veehaitch / devicecheck-appattest

Server-side library to validate the authenticity of Apple App Attest artifacts, written in Kotlin.
Apache License 2.0
66 stars 8 forks source link

Implementation of `AssertionChallengeValidator` #32

Closed mnelsonwhite closed 1 year ago

mnelsonwhite commented 1 year ago

Hi

Do you have any insight into how AssertionChallengeValidator should be implemented. The Apple docs does not got into any useful detail here.

Roket132 commented 1 year ago

Hi

I'm not the author, but I think it should be simple validation that challenge from request data equals to challenge which has been created before. We shouldn't use any field like assertion, ecPublicKey etc. for implement it. And we can just use a lambda expression to get serverChallenge from request. But as we can see in "Assert your app’s validity as necessary" challenge is present inside cleintData so it could be helpful.

I hope that the author will correct me if I was wrong.

JesusMcCloud commented 1 year ago

A simple implementation doing a contentEquals between challenge and expected challenge can be found here.

veehaitch commented 1 year ago

A simple implementation doing a contentEquals between challenge and expected challenge can be found here.

Consider comparing in constant time to mitigate side channels (e.g., use constantTimeAreEqual from Bouncy Castle).

I hope, the comments here did give you some advice, @mnelsonwhite.