WillSmartYubico/test_enterprise_attestation.py

## test_enterprise_attestation.py
# Copyright (c) 2021 Yubico AB
# All rights reserved.
#
#   Redistribution and use in source and binary forms, with or
#   without modification, are permitted provided that the following
#   conditions are met:
#
#    1. Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#    2. Redistributions in binary form must reproduce the above
#       copyright notice, this list of conditions and the following
#       disclaimer in the documentation and/or other materials provided
#       with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

"""
This example shows how to request and decode an Enterprise Attestation (EA) attestation from an authenticator.

It connects to the first FIDO device found (starts from USB, then looks into NFC),
creates a new credential for it while requesting EA, and then unpacks and decodes the attestation certificate.
It does *not* validate the certificate or certificate chain in any way.
On Windows, the native WebAuthn API will be used.
"""
from fido2.hid import CtapHidDevice
from fido2.client import Fido2Client, WindowsClient, UserInteraction
from fido2.server import Fido2Server
from fido2.attestation import AttestationVerifier
from base64 import b64decode
from getpass import getpass
import sys
import ctypes

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.x509 import UnrecognizedExtension

import asn1
from uuid import UUID

if len( sys.argv ) > 1:
    RPID =  sys.argv[1]
else:
    RPID = input("RPID to test:")


YUBICO_FIDO_DEVICE_TYPE = {
    '1.3.6.1.4.1.41482.1.1': 'YubiKey U2F PlayStore devices (NXP-based)',
    '1.3.6.1.4.1.41482.1.2': 'YubiKey NEO (NXP-based)',
    '1.3.6.1.4.1.41482.1.3': 'YubiKey Plus (Infineon-based)',
    '1.3.6.1.4.1.41482.1.4': 'YubiKey Edge (Infineon-based)',
    '1.3.6.1.4.1.41482.1.5': 'YubiKey 4 USB (Infineon-based) [2015-11-03]',
    '1.3.6.1.4.1.41482.1.6': 'YubiKey NFC Preview (Infineon-based) [2018-04-12]',
    '1.3.6.1.4.1.41482.1.7': 'YubiKey 5 [2018-09-14]',
    '1.3.6.1.4.1.41482.1.8': 'YubiKey 5 Ci Lightning preview [2019-02-08]',
    '1.3.6.1.4.1.41482.1.9': 'YubiKey Bio',
    }

YUBICO_ATTESTATION_OIDS = {
    'Firmware version':                     '1.3.6.1.4.1.41482.13.1',
    'Enterprise Attestation Serial Number': '1.3.6.1.4.1.45724.1.1.2',
    'Yubico FIDO Device Type':              '1.3.6.1.4.1.41482.2',
    'Transports':                           '1.3.6.1.4.1.45724.2.1.1',
    'AAGUID':                               '1.3.6.1.4.1.45724.1.1.4',
    'FIPS Certificate':                     '1.3.6.1.4.1.41482.12',
    }


YUBICO_FIPS_CERTIFICATES = {
    1: 'YubiKey Standard and YubiKey Nano Certificate #2267',
    2: 'YubiKey (4) FIPS Certificate #3204',
    3: 'YubiKey (4) FIPS Certificate #3517',
    4: 'YubiKey 5 FIPS Certificate #3907 (Level 1)',
    5: 'YubiKey 5 FIPS Certificate #3914 (Level 2)',
    6: 'YubiHSM 2 Certificate #3916',
    7: 'YubiKey 5 FIPS Certificate #3914 (Level 2) update',
    }

def decodefirmwareversion(raw):
    decoder = asn1.Decoder()
    decoder.start(raw)
    tag, value = decoder.read()
    major = value[0]
    minor = value[1]
    patch = value[2]
    return major, minor, patch

def decodeserial(raw):
    decoder = asn1.Decoder()
    decoder.start(raw)
    tag, value = decoder.read()
    sn = str(int.from_bytes(value, byteorder='big', signed=False))
    return sn

def decodetransports(raw):
    #b'\x03\x02\x040'
    assert(raw[0] == 3)
    assert(raw[1] == 2)

    #by shifting right and then left by raw[2] bytes, ensure that the "unused" bits in the bit string are always 0.  Probably not needed.
    transportflags =  (raw[3] >> raw[2]) << raw[2]
    transports = []

    # Order for possibletransports in important, and must follow this
    # https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-authenticator-transports-extension-v1.2-ps-20170411.html
    possibletransports = ["Bluetooth Classic","BLE","USB","NFC","USB (Internal)"]

