mirror of https://github.com/Yubico/python-fido2
Add enterprise attestation.
This commit is contained in:
parent
70808bd093
commit
abe66f1385
|
@ -43,6 +43,7 @@ from .webauthn import (
|
|||
UserVerificationRequirement,
|
||||
AuthenticatorAttestationResponse,
|
||||
AuthenticatorAssertionResponse,
|
||||
AttestationConveyancePreference,
|
||||
)
|
||||
from .cose import ES256
|
||||
from .rpid import verify_rp_id
|
||||
|
@ -326,12 +327,14 @@ class _Ctap1ClientBackend(_ClientBackend):
|
|||
extensions,
|
||||
rk,
|
||||
user_verification,
|
||||
enterprise_attestation,
|
||||
event,
|
||||
):
|
||||
if (
|
||||
rk
|
||||
or user_verification == UserVerificationRequirement.REQUIRED
|
||||
or ES256.ALGORITHM not in [p.alg for p in key_params]
|
||||
or enterprise_attestation
|
||||
):
|
||||
raise CtapError(CtapError.ERR.UNSUPPORTED_OPTION)
|
||||
|
||||
|
@ -553,6 +556,7 @@ class _Ctap2ClientBackend(_ClientBackend):
|
|||
extensions,
|
||||
rk,
|
||||
user_verification,
|
||||
enterprise_attestation,
|
||||
event,
|
||||
):
|
||||
if exclude_list:
|
||||
|
@ -609,6 +613,7 @@ class _Ctap2ClientBackend(_ClientBackend):
|
|||
options,
|
||||
pin_auth,
|
||||
pin_protocol.VERSION if pin_protocol else None,
|
||||
enterprise_attestation,
|
||||
event=event,
|
||||
on_keepalive=on_keepalive,
|
||||
)
|
||||
|
@ -717,6 +722,9 @@ class Fido2Client(WebAuthnClient, _BaseClient):
|
|||
):
|
||||
super().__init__(origin, verify)
|
||||
|
||||
# TODO: Decide how to configure this list.
|
||||
self._enterprise_rpid_list: Optional[Sequence[str]] = None
|
||||
|
||||
try:
|
||||
self._backend: _ClientBackend = _Ctap2ClientBackend(
|
||||
device, user_interaction, extension_types
|
||||
|
@ -769,6 +777,16 @@ class Fido2Client(WebAuthnClient, _BaseClient):
|
|||
)
|
||||
|
||||
selection = options.authenticator_selection or AuthenticatorSelectionCriteria()
|
||||
enterprise_attestation = None
|
||||
if options.attestation == AttestationConveyancePreference.ENTERPRISE:
|
||||
if self.info.options.get("ep"):
|
||||
if self._enterprise_rpid_list is not None:
|
||||
# Platform facilitated
|
||||
if rp.id in self._enterprise_rpid_list:
|
||||
enterprise_attestation = 2
|
||||
else:
|
||||
# Vendor facilitated
|
||||
enterprise_attestation = 1
|
||||
|
||||
try:
|
||||
return self._backend.do_make_credential(
|
||||
|
@ -780,6 +798,7 @@ class Fido2Client(WebAuthnClient, _BaseClient):
|
|||
options.extensions,
|
||||
selection.require_resident_key,
|
||||
selection.user_verification,
|
||||
enterprise_attestation,
|
||||
event,
|
||||
)
|
||||
except CtapError as e:
|
||||
|
|
|
@ -337,6 +337,7 @@ class Ctap2:
|
|||
options: Optional[Mapping[str, Any]] = None,
|
||||
pin_uv_param: Optional[bytes] = None,
|
||||
pin_uv_protocol: Optional[int] = None,
|
||||
enterprise_attestation: Optional[int] = None,
|
||||
*,
|
||||
event: Optional[Event] = None,
|
||||
on_keepalive: Optional[Callable[[int], None]] = None,
|
||||
|
@ -371,6 +372,7 @@ class Ctap2:
|
|||
options,
|
||||
pin_uv_param,
|
||||
pin_uv_protocol,
|
||||
enterprise_attestation,
|
||||
),
|
||||
event=event,
|
||||
on_keepalive=on_keepalive,
|
||||
|
|
|
@ -96,6 +96,13 @@ class Config:
|
|||
pin_uv_param = None
|
||||
return self.ctap.config(sub_cmd, params, pin_uv_protocol, pin_uv_param)
|
||||
|
||||
def enable_enterprise_attestation(self) -> None:
|
||||
"""Enables Enterprise Attestation.
|
||||
|
||||
If already enabled, this command is ignored.
|
||||
"""
|
||||
self._call(Config.CMD.ENABLE_ENTERPRISE_ATT)
|
||||
|
||||
def toggle_always_uv(self) -> None:
|
||||
"""Toggle the alwaysUV setting.
|
||||
|
||||
|
|
|
@ -153,6 +153,7 @@ class TestFido2Client(unittest.TestCase):
|
|||
None,
|
||||
None,
|
||||
None,
|
||||
None,
|
||||
event=mock.ANY,
|
||||
on_keepalive=mock.ANY,
|
||||
)
|
||||
|
|
Loading…
Reference in New Issue