FIDO Alliance Metadata Service in a package

Navigation

Verified details

These details have been verified by PyPI
Project links
Owner
GitHub Statistics

Unverified details

These details have not been verified by PyPI
Meta
Classifiers
Report project as malware

Project description

python-fido-mds

FIDO Alliance Metadata Service (MDS) in a Python package with WebAuthn attestation verification.

License Python

Overview

This package provides:

  • FIDO Metadata Service (MDS) - Bundled and regularly updated FIDO Alliance authenticator metadata
  • Attestation Verification - Comprehensive WebAuthn attestation format support
  • Type Safety - Full Pydantic models for type-safe metadata and attestation handling
  • Production Ready - Used in production environments for WebAuthn authentication

Features

FIDO Metadata Service

  • Regularly updated authenticator metadata from FIDO Alliance
  • Certificate chain verification
  • Metadata statement validation
  • Support for status reports

Attestation Format Support

  • Android Key - Complete KeyMint 4.0+ implementation with security validations

From python-fido2:

  • Packed - Standard packed attestation format
  • TPM - Trusted Platform Module attestation
  • Android SafetyNet - Legacy Android attestation (via fido2 library)
  • Apple Anonymous - Apple device attestation
  • FIDO U2F - Universal 2nd Factor attestation
  • None - Self attestation

Installation

pip install fido-mds

Development Installation

# Clone the repository
git clone https://github.com/SUNET/python-fido-mds.git
cd python-fido-mds

# Create and activate virtual environment
python3 -m venv .venv
source .venv/bin/activate  # On Windows: venv\Scripts\activate

# Install in editable mode with development dependencies
pip install -e ".[dev]"

# Or using uv (faster)
uv pip install -e ".[dev]"

# Verify installation
pytest src
make reformat
make typecheck

This installs:

  • All runtime dependencies (fido2, pydantic, cryptography, pyOpenSSL, asn1crypto)
  • All development tools (pytest, pytest-cov, ruff, mypy)

Quick Start

Basic Attestation Verification

from fido_mds import FidoMetadataStore
from fido_mds.models.webauthn import Attestation
from fido2.utils import websafe_decode

# Initialize metadata store
mds = FidoMetadataStore()

# Parse attestation object and client data
attestation = Attestation.from_base64(attestation_object_b64)
client_data = websafe_decode(client_data_b64)

# Verify attestation
try:
    result = mds.verify_attestation(attestation, client_data)
    print(f"✅ Attestation verified: {result}")
except Exception as e:
    print(f"❌ Verification failed: {e}")

Android Key Attestation

from fido_mds.models.attestation import AndroidKeyAttestation
import hashlib

# Create verifier
verifier = AndroidKeyAttestation()

# Prepare data
client_data_hash = hashlib.sha256(client_data).digest()

# Verify
result = verifier.verify(
    statement=attestation.attestation_obj.att_stmt,
    auth_data=attestation.attestation_obj.auth_data,
    client_data_hash=client_data_hash
)

Documentation

  • DEVELOPMENT.md - Comprehensive development guide including:
    • Setup and installation
    • Development workflow
    • Testing guidelines
    • Code quality standards
    • Architecture overview
    • Special LLM section for AI-assisted development

Architecture

fido-mds/
├── models/
│   ├── attestation.py    # Attestation format implementations
│   ├── fido_mds.py       # FIDO MDS models
│   └── webauthn.py       # WebAuthn models
├── data/                 # Bundled metadata
├── tests/                # Test suite
│   ├── data.py          # Test attestation objects
│   └── test_*.py        # Test modules
├── helpers.py           # Utility functions
└── metadata_store.py    # Main API

Requirements

  • Python 3.10 or higher (tested with 3.13.3)
  • fido2 >= 2.0.0
  • pydantic >= 2.0
  • cryptography
  • pyOpenSSL
  • asn1crypto (for Android Key attestation)

Development

Running Tests

# Activate virtualenv
source /path/to/virtualenv/bin/activate

# Run all tests
make test

# Run specific test
pytest src/fido_mds/tests/test_verify.py -v

Code Quality

# Format code
make reformat

# Type checking
make typecheck

# Run all checks
make reformat && make typecheck && make test

See DEVELOPMENT.md for detailed development guidelines.

WebAuthn Specification Compliance

This package implements attestation verification according to:

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes with tests
  4. Run all quality checks (make reformat && make typecheck && make test)
  5. Submit a pull request

See DEVELOPMENT.md for detailed contribution guidelines.

