FIDO Alliance Metadata Service in a package

Navigation

Verified details

These details have been verified by PyPI
Project links
Owner
GitHub Statistics

Unverified details

These details have not been verified by PyPI
Meta
Classifiers
Report project as malware

Project description

python-fido-mds

FIDO Alliance Metadata Service (MDS) in a Python package with WebAuthn attestation verification.

License Python

Overview

This package provides:

  • FIDO Metadata Service (MDS) - Bundled and regularly updated FIDO Alliance authenticator metadata
  • Attestation Verification - Comprehensive WebAuthn attestation format support
  • Type Safety - Full Pydantic models for type-safe metadata and attestation handling
  • Production Ready - Used in production environments for WebAuthn authentication

Features

FIDO Metadata Service

  • Regularly updated authenticator metadata from FIDO Alliance
  • Certificate chain verification
  • Metadata statement validation
  • Support for status reports

Attestation Format Support

  • Android Key - Complete KeyMint 4.0+ implementation with security validations

From python-fido2:

  • Packed - Standard packed attestation format
  • TPM - Trusted Platform Module attestation
  • Android SafetyNet - Legacy Android attestation (via fido2 library)
  • Apple Anonymous - Apple device attestation
  • FIDO U2F - Universal 2nd Factor attestation
  • None - Self attestation

Installation

pip install fido-mds

Development Installation

# Clone the repository
git clone https://github.com/SUNET/python-fido-mds.git
cd python-fido-mds

# Create and activate virtual environment
python3 -m venv .venv
source .venv/bin/activate  # On Windows: venv\Scripts\activate

# Install in editable mode with development dependencies
pip install -e ".[dev]"

# Or using uv (faster)
uv pip install -e ".[dev]"

# Verify installation
pytest src
make reformat
make typecheck

This installs:

  • All runtime dependencies (fido2, pydantic, cryptography, pyOpenSSL, asn1crypto)
  • All development tools (pytest, pytest-cov, ruff, mypy)

Quick Start

Basic Attestation Verification

from fido_mds import FidoMetadataStore
from fido_mds.models.webauthn import Attestation
from fido2.utils import websafe_decode

# Initialize metadata store
mds = FidoMetadataStore()

# Parse attestation object and client data
attestation = Attestation.from_base64(attestation_object_b64)
client_data = websafe_decode(client_data_b64)

# Verify attestation
try:
    result = mds.verify_attestation(attestation, client_data)
    print(f"✅ Attestation verified: {result}")
except Exception as e:
    print(f"❌ Verification failed: {e}")

Android Key Attestation

from fido_mds.models.attestation import AndroidKeyAttestation
import hashlib

# Create verifier
verifier = AndroidKeyAttestation()

# Prepare data
client_data_hash = hashlib.sha256(client_data).digest()

# Verify
result = verifier.verify(
    statement=attestation.attestation_obj.att_stmt,
    auth_data=attestation.attestation_obj.auth_data,
    client_data_hash=client_data_hash
)

Documentation

  • DEVELOPMENT.md - Comprehensive development guide including:
    • Setup and installation
    • Development workflow
    • Testing guidelines
    • Code quality standards
    • Architecture overview
    • Special LLM section for AI-assisted development

Architecture

fido-mds/
├── models/
│   ├── attestation.py    # Attestation format implementations
│   ├── fido_mds.py       # FIDO MDS models
│   └── webauthn.py       # WebAuthn models
├── data/                 # Bundled metadata
├── tests/                # Test suite
│   ├── data.py          # Test attestation objects
│   └── test_*.py        # Test modules
├── helpers.py           # Utility functions
└── metadata_store.py    # Main API

Requirements

  • Python 3.10 or higher (tested with 3.13.3)
  • fido2 >= 2.0.0
  • pydantic >= 2.0
  • cryptography
  • pyOpenSSL
  • asn1crypto (for Android Key attestation)

Development

Running Tests

# Activate virtualenv
source /path/to/virtualenv/bin/activate

# Run all tests
make test

# Run specific test
pytest src/fido_mds/tests/test_verify.py -v

Code Quality

# Format code
make reformat

# Type checking
make typecheck

# Run all checks
make reformat && make typecheck && make test

See DEVELOPMENT.md for detailed development guidelines.

WebAuthn Specification Compliance

This package implements attestation verification according to:

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes with tests
  4. Run all quality checks (make reformat && make typecheck && make test)
  5. Submit a pull request

See DEVELOPMENT.md for detailed contribution guidelines.

