devicecheck 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f390b2f4f12838ea2fdcda13f66b7921908d7abee05345924d7d69dd64181b97
+  data.tar.gz: 9faa3df7dd33770d1dca907ffa41d38ab31d38964d826a067ca9ddb6e15ee5e0
+SHA512:
+  metadata.gz: 36d6ef82465760fee953e0b4d626b495f3b487428be068101a99f1c2bcb41d99575f8a45517848a61dd9ac00158ebb4e871b4d72ac331bbf659d2410ff4b559c
+  data.tar.gz: f9aeaed2c53257775775c03e10872af43b4c829fb09e99151abe66285f7555dc53946e783f242eb0c6a5713c8f64f1806b1e0584838895070996c888af78cf0f

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,29 @@
+inherit_from: .rubocop_todo.yml
+
+require:
+  - rubocop-rake
+  - rubocop-rspec
+  - rubocop-performance
+  - rubocop-thread_safety
+
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 3.2
+
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: single_quotes
+
+Style/StringLiteralsInInterpolation:
+  Enabled: true
+  EnforcedStyle: single_quotes
+
+Layout/LineLength:
+  Max: 120
+
+Style/Documentation:
+  Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - spec/**/*

data/.rubocop_todo.yml

@@ -0,0 +1,27 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2024-03-18 07:21:43 UTC using RuboCop version 1.62.1.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 23
+# Configuration parameters: AllowSubject.
+RSpec/MultipleMemoizedHelpers:
+  Max: 24
+
+# Offense count: 21
+# Configuration parameters: EnforcedStyle, IgnoreSharedExamples.
+# SupportedStyles: always, named_only
+RSpec/NamedSubject:
+  Exclude:
+    - 'spec/devicecheck/assertion_spec.rb'
+    - 'spec/devicecheck/attestation_spec.rb'
+    - 'spec/devicecheck/data/authenticator_data_spec.rb'
+    - 'spec/devicecheck/validators/certificate_chain_validator_spec.rb'
+
+# Offense count: 7
+# Configuration parameters: AllowedGroups.
+RSpec/NestedGroups:
+  Max: 5

data/.yardopts

@@ -0,0 +1 @@
+-mmarkdown

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## [1.0.0] - 2024-07-16
+
+- Initial release

data/CODE-OF-CONDUCT.md

@@ -0,0 +1,84 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement. All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior,  harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
+available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.

data/CONTRIBUTING.md

@@ -0,0 +1,105 @@
+# Contributing
+
+We love pull requests from everyone. By participating in this project,
+you agree to abide by the our [code of conduct](code_of_conduct).
+
+Here are some ways *you* can contribute:
+
+* by using alpha, beta, and prerelease versions
+* by reporting bugs
+* by suggesting new features
+* by writing or editing documentation
+* by writing specifications
+* by writing code (**no patch is too small**: fix typos, add comments, clean up inconsistent whitespace)
+* by refactoring code
+* by closing [issues]
+* by reviewing patches
+
+## Submitting an Issue
+
+* We use the [GitHub issue tracker][issues] to track bugs and features.
+* Before submitting a bug report or feature request, check to make sure it hasn't
+  already been submitted.
+  
+* When submitting a bug report, please include a gist that includes a
+  stack trace and any details that may be necessary to reproduce the
+  bug, including your gem version, Ruby version, and operating system.
+  Ideally, a bug report should include a pull request with failing
+  specs.
+
+## Cleaning up issues
+
+* Issues that have no response from the submitter will be closed after
+  30 days.
+* Issues will be closed once they're assumed to be fixed or
+  answered. If the maintainer is wrong, it can be opened again.
+* If your issue is closed by mistake, please understand and explain the issue.
+  We will happily reopen the issue.
+
+## Submitting a Pull Request
+
+1. [Fork][fork] the [official repository][repo].
+1. [Create a topic branch.][branch]
+1. Implement your feature or bug fix.
+1. Add, commit, and push your changes.
+1. [Submit a pull request.][pr]
+
+### Notes
+
+* Please add tests if you changed code. Contributions without tests
+  won't be accepted.
+* If you don't know how to add tests, please put in a PR and leave a
+  comment asking for help. We love helping!
+* Please don't update the Gem version.
+
+## Setting Up
+
+After checking out the repo, run `bundle install` to install
+dependencies. Then, run `rake spec` to run the tests.  You can also
+run `bin/console` for an interactive prompt that will allow you to
+experiment.
+
+To install this gem onto your local machine, run `bundle exec rake
+install`.
+
+## Running the test suite
+
+The default rake task will run the full test suite and lint:
+
+```sh
+bundle exec rake
+```
+
+To run an individual rspec test, you can provide a path and line number:
+
+```sh
+bundle exec rspec spec/path/to/spec.rb:123
+```
+
+## Formatting and Style
+
+Our style guide is defined in `.rubocop.yml`.
+
+To run the linter:
+
+```sh
+bundle exec rubocop
+```
+
+To run the linter with auto correct:
+
+```sh
+bundle exec rubocop -A
+```
+
+Inspired by [factory_bot] and [activeinteractor].
+
+[code_of_conduct]: CODE-OF-CONDUCT.md
+[repo]: https://github.com/catawiki/devicecheck-ruby/tree/main
+[issues]: https://github.com/catawiki/devicecheck-ruby/issues
+[fork]: https://help.github.com/articles/fork-a-repo/
+[branch]: https://help.github.com/articles/creating-and-deleting-branches-within-your-repository/
+[pr]: https://help.github.com/articles/using-pull-requests/
+[gist]: https://gist.github.com/
+[factory_bot]: https://github.com/thoughtbot/factory_bot/blob/master/CONTRIBUTING.md
+[activeinteractor]: https://github.com/aaronmallen/activeinteractor/tree/main/CONTRIBUTING.md

