class WebAuthn::AttestationStatement::Apple

def valid_nonce?(authenticator_data, client_data_hash)
  extension = cred_cert&.find_extension(NONCE_EXTENSION_OID)
  if extension
    sequence = OpenSSL::ASN1.decode(extension.value_der)
    sequence.tag == OpenSSL::ASN1::SEQUENCE &&
      sequence.value.size == 1 &&
      sequence.value[0].value[0].value ==
        OpenSSL::Digest::SHA256.digest(authenticator_data.data + client_data_hash)
  end
end