Add nonce to iOS attestation and enforce one-time use.

This change introduces a nonce field in the IosAttestationData proto. The server now checks if the provided nonce has been used before, rejecting requests with reused nonces. The nonce is also included in the content bindings when calling IosGuard's Decode RPC.

PiperOrigin-RevId: 895555506
diff --git a/quiche/blind_sign_auth/proto/attestation.proto b/quiche/blind_sign_auth/proto/attestation.proto index 31e31ea..7ab2f56 100644 --- a/quiche/blind_sign_auth/proto/attestation.proto +++ b/quiche/blind_sign_auth/proto/attestation.proto
@@ -111,6 +111,9 @@ // Device ID for quota checking. string device_id = 3; + + // Nonce returned from the server and added to the content bindings. + bytes nonce = 4; } message AttestationData {
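Review bot: The comment on the new `bytes nonce = 4;` field does not document the contract the commit message describes: that the nonce is single-use and that a reused value causes the request to be rejected. It also does not say what an empty or unset nonce means, which is what a client built before this change would send. Suggest extending the field comment to state that the value must be the one issued by the server for this attestation, that it is accepted only once, and whether an empty value is rejected. If the nonce has a fixed expected length, stating it here would help callers and let the server validate the size before the replay lookup.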