data/Gemfile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devicecheck.gemspec
+gemspec
+
+gem 'rake'
+gem 'rspec'
+gem 'rubocop'
+gem 'rubocop-performance'
+gem 'rubocop-rake'
+gem 'rubocop-rspec'
+gem 'rubocop-thread_safety'
+gem 'simplecov'
+gem 'yard'

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Catawiki B.V.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,83 @@
+# Devicecheck
+
+## Usage
+
+This gem provides the core functionality to verify attestations and assertions as generated by Apple's Devicecheck system. You should be familiar with how to [validate apps on the server side](https://developer.apple.com/documentation/devicecheck/validating-apps-that-connect-to-your-server) and [establishing your app's integrity](https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity).
+
+### Attestation
+
+The mobile client must provide the following parameters:
+
+1. Key ID, encoded in "strict" Base64 format;
+2. Attestation Object, encoded in "strict" Base64;
+3. Challenge - unique one time challenge that must be provided by the server first.
+
+Initialize the attestation service by providing your app ID and which environment are you testing.
+
+```ruby
+attestation = Devicecheck::Attestation.new(
+  app_id: 'com.example.random-app',
+  environment: :production)
+```
+
+Call the `attest` method, passing the three parameters listed above.
+
+```
+pkey, receipt = attestation.attest(key_id:, attestation_object:, challenge:)
+```
+
+If there are issues with the provided parameters, a `RuntimeError` with the problem found will be raised. Otherwise the function returns both the public key of the credential data, DER-encoded and a receipt.  The receipt can be later used to [check for fraud](https://developer.apple.com/documentation/devicecheck/assessing-fraud-risk). You must store both the public key and receipts associated with the unique app that you are attesting.
+
+On the app side, the `challenge` needs to be SHA256-hashed and it is passed as the `clientDataHash` of the `attestKey` function.
+
+### Assertion
+
+From the Apple docs:
+
+> After successful attestation, your server can require the associated client to accompany server requests with an assertion object. Each verified assertion reestablishes the legitimacy of the client. You typically require this for requests that access sensitive or premium content.
+
+Initialize the assertion service by providing both the App ID and the DER-encoded key that is associated with that App instance that was previously saved after it was attested.
+
+```ruby
+assertion = Devicecheck::Assertion.new(
+  app_id: 'com.example.random-app', 
+  pkey_der: <some-key>)
+```
+
+Before calling an endpoint with sensitive data, the app must obtain a one time unique value from the server, which will call `challenge`. Then, it will compute an assertion by embedding this challenge into the `client_data` that will be sent to the endpoint later on.
+
+For example, if `client_data` is:
+
+```
+{ "new_score": 100 }
+```
+
+Then it must embed the challenge into this data, for example:
+
+```
+{ "new_score": 100, "challenge": "..." }
+```
+
+Note that using JSON is just an example. The client data can simply be a string that is augmented with the challenge.  It depends on the use case and the interface must be established between the mobile app and the server.
+
+Then, when calling the protected endpoint, the app must provide, along with the augmented client data, the assertion generated by the `generateAssertion` function from the Devicecheck service from Apple.
+
+The endpoint will then call this library with the following parameters:
+
+1. Client Data (augmented with the challenge);
+1. Client Data challenge - copy of the challenge that is embedded in Client Data;
+1. Assertion Object;
+1. Expected challenge - the challenge that was previously sent, to be compared with what was provided by the client;
+1. Current assertion counter associated with this app - 0 if this is the first assertion.
+
+We explictily request both `Client Data` and `Client Data challenge` because this library makes no assumption of the format of `Client Data` and would not know how to extract it otherwise.
+
+```ruby
+assertion.assert(client_data:,
+                 client_data_challenge:,
+                 expected_challenge:,
+                 assertion_object:,
+                 count: 0)
+```
+
+If the assertion is valid, the function will return the count of assertions so far -- this must be stored associated with the app.  Later invocations of this method must provide the current count.

