Merge pull request #9 from dany74q/upgrade-to-fido-1.0.0

Upgrade to fido2 1.0.0, add support for Python 3.10 by migrating winrt -> winsdk

Author: dany74q

.github/workflows/CD-pre-release.yml

@@ -17,10 +17,10 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v2
-      - name: Set up Python 3.9
+      - name: Set up Python 3.10
         uses: actions/setup-python@v2
         with:
-          python-version: 3.9
+          python-version: '3.10'
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip

.github/workflows/CD.yml

@@ -17,10 +17,10 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v2
-      - name: Set up Python 3.9
+      - name: Set up Python 3.10
         uses: actions/setup-python@v2
         with:
-          python-version: 3.9
+          python-version: '3.10'
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip

.github/workflows/CI.yml

@@ -15,7 +15,7 @@ jobs:
       max-parallel: 12
       matrix:
         os: [macos-latest, windows-latest, ubuntu-latest]
-        python-version: [3.6, 3.7, 3.8, 3.9]
+        python-version: ['3.7', '3.8', '3.9', '3.10']
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python ${{ matrix.python-version }}

.pre-commit-config.yaml

@@ -1,9 +1,9 @@
 default_language_version:
-  python: python3.6
+  python: python3.7
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.2.0
+    rev: v4.3.0
     hooks:
       - id: check-added-large-files
       - id: check-ast
@@ -13,6 +13,6 @@ repos:
       - id: trailing-whitespace
       - id: fix-encoding-pragma
   - repo: https://github.com/psf/black
-    rev: 20.8b1
+    rev: 21.12b0
     hooks:
       - id: black

.readthedocs.yml

@@ -4,6 +4,6 @@ sphinx:
   configuration: docs/conf.py
 
 python:
-  version: 3.8
+  version: '3.8'
   install:
   - requirements: docs/requirements.txt

CHANGES.rst

@@ -1,4 +1,11 @@
+2.0
+====
+This release contains breaking changes for dependents on fido2 <= v1.0.0:
+- Bumped min Python version from 3.6 to 3.7
+- Upgraded to fido2 v1.0.0, which had numerous breaking changes
+- Migrated from winrt to winsdk to support Python 3.10
+
 1.0
 ===
 
-Initial release based on Keyring 21.4.0.
+Initial release based on Keyring 21.4.0.

ctap_keyring_device/ctap_credential_maker.py

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-from typing import Type
+from typing import Type, Union
 from uuid import uuid4, uuid5, NAMESPACE_OID
 
 from fido2.cose import CoseKey
@@ -9,12 +9,12 @@
 
 
 class CtapCredentialMaker:
-    """ This class makes a new credential (key-pair) from the given COSE key type """
+    """This class makes a new credential (key-pair) from the given COSE key type"""
 
     def __init__(self, cose_key_cls: Type[CoseKey]):
         self._cose_key_cls = cose_key_cls
 
-    def make_credential(self, user_id: str) -> Credential:
+    def make_credential(self, user_id: Union[str, bytes]) -> Credential:
         """
         Generates a new credential, with a 32-byte id consisting of:
         - uuid5(NAMESPACE_OID, user_id)
@@ -25,6 +25,9 @@ def make_credential(self, user_id: str) -> Credential:
         """
         assert user_id
 
+        if isinstance(user_id, bytes):
+            user_id = user_id.decode('utf-8')
+
         private_key = CtapPrivateKeyWrapper.create(self._cose_key_cls)
         key_password = uuid4().bytes
         user_uuid = uuid5(NAMESPACE_OID, user_id).bytes

ctap_keyring_device/ctap_keyring_device.py

@@ -4,7 +4,7 @@
 from hashlib import sha256
 from threading import Event
 from types import FunctionType
-from typing import List, Optional
+from typing import List, Optional, Mapping, Any
 
 import keyring
 from cryptography.hazmat.primitives import serialization
@@ -15,13 +15,11 @@
 from fido2 import webauthn
 from fido2.attestation import PackedAttestation
 from fido2.ctap import CtapError
-from fido2.ctap2 import (
+from fido2.ctap2 import AssertionResponse, AttestationResponse, Info
+from fido2.webauthn import (
+    Aaguid,
     AttestedCredentialData,
     AuthenticatorData,
-    AttestationObject,
-    AssertionResponse,
-)
-from fido2.webauthn import (
     PublicKeyCredentialDescriptor,
     PublicKeyCredentialType,
     PublicKeyCredentialUserEntity,
@@ -71,27 +69,28 @@ class CtapKeyringDevice(ctap.CtapDevice):
 
