From ef2d6db86d26c579ea161f722e3d155d9f8cd9db Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Thu, 7 Mar 2024 18:35:35 +0100
Subject: [PATCH 01/64] feat: add ios app attestation

---
 .gitignore                                    |   1 +
 .../project.pbxproj                           |  32 +++-
 .../xcshareddata/IDEWorkspaceChecks.plist     |   8 +
 example/ios/Podfile.lock                      |  10 +-
 example/package.json                          |   4 +-
 example/src/App.tsx                           | 143 +++++++++++++++--
 example/src/components/ButtonWithLoader.tsx   |  40 +++++
 ios/IntegrityError.swift                      |  54 +++++++
 ios/IoReactNativeIntegrity.mm                 |  12 +-
 ios/IoReactNativeIntegrity.swift              | 146 +++++++++++++++++-
 pagopa-io-react-native-integrity.podspec      |   2 +-
 src/__tests__/index.test.tsx                  |  63 +++++++-
 src/index.tsx                                 |  25 ++-
 yarn.lock                                     |   9 ++
 14 files changed, 519 insertions(+), 30 deletions(-)
 create mode 100644 example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
 create mode 100644 example/src/components/ButtonWithLoader.tsx
 create mode 100644 ios/IntegrityError.swift

diff --git a/.gitignore b/.gitignore
index d3b53df..f559641 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,6 +28,7 @@ DerivedData
 *.ipa
 *.xcuserstate
 project.xcworkspace
+.xcode.env.local
 
 # Android/IJ
 #
diff --git a/example/ios/IoReactNativeIntegrityExample.xcodeproj/project.pbxproj b/example/ios/IoReactNativeIntegrityExample.xcodeproj/project.pbxproj
index c1e3241..2d61c3b 100644
--- a/example/ios/IoReactNativeIntegrityExample.xcodeproj/project.pbxproj
+++ b/example/ios/IoReactNativeIntegrityExample.xcodeproj/project.pbxproj
@@ -413,12 +413,13 @@
 			baseConfigurationReference = 5B7EB9410499542E8C5724F5 /* Pods-IoReactNativeIntegrityExample-IoReactNativeIntegrityExampleTests.debug.xcconfig */;
 			buildSettings = {
 				BUNDLE_LOADER = "$(TEST_HOST)";
+				DEVELOPMENT_TEAM = M2X5YQ4BJ7;
 				GCC_PREPROCESSOR_DEFINITIONS = (
 					"DEBUG=1",
 					"$(inherited)",
 				);
 				INFOPLIST_FILE = IoReactNativeIntegrityExampleTests/Info.plist;
-				IPHONEOS_DEPLOYMENT_TARGET = 13.4;
+				IPHONEOS_DEPLOYMENT_TARGET = 14.0;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/Frameworks",
@@ -441,8 +442,9 @@
 			buildSettings = {
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				COPY_PHASE_STRIP = NO;
+				DEVELOPMENT_TEAM = M2X5YQ4BJ7;
 				INFOPLIST_FILE = IoReactNativeIntegrityExampleTests/Info.plist;
-				IPHONEOS_DEPLOYMENT_TARGET = 13.4;
+				IPHONEOS_DEPLOYMENT_TARGET = 14.0;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/Frameworks",
@@ -466,8 +468,10 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CURRENT_PROJECT_VERSION = 1;
+				DEVELOPMENT_TEAM = M2X5YQ4BJ7;
 				ENABLE_BITCODE = NO;
 				INFOPLIST_FILE = IoReactNativeIntegrityExample/Info.plist;
+				IPHONEOS_DEPLOYMENT_TARGET = 14.0;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/Frameworks",
@@ -493,7 +497,9 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CURRENT_PROJECT_VERSION = 1;
+				DEVELOPMENT_TEAM = M2X5YQ4BJ7;
 				INFOPLIST_FILE = IoReactNativeIntegrityExample/Info.plist;
+				IPHONEOS_DEPLOYMENT_TARGET = 14.0;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/Frameworks",
@@ -544,7 +550,7 @@
 				COPY_PHASE_STRIP = NO;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_TESTABILITY = YES;
-				"EXCLUDED_ARCHS[sdk=iphonesimulator*]" = "";
+				"EXCLUDED_ARCHS[sdk=iphonesimulator*]" = i386;
 				GCC_C_LANGUAGE_STANDARD = gnu99;
 				GCC_DYNAMIC_NO_PIC = NO;
 				GCC_NO_COMMON_BLOCKS = YES;
@@ -560,7 +566,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
-				IPHONEOS_DEPLOYMENT_TARGET = 13.4;
+				IPHONEOS_DEPLOYMENT_TARGET = 14.0;
 				LD_RUNPATH_SEARCH_PATHS = (
 					/usr/lib/swift,
 					"$(inherited)",
@@ -572,6 +578,7 @@
 				);
 				MTL_ENABLE_DEBUG_INFO = YES;
 				ONLY_ACTIVE_ARCH = YES;
+				OTHER_CFLAGS = "$(inherited)";
 				OTHER_CPLUSPLUSFLAGS = (
 					"$(OTHER_CFLAGS)",
 					"-DFOLLY_NO_CONFIG",
@@ -579,7 +586,13 @@
 					"-DFOLLY_USE_LIBCPP=1",
 					"-DFOLLY_CFG_NO_COROUTINES=1",
 				);
+				OTHER_LDFLAGS = (
+					"$(inherited)",
+					" ",
+				);
+				REACT_NATIVE_PATH = "${PODS_ROOT}/../../node_modules/react-native";
 				SDKROOT = iphoneos;
+				USE_HERMES = true;
 			};
 			name = Debug;
 		};
@@ -616,7 +629,7 @@
 				COPY_PHASE_STRIP = YES;
 				ENABLE_NS_ASSERTIONS = NO;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
-				"EXCLUDED_ARCHS[sdk=iphonesimulator*]" = "";
+				"EXCLUDED_ARCHS[sdk=iphonesimulator*]" = i386;
 				GCC_C_LANGUAGE_STANDARD = gnu99;
 				GCC_NO_COMMON_BLOCKS = YES;
 				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
@@ -625,7 +638,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
-				IPHONEOS_DEPLOYMENT_TARGET = 13.4;
+				IPHONEOS_DEPLOYMENT_TARGET = 14.0;
 				LD_RUNPATH_SEARCH_PATHS = (
 					/usr/lib/swift,
 					"$(inherited)",
@@ -636,6 +649,7 @@
 					"\"$(inherited)\"",
 				);
 				MTL_ENABLE_DEBUG_INFO = NO;
+				OTHER_CFLAGS = "$(inherited)";
 				OTHER_CPLUSPLUSFLAGS = (
 					"$(OTHER_CFLAGS)",
 					"-DFOLLY_NO_CONFIG",
@@ -643,7 +657,13 @@
 					"-DFOLLY_USE_LIBCPP=1",
 					"-DFOLLY_CFG_NO_COROUTINES=1",
 				);
+				OTHER_LDFLAGS = (
+					"$(inherited)",
+					" ",
+				);
+				REACT_NATIVE_PATH = "${PODS_ROOT}/../../node_modules/react-native";
 				SDKROOT = iphoneos;
+				USE_HERMES = true;
 				VALIDATE_PRODUCT = YES;
 			};
 			name = Release;
diff --git a/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist b/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
new file mode 100644
index 0000000..18d9810
--- /dev/null
+++ b/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>IDEDidComputeMac32BitWarning</key>
+	<true/>
+</dict>
+</plist>
diff --git a/example/ios/Podfile.lock b/example/ios/Podfile.lock
index 5f68d5a..404bd9d 100644
--- a/example/ios/Podfile.lock
+++ b/example/ios/Podfile.lock
@@ -1115,6 +1115,8 @@ PODS:
     - React-jsi (= 0.73.5)
     - React-logger (= 0.73.5)
     - React-perflogger (= 0.73.5)
+  - RNSha256 (1.4.10):
+    - React-Core
   - SocketRocket (0.6.1)
   - Yoga (1.14.0)
 
@@ -1192,6 +1194,7 @@ DEPENDENCIES:
   - React-runtimescheduler (from `../node_modules/react-native/ReactCommon/react/renderer/runtimescheduler`)
   - React-utils (from `../node_modules/react-native/ReactCommon/react/utils`)
   - ReactCommon/turbomodule/core (from `../node_modules/react-native/ReactCommon`)
+  - RNSha256 (from `../node_modules/react-native-sha256`)
   - Yoga (from `../node_modules/react-native/ReactCommon/yoga`)
 
 SPEC REPOS:
@@ -1308,6 +1311,8 @@ EXTERNAL SOURCES:
     :path: "../node_modules/react-native/ReactCommon/react/utils"
   ReactCommon:
     :path: "../node_modules/react-native/ReactCommon"
+  RNSha256:
+    :path: "../node_modules/react-native-sha256"
   Yoga:
     :path: "../node_modules/react-native/ReactCommon/yoga"
 
@@ -1330,7 +1335,7 @@ SPEC CHECKSUMS:
   hermes-engine: 1d1835b2cc54c381909d94d1b3c8e0a2f1a94a0e
   libevent: 4049cae6c81cdb3654a443be001fb9bdceff7913
   OpenSSL-Universal: ebc357f1e6bc71fa463ccb2fe676756aff50e88c
-  pagopa-io-react-native-integrity: 429be694f02e0b01ad2a707938edac3de34a7110
+  pagopa-io-react-native-integrity: f6f51e45065ccc7e3116be86069ff04c7cfe1be7
   RCT-Folly: 7169b2b1c44399c76a47b5deaaba715eeeb476c0
   RCTRequired: 2544c0f1081a5fa12e108bb8cb40e5f4581ccd87
   RCTTypeSafety: 50efabe2b115c11ed03fbf3fd79e2f163ddb5d7c
@@ -1372,8 +1377,9 @@ SPEC CHECKSUMS:
   React-runtimescheduler: 814b644a5f456c7df1fba7bcd9914707152527c6
   React-utils: 987a4526a2fc0acdfaf87888adfe0bf9d0452066
   ReactCommon: 2947b0bffd82ea0e58ca7928881152d4c6dae9af
+  RNSha256: e1bc64e9e50b293d5282bb4caa1b2043931f1c9d
   SocketRocket: f32cd54efbe0f095c4d7594881e52619cfe80b17
-  Yoga: 9e6a04eacbd94f97d94577017e9f23b3ab41cf6c
+  Yoga: a716eea57d0d3430219c0a5a233e1e93ee931eb7
 
 PODFILE CHECKSUM: fd9c38ef526dee311429a7a1ecc7347bb228ae7f
 
diff --git a/example/package.json b/example/package.json
index 0e7a370..7dc435f 100644
--- a/example/package.json
+++ b/example/package.json
@@ -10,8 +10,10 @@
     "build:ios": "cd ios && xcodebuild -workspace IoReactNativeIntegrityExample.xcworkspace -scheme IoReactNativeIntegrityExample -configuration Debug -sdk iphonesimulator CC=clang CPLUSPLUS=clang++ LD=clang LDPLUSPLUS=clang++ GCC_OPTIMIZATION_LEVEL=0 GCC_PRECOMPILE_PREFIX_HEADER=YES ASSETCATALOG_COMPILER_OPTIMIZATION=time DEBUG_INFORMATION_FORMAT=dwarf COMPILER_INDEX_STORE_ENABLE=NO"
   },
   "dependencies": {
+    "buffer": "^6.0.3",
     "react": "18.2.0",
-    "react-native": "0.73.5"
+    "react-native": "0.73.5",
+    "react-native-sha256": "^1.4.10"
   },
   "devDependencies": {
     "@babel/core": "^7.20.0",
diff --git a/example/src/App.tsx b/example/src/App.tsx
index 71a5d0f..537208e 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -1,19 +1,130 @@
 import * as React from 'react';
+import { Buffer } from 'buffer';
+import { sha256 } from 'react-native-sha256';
+import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
+import {
+  generateHardwareKey,
+  getAttestation,
+  isAttestationServiceAvailable,
+  generateHardwareSignatureWithAssertion,
+} from '@pagopa/io-react-native-integrity';
+import ButtonWithLoader from './components/ButtonWithLoader';
 
