class WebAuthn::AttestationStatement::Apple

def attestation_type
  WebAuthn::AttestationStatement::ATTESTATION_TYPE_ANONCA
end

def cred_cert
  attestation_certificate
end

def default_root_certificates
  [ROOT_CERTIFICATE]
end

def valid?(authenticator_data, client_data_hash)
  valid_nonce?(authenticator_data, client_data_hash) &&
    matching_public_key?(authenticator_data) &&
    trustworthy? &&
    [attestation_type, attestation_trust_path]
end

def valid_nonce?(authenticator_data, client_data_hash)
  extension = cred_cert&.find_extension(NONCE_EXTENSION_OID)
  if extension
    sequence = OpenSSL::ASN1.decode(extension.value_der)
    sequence.tag == OpenSSL::ASN1::SEQUENCE &&
      sequence.value.size == 1 &&
      sequence.value[0].value[0].value ==
        OpenSSL::Digest::SHA256.digest(authenticator_data.data + client_data_hash)
  end
end