fix: start adding back apple checks (bcgov#7)

Signed-off-by: Jason C. Leach <[email protected]>
fullboar · Nov 16, 2023 · d2220be · d2220be
1 parent d92da68
commit d2220be
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 8 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1 +1,5 @@
 *.mov
+*secret*
+*secrets*
+*key*
+__pycache__
diff --git a/.gitignore b/.gitignore
@@ -7,7 +7,15 @@ coverage
 .DS_Store
 logs.txt
 attestation.json
-.env
-__pycache__/
 expo-attestation
-oauth.json
+oauth.json
+__pycache__
+
+# Ignore all .env files and secrets
+.env
+*key*
+*secret*
+*secrets*
+
+# Ignore merge artifacts
+*.orig
diff --git a/src/apple.py b/src/apple.py
@@ -93,10 +93,12 @@ def verify_x5c_certificates(attestation_object):
 
         if intermediate_certificate_is_valid is None and credential_certificate_is_valid is None:
             print('The certificates are signed by the ROOT certificate.')
+            return True
 
     except InvalidSignature as e:
         print("The certificates are NOT signed by the ROOT certificate.")
         print(e)
+        return False
 
 
 def extract_attestation_object_extension(attestation_object, oid='1.2.840.113635.100.8.2'):
@@ -129,14 +131,29 @@ def create_hash_from_pub_key(cred_certificate):
     # Print the hash as a hexadecimal string
     return hash_hex
 
-def verify_attestation_statement(attestation_object):
+def verify_attestation_statement(attestation_object, nonce):
+    # decode the attestation object is expecting attestation_object
+    # to be JSON.
+
+    # print(f"object = {attestation_object}")
+    apple_attestation_object = decode_apple_attestation_object(attestation_object['attestation_object'])
+    if not apple_attestation_object:
+        return False
+
+    # 1. Verify that the x5c array contains the intermediate and leaf
+    # certificates for App Attest, starting from the credential certificate in the first
+    # data buffer in the array (credcert). Verify the validity of the certificates using
+    # Apple’s App Attest root certificate.
+
+    verify_x5c_status = verify_x5c_certificates(apple_attestation_object)
+    if not verify_x5c_status:
+        return False
+
     return True
 
 def main():
     load_dotenv()
 
-    server_side_nonce = '1234567890'
-
     with open("attestation.json", "r") as f:
         attestation_as_json = json.load(f)
 

diff --git a/src/controller.py b/src/controller.py
@@ -8,18 +8,26 @@
 
 app = Flask(__name__)
 
+nonce = secrets.token_hex(16)
+
 def handle_connection(connection_id):
     print("handle_connection")
 
+    # TODO(jl): This needs to be a global nonce so that iOS
+    # can verify the challenge response. Must be cached so it can
+    # be unique for each connection in the future.
+    global nonce
+
     connection = get_connection(connection_id)
+    print(f"fetched connection = {connection}")
     if connection['rfc23_state'] != 'completed':
         print("connection is not completed")
         return
 
     with open('../fixtures/request_attestation.json', 'r') as f:
         request_attestation = json.load(f)
 
-    request_attestation['nonce'] = secrets.token_hex(16)
+    request_attestation['nonce'] = nonce # secrets.token_hex(16)
     json_str = json.dumps(request_attestation)
     base64_str = base64.b64encode(json_str.encode('utf-8')).decode('utf-8')
 
@@ -53,10 +61,12 @@ def handle_request_issuance_action(connection_id, content):
 def handle_challenge_response(connection_id, content):
     print("handle_attestation_challenge")
 
+    global nonce
+
     platform = content.get('platform')
 
     if platform == 'apple':
-        is_valid_challenge = verify_attestation_statement(content)
+        is_valid_challenge = verify_attestation_statement(content, nonce)
         if is_valid_challenge:
             print("valid apple challenge")
             offer_attestation_credential(connection_id)