-import { StyleSheet, View, Text } from 'react-native';
-import { multiply } from '@pagopa/io-react-native-integrity';
+const challenge = 'challengeFromServer';
 
 export default function App() {
-  const [result, setResult] = React.useState<number | undefined>();
+  const [hardwareKeyTag, setHardwareKeyTag] = React.useState<
+    string | undefined
+  >('');
+  const [attestation, setAttestation] = React.useState<string | undefined>('');
+  const [decodedAttestation, setDecodedAttestation] = React.useState<
+    string | undefined
+  >('');
+  const [isServiceAvailable, setIsServiceAvailable] =
+    React.useState<boolean>(false);
+  const [debugLog, setDebugLog] = React.useState<string>('.. >');
 
   React.useEffect(() => {
-    multiply(3, 7).then(setResult);
+    isAttestationServiceAvailable()
+      .then((result) => {
+        setIsServiceAvailable(result);
+      })
+      .catch((error) => {
+        setDebugLog(error);
+      });
   }, []);
 
+  const getHardwareKey = async () => {
+    if (hardwareKeyTag === '' || hardwareKeyTag === undefined) {
+      setHardwareKeyTag(undefined);
+      const hardwareKey = await generateHardwareKey();
+      setHardwareKeyTag(hardwareKey);
+      setDebugLog(hardwareKey);
+    } else {
+      setDebugLog(hardwareKeyTag);
+    }
+  };
+
+  const requestAttestation = async () => {
+    setAttestation(undefined);
+    if (hardwareKeyTag) {
+      const result = await getAttestation(challenge, hardwareKeyTag);
+      setAttestation(result);
+      setDebugLog(result);
+    }
+  };
+
+  const decodeAttestation = () => {
+    // decode attestation from base64 to string
+    setDecodedAttestation(undefined);
+    if (attestation) {
+      const attestationDecoded = Buffer.from(attestation, 'base64').toString(
+        'hex'
+      );
+      setDecodedAttestation(attestationDecoded);
+      setDebugLog(attestationDecoded);
+    }
+  };
+
+  const getHardwareSignatureWithAssertion = async () => {
+    // this is a mocked jwk for ephimeral public key, in a production
+    // environment the ephimeral key must be generated by the client
+    // every time a WTE must be required
+    const jwk = {
+      crv: 'P-256',
+      kty: 'EC',
+      x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
+      y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
+      kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
+    };
+
+    const clientData = {
+      challenge: challenge,
+      jwk: jwk,
+    };
+
+    if (hardwareKeyTag) {
+      const clientDataHash = await sha256(JSON.stringify(clientData));
+
+      const result = await generateHardwareSignatureWithAssertion(
+        clientDataHash,
+        hardwareKeyTag
+      );
+      setDebugLog(result);
+    }
+  };
+
   return (
-    <View style={styles.container}>
-      <Text>Result: {result}</Text>
-    </View>
+    <SafeAreaView style={styles.container}>
+      <Text style={styles.h1}>Integrity Check Demo App</Text>
+      {isServiceAvailable ? (
+        <>
+          <ButtonWithLoader
+            title="Generate Hardware Key"
+            onPress={() => getHardwareKey()}
+            loading={hardwareKeyTag === undefined}
+          />
+          <ButtonWithLoader
+            title="Get attestation"
+            onPress={() => requestAttestation()}
+            loading={attestation === undefined}
+          />
+          <ButtonWithLoader
+            title="Decode Attestation"
+            onPress={() => decodeAttestation()}
+            loading={decodedAttestation === undefined}
+          />
+          <ButtonWithLoader
+            title="Generate Hardware Signature"
+            onPress={() => getHardwareSignatureWithAssertion()}
+            loading={decodedAttestation === undefined}
+          />
+        </>
+      ) : null}
+      <ScrollView style={styles.debug}>
+        <Text>{debugLog}</Text>
+      </ScrollView>
+    </SafeAreaView>
   );
 }
 
@@ -21,11 +132,19 @@ const styles = StyleSheet.create({
   container: {
     flex: 1,
     alignItems: 'center',
-    justifyContent: 'center',
   },
-  box: {
-    width: 60,
-    height: 60,
-    marginVertical: 20,
+  h1: {
+    fontWeight: 'bold',
+    fontSize: 32,
+    textAlign: 'center',
+    marginTop: 50,
+    marginBottom: 50,
+  },
+  debug: {
+    width: '100%',
+    height: 300,
+    position: 'absolute',
+    bottom: 0,
+    backgroundColor: '#eaeaea',
   },
 });
diff --git a/example/src/components/ButtonWithLoader.tsx b/example/src/components/ButtonWithLoader.tsx
new file mode 100644
index 0000000..26a65ef
--- /dev/null
+++ b/example/src/components/ButtonWithLoader.tsx
@@ -0,0 +1,40 @@
+import React from 'react';
+import { ActivityIndicator, Button, StyleSheet, View } from 'react-native';
+
+type Props = {
+  /**
+   * The title of the button
+   */
+  title: string;
+  /**
+   * The action to perform when the button is pressed
+   */
+  onPress: () => void;
+  /**
+   * Whether the button is in a loading state
+   */
+  loading?: boolean;
+};
+
+/**
+ * A button component with a loader that can be shown when the button is in a loading state.
+ * The loader is a spinner showed at the right of the button title.
+ */
+const ButtonWithLoader = (props: Props) => {
+  return (
+    <View style={styles.container}>
+      <Button
+        title={props.title}
+        onPress={props.onPress}
+        disabled={props.loading}
+      />
+      {props.loading && <ActivityIndicator />}
+    </View>
+  );
+};
+
+const styles = StyleSheet.create({
+  container: { flexDirection: 'row', alignItems: 'center' },
+});
+
+export default ButtonWithLoader;
diff --git a/ios/IntegrityError.swift b/ios/IntegrityError.swift
new file mode 100644
index 0000000..92c3497
--- /dev/null
+++ b/ios/IntegrityError.swift
@@ -0,0 +1,54 @@
+//
+//  IntegrityError.swift
+//  pagopa-io-react-native-integrity
+//
+//  Created by Mario Perrotta on 07/03/24.
+//
+
+enum IntegrityError: Error {
+    case generationKeyFailed
+    case unsupportedService
+    case attestationError
+    case unsupportedIOSVersion
+    case challengeError
+    case clientDataEncoding
+    case generationAssertionFailed
+    
+    var code: String {
+        switch self {
+          case .generationKeyFailed:
+              return "generation_key_failed"
+          case .unsupportedService:
+              return "unsupported_service"
+          case .attestationError:
+              return "attestation_error"
+          case .unsupportedIOSVersion:
+              return "unsupported_ios_version"
+          case .challengeError:
+              return "challenge_error"
+          case .clientDataEncoding:
+              return "client_data_encoding_error"
+          case .generationAssertionFailed:
+              return "generation_assertion_failed"
+        }
+    }
+    
+    var message: String {
+        switch self {
+          case .generationKeyFailed:
+              return "Generation key failed."
+          case .unsupportedService:
+              return "Unsupported service."
+          case .attestationError:
+              return "Attestation error during generation."
+          case .unsupportedIOSVersion:
+              return "App attest service requires iOS 14 or above."
+          case .challengeError:
+              return "Error getting challenge data"
+          case .clientDataEncoding:
+              return "Error encoding client data"
+          case .generationAssertionFailed:
+              return "Generation Assertion failed"
+        }
+    }
+}
diff --git a/ios/IoReactNativeIntegrity.mm b/ios/IoReactNativeIntegrity.mm
index 0b5c652..87baeaf 100644
--- a/ios/IoReactNativeIntegrity.mm
+++ b/ios/IoReactNativeIntegrity.mm
@@ -2,7 +2,17 @@
 
 @interface RCT_EXTERN_MODULE(IoReactNativeIntegrity, NSObject)
 
-RCT_EXTERN_METHOD(multiply:(float)a withB:(float)b
+RCT_EXTERN_METHOD(isAttestationServiceAvailable:(RCTPromiseResolveBlock)resolve
+                 withRejecter:(RCTPromiseRejectBlock)reject)
+
+RCT_EXTERN_METHOD(generateHardwareKey:(RCTPromiseResolveBlock)resolve
+                 withRejecter:(RCTPromiseRejectBlock)reject)
+
+RCT_EXTERN_METHOD(getAttestation:(NSString)challenge withHardwareKeyTag:(NSString)hardwareKeyTag
+                 withResolver:(RCTPromiseResolveBlock)resolve
+                 withRejecter:(RCTPromiseRejectBlock)reject)
+
+RCT_EXTERN_METHOD(generateHardwareSignatureWithAssertion:(NSString)clientData withHardwareKeyTag:(NSString)hardwareKeyTag
                  withResolver:(RCTPromiseResolveBlock)resolve
                  withRejecter:(RCTPromiseRejectBlock)reject)
 