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'yard'
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+YARD::Rake::YardocTask.new
+
+task default: %i[spec rubocop yard]

data/SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported                |
+| ------- | ------------------------ |
+| 1.0.0   | :rocket:                 |
+
+- :rocket: - Currently addressing feature requests
+- :beetle: - Currently addressing bug reports
+- :lock:   - Currently addressing security reports
+- :x:      - No longer supported
+
+## Reporting a Vulnerability
+
+To report a security vulnerability please create a security report on the [GitHub issue tracker][issues] tracker.
+Security issues will be triaged as soon as possible. We also welcome pull requests, please see our
+[contributing guidelines][contributing] for more information on how to contribute.
+
+Inspired by [activeinteractor]
+
+[issues]: https://github.com/catawiki/devicecheck-ruby/issues
+[contributing]: https://github.com/catawiki/devicecheck-ruby/blob/master/CONTRIBUTING.md
+[activeinteractor]: https://github.com/aaronmallen/activeinteractor

data/devicecheck.gemspec

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require_relative 'lib/devicecheck/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'devicecheck'
+  spec.version = Devicecheck::VERSION
+  spec.authors = ['Fabricio Chalub']
+  spec.email = ['opensource@catawiki.nl']
+  spec.license = 'MIT'
+  spec.homepage = 'https://github.com/catawiki/devicecheck-ruby'
+  spec.description = 'Pure Ruby implementation of the Apple App Attestation server side verifier'
+  spec.summary = 'Apple App Attestation (aka DeviceCheck) support for Ruby.'
+  spec.required_ruby_version = '>= 3.2'
+
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/catawiki/devicecheck-ruby/issues',
+    'changelog_uri' => 'https://github.com/catawiki/devicecheck-ruby/CHANGELOG.md',
+    'documentation_uri' => 'https://rubydoc.info/github/catawiki/devicecheck-ruby',
+    'source_code_uri' => 'https://github.com/catawiki/devicecheck-ruby',
+    'rubygems_mfa_required' => 'true'
+  }
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) || f.start_with?(*%w[bin/ test/ spec/ features/ .git .circleci appveyor])
+    end
+  end
+  spec.bindir = 'exe'
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'base64', '~> 0.2.0'
+  spec.add_dependency 'cbor', '~> 0.5.9'
+  spec.add_dependency 'openssl', '~> 3'
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+  spec.metadata['rubygems_mfa_required'] = 'true'
+end