    # test the 1st bit in the bitstring, if it's a 1, label it with the transport name and then shift left
    for possible in possibletransports:
        #print(possible, transportflags)
        if (transportflags & 0x80):
            transports.append(possible)
        transportflags = (transportflags << 1) & 0xff
    return transports

def decodeaaguid(raw):
    decoder = asn1.Decoder()
    decoder.start(raw)
    tag, value = decoder.read()
    aaguid = UUID(int=int.from_bytes(value, 'big'))
    return aaguid


# Handle user interaction
class CliInteraction(UserInteraction):
    def prompt_up(self):
        print("\nTouch your authenticator device now...\n")

    def request_pin(self, permissions, rd_id):
        return getpass("Enter PIN: ")

    def request_uv(self, permissions, rd_id):
        print("User Verification required.")
        return True


if WindowsClient.is_available() and not ctypes.windll.shell32.IsUserAnAdmin():
    # Enterprise Attestation is currently not supported by python-fido2 while using the Windows WebAuthn API
    # https://github.com/Yubico/python-fido2/blob/edcb00bc327453cfcf549ef4f12cc25a88b6b0a4/fido2/win_api.py#L814
    # client = WindowsClient("https://"+RPID)
    raise Exception("Enterprise Attestation is currently not supported by python-fido2 while using the Windows WebAuthn API, please run as administrator.")
else:
    # Locate a device
    dev = next(CtapHidDevice.list_devices(), None)
    if dev is not None:
        print("Use USB HID channel.")
    else:
        try:
            from fido2.pcsc import CtapPcscDevice

            dev = next(CtapPcscDevice.list_devices(), None)
            print("Use NFC channel.")
        except Exception as e:
            print("NFC channel search error:", e)

    if not dev:
        print("No FIDO device found")
        sys.exit(1)

    # Set up a FIDO 2 client using the origin provided on the command line
    client = Fido2Client(dev, ("https://"+RPID), user_interaction=CliInteraction())

server = Fido2Server(
    {"id": RPID, "name": "Example RP"},
    attestation="enterprise"
)

user = {"id": b"user_id", "name": "A. User"}

# Prepare parameters for makeCredential
create_options, state = server.register_begin(
    user, user_verification="discouraged", authenticator_attachment="cross-platform",
)

# Create a credential
result = client.make_credential(create_options["publicKey"])

# Complete registration
auth_data = server.register_complete(
    state, result.client_data, result.attestation_object
)

print("New credential created.  Attestation received.")

cert = x509.load_der_x509_certificate(result.attestation_object.att_stmt['x5c'][0], default_backend())

# Test for EA, and get SN
try:
    #oid = '1.3.6.1.4.1.45724.1.1.2'
    #description = 'Enterprise Attestation Serial Number:'
    extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["Enterprise Attestation Serial Number"])).value.value
    sn = decodeserial(extension)
    #print(oid, description, sn)
    attestationtype="Enterprise"
except:
    attestationtype="Direct"

# Yubico Firmware Version
try:
    #oid='1.3.6.1.4.1.41482.13.1'
    extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["Firmware version"])).value.value
    major, minor, patch = decodefirmwareversion(extension)
except:
    major = False

# Yubico Device Type
try:
    extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["Yubico FIDO Device Type"])).value.value
    devicetype = YUBICO_FIDO_DEVICE_TYPE[extension.decode()]
except:
    devicetype = False

# Transports
try:
    extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["Transports"])).value.value
    transports = decodetransports(extension)
except:
    transports = False

# AAGUID
try:
    extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["AAGUID"])).value.value
    aaguid = decodeaaguid(extension)
except:
    aaguid = False

# FIPS Certificate
try:
    extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["FIPS Certificate"])).value.value
    aaguid = decodeaaguid(extension)
except:
    aaguid = False


print("Attestation Certificate Subject:", cert.subject.rfc4514_string())
print("Attestation Certificate Issuer :", cert.issuer.rfc4514_string())
print("Attestation Type:              :", attestationtype)
if attestationtype=="Enterprise":
    print("Serial Number                  :", sn)
if major and minor and patch:
    print("Yubico Firmware Version        : ", major, ".", minor, ".", patch, sep = '')
if devicetype:
    print("Yubico Device Type             :", devicetype)
if transports:
    print("Yubico Device Transports       :", transports)
if aaguid:
    print("AAGUID                         :", aaguid)

for extension in cert.extensions:
    if extension.oid.dotted_string not in YUBICO_ATTESTATION_OIDS.values():
        if type(extension.value) is x509.UnrecognizedExtension:
            print("Unknown Extension:", extension.oid.dotted_string)

print("Attestation Object",result.attestation_object.hex())
	# Copyright (c) 2021 Yubico AB
	# All rights reserved.
	#
	# Redistribution and use in source and binary forms, with or
	# without modification, are permitted provided that the following
	# conditions are met:
	#
	# 1. Redistributions of source code must retain the above copyright
	# notice, this list of conditions and the following disclaimer.
	# 2. Redistributions in binary form must reproduce the above
	# copyright notice, this list of conditions and the following
	# disclaimer in the documentation and/or other materials provided
	# with the distribution.
	#
	# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
	# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
	# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
	# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	# POSSIBILITY OF SUCH DAMAGE.