diff --git a/ios/IoReactNativeIntegrity.swift b/ios/IoReactNativeIntegrity.swift
index 694a52e..8c3cc2a 100644
--- a/ios/IoReactNativeIntegrity.swift
+++ b/ios/IoReactNativeIntegrity.swift
@@ -1,8 +1,146 @@
+import DeviceCheck
+import CryptoKit
+
+/// A class to interact with the DeviceCheck and CryptoKit frameworks to ensure the integrity of the device and app.
 @objc(IoReactNativeIntegrity)
 class IoReactNativeIntegrity: NSObject {
-
-  @objc(multiply:withB:withResolver:withRejecter:)
-  func multiply(a: Float, b: Float, resolve:RCTPromiseResolveBlock,reject:RCTPromiseRejectBlock) -> Void {
-    resolve(a*b)
+  
+  /// Private function to rejects a promise with a specified error.
+  /// - Parameters:
+  ///   - reject: The promise reject block to call when rejecting a promise.
+  ///   - error: The error to use for rejection, providing an error code and message.
+  private func rejectPromise(_ reject: @escaping RCTPromiseRejectBlock, withError error: IntegrityError) {
+    reject(error.code, error.message, nil)
+  }
+  
+  /// Determines if the DeviceCheck App Attestation Service is available on the device.
+  /// - Parameters:
+  ///   - resolve: The promise resolve block to call with the result.
+  ///   - reject: The promise reject block to call in case of an error.
+  @objc(isAttestationServiceAvailable:withRejecter:)
+  func isAttestationServiceAvailable(resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
+    guard #available(iOS 14.0, *) else {
+      self.rejectPromise(reject, withError: .unsupportedIOSVersion)
+      return
+    }
+    
+    if DCAppAttestService.shared.isSupported {
+      resolve(true)
+    } else {
+      self.rejectPromise(reject, withError: .unsupportedService)
+    }
+  }
+  
+  /// Generates a hardware key using the DeviceCheck App Attestation Service.
+  /// - Parameters:
+  ///   - resolve: The promise resolve block to call with the hardware key tag.
+  ///   - reject: The promise reject block to call in case of an error.
+  @objc(generateHardwareKey:withRejecter:)
+  func generateHardwareKey(resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
+    
+    guard #available(iOS 14.0, *) else {
+      self.rejectPromise(reject, withError: .unsupportedIOSVersion)
+      return
+    }
+    
+    if DCAppAttestService.shared.isSupported {
+      let service = DCAppAttestService.shared
+      
+      service.generateKey { hardwareKeyTag, error in
+          
+        guard error == nil else {
+          self.rejectPromise(reject, withError: .generationKeyFailed)
+          return
+        }
+          
+        resolve(hardwareKeyTag)
+          
+      }
+    } else {
+      self.rejectPromise(reject, withError: .unsupportedService)
+    }
+  }
+  
+  /// Requests an attestation of the hardware key for a given challenge.
+  /// - Parameters:
+  ///   - challenge: A string representing the challenge for which the attestation is requested.
+  ///   - hardwareKeyTag: A string representing the hardware key tag to be attested.
+  ///   - resolve: The promise resolve block to call with the attestation result.
+  ///   - reject: The promise reject block to call in case of an error.
+  @objc(getAttestation:withHardwareKeyTag:withResolver:withRejecter:)
+  func getAttestation(challenge: String, hardwareKeyTag: String, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
+    
+    guard #available(iOS 14.0, *) else {
+      self.rejectPromise(reject, withError: .unsupportedIOSVersion)
+      return
+    }
+    
+    if DCAppAttestService.shared.isSupported {
+      let service = DCAppAttestService.shared
+      
+      // Safely encode the challenge string to data and generate a hash.
+      guard let challengeData = challenge.data(using: .utf8) else {
+          self.rejectPromise(reject, withError: .challengeError)
+          return
+      }
+      let hash = Data(SHA256.hash(data: challengeData))
+      
+      // Request attestation with the generated hash and handle the response
+      service.attestKey(hardwareKeyTag, clientDataHash: hash) {attestation, error in
+            
+        guard error == nil else {
+          self.rejectPromise(reject, withError: .attestationError)
+          return
+        }
+        
+        let encodedAttestation = attestation?.base64EncodedString()
+          resolve(encodedAttestation)
+        }
+        
+    } else {
+      self.rejectPromise(reject, withError: .unsupportedService)
+    }
+  }
+  
+  /// Requests an hardwareSignature with assertion for a given clientData and hardwareKeyTag.
+  /// - Parameters:
+  ///   - clientData: A string representing the clientData (challange+publicJwkEphimeralKey)).
+  ///   - hardwareKeyTag: A string representing the hardware key tag to be attested.
+  ///   - resolve: The promise resolve block to call with the attestation result.
+  ///   - reject: The promise reject block to call in case of an error.
+  @objc(generateHardwareSignatureWithAssertion:withHardwareKeyTag:withResolver:withRejecter:)
+  func generateHardwareSignatureWithAssertion(clientData: String, hardwareKeyTag: String, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
+    
+    guard #available(iOS 14.0, *) else {
+      self.rejectPromise(reject, withError: .unsupportedIOSVersion)
+      return
+    }
+    
+    if DCAppAttestService.shared.isSupported {
+      let service = DCAppAttestService.shared
+      
+      // Safely encode the clientData string to data and generate a hash.
+      guard let encodedClientData = clientData.data(using: .utf8) else {
+        self.rejectPromise(reject, withError: .clientDataEncoding)
+        return
+      }
+      
+      let clientDataHash = Data(SHA256.hash(data: encodedClientData))
+      
+      service.generateAssertion(hardwareKeyTag, clientDataHash: clientDataHash) { assertion, error in
+        
+        guard error == nil else {
+          self.rejectPromise(reject, withError: .generationAssertionFailed)
+          return
+        }
+        
+        let encodedAssertion = assertion?.base64EncodedString()
+        resolve(encodedAssertion)
+        
+      }
+    } else {
+      self.rejectPromise(reject, withError: .unsupportedService)
+    }
   }
+  
 }
diff --git a/pagopa-io-react-native-integrity.podspec b/pagopa-io-react-native-integrity.podspec
index 55a93d9..4878d83 100644
--- a/pagopa-io-react-native-integrity.podspec
+++ b/pagopa-io-react-native-integrity.podspec
@@ -12,7 +12,7 @@ Pod::Spec.new do |s|
   s.authors      = package["author"]
 
   s.platforms    = { :ios => min_ios_version_supported }
-  s.source       = { :git => "https://github.com/LazyAfternoons/pagopa-io-react-native-integrity.git", :tag => "#{s.version}" }
+  s.source       = { :git => "https://github.com/pagopa/io-react-native-integrity.git", :tag => "#{s.version}" }
 
   s.source_files = "ios/**/*.{h,m,mm,swift}"
 
diff --git a/src/__tests__/index.test.tsx b/src/__tests__/index.test.tsx
index bf84291..ef56709 100644
--- a/src/__tests__/index.test.tsx
+++ b/src/__tests__/index.test.tsx
@@ -1 +1,62 @@
-it.todo('write a test');
+import { NativeModules } from 'react-native';
+import {
+  generateHardwareKey,
+  getAttestation,
+  isAttestationServiceAvailable,
+  generateHardwareSignatureWithAssertion,
+} from '..';
+
+jest.mock('react-native', () => ({
+  NativeModules: {
+    IoReactNativeIntegrity: {
+      isAttestationServiceAvailable: jest.fn(),
+      generateHardwareKey: jest.fn(),
+      getAttestation: jest.fn(),
+      generateHardwareSignatureWithAssertion: jest.fn(),
+    },
+  },
+  Platform: {
+    select: jest.fn(),
+  },
+}));
+
+describe('Test integrity check function exposed by main package', () => {
+  it('isAttestationServiceAvailable it should be called correctly', async () => {
+    const spy = jest.spyOn(
+      NativeModules.IoReactNativeIntegrity,
+      'isAttestationServiceAvailable'
+    );
+    await isAttestationServiceAvailable();
+    expect(spy).toHaveBeenCalled();
+  });
+
+  it('generateHardwareKey it should be called correctly', async () => {
+    const spy = jest.spyOn(
+      NativeModules.IoReactNativeIntegrity,
+      'generateHardwareKey'
+    );
+    await generateHardwareKey();
+    expect(spy).toHaveBeenCalled();
+  });
+
+  it('getAttestation it should be called correctly', async () => {
+    const spy = jest.spyOn(
+      NativeModules.IoReactNativeIntegrity,
+      'getAttestation'
+    );
+    await getAttestation('challenge', 'hardwareKeyTag');
+    expect(spy).toHaveBeenCalledWith('challenge', 'hardwareKeyTag');
+  });
+
+  it('generateHardwareSignatureWithAssertion it should be called correctly', async () => {
+    const spy = jest.spyOn(
+      NativeModules.IoReactNativeIntegrity,
+      'generateHardwareSignatureWithAssertion'
+    );
+    await generateHardwareSignatureWithAssertion(
+      'clientData',
+      'hardwareKeyTag'
+    );
+    expect(spy).toHaveBeenCalledWith('clientData', 'hardwareKeyTag');
+  });
+});
diff --git a/src/index.tsx b/src/index.tsx
index ed57c88..19b5d01 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -17,6 +17,27 @@ const IoReactNativeIntegrity = NativeModules.IoReactNativeIntegrity
       }
     );
 
-export function multiply(a: number, b: number): Promise<number> {
-  return IoReactNativeIntegrity.multiply(a, b);
+export function isAttestationServiceAvailable(): Promise<boolean> {
+  return IoReactNativeIntegrity.isAttestationServiceAvailable();
+}
+
+export function generateHardwareKey(): Promise<string> {
+  return IoReactNativeIntegrity.generateHardwareKey();
+}
+
+export function getAttestation(
+  challenge: string,
+  hardwareKeyTag: string
+): Promise<string> {
+  return IoReactNativeIntegrity.getAttestation(challenge, hardwareKeyTag);
+}
+
+export function generateHardwareSignatureWithAssertion(
+  clientData: string,
+  hardwareKeyTag: string
+): Promise<string> {
+  return IoReactNativeIntegrity.generateHardwareSignatureWithAssertion(
+    clientData,
+    hardwareKeyTag
+  );
 }
diff --git a/yarn.lock b/yarn.lock
index 441a195..ebc847d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2558,8 +2558,10 @@ __metadata:
     "@react-native/metro-config": 0.73.5
     "@react-native/typescript-config": 0.73.1
     babel-plugin-module-resolver: ^5.0.0
+    buffer: ^6.0.3
     react: 18.2.0
     react-native: 0.73.5
+    react-native-sha256: ^1.4.10
   languageName: unknown
   linkType: soft
 
@@ -10760,6 +10762,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"react-native-sha256@npm:^1.4.10":
+  version: 1.4.10
+  resolution: "react-native-sha256@npm:1.4.10"
+  checksum: db49be891c2eece1de582215637c463fc5636fce7d58c2e78f1e60d6847eb121d3233f12c5793f43a193df6a79852eec459ef1a7e34c70133146a9fe332f055b
+  languageName: node
+  linkType: hard
+
 "react-native@npm:0.73.5":
   version: 0.73.5
   resolution: "react-native@npm:0.73.5"

From 18bedbe9a7d1ae08a437cf60508c0934f50088b5 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Fri, 8 Mar 2024 09:56:10 +0100
Subject: [PATCH 02/64] chore: update

---
 example/src/App.tsx | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/example/src/App.tsx b/example/src/App.tsx
index 537208e..5637378 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -83,6 +83,10 @@ export default function App() {
       jwk: jwk,
     };
 
+    // Between Android and iOS there is a difference for the generation of hardwareSignature
+    // and assertion as on iOS both are generated directly from the SDK via generateAssertion
+    // while on Android the hardwareSignature must be generated via the signature functions and
+    // the assertion must be retrieved from the backend via an integrityToken.
     if (hardwareKeyTag) {
       const clientDataHash = await sha256(JSON.stringify(clientData));
 

From fa2bf5de7d3eb6a4f78e9ab3986adfb317018fd4 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Fri, 8 Mar 2024 14:52:23 +0100
Subject: [PATCH 03/64] chore: update

---
 example/src/App.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/src/App.tsx b/example/src/App.tsx
index 5637378..79125ce 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -119,7 +119,7 @@ export default function App() {
             loading={decodedAttestation === undefined}
           />
           <ButtonWithLoader
-            title="Generate Hardware Signature"
+            title="Generate HS and Assertion"
             onPress={() => getHardwareSignatureWithAssertion()}
             loading={decodedAttestation === undefined}
           />

From 01c773276e7f86d28b4fa8eb7ae4da6ba09ff8d8 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Sat, 9 Mar 2024 10:18:47 +0100
Subject: [PATCH 04/64] chore: update

