More type fixes

Yubico · Nov 20, 2024 · 023e880 · 023e880
1 parent 3c0612a
commit 023e880
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 18 deletions.
diff --git a/fido2/attestation/base.py b/fido2/attestation/base.py
@@ -108,18 +108,22 @@ def verify_x509_chain(chain: List[bytes]) -> None:
         pub = cert.public_key()
         try:
             if isinstance(pub, rsa.RSAPublicKey):
+                assert child.signature_hash_algorithm is not None  # nosec
                 pub.verify(
                     child.signature,
                     child.tbs_certificate_bytes,
                     padding.PKCS1v15(),
                     child.signature_hash_algorithm,
                 )
             elif isinstance(pub, ec.EllipticCurvePublicKey):
+                assert child.signature_hash_algorithm is not None  # nosec
                 pub.verify(
                     child.signature,
                     child.tbs_certificate_bytes,
                     ec.ECDSA(child.signature_hash_algorithm),
                 )
+            else:
+                raise ValueError("Unsupported signature key type")
         except _InvalidSignature:
             raise InvalidSignature()
 

diff --git a/fido2/attestation/tpm.py b/fido2/attestation/tpm.py
@@ -78,7 +78,7 @@ class TpmAlgHash(IntEnum):
     SHA384 = 0x000C
     SHA512 = 0x000D
 
-    def _hash_alg(self) -> hashes.Hash:
+    def _hash_alg(self) -> hashes.HashAlgorithm:
         if self == TpmAlgHash.SHA1:
             return hashes.SHA1()  # nosec
         elif self == TpmAlgHash.SHA256:
@@ -88,7 +88,7 @@ def _hash_alg(self) -> hashes.Hash:
         elif self == TpmAlgHash.SHA512:
             return hashes.SHA512()
 
-        return NotImplementedError(f"_hash_alg is not implemented for {self!r}")
+        raise NotImplementedError(f"_hash_alg is not implemented for {self!r}")
 
 
 @dataclass

diff --git a/fido2/cose.py b/fido2/cose.py
@@ -30,8 +30,8 @@
 from .utils import bytes2int, int2bytes
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import ec, rsa, padding, ed25519
-from typing import Sequence, Type, Mapping, Any, Union, TypeVar
+from cryptography.hazmat.primitives.asymmetric import ec, rsa, padding, ed25519, types
+from typing import Sequence, Type, Mapping, Any, TypeVar
 
 
 class CoseKey(dict):
@@ -53,8 +53,7 @@ def verify(self, message: bytes, signature: bytes) -> None:
 
     @classmethod
     def from_cryptography_key(
-        cls: Type[T_CoseKey],
-        public_key: Union[rsa.RSAPublicKey, ec.EllipticCurvePublicKey],
+        cls: Type[T_CoseKey], public_key: types.PublicKeyTypes
     ) -> T_CoseKey:
         """Converts a PublicKey object from Cryptography into a COSE key.
 
@@ -132,6 +131,7 @@ def verify(self, message, signature):
 
     @classmethod
     def from_cryptography_key(cls, public_key):
+        assert isinstance(public_key, ec.EllipticCurvePublicKey)  # nosec
         pn = public_key.public_numbers()
         return cls(
             {
@@ -168,6 +168,7 @@ def verify(self, message, signature):
 
     @classmethod
     def from_cryptography_key(cls, public_key):
+        assert isinstance(public_key, ec.EllipticCurvePublicKey)  # nosec
         pn = public_key.public_numbers()
         return cls(
             {
@@ -195,6 +196,7 @@ def verify(self, message, signature):
 
     @classmethod
     def from_cryptography_key(cls, public_key):
+        assert isinstance(public_key, ec.EllipticCurvePublicKey)  # nosec
         pn = public_key.public_numbers()
         return cls(
             {
@@ -218,6 +220,7 @@ def verify(self, message, signature):
 
     @classmethod
     def from_cryptography_key(cls, public_key):
+        assert isinstance(public_key, rsa.RSAPublicKey)  # nosec
         pn = public_key.public_numbers()
         return cls({1: 3, 3: cls.ALGORITHM, -1: int2bytes(pn.n), -2: int2bytes(pn.e)})
 
@@ -240,6 +243,7 @@ def verify(self, message, signature):
 
     @classmethod
     def from_cryptography_key(cls, public_key):
+        assert isinstance(public_key, rsa.RSAPublicKey)  # nosec
         pn = public_key.public_numbers()
         return cls({1: 3, 3: cls.ALGORITHM, -1: int2bytes(pn.n), -2: int2bytes(pn.e)})
 
@@ -254,6 +258,7 @@ def verify(self, message, signature):
 
