Compare commits
No commits in common. "342bf9fb410fc50ca8f226e64d941e704dce3e16" and "4abe754fac2bdde696f322d112fb2a2a0f170ce8" have entirely different histories.
342bf9fb41
...
4abe754fac
144
credblobex.py
144
credblobex.py
@ -1,144 +0,0 @@
|
|||||||
# Copyright (c) 2018 Yubico AB
|
|
||||||
# All rights reserved.
|
|
||||||
#
|
|
||||||
# Redistribution and use in source and binary forms, with or
|
|
||||||
# without modification, are permitted provided that the following
|
|
||||||
# conditions are met:
|
|
||||||
#
|
|
||||||
# 1. Redistributions of source code must retain the above copyright
|
|
||||||
# notice, this list of conditions and the following disclaimer.
|
|
||||||
# 2. Redistributions in binary form must reproduce the above
|
|
||||||
# copyright notice, this list of conditions and the following
|
|
||||||
# disclaimer in the documentation and/or other materials provided
|
|
||||||
# with the distribution.
|
|
||||||
#
|
|
||||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
||||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
||||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
||||||
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
||||||
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
||||||
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
||||||
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
||||||
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
||||||
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
||||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
|
||||||
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
||||||
# POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
|
|
||||||
"""
|
|
||||||
Connects to the first FIDO device found (starts from USB, then looks into NFC),
|
|
||||||
creates a new credential for it, and authenticates the credential.
|
|
||||||
This works with both FIDO 2.0 devices as well as with U2F devices.
|
|
||||||
On Windows, the native WebAuthn API will be used.
|
|
||||||
"""
|
|
||||||
from fido2.hid import CtapHidDevice
|
|
||||||
from fido2.client import Fido2Client, WindowsClient, UserInteraction
|
|
||||||
from fido2.server import Fido2Server
|
|
||||||
from getpass import getpass
|
|
||||||
import sys
|
|
||||||
import ctypes
|
|
||||||
|
|
||||||
try:
|
|
||||||
from fido2.pcsc import CtapPcscDevice
|
|
||||||
except ImportError:
|
|
||||||
CtapPcscDevice = None
|
|
||||||
|
|
||||||
|
|
||||||
def enumerate_devices():
|
|
||||||
for dev in CtapHidDevice.list_devices():
|
|
||||||
yield dev
|
|
||||||
if CtapPcscDevice:
|
|
||||||
for dev in CtapPcscDevice.list_devices():
|
|
||||||
yield dev
|
|
||||||
|
|
||||||
|
|
||||||
# Handle user interaction
|
|
||||||
class CliInteraction(UserInteraction):
|
|
||||||
def prompt_up(self):
|
|
||||||
print("\nTouch your authenticator device now...\n")
|
|
||||||
|
|
||||||
def request_pin(self, permissions, rd_id):
|
|
||||||
return getpass("Enter PIN: ")
|
|
||||||
|
|
||||||
def request_uv(self, permissions, rd_id):
|
|
||||||
print("User Verification required.")
|
|
||||||
return True
|
|
||||||
|
|
||||||
|
|
||||||
uv = "discouraged"
|
|
||||||
|
|
||||||
if WindowsClient.is_available() and not ctypes.windll.shell32.IsUserAnAdmin():
|
|
||||||
# Use the Windows WebAuthn API if available, and we're not running as admin
|
|
||||||
client = WindowsClient("https://example.com")
|
|
||||||
else:
|
|
||||||
# Locate a device
|
|
||||||
for dev in enumerate_devices():
|
|
||||||
client = Fido2Client(
|
|
||||||
dev, "https://example.com", user_interaction=CliInteraction()
|
|
||||||
)
|
|
||||||
if client.info.options.get("rk"):
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
print("No Authenticator with support for resident key found!")