     SUPPORTED_CTAP_VERSIONS = ['FIDO_2_0']
     MAX_MSG_SIZE = 1 << 20
-    AAGUID = b'pasten-ctap-1337'
+    AAGUID = Aaguid(b'pasten-ctap-1337')
 
     def __init__(self):
-        self.capabilities = hid.CAPABILITY.CBOR
-
         self._ctap2_cmd_to_handler = {
             ctap2.Ctap2.CMD.MAKE_CREDENTIAL: self.make_credential,
             ctap2.Ctap2.CMD.GET_ASSERTION: self.get_assertion,
             ctap2.Ctap2.CMD.GET_NEXT_ASSERTION: self.get_next_assertion,
             ctap2.Ctap2.CMD.GET_INFO: self.get_info,
         }
 
-        self._info = ctap2.Info.create(
-            self.SUPPORTED_CTAP_VERSIONS,
+        self._info = Info(
+            versions=self.SUPPORTED_CTAP_VERSIONS,
+            extensions=[],
             aaguid=self.AAGUID,
             options={
                 CtapOptions.PLATFORM_DEVICE: True,
                 CtapOptions.RESIDENT_KEY: True,
                 CtapOptions.USER_PRESENCE: True,
                 CtapOptions.USER_VERIFICATION: True,
+                CtapOptions.CLIENT_PIN: True,
             },
+            pin_uv_protocols=[ctap2.PinProtocolV2.VERSION],
             max_msg_size=self.MAX_MSG_SIZE,
             transports=[webauthn.AuthenticatorTransport.INTERNAL],
             algorithms=cose.CoseKey.supported_algorithms(),
@@ -100,6 +99,10 @@ def __init__(self):
         self._next_assertions_ctx: Optional[CtapGetNextAssertionContext] = None
         self._user_verifier = CtapUserVerifierFactory.create()
 
+    @property
+    def capabilities(self) -> int:
+        return hid.CAPABILITY.CBOR
+
     @classmethod
     def list_devices(cls):
         if isinstance(keyring.get_keyring(), FailKeyring):
@@ -117,7 +120,7 @@ def call(
         # noinspection PyBroadException
         try:
             res = self._call(cmd, data, event, on_keepalive)
-            return self._wrap_err_code(CtapError.ERR.SUCCESS) + res
+            return self._wrap_err_code(CtapError.ERR.SUCCESS) + cbor.encode(res)
         except CtapError as e:
             return self._wrap_err_code(e.code)
         except Exception:
@@ -147,7 +150,7 @@ def _call(
 
         # noinspection PyBroadException
         try:
-            ctap2_req: dict = cbor.decode(data[1:])
+            ctap2_req: Mapping[Any, Any] = cbor.decode(data[1:])
         except Exception:
             raise CtapError(CtapError.ERR.INVALID_CBOR)
 
@@ -161,10 +164,10 @@ def _call(
     def _wrap_err_code(err: CtapError.ERR) -> bytes:
         return err.to_bytes(1, 'big')
 
-    def get_info(self) -> ctap2.Info:
+    def get_info(self) -> Info:
         return self._info
 
-    def make_credential(self, make_credential_request: dict) -> AttestationObject:
+    def make_credential(self, make_credential_request: dict) -> AttestationResponse:
         # noinspection PyBroadException
         request = CtapMakeCredentialRequest.create(make_credential_request)
         if (
@@ -189,10 +192,10 @@ def make_credential(self, make_credential_request: dict) -> AttestationObject:
         )
 
         attestation_statement = {'alg': cred.algorithm, 'sig': signature}
-        attestation_object = AttestationObject.create(
+        attestation_response = AttestationResponse(
             PackedAttestation.FORMAT, authenticator_data, attestation_statement
         )
-        return attestation_object
+        return attestation_response
 
