1 unstable release
0.1.0 | July 4, 2024
#829 in Parser implementations
38KB
457 lines
appattest-rs
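appattest-rs is a Rust module for validating the attestations and assertions of apps running on iOS devices, ensuring the integrity and authenticity of the app.
Overview
appattest-rs is a Rust implementation that integrates Apple's App Attestation mechanism into your server-side application. It lets you verify that the app communicating with your server is genuine and has not been modified. This crate is particularly useful for strengthening the security of iOS applications by building on Apple's DeviceCheck capabilities.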
```mermaid
flowchart LR
    A[Start] --> B[Decode Base64 CBOR Data]
    B --> C{Is Decoding Successful?}
    C -->|Yes| D[Create Assertion or Attestation Object]
    C -->|No| E[Decoding Failure and Exit]
    D --> F{Verify Assertion/Attestation}
    F -->|Yes| G[Verification Successful]
    F -->|No| H[Verification Failure]
    G --> I[End Process]
    H --> I
    style A fill:#f9f,stroke:#333,stroke-width:2px,color:black
    style I fill:#ccf,stroke:#333,stroke-width:2px,color:black
    style G fill:#cfc,stroke:#393,stroke-width:2px,color:black
    style H fill:#f99,stroke:#933,stroke-width:2px,color:black
    style E fill:#f99,stroke:#933,stroke-width:2px,color:black
```
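Features
- App attestation verification: ensures that attestations received from iOS devices are valid and conform to Apple's guidelines.
- Assertion verification: validates assertions made by the iOS app to confirm their authenticity.
Usage
Verifying Attestations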
```rust
use appattest_rs::attestation::Attestation;

fn main() {
    let app_id = "<APPLE_TEAM_ID>.<APPLE_APP_ID>"; // replace this with yours. E.g 9000738U8.auth.iphone.com
    // Key identifier the app received when it generated its App Attest key.
    let key_id = "ZSSh9dOqo0iEvnNOtTGIHaue8n4RN/Dd8FiYFphsKTI=";
    // One-time challenge your server issued to the app for this attestation.
    let challenge = "5b3b2303-e650-4a56-a9ec-33e3e2a90d14";
    // Base64-encoded CBOR attestation object sent by the app (truncated here).
    let base64_cbor_data = "o2NmbXRv...";

    let attestation_result = Attestation::from_base64(base64_cbor_data);
    match attestation_result {
        Ok(attestation) => {
            match attestation.verify(challenge, app_id, key_id) {
                Ok(_) => println!("Verification successful!"),
                Err(e) => println!("Verification failed: {:?}", e),
            }
        },
        Err(e) => println!("Failed to decode and create attestation: {:?}", e),
    }
}
```
Verifying Assertions
```rust
use appattest_rs::assertion::Assertion;
use base64::{engine::general_purpose, Engine};

fn main() {
    let client_data_json = r#"{"challenge": "5b3b2303-e650-4a56-a9ec-33e3e2a90d14"}"#.as_bytes().to_vec();
    let app_id = "<APPLE_TEAM_ID>.<APPLE_APP_ID>"; // replace this with yours. E.g 9000738U8.auth.iphone.com
    // Public key your server stored for this app instance.
    let public_key_base64 = "BLROJkpk8NoHVHAnkLOKWUrc4MhyMkATpDyDwjEk82o+uf+KCQiDoHZdlcJ1ff5HPgK7Jd/pTA3cyKOq5MYM6Gs=";
    let public_key_byte = general_purpose::STANDARD.decode(public_key_base64).expect("unable to decode public key");
    // Counter stored from the last accepted assertion for this key (0 before the first one).
    let previous_counter = 0;
    // Challenge your server issued and stored for this request.
    let stored_challenge = "5b3b2303-e650-4a56-a9ec-33e3e2a90d14";
    // Base64-encoded CBOR assertion object sent by the app (truncated here).
    let base64_cbor_data = "omlzaWdu....";

    let assertion_result = Assertion::from_base64(base64_cbor_data);
    match assertion_result {
        Ok(assertion) => {
            match assertion.verify(client_data_json, app_id, public_key_byte, previous_counter, stored_challenge) {
                Ok(_) => println!("Verification successful!"),
                Err(e) => println!("Verification failed: {:?}", e),
            }
        },
        Err(e) => println!("Failed to decode and create assertion: {:?}", e),
    }
}
```
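The `previous_counter` and `stored_challenge` arguments in the assertion example come from state the server keeps per key. The following is an added example, not code from appattest-rs, showing that bookkeeping with the standard library only: single-use challenges and a strictly increasing counter read from the authenticator data. `Store`, `KeyState` and `ReplayError` are hypothetical names, and it assumes the caller has the assertion's raw authenticator data bytes and has already checked the signature.

```rust
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
pub enum ReplayError {
    UnknownChallenge,
    ShortAuthData,
    CounterNotIncreased { stored: u32, got: u32 },
}

/// Hypothetical per-key server record: outstanding challenge and last accepted counter.
#[derive(Default)]
pub struct KeyState {
    pending_challenge: Option<String>,
    counter: u32,
}
#[derive(Default)]
pub struct Store(HashMap<String, KeyState>);

/// Authenticator data layout: 32-byte RP ID hash, 1 flags byte, big-endian u32 counter.
pub fn counter_from_auth_data(auth_data: &[u8]) -> Result<u32, ReplayError> {
    let b = auth_data.get(33..37).ok_or(ReplayError::ShortAuthData)?;
    Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}

impl Store {
    /// Record the challenge just sent for this key, replacing any older one.
    pub fn issue_challenge(&mut self, key_id: &str, challenge: &str) {
        self.0.entry(key_id.into()).or_default().pending_challenge = Some(challenge.into());
    }
    /// Call once the signature check has passed; returns the counter to persist.
    pub fn accept(&mut self, key_id: &str, challenge: &str, auth_data: &[u8]) -> Result<u32, ReplayError> {
        let st = self.0.get_mut(key_id).ok_or(ReplayError::UnknownChallenge)?;
        if st.pending_challenge.as_deref() != Some(challenge) {
            return Err(ReplayError::UnknownChallenge);
        }
        st.pending_challenge = None; // single use: consumed even if a later check fails
        let got = counter_from_auth_data(auth_data)?;
        if got <= st.counter {
            return Err(ReplayError::CounterNotIncreased { stored: st.counter, got });
        }
        st.counter = got;
        Ok(got)
    }
}

fn main() {
    let mut store = Store::default();
    store.issue_challenge("key-1", "c1");
    let auth_data = [vec![0u8; 36], vec![1]].concat(); // constructed sample, counter = 1
    println!("{:?}", store.accept("key-1", "c1", &auth_data)); // Ok(1)
}
```

In a real deployment the map would be a database row per key, and the counter update and challenge removal would happen in one transaction.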
References
For more detailed documentation, see the following resources
Dependencies
~11–23MB
~370K SLoC