---
 example/ios/Podfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/ios/Podfile.lock b/example/ios/Podfile.lock
index 404bd9d..53d9fc9 100644
--- a/example/ios/Podfile.lock
+++ b/example/ios/Podfile.lock
@@ -1335,7 +1335,7 @@ SPEC CHECKSUMS:
   hermes-engine: 1d1835b2cc54c381909d94d1b3c8e0a2f1a94a0e
   libevent: 4049cae6c81cdb3654a443be001fb9bdceff7913
   OpenSSL-Universal: ebc357f1e6bc71fa463ccb2fe676756aff50e88c
-  pagopa-io-react-native-integrity: f6f51e45065ccc7e3116be86069ff04c7cfe1be7
+  pagopa-io-react-native-integrity: dc1de6afe65dc17df6974a5bdfa68cf354a0b5a5
   RCT-Folly: 7169b2b1c44399c76a47b5deaaba715eeeb476c0
   RCTRequired: 2544c0f1081a5fa12e108bb8cb40e5f4581ccd87
   RCTTypeSafety: 50efabe2b115c11ed03fbf3fd79e2f163ddb5d7c

From e73647afce62e5f05e81b321cf0e952ddb7b80d2 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Sat, 9 Mar 2024 18:07:43 +0100
Subject: [PATCH 05/64] feat: add backend for local development

---
 .gitignore                                    |   3 +
 backend/.env.local                            |   3 +
 backend/README.md                             |   1 +
 backend/nodemon.json                          |   6 +
 backend/package.json                          |  34 +
 backend/src/index.ts                          |  93 +++
 backend/src/verifyAssertion.ts                |  96 +++
 backend/src/verifyAttestation.ts              | 219 ++++++
 backend/tsconfig.json                         |  18 +
 example/.env.local                            |   1 +
 example/babel.config.js                       |  11 +
 example/env.d.ts                              |   3 +
 .../IoReactNativeIntegrityExample/Info.plist  |   2 +-
 example/package.json                          |   1 +
 example/src/App.tsx                           | 100 ++-
 package.json                                  |   6 +-
 yarn.lock                                     | 630 +++++++++++++++++-
 17 files changed, 1187 insertions(+), 40 deletions(-)
 create mode 100644 backend/.env.local
 create mode 100644 backend/README.md
 create mode 100644 backend/nodemon.json
 create mode 100644 backend/package.json
 create mode 100644 backend/src/index.ts
 create mode 100644 backend/src/verifyAssertion.ts
 create mode 100644 backend/src/verifyAttestation.ts
 create mode 100644 backend/tsconfig.json
 create mode 100644 example/.env.local
 create mode 100644 example/env.d.ts

diff --git a/.gitignore b/.gitignore
index f559641..e5eee2f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -77,3 +77,6 @@ android/keystores/debug.keystore
 
