veehaitch/devicecheck-appattest

Implementation of `AssertionChallengeValidator`

Closed this issue · 3 comments

Hi

Do you have any insight into how `AssertionChallengeValidator` should be implemented? The Apple docs do not go into any useful detail here.

Hi

I'm not the author, but I think it should be a simple validation that the challenge from the request data equals the challenge which was created before. We shouldn't use any field like assertion, ecPublicKey etc. to implement it. And we can just use a lambda expression to get serverChallenge from the request.
But as we can see in "Assert your app's validity as necessary", the challenge is present inside clientData, so it could be helpful.

I hope that the author will correct me if I was wrong.

A simple implementation doing a contentEquals between challenge and expected challenge can be found here.


Consider comparing in constant time to mitigate side channels (e.g., use constantTimeAreEqual from Bouncy Castle).

I hope the comments here gave you some advice, @mnelsonwhite.
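To make the advice in the thread concrete, here is an added example (not code from the library or from anyone in this thread) of the check one would wire into `AssertionChallengeValidator`: pull the challenge the app embedded in the signed clientData, compare it in constant time with the challenge the server issued, and then consume that challenge so the assertion cannot be replayed. Everything about the clientData layout is an assumption: it supposes the app signs a JSON request body with a base64 `"challenge"` member, which is an app-side design choice the library does not dictate. `ChallengeStore`, `challengeFromClientData` and `validateAssertionChallenge` are hypothetical names introduced here; only the JDK is required, and `MessageDigest.isEqual` is used as the constant-time comparison (Bouncy Castle's `Arrays.constantTimeAreEqual`, mentioned above, is an equivalent choice).

```kotlin
import java.security.MessageDigest
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

// Assumed clientData layout (an app-defined choice, not something the library dictates):
// the app signs a JSON request body that carries the server challenge as base64 in a
// top-level "challenge" member. The regex is deliberately narrow; use a real JSON parser
// in production.
private val CHALLENGE_FIELD = Regex("\"challenge\"\\s*:\\s*\"([A-Za-z0-9+/=]+)\"")

/** Extract the challenge the app claims it responded to, or null if absent or undecodable. */
fun challengeFromClientData(clientData: ByteArray): ByteArray? {
    val json = String(clientData, Charsets.UTF_8)
    val encoded = CHALLENGE_FIELD.find(json)?.groupValues?.get(1) ?: return null
    return runCatching { Base64.getDecoder().decode(encoded) }.getOrNull()
}

/**
 * Hypothetical one-time challenge store. Each issued challenge can be consumed exactly
 * once and only within [ttlMillis]; this is what makes a captured assertion unreplayable.
 * The clock is injectable so the expiry rule can be tested deterministically.
 */
class ChallengeStore(
    private val ttlMillis: Long = 60_000L,
    private val clock: () -> Long = System::currentTimeMillis,
) {
    private val issued = ConcurrentHashMap<String, Long>()

    private fun key(challenge: ByteArray): String = Base64.getEncoder().encodeToString(challenge)

    fun issue(challenge: ByteArray) {
        issued[key(challenge)] = clock()
    }

    /** remove() then check: consumption is atomic, so a second caller with the same bytes fails. */
    fun consume(challenge: ByteArray): Boolean {
        val issuedAt = issued.remove(key(challenge)) ?: return false
        return clock() - issuedAt <= ttlMillis
    }
}

/**
 * The check to place behind AssertionChallengeValidator: the challenge embedded in the
 * signed clientData must equal the challenge the server handed out for this request.
 * MessageDigest.isEqual compares in constant time for equal-length inputs (a length
 * mismatch is still rejected immediately, which leaks nothing useful here since the
 * challenge length is public).
 */
fun validateAssertionChallenge(
    clientData: ByteArray,
    expectedChallenge: ByteArray,
    store: ChallengeStore,
): Boolean {
    val presented = challengeFromClientData(clientData) ?: return false
    if (!MessageDigest.isEqual(presented, expectedChallenge)) return false
    // Burn the challenge only after the bytes match, so a request carrying the wrong
    // value does not invalidate the legitimate client's still-pending challenge.
    return store.consume(expectedChallenge)
}

fun main() {
    val store = ChallengeStore()
    // Constructed sample challenge; in production generate it with SecureRandom.
    val challenge = ByteArray(32) { it.toByte() }
    store.issue(challenge)

    val clientData = """{"challenge":"${Base64.getEncoder().encodeToString(challenge)}","action":"transfer"}"""
        .toByteArray(Charsets.UTF_8)
    println("first use:  " + validateAssertionChallenge(clientData, challenge, store))
    println("replay:     " + validateAssertionChallenge(clientData, challenge, store))

    val tampered = """{"challenge":"${Base64.getEncoder().encodeToString(ByteArray(32))}","action":"transfer"}"""
        .toByteArray(Charsets.UTF_8)
    store.issue(challenge)
    println("wrong bytes:" + validateAssertionChallenge(tampered, challenge, store))
}
```

In `main`, the first call succeeds, the second fails because the store has already consumed the challenge, and the third fails on the comparison before the store is touched. When wiring this into the library, the `challenge` argument the validator receives is the one the caller passes in for the request, so the caller is responsible for looking up the correct pending challenge (for example by session or key identifier) before invoking the assertion validator.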