data/lib/devicecheck/assertion.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+# Copyright 2024 Catawiki B.V.
+#
+# Licensed under the MIT License (the "License");
+#
+# you may not use this file except in compliance with the License.
+#
+# You may obtain a copy of the License at
+#
+#     https://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Devicecheck
+  class Assertion
+    # Initialize the assertion service by providing both the App ID
+    # and the DER-encoded key that is associated with that App
+    # instance that was previously saved after it was attested.
+    def initialize(app_id:, pkey_der:)
+      @app_id = app_id
+      @pkey = OpenSSL::PKey.read(pkey_der)
+      @sha256 = OpenSSL::Digest.new('SHA256')
+    end
+
+    # Verifies an assertion generated by the `generateAssertion`
+    # method from DCAppAttestService.
+    #
+    # The app must obtain a one time unique value from the server,
+    # which we will call `challenge`. Then, it will compute an
+    # assertion by embedding this challenge into the `client_data`.
+    #
+    # For example, if `client_data` is:
+    #
+    # ```
+    # { "new_score": 100 }
+    # ```
+    #
+    # Then it must embed the challenge into this data, for example:
+    #
+    # ```
+    # { "new_score": 100, "challenge": "..." }
+    # ```
+    #
+    # Note that using JSON strings is just an example. It depends on
+    # the use case and the interface must be established between the
+    # mobile app and the server.  This is why we expect another
+    # parameter (`client_data_challenge`) that contains the embedded
+    # challenge value, since this library does not make any
+    # assumption on the format or contents of `client_data`.
+    #
+    # @param client_data [String] client data (with embedded
+    #  challenge)
+    # @param client_data_challenge [String] client data challenge -
+    #  copy of the challenge that is embedded in client data
+    # @param assertion_object [String] Base64-encoded assertion
+    #  object
+    # @param expected_challenge [String] the challenge that was
+    #  previously sent, to be compared with what was provided by the
+    #  client
+    # @param count [Integer] current assertion counter associated with
+    #  this app - 0 if this is the first assertion
+    #
+    # @return [Integer] the authenticator `counter` value, to be stored for later use
+    def assert(client_data:, client_data_challenge:, expected_challenge:, assertion_object:, count: 0)
+      decoded_assertion_object = CBOR.decode(Base64.strict_decode64(assertion_object))
+
+      signature = decoded_assertion_object['signature']
+      authenticator_data = decoded_assertion_object['authenticatorData']
+
+      (rp_id_hash, _, sign_count,) = Data::AuthenticatorData.unpack(authenticator_data)
+
+      validate_signature!(signature, client_data, authenticator_data)
+
+      validate_rp_id!(rp_id_hash)
+
+      raise 'Failed count check' if sign_count < count
+      raise 'Failed challenge check' unless client_data_challenge == expected_challenge
+
+      sign_count
+    end
+
+    private
+
+    attr_reader :app_id, :pkey, :sha256
+
+    def validate_signature!(signature, client_data, authenticator_data)
+      client_data_hash = sha256.digest(client_data)
+
+      nonce = sha256.digest(authenticator_data + client_data_hash)
+
+      raise 'Failed signature check' unless pkey.verify(sha256, signature, nonce)
+    end
+
+    def validate_rp_id!(rp_id_hash)
+      raise 'Failed RP ID check' unless rp_id_hash == sha256.digest(app_id)
+    end
+  end
+end

