verifyKeyAttestation

abstract fun verifyKeyAttestation(attestationProof: Attestation, challenge: ByteArray): KeyAttestation<PublicKey>


fun verifyKeyAttestation(attestationProof: List<ByteArray>, challenge: ByteArray, encodedPublicKey: ByteArray): KeyAttestation<PublicKey>

Same as verifyKeyAttestation, but taking an encoded public key (either ANSI X9.63 or DER) as a byte array.


fun <T : PublicKey> verifyKeyAttestation(attestationProof: List<ByteArray>, expectedChallenge: ByteArray, keyToBeAttested: T): KeyAttestation<T>

Deprecated

This uses the legacy attestation format, which is not future-proof: it makes too few guarantees with respect to encoding, guesses the platform from the number of elements in the attestation proof, etc.

Replace with

AttestationService.verifyAttestation(attestationProof, challenge)

Verifies key attestation for both Android and Apple devices.

Succeeds if the attestation data structures of the client (in attestationProof) can be verified and expectedChallenge matches the attestation challenge. For Android clients, this function makes sure that keyToBeAttested matches the key contained in the attestation certificate. On iOS the key must be passed explicitly in any case, because key attestation is only emulated there (see attestationProof).

Return

A KeyAttestation containing the attested public key on success, or a failed KeyAttestation otherwise (see KeyAttestation). Note that the return type is not nullable; callers must inspect the result rather than test for null.

Parameters

attestationProof

On Android, this is simply the certificate chain from the attestation certificate (i.e. the certificate corresponding to the key to be attested) up to one of the Google hardware attestation root certificates. On iOS this must contain the AppAttest attestation statement at index 0 and an assertion at index 1, which is verified for integrity and checked to match keyToBeAttested. The signature counter in the attestation must be 0 and the signature counter in the assertion must be 1.

Passing a public key that was created in the same app on the iDevice's secure hardware as the clientData of an assertion effectively emulates Android's key attestation: attesting such a secondary key through an assertion proves that it, too, was created within the same app on the same device, which yields an attested key that can then be used for general-purpose cryptography. BEWARE: on iOS only EC keys are supported (either ANSI X9.63 or DER encoded). The key can be passed in either encoding to the Secure Enclave for assertion/attestation.

expectedChallenge
keyToBeAttested
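Because the key to be attested may arrive in either ANSI X9.63 or DER encoding (second overload above, and the attestationProof note), a verifier has to bring both the caller-supplied key and the key it extracts from the attestation certificate or assertion to one canonical form before comparing them, and should reject anything that is not a valid point on the curve. The following is an added, stand-alone Python example written for this page; it is not code from the attestation library (which is Kotlin) and does not call its API. It assumes P-256 keys (App Attest and Secure Enclave keys are P-256, and the DER header it builds is specific to that curve). The sample key is the P-256 base point, a constructed input used only because it is a known valid point.

```python
"""Normalising an EC public key given in either ANSI X9.63 or DER encoding.

Added example, not code from the attestation library documented above.
Pure Python, no third-party dependencies; P-256 only.
"""
import hmac

# NIST P-256 domain parameters, used only for the on-curve check.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# OIDs inside the DER SubjectPublicKeyInfo AlgorithmIdentifier:
# id-ecPublicKey (1.2.840.10045.2.1) and prime256v1 (1.2.840.10045.3.1.7).
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (up to 4 bytes)
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_to_x963(der: bytes) -> bytes:
    """Extract the uncompressed point from a DER SubjectPublicKeyInfo.

    Structure: SEQUENCE { SEQUENCE { OID, OID } BIT STRING { 0x00 || point } }
    Anything other than an id-ecPublicKey/prime256v1 key is rejected.
    """
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    t1, oid1, p = _read_tlv(alg, 0)
    t2, oid2, p = _read_tlv(alg, p)
    if (t1, t2) != (0x06, 0x06) or oid1 != OID_EC_PUBLIC_KEY \
            or oid2 != OID_PRIME256V1 or p != len(alg):
        raise ValueError("not an id-ecPublicKey / prime256v1 key")
    tag, bits, pos = _read_tlv(spki, pos)
    if tag != 0x03 or pos != len(spki) or not bits or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    return bits[1:]                        # drop the unused-bits octet


def x963_to_der(point: bytes) -> bytes:
    """Wrap an uncompressed P-256 point (0x04 || X || Y) in a DER SubjectPublicKeyInfo."""
    alg = b"\x06" + bytes([len(OID_EC_PUBLIC_KEY)]) + OID_EC_PUBLIC_KEY \
        + b"\x06" + bytes([len(OID_PRIME256V1)]) + OID_PRIME256V1
    alg = b"\x30" + bytes([len(alg)]) + alg
    bits = b"\x00" + point                 # leading 0x00: no unused bits
    bits = b"\x03" + bytes([len(bits)]) + bits
    body = alg + bits                      # 89 bytes, so short-form lengths suffice
    return b"\x30" + bytes([len(body)]) + body


def normalize_public_key(encoded: bytes) -> bytes:
    """Accept ANSI X9.63 or DER and return the validated 65-byte X9.63 point.

    Rejects compressed points, wrong sizes and off-curve coordinates, so a
    malformed key can never compare equal to an attested one by accident.
    """
    point = der_to_x963(encoded) if encoded[:1] == b"\x30" else encoded
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:], "big")
    if x >= P256_P or y >= P256_P \
            or (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P != 0:
        raise ValueError("point is not on P-256")
    return point


def key_matches(attested_key: bytes, key_to_be_attested: bytes) -> bool:
    """True iff both encodings denote the same valid P-256 public key."""
    return normalize_public_key(attested_key) == normalize_public_key(key_to_be_attested)


def challenge_matches(expected: bytes, received: bytes) -> bool:
    """Constant-time comparison of the server's expected challenge with the attested one."""
    return hmac.compare_digest(expected, received)


# Constructed sample: the P-256 base point G, used here only as a known valid key.
SAMPLE_X963 = bytes.fromhex(
    "04"
    "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
)
SAMPLE_DER = x963_to_der(SAMPLE_X963)

if __name__ == "__main__":
    print(key_matches(SAMPLE_DER, SAMPLE_X963))   # True: same key, two encodings
```

The DER path deliberately parses only the one structure it expects and rejects everything else, rather than using a general ASN.1 library; for a verifier that is exactly the behaviour wanted, since any unexpected algorithm identifier or curve should fail closed. The on-curve check matters because a verifier that merely compares byte strings would happily "attest" an invalid point if both sides were fed the same garbage.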