Skip to content

Android key attestation for POST /a#142

Open
ottodimi wants to merge 34 commits intomainfrom
dmitrytyshchenko/corplat-603-attestation-gateway-face-auth-flow-a-endpoint-android
Open

Android key attestation for POST /a#142
ottodimi wants to merge 34 commits intomainfrom
dmitrytyshchenko/corplat-603-attestation-gateway-face-auth-flow-a-endpoint-android

Conversation

@ottodimi
Copy link
Copy Markdown
Contributor

@ottodimi ottodimi commented Mar 25, 2026

Wire AndroidAttestationService, cert chain verification, and embedded Google hardware attestation roots. Extend BundleIdentifier with certificate_sha256_digest_base64 for attestation signature checks.

@ottodimi ottodimi force-pushed the dmitrytyshchenko/corplat-603-attestation-gateway-face-auth-flow-a-endpoint-ios branch from 6927282 to 70b627f Compare March 26, 2026 18:38
Base automatically changed from dmitrytyshchenko/corplat-603-attestation-gateway-face-auth-flow-a-endpoint-ios to main March 26, 2026 21:03
@ottodimi ottodimi force-pushed the dmitrytyshchenko/corplat-603-attestation-gateway-face-auth-flow-a-endpoint-android branch from 3d6b335 to 75306f7 Compare March 26, 2026 21:07
NnnOooPppEee
NnnOooPppEee reviewed Mar 26, 2026
View reviewed changes
attestation-gateway/src/android/android_cert_chain.rs
}

pub fn from_x509(cert_chain: Vec<X509>) -> eyre::Result<Self, AndroidCertChainError> {
if cert_chain.len() < 2 {
Copy link
Copy Markdown

@NnnOooPppEee NnnOooPppEee Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be at least 3 cert in the chain, but I did not do research on this, do you have a sense of why we chosed 2?

Copy link
Copy Markdown
Contributor Author

@ottodimi ottodimi Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually I just instinctively used 2 because I have special treatment for first and last cert in chain. Honestly it could be 1.

@socket-security
Copy link
Copy Markdown

socket-security bot commented Mar 27, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
License policy violation: cargo webpki-roots under CDLA-Permissive-2.0

License: CDLA-Permissive-2.0 - the applicable license policy does not allow this license (4) (webpki-roots-1.0.6/Cargo.toml)

License: CDLA-Permissive-2.0 - the applicable license policy does not allow this license (4) (webpki-roots-1.0.6/LICENSE)

From: ?cargo/reqwest@0.12.28cargo/aws-config@1.8.14cargo/aws-sdk-kinesis@1.101.0cargo/aws-sdk-kms@1.102.0cargo/aws-sdk-dynamodb@1.107.0cargo/webpki-roots@1.0.6

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/webpki-roots@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

ottodimi and others added 5 commits April 2, 2026 19:49
@ottodimi
Fix more clippy warnings
6931fae
@ottodimi
Fix more clippy warnings
416f50d
@ottodimi
Merge branch 'main' into dmitrytyshchenko/corplat-603-attestation-gat…
9a82b92 
…eway-face-auth-flow-a-endpoint-android
@ottodimi
Merge branch 'dmitrytyshchenko/corplat-603-attestation-gateway-face-a…
6161b57 
…uth-flow-a-endpoint-android' of github.com:worldcoin/attestation-gateway into dmitrytyshchenko/corplat-603-attestation-gateway-face-auth-flow-a-endpoint-android
@ottodimi
Fix merge issue
608e4a6
@ottodimi ottodimi requested a review from NnnOooPppEee April 2, 2026 16:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paolodamico paolodamico Awaiting requested review from paolodamico

@NnnOooPppEee NnnOooPppEee Awaiting requested review from NnnOooPppEee

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ottodimi @NnnOooPppEee