data/lib/devicecheck/attestation.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+# Copyright 2024 Catawiki B.V.
+#
+# Licensed under the MIT License (the "License");
+#
+# you may not use this file except in compliance with the License.
+#
+# You may obtain a copy of the License at
+#
+#     https://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'base64'
+require 'cbor'
+require 'json'
+require 'openssl'
+require 'securerandom'
+
+module Devicecheck
+  class Attestation
+    ##
+    # AAGUID for development environments
+    AAGUID_DEVELOPMENT = 'appattestdevelop'
+    # AAGUID for production environments
+    AAGUID_PRODUCTION = "appattest\0\0\0\0\0\0\0"
+
+    #
+    # Initialize the attestation service by providing your app ID and
+    # which environment are you testing.
+    #
+    # @param app_id [String] your App ID
+    # @param environment [Symbol] `:production` or `:development`
+    def initialize(app_id:, environment:)
+      @app_id = app_id
+      @environment = environment
+      @sha256 = OpenSSL::Digest.new('SHA256')
+    end
+
+    #
+    # Verifies the attestation generated by DCAppAttestService.  All
+    # Base64 encoded strings should be sent in strict format (RFC 4648).
+    #
+    # @param key_id [String] Base64-encoded format of the public key ID
+    # @param attestation_object [String] Base64-encoded of the
+    #  attestation object generated by the `attestKey` method of
+    #  `DCAppAttestService`
+    # @param challenge [String] challenge originally provided by the server
+    # @return [Array] An array containing:
+    #   - the verified public key in DER format
+    #   - the receipt from the attestation statement, which can be used
+    #     later to request a fraud assessment metric from Apple.
+    #
+    #   If the key cannot be verified, a runtime error will be raised
+    #   containing details about the failed check.
+    def attest(key_id:, attestation_object:, challenge:)
+      decoded_attestation_object = CBOR.decode(Base64.strict_decode64(attestation_object))
+
+      att_stmt = decoded_attestation_object['attStmt']
+      auth_data = decoded_attestation_object['authData']
+
+      cred_cert = validate_certificates! att_stmt
+
+      validate_challenge! challenge, auth_data, cred_cert
+      validate_key_id! key_id, cred_cert
+      validate_auth_data! key_id, auth_data
+
+      [cred_cert.public_key.to_der, att_stmt['receipt']]
+    end
+
+    private
+
+    attr_reader :app_id, :environment, :sha256
+
+    def validate_certificates!(att_stmt)
+      cred_cert = Validators::CertificateChainValidator.validate(att_stmt)
+
+      raise 'Failed certificate chain check' unless cred_cert
+
+      cred_cert
+    end
+
+    def validate_challenge!(challenge, auth_data, cred_cert)
+      client_data_hash = sha256.digest(challenge)
+
+      sequence = OpenSSL::ASN1.decode(cred_cert.find_extension('1.2.840.113635.100.8.2').value_der)
+
+      unless valid_sequence?(sequence) &&
+             sequence.value[0].value[0].value ==
+             sha256.digest(auth_data + client_data_hash)
+        raise 'Failed challenge check'
+      end
+    end
+
+    def valid_sequence?(sequence)
+      sequence.tag == OpenSSL::ASN1::SEQUENCE &&
+        sequence.value.size == 1
+    end
+
+    def validate_key_id!(key_id, cred_cert)
+      uncompressed_point_key = cred_cert.public_key.public_key.to_octet_string(:uncompressed)
+
+      return if key_id == Base64.strict_encode64(sha256.digest(uncompressed_point_key))
+
+      raise 'Failed key ID check'
+    end
+
+    def validate_auth_data!(key_id, auth_data)
+      (rp_id_hash, _, sign_count, aaguid, credential_id) = Data::AuthenticatorData.unpack(auth_data)
+
+      raise 'Failed RP ID check' unless rp_id_hash == sha256.digest(app_id)
+      raise 'Failed sign counter = 0 check' unless sign_count.zero?
+      raise 'Failed AAGUID check' unless aaguid == expected_aaguid
+      raise 'Failed credentialId check' unless key_id == Base64.strict_encode64(credential_id)
+    end
+
+    def expected_aaguid
+      case environment
+      when :production
+        AAGUID_PRODUCTION
+      when :development
+        AAGUID_DEVELOPMENT
+      end
+    end
+  end
+end

data/lib/devicecheck/data/authenticator_data.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+# Copyright 2024 Catawiki B.V.
+#
+# Licensed under the MIT License (the "License");
+#
+# you may not use this file except in compliance with the License.
+#
+# You may obtain a copy of the License at
+#
+#     https://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Devicecheck
+  module Data
+    # Unpacks authenticator data according to the [webauthn specification](https://www.w3.org/TR/webauthn-2/#authenticator-data).
+    #
+    # ```
+    # Authenticator data layout:
+    # -------------------------
+    #
+    # rp_id_hash = 32 bytes
+    # flags = 1 byte
+    # sign-count = 4 bytes
+    # aaguid = 16
+    # attestedCredentialData (variable)
+    # - aaguid = 16
+    #   credentialIdLength(L) = 2
+    #   credentialId = L
+    #   credentialPublicKey = variable
+    # extension (variable)
+    # ```
+    class AuthenticatorData
+      def self.unpack(...) = new.unpack(...)
+
+      def unpack(auth_data)
+        (rp_id_hash, flags, sign_count, trailing_bytes) =
+          auth_data.unpack('a32c1N1a*')
+
+        (aaguid, credential_id_length, trailing_bytes) =
+          trailing_bytes.unpack('a16na*')
+
+        (credential_id, credential_public_key) =
+          trailing_bytes.unpack("a#{credential_id_length}a*")
+
+        [rp_id_hash, flags, sign_count, aaguid,
+         credential_id, credential_public_key]
+      end
+    end
+  end
+end

