From 2ab1e6658ed9f7e5c980987da28b9a79fa4635fc Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Tue, 9 Aug 2022 15:06:52 -0700
Subject: [PATCH] Fix nonce validation

The attestation certificate contains the nonce as raw bytes in the
extension 1.2.840.113635.100.8.11.1
---
 acme/challenge.go | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/acme/challenge.go b/acme/challenge.go
index 7f5a55cd..52be0ecd 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -346,12 +346,10 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 			return err
 		}
 
-		// Validate nonce with SHA-256 of the token
-		//
-		// TODO(mariano): validate this
-		if data.Nonce != "" {
+		// Validate nonce with SHA-256 of the token.
+		if len(data.Nonce) != 0 {
 			sum := sha256.Sum256([]byte(ch.Token))
-			if data.Nonce != hex.EncodeToString(sum[:]) {
+			if subtle.ConstantTimeCompare(data.Nonce, sum[:]) != 1 {
 				return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "challenge token does not match"))
 			}
 		}
@@ -408,7 +406,7 @@ var (
 )
 
 type appleAttestationData struct {
-	Nonce        string
+	Nonce        []byte
 	SerialNumber string
 	UDID         string
 	SEPVersion   string
@@ -474,7 +472,7 @@ func doAppleAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *At
 		case ext.Id.Equal(oidAppleSecureEnclaveProcessorOSVersion):
 			data.SEPVersion = string(ext.Value)
 		case ext.Id.Equal(oidAppleNonce):
-			data.Nonce = string(ext.Value)
+			data.Nonce = ext.Value
 		}
 	}