I'm trying to setup device attestation. I believe I have everything setup correctly but the final step of signature validation never succeeds. I've added validation on the client side for debugging and it doesn't validate using CryptoKit.
After the assertion is created, I try to validate it:
assertion = try await DCAppAttestService.shared.generateAssertion(keyId, clientDataHash: clientDataHash)
await validateAssertionLocallyForDebugging(keyId: keyId, assertionObject: assertion, clientDataHash: clientDataHash)
In the validateAssertionLocallyForDebugging method, I extract all the data from the CBOR assertionObject and then setup the parameters to validate the signature, using the key that was created from the original attestation flow, but it fails every time. I'm getting the public key from the server using a temporary debugging API.
let publicKeyData = Data(base64Encoded: publicKeyB64)!
let p256PublicKey = try P256.Signing.PublicKey(derRepresentation: publicKeyData)
let ecdsaSignature = try P256.Signing.ECDSASignature(derRepresentation: signature)
let digestToVerify = SHA256.hash(data: authenticatorData + clientDataHash)
print(" - Recreated Digest to Verify: \(Data(digestToVerify).hexDescription)")
if p256PublicKey.isValidSignature(ecdsaSignature, for: digestToVerify) {
print("[DEBUG] SUCCESS: Local signature validation passed!")
} else {
print("[DEBUG] FAILED: Local signature validation failed.")
}
I have checked my .entitlements file and it is set to development. I have checked the keyId and verified the public key. I have verified the public key X,Y, the RP ID Hash, COSE data, and pretty much anything else I could think of. I've also tried using Gemini and Claude to debug this and that just sends me in circles of trying hashed, unhashed, and double hashed clientData. I'm doing this from Xcode on an M3 macbook air to an iPhone 16 Pro Max. Do you have any ideas on why the signature is not validating with everything else appears to be working? Thanks