	"""
	This example shows how to request and decode an Enterprise Attestation (EA) attestation from an authenticator.

	It connects to the first FIDO device found (starts from USB, then looks into NFC),
	creates a new credential for it while requesting EA, and then unpacks and decodes the attestation certificate.
	It does not validate the certificate or certificate chain in any way.
	On Windows, the native WebAuthn API will be used.
	"""
	from fido2.hid import CtapHidDevice
	from fido2.client import Fido2Client, WindowsClient, UserInteraction
	from fido2.server import Fido2Server
	from fido2.attestation import AttestationVerifier
	from base64 import b64decode
	from getpass import getpass
	import sys
	import ctypes

	from cryptography import x509
	from cryptography.hazmat.backends import default_backend
	from cryptography.x509 import UnrecognizedExtension

	import asn1
	from uuid import UUID

	if len( sys.argv ) > 1:
	RPID = sys.argv[1]
	else:
	RPID = input("RPID to test:")


	YUBICO_FIDO_DEVICE_TYPE = {
	'1.3.6.1.4.1.41482.1.1': 'YubiKey U2F PlayStore devices (NXP-based)',
	'1.3.6.1.4.1.41482.1.2': 'YubiKey NEO (NXP-based)',
	'1.3.6.1.4.1.41482.1.3': 'YubiKey Plus (Infineon-based)',
	'1.3.6.1.4.1.41482.1.4': 'YubiKey Edge (Infineon-based)',
	'1.3.6.1.4.1.41482.1.5': 'YubiKey 4 USB (Infineon-based) [2015-11-03]',
	'1.3.6.1.4.1.41482.1.6': 'YubiKey NFC Preview (Infineon-based) [2018-04-12]',
	'1.3.6.1.4.1.41482.1.7': 'YubiKey 5 [2018-09-14]',
	'1.3.6.1.4.1.41482.1.8': 'YubiKey 5 Ci Lightning preview [2019-02-08]',
	'1.3.6.1.4.1.41482.1.9': 'YubiKey Bio',
	}

	YUBICO_ATTESTATION_OIDS = {
	'Firmware version': '1.3.6.1.4.1.41482.13.1',
	'Enterprise Attestation Serial Number': '1.3.6.1.4.1.45724.1.1.2',
	'Yubico FIDO Device Type': '1.3.6.1.4.1.41482.2',
	'Transports': '1.3.6.1.4.1.45724.2.1.1',
	'AAGUID': '1.3.6.1.4.1.45724.1.1.4',
	'FIPS Certificate': '1.3.6.1.4.1.41482.12',
	}


	YUBICO_FIPS_CERTIFICATES = {
	1: 'YubiKey Standard and YubiKey Nano Certificate #2267',
	2: 'YubiKey (4) FIPS Certificate #3204',
	3: 'YubiKey (4) FIPS Certificate #3517',
	4: 'YubiKey 5 FIPS Certificate #3907 (Level 1)',
	5: 'YubiKey 5 FIPS Certificate #3914 (Level 2)',
	6: 'YubiHSM 2 Certificate #3916',
	7: 'YubiKey 5 FIPS Certificate #3914 (Level 2) update',
	}

	def decodefirmwareversion(raw):
	decoder = asn1.Decoder()
	decoder.start(raw)
	tag, value = decoder.read()
	major = value[0]
	minor = value[1]
	patch = value[2]
	return major, minor, patch

	def decodeserial(raw):
	decoder = asn1.Decoder()
	decoder.start(raw)
	tag, value = decoder.read()
	sn = str(int.from_bytes(value, byteorder='big', signed=False))
	return sn

	def decodetransports(raw):
	#b'\x03\x02\x040'
	assert(raw[0] == 3)
	assert(raw[1] == 2)

	#by shifting right and then left by raw[2] bytes, ensure that the "unused" bits in the bit string are always 0. Probably not needed.
	transportflags = (raw[3] >> raw[2]) << raw[2]
	transports = []

	# Order for possibletransports in important, and must follow this
	# https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-authenticator-transports-extension-v1.2-ps-20170411.html
	possibletransports = ["Bluetooth Classic","BLE","USB","NFC","USB (Internal)"]