 # generated by bob
 lib/
+
+# Others
+.env
diff --git a/backend/.env.local b/backend/.env.local
new file mode 100644
index 0000000..8aef389
--- /dev/null
+++ b/backend/.env.local
@@ -0,0 +1,3 @@
+PORT =
+BUNDLE_IDENTIFIER = '';
+TEAM_IDENTIFIER = '';
diff --git a/backend/README.md b/backend/README.md
new file mode 100644
index 0000000..0519ecb
--- /dev/null
+++ b/backend/README.md
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/backend/nodemon.json b/backend/nodemon.json
new file mode 100644
index 0000000..3d850a5
--- /dev/null
+++ b/backend/nodemon.json
@@ -0,0 +1,6 @@
+{
+  "watch": ["src"],
+  "ext": ".ts,.js",
+  "ignore": [],
+  "exec": "npx ts-node ./src/index.ts"
+}
diff --git a/backend/package.json b/backend/package.json
new file mode 100644
index 0000000..ae18bc3
--- /dev/null
+++ b/backend/package.json
@@ -0,0 +1,34 @@
+{
+  "name": "@pagopa/io-react-native-integrity-backend",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "start:dev": "npx nodemon",
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "build": "rimraf ./build && tsc",
+    "start": "npm run build && node build/index.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "devDependencies": {
+    "@types/dotenv": "^8.2.0",
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.11.25",
+    "@types/uuid": "^9.0.8",
+    "nodemon": "^3.1.0",
+    "rimraf": "^5.0.5",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.4.2"
+  },
+  "dependencies": {
+    "asn1js": "^3.0.5",
+    "body-parser": "^1.20.2",
+    "cbor": "^9.0.2",
+    "dotenv": "^16.4.5",
+    "express": "^4.18.3",
+    "pkijs": "^3.0.15",
+    "uuid": "^9.0.1"
+  }
+}
diff --git a/backend/src/index.ts b/backend/src/index.ts
new file mode 100644
index 0000000..03ced41
--- /dev/null
+++ b/backend/src/index.ts
@@ -0,0 +1,93 @@
+import express from 'express';
+import { v4 as uuid } from 'uuid';
+import dotenv from 'dotenv';
+import verifyAttestation from './verifyAttestation';
+import bodyParser from 'body-parser';
+import verifyAssertion from './verifyAssertion';
+
+dotenv.config();
+const app = express();
+app.use(bodyParser.json());
+app.use(bodyParser.urlencoded({ extended: false }));
+
+const port = process.env.PORT || 3000;
+const nonce = uuid();
+let attestation: any = null;
+
+const BUNDLE_IDENTIFIER = process.env.BUNDLE_IDENTIFIER || '';
+const TEAM_IDENTIFIER = process.env.TEAM_IDENTIFIER || '';
+
+app.get('/attest/nonce', (_, res) => {
+  console.debug(`challange was requested, returning ${nonce}`);
+  res.send(JSON.stringify({ nonce }));
+});
+
+app.post(`/attest/verify`, (req, res) => {
+  try {
+    console.debug(`verify was requested: ${JSON.stringify(req.body, null, 2)}`);
+    if (nonce !== req.body.challenge) {
+      throw new Error('Invalid challenge');
+    }
+
+    const result = verifyAttestation({
+      attestation: Buffer.from(req.body.attestation, 'base64'),
+      challenge: req.body.challenge,
+      keyId: req.body.hardwareKeyTag,
+      bundleIdentifier: BUNDLE_IDENTIFIER,
+      teamIdentifier: TEAM_IDENTIFIER,
+      allowDevelopmentEnvironment: true,
+    });
+
+    // store the attestation for later use
+    attestation = {
+      keyId: req.body.hardwareKeyTag,
+      publicKey: result.publicKey,
+      signCount: 0,
+    };
+
+    res.json({ result: 'ok' });
+  } catch (error) {
+    console.error(error);
+    res.status(401).send({ error: 'Unauthorized' });
+  }
+});
+
+app.post(`/assertion/verify`, (req, res) => {
+  try {
+    const { hardwareKeyTag, assertion } = req.body;
+
+    if (hardwareKeyTag === undefined || assertion === undefined) {
+      throw new Error('Invalid authentication');
+    }
+
+    if (nonce !== req.body.challenge) {
+      throw new Error('Invalid challenge');
+    }
+
+    if (!attestation) {
+      throw new Error('No attestation found');
+    }
+
+    console.log(req.body.payload);
+    const result = verifyAssertion({
+      assertion: assertion,
+      payload: req.body.payload,
+      publicKey: attestation.publicKey,
+      bundleIdentifier: BUNDLE_IDENTIFIER,
+      teamIdentifier: TEAM_IDENTIFIER,
+      signCount: attestation.signCount,
+    });
+
+    console.log(result);
+    console.debug(`Received message: ${JSON.stringify(req.body)}`);
+
+    res.send({ result: 'ok' });
+  } catch (error) {
+    console.error(error);
+    res.status(401).send({ error: 'Unauthorized' });
+  }
+});
+
+app.listen(port, () => {
+  console.log(`[server]: Server is running at http://localhost:3000`);
+});
diff --git a/backend/src/verifyAssertion.ts b/backend/src/verifyAssertion.ts
new file mode 100644
index 0000000..1d869b5
--- /dev/null
+++ b/backend/src/verifyAssertion.ts
@@ -0,0 +1,96 @@
+import * as cbor from 'cbor';
+import { createHash, createVerify } from 'crypto';
+
+export type VerifyAssertionParams = {
+  assertion: string;
+  payload: Buffer;
+  publicKey: string;
+  bundleIdentifier: string;
+  teamIdentifier: string;
+  signCount: number;
+};
+
+/**
+ * A function to verify an assertion from a hardware key.
+ * @param params
+ * @returns
+ */
+const verifyAssertion = (params: VerifyAssertionParams) => {
+  const {
+    assertion,
+    payload,
+    publicKey,
+    bundleIdentifier,
+    teamIdentifier,
+    signCount,
+  } = params;
+
+  if (!bundleIdentifier) {
+    throw new Error('bundleIdentifier is required');
+  }
+
+  if (!teamIdentifier) {
+    throw new Error('teamIdentifier is required');
+  }
+
+  if (!assertion) {
+    throw new Error('assertion is required');
+  }
+
+  if (!payload) {
+    throw new Error('payload is required');
+  }
+
+  if (!publicKey) {
+    throw new Error('publicKey is required');
+  }
+
+  // 1. Decode the assertion from base64 to string
+  let decodedAssertion;
+  try {
+    const decodedAssertionString = Buffer.from(assertion, 'base64').toString(
+      'hex'
+    );
+    decodedAssertion = cbor.decodeAllSync(decodedAssertionString)[0];
+  } catch (e) {
+    throw new Error('invalid assertion');
+  }
+
+  const { signature, authenticatorData } = decodedAssertion;
+
+  // 2. Compute the SHA256 hash of the client data, and store it as clientDataHash.
+  const clientDataHash = createHash('sha256').update(payload).digest();
+
+  // 3. Compute the SHA256 hash of the concatenation of the authenticator
+  // data and the client data hash, and store it as nonce.
+  const nonce = createHash('sha256')
+    .update(Buffer.concat([authenticatorData, clientDataHash]))
+    .digest();
+
+  // 4. Verify the signature using the public key and nonce.
+  const verifier = createVerify('SHA256');
+  verifier.update(nonce);
+  if (!verifier.verify(publicKey, signature)) {
+    throw new Error('invalid signature');
+  }
+
+  // 5. Compute the SHA256 hash of your app’s App ID, and verify that it’s the same as the authenticator data’s RP ID hash.
+  const appIdHash = createHash('sha256')
+    .update(`${teamIdentifier}.${bundleIdentifier}`)
+    .digest('base64');
+  const rpiIdHash = authenticatorData.subarray(0, 32).toString('base64');
+
+  if (appIdHash !== rpiIdHash) {
+    throw new Error('appId does not match');
+  }
+
+  // 6. Verify that the authenticator data’s counter field is larger than the stored signCount.
+  const nextSignCount = authenticatorData.subarray(33, 37).readInt32BE();
+  if (nextSignCount <= signCount) {
+    throw new Error('invalid signCount');
+  }
+
+  return { signCount: nextSignCount };
+};
+
+export default verifyAssertion;
diff --git a/backend/src/verifyAttestation.ts b/backend/src/verifyAttestation.ts
new file mode 100644
index 0000000..9a1b6ae
--- /dev/null
+++ b/backend/src/verifyAttestation.ts
@@ -0,0 +1,219 @@
+import * as cbor from 'cbor';
+import { createHash, X509Certificate } from 'crypto';
+import * as asn1js from 'asn1js';
+import * as pkijs from 'pkijs';
+
+const APPLE_APP_ATTESTATION_ROOT_CA = new X509Certificate(
+  '-----BEGIN CERTIFICATE-----\nMIICITCCAaegAwIBAgIQC/O+DvHN0uD7jG5yH2IXmDAKBggqhkjOPQQDAzBSMSYwJAYDVQQDDB1BcHBsZSBBcHAgQXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yMDAzMTgxODMyNTNaFw00NTAzMTUwMDAwMDBaMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlvbiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERTHhmLW07ATaFQIEVwTtT4dyctdhNbJhFs/Ii2FdCgAHGbpphY3+d8qjuDngIN3WVhQUBHAoMeQ/cLiP1sOUtgjqK9auYen1mMEvRq9Sk3Jm5X8U62H+xTD3FE9TgS41o0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSskRBTM72+aEH/pwyp5frq5eWKoTAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDaAAwZQIwQgFGnByvsiVbpTKwSga0kP0e8EeDS4+sQmTvb7vn53O5+FRXgeLhpJ06ysC5PrOyAjEAp5U4xDgEgllF7En3VcE3iexZZtKeYnpqtijVoyFraWVIyd/dganmrduC1bmTBGwD\n-----END CERTIFICATE-----'
+);
+
+const APPATTESTDEVELOP = Buffer.from('appattestdevelop').toString('hex');
+const APPATTESTPROD = Buffer.concat([
+  Buffer.from('appattest'),
+  Buffer.from([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]),
+]).toString('hex');
+
+export type VerifyAttestationParams = {
+  attestation: Buffer;
+  challenge: Buffer;
+  keyId: string;
+  bundleIdentifier: string;
+  teamIdentifier: string;
+  allowDevelopmentEnvironment: boolean;
+};
+
+const verifyAttestation = (params: VerifyAttestationParams) => {
+  const {
+    attestation,
+    challenge,
+    keyId,
+    bundleIdentifier,
+    teamIdentifier,
+    allowDevelopmentEnvironment,
+  } = params;
+
+  if (!bundleIdentifier) {
+    throw new Error('bundleIdentifier is required');
+  }
+
+  if (!teamIdentifier) {
+    throw new Error('teamIdentifier is required');
+  }
+
+  if (!attestation) {
+    throw new Error('attestation is required');
+  }
+
+  if (!challenge) {
+    throw new Error('challenge is required');
+  }
+
+  if (!keyId) {
+    throw new Error('keyId is required');
+  }
+
+  let decodedAttestations;
+
+  try {
+    decodedAttestations = cbor.decodeAllSync(attestation);
+  } catch (e) {
+    throw new Error('invalid attestation');
+  }
+
+  if (decodedAttestations.length !== 1) {
+    throw new Error('number of decoded attestations is not 1');
+  }
+
+  const decodedAttestation = decodedAttestations[0];
+
+  if (
+    decodedAttestation.fmt !== 'apple-appattest' ||
+    decodedAttestation.attStmt?.x5c?.length !== 2 ||
+    !decodedAttestation.attStmt?.receipt ||
+    !decodedAttestation.authData ||
+    !Buffer.isBuffer(decodedAttestation.attStmt.x5c[0]) ||
+    !Buffer.isBuffer(decodedAttestation.attStmt.x5c[1]) ||
+    !Buffer.isBuffer(decodedAttestation.attStmt.receipt) ||
+    !Buffer.isBuffer(decodedAttestation.authData)
+  ) {
+    throw new Error('invalid attestation');
+  }
+
+  const { authData, attStmt } = decodedAttestation;
+
+  // https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server
+  // 1. Verify that the attestation statement’s x5c field contains two certificates, the first of which is the
+  //    sub CA certificate and the second of which is the client certificate.
+  let certificates;
+  try {
+    certificates = attStmt.x5c.map((data: any) => new X509Certificate(data));
+  } catch (e) {
+    throw new Error('invalid certificate');
+  }
+
+  const subCaCertificate = certificates.find(
+    (certificate: any) =>
+      certificate.subject.indexOf('Apple App Attestation CA 1') !== -1
+  );
+
+  if (!subCaCertificate) {
+    throw new Error('no sub CA certificate found');
+  }
+
+  if (!subCaCertificate.verify(APPLE_APP_ATTESTATION_ROOT_CA.publicKey)) {
+    throw new Error(
+      'sub CA certificate is not signed by Apple App Attestation Root CA'
+    );
+  }
+
+  const clientCertificate = certificates.find(
+    (certificate: any) =>
+      certificate.subject.indexOf('Apple App Attestation CA 1') === -1
+  );
+
+  if (!clientCertificate) {
+    throw new Error('no client CA certificate found');
+  }
+
+  if (!clientCertificate.verify(subCaCertificate.publicKey)) {
+    throw new Error(
+      'client CA certificate is not signed by Apple App Attestation CA 1'
+    );
+  }
+
+  // 2. Create clientDataHash as the SHA256 hash of the one-time challenge your server sends to your
+  //    app before performing the attestation, and append that hash to the end of the authenticator
+  //    data (authData from the decoded object).
+  const clientDataHash = createHash('sha256').update(challenge).digest();
+
+  const nonceData = Buffer.concat([
+    decodedAttestation.authData,
+    clientDataHash,
+  ]);
+
+  // 3. Generate a new SHA256 hash of the composite item to create nonce.
+  const nonce = createHash('sha256').update(nonceData).digest('hex');
+
+  // 4. Obtain the value of the credCert extension with OID 1.2.840.113635.100.8.2, which is a DER-encoded ASN.1
+  //    sequence. Decode the sequence and extract the single octet string that it contains. Verify that the
+  //    string equals nonce.
+  const asn1 = asn1js.fromBER(clientCertificate.raw);
+  const certificate = new pkijs.Certificate({ schema: asn1.result });
+  const extension = certificate.extensions?.find(
+    (e) => e.extnID === '1.2.840.113635.100.8.2'
+  );
+  try {
+    const actualNonce = Buffer.from(
+      extension?.parsedValue.valueBlock.value[0].valueBlock.value[0].valueBlock
+        .valueHex
+    ).toString('hex');
+    if (actualNonce !== nonce) {
+      throw new Error('nonce does not match');
+    }
+  } catch {
+    throw new Error('nonce does not match');
+  }
+
+  // 5. Create the SHA256 hash of the public key in credCert, and verify that it matches the key identifier from your app
+  // const publicKey = await certificate.getPublicKey()
+  const publicKey = Buffer.from(
+    certificate.subjectPublicKeyInfo.subjectPublicKey.valueBlock.valueHex
+  );
+  const publicKeyHash = createHash('sha256')
+    .update(publicKey.toString('hex'), 'hex') // Convert publicKey to hexadecimal string
+    .digest('base64');
+  if (publicKeyHash !== keyId) {
+    throw new Error('keyId does not match');
+  }
+
+  // 6. Compute the SHA256 hash of your app’s App ID, and verify that it’s the same as the authenticator data’s RP ID hash.
+  const appIdHash = createHash('sha256')
+    .update(`${teamIdentifier}.${bundleIdentifier}`)
+    .digest('base64');
+  const rpiIdHash = authData.subarray(0, 32).toString('base64');
+
+  if (appIdHash !== rpiIdHash) {
+    throw new Error('appId does not match');
+  }
+
+  // 7. Verify that the authenticator data’s counter field equals 0.
+  const signCount = authData.subarray(33, 37).readInt32BE();
+  /* istanbul ignore if */
+  if (signCount !== 0) {
+    throw new Error('signCount is not 0');
+  }
+
+  // 8. Verify that the authenticator data’s aaguid field is either appattestdevelop if operating in the development
+  //    environment, or appattest followed by seven 0x00 bytes if operating in the production environment.
+  const aaguid = authData.subarray(37, 53).toString('hex');
+
+  /* istanbul ignore if */
+  if (aaguid !== APPATTESTDEVELOP && aaguid !== APPATTESTPROD) {
+    throw new Error('aaguid is not valid');
+  }
+
+  if (aaguid === APPATTESTDEVELOP && !allowDevelopmentEnvironment) {
+    throw new Error('development environment is not allowed');
+  }
+
+  // 9. Verify that the authenticator data’s credentialId field is the same as the key identifier.
+  const credentialIdLength = authData.subarray(53, 55).readInt16BE();
+  const credentialId = authData.subarray(55, 55 + credentialIdLength);
+
+  /* istanbul ignore if */
+  if (credentialId.toString('base64') !== keyId) {
+    throw new Error('credentialId does not match');
+  }
+
+  return {
+    keyId,
+    publicKey: clientCertificate.publicKey.export({
+      type: 'spki',
+      format: 'pem',
+    }),
+    receipt: decodedAttestation.attStmt.receipt,
+    environment: aaguid === APPATTESTPROD ? 'production' : 'development',
+  };
+};
+
+export default verifyAttestation;
diff --git a/backend/tsconfig.json b/backend/tsconfig.json
new file mode 100644
index 0000000..42c9a23
--- /dev/null
+++ b/backend/tsconfig.json
@@ -0,0 +1,18 @@
+{
+  "compilerOptions": {
+    "target": "es2016" /* Set the JavaScript language version for emitted JavaScript and include compatible library declarations. */,
+    "lib": [
+      "es6"
+    ] /* Specify a set of bundled library declaration files that describe the target runtime environment. */,
+    "module": "commonjs" /* Specify what module code is generated. */,
+    "rootDir": "src" /* Specify the root folder within your source files. */,
+    "resolveJsonModule": true /* Enable importing .json files. */,
+    "allowJs": true /* Allow JavaScript files to be a part of your program. Use the 'checkJS' option to get errors from these files. */,
+    "outDir": "build" /* Specify an output folder for all emitted files. */,
+    "esModuleInterop": true /* Emit additional JavaScript to ease support for importing CommonJS modules. This enables 'allowSyntheticDefaultImports' for type compatibility. */,
+    "forceConsistentCasingInFileNames": true /* Ensure that casing is correct in imports. */,
+    "strict": true /* Enable all strict type-checking options. */,
+    "noImplicitAny": true /* Enable error reporting for expressions and declarations with an implied 'any' type. */,
+    "skipLibCheck": true /* Skip type checking all .d.ts files. */
+  }
+}
diff --git a/example/.env.local b/example/.env.local
new file mode 100644
index 0000000..7848848
--- /dev/null
+++ b/example/.env.local
@@ -0,0 +1 @@
+BACKEND_ADDRESS = ""
\ No newline at end of file
diff --git a/example/babel.config.js b/example/babel.config.js
index d9addbb..a493786 100644
--- a/example/babel.config.js
+++ b/example/babel.config.js
@@ -13,5 +13,16 @@ module.exports = {
         },
       },
     ],
+    [
+      'module:react-native-dotenv',
+      {
+        envName: 'APP_ENV',
+        moduleName: '@env',
+        path: '.env',
+        safe: false,
+        allowUndefined: true,
+        verbose: false,
+      },
+    ],
   ],
 };
diff --git a/example/env.d.ts b/example/env.d.ts
new file mode 100644
index 0000000..e29c264
--- /dev/null
+++ b/example/env.d.ts
@@ -0,0 +1,3 @@
+declare module '@env' {
+  export const BACKEND_ADDRESS: string;
+}
diff --git a/example/ios/IoReactNativeIntegrityExample/Info.plist b/example/ios/IoReactNativeIntegrityExample/Info.plist
index a88fe56..c1dfb30 100644
--- a/example/ios/IoReactNativeIntegrityExample/Info.plist
+++ b/example/ios/IoReactNativeIntegrityExample/Info.plist
@@ -28,7 +28,7 @@
 	<dict>
 	  <!-- Do not change NSAllowsArbitraryLoads to true, or you will risk app rejection! -->
 		<key>NSAllowsArbitraryLoads</key>
-		<false/>
+		<true/>
 		<key>NSAllowsLocalNetworking</key>
 		<true/>
 	</dict>
diff --git a/example/package.json b/example/package.json
index 7dc435f..7e3682a 100644
--- a/example/package.json
+++ b/example/package.json
@@ -13,6 +13,7 @@
     "buffer": "^6.0.3",
     "react": "18.2.0",
     "react-native": "0.73.5",
+    "react-native-dotenv": "^3.4.11",
     "react-native-sha256": "^1.4.10"
   },
   "devDependencies": {
diff --git a/example/src/App.tsx b/example/src/App.tsx
index 79125ce..63f4484 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -1,6 +1,5 @@
 import * as React from 'react';
 import { Buffer } from 'buffer';
-import { sha256 } from 'react-native-sha256';
 import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
 import {
   generateHardwareKey,
@@ -8,15 +7,27 @@ import {
   isAttestationServiceAvailable,
   generateHardwareSignatureWithAssertion,
 } from '@pagopa/io-react-native-integrity';
+import { BACKEND_ADDRESS } from '@env';
 import ButtonWithLoader from './components/ButtonWithLoader';
 
