2

I'm working through implementing the algorithm outlined by apple here for authenticating a player given a public key and signature, and I don't quite understand what they mean by

Verify with the appropriate signing authority that Apple signed the public key.

Once I've downloaded the .cer file, with NodeJS I can do something like this:

const publicKey = new X509Certificate(response.data)
console.log(publicKey.subject)

which will indeed show that the organization is Apple. If you look at some other implementations of this algorithm, it seems people are just checking "hey, is this a valid cert?", but not actually confirming with the signing authority.

In this case, the issuer of the certificate (I assume that a certificate authority is this is analogous with signing authority, but please correct me if I'm wrong) is DigiCert, Inc., so it seems like we'd almost have to somehow make some API call to them and ask "Hey, did you guys grant Apple this specific public key?"

Is this what apple means by "verify with the appropriate signing authority that Apple signed the public key."? Or am I getting signing authority confused and certificate authority confused?

Thanks!

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
Evan
  • 1,892
  • 2
  • 19
  • 40
  • 1
    The issuer (and thus its signer) of a certificate is called a certificate authority. There is no signer authority. You verify the signature by going through the normal certificate chain verification process. – President James K. Polk Jan 13 '23 at 13:18
  • Ugh, trying to answer this question but the Apple documentation is not very helpful to be honest. In the end you need to have the full chain towards a trusted (root) certificate, after which you can call methods such as [`SecTrustCreateWithCertificates`](https://developer.apple.com/documentation/security/1401555-sectrustcreatewithcertificates) and then perform the validation as described in that document. Only if necessary should you have to download and include the CA certificate in the certificates provided. Don't include the root cert, it should already be trusted in the system. – Maarten Bodewes Jan 13 '23 at 16:01
  • @PresidentJamesK.Polk what do you mean "the normal certificate chain verification process?" i.e., how would you recommend I verify that Apple signed the public key? – Evan Jan 14 '23 at 02:04
  • like what does Apple even mean by "Verify with the appropriate signing authority that Apple signed the public key" and is this necessary? – Evan Jan 14 '23 at 02:10
  • Forget about "signed public key", it's a certificate. An adversary can send you the signed data *and* their own public key, which is why you need to verify it. – Maarten Bodewes Jan 14 '23 at 04:00

0 Answers0