According to the documentation - https://github.com/w3c/webauthn/pull/1491 of Apple's Anonymous Attestation Statement Format (fmt="apple"),
the nonce generated from the authenticatorData the clientDataHash is embedded in an extension with OID ( 1.2.840.113635.100.8.2 ) in the certificate for the credential public key.
If I try to validate a response generated after using touchID from my browser on my iOS14 device, I get a 38-byte value:
414:d=5 hl=2 l= 9 prim: OBJECT :1.2.840.113635.100.8.2
425:d=5 hl=2 l= 38 prim: OCTET STRING [HEX DUMP]:3024A1220420D9052FED7AA782C1B416C59B0AE15F309A336E22984E32505307A6339DDE52FD
How can this be a SHA-256 hash value?
joostvandijk
Users receive reputation points by contributing quality content to the forums.
Posts include post and replies published on the forums.
Post authors can mark replies as Accepted to indicate successful solutions.
Apple Developer Forums admins can mark replies as Apple Recommended to indicate an approved solution
Last seen
User for
From
Utrecht, Netherlands