-const challenge = 'challengeFromServer';
+// this is a mocked jwk for ephimeral public key, in a production
+// environment the ephimeral key must be generated by the client
+// every time a WTE must be required
+const jwk = {
+  crv: 'P-256',
+  kty: 'EC',
+  x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
+  y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
+  kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
+};
 
 export default function App() {
+  const [challenge, setChallenge] = React.useState<string>('');
   const [hardwareKeyTag, setHardwareKeyTag] = React.useState<
     string | undefined
   >('');
   const [attestation, setAttestation] = React.useState<string | undefined>('');
+  const [assertion, setAssertion] = React.useState<string | undefined>('');
   const [decodedAttestation, setDecodedAttestation] = React.useState<
     string | undefined
   >('');
@@ -45,10 +56,27 @@ export default function App() {
     }
   };
 
+  const getChallengeFromServer = async () => {
+    // contact server run on local at port 3000 to get
+    // the challenge to be used for the attestation
+    try {
+      const response = await fetch(`${BACKEND_ADDRESS}/attest/nonce`);
+      const result = await response.json();
+      console.log(result);
+      return result.nonce;
+    } catch (error) {
+      console.error(error);
+      return '';
+    }
+  };
+
   const requestAttestation = async () => {
     setAttestation(undefined);
     if (hardwareKeyTag) {
-      const result = await getAttestation(challenge, hardwareKeyTag);
+      // get challenge from server
+      const nonce = await getChallengeFromServer();
+      setChallenge(nonce);
+      const result = await getAttestation(nonce, hardwareKeyTag);
       setAttestation(result);
       setDebugLog(result);
     }
@@ -66,35 +94,61 @@ export default function App() {
     }
   };
 
-  const getHardwareSignatureWithAssertion = async () => {
-    // this is a mocked jwk for ephimeral public key, in a production
-    // environment the ephimeral key must be generated by the client
-    // every time a WTE must be required
-    const jwk = {
-      crv: 'P-256',
-      kty: 'EC',
-      x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
-      y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
-      kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
-    };
+  const verifyAttestation = async () => {
+    // verify attestation on the server with POST
+    // and body of challenge, attestation and keyId
+    const result = await fetch(`${BACKEND_ADDRESS}/attest/verify`, {
+      method: 'POST',
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        challenge: challenge,
+        attestation: attestation,
+        hardwareKeyTag: hardwareKeyTag,
+      }),
+    });
+    const response = await result.json();
+    setDebugLog(JSON.stringify(response));
+  };
+
+  const verifyAssertion = async () => {
+    // verify attestation on the server with POST
+    // and body of challenge, attestation and keyId
+    const result = await fetch(`${BACKEND_ADDRESS}/assertion/verify`, {
+      method: 'POST',
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        challenge: challenge,
+        assertion: assertion,
+        hardwareKeyTag: hardwareKeyTag,
+        payload: JSON.stringify({ challenge: challenge, jwk: jwk }),
+      }),
+    });
+    const response = await result.json();
+    setDebugLog(JSON.stringify(response));
+  };
 
+  const getHardwareSignatureWithAssertion = async () => {
     const clientData = {
       challenge: challenge,
       jwk: jwk,
     };
-
     // Between Android and iOS there is a difference for the generation of hardwareSignature
     // and assertion as on iOS both are generated directly from the SDK via generateAssertion
     // while on Android the hardwareSignature must be generated via the signature functions and
     // the assertion must be retrieved from the backend via an integrityToken.
     if (hardwareKeyTag) {
-      const clientDataHash = await sha256(JSON.stringify(clientData));
-
       const result = await generateHardwareSignatureWithAssertion(
-        clientDataHash,
+        JSON.stringify(clientData),
         hardwareKeyTag
       );
       setDebugLog(result);
+      setAssertion(result);
     }
   };
 