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
# Prefer UV if supported
|
|
||||||
if client.info.options.get("uv"):
|
|
||||||
uv = "preferred"
|
|
||||||
print("Authenticator supports User Verification")
|
|
||||||
|
|
||||||
|
|
||||||
server = Fido2Server({"id": "example.com", "name": "Example RP"}, attestation="direct")
|
|
||||||
|
|
||||||
user = {"id": b"user_id", "name": "A. User"}
|
|
||||||
|
|
||||||
# Prepare parameters for makeCredential
|
|
||||||
create_options, state = server.register_begin(
|
|
||||||
user,
|
|
||||||
resident_key_requirement="required",
|
|
||||||
user_verification=uv,
|
|
||||||
authenticator_attachment="cross-platform",
|
|
||||||
)
|
|
||||||
|
|
||||||
# Create a credential
|
|
||||||
result = client.make_credential(create_options["publicKey"])
|
|
||||||
|
|
||||||
|
|
||||||
# Complete registration
|
|
||||||
auth_data = server.register_complete(
|
|
||||||
state, result.client_data, result.attestation_object
|
|
||||||
)
|
|
||||||
credentials = [auth_data.credential_data]
|
|
||||||
|
|
||||||
print("New credential created!")
|
|
||||||
|
|
||||||
print("CLIENT DATA:", result.client_data)
|
|
||||||
print("ATTESTATION OBJECT:", result.attestation_object)
|
|
||||||
print()
|
|
||||||
print("CREDENTIAL DATA:", auth_data.credential_data)
|
|
||||||
|
|
||||||
|
|
||||||
# Prepare parameters for getAssertion
|
|
||||||
request_options, state = server.authenticate_begin(user_verification=uv)
|
|
||||||
|
|
||||||
# Authenticate the credential
|
|
||||||
selection = client.get_assertion(request_options["publicKey"])
|
|
||||||
result = selection.get_response(0) # There may be multiple responses, get the first.
|
|
||||||
|
|
||||||
print("USER ID:", result.user_handle)
|
|
||||||
|
|
||||||
# Complete authenticator
|
|
||||||
server.authenticate_complete(
|
|
||||||
state,
|
|
||||||
credentials,
|
|
||||||
result.credential_id,
|
|
||||||
result.client_data,
|
|
||||||
result.authenticator_data,
|
|
||||||
result.signature,
|
|
||||||
)
|
|
||||||
|
|
||||||
print("Credential authenticated!")
|
|
||||||
|
|
||||||
print("CLIENT DATA:", result.client_data)
|
|
||||||
print()
|
|
||||||
print("AUTHENTICATOR DATA:", result.authenticator_data)
|
|
137
credentailsex.py
137
credentailsex.py
@ -1,137 +0,0 @@
|
|||||||
# Copyright (c) 2018 Yubico AB
|
|
||||||
# All rights reserved.
|
|
||||||
#
|
|
||||||
# Redistribution and use in source and binary forms, with or
|
|
||||||
# without modification, are permitted provided that the following
|
|
||||||
# conditions are met:
|
|
||||||
#
|
|
||||||
# 1. Redistributions of source code must retain the above copyright
|
|
||||||
# notice, this list of conditions and the following disclaimer.
|
|
||||||
# 2. Redistributions in binary form must reproduce the above
|
|
||||||
# copyright notice, this list of conditions and the following
|
|
||||||
# disclaimer in the documentation and/or other materials provided
|
|
||||||
# with the distribution.
|
|
||||||
#
|
|
||||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
||||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
||||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
||||||
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
||||||
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
||||||
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
|
||||||
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
||||||
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
||||||
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
||||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
|
||||||
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
||||||
# POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
|
|
||||||
"""
|
|
||||||
Connects to the first FIDO device found (starts from USB, then looks into NFC),
|
|
||||||
creates a new credential for it, and authenticates the credential.
|
|
||||||
This works with both FIDO 2.0 devices as well as with U2F devices.
|
|
||||||
On Windows, the native WebAuthn API will be used.
|
|
||||||
"""
|
|
||||||
from fido2.hid import CtapHidDevice
|
|
||||||
from fido2.client import Fido2Client, WindowsClient, UserInteraction
|
|
||||||
from fido2.server import Fido2Server
|
|
||||||
from getpass import getpass
|
|
||||||
import sys
|
|
||||||
import ctypes
|
|
||||||
|
|
||||||
|
|
||||||
# Handle user interaction
|
|
||||||
class CliInteraction(UserInteraction):
|
|
||||||
def prompt_up(self):
|
|
||||||
print("\nTouch your authenticator device now...\n")
|
|
||||||
|
|
||||||
def request_pin(self, permissions, rd_id):
|
|
||||||
return getpass("Enter PIN: ")
|
|
||||||
|
|
||||||
def request_uv(self, permissions, rd_id):
|
|
||||||
print("User Verification required.")
