feat: Apple App Attestation proof-of-concept. #385
Conversation
This is not production ready, and not tested in a real end-to-end scenario. Pending items: 1. check how to pass the key id to the class within the gem architecture 2. check assertion
|
I'm not familiar with Apple App Attest, it sounds familiar in purpose to Android Key Attestation? Historically the preference has been to keep code supporting various attestation formats mostly outside of this gem, especially if they can be used in stand-alone context. It seems Apple App Attest uses the WebAuthn format but can be used in non-FIDO cases as well. If that's correct, poking around in https://github.com/cedarcode/webauthn-ruby/tree/master/lib/webauthn/attestation_statement and the related gems these files use can provide clues. |
|
Thanks for the feedback -- indeed it is Apple's way of asserting that a particular app was not tampered with. I think going the standalone route also makes sense and will resolve some of the impedance mismatch that we're facing during this POC phase. I did notice that other webauthn libraries have implemented support for this format (sometimes with reservations like yours), so that added to the confusion. Examples: fido2-net-lib, webauthn4j. |
We're looking into using this gem with Apple App attestation support, so I implemented the
app-appattestformat. This is just a proof-of-concept code, we haven't tested it end-to-end, only manually.The format and its validations are described here.
I would love to hear your feedback on this and also your opinion on two aspects that I had to deal with:
However there is no way to distinguish between development and production environment -- I added a new configuration to the
RelyingPartyclass for that.At this point in the class we have no access to the key identifier, so I have no idea how to support it -- any ideas?
Let me know your thoughts, thanks!