Testing

The test suite includes real attestation objects from various authenticators:

  • Android Key: Google Pixel 8a, Samsung Tab S10+
  • FIDO U2F: YubiKey 4/5
  • Packed: YubiKey 5, Samsung Galaxy devices
  • Apple Anonymous: iPhone, MacBook with Touch ID
  • TPM: Windows Hello, Surface devices

All test data is sourced from actual WebAuthn registrations to ensure real-world compatibility.

Test Coverage

# Run all tests
make test  # 15/15 passing

# Run specific test file
pytest src/fido_mds/tests/test_verify.py -v

# Test with coverage (optional, requires pytest-cov)
# pip install pytest-cov
# pytest src --cov=fido_mds --cov-report=html

License

BSD 3-Clause License. See LICENSE file for details.

Credits

References

Changelog

October 2025

Complete Android Key Attestation Implementation

  • Full KeyDescription parsing - Complete ASN.1 structure parsing with proper error handling
  • Origin validation - Tag 702 (KM_ORIGIN_GENERATED) verification in hardwareEnforced
  • Purpose validation - Tag 1 (KM_PURPOSE_SIGN) verification in hardwareEnforced
  • Security field validation - Tag 600 (allApplications) rejection with correct DER encoding
  • Certificate chain validation - Public key matching against Google Hardware Attestation roots
  • Full structure scanning - Removed arbitrary byte limits, scans complete AuthorizationLists
  • WebAuthn compliance - Follows WebAuthn Level 2 and Android Key Attestation specifications

Security Improvements

  • 🔒 Fixed allApplications detection - Correct DER encoding (0xBF 0x84 0x58) instead of wrong pattern
  • 🔒 Public key matching - Validates root certificates by public key, not just subject name
  • 🔒 Complete field scanning - Removed dangerous [:50] and [:100] byte limits
  • 🔒 Certificate re-issuance handling - Properly handles Google root certificate updates

Test Coverage

  • ✅ Google Pixel 8a (Android Key attestation)
  • ✅ Samsung Tab S10+ (Android Key attestation)
  • ✅ YubiKey 4/5 (FIDO U2F and Packed)
  • ✅ Apple devices (iPhone, MacBook)
  • ✅ TPM attestation

Documentation

  • ✅ Comprehensive DEVELOPMENT.md with LLM-specific guidelines
  • ✅ Updated README with detailed Android Key attestation features
  • ✅ Architecture documentation
  • ✅ Security validation documentation

Support

For issues, questions, or contributions:

Note: This package bundles FIDO Alliance metadata. Please ensure you comply with the FIDO Alliance Metadata Service Terms of Use.

Project details

Verified details

These details have been verified by PyPI
Project links
Owner
GitHub Statistics

Unverified details

These details have not been verified by PyPI
Meta
Classifiers

Release history Release notifications | RSS feed

2026.4

2026.3

2026.2

2026.1

This version

2025.12

2025.11

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fido_mds-2025.12.tar.gz (3.0 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

fido_mds-2025.12-py3-none-any.whl (3.1 MB view details)

Uploaded Python 3

File details

Details for the file fido_mds-2025.12.tar.gz.

File metadata

  • Download URL: fido_mds-2025.12.tar.gz
  • Upload date:
  • Size: 3.0 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fido_mds-2025.12.tar.gz
Algorithm Hash digest
SHA256 4f2f60964d74d2be936df8d218cbe39354bb0e370e554d696e34c89af08e6b2c
MD5 ef10e89d29c058834bc0a48d4ec28f7f
BLAKE2b-256 0bb5d0c88440c05dc0be008fd74d2fae18f73c54125a611d8dd6fa0dc008e1ed

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido_mds-2025.12.tar.gz:

Publisher: publish-to-pypi.yml on SUNET/python-fido-mds

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file fido_mds-2025.12-py3-none-any.whl.

File metadata

  • Download URL: fido_mds-2025.12-py3-none-any.whl
  • Upload date:
  • Size: 3.1 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fido_mds-2025.12-py3-none-any.whl
Algorithm Hash digest
SHA256 24acf054384f491f41a505a0689050ef54acf1cee11e7c4fa8df93875cc4825c
MD5 cb9e8512097b3134b1b79bee1754a82d
BLAKE2b-256 1191307893949bba950bb755f7195ac8414400018ebe51650a76c5334e11a262

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido_mds-2025.12-py3-none-any.whl:

Publisher: publish-to-pypi.yml on SUNET/python-fido-mds

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page