italia / eudi-wallet-it-docs

Italian EUDI Wallet Technical Specifications
Creative Commons Zero v1.0 Universal

Key Attestation on iOS #215

Closed: grausof closed this issue 5 months ago

grausof commented 6 months ago

The keys attested on iOS can be used to sign any payload (clientData) but the signature format is decided by Apple and it is not possible to choose the algorithm or how to compose the signature.

generateAssertion(_:clientDataHash:completionHandler:)

From their documentation the signature is given by the concatenation of a payload (clientData) and the authenticatorData which is a field generated during the attestation phase by the Apple SDK. This implies that a key certified on hardware cannot be used to sign a JWS as established by the relevant RFC.

Do you have any ideas on how to use this non-compliant signature field with JWS signature?

For example, given a payload of the type: "customPayload", the signature obtained from Apple is of the type:

{
   signature: <Buffer 30 45 02 20 ... >,
   authenticatorData: <Buffer 21 c9 9e 00 ... >
}

where the signature field is the signature of authenticatorData concatenated with the sha256 of the payload.

⚠️ Please note, this only applies to keys that require attestation from Apple. For the other keys, however, saved in secure hardware, the problem does not arise.
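Added example (not part of the original issue or of the project's code): a Node.js model of the mismatch described above, showing that the DER encoding can be converted to the R||S form JWS ES256 expects, but the signed bytes still differ from the JWS signing input. Assumptions: a software P-256 key stands in for the attested key, `assertionLike` is a hypothetical stand-in for `generateAssertion`, the signed layout follows the description in this issue, and `authenticatorData` is constructed placeholder bytes.

```javascript
const crypto = require("crypto");

const sha256 = (b) => crypto.createHash("sha256").update(b).digest();
const b64u = (s) => Buffer.from(s).toString("base64url");
// Signed bytes as described in the issue: authenticatorData || SHA-256(clientData).
const signedBytes = (authData, clientData) => Buffer.concat([authData, sha256(clientData)]);

// Hypothetical stand-in for generateAssertion: software key, DER-encoded ECDSA output.
function assertionLike(privateKey, clientData, authenticatorData) {
  const msg = signedBytes(authenticatorData, clientData);
  const signature = crypto.sign("sha256", msg, { key: privateKey, dsaEncoding: "der" });
  return { signature, authenticatorData };
}

// Convert DER SEQUENCE{INTEGER r, INTEGER s} to the fixed 64-byte R||S form used by JWS ES256.
function derToRaw(der) {
  if (der[0] !== 0x30 || der[1] !== der.length - 2) throw new Error("not a short-form DER SEQUENCE");
  const out = Buffer.alloc(64);
  let off = 2;
  for (let i = 0; i < 2; i++) {
    if (der[off] !== 0x02) throw new Error("expected INTEGER");
    const len = der[off + 1];
    let int = der.subarray(off + 2, off + 2 + len);
    while (int.length > 32 && int[0] === 0) int = int.subarray(1); // drop sign padding
    if (int.length > 32) throw new Error("integer too large for P-256");
    int.copy(out, 32 * (i + 1) - int.length); // right-align inside its 32-byte slot
    off += 2 + len;
  }
  if (off !== der.length) throw new Error("trailing bytes");
  return out;
}

// Verify an R||S signature over arbitrary bytes, as a JWS ES256 verifier would.
const verifyRaw = (publicKey, data, rawSig) =>
  crypto.verify("sha256", Buffer.from(data), { key: publicKey, dsaEncoding: "ieee-p1363" }, rawSig);

function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  // Constructed JWS signing input: BASE64URL(header) "." BASE64URL(payload).
  const signingInput = b64u('{"alg":"ES256"}') + "." + b64u('{"sub":"customPayload"}');
  const authenticatorData = Buffer.alloc(37, 0x21); // constructed placeholder bytes
  const a = assertionLike(privateKey, signingInput, authenticatorData);
  const raw = derToRaw(a.signature);
  return {
    rawLength: raw.length,
    jwsValid: verifyRaw(publicKey, signingInput, raw), // plain JWS verifier
    assertionValid: verifyRaw(publicKey, signedBytes(a.authenticatorData, signingInput), raw),
  };
}
```

A verifier accepts the signature only when it is also given `authenticatorData` and rebuilds the signed bytes itself, which a plain JWS verifier never does.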

peppelinux commented 5 months ago

Resolved by https://github.com/italia/eudi-wallet-it-docs/pull/233