Class: IosAppAttest::Verifier

Inherits:
Object
Defined in:
lib/ios_app_attest/verifier.rb

Overview

Verifies iOS App Attestation tokens

The Verifier class is responsible for validating iOS App Attestation tokens received from iOS clients. It performs a series of validation steps to ensure the attestation is genuine and comes from a valid Apple device.

Examples:

Basic usage

verifier = IosAppAttest::Verifier.new(attestation_params)
public_key, receipt = verifier.verify

With Redis for nonce validation

verifier = IosAppAttest::Verifier.new(
  attestation_params,
  redis_client: redis
)
public_key, receipt = verifier.verify


Constructor Details

#initialize(attestation_params, redis_client: nil, logger: nil) ⇒ Verifier

Initialize the verifier with attestation parameters

Parameters:

  • attestation_params (Hash)

    The attestation parameters from the client

  • redis_client (Object) (defaults to: nil)

    Redis client for nonce verification (optional)

  • logger (Object) (defaults to: nil)

    Logger instance (optional)



# File 'lib/ios_app_attest/verifier.rb', line 31

def initialize(attestation_params, redis_client: nil, logger: nil)
  @attestation_params = attestation_params
  @redis_client = redis_client
  @logger = logger
  initialize_validators
end

Instance Attribute Details

#attestation_params ⇒ Object (readonly)

Returns the value of attribute attestation_params.



# File 'lib/ios_app_attest/verifier.rb', line 25

def attestation_params
  @attestation_params
end

#logger ⇒ Object (readonly)

Returns the value of attribute logger.



# File 'lib/ios_app_attest/verifier.rb', line 25

def logger
  @logger
end

#redis_client ⇒ Object (readonly)

Returns the value of attribute redis_client.



# File 'lib/ios_app_attest/verifier.rb', line 25

def redis_client
  @redis_client
end

Instance Method Details

#verify ⇒ Array<String>

Verify the app attestation

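This method performs a complete verification of the iOS App Attestation token. It validates the attestation structure, certificate chain, challenge nonce, and app identity. As the source below shows, the stored-nonce check (validate_nonce) runs only when a Redis client was passed to the constructor; without one, that step is skipped. If all validations pass, it returns the public key and receipt.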

Returns:

  • (Array<String>)

    An array containing [public_key, receipt] if verification succeeds

Raises:



# File 'lib/ios_app_attest/verifier.rb', line 51

def verify
  begin
    # Step 1: Decode the attestation object
    attestation = decode_attestation
    
    # Step 2: Validate the challenge nonce if Redis client is provided
    if redis_client
      challenge_validator.validate_nonce(challenge_id, challenge_decrypted)
    end
    
    # Step 3: Validate the attestation structure and format
    attestation_validator.validate(attestation)
    
    # Step 4: Extract auth_data and receipt
    auth_data = attestation_validator.extract_auth_data(attestation)
    @receipt = attestation_validator.extract_receipt(attestation)
    
    # Step 5: Validate the certificate chain and get the credential certificate
    cred_cert = certificate_validator.validate(attestation)
    
    # Step 6: Validate the challenge
    challenge_validator.validate_challenge(cred_cert, challenge_decrypted, auth_data)
    
    # Step 7: Validate the key ID
    challenge_validator.validate_key_id(cred_cert, key_id)
    
    # Step 8: Validate the certificate sequence structure
    certificate_validator.validate_sequence(cred_cert)
    
    # Step 9: Verify the app identity
    app_identity_validator.validate(auth_data, key_id)
    
    # Step 10: Extract the public key
    @public_key = certificate_validator.extract_public_key(cred_cert)
  rescue IosAppAttest::Error => error
    # Re-raise IosAppAttest errors directly
    log_error("IosAppAttest verification failed: #{error}")
    raise error
  rescue StandardError => error
    # Wrap other errors in VerificationError
    log_error("IosAppAttest verification failed: #{error}")
    raise VerificationError, "Attestation verification failed: #{error.message}"
  end
  
  [public_key, receipt]
end
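
Step 9 of verify passes auth_data and key_id to the app identity validator. The following is an added example, not the gem's own code: it applies the authenticator-data checks from Apple's published App Attest validation procedure (App ID hash, zero counter, aaguid, credential ID equal to the key ID) to raw bytes. The helper names, the sample App ID and the assumption that key_id is already decoded to raw bytes are hypothetical.

```ruby
require "digest"

# Hypothetical helpers, not part of the ios_app_attest gem.
# Authenticator data layout (WebAuthn attested-credential form):
#   rpIdHash(32) | flags(1) | counter(4, big-endian) | aaguid(16) |
#   credIdLen(2, big-endian) | credentialId(credIdLen) | COSE key ...
AAGUID_DEVELOPMENT = "appattestdevelop".b
AAGUID_PRODUCTION  = ("appattest".b + "\x00".b * 7)

# Compare byte strings without an early exit on the first mismatch.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the list of failed checks; an empty list means all checks pass.
# app_id is "<TeamID>.<bundle id>"; key_id is assumed to be raw bytes.
def app_identity_failures(auth_data, app_id:, key_id:, production: true)
  auth_data = auth_data.b
  return [:truncated] if auth_data.bytesize < 55

  rp_id_hash = auth_data.byteslice(0, 32)
  counter    = auth_data.byteslice(33, 4).unpack1("N")
  aaguid     = auth_data.byteslice(37, 16)
  cred_len   = auth_data.byteslice(53, 2).unpack1("n")
  cred_id    = auth_data.byteslice(55, cred_len)
  return [:truncated] if cred_id.nil? || cred_id.bytesize != cred_len

  failures = []
  # The RP ID hash must be SHA-256 of the expected App ID.
  failures << :app_id  unless constant_time_eq?(rp_id_hash, Digest::SHA256.digest(app_id))
  # A fresh attestation carries a counter of zero.
  failures << :counter unless counter.zero?
  # The aaguid distinguishes the development and production environments.
  expected_aaguid = production ? AAGUID_PRODUCTION : AAGUID_DEVELOPMENT
  failures << :aaguid  unless constant_time_eq?(aaguid, expected_aaguid)
  # The credential ID must equal the key identifier the client sent.
  failures << :key_id  unless constant_time_eq?(cred_id, key_id.b)
  failures
end

# Builds constructed sample input (not real attestation data).
def sample_auth_data(app_id, key_id, counter: 0, aaguid: AAGUID_PRODUCTION)
  Digest::SHA256.digest(app_id) + "\x40".b + [counter].pack("N") +
    aaguid + [key_id.bytesize].pack("n") + key_id.b
end
```

Rejecting the development aaguid when production is true keeps attestations generated by development builds from being accepted by a production backend.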