     @classmethod
     def from_cryptography_key(cls, public_key):
+        assert isinstance(public_key, ed25519.Ed25519PublicKey)  # nosec
         return cls(
             {
                 1: 1,
@@ -277,6 +282,7 @@ def verify(self, message, signature):
 
     @classmethod
     def from_cryptography_key(cls, public_key):
+        assert isinstance(public_key, rsa.RSAPublicKey)  # nosec
         pn = public_key.public_numbers()
         return cls({1: 3, 3: cls.ALGORITHM, -1: int2bytes(pn.n), -2: int2bytes(pn.e)})
 
@@ -296,6 +302,7 @@ def verify(self, message, signature):
 
     @classmethod
     def from_cryptography_key(cls, public_key):
+        assert isinstance(public_key, ec.EllipticCurvePublicKey)  # nosec
         pn = public_key.public_numbers()
         return cls(
             {

diff --git a/fido2/ctap1.py b/fido2/ctap1.py
@@ -80,7 +80,7 @@ class RegistrationData(bytes):
     certificate: bytes
     signature: bytes
 
-    def __init__(self, _):
+    def __init__(self, _: bytes):
         super().__init__()
 
         reader = ByteBuffer(self)
@@ -145,7 +145,7 @@ class SignatureData(bytes):
     counter: int
     signature: bytes
 
-    def __init__(self, _):
+    def __init__(self, _: bytes):
         super().__init__()
 
         reader = ByteBuffer(self)

diff --git a/fido2/features.py b/fido2/features.py
@@ -82,6 +82,7 @@ def warn(self) -> None:
             )
 
 
+# TODO 2.0: Remove this feature
 webauthn_json_mapping = _Feature(
     "webauthn_json_mapping",
     """JSON values for WebAuthn data class Mapping interface.

diff --git a/fido2/mds3.py b/fido2/mds3.py
@@ -409,20 +409,21 @@ def find_entry_by_chain(
                 return self._ski_table[ski]
         return None
 
-    def ca_lookup(self, result, auth_data):
+    def ca_lookup(self, attestation_result, auth_data):
+        assert auth_data.credential_data is not None  # nosec
         aaguid = auth_data.credential_data.aaguid
         if aaguid:
             logging.debug(f"Using AAGUID: {aaguid} to look up metadata")
             entry = self.find_entry_by_aaguid(aaguid)
         else:
             logging.debug("Using trust_path chain to look up metadata")
-            entry = self.find_entry_by_chain(result.trust_path)
+            entry = self.find_entry_by_chain(attestation_result.trust_path)
 
         if entry:
             logging.debug(f"Found entry: {entry}")
 
             # Check attestation filter
-            if not self._attestation_filter(entry, result.trust_path):
+            if not self._attestation_filter(entry, attestation_result.trust_path):
                 logging.debug("Matched entry did not pass attestation filter")
                 return None
 
@@ -434,7 +435,7 @@ def ca_lookup(self, result, auth_data):
                 return None
 
             issuer = x509.load_der_x509_certificate(
-                result.trust_path[-1], default_backend()
+                attestation_result.trust_path[-1], default_backend()
             ).issuer
 
             for root in entry.metadata_statement.attestation_root_certificates:
@@ -444,7 +445,7 @@ def ca_lookup(self, result, auth_data):
                 if subject == issuer:
                     _last_entry.set(entry)
                     return root
-            logger.info(f"No attestation root matching subject: {subject}")
+            logger.info(f"No attestation root matching subject: {issuer}")
         return None
 
     def find_entry(

diff --git a/fido2/utils.py b/fido2/utils.py
@@ -235,25 +235,30 @@ def _parse_value(cls, t, value):
 
         # Handle list of values
         if issubclass(getattr(t, "__origin__", object), Sequence):
-            t = t.__args__[0]
+            t = getattr(t, "__args__")[0]
             return [cls._parse_value(t, v) for v in value]
 
         # Handle Mappings
         elif issubclass(getattr(t, "__origin__", object), Mapping) and isinstance(
             value, Mapping
         ):
-            t_k, t_v = t.__args__
+            t_k, t_v = getattr(t, "__args__")
             return {
                 cls._parse_value(t_k, k): cls._parse_value(t_v, v)
                 for k, v in value.items()
             }
 
         # Check if type has from_dict
-        if hasattr(t, "from_dict"):
-            return t.from_dict(value)
+        from_dict = getattr(t, "from_dict", None)
+        if from_dict:
+            return from_dict(value)
 
         # Convert to enum values, other wrappers
-        return t(value)
+        wrap = getattr(t, "__call__", None)
+        if wrap:
+            return wrap(value)
+
+        raise ValueError(f"Unparseable value of type {type(value)} for {t}")
 
     @overload
     @classmethod