As per https://github.com/veehaitch/devicecheck-appattest/blob/main/src/main/kotlin/ch/veehait/devicecheck/appattest/attestation/AttestationValidator.kt#L268, the error message indicates, that a misconfiguration of development or production stage is not an issue, when in fact mixing up the stages can trigger this exception.

I am getting this below error when i try to validate attestation locally .
Path does not chain with any of the trust anchors

Hi,

I want to use the library in a java backend code.
How can I differentiate the possible exceptions in attestation and assertion phase, since the exception classes are internal?
Is it possible to make exception classes visible outside?

Hi!

I do not fully grasp some of the intricacies of how the validateAsync function of AttestationValidatorImpl works with couroutines:

1 .What happens id any of lauched child coroutines take longer than the slowes the aysnc produces results? I'd assume that validateAsync returns successfully, not having completed all checks. Is that correct?
2. Any of the launched coroutines throwing an exception should cause the function as a whole to throw an exceptions, since launch is not used to create a root coroutine. Is that the reason for encapsulating the whole body in a coroutineScope?

Otherwise the code is easily comprehensible and a breeze to compare with Apple's documentation!

I really appreciate the creation and maintenance of this library! I am using it in a Java implementation but ran into an issue in AttestationValidator.kt verifyAuthenticatorData: the "AAGUID does match neither" exception is being thrown. I find that the values being compared are similar to: expected=12300456-4242-1234-1464-6571236c6f70 and actual=12300456-4242-1234-1400-000000000000 (not the real values).

Observe that the first 16-bytes of the two values are equivalent, as expected. But, the comparison is on the whole 36-bytes on this line: authenticatorData.attestedCredentialData.aaguid != appleAppAttestEnvironment.aaguid.

The comment on Extensions.kt ByteArray.toUUID() function agrees with the Apple documentation "Create a UUID from a [ByteArray] of a length no more than 16 bytes, padded with zeros, if necessary." So, the intention is clear. But, my implementation shows that the actual UUID is padded with zeroes but the expected AAGUID is not padded with zeroes, so the comparison fails.

I patched the library to compare only the first 16-bytes and that makes my attestations work! So, I am pleased about that.

But, do you think the root cause is because I am using the library from Java? What is the proper way to fix it?

Library is not available in public maven repo as of now.

Is there any plans to push lib to maven repo ?

Hi

Do you have any insight into how AssertionChallengeValidator should be implemented. The Apple docs does not got into any useful detail here.

        // 5. Verify that the receipt’s creation time, given in field 12, is no more than five minutes old.
        //    This helps to thwart replay attacks.
        if (notAfter.isAfter(receiptPayload.creationTime.value)) {
            throw ReceiptException.InvalidPayload("Receipt's creation time is after $notAfter")
        }

right message should be: "Receipt's creation time is before $notAfter"

(yeah, message still not very easy-understandable. best i have in mind - "Receipt's creation time is older than $maxAge")

Bouncy castle -jdk15on is not maintained anymore., instead -jdk18on should be used.

The issue here is, introducing any other BC variant into the classpath causes major breakage,
Exceptions like Could not initialize class org.bouncycastle.cms.CMSSignedData happen. Apparently some bouncy-castle-internal algorithm identifiers and/or SPI wirings have changed and BC tries to load algorithm combinations, which do not exist, like sphincs with sha2, for example.

An switch/update to bcpkix-jdk18on should fix everything.

Is there any documentation to integrate this on my server? Or some example of it?