FIDO Alliance Metadata Service in a package

Navigation

Verified details

These details have been verified by PyPI
Project links
Owner
GitHub Statistics

Unverified details

These details have not been verified by PyPI
Meta
Classifiers
Report project as malware

Project description

python-fido-mds

FIDO Alliance Metadata Service (MDS) in a Python package with WebAuthn attestation verification.

License Python

Overview

This package provides:

  • FIDO Metadata Service (MDS) - Bundled and regularly updated FIDO Alliance authenticator metadata
  • Attestation Verification - Comprehensive WebAuthn attestation format support
  • Type Safety - Full Pydantic models for type-safe metadata and attestation handling
  • Production Ready - Used in production environments for WebAuthn authentication

Features

FIDO Metadata Service

  • Regularly updated authenticator metadata from FIDO Alliance
  • Certificate chain verification
  • Metadata statement validation
  • Support for status reports

Attestation Format Support

  • Android Key - Complete KeyMint 4.0+ implementation with security validations

From python-fido2:

  • Packed - Standard packed attestation format
  • TPM - Trusted Platform Module attestation
  • Android SafetyNet - Legacy Android attestation (via fido2 library)
  • Apple Anonymous - Apple device attestation
  • FIDO U2F - Universal 2nd Factor attestation
  • None - Self attestation

Installation

pip install fido-mds

Development Installation

# Clone the repository
git clone https://github.com/SUNET/python-fido-mds.git
cd python-fido-mds

# Create and activate virtual environment
python3 -m venv .venv
source .venv/bin/activate  # On Windows: venv\Scripts\activate

# Install in editable mode with development dependencies
pip install -e ".[dev]"

# Or using uv (faster)
uv pip install -e ".[dev]"

# Verify installation
pytest src
make reformat
make typecheck

This installs:

  • All runtime dependencies (fido2, pydantic, cryptography, pyOpenSSL, asn1crypto)
  • All development tools (pytest, pytest-cov, ruff, mypy)

Quick Start

Basic Attestation Verification

from fido_mds import FidoMetadataStore
from fido_mds.models.webauthn import Attestation
from fido2.utils import websafe_decode

# Initialize metadata store
mds = FidoMetadataStore()

# Parse attestation object and client data
attestation = Attestation.from_base64(attestation_object_b64)
client_data = websafe_decode(client_data_b64)

# Verify attestation
try:
    result = mds.verify_attestation(attestation, client_data)
    print(f"✅ Attestation verified: {result}")
except Exception as e:
    print(f"❌ Verification failed: {e}")

Android Key Attestation

from fido_mds.models.attestation import AndroidKeyAttestation
import hashlib

# Create verifier
verifier = AndroidKeyAttestation()

# Prepare data
client_data_hash = hashlib.sha256(client_data).digest()

# Verify
result = verifier.verify(
    statement=attestation.attestation_obj.att_stmt,
    auth_data=attestation.attestation_obj.auth_data,
    client_data_hash=client_data_hash
)

Documentation

  • DEVELOPMENT.md - Comprehensive development guide including:
    • Setup and installation
    • Development workflow
    • Testing guidelines
    • Code quality standards
    • Architecture overview
    • Special LLM section for AI-assisted development

Architecture

fido-mds/
├── models/
│   ├── attestation.py    # Attestation format implementations
│   ├── fido_mds.py       # FIDO MDS models
│   └── webauthn.py       # WebAuthn models
├── data/                 # Bundled metadata
├── tests/                # Test suite
│   ├── data.py          # Test attestation objects
│   └── test_*.py        # Test modules
├── helpers.py           # Utility functions
└── metadata_store.py    # Main API

Requirements

  • Python 3.10 or higher (tested with 3.13.3)
  • fido2 >= 2.0.0
  • pydantic >= 2.0
  • cryptography
  • pyOpenSSL
  • asn1crypto (for Android Key attestation)

Development

Running Tests

# Activate virtualenv
source /path/to/virtualenv/bin/activate

# Run all tests
make test

# Run specific test
pytest src/fido_mds/tests/test_verify.py -v

Code Quality

# Format code
make reformat

# Type checking
make typecheck

# Run all checks
make reformat && make typecheck && make test

See DEVELOPMENT.md for detailed development guidelines.

WebAuthn Specification Compliance

This package implements attestation verification according to:

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes with tests
  4. Run all quality checks (make reformat && make typecheck && make test)
  5. Submit a pull request

See DEVELOPMENT.md for detailed contribution guidelines.

