FIDO Alliance Metadata Service in a package

Navigation

Verified details

These details have been verified by PyPI
Project links
Owner
GitHub Statistics

Unverified details

These details have not been verified by PyPI
Meta
Classifiers
Report project as malware

Project description

python-fido-mds

FIDO Alliance Metadata Service (MDS) in a Python package with WebAuthn attestation verification.

License Python

Overview

This package provides:

  • FIDO Metadata Service (MDS) - Bundled and regularly updated FIDO Alliance authenticator metadata
  • Attestation Verification - Comprehensive WebAuthn attestation format support
  • Type Safety - Full Pydantic models for type-safe metadata and attestation handling
  • Production Ready - Used in production environments for WebAuthn authentication

Features

FIDO Metadata Service

  • Regularly updated authenticator metadata from FIDO Alliance
  • Certificate chain verification
  • Metadata statement validation
  • Support for status reports

Attestation Format Support

  • Android Key - Complete KeyMint 4.0+ implementation with security validations

From python-fido2:

  • Packed - Standard packed attestation format
  • TPM - Trusted Platform Module attestation
  • Android SafetyNet - Legacy Android attestation (via fido2 library)
  • Apple Anonymous - Apple device attestation
  • FIDO U2F - Universal 2nd Factor attestation
  • None - Self attestation

Installation

pip install fido-mds

Development Installation

# Clone the repository
git clone https://github.com/SUNET/python-fido-mds.git
cd python-fido-mds

# Create and activate virtual environment
python3 -m venv .venv
source .venv/bin/activate  # On Windows: venv\Scripts\activate

# Install in editable mode with development dependencies
pip install -e ".[dev]"

# Or using uv (faster)
uv pip install -e ".[dev]"

# Verify installation
pytest src
make reformat
make typecheck

This installs:

  • All runtime dependencies (fido2, pydantic, cryptography, pyOpenSSL, asn1crypto)
  • All development tools (pytest, pytest-cov, ruff, mypy)

Quick Start

Basic Attestation Verification

from fido_mds import FidoMetadataStore
from fido_mds.models.webauthn import Attestation
from fido2.utils import websafe_decode

# Initialize metadata store
mds = FidoMetadataStore()

# Parse attestation object and client data
attestation = Attestation.from_base64(attestation_object_b64)
client_data = websafe_decode(client_data_b64)

# Verify attestation
try:
    result = mds.verify_attestation(attestation, client_data)
    print(f"✅ Attestation verified: {result}")
except Exception as e:
    print(f"❌ Verification failed: {e}")

Android Key Attestation

from fido_mds.models.attestation import AndroidKeyAttestation
import hashlib

# Create verifier
verifier = AndroidKeyAttestation()

# Prepare data
client_data_hash = hashlib.sha256(client_data).digest()

# Verify
result = verifier.verify(
    statement=attestation.attestation_obj.att_stmt,
    auth_data=attestation.attestation_obj.auth_data,
    client_data_hash=client_data_hash
)

Documentation

  • DEVELOPMENT.md - Comprehensive development guide including:
    • Setup and installation
    • Development workflow
    • Testing guidelines
    • Code quality standards
    • Architecture overview
    • Special LLM section for AI-assisted development

Architecture

fido-mds/
├── models/
│   ├── attestation.py    # Attestation format implementations
│   ├── fido_mds.py       # FIDO MDS models
│   └── webauthn.py       # WebAuthn models
├── data/                 # Bundled metadata
├── tests/                # Test suite
│   ├── data.py          # Test attestation objects
│   └── test_*.py        # Test modules
├── helpers.py           # Utility functions
└── metadata_store.py    # Main API

Requirements

  • Python 3.10 or higher (tested with 3.13.3)
  • fido2 >= 2.0.0
  • pydantic >= 2.0
  • cryptography
  • pyOpenSSL
  • asn1crypto (for Android Key attestation)

Development

Running Tests

# Activate virtualenv
source /path/to/virtualenv/bin/activate

# Run all tests
make test

# Run specific test
pytest src/fido_mds/tests/test_verify.py -v

Code Quality

# Format code
make reformat

# Type checking
make typecheck

# Run all checks
make reformat && make typecheck && make test

See DEVELOPMENT.md for detailed development guidelines.

WebAuthn Specification Compliance

This package implements attestation verification according to:

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes with tests
  4. Run all quality checks (make reformat && make typecheck && make test)
  5. Submit a pull request

See DEVELOPMENT.md for detailed contribution guidelines.

Testing

The test suite includes real attestation objects from various authenticators:

  • Android Key: Google Pixel 8a, Samsung Tab S10+
  • FIDO U2F: YubiKey 4/5
  • Packed: YubiKey 5, Samsung Galaxy devices
  • Apple Anonymous: iPhone, MacBook with Touch ID
  • TPM: Windows Hello, Surface devices

All test data is sourced from actual WebAuthn registrations to ensure real-world compatibility.

Test Coverage

# Run all tests
make test  # 15/15 passing

# Run specific test file
pytest src/fido_mds/tests/test_verify.py -v

# Test with coverage (optional, requires pytest-cov)
# pip install pytest-cov
# pytest src --cov=fido_mds --cov-report=html

License

BSD 3-Clause License. See LICENSE file for details.

Credits

References

Changelog

October 2025

Complete Android Key Attestation Implementation

  • Full KeyDescription parsing - Complete ASN.1 structure parsing with proper error handling
  • Origin validation - Tag 702 (KM_ORIGIN_GENERATED) verification in hardwareEnforced
  • Purpose validation - Tag 1 (KM_PURPOSE_SIGN) verification in hardwareEnforced
  • Security field validation - Tag 600 (allApplications) rejection with correct DER encoding
  • Certificate chain validation - Public key matching against Google Hardware Attestation roots
  • Full structure scanning - Removed arbitrary byte limits, scans complete AuthorizationLists
  • WebAuthn compliance - Follows WebAuthn Level 2 and Android Key Attestation specifications

Security Improvements

  • 🔒 Fixed allApplications detection - Correct DER encoding (0xBF 0x84 0x58) instead of wrong pattern
  • 🔒 Public key matching - Validates root certificates by public key, not just subject name
  • 🔒 Complete field scanning - Removed dangerous [:50] and [:100] byte limits
  • 🔒 Certificate re-issuance handling - Properly handles Google root certificate updates

Test Coverage

  • ✅ Google Pixel 8a (Android Key attestation)
  • ✅ Samsung Tab S10+ (Android Key attestation)
  • ✅ YubiKey 4/5 (FIDO U2F and Packed)
  • ✅ Apple devices (iPhone, MacBook)
  • ✅ TPM attestation

Documentation

  • ✅ Comprehensive DEVELOPMENT.md with LLM-specific guidelines
  • ✅ Updated README with detailed Android Key attestation features
  • ✅ Architecture documentation
  • ✅ Security validation documentation

Support

For issues, questions, or contributions:

Note: This package bundles FIDO Alliance metadata. Please ensure you comply with the FIDO Alliance Metadata Service Terms of Use.

Project details

Verified details

These details have been verified by PyPI
Project links
Owner
GitHub Statistics

Unverified details

These details have not been verified by PyPI
Meta
Classifiers

Release history Release notifications | RSS feed

2026.4

2026.3

2026.2

This version

2026.1

2025.12

2025.11

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fido_mds-2026.1.tar.gz (3.1 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

fido_mds-2026.1-py3-none-any.whl (3.2 MB view details)

Uploaded Python 3

File details

Details for the file fido_mds-2026.1.tar.gz.

File metadata

  • Download URL: fido_mds-2026.1.tar.gz
  • Upload date:
  • Size: 3.1 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fido_mds-2026.1.tar.gz
Algorithm Hash digest
SHA256 b1434c2aef48925601a3963c14adc85ca2789f5ceabdf5df7bb871afdd83cf53
MD5 176d6d643413a82b6903342e54fc0906
BLAKE2b-256 ce6e95796e48bd9d2bcfd60f524fbaffd003466b1f9de344e1b94e446ea97b5a

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido_mds-2026.1.tar.gz:

Publisher: publish-to-pypi.yml on SUNET/python-fido-mds

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file fido_mds-2026.1-py3-none-any.whl.

File metadata

  • Download URL: fido_mds-2026.1-py3-none-any.whl
  • Upload date:
  • Size: 3.2 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fido_mds-2026.1-py3-none-any.whl
Algorithm Hash digest
SHA256 1f6de450f3dc8823b3f50c05b7e2f3685e2b266a193033c1107b28a3182e4104
MD5 aa83324c73559376625be20d0a5ede41
BLAKE2b-256 1e79ee381f36b9f95f6adf0eca77c4c59efe66d294e314bcb4549c1092c44adc

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido_mds-2026.1-py3-none-any.whl:

Publisher: publish-to-pypi.yml on SUNET/python-fido-mds

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page