diff options
| author | Matthew Miller <matthew@millerti.me> | 2020-10-07 11:06:37 -0700 |
|---|---|---|
| committer | Matthew Miller <matthew@millerti.me> | 2020-10-07 11:06:37 -0700 |
| commit | d263d4f9274fe32eba586f30f3c52c7ba3469a99 (patch) | |
| tree | 2f674710d33720e8bd6f2dcddebd8804c276a862 | |
| parent | 9f3fc61ae5a2a6b1647d1ba22ac7b6df14a83791 (diff) | |
Brute force nonce extraction from cert extension
| -rw-r--r-- | packages/server/src/attestation/verifications/verifyApple.ts | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/packages/server/src/attestation/verifications/verifyApple.ts b/packages/server/src/attestation/verifications/verifyApple.ts index 905ad96..1516741 100644 --- a/packages/server/src/attestation/verifications/verifyApple.ts +++ b/packages/server/src/attestation/verifications/verifyApple.ts @@ -52,7 +52,14 @@ export default async function verifyApple(options: Options): Promise<boolean> { const nonceToHash = Buffer.concat([authData, clientDataHash]); const nonce = toHash(nonceToHash, 'SHA256'); - const extNonce = Buffer.from(extCertNonce.extnValue); + /** + * Ignore the first six ASN.1 structure bytes that define the nonce as an OCTET STRING. Should + * trim off <Buffer 30 24 a1 22 04 20> + * + * TODO: Try and get @peculiar (GitHub) to add a schema for "1.2.840.113635.100.8.2" when we + * find out where it's defined (doesn't seem to be publicly documented at the moment...) + */ + const extNonce = Buffer.from(extCertNonce.extnValue).slice(6); if (!nonce.equals(extNonce)) { console.log('nonce:', nonce.toString('hex')); |