|
|
||||||
return True
|
|
||||||
|
|
||||||
|
|
||||||
uv = "discouraged"
|
|
||||||
|
|
||||||
if WindowsClient.is_available() and not ctypes.windll.shell32.IsUserAnAdmin():
|
|
||||||
# Use the Windows WebAuthn API if available, and we're not running as admin
|
|
||||||
client = WindowsClient("https://example.com")
|
|
||||||
else:
|
|
||||||
# Locate a device
|
|
||||||
dev = next(CtapHidDevice.list_devices(), None)
|
|
||||||
if dev is not None:
|
|
||||||
print("Use USB HID channel.")
|
|
||||||
else:
|
|
||||||
try:
|
|
||||||
from fido2.pcsc import CtapPcscDevice
|
|
||||||
|
|
||||||
dev = next(CtapPcscDevice.list_devices(), None)
|
|
||||||
print("Use NFC channel.")
|
|
||||||
except Exception as e:
|
|
||||||
print("NFC channel search error:", e)
|
|
||||||
|
|
||||||
if not dev:
|
|
||||||
print("No FIDO device found")
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
# Set up a FIDO 2 client using the origin https://example.com
|
|
||||||
client = Fido2Client(dev, "https://example.com", user_interaction=CliInteraction())
|
|
||||||
|
|
||||||
# Prefer UV if supported and configured
|
|
||||||
if client.info.options.get("uv") or client.info.options.get("pinUvAuthToken"):
|
|
||||||
uv = "preferred"
|
|
||||||
print("Authenticator supports User Verification")
|
|
||||||
|
|
||||||
|
|
||||||
server = Fido2Server({"id": "example.com", "name": "Example RP"}, attestation="direct")
|
|
||||||
|
|
||||||
user = {"id": b"user_id", "name": "A. User"}
|
|
||||||
|
|
||||||
|
|
||||||
# Prepare parameters for makeCredential
|
|
||||||
create_options, state = server.register_begin(
|
|
||||||
user, user_verification=uv, authenticator_attachment="cross-platform"
|
|
||||||
)
|
|
||||||
|
|
||||||
# Create a credential
|
|
||||||
result = client.make_credential(create_options["publicKey"])
|
|
||||||
|
|
||||||
# Complete registration
|
|
||||||
auth_data = server.register_complete(
|
|
||||||
state, result.client_data, result.attestation_object
|
|
||||||
)
|
|
||||||
credentials = [auth_data.credential_data]
|
|
||||||
|
|
||||||
print("New credential created!")
|
|
||||||
|
|
||||||
print("CLIENT DATA:", result.client_data)
|
|
||||||
print("ATTESTATION OBJECT:", result.attestation_object)
|
|
||||||
print()
|
|
||||||
print("CREDENTIAL DATA:", auth_data.credential_data)
|
|
||||||
|
|
||||||
|
|
||||||
# Prepare parameters for getAssertion
|
|
||||||
request_options, state = server.authenticate_begin(credentials, user_verification=uv)
|
|
||||||
|
|
||||||
# Authenticate the credential
|
|
||||||
result = client.get_assertion(request_options["publicKey"])
|
|
||||||
|
|
||||||
# Only one cred in allowCredentials, only one response.
|
|
||||||
result = result.get_response(0)
|
|
||||||
|
|
||||||
# Complete authenticator
|
|
||||||
server.authenticate_complete(
|
|
||||||
state,
|
|
||||||
credentials,
|
|
||||||
result.credential_id,
|
|
||||||
result.client_data,
|
|
||||||
result.authenticator_data,
|
|
||||||
result.signature,
|
|
||||||
)
|
|
||||||
|
|
||||||
print("Credential authenticated!")
|
|
||||||
|
|
||||||
print("CLIENT DATA:", result.client_data)
|
|
||||||
print()
|
|
||||||
print("AUTH DATA:", result.authenticator_data)
|
|
Loading…
Reference in New Issue
Block a user