP2 extension. https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-credProtect-extension c@seZdZdZdZdZdS)zCredProtectExtension.POLICYuserVerificationOptional,userVerificationOptionalWithCredentialIDListuserVerificationRequiredN)r(r)r*OPTIONALOPTIONAL_WITH_LISTREQUIREDr%r%r%r&POLICYsr credProtectcCsp|jpi}|d}|r6ttjt|}|dd}|r,||s,|dkr,tdt|j |didSdS)NcredentialProtectionPolicy!enforceCredentialProtectionPolicyFr4Authenticator does not support Credential Protectionrr) rNrlistrrindexrOrJr-rB)r$rCrPrQrpolicyrenforcer%r%r&rcs    z$CredProtectExtension.make_credentialcCsX|d}|r*ttjt|}|dd}|r&|s&|dkr&td|dSdS)NrrFrrr)rrrrrrOrJ)r$rrrrr%r%r&rUs   z)CredProtectExtension.process_create_inputN) r(r)r*r+rrrrBrcrUr%r%r%r&rs rc@s.eZdZdZdZd ddZddZdd ZdS) MinPinLengthExtensionz Implements the Minimum PIN Length (minPinLength) CTAP2 extension. https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-minpinlength-extension minPinLengthNcCs"|p|j}|dus Jd|jjvS)NsetMinPINLength)rHrMrPrIr%r%r&rOs   z"MinPinLengthExtension.is_supportedcCs<|jpi}||r||jdurt|jdidSdSdS)NTr)rNrOrrBr-rr%r%r&rcs z%MinPinLengthExtension.make_credentialcCs$|r||jdurdSdSdSr)rOrrBrmr%r%r&rU$sz*MinPinLengthExtension.process_create_inputr!)r(r)r*r+rBrOrcrUr%r%r%r&rs   rc@seZdZUdZdZded<dS)CredentialPropertiesOutputzClient outputs for credProps.Nrrk)r(r)r*r+r rgr%r%r%r&r)s rc@s&eZdZdZdZdddZddZdS) CredPropsExtensionz Implements the Credential Properties (credProps) WebAuthn extension. https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension credPropsNcCrnrr%rIr%r%r&rO9szCredPropsExtension.is_supportedcCsf|jpi}||jdur1|jpt}|jtjkp%|jtjko%|j j d}t |jt |didSdS)NTr )r )r ) rNrrBauthenticator_selectionr resident_keyrr PREFERREDrMrPr-r)r$rCrPrQr selectionr r%r%r&rc<s     z"CredPropsExtension.make_credentialr!)r(r)r*r+rBrOrcr%r%r%r&r 0s   r )6 __future__rbaserrrpinrrrr utilsr r r webauthnrrrrrenumrr dataclassesrtypingrrrrrabcrEABCrr-r=r@r}rrrrrrrrrrrrrr r%r%r%r&sP    M     E ~#)