Class: Devicecheck::Attestation

Inherits:
Object
Defined in:
lib/devicecheck/attestation.rb

Constant Summary

AAGUID_DEVELOPMENT = 'appattestdevelop'

AAGUID for development environments

AAGUID_PRODUCTION = "appattest\0\0\0\0\0\0\0"

AAGUID for production environments

Instance Method Summary

Constructor Details

#initialize(app_id:, environment:) ⇒ Attestation

Initializes the attestation service with your App ID and the environment you are testing against.

Parameters:

  • app_id (String)

    your App ID

  • environment (Symbol)

    :production or :development



# File 'lib/devicecheck/attestation.rb', line 39

def initialize(app_id:, environment:)
  @app_id = app_id
  @environment = environment
  @sha256 = OpenSSL::Digest.new('SHA256')
end

Instance Method Details

#attest(key_id:, attestation_object:, challenge:) ⇒ Array

Verifies the attestation generated by DCAppAttestService. All Base64 encoded strings should be sent in strict format (RFC 4648).

Parameters:

  • key_id (String)

    Base64-encoded public key ID

  • attestation_object (String)

    Base64-encoded attestation object generated by the attestKey method of DCAppAttestService

  • challenge (String)

    challenge originally provided by the server

Returns:

  • (Array)

    An array containing:

    • the verified public key in DER format
    • the receipt from the attestation statement, which can be used later to request a fraud assessment metric from Apple.

    If the key cannot be verified, a runtime error will be raised containing details about the failed check.



# File 'lib/devicecheck/attestation.rb', line 61

def attest(key_id:, attestation_object:, challenge:)
  decoded_attestation_object = CBOR.decode(Base64.strict_decode64(attestation_object))

  att_stmt = decoded_attestation_object['attStmt']
  auth_data = decoded_attestation_object['authData']

  cred_cert = validate_certificates! att_stmt

  validate_challenge! challenge, auth_data, cred_cert
  validate_key_id! key_id, cred_cert
  validate_auth_data! key_id, auth_data

  [cred_cert.public_key.to_der, att_stmt['receipt']]
end
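
The page does not show what validate_auth_data! checks. The following added example (not the gem's own code) shows the authenticator-data checks from Apple's published App Attest validation steps, using the two AAGUID constants listed above. The helper names, the sample App ID and the sample key ID are hypothetical, and the byte layout is the WebAuthn authenticator-data layout, assumed here.

```ruby
require 'openssl'
require 'base64'

# AAGUID values copied from the constant summary on this page.
AAGUIDS = {
  development: 'appattestdevelop',
  production: "appattest\0\0\0\0\0\0\0"
}.freeze

# Hypothetical helper, not part of the gem. Returns the list of failed
# checks (empty when authData is acceptable). Assumed layout (WebAuthn):
# rpIdHash(32) | flags(1) | signCount(4, BE) | aaguid(16) | credIdLen(2, BE) | credId
def auth_data_failures(auth_data, app_id:, environment:, key_id:)
  data = auth_data.b
  return [:truncated] if data.bytesize < 55

  cred_len = data.byteslice(53, 2).unpack1('n')
  failures = []
  # RP ID hash must be SHA-256 of the App ID.
  failures << :app_id     unless data.byteslice(0, 32) == OpenSSL::Digest::SHA256.digest(app_id)
  # A fresh attestation carries a zero counter.
  failures << :sign_count unless data.byteslice(33, 4).unpack1('N').zero?
  # The AAGUID must match the environment the verifier was configured for.
  failures << :aaguid     unless data.byteslice(37, 16) == AAGUIDS.fetch(environment).b
  # The credential ID must equal the key identifier the client sent.
  failures << :key_id     unless data.byteslice(55, cred_len) == Base64.strict_decode64(key_id)
  failures
end

# Constructed sample input: builds authData bytes for a made-up app and key.
def build_sample_auth_data(app_id:, aaguid:, cred_id:, sign_count: 0)
  OpenSSL::Digest::SHA256.digest(app_id) + [0x40].pack('C') +
    [sign_count].pack('N') + aaguid.b + [cred_id.bytesize].pack('n') + cred_id
end

if $PROGRAM_NAME == __FILE__
  app_id  = 'TEAMID1234.com.example.app'                       # constructed value
  cred_id = OpenSSL::Digest::SHA256.digest('demo-public-key')  # constructed key ID
  key_id  = Base64.strict_encode64(cred_id)
  dev = build_sample_auth_data(app_id: app_id, aaguid: AAGUIDS[:development], cred_id: cred_id)

  p auth_data_failures(dev, app_id: app_id, environment: :development, key_id: key_id)
  # A development attestation presented to a production verifier is rejected.
  p auth_data_failures(dev, app_id: app_id, environment: :production, key_id: key_id)
end
```

Keeping the environment check strict matters because development attestations come from debug builds; a production server that accepts both AAGUIDs loses that distinction.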