     @classmethod
     def _create_credential(cls, request: CtapMakeCredentialRequest) -> Credential:
@@ -343,12 +346,18 @@ def _get_assertion(
         signature = self._generate_signature(
             authenticator_data, request.client_data_hash, cred.private_key
         )
-        response = AssertionResponse.create(
-            PublicKeyCredentialDescriptor(PublicKeyCredentialType.PUBLIC_KEY, cred.id),
+        response = AssertionResponse(
+            PublicKeyCredentialDescriptor(
+                PublicKeyCredentialType.PUBLIC_KEY,
+                cred.id,
+                transports=[webauthn.AuthenticatorTransport.INTERNAL],
+            ).__dict__,
             authenticator_data,
             signature,
-            user=PublicKeyCredentialUserEntity(cred.user_id, name=''),
-            n_creds=len(ctx.creds),
+            user=PublicKeyCredentialUserEntity(
+                name='', id=cred.user_id.encode('utf-8'), display_name=''
+            ).__dict__,
+            number_of_credentials=len(ctx.creds),
         )
         return response
 

ctap_keyring_device/ctap_private_key_wrapper.py

@@ -18,18 +18,18 @@ class CtapPrivateKeyWrapper(metaclass=abc.ABCMeta):
 
     @abc.abstractmethod
     def get_key(self):
-        """ Returns the wrapped private key """
+        """Returns the wrapped private key"""
         raise NotImplementedError()
 
     @abc.abstractmethod
     def sign(self, data: bytes) -> bytes:
-        """ Signs the given data according to the algorithm """
+        """Signs the given data according to the algorithm"""
         raise NotImplementedError()
 
     @classmethod
     @abc.abstractmethod
     def get_algorithm(cls) -> int:
-        """ One of COSE defined algorithms, see https://www.iana.org/assignments/cose/cose.xhtml """
+        """One of COSE defined algorithms, see https://www.iana.org/assignments/cose/cose.xhtml"""
         raise NotImplementedError()
 
     def get_public_key(self):
@@ -63,7 +63,7 @@ def create(
 
 
 class CtapEs256PrivateKeyWrapper(CtapPrivateKeyWrapper):
-    """ ES256 (ECDSA w/ SHA-256) """
+    """ES256 (ECDSA w/ SHA-256)"""
 
     def __init__(self, key: ec.EllipticCurvePrivateKey = None):
         self._key = key or ec.generate_private_key(curve=ec.SECP256R1())
@@ -90,7 +90,7 @@ def get_key(self):
 
 
 class CtapRs256KeyGeneratorSigner(CtapRsaPrivateKeyWrapper):
-    """ RS256 (RSASSA-PKCS1-v1_5 w/ SHA-256) """
+    """RS256 (RSASSA-PKCS1-v1_5 w/ SHA-256)"""
 
     def sign(self, data: bytes) -> bytes:
         return self._key.sign(data, padding.PKCS1v15(), hashes.SHA256())
@@ -101,7 +101,7 @@ def get_algorithm(cls) -> int:
 
 
 class CtapRs1PrivateKeyWrapper(CtapRsaPrivateKeyWrapper):
-    """ RS1 (RSASSA-PKCS1-v1_5 w/ SHA-1) """
+    """RS1 (RSASSA-PKCS1-v1_5 w/ SHA-1)"""
 
     def sign(self, data: bytes) -> bytes:
         return self._key.sign(data, padding.PKCS1v15(), hashes.SHA1())
@@ -112,7 +112,7 @@ def get_algorithm(cls) -> int:
 
 
 class CtapPs256PrivateKeyWrapper(CtapRsaPrivateKeyWrapper):
-    """ PS256 (RSASSA-PSS w/ SHA-256) """
+    """PS256 (RSASSA-PSS w/ SHA-256)"""
 
