Class: IosAppAttest::Validators::AppIdentityValidator

Inherits:
BaseValidator
  • Object
Defined in:
lib/ios_app_attest/validators/app_identity_validator.rb

Overview

Validates app identity using authentication data

This validator is responsible for verifying the application identity by checking the authentication data from the attestation object. It validates the relying party ID hash, sign count, AAGUID, and credential ID.

Examples:

validator = IosAppAttest::Validators::AppIdentityValidator.new(config)
validator.validate(auth_data, key_id)

Instance Attribute Summary

Attributes inherited from BaseValidator

#config, #logger

Instance Method Summary

Methods inherited from BaseValidator

#initialize

Constructor Details

This class inherits a constructor from IosAppAttest::Validators::BaseValidator

Instance Method Details

#validate(auth_data, key_id) ⇒ Object

Verify app identity using authentication data

This method performs the following validations:

  1. Unpacks the authentication data to extract required components

  2. Verifies the relying party ID hash matches the configured app ID

  3. Ensures the sign count is zero (required for initial attestation)

  4. Validates the AAGUID matches the expected Apple App Attest value

  5. Verifies the credential ID matches the provided key ID

Parameters:

  • auth_data (String)

    The authentication data from the attestation object

  • key_id (String)

    The key ID from attestation parameters

Raises:



# File 'lib/ios_app_attest/validators/app_identity_validator.rb', line 27

def validate(auth_data, key_id)
  rp_id_hash, sign_count, aaguid, credential_id = unpack_auth_data(auth_data)
  
  # Verify relying party ID hash
  unless rp_id_hash == sha256.digest(app_id)
    raise IosAppAttest::AppIdentityError, 'App ID verification failed'
  end
  
  # Verify sign count is zero (first attestation)
  unless sign_count.zero?
    raise IosAppAttest::AppIdentityError, 'Sign counter must be zero for initial attestation'
  end
  
  # Verify AAGUID
  unless validate_aaguid(aaguid)
    raise IosAppAttest::AppIdentityError, 'Invalid AAGUID for App Attestation'
  end
  
  # Verify credential ID matches key ID
  unless key_id == Base64.strict_encode64(credential_id)
    raise IosAppAttest::AppIdentityError, 'Credential ID does not match key ID'
  end
end
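
The page does not show `unpack_auth_data` or `validate_aaguid`, so the following added example (not the gem's own code) sketches the five steps listed above end to end. It assumes the WebAuthn authenticator data byte layout and the two AAGUID values Apple documents for App Attest (development and production); `AuthData`, `parse_auth_data`, `identity_failures`, `build_sample` and the sample app ID are hypothetical names and constructed values.

```ruby
require 'digest'
require 'base64'

# Hypothetical container for this sketch; not part of the gem's API.
AuthData = Struct.new(:rp_id_hash, :flags, :sign_count, :aaguid, :credential_id)

# AAGUIDs Apple documents for App Attest: development, then production
# ("appattest" padded with seven zero bytes to 16 bytes).
APP_ATTEST_AAGUIDS = ['appattestdevelop'.b, ('appattest' + "\x00" * 7).b].freeze
FIXED_LEN = 32 + 1 + 4 + 16 + 2 # bytes before the variable-length credential ID

# Assumed layout (WebAuthn authenticator data):
#   rpIdHash(32) | flags(1) | signCount(4, BE) | aaguid(16) | credIdLen(2, BE) | credentialId
def parse_auth_data(bytes)
  bytes = bytes.b
  raise ArgumentError, 'authenticator data too short' if bytes.bytesize < FIXED_LEN
  rp_id_hash, flags, sign_count, aaguid, cred_len = bytes.unpack('a32 C N a16 n')
  # Reject a declared length that runs past the buffer instead of reading short.
  raise ArgumentError, 'credential ID truncated' if bytes.bytesize < FIXED_LEN + cred_len
  AuthData.new(rp_id_hash, flags, sign_count, aaguid, bytes.byteslice(FIXED_LEN, cred_len))
end

# Returns the list of failed checks (empty when the identity is accepted).
# app_id is "<team id>.<bundle id>"; key_id is the Base64 key identifier.
def identity_failures(auth_data, key_id, app_id)
  ad = parse_auth_data(auth_data)
  failures = []
  failures << :rp_id_hash unless ad.rp_id_hash == Digest::SHA256.digest(app_id)
  failures << :sign_count unless ad.sign_count.zero?
  failures << :aaguid unless APP_ATTEST_AAGUIDS.include?(ad.aaguid)
  failures << :credential_id unless key_id == Base64.strict_encode64(ad.credential_id)
  failures
end

# Constructed sample input: builds authenticator data for a made-up app and key.
def build_sample(app_id:, sign_count: 0, aaguid: 'appattestdevelop',
                 cred_id: Digest::SHA256.digest('constructed-public-key'))
  Digest::SHA256.digest(app_id) + [0x40, sign_count].pack('C N') +
    aaguid.b + [cred_id.bytesize].pack('n') + cred_id
end

if __FILE__ == $PROGRAM_NAME
  app = 'ABCDE12345.com.example.demo' # constructed app ID
  kid = Base64.strict_encode64(Digest::SHA256.digest('constructed-public-key'))
  p identity_failures(build_sample(app_id: app), kid, app)
  p identity_failures(build_sample(app_id: app, sign_count: 3), kid, app)
end
```

Collecting failures instead of raising on the first one is a choice made for this sketch so every check is visible in one run; the gem's `validate` raises `IosAppAttest::AppIdentityError` at the first mismatch.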