Fix nonce validation
The attestation certificate contains the nonce as raw bytes in the extension 1.2.840.113635.100.8.11.1
This commit is contained in:
Mariano Cano
parent
e02a190fa7
commit
2ab1e6658e
1 changed files with 5 additions and 7 deletions
|
|
@ -346,12 +346,10 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate nonce with SHA-256 of the token
|
// Validate nonce with SHA-256 of the token.
|
||||||
//
|
if len(data.Nonce) != 0 {
|
||||||
// TODO(mariano): validate this
|
|
||||||
if data.Nonce != "" {
|
|
||||||
sum := sha256.Sum256([]byte(ch.Token))
|
sum := sha256.Sum256([]byte(ch.Token))
|
||||||
if data.Nonce != hex.EncodeToString(sum[:]) {
|
if subtle.ConstantTimeCompare(data.Nonce, sum[:]) != 1 {
|
||||||
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "challenge token does not match"))
|
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "challenge token does not match"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -408,7 +406,7 @@ var (
|
||||||
)
|
)
|
||||||
|
|
||||||
type appleAttestationData struct {
|
type appleAttestationData struct {
|
||||||
Nonce string
|
Nonce []byte
|
||||||
SerialNumber string
|
SerialNumber string
|
||||||
UDID string
|
UDID string
|
||||||
SEPVersion string
|
SEPVersion string
|
||||||
|
|
@ -474,7 +472,7 @@ func doAppleAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *At
|
||||||
case ext.Id.Equal(oidAppleSecureEnclaveProcessorOSVersion):
|
case ext.Id.Equal(oidAppleSecureEnclaveProcessorOSVersion):
|
||||||
data.SEPVersion = string(ext.Value)
|
data.SEPVersion = string(ext.Value)
|
||||||
case ext.Id.Equal(oidAppleNonce):
|
case ext.Id.Equal(oidAppleNonce):
|
||||||
data.Nonce = string(ext.Value)
|
data.Nonce = ext.Value
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue