Closed Ilushkanama closed 2 years ago
Hi @Ilushkanama 👋 !
Thank you for the report!
I think it makes sense to go for the easy fix right now, although I agree that we'll probably have to come up with something if the certificate keeps changing. In the meantime, I'll make sure that we monitor the certificate every week or so in case it changes again so we don't have to wait for another issue reporting it to update it.
Having said that, feel free to open the PR to fix this! If not I will try to do it as soon as possible.
Anyway, glad to hear that you are giving a try to the Apple Attest support!
Hey @santiagorodriguez96,
Certificate monitoring would be great, and thank you for not overcomplicating things.
Hey again @Ilushkanama, sorry for the late response!
I realized that the `ROOT_CERTIFICATE` from this gem is not really outdated, it's just a different certificate altogether. Here you can see a list with both of them: the one that we use on this gem, `Apple WebAuthn Root CA`, and the one that you suggested, `Apple_App_Attestation_Root_CA`.
Then I gave it a try to the Apple Attestation Format from the `v2.5` and it is working for me 🙂
I was testing on a Safari browser using the TouchID of my MacBook.
After that I changed `ROOT_CERTIFICATE` to be the one you were suggesting and the verification is failing for me with `AttestationStatementVerificationError`.
I couldn't find any information in the WebAuthn specification regarding which root certificate should be used to validate the certificate chain, but in the PR in which the `Apple Attestation Format` was added to the specification they were implying that the one we are using on this gem, `Apple WebAuthn Root CA`, is the correct one – take a look at this thread.
Would you be so kind as to give more detail about the error you are getting? Maybe something like the gem version, the security key that you are using or what you are doing in the Relying Party to indicate that you want to receive an attestation statement. That would be really helpful.
Thanks! 🙂
Closing due to inactivity. Feel free to reopen in case you want to follow up @Ilushkanama
Hello and thank you for this library, especially for the Apple App Attest support.
Seems like App Attest `ROOT_CERTIFICATE` is outdated — it differs from the certificate at Apple's website. This causes valid attest data to not pass the `trustworthy?` check.
The easiest way to fix it is to update the `ROOT_CERTIFICATE` value. I can create a PR with such an update, but it may not be the best solution in case Apple keeps updating certificates.
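The trust-anchor mismatch discussed in this thread, as an added example that is not code from the gem or from any participant: a certificate issued under one root verifies against that root and fails against a different one, and the SHA-256 fingerprint is the value a periodic monitor would compare. Both roots and the leaf are constructed stand-ins generated on the fly, not Apple's certificates, and the helper names `make_cert`, `fingerprint` and `verify_against` are hypothetical.

```ruby
require "openssl"

# Build an X.509 certificate. With no issuer given it is self-signed (a root).
def make_cert(cn, key, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  ca = issuer ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", ca, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# SHA-256 fingerprint of the DER encoding: the value to pin or to monitor.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Verify `leaf` with `root` as the only trust anchor. Returns [ok, reason].
def verify_against(leaf, root)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Constructed stand-ins for two unrelated roots (assumption: not Apple's).
KEY_A = OpenSSL::PKey::RSA.new(2048)
KEY_B = OpenSSL::PKey::RSA.new(2048)
ROOT_A = make_cert("Constructed Root A", KEY_A)
ROOT_B = make_cert("Constructed Root B", KEY_B)
# Leaf issued under Root A, standing in for an attestation certificate.
LEAF = make_cert("Constructed attestation leaf", OpenSSL::PKey::RSA.new(2048),
                 issuer: ROOT_A, issuer_key: KEY_A)

puts "Root A: #{fingerprint(ROOT_A)}"
puts "Root B: #{fingerprint(ROOT_B)}"
puts "leaf vs Root A: #{verify_against(LEAF, ROOT_A).inspect}"
puts "leaf vs Root B: #{verify_against(LEAF, ROOT_B).inspect}"
```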