Documentation
Overview ¶
Package ios provides iOS App Attest verification.
This package implements Apple's App Attest verification flow for both attestation (initial key registration) and assertion (ongoing request signing).
See: https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity
Index ¶
- Variables
- type AssertionRequest
- type AssertionResult
- type AttestationRequest
- type AttestationResult
- type Config
- type KeyStore
- type MemoryKeyStore
  - func NewMemoryKeyStore() *MemoryKeyStore
  - func (s *MemoryKeyStore) Delete(ctx context.Context, keyID string) error
  - func (s *MemoryKeyStore) IncrementCounter(ctx context.Context, keyID string) (uint32, error)
  - func (s *MemoryKeyStore) Load(ctx context.Context, keyID string) (*StoredKey, error)
  - func (s *MemoryKeyStore) Store(ctx context.Context, keyID string, key *StoredKey) error
- type StoredKey
- type Verifier
  - func (v *Verifier) VerifyAssertion(ctx context.Context, req *AssertionRequest) (*AssertionResult, error)
  - func (v *Verifier) VerifyAttestation(ctx context.Context, req *AttestationRequest) (*AttestationResult, error)
Constants ¶
This section is empty.
Variables ¶
var (
	ErrKeyNotFound = errors.New("key not found")
	ErrKeyExists   = errors.New("key already exists")
)
Common errors for KeyStore implementations.
var (
	ErrInvalidAttestation = errors.New("invalid attestation")
	ErrInvalidAssertion   = errors.New("invalid assertion")
	ErrVerificationFailed = errors.New("verification failed")
	ErrInvalidBundleID    = errors.New("invalid bundle ID")
	ErrInvalidKeyID       = errors.New("invalid key ID")
	ErrInvalidChallenge   = errors.New("invalid challenge")
	ErrCounterReplay      = errors.New("assertion counter replay detected")
	ErrKeyStoreRequired   = errors.New("key store required for assertion verification")
)
Common errors.
Functions ¶
This section is empty.
Types ¶
type AssertionRequest ¶
type AssertionRequest struct {
// Assertion is the base64-encoded assertion object.
Assertion string
// ClientData is the client data that was signed.
ClientData []byte
// KeyID is the key identifier.
KeyID string
// BundleID is the app bundle identifier.
BundleID string
}
AssertionRequest represents an assertion verification request.
type AssertionResult ¶
type AssertionResult struct {
// Valid indicates whether the assertion was verified successfully.
Valid bool
// KeyID is the verified key identifier.
KeyID string
// Counter is the new assertion counter value.
Counter uint32
// Timestamp is when the verification was performed.
Timestamp time.Time
}
AssertionResult represents the result of assertion verification.
type AttestationRequest ¶
type AttestationRequest struct {
// Attestation is the base64-encoded attestation object.
Attestation string
// Challenge is the server-generated challenge.
Challenge string
// KeyID is the key identifier from DCAppAttestService.generateKey.
KeyID string
// BundleID is the app bundle identifier.
BundleID string
}
AttestationRequest represents an attestation verification request.
type AttestationResult ¶
type AttestationResult struct {
// Valid indicates whether the attestation was verified successfully.
Valid bool
// KeyID is the verified key identifier.
KeyID string
// PublicKey is the attested public key (for storage).
PublicKey *ecdsa.PublicKey
// Receipt is the attestation receipt (for fraud assessment).
Receipt []byte
// Timestamp is when the verification was performed.
Timestamp time.Time
}
AttestationResult represents the result of attestation verification.
type Config ¶
type Config struct {
// BundleIDs is the list of allowed app bundle identifiers.
BundleIDs []string
// TeamID is your Apple Developer Team ID.
TeamID string
// ChallengeTimeout is the maximum age of a challenge (default: 5 minutes).
ChallengeTimeout time.Duration
// KeyStore for storing attestation public keys.
// Required for assertion verification.
KeyStore KeyStore
// Production indicates whether to use production or development environment.
// Default is true (production).
Production bool
// SkipCertificateVerification skips the certificate chain verification.
// WARNING: Only use this for development/testing. Never in production!
SkipCertificateVerification bool
}
Config holds configuration for iOS App Attest verification.
type KeyStore ¶
type KeyStore interface {
// Store saves a public key for the given key ID.
Store(ctx context.Context, keyID string, key *StoredKey) error
// Load retrieves a public key by key ID.
Load(ctx context.Context, keyID string) (*StoredKey, error)
// Delete removes a public key by key ID.
Delete(ctx context.Context, keyID string) error
// IncrementCounter atomically increments and returns the new counter value.
IncrementCounter(ctx context.Context, keyID string) (uint32, error)
}
KeyStore defines the interface for storing and retrieving attestation public keys. Implementations should be thread-safe.
type MemoryKeyStore ¶
type MemoryKeyStore struct {
// contains filtered or unexported fields
}
MemoryKeyStore is an in-memory implementation of KeyStore. Suitable for testing and development. For production, use a persistent store.
func NewMemoryKeyStore ¶
func NewMemoryKeyStore() *MemoryKeyStore
NewMemoryKeyStore creates a new in-memory key store.
func (*MemoryKeyStore) Delete ¶
func (s *MemoryKeyStore) Delete(ctx context.Context, keyID string) error
Delete removes a public key by key ID.
func (*MemoryKeyStore) IncrementCounter ¶
func (s *MemoryKeyStore) IncrementCounter(ctx context.Context, keyID string) (uint32, error)
IncrementCounter atomically increments and returns the new counter value.
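The KeyStore contract asks for thread safety and for an atomic IncrementCounter, which is exactly where a naive persistent-store port goes wrong under concurrent assertions. The following is an added example, not code from the ios package: it redefines StoredKey, KeyStore, ErrKeyNotFound and ErrKeyExists as local stand-ins (the PublicKey field is left out because nothing here signs), and the names LockedKeyStore and ConcurrentIncrements are hypothetical. It shows a mutex-guarded implementation that refuses to overwrite an already attested key ID, hands out copies so callers cannot mutate the stored counter, and keeps the counter exact under many concurrent increments.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Stand-ins for the package's exported errors and types, redefined here only so
// this example compiles on its own.
var (
	ErrKeyNotFound = errors.New("key not found")
	ErrKeyExists   = errors.New("key already exists")
)

type StoredKey struct {
	KeyID      string
	BundleID   string
	TeamID     string
	Counter    uint32
	CreatedAt  time.Time
	LastUsedAt time.Time
	// PublicKey omitted: this example never verifies a signature.
}

type KeyStore interface {
	Store(ctx context.Context, keyID string, key *StoredKey) error
	Load(ctx context.Context, keyID string) (*StoredKey, error)
	Delete(ctx context.Context, keyID string) error
	IncrementCounter(ctx context.Context, keyID string) (uint32, error)
}

// LockedKeyStore is a hypothetical mutex-guarded KeyStore. One lock covers the
// whole map so every operation, IncrementCounter included, is atomic.
type LockedKeyStore struct {
	mu   sync.Mutex
	keys map[string]*StoredKey
	now  func() time.Time // injectable clock for tests
}

func NewLockedKeyStore() *LockedKeyStore {
	return &LockedKeyStore{keys: make(map[string]*StoredKey), now: time.Now}
}

// Store refuses to overwrite: a second attestation arriving for a key ID that is
// already registered is surfaced as ErrKeyExists instead of silently replacing the key.
func (s *LockedKeyStore) Store(ctx context.Context, keyID string, key *StoredKey) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[keyID]; ok {
		return ErrKeyExists
	}
	cp := *key
	cp.KeyID = keyID
	s.keys[keyID] = &cp
	return nil
}

// Load returns a copy so the caller cannot change the stored counter behind the lock.
func (s *LockedKeyStore) Load(ctx context.Context, keyID string) (*StoredKey, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	k, ok := s.keys[keyID]
	if !ok {
		return nil, ErrKeyNotFound
	}
	cp := *k
	return &cp, nil
}

func (s *LockedKeyStore) Delete(ctx context.Context, keyID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[keyID]; !ok {
		return ErrKeyNotFound
	}
	delete(s.keys, keyID)
	return nil
}

// IncrementCounter bumps the replay counter and LastUsedAt under the lock and
// returns the new value, matching the interface's atomicity requirement.
func (s *LockedKeyStore) IncrementCounter(ctx context.Context, keyID string) (uint32, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	k, ok := s.keys[keyID]
	if !ok {
		return 0, ErrKeyNotFound
	}
	k.Counter++
	k.LastUsedAt = s.now()
	return k.Counter, nil
}

var _ KeyStore = (*LockedKeyStore)(nil)

// ConcurrentIncrements fires n IncrementCounter calls at once and returns the
// stored counter afterwards; with a correct store it equals the previous value plus n.
func ConcurrentIncrements(s KeyStore, keyID string, n int) (uint32, error) {
	var wg sync.WaitGroup
	errCh := make(chan error, n)
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if _, err := s.IncrementCounter(context.Background(), keyID); err != nil {
				errCh <- err
			}
		}()
	}
	wg.Wait()
	close(errCh)
	if err, ok := <-errCh; ok {
		return 0, err
	}
	k, err := s.Load(context.Background(), keyID)
	if err != nil {
		return 0, err
	}
	return k.Counter, nil
}

func main() {
	s := NewLockedKeyStore()
	ctx := context.Background()
	// Constructed sample key; the bundle and team IDs are placeholders.
	_ = s.Store(ctx, "key-1", &StoredKey{BundleID: "com.example.app", TeamID: "TEAMID0000", CreatedAt: time.Now()})
	n, err := ConcurrentIncrements(s, "key-1", 1000)
	fmt.Println("counter after 1000 concurrent increments:", n, "err:", err)
}
```

Swapping the map for a database changes nothing about the contract: the increment must still be a single atomic read-modify-write (a row lock or an UPDATE ... RETURNING), or two assertions arriving together can both observe the same counter.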
type StoredKey ¶
type StoredKey struct {
// KeyID is the unique identifier for this key.
KeyID string
// PublicKey is the ECDSA public key from the attestation.
PublicKey *ecdsa.PublicKey
// BundleID is the app bundle identifier associated with this key.
BundleID string
// TeamID is the Apple Team ID.
TeamID string
// Counter is the assertion counter for replay protection.
Counter uint32
// CreatedAt is when the key was first attested.
CreatedAt time.Time
// LastUsedAt is when the key was last used for an assertion.
LastUsedAt time.Time
}
StoredKey represents a stored attestation public key with metadata.
type Verifier ¶
type Verifier struct {
// contains filtered or unexported fields
}
Verifier verifies iOS App Attest attestations and assertions.
func NewVerifier ¶
NewVerifier creates a new iOS App Attest verifier.
func (*Verifier) VerifyAssertion ¶
func (v *Verifier) VerifyAssertion(ctx context.Context, req *AssertionRequest) (*AssertionResult, error)
VerifyAssertion verifies an iOS App Attest assertion.
func (*Verifier) VerifyAttestation ¶
func (v *Verifier) VerifyAttestation(ctx context.Context, req *AttestationRequest) (*AttestationResult, error)
VerifyAttestation verifies an iOS App Attest attestation.
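The Config and error variables above define the policy a verifier enforces around the cryptographic checks: an allowlist of bundle IDs, a challenge that expires (5 minutes by default), a key store that must be present for assertions, a counter that must move strictly forward, and a certificate-skip flag that must never be combined with production. The following is an added example, not the package's own code: it redefines the relevant error variables locally, and the Policy type, CounterGate, CheckAssertion and ErrUnsafeConfig are hypothetical names chosen for this illustration. It shows those checks as pure functions with a replay sequence that makes the counter rule concrete.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Sentinel errors mirroring the package's exported vars, redefined so this
// file compiles on its own.
var (
	ErrInvalidBundleID  = errors.New("invalid bundle ID")
	ErrInvalidChallenge = errors.New("invalid challenge")
	ErrCounterReplay    = errors.New("assertion counter replay detected")
	ErrKeyStoreRequired = errors.New("key store required for assertion verification")
)

// ErrUnsafeConfig is hypothetical: the Config docs state the rule but export no such error.
var ErrUnsafeConfig = errors.New("SkipCertificateVerification must not be set in production")

// Default taken from the ChallengeTimeout field documentation.
const defaultChallengeTimeout = 5 * time.Minute

// Policy holds the Config fields that drive the checks below (hypothetical type).
type Policy struct {
	BundleIDs                   []string
	ChallengeTimeout            time.Duration
	Production                  bool
	SkipCertificateVerification bool
	HasKeyStore                 bool
}

// Validate rejects the one combination the Config documentation forbids outright.
func (p Policy) Validate() error {
	if p.Production && p.SkipCertificateVerification {
		return ErrUnsafeConfig
	}
	return nil
}

func (p Policy) challengeTimeout() time.Duration {
	if p.ChallengeTimeout <= 0 {
		return defaultChallengeTimeout
	}
	return p.ChallengeTimeout
}

// CheckBundleID requires an exact match; an empty allowlist admits nothing.
func (p Policy) CheckBundleID(bundleID string) error {
	for _, allowed := range p.BundleIDs {
		if allowed == bundleID {
			return nil
		}
	}
	return ErrInvalidBundleID
}

// CheckChallengeAge rejects a challenge older than the timeout or dated in the future.
func (p Policy) CheckChallengeAge(issuedAt, now time.Time) error {
	age := now.Sub(issuedAt)
	if age < 0 || age > p.challengeTimeout() {
		return ErrInvalidChallenge
	}
	return nil
}

// CounterGate remembers the highest counter accepted per key ID. An assertion's
// counter must strictly exceed it; equal or lower values are replays.
type CounterGate struct {
	last map[string]uint32
}

func NewCounterGate() *CounterGate { return &CounterGate{last: make(map[string]uint32)} }

// Accept records a fresh counter or returns ErrCounterReplay without changing state.
func (g *CounterGate) Accept(keyID string, presented uint32) error {
	if presented <= g.last[keyID] {
		return ErrCounterReplay
	}
	g.last[keyID] = presented
	return nil
}

// CheckAssertion runs the assertion-side policy checks in the order a verifier
// would apply them, before any signature is examined.
func (p Policy) CheckAssertion(g *CounterGate, bundleID, keyID string, presented uint32) error {
	if !p.HasKeyStore {
		return ErrKeyStoreRequired
	}
	if err := p.CheckBundleID(bundleID); err != nil {
		return err
	}
	return g.Accept(keyID, presented)
}

func main() {
	// Constructed sample policy and counter sequence; the bundle ID is a placeholder.
	p := Policy{BundleIDs: []string{"com.example.app"}, Production: true, HasKeyStore: true}
	g := NewCounterGate()
	for _, c := range []uint32{1, 2, 3, 3, 2, 4} {
		err := p.CheckAssertion(g, "com.example.app", "key-1", c)
		fmt.Printf("counter %d: %v\n", c, err)
	}
}
```

The counter gate starts every key at zero, so the first assertion after attestation must carry a counter of at least one, and a replayed or reordered assertion fails without touching stored state; the key store is what makes that memory survive across requests, which is why ErrKeyStoreRequired comes first.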