JSPM

@motebit/crypto-appattest

1.0.4

Apache-2.0 verifier for Apple App Attest hardware-attestation credentials — offline chain verification against the pinned Apple App Attest root CA. Plugs into @motebit/crypto's HardwareAttestationVerifiers dispatcher to validate iOS device-attested motebit identities.

Package Exports

  • @motebit/crypto-appattest

Readme

@motebit/crypto-appattest

Offline Apache-2.0 verifier for Apple App Attest hardware-attestation credentials.

npm i @motebit/crypto-appattest

Plugs into @motebit/crypto's HardwareAttestationVerifiers dispatcher as the deviceCheck verifier — called when a credential declares platform: "device_check".

Usage

import { verify } from "@motebit/crypto";
import { deviceCheckVerifier } from "@motebit/crypto-appattest";

const result = await verify(credential, {
  hardwareAttestation: {
    // expectedBundleId is the iOS app's bundle identifier; authData.rpIdHash must equal SHA256 of it
    deviceCheck: deviceCheckVerifier({ expectedBundleId: "com.motebit.app" }),
  },
});

What it verifies

  1. The CBOR attestation object Apple emits from DCAppAttestService.attestKey.
  2. The leaf + intermediate X.509 chain against the pinned Apple App Attest root CA — every non-leaf must carry basicConstraints.cA === true, every signature verified, every cert within its validity window, terminal cert DER byte-equal to the pinned root.
  3. The receipt extension (OID 1.2.840.113635.100.8.2) binds SHA256(authData || clientDataHash).
  4. authData.rpIdHash === SHA256(bundleId) (bundle binding).
  5. Identity binding. The transmitted clientDataHash must equal SHA-256(canonicalJson({ motebit_id, device_id, identity_public_key, attested_at, platform: "device_check", version: "1" })) — the same body the iOS mint path signs over. A malicious native client that substitutes any other body fails here.

Why pinned

A verifier that dynamically fetches CA certificates has no sovereign story. The pinned root is the self-attesting contract — third parties audit APPLE_APPATTEST_ROOT_PEM and know what chain this library accepts. Zero network; chain path, clock-skew, and OID extraction are all deterministic from Apple's published spec.

License

Apache-2.0 — see LICENSE and NOTICE.

"Motebit" is a trademark. The Apache License grants rights to this software, not to any Motebit trademarks, logos, or branding. You may not use Motebit branding in a way that suggests endorsement or affiliation without written permission.