data/lib/devicecheck/validators/certificate_chain_validator.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+# Copyright 2024 Catawiki B.V.
+#
+# Licensed under the MIT License (the "License");
+#
+# you may not use this file except in compliance with the License.
+#
+# You may obtain a copy of the License at
+#
+#     https://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Devicecheck
+  module Validators
+    # Verifies that the x5c array contains the intermediate and leaf
+    # certificates for App Attest, starting from the credential
+    # certificate in the first data buffer in the array
+    # (credcert). Uses Apple’s [App Attest root
+    # certificate](https://www.apple.com/certificateauthority/Apple_App_Attestation_Root_CA.pem).
+    class CertificateChainValidator
+      ROOT_CA =
+        OpenSSL::X509::Certificate.new(<<~PEM)
+          -----BEGIN CERTIFICATE-----
+          MIICITCCAaegAwIBAgIQC/O+DvHN0uD7jG5yH2IXmDAKBggqhkjOPQQDAzBSMSYw
+          JAYDVQQDDB1BcHBsZSBBcHAgQXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwK
+          QXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yMDAzMTgxODMyNTNa
+          Fw00NTAzMTUwMDAwMDBaMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlv
+          biBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9y
+          bmlhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERTHhmLW07ATaFQIEVwTtT4dyctdh
+          NbJhFs/Ii2FdCgAHGbpphY3+d8qjuDngIN3WVhQUBHAoMeQ/cLiP1sOUtgjqK9au
+          Yen1mMEvRq9Sk3Jm5X8U62H+xTD3FE9TgS41o0IwQDAPBgNVHRMBAf8EBTADAQH/
+          MB0GA1UdDgQWBBSskRBTM72+aEH/pwyp5frq5eWKoTAOBgNVHQ8BAf8EBAMCAQYw
+          CgYIKoZIzj0EAwMDaAAwZQIwQgFGnByvsiVbpTKwSga0kP0e8EeDS4+sQmTvb7vn
+          53O5+FRXgeLhpJ06ysC5PrOyAjEAp5U4xDgEgllF7En3VcE3iexZZtKeYnpqtijV
+          oyFraWVIyd/dganmrduC1bmTBGwD
+          -----END CERTIFICATE-----
+        PEM
+
+      def self.validate(...) = new.validate(...)
+
+      def initialize(root_ca: ROOT_CA)
+        @certificates_store = OpenSSL::X509::Store.new.add_cert(root_ca)
+      end
+
+      def validate(att_stmt)
+        certificates =
+          att_stmt['x5c'].map { |c| OpenSSL::X509::Certificate.new(c) }
+
+        cred_cert, *certificate_chain = certificates
+
+        store_context = OpenSSL::X509::StoreContext.new(
+          certificates_store, cred_cert, certificate_chain
+        )
+
+        cred_cert if store_context.verify
+      end
+
+      private
+
+      attr_reader :certificates_store
+    end
+  end
+end

data/lib/devicecheck/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Devicecheck
+  VERSION = '1.0.0'
+end

data/lib/devicecheck.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+# Copyright 2024 Catawiki B.V.
+#
+# Licensed under the MIT License (the "License");
+#
+# you may not use this file except in compliance with the License.
+#
+# You may obtain a copy of the License at
+#
+#     https://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'openssl'
+require 'base64'
+require 'cbor'
+
+require_relative 'devicecheck/version'
+require_relative 'devicecheck/data/authenticator_data'
+require_relative 'devicecheck/validators/certificate_chain_validator'
+require_relative 'devicecheck/attestation'
+require_relative 'devicecheck/assertion'
+
+# {include:file:README.md}
+module Devicecheck
+end

data/sig/devicecheck.rbs

@@ -0,0 +1,4 @@
+module Devicecheck
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,110 @@
+--- !ruby/object:Gem::Specification
+name: devicecheck
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Fabricio Chalub
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-07-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+- !ruby/object:Gem::Dependency
+  name: cbor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.9
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+description: Pure Ruby implementation of the Apple App Attestation server side verifier
+email:
+- opensource@catawiki.nl
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- ".rubocop_todo.yml"
+- ".yardopts"
+- CHANGELOG.md
+- CODE-OF-CONDUCT.md
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- SECURITY.md
+- devicecheck.gemspec
+- lib/devicecheck.rb
+- lib/devicecheck/assertion.rb
+- lib/devicecheck/attestation.rb
+- lib/devicecheck/data/authenticator_data.rb
+- lib/devicecheck/validators/certificate_chain_validator.rb
+- lib/devicecheck/version.rb
+- sig/devicecheck.rbs
+homepage: https://github.com/catawiki/devicecheck-ruby
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/catawiki/devicecheck-ruby/issues
+  changelog_uri: https://github.com/catawiki/devicecheck-ruby/CHANGELOG.md
+  documentation_uri: https://rubydoc.info/github/catawiki/devicecheck-ruby
+  source_code_uri: https://github.com/catawiki/devicecheck-ruby
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.10
+signing_key:
+specification_version: 4
+summary: Apple App Attestation (aka DeviceCheck) support for Ruby.
+test_files: []