Update asycnssh to use version 2 of the fido2 package

Author: ronf

asyncssh/sk.py

@@ -128,7 +128,9 @@ def _ctap2_enroll(dev: 'CtapHidDevice', alg: int, application: str,
 def _win_enroll(alg: int, application: str, user: str) -> Tuple[bytes, bytes]:
     """Enroll a new security key using Windows WebAuthn API"""
 
-    client = WindowsClient(application, verify=_verify_rp_id)
+    data_collector = DefaultClientDataCollector(origin=application,
+                                                verify=_verify_rp_id)
+    client = WindowsClient(data_collector)
 
     rp = {'id': application, 'name': application}
     user_cred = {'id': user.encode('utf-8'), 'name': user}
@@ -137,7 +139,8 @@ def _win_enroll(alg: int, application: str, user: str) -> Tuple[bytes, bytes]:
                'pubKeyCredParams': key_params}
 
     result = client.make_credential(options)
-    cdata = result.attestation_object.auth_data.credential_data
+    response = result.response
+    cdata = response.attestation_object.auth_data.credential_data
 
     # pylint: disable=no-member
     return _decode_public_key(alg, cdata.public_key), cdata.credential_id
@@ -188,17 +191,20 @@ def _win_sign(data: bytes, application: str,
               key_handle: bytes) -> Tuple[int, int, bytes, bytes]:
     """Sign a message with a security key using Windows WebAuthn API"""
 
-    client = WindowsClient(application, verify=_verify_rp_id)
+    data_collector = DefaultClientDataCollector(origin=application,
+                                                verify=_verify_rp_id)
+    client = WindowsClient(data_collector)
 
     creds = [{'type': 'public-key', 'id': key_handle}]
     options = {'challenge': data, 'rpId': application,
                'allowCredentials': creds}
 
     result = client.get_assertion(options).get_response(0)
-    auth_data = result.authenticator_data
+    response = result.response
+    auth_data = response.authenticator_data
 
     return auth_data.flags, auth_data.counter, \
-           result.signature, bytes(result.client_data)
+           response.signature, bytes(response.client_data)
 
 
 def sk_webauthn_prefix(data: bytes, application: str) -> bytes:
@@ -327,21 +333,16 @@ def sk_get_resident(application: str, user: Optional[str],
 
 
 try:
-    from fido2.client import WindowsClient
+    from fido2.client import DefaultClientDataCollector
     from fido2.ctap import CtapError
     from fido2.ctap1 import Ctap1, APDU, ApduError
     from fido2.ctap2 import Ctap2, ClientPin, PinProtocolV1
     from fido2.ctap2 import CredentialManagement
     from fido2.hid import CtapHidDevice
 
     sk_available = True
-
-    sk_use_webauthn = WindowsClient.is_available() and \
-                      hasattr(ctypes, 'windll') and \
-                      not ctypes.windll.shell32.IsUserAnAdmin()
 except (ImportError, OSError, AttributeError): # pragma: no cover
     sk_available = False
-    sk_use_webauthn = False
 
     def _sk_not_available(*args: object, **kwargs: object) -> NoReturn:
         """Report that security key support is unavailable"""
@@ -351,3 +352,13 @@ def _sk_not_available(*args: object, **kwargs: object) -> NoReturn:
     sk_enroll = _sk_not_available
     sk_sign = _sk_not_available
     sk_get_resident = _sk_not_available
+
+try:
+    from fido2.client.windows import WindowsClient
+
+    sk_use_webauthn = WindowsClient.is_available() and \
+                      hasattr(ctypes, 'windll') and \
+                      not ctypes.windll.shell32.IsUserAnAdmin()
+except ImportError:
+    WindowsClient = None
+    sk_use_webauthn = False

pyproject.toml

@@ -35,7 +35,7 @@ dynamic = ['version']
 
 [project.optional-dependencies]
 bcrypt    = ['bcrypt >= 3.1.3']
-fido2     = ['fido2 >= 0.9.2, < 2']
+fido2     = ['fido2 >= 2']
 gssapi    = ['gssapi >= 1.2.0']
 libnacl   = ['libnacl >= 1.4.2']
 pkcs11    = ['python-pkcs11 >= 0.7.0']

tests/sk_stub.py

@@ -93,6 +93,13 @@ def __init__(self, attestation_object):
         self.attestation_object = attestation_object
 
 
+class _RegistrationResponse:
+    """Security key registration response"""
+
+    def __init__(self, attestation_response):
+        self.response = attestation_response
+
+
 class _AuthenticatorData:
     """Security key authenticator data in aseertion"""
 
@@ -110,6 +117,13 @@ def __init__(self, client_data, auth_data, signature):
         self.signature = signature
 
 
+class _AuthenticationResponse:
+    """Security key authentication response"""
+
+    def __init__(self, response):
+        self.response = response
+
+
 class _AssertionSelection:
     """Security key assertion response list"""
 
@@ -261,9 +275,9 @@ def get_assertions(self, application, message_hash, allow_creds, options):
 class WindowsClient(_CtapStub):
     """Stub for unit testing U2F security keys via Windows WebAuthn"""
 
-    def __init__(self, origin, verify):
-        self._origin = origin
-        self._verify = verify
+    def __init__(self, data_collector):
+        self._origin = data_collector._origin
+        self._verify = data_collector._verify
 
     def make_credential(self, options):
         """Make a credential using Windows WebAuthN API"""
@@ -275,8 +289,9 @@ def make_credential(self, options):
         public_key, key_handle = self._enroll(alg)
 
         cdata = _CredentialData(alg, public_key, key_handle)
+        attestation_object = _Credential(_CredentialAuthData(cdata))
 
-        return _AttestationResponse(_Credential(_CredentialAuthData(cdata)))
+        return _RegistrationResponse(_AttestationResponse(attestation_object))
 
     def get_assertion(self, options):
         """Get assertion using Windows WebAuthN API"""
@@ -297,7 +312,8 @@ def get_assertion(self, options):
                                          key_handle, flags)
 
         auth_data = _AuthenticatorData(flags, counter)
-        assertion = _AssertionResponse(data, auth_data, sig)
+        response = _AssertionResponse(data, auth_data, sig)
+        assertion = _AuthenticationResponse(response)
 
         return _AssertionSelection([assertion])