Closed mnelsonwhite closed 1 year ago
Hi
I'm not the author, but I think it should be a simple validation that the challenge from the request data equals the challenge which was created before. We shouldn't use any field like assertion, ecPublicKey etc. to implement it. And we can just use a lambda expression to get the serverChallenge from the request. But as we can see in "Assert your app's validity as necessary", the challenge is present inside clientData, so it could be helpful.
I hope that the author will correct me if I am wrong.
A simple implementation doing a contentEquals between challenge and expected challenge can be found here.
Consider comparing in constant time to mitigate side channels (e.g., use constantTimeAreEqual from Bouncy Castle).
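A sketch of the validator the replies above describe, added here as an example (not code from the issue participants or from the library): the challenge issued earlier is looked up, compared in constant time to the one echoed back in the request, and consumed so it cannot be replayed. The ChallengeStore class, its session-id key, the 32-byte challenge size and the TTL are assumptions.

```kotlin
import java.security.SecureRandom
import java.util.concurrent.ConcurrentHashMap

// Constant-time comparison: the running time depends only on the array length,
// never on the position of the first differing byte. Bouncy Castle's
// org.bouncycastle.util.Arrays.constantTimeAreEqual does the same job.
fun constantTimeEquals(a: ByteArray, b: ByteArray): Boolean {
    if (a.size != b.size) return false
    var diff = 0
    for (i in a.indices) diff = diff or (a[i].toInt() xor b[i].toInt())
    return diff == 0
}

// Hypothetical server-side store of issued challenges, keyed by a session id
// (an assumption; key by whatever identifies the client in your app).
class ChallengeStore(private val ttlMillis: Long = 60_000L) {
    private val rng = SecureRandom()
    private val pending = ConcurrentHashMap<String, Pair<ByteArray, Long>>()

    // Issue a fresh 32-byte random challenge and remember it until it expires.
    fun issue(sessionId: String): ByteArray {
        val challenge = ByteArray(32).also { rng.nextBytes(it) }
        pending[sessionId] = challenge to (System.currentTimeMillis() + ttlMillis)
        return challenge
    }

    // What the validator needs to do: fetch the expected challenge, compare it in
    // constant time with the one from the request, and consume it (single use).
    fun validateAndConsume(sessionId: String, fromRequest: ByteArray): Boolean {
        val (expected, expiry) = pending.remove(sessionId) ?: return false
        if (System.currentTimeMillis() > expiry) return false
        return constantTimeEquals(expected, fromRequest)
    }
}

fun main() {
    val store = ChallengeStore()
    val c1 = store.issue("session-1")
    check(store.validateAndConsume("session-1", c1))      // first use passes
    check(!store.validateAndConsume("session-1", c1))     // replay is rejected
    val c2 = store.issue("session-2")
    val tampered = c2.copyOf().also { it[0] = (it[0].toInt() xor 1).toByte() }
    check(!store.validateAndConsume("session-2", tampered)) // one flipped bit fails
    check(!store.validateAndConsume("session-2", c2))     // and the challenge is gone
    println("challenge validation checks passed")
}
```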
I hope, the comments here did give you some advice, @mnelsonwhite.
Hi
Do you have any insight into how AssertionChallengeValidator should be implemented? The Apple docs do not go into any useful detail here.