@@ -123,6 +177,16 @@ export default function App() {
             onPress={() => getHardwareSignatureWithAssertion()}
             loading={decodedAttestation === undefined}
           />
+          <ButtonWithLoader
+            title="VerifyAttestation"
+            onPress={() => verifyAttestation()}
+            loading={decodedAttestation === undefined}
+          />
+          <ButtonWithLoader
+            title="VerifyAssertion"
+            onPress={() => verifyAssertion()}
+            loading={decodedAttestation === undefined}
+          />
         </>
       ) : null}
       <ScrollView style={styles.debug}>
diff --git a/package.json b/package.json
index 6b638ce..47fa56e 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,8 @@
     "!**/.*"
   ],
   "scripts": {
-    "example": "yarn workspace @pagopa/io-react-native-integrity-example",
+    "example": "yarn workspace @pagopa/io-react-native-integrity-example start",
+    "backend": "yarn workspace @pagopa/io-react-native-integrity-backend start",
     "test": "jest",
     "typecheck": "tsc --noEmit",
     "lint": "eslint \"**/*.{js,ts,tsx}\"",
@@ -81,7 +82,8 @@
     "react-native": "*"
   },
   "workspaces": [
-    "example"
+    "example",
+    "backend"
   ],
   "packageManager": "yarn@3.6.1",
   "jest": {
diff --git a/yarn.lock b/yarn.lock
index ebc847d..7478bce 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2547,6 +2547,28 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@pagopa/io-react-native-integrity-backend@workspace:backend":
+  version: 0.0.0-use.local
+  resolution: "@pagopa/io-react-native-integrity-backend@workspace:backend"
+  dependencies:
+    "@types/dotenv": ^8.2.0
+    "@types/express": ^4.17.21
+    "@types/node": ^20.11.25
+    "@types/uuid": ^9.0.8
+    asn1js: ^3.0.5
+    body-parser: ^1.20.2
+    cbor: ^9.0.2
+    dotenv: ^16.4.5
+    express: ^4.18.3
+    nodemon: ^3.1.0
+    pkijs: ^3.0.15
+    rimraf: ^5.0.5
+    ts-node: ^10.9.2
+    typescript: ^5.4.2
+    uuid: ^9.0.1
+  languageName: unknown
+  linkType: soft
+
 "@pagopa/io-react-native-integrity-example@workspace:example":
   version: 0.0.0-use.local
   resolution: "@pagopa/io-react-native-integrity-example@workspace:example"
@@ -2561,6 +2583,7 @@ __metadata:
     buffer: ^6.0.3
     react: 18.2.0
     react-native: 0.73.5
+    react-native-dotenv: ^3.4.11
     react-native-sha256: ^1.4.10
   languageName: unknown
   linkType: soft
@@ -3186,6 +3209,58 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/body-parser@npm:*":
+  version: 1.19.5
+  resolution: "@types/body-parser@npm:1.19.5"
+  dependencies:
+    "@types/connect": "*"
+    "@types/node": "*"
+  checksum: 1e251118c4b2f61029cc43b0dc028495f2d1957fe8ee49a707fb940f86a9bd2f9754230805598278fe99958b49e9b7e66eec8ef6a50ab5c1f6b93e1ba2aaba82
+  languageName: node
+  linkType: hard
+
+"@types/connect@npm:*":
+  version: 3.4.38
+  resolution: "@types/connect@npm:3.4.38"
+  dependencies:
+    "@types/node": "*"
+  checksum: 7eb1bc5342a9604facd57598a6c62621e244822442976c443efb84ff745246b10d06e8b309b6e80130026a396f19bf6793b7cecd7380169f369dac3bfc46fb99
+  languageName: node
+  linkType: hard
+
+"@types/dotenv@npm:^8.2.0":
+  version: 8.2.0
+  resolution: "@types/dotenv@npm:8.2.0"
+  dependencies:
+    dotenv: "*"
+  checksum: a1f524da7dc18b09bdb6c2613b9abbbe8ca575621cce4625efc7f98daf2ba07c7dbab622c9bb394507a12c5c515f9cbbbba4aeec17b801c88faeb8e8e656d460
+  languageName: node
+  linkType: hard
+
+"@types/express-serve-static-core@npm:^4.17.33":
+  version: 4.17.43
+  resolution: "@types/express-serve-static-core@npm:4.17.43"
+  dependencies:
+    "@types/node": "*"
+    "@types/qs": "*"
+    "@types/range-parser": "*"
+    "@types/send": "*"
+  checksum: 08e940cae52eb1388a7b5f61d65f028e783add77d1854243ae920a6a2dfb5febb6acaafbcf38be9d678b0411253b9bc325893c463a93302405f24135664ab1e4
+  languageName: node
+  linkType: hard
+
+"@types/express@npm:^4.17.21":
+  version: 4.17.21
+  resolution: "@types/express@npm:4.17.21"
+  dependencies:
+    "@types/body-parser": "*"
+    "@types/express-serve-static-core": ^4.17.33
+    "@types/qs": "*"
+    "@types/serve-static": "*"
+  checksum: fb238298630370a7392c7abdc80f495ae6c716723e114705d7e3fb67e3850b3859bbfd29391463a3fb8c0b32051847935933d99e719c0478710f8098ee7091c5
+  languageName: node
+  linkType: hard
+
 "@types/graceful-fs@npm:^4.1.3":
   version: 4.1.9
   resolution: "@types/graceful-fs@npm:4.1.9"
@@ -3202,6 +3277,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/http-errors@npm:*":
+  version: 2.0.4
+  resolution: "@types/http-errors@npm:2.0.4"
+  checksum: 1f3d7c3b32c7524811a45690881736b3ef741bf9849ae03d32ad1ab7062608454b150a4e7f1351f83d26a418b2d65af9bdc06198f1c079d75578282884c4e8e3
+  languageName: node
+  linkType: hard
+
 "@types/istanbul-lib-coverage@npm:*, @types/istanbul-lib-coverage@npm:^2.0.0, @types/istanbul-lib-coverage@npm:^2.0.1":
   version: 2.0.6
   resolution: "@types/istanbul-lib-coverage@npm:2.0.6"
@@ -3244,6 +3326,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/mime@npm:*":
+  version: 3.0.4
+  resolution: "@types/mime@npm:3.0.4"
+  checksum: a6139c8e1f705ef2b064d072f6edc01f3c099023ad7c4fce2afc6c2bf0231888202adadbdb48643e8e20da0ce409481a49922e737eca52871b3dc08017455843
+  languageName: node
+  linkType: hard
+
+"@types/mime@npm:^1":
+  version: 1.3.5
+  resolution: "@types/mime@npm:1.3.5"
+  checksum: e29a5f9c4776f5229d84e525b7cd7dd960b51c30a0fb9a028c0821790b82fca9f672dab56561e2acd9e8eed51d431bde52eafdfef30f643586c4162f1aecfc78
+  languageName: node
+  linkType: hard
+
 "@types/minimist@npm:^1.2.0, @types/minimist@npm:^1.2.2":
   version: 1.2.5
   resolution: "@types/minimist@npm:1.2.5"
@@ -3267,6 +3363,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/node@npm:^20.11.25":
+  version: 20.11.25
+  resolution: "@types/node@npm:20.11.25"
+  dependencies:
+    undici-types: ~5.26.4
+  checksum: bdb29da3f3dc687a0104cb70e30b5277d9df8f22843a4ed94835762683a95a8a0ea0c2ed0cf96f6eeff348491dd50dd9b20307d08f71ba7cb489d54a81cbbfec
+  languageName: node
+  linkType: hard
+
 "@types/normalize-package-data@npm:^2.4.0":
   version: 2.4.4
   resolution: "@types/normalize-package-data@npm:2.4.4"
@@ -3288,6 +3393,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/qs@npm:*":
+  version: 6.9.12
+  resolution: "@types/qs@npm:6.9.12"
+  checksum: 76be8068091058987bb49aca59e9714ff856661cdc2340499f9d502c78950ac08e7ecbca256c8a72c4c83714bce30e6aaad13f9f739e8c0c436c0eedb2a2627c
+  languageName: node
+  linkType: hard
+
+"@types/range-parser@npm:*":
+  version: 1.2.7
+  resolution: "@types/range-parser@npm:1.2.7"
+  checksum: 95640233b689dfbd85b8c6ee268812a732cf36d5affead89e806fe30da9a430767af8ef2cd661024fd97e19d61f3dec75af2df5e80ec3bea000019ab7028629a
+  languageName: node
+  linkType: hard
+
 "@types/react@npm:^18.2.44":
   version: 18.2.60
   resolution: "@types/react@npm:18.2.60"
@@ -3313,6 +3432,27 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/send@npm:*":
+  version: 0.17.4
+  resolution: "@types/send@npm:0.17.4"
+  dependencies:
+    "@types/mime": ^1
+    "@types/node": "*"
+  checksum: cf4db48251bbb03cd6452b4de6e8e09e2d75390a92fd798eca4a803df06444adc94ed050246c94c7ed46fb97be1f63607f0e1f13c3ce83d71788b3e08640e5e0
+  languageName: node
+  linkType: hard
+
+"@types/serve-static@npm:*":
+  version: 1.15.5
+  resolution: "@types/serve-static@npm:1.15.5"
+  dependencies:
+    "@types/http-errors": "*"
+    "@types/mime": "*"
+    "@types/node": "*"
+  checksum: 0ff4b3703cf20ba89c9f9e345bc38417860a88e85863c8d6fe274a543220ab7f5f647d307c60a71bb57dc9559f0890a661e8dc771a6ec5ef195d91c8afc4a893
+  languageName: node
+  linkType: hard
+
 "@types/stack-utils@npm:^2.0.0":
   version: 2.0.3
   resolution: "@types/stack-utils@npm:2.0.3"
@@ -3320,6 +3460,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/uuid@npm:^9.0.8":
+  version: 9.0.8
+  resolution: "@types/uuid@npm:9.0.8"
+  checksum: b8c60b7ba8250356b5088302583d1704a4e1a13558d143c549c408bf8920535602ffc12394ede77f8a8083511b023704bc66d1345792714002bfa261b17c5275
+  languageName: node
+  linkType: hard
+
 "@types/yargs-parser@npm:*":
   version: 21.0.3
   resolution: "@types/yargs-parser@npm:21.0.3"
@@ -3485,6 +3632,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"abbrev@npm:1":
+  version: 1.1.1
+  resolution: "abbrev@npm:1.1.1"
+  checksum: a4a97ec07d7ea112c517036882b2ac22f3109b7b19077dc656316d07d308438aac28e4d9746dc4d84bf6b1e75b4a7b0a5f3cb30592419f128ca9a8cee3bcfa17
+  languageName: node
+  linkType: hard
+
 "abbrev@npm:^2.0.0":
   version: 2.0.0
   resolution: "abbrev@npm:2.0.0"
@@ -3501,7 +3655,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"accepts@npm:^1.3.7, accepts@npm:~1.3.5, accepts@npm:~1.3.7":
+"accepts@npm:^1.3.7, accepts@npm:~1.3.5, accepts@npm:~1.3.7, accepts@npm:~1.3.8":
   version: 1.3.8
   resolution: "accepts@npm:1.3.8"
   dependencies:
@@ -3685,7 +3839,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"anymatch@npm:^3.0.3":
+"anymatch@npm:^3.0.3, anymatch@npm:~3.1.2":
   version: 3.1.3
   resolution: "anymatch@npm:3.1.3"
   dependencies:
@@ -3735,6 +3889,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"array-flatten@npm:1.1.1":
+  version: 1.1.1
+  resolution: "array-flatten@npm:1.1.1"
+  checksum: a9925bf3512d9dce202112965de90c222cd59a4fbfce68a0951d25d965cf44642931f40aac72309c41f12df19afa010ecadceb07cfff9ccc1621e99d89ab5f3b
+  languageName: node
+  linkType: hard
+
 "array-ify@npm:^1.0.0":
   version: 1.0.0
   resolution: "array-ify@npm:1.0.0"
@@ -3842,6 +4003,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"asn1js@npm:^3.0.5":
+  version: 3.0.5
+  resolution: "asn1js@npm:3.0.5"
+  dependencies:
+    pvtsutils: ^1.3.2
+    pvutils: ^1.1.3
+    tslib: ^2.4.0
+  checksum: 3b6af1bbadd5762ef8ead5daf2f6bda1bc9e23bc825c4dcc996aa1f9521ad7390a64028565d95d98090d69c8431f004c71cccb866004759169d7c203cf9075eb
+  languageName: node
+  linkType: hard
+
 "ast-types@npm:0.15.2":
   version: 0.15.2
   resolution: "ast-types@npm:0.15.2"
@@ -4079,6 +4251,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"binary-extensions@npm:^2.0.0":
+  version: 2.2.0
+  resolution: "binary-extensions@npm:2.2.0"
+  checksum: ccd267956c58d2315f5d3ea6757cf09863c5fc703e50fbeb13a7dc849b812ef76e3cf9ca8f35a0c48498776a7478d7b4a0418e1e2b8cb9cb9731f2922aaad7f8
+  languageName: node
+  linkType: hard
+
 "bl@npm:^4.1.0":
   version: 4.1.0
   resolution: "bl@npm:4.1.0"
@@ -4101,6 +4280,26 @@ __metadata:
   languageName: node
   linkType: hard
 
+"body-parser@npm:1.20.2, body-parser@npm:^1.20.2":
+  version: 1.20.2
+  resolution: "body-parser@npm:1.20.2"
+  dependencies:
+    bytes: 3.1.2
+    content-type: ~1.0.5
+    debug: 2.6.9
+    depd: 2.0.0
+    destroy: 1.2.0
+    http-errors: 2.0.0
+    iconv-lite: 0.4.24
+    on-finished: 2.4.1
+    qs: 6.11.0
+    raw-body: 2.5.2
+    type-is: ~1.6.18
+    unpipe: 1.0.0
+  checksum: 14d37ec638ab5c93f6099ecaed7f28f890d222c650c69306872e00b9efa081ff6c596cd9afb9930656aae4d6c4e1c17537bea12bb73c87a217cb3cfea8896737
+  languageName: node
+  linkType: hard
+
 "boxen@npm:^7.0.0":
   version: 7.1.1
   resolution: "boxen@npm:7.1.1"
@@ -4145,7 +4344,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"braces@npm:^3.0.2":
+"braces@npm:^3.0.2, braces@npm:~3.0.2":
   version: 3.0.2
   resolution: "braces@npm:3.0.2"
   dependencies:
@@ -4220,6 +4419,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"bytes@npm:3.1.2":
+  version: 3.1.2
+  resolution: "bytes@npm:3.1.2"
+  checksum: e4bcd3948d289c5127591fbedf10c0b639ccbf00243504e4e127374a15c3bc8eed0d28d4aaab08ff6f1cf2abc0cce6ba3085ed32f4f90e82a5683ce0014e1b6e
+  languageName: node
+  linkType: hard
+
+"bytestreamjs@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "bytestreamjs@npm:2.0.1"
+  checksum: db4cb039794675a0ec1f097d228e4897378cdf5f794dca04fc3bff63efb466524fcfac95e59e89e928822a80fad7574734c02b8eace9e841d8599da43c82768a
+  languageName: node
+  linkType: hard
+
 "cacache@npm:^18.0.0":
   version: 18.0.2
   resolution: "cacache@npm:18.0.2"
@@ -4358,6 +4571,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"cbor@npm:^9.0.2":
+  version: 9.0.2
+  resolution: "cbor@npm:9.0.2"
+  dependencies:
+    nofilter: ^3.1.0
+  checksum: 925edae7bf964be5a26dba1b7ba6311ac12b6a66234dc958958997a0576cdc740632dc19852a5b84d8a75101936bea1fe122dc22539d6e11f4539c731853ba2e
+  languageName: node
+  linkType: hard
+
 "chalk@npm:5.2.0":
   version: 5.2.0
   resolution: "chalk@npm:5.2.0"
@@ -4407,6 +4629,25 @@ __metadata:
   languageName: node
   linkType: hard
 