     def sign(self, data: bytes) -> bytes:
         return self._key.sign(
@@ -129,7 +129,7 @@ def get_algorithm(cls) -> int:
 
 
 class CtapEdDsaPrivateKeyWrapper(CtapPrivateKeyWrapper):
-    """ EDDSA (Edwards-Curve DSA) """
+    """EDDSA (Edwards-Curve DSA)"""
 
     def __init__(self, key: Ed25519PrivateKey = None):
         self._key = key or ed25519.Ed25519PrivateKey.generate()

ctap_keyring_device/ctap_strucs.py

@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 import base64
+from timeit import default_timer as timer
 from typing import List
 
 from cryptography.hazmat.primitives import serialization
@@ -14,8 +15,6 @@
 
 from ctap_keyring_device.ctap_private_key_wrapper import CtapPrivateKeyWrapper
 
-from timeit import default_timer as timer
-
 
 class CtapOptions:
     PLATFORM_DEVICE = 'plat'
@@ -26,7 +25,7 @@ class CtapOptions:
 
 
 class Credential:
-    """ Represents a ctap-saved credential - with a credential id, private key, and a COSE algorithm. """
+    """Represents a ctap-saved credential - with a credential id, private key, and a COSE algorithm."""
 
     def __init__(self, credential_id: bytes, private_key: CtapPrivateKeyWrapper):
         self.id = credential_id
@@ -72,7 +71,7 @@ def encoded(self) -> str:
 
 
 class CtapMakeCredentialRequest:
-    """ Represents the cbor encoded MAKE_CREDENTIAL request """
+    """Represents the cbor encoded MAKE_CREDENTIAL request"""
 
     CLIENT_DATA_HASH_KEY = 1
     RP_KEY = 2
@@ -119,16 +118,16 @@ def create(cls, make_credential_request: dict):
         # noinspection PyProtectedMember
         return CtapMakeCredentialRequest(
             client_data_hash=make_credential_request.get(cls.CLIENT_DATA_HASH_KEY),
-            rp=PublicKeyCredentialRpEntity._wrap(
+            rp=PublicKeyCredentialRpEntity.from_dict(
                 make_credential_request.get(cls.RP_KEY)
             ),
-            user=PublicKeyCredentialUserEntity._wrap(
-                make_credential_request.get(cls.USER_KEY)
+            user=PublicKeyCredentialUserEntity.from_dict(
+                make_credential_request.get(cls.USER_KEY),
             ),
-            public_key_credential_params=PublicKeyCredentialParameters._wrap_list(
+            public_key_credential_params=PublicKeyCredentialParameters._deserialize_list(
                 make_credential_request.get(cls.PUBLIC_KEY_CREDENTIAL_PARAMS_KEY)
             ),
-            exclude_list=PublicKeyCredentialDescriptor._wrap_list(
+            exclude_list=PublicKeyCredentialDescriptor._deserialize_list(
                 make_credential_request.get(cls.EXCLUDE_LIST_KEY)
             ),
             extensions=make_credential_request.get(cls.EXTENSIONS_KEY),
@@ -139,7 +138,7 @@ def create(cls, make_credential_request: dict):
 
 
 class CtapGetAssertionRequest:
-    """ Represents the cbor encoded GET_ASSERTION request """
+    """Represents the cbor encoded GET_ASSERTION request"""
 
     RP_ID_KEY = 1
     CLIENT_DATA_HASH_KEY = 2
@@ -178,7 +177,7 @@ def create(cls, get_assertion_req: dict):
         return CtapGetAssertionRequest(
             rp_id=get_assertion_req.get(cls.RP_ID_KEY),
             client_data_hash=get_assertion_req.get(cls.CLIENT_DATA_HASH_KEY),
-            allow_list=PublicKeyCredentialDescriptor._wrap_list(
+            allow_list=PublicKeyCredentialDescriptor._deserialize_list(
                 get_assertion_req.get(cls.ALLOW_LIST_KEY)
             ),
             extensions=get_assertion_req.get(cls.EXTENSIONS_KEY),