Fix nonce validation
The attestation certificate contains the nonce as raw bytes in the extension 1.2.840.113635.100.8.11.1
This commit is contained in:
parent
e02a190fa7
commit
2ab1e6658e
1 changed files with 5 additions and 7 deletions
@ -346,12 +346,10 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
return err
}
// Validate nonce with SHA-256 of the token
//
// TODO(mariano): validate this
if data.Nonce != "" {
// Validate nonce with SHA-256 of the token.
if len(data.Nonce) != 0 {
sum := sha256.Sum256([]byte(ch.Token))
if data.Nonce != hex.EncodeToString(sum[:]) {
if subtle.ConstantTimeCompare(data.Nonce, sum[:]) != 1 {
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "challenge token does not match"))
}
}
@ -408,7 +406,7 @@ var (
)
type appleAttestationData struct {
Nonce string
Nonce []byte
SerialNumber string
UDID string
SEPVersion string
@ -474,7 +472,7 @@ func doAppleAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *At
case ext.Id.Equal(oidAppleSecureEnclaveProcessorOSVersion):
data.SEPVersion = string(ext.Value)
case ext.Id.Equal(oidAppleNonce):
data.Nonce = string(ext.Value)
data.Nonce = ext.Value
}
}
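Review bot: The nonce check in the first hunk is still skipped entirely when the certificate carries no nonce extension, because `if len(data.Nonce) != 0 {` only compares when a value is present; the new code fixes the encoding mismatch between the raw extension bytes and the hex string, but in the absent-extension case the challenge token remains unbound to the attestation, which is what the removed TODO pointed at. If the extension is expected to always be present for this attestation format, reject its absence ahead of the comparison, e.g. `if len(data.Nonce) == 0 { return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "attestation nonce is missing")) }`; if it is legitimately optional, say so in the comment so the guard is not read as a bug by the next maintainer. `subtle.ConstantTimeCompare` returns 0 when the two lengths differ, so a nonce that is not exactly the 32-byte digest is already rejected without an extra length check. deviceAttest01Validate starts and ends outside the hunk, so I could not confirm whether an earlier step already requires the extension.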