Testing

The test suite includes real attestation objects from various authenticators:

  • Android Key: Google Pixel 8a, Samsung Tab S10+
  • FIDO U2F: YubiKey 4/5
  • Packed: YubiKey 5, Samsung Galaxy devices
  • Apple Anonymous: iPhone, MacBook with Touch ID
  • TPM: Windows Hello, Surface devices

All test data is sourced from actual WebAuthn registrations to ensure real-world compatibility.

Test Coverage

# Run all tests
make test  # 15/15 passing

# Run specific test file
pytest src/fido_mds/tests/test_verify.py -v

# Test with coverage (optional, requires pytest-cov)
# pip install pytest-cov
# pytest src --cov=fido_mds --cov-report=html

License

BSD 3-Clause License. See LICENSE file for details.

Credits

References

Changelog

October 2025

Complete Android Key Attestation Implementation

  • Full KeyDescription parsing - Complete ASN.1 structure parsing with proper error handling
  • Origin validation - Tag 702 (KM_ORIGIN_GENERATED) verification in hardwareEnforced
  • Purpose validation - Tag 1 (KM_PURPOSE_SIGN) verification in hardwareEnforced
  • Security field validation - Tag 600 (allApplications) rejection with correct DER encoding
  • Certificate chain validation - Public key matching against Google Hardware Attestation roots
  • Full structure scanning - Removed arbitrary byte limits, scans complete AuthorizationLists
  • WebAuthn compliance - Follows WebAuthn Level 2 and Android Key Attestation specifications

Security Improvements

  • 🔒 Fixed allApplications detection - Correct DER encoding (0xBF 0x84 0x58) instead of wrong pattern
  • 🔒 Public key matching - Validates root certificates by public key, not just subject name
  • 🔒 Complete field scanning - Removed dangerous [:50] and [:100] byte limits
  • 🔒 Certificate re-issuance handling - Properly handles Google root certificate updates

Test Coverage

  • ✅ Google Pixel 8a (Android Key attestation)
  • ✅ Samsung Tab S10+ (Android Key attestation)
  • ✅ YubiKey 4/5 (FIDO U2F and Packed)
  • ✅ Apple devices (iPhone, MacBook)
  • ✅ TPM attestation

Documentation

  • ✅ Comprehensive DEVELOPMENT.md with LLM-specific guidelines
  • ✅ Updated README with detailed Android Key attestation features
  • ✅ Architecture documentation
  • ✅ Security validation documentation

Support

For issues, questions, or contributions:

Note: This package bundles FIDO Alliance metadata. Please ensure you comply with the FIDO Alliance Metadata Service Terms of Use.

Project details

Verified details

These details have been verified by PyPI
Project links
Owner
GitHub Statistics

Unverified details

These details have not been verified by PyPI
Meta
Classifiers

Release history Release notifications | RSS feed

2026.4

2026.3

This version

2026.2

2026.1

2025.12

2025.11

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fido_mds-2026.2.tar.gz (3.2 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

fido_mds-2026.2-py3-none-any.whl (3.2 MB view details)

Uploaded Python 3

File details

Details for the file fido_mds-2026.2.tar.gz.

File metadata

  • Download URL: fido_mds-2026.2.tar.gz
  • Upload date:
  • Size: 3.2 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fido_mds-2026.2.tar.gz
Algorithm Hash digest
SHA256 313b7458c709bd344f59d02480057d5e5979a3a93d170cd9939d2a795b3f9f6d
MD5 2b101921315058b2fd3e52dbeb7ed925
BLAKE2b-256 a449fac5b8b09c16f38154496d6f8808065a50e2d262b4fa00c2294de1452d65

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido_mds-2026.2.tar.gz:

Publisher: publish-to-pypi.yml on SUNET/python-fido-mds

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file fido_mds-2026.2-py3-none-any.whl.

File metadata

  • Download URL: fido_mds-2026.2-py3-none-any.whl
  • Upload date:
  • Size: 3.2 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fido_mds-2026.2-py3-none-any.whl
Algorithm Hash digest
SHA256 1a266198bcfa044bc47d074fe47abe1fe47906e0af7e0dd5d1af921635b733c8
MD5 70b304dcc02410a16d8ddfa56c44576b
BLAKE2b-256 234e5548071796fdb2ae6669d0bb6ef0d7cdd2df5c828f399cff575f1ecf60e6

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido_mds-2026.2-py3-none-any.whl:

Publisher: publish-to-pypi.yml on SUNET/python-fido-mds

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page