Testing

The test suite includes real attestation objects from various authenticators:

  • Android Key: Google Pixel 8a, Samsung Tab S10+
  • FIDO U2F: YubiKey 4/5
  • Packed: YubiKey 5, Samsung Galaxy devices
  • Apple Anonymous: iPhone, MacBook with Touch ID
  • TPM: Windows Hello, Surface devices

All test data is sourced from actual WebAuthn registrations to ensure real-world compatibility.

Test Coverage

# Run all tests
make test  # 15/15 passing

# Run specific test file
pytest src/fido_mds/tests/test_verify.py -v

# Test with coverage (optional, requires pytest-cov)
# pip install pytest-cov
# pytest src --cov=fido_mds --cov-report=html

License

BSD 3-Clause License. See LICENSE file for details.

Credits

References

Changelog

October 2025

Complete Android Key Attestation Implementation

  • Full KeyDescription parsing - Complete ASN.1 structure parsing with proper error handling
  • Origin validation - Tag 702 (KM_ORIGIN_GENERATED) verification in hardwareEnforced
  • Purpose validation - Tag 1 (KM_PURPOSE_SIGN) verification in hardwareEnforced
  • Security field validation - Tag 600 (allApplications) rejection with correct DER encoding
  • Certificate chain validation - Public key matching against Google Hardware Attestation roots
  • Full structure scanning - Removed arbitrary byte limits, scans complete AuthorizationLists
  • WebAuthn compliance - Follows WebAuthn Level 2 and Android Key Attestation specifications

Security Improvements

  • 🔒 Fixed allApplications detection - Correct DER encoding (0xBF 0x84 0x58) instead of wrong pattern
  • 🔒 Public key matching - Validates root certificates by public key, not just subject name
  • 🔒 Complete field scanning - Removed dangerous [:50] and [:100] byte limits
  • 🔒 Certificate re-issuance handling - Properly handles Google root certificate updates

Test Coverage

  • ✅ Google Pixel 8a (Android Key attestation)
  • ✅ Samsung Tab S10+ (Android Key attestation)
  • ✅ YubiKey 4/5 (FIDO U2F and Packed)
  • ✅ Apple devices (iPhone, MacBook)
  • ✅ TPM attestation

Documentation

  • ✅ Comprehensive DEVELOPMENT.md with LLM-specific guidelines
  • ✅ Updated README with detailed Android Key attestation features
  • ✅ Architecture documentation
  • ✅ Security validation documentation

Support

For issues, questions, or contributions:

Note: This package bundles FIDO Alliance metadata. Please ensure you comply with the FIDO Alliance Metadata Service Terms of Use.

Project details

Verified details

These details have been verified by PyPI
Project links
Owner
GitHub Statistics

Unverified details

These details have not been verified by PyPI
Meta
Classifiers

Release history Release notifications | RSS feed

This version

2026.4

2026.3

2026.2

2026.1

2025.12

2025.11

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fido_mds-2026.4.tar.gz (3.2 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

fido_mds-2026.4-py3-none-any.whl (3.2 MB view details)

Uploaded Python 3

File details

Details for the file fido_mds-2026.4.tar.gz.

File metadata

  • Download URL: fido_mds-2026.4.tar.gz
  • Upload date:
  • Size: 3.2 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for fido_mds-2026.4.tar.gz
Algorithm Hash digest
SHA256 b659eec4b36237828dff3b70800fcb6dee46ab96562785c3edbea26c0100f984
MD5 41374764c71d9bda0b21b8ab671000cc
BLAKE2b-256 16beab62bfc35bda5006524a26df22d0ab16ae268ff34df7857f7a858fa451be

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido_mds-2026.4.tar.gz:

Publisher: publish-to-pypi.yml on SUNET/python-fido-mds

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file fido_mds-2026.4-py3-none-any.whl.

File metadata

  • Download URL: fido_mds-2026.4-py3-none-any.whl
  • Upload date:
  • Size: 3.2 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for fido_mds-2026.4-py3-none-any.whl
Algorithm Hash digest
SHA256 4757cbf05c2fb6d98dfc351a76dfed859c0a2164614c08c47e52a88bddbbd666
MD5 2300d16c8008ac701472ce136dc999e3
BLAKE2b-256 73ae5fca3f3215f52a5f030bcccecf4600615a28212a39803b416fb75e4ad875

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido_mds-2026.4-py3-none-any.whl:

Publisher: publish-to-pypi.yml on SUNET/python-fido-mds

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page