Questions about FIDO 2 attestation verification in iOS14

Questions about FIDO 2 attestation verification in iOS 14


I am currently implementing the FIDO 2 verification logic according to the url below.

https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server


My question is about aaguid and credentialId.


According to the url the aaguid is "An App Attest–specific constan".
And the length of credentialId is 32 bytes.

[Question]
  1. The aaguid delivered from safari was 16 zero bytes. Is it correct to be passed by this value?

  2. The length of credentialId is 20 bytes, not 32 bytes. Is this correct?

[Test Env.]
iOS 14 beta 8
attestationObject : o2NmbXRlYXBwbGVnYXR0U3RtdKJjYWxnJmN4NWOCWQJGMIICQjCCAcmgAwIBAgIGAXR3IfJrMAoGCCqGSM49BAMCMEgxHDAaBgNVBAMME0FwcGxlIFdlYkF1dGhuIENBIDExEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3JuaWEwHhcNMjAwOTEwMDgxOTA3WhcNMjAwOTExMDgyOTA3WjCBkTFJMEcGA1UEAwxAY2E1ZjZjYTQwZTE5OTQ0MTQzZjgzMjRlZTE3ZTliZjM2YmI4Nzk4YTllM2YzOWE4MjM4YjkwNWU3YTdmYmJlMTEaMBgGA1UECwwRQUFBIENlcnRpZmljYXRpb24xEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3JuaWEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAShkVB07nrqMlaitq-5wjv8EzSikGdNRWvmTAA2gwYfz-9YTxpHF9UEnsTVTtl1v3Rdip4TUopyW-TYIVXUQ4o1UwUzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEBwQEAwIE8DAzBgkqhkiG92NkCAIEJjAkoSIEIHGCgF2RQrOUtNb3sBPwfRGEPAkN3drdsUJ5xmleeC8lMAoGCCqGSM49BAMCA2cAMGQCMDKVe8HKHbweixHUIHGZgUXYxV-UHxuEiJthFBkMjPrdkwG1Rvi3jExiJLUAiwXygIwctiDkQV1RYncBzpzaGPjQ4gFsilmMul-neygjeVxXAA-rm1FiA0Zh5cj7L6gWWQI4MIICNDCCAbqgAwIBAgIQViVTlcen-0Dr4ijYJghTtjAKBggqhkjOPQQDAzBLMR8wHQYDVQQDDBZBcHBsZSBXZWJBdXRobiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4MzgwMVoXDTMwMDMxMzAwMDAwMFowSDEcMBoGA1UEAwwTQXBwbGUgV2ViQXV0aG4gQ0EgMTETMBEGA1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTB2MBAGByqGSM49AgEGBSuBBAAiA2IABIMuhy8mFJGBAiW59fzWu2N4tfVfP8sEW8c1mTR1VSQRN-bhkhF2XGmh3aBQs41FCDQBpDT7JNES1Ww-HPv8uYkf7AaWCBvvlsvHfIjd2vRqWu4d1RW1r6q5O-nAsmkaNmMGQwEgYDVR0TAQHBAgwBgEBwIBADAfBgNVHSMEGDAWgBQm12TZxXjCWmfRp95rEtAbYHG1zAdBgNVHQ4EFgQU666CxP-hrFtR1M8kYQUAvmO9d4gwDgYDVR0PAQHBAQDAgEGMAoGCCqGSM49BAMDA2gAMGUCMQDdixo0gaX62du052V7hB4UTCe3W4dqQYbCsUdXUDNyJ-lVEV-9kiVDGMuXEg-cMECMCyKYETcIBP5ZvDTSkwwUh4Udlg7Wp18etKyr44zSW4l9DIBb7wxeLB6VxxugOB2hhdXRoRGF0YViYIoFgu94ab-4bEorgfUTSffzT79toCHqWSIC4Kv6KcRFAAAAAAAAAAAAAAAAAAAAAAAAAAAAFMUF1XwkNChen9PxL4d3TozOT554pQECAyYgASFYIKGT9UHTueuoyVqK2r7nD-OwTNKKQZ01Fa-ZMADaDBhIlggP71hPGkcX1QSexNVO2XWdF2KnhNSinJb5NghVdRDg
clientDataJSON : eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiOUlRclR3YXhfaFJNVTlua0FIcEwxZzFvS2NKZUVqUjRxekxNYTNwT1NBVSIsIm9yaWdpbiI6Imh0dHBzOi8vb25lcGFzc2Rldi5yYW9uc2VjdXJlLmNvLmtyOjI4NDQ1In0

The aaguid delivered from safari was 16 zero bytes. Is it correct to be passed by this value?
The length of credentialId is 20 bytes, not 32 bytes. Is this correct?


Quoting that link:

Verify the Attestation

counter (4 bytes) — The number of times your app used the attested key to sign an assertion.
aaguid (16 bytes) — An App Attest–specific constant that indicates whether the attested key belongs to the development or production environment. Apps generate keys using the former during development, and the latter after distribution, as described in com.apple.developer.devicecheck.appattest-environment.
credentialId (32 bytes) — A hash of the public key part of the cryptographic key pair being attested.

So, no, zero bytes does not an identifier make, and, no, not 20 bytes.
Questions about FIDO 2 attestation verification in iOS14
 
 
Q