Apple device integration

AppleClientData

Apple's APIs accept a clientDataHash (SHA-256 of arbitrary bytes) that gets bound into the resulting attestation/assertion.

CDDL reference for AppleClientData

AppleClientData = [
    nonce: bstr  ; The complete nonce used for attestation
]

On iOS, the device must hash a CBOR-encoded AppleClientData array and pass the result as clientDataHash:

AppleClientData = [ nonce: bstr ]
clientDataHash = SHA-256(CBOR_encode(AppleClientData))

Here, nonce is the final nonce (see Final nonce composition), the same value the Attestation API will reconstruct on the verify side. The Attestation API recomputes this clientDataHash and checks that the assertion or attestation was produced over it.
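The derivation above as a reference implementation for cross-checking a device's output byte for byte. This is an added example, not code from the Attestation API or its SDK. The function names and the sample nonce are constructed for illustration, and it assumes the array and byte string use definite-length CBOR with the shortest length prefix (RFC 8949 preferred serialization), which this page does not spell out.

```python
import hashlib
import hmac


def _cbor_head(major: int, length: int) -> bytes:
    """Encode a CBOR head (RFC 8949) using the shortest length form."""
    if length < 24:
        return bytes([(major << 5) | length])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if length < 1 << (8 * size):
            return bytes([(major << 5) | info]) + length.to_bytes(size, "big")
    raise ValueError("length too large for CBOR")


def encode_apple_client_data(nonce: bytes) -> bytes:
    """CBOR-encode AppleClientData = [ nonce: bstr ]."""
    if not isinstance(nonce, (bytes, bytearray)):
        # A text string would encode as tstr (major type 3) and change the hash.
        raise TypeError("nonce must be bytes (CBOR bstr), not text")
    # Major type 4 = array with one element, major type 2 = byte string.
    return _cbor_head(4, 1) + _cbor_head(2, len(nonce)) + bytes(nonce)


def client_data_hash(nonce: bytes) -> bytes:
    """clientDataHash = SHA-256(CBOR_encode(AppleClientData))."""
    return hashlib.sha256(encode_apple_client_data(nonce)).digest()


def matches(nonce: bytes, received_hash: bytes) -> bool:
    """Verify-side check: recompute from the final nonce, compare in constant time."""
    return hmac.compare_digest(client_data_hash(nonce), received_hash)


# Constructed sample: a 32-byte nonce (not a real final nonce).
SAMPLE_NONCE = bytes(range(32))

if __name__ == "__main__":
    print("CBOR :", encode_apple_client_data(SAMPLE_NONCE).hex())
    print("hash :", client_data_hash(SAMPLE_NONCE).hex())
    # Hashing the raw nonce without the CBOR array wrapper does not verify.
    print("raw nonce hash accepted:",
          matches(SAMPLE_NONCE, hashlib.sha256(SAMPLE_NONCE).digest()))
```

For a 32-byte nonce the encoding is the three header bytes `81 58 20` followed by the nonce, so a device-side mismatch can usually be traced by comparing the pre-hash bytes first.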

Info: AppleClientData is not a field of XitAttestationToken; it is an internal structure the device uses to derive clientDataHash. It is documented here because device integrators need to construct it correctly for verification to succeed.