	# test the 1st bit in the bitstring, if it's a 1, label it with the transport name and then shift left
	for possible in possibletransports:
	#print(possible, transportflags)
	if (transportflags & 0x80):
	transports.append(possible)
	transportflags = (transportflags << 1) & 0xff
	return transports

	def decodeaaguid(raw):
	decoder = asn1.Decoder()
	decoder.start(raw)
	tag, value = decoder.read()
	aaguid = UUID(int=int.from_bytes(value, 'big'))
	return aaguid


	# Handle user interaction
	class CliInteraction(UserInteraction):
	def prompt_up(self):
	print("\nTouch your authenticator device now...\n")

	def request_pin(self, permissions, rd_id):
	return getpass("Enter PIN: ")

	def request_uv(self, permissions, rd_id):
	print("User Verification required.")
	return True


	if WindowsClient.is_available() and not ctypes.windll.shell32.IsUserAnAdmin():
	# Enterprise Attestation is currently not supported by python-fido2 while using the Windows WebAuthn API
	# https://github.com/Yubico/python-fido2/blob/edcb00bc327453cfcf549ef4f12cc25a88b6b0a4/fido2/win_api.py#L814
	# client = WindowsClient("https://"+RPID)
	raise Exception("Enterprise Attestation is currently not supported by python-fido2 while using the Windows WebAuthn API, please run as administrator.")
	else:
	# Locate a device
	dev = next(CtapHidDevice.list_devices(), None)
	if dev is not None:
	print("Use USB HID channel.")
	else:
	try:
	from fido2.pcsc import CtapPcscDevice

	dev = next(CtapPcscDevice.list_devices(), None)
	print("Use NFC channel.")
	except Exception as e:
	print("NFC channel search error:", e)

	if not dev:
	print("No FIDO device found")
	sys.exit(1)

	# Set up a FIDO 2 client using the origin provided on the command line
	client = Fido2Client(dev, ("https://"+RPID), user_interaction=CliInteraction())

	server = Fido2Server(
	{"id": RPID, "name": "Example RP"},
	attestation="enterprise"
	)

	user = {"id": b"user_id", "name": "A. User"}

	# Prepare parameters for makeCredential
	create_options, state = server.register_begin(
	user, user_verification="discouraged", authenticator_attachment="cross-platform",
	)

	# Create a credential
	result = client.make_credential(create_options["publicKey"])

	# Complete registration
	auth_data = server.register_complete(
	state, result.client_data, result.attestation_object
	)

	print("New credential created. Attestation received.")

	cert = x509.load_der_x509_certificate(result.attestation_object.att_stmt['x5c'][0], default_backend())

	# Test for EA, and get SN
	try:
	#oid = '1.3.6.1.4.1.45724.1.1.2'
	#description = 'Enterprise Attestation Serial Number:'
	extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["Enterprise Attestation Serial Number"])).value.value
	sn = decodeserial(extension)
	#print(oid, description, sn)
	attestationtype="Enterprise"
	except:
	attestationtype="Direct"

	# Yubico Firmware Version
	try:
	#oid='1.3.6.1.4.1.41482.13.1'
	extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["Firmware version"])).value.value
	major, minor, patch = decodefirmwareversion(extension)
	except:
	major = False

	# Yubico Device Type
	try:
	extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["Yubico FIDO Device Type"])).value.value
	devicetype = YUBICO_FIDO_DEVICE_TYPE[extension.decode()]
	except:
	devicetype = False

	# Transports
	try:
	extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["Transports"])).value.value
	transports = decodetransports(extension)
	except:
	transports = False

	# AAGUID
	try:
	extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["AAGUID"])).value.value
	aaguid = decodeaaguid(extension)
	except:
	aaguid = False

	# FIPS Certificate
	try:
	extension = cert.extensions.get_extension_for_oid(x509.ObjectIdentifier(YUBICO_ATTESTATION_OIDS["FIPS Certificate"])).value.value
	aaguid = decodeaaguid(extension)
	except:
	aaguid = False


	print("Attestation Certificate Subject:", cert.subject.rfc4514_string())
	print("Attestation Certificate Issuer :", cert.issuer.rfc4514_string())
	print("Attestation Type: :", attestationtype)
	if attestationtype=="Enterprise":
	print("Serial Number :", sn)
	if major and minor and patch:
	print("Yubico Firmware Version : ", major, ".", minor, ".", patch, sep = '')
	if devicetype:
	print("Yubico Device Type :", devicetype)
	if transports:
	print("Yubico Device Transports :", transports)
	if aaguid:
	print("AAGUID :", aaguid)

	for extension in cert.extensions:
	if extension.oid.dotted_string not in YUBICO_ATTESTATION_OIDS.values():
	if type(extension.value) is x509.UnrecognizedExtension:
	print("Unknown Extension:", extension.oid.dotted_string)

	print("Attestation Object",result.attestation_object.hex())