+"chokidar@npm:^3.5.2":
+  version: 3.6.0
+  resolution: "chokidar@npm:3.6.0"
+  dependencies:
+    anymatch: ~3.1.2
+    braces: ~3.0.2
+    fsevents: ~2.3.2
+    glob-parent: ~5.1.2
+    is-binary-path: ~2.1.0
+    is-glob: ~4.0.1
+    normalize-path: ~3.0.0
+    readdirp: ~3.6.0
+  dependenciesMeta:
+    fsevents:
+      optional: true
+  checksum: d2f29f499705dcd4f6f3bbed79a9ce2388cf530460122eed3b9c48efeab7a4e28739c6551fd15bec9245c6b9eeca7a32baa64694d64d9b6faeb74ddb8c4a413d
+  languageName: node
+  linkType: hard
+
 "chownr@npm:^2.0.0":
   version: 2.0.0
   resolution: "chownr@npm:2.0.0"
@@ -4750,6 +4991,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"content-disposition@npm:0.5.4":
+  version: 0.5.4
+  resolution: "content-disposition@npm:0.5.4"
+  dependencies:
+    safe-buffer: 5.2.1
+  checksum: afb9d545e296a5171d7574fcad634b2fdf698875f4006a9dd04a3e1333880c5c0c98d47b560d01216fb6505a54a2ba6a843ee3a02ec86d7e911e8315255f56c3
+  languageName: node
+  linkType: hard
+
+"content-type@npm:~1.0.4, content-type@npm:~1.0.5":
+  version: 1.0.5
+  resolution: "content-type@npm:1.0.5"
+  checksum: 566271e0a251642254cde0f845f9dd4f9856e52d988f4eb0d0dcffbb7a1f8ec98de7a5215fc628f3bce30fe2fb6fd2bc064b562d721658c59b544e2d34ea2766
+  languageName: node
+  linkType: hard
+
 "conventional-changelog-angular@npm:^5.0.12":
   version: 5.0.13
   resolution: "conventional-changelog-angular@npm:5.0.13"
@@ -4985,6 +5242,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"cookie-signature@npm:1.0.6":
+  version: 1.0.6
+  resolution: "cookie-signature@npm:1.0.6"
+  checksum: f4e1b0a98a27a0e6e66fd7ea4e4e9d8e038f624058371bf4499cfcd8f3980be9a121486995202ba3fca74fbed93a407d6d54d43a43f96fd28d0bd7a06761591a
+  languageName: node
+  linkType: hard
+
+"cookie@npm:0.5.0":
+  version: 0.5.0
+  resolution: "cookie@npm:0.5.0"
+  checksum: 1f4bd2ca5765f8c9689a7e8954183f5332139eb72b6ff783d8947032ec1fdf43109852c178e21a953a30c0dd42257828185be01b49d1eb1a67fd054ca588a180
+  languageName: node
+  linkType: hard
+
 "core-js-compat@npm:^3.31.0, core-js-compat@npm:^3.34.0":
   version: 3.36.0
   resolution: "core-js-compat@npm:3.36.0"
@@ -5162,7 +5433,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"debug@npm:4, debug@npm:^4.1.0, debug@npm:^4.1.1, debug@npm:^4.3.1, debug@npm:^4.3.2, debug@npm:^4.3.4":
+"debug@npm:4, debug@npm:^4, debug@npm:^4.1.0, debug@npm:^4.1.1, debug@npm:^4.3.1, debug@npm:^4.3.2, debug@npm:^4.3.4":
   version: 4.3.4
   resolution: "debug@npm:4.3.4"
   dependencies:
@@ -5476,6 +5747,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"dotenv@npm:*, dotenv@npm:^16.4.5":
+  version: 16.4.5
+  resolution: "dotenv@npm:16.4.5"
+  checksum: 301a12c3d44fd49888b74eb9ccf9f07a1f5df43f489e7fcb89647a2edcd84c42d6bc349dc8df099cd18f07c35c7b04685c1a4f3e6a6a9e6b30f8d48c15b7f49c
+  languageName: node
+  linkType: hard
+
 "eastasianwidth@npm:^0.2.0":
   version: 0.2.0
   resolution: "eastasianwidth@npm:0.2.0"
@@ -6208,6 +6486,45 @@ __metadata:
   languageName: node
   linkType: hard
 
+"express@npm:^4.18.3":
+  version: 4.18.3
+  resolution: "express@npm:4.18.3"
+  dependencies:
+    accepts: ~1.3.8
+    array-flatten: 1.1.1
+    body-parser: 1.20.2
+    content-disposition: 0.5.4
+    content-type: ~1.0.4
+    cookie: 0.5.0
+    cookie-signature: 1.0.6
+    debug: 2.6.9
+    depd: 2.0.0
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    etag: ~1.8.1
+    finalhandler: 1.2.0
+    fresh: 0.5.2
+    http-errors: 2.0.0
+    merge-descriptors: 1.0.1
+    methods: ~1.1.2
+    on-finished: 2.4.1
+    parseurl: ~1.3.3
+    path-to-regexp: 0.1.7
+    proxy-addr: ~2.0.7
+    qs: 6.11.0
+    range-parser: ~1.2.1
+    safe-buffer: 5.2.1
+    send: 0.18.0
+    serve-static: 1.15.0
+    setprototypeof: 1.2.0
+    statuses: 2.0.1
+    type-is: ~1.6.18
+    utils-merge: 1.0.1
+    vary: ~1.1.2
+  checksum: 3d7fc8762a81dee0adf0b604f11627db2af082c5f2234e78a4aa8134f22c51f96c6282063f2f8b87f5dbc70679a3087caccb93b6107e324c6feb3a70960a5864
+  languageName: node
+  linkType: hard
+
 "external-editor@npm:^3.0.3":
   version: 3.1.0
   resolution: "external-editor@npm:3.1.0"
@@ -6342,6 +6659,21 @@ __metadata:
   languageName: node
   linkType: hard
 
+"finalhandler@npm:1.2.0":
+  version: 1.2.0
+  resolution: "finalhandler@npm:1.2.0"
+  dependencies:
+    debug: 2.6.9
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    on-finished: 2.4.1
+    parseurl: ~1.3.3
+    statuses: 2.0.1
+    unpipe: ~1.0.0
+  checksum: 92effbfd32e22a7dff2994acedbd9bcc3aa646a3e919ea6a53238090e87097f8ef07cced90aa2cc421abdf993aefbdd5b00104d55c7c5479a8d00ed105b45716
+  languageName: node
+  linkType: hard
+
 "find-babel-config@npm:^2.0.0":
   version: 2.0.0
   resolution: "find-babel-config@npm:2.0.0"
@@ -6475,6 +6807,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"forwarded@npm:0.2.0":
+  version: 0.2.0
+  resolution: "forwarded@npm:0.2.0"
+  checksum: fd27e2394d8887ebd16a66ffc889dc983fbbd797d5d3f01087c020283c0f019a7d05ee85669383d8e0d216b116d720fc0cef2f6e9b7eb9f4c90c6e0bc7fd28e6
+  languageName: node
+  linkType: hard
+
 "fresh@npm:0.5.2":
   version: 0.5.2
   resolution: "fresh@npm:0.5.2"
@@ -6540,7 +6879,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fsevents@npm:^2.3.2":
+"fsevents@npm:^2.3.2, fsevents@npm:~2.3.2":
   version: 2.3.3
   resolution: "fsevents@npm:2.3.3"
   dependencies:
@@ -6550,7 +6889,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fsevents@patch:fsevents@^2.3.2#~builtin<compat/fsevents>":
+"fsevents@patch:fsevents@^2.3.2#~builtin<compat/fsevents>, fsevents@patch:fsevents@~2.3.2#~builtin<compat/fsevents>":
   version: 2.3.3
   resolution: "fsevents@patch:fsevents@npm%3A2.3.3#~builtin<compat/fsevents>::version=2.3.3&hash=df0bf1"
   dependencies:
@@ -6737,7 +7076,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"glob-parent@npm:^5.1.2":
+"glob-parent@npm:^5.1.2, glob-parent@npm:~5.1.2":
   version: 5.1.2
   resolution: "glob-parent@npm:5.1.2"
   dependencies:
@@ -6755,7 +7094,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"glob@npm:^10.2.2, glob@npm:^10.3.10":
+"glob@npm:^10.2.2, glob@npm:^10.3.10, glob@npm:^10.3.7":
   version: 10.3.10
   resolution: "glob@npm:10.3.10"
   dependencies:
@@ -7158,7 +7497,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"iconv-lite@npm:^0.4.24":
+"iconv-lite@npm:0.4.24, iconv-lite@npm:^0.4.24":
   version: 0.4.24
   resolution: "iconv-lite@npm:0.4.24"
   dependencies:
@@ -7183,6 +7522,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"ignore-by-default@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "ignore-by-default@npm:1.0.1"
+  checksum: 441509147b3615e0365e407a3c18e189f78c07af08564176c680be1fabc94b6c789cad1342ad887175d4ecd5225de86f73d376cec8e06b42fd9b429505ffcf8a
+  languageName: node
+  linkType: hard
+
 "ignore@npm:^5.0.5, ignore@npm:^5.2.0, ignore@npm:^5.2.4":
   version: 5.3.1
   resolution: "ignore@npm:5.3.1"
@@ -7359,6 +7705,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"ipaddr.js@npm:1.9.1":
+  version: 1.9.1
+  resolution: "ipaddr.js@npm:1.9.1"
+  checksum: f88d3825981486f5a1942414c8d77dd6674dd71c065adcfa46f578d677edcb99fda25af42675cb59db492fdf427b34a5abfcde3982da11a8fd83a500b41cfe77
+  languageName: node
+  linkType: hard
+
 "is-absolute@npm:^1.0.0":
   version: 1.0.0
   resolution: "is-absolute@npm:1.0.0"
@@ -7414,6 +7767,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"is-binary-path@npm:~2.1.0":
+  version: 2.1.0
+  resolution: "is-binary-path@npm:2.1.0"
+  dependencies:
+    binary-extensions: ^2.0.0
+  checksum: 84192eb88cff70d320426f35ecd63c3d6d495da9d805b19bc65b518984b7c0760280e57dbf119b7e9be6b161784a5a673ab2c6abe83abb5198a432232ad5b35c
+  languageName: node
+  linkType: hard
+
 "is-boolean-object@npm:^1.1.0":
   version: 1.1.2
   resolution: "is-boolean-object@npm:1.1.2"
@@ -7551,7 +7913,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"is-glob@npm:^4.0.0, is-glob@npm:^4.0.1, is-glob@npm:^4.0.3":
+"is-glob@npm:^4.0.0, is-glob@npm:^4.0.1, is-glob@npm:^4.0.3, is-glob@npm:~4.0.1":
   version: 4.0.3
   resolution: "is-glob@npm:4.0.3"
   dependencies:
@@ -9111,6 +9473,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"media-typer@npm:0.3.0":
+  version: 0.3.0
+  resolution: "media-typer@npm:0.3.0"
+  checksum: af1b38516c28ec95d6b0826f6c8f276c58aec391f76be42aa07646b4e39d317723e869700933ca6995b056db4b09a78c92d5440dc23657e6764be5d28874bba1
+  languageName: node
+  linkType: hard
+
 "memoize-one@npm:^5.0.0":
   version: 5.2.1
   resolution: "memoize-one@npm:5.2.1"
@@ -9157,6 +9526,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"merge-descriptors@npm:1.0.1":
+  version: 1.0.1
+  resolution: "merge-descriptors@npm:1.0.1"
+  checksum: 5abc259d2ae25bb06d19ce2b94a21632583c74e2a9109ee1ba7fd147aa7362b380d971e0251069f8b3eb7d48c21ac839e21fa177b335e82c76ec172e30c31a26
+  languageName: node
+  linkType: hard
+
 "merge-stream@npm:^2.0.0":
   version: 2.0.0
   resolution: "merge-stream@npm:2.0.0"
@@ -9171,6 +9547,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"methods@npm:~1.1.2":
+  version: 1.1.2
+  resolution: "methods@npm:1.1.2"
+  checksum: 0917ff4041fa8e2f2fda5425a955fe16ca411591fbd123c0d722fcf02b73971ed6f764d85f0a6f547ce49ee0221ce2c19a5fa692157931cecb422984f1dcd13a
+  languageName: node
+  linkType: hard
+
 "metro-babel-transformer@npm:0.80.6":
   version: 0.80.6
   resolution: "metro-babel-transformer@npm:0.80.6"
@@ -9406,7 +9789,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"mime-types@npm:2.1.35, mime-types@npm:^2.1.27, mime-types@npm:~2.1.34":
+"mime-types@npm:2.1.35, mime-types@npm:^2.1.27, mime-types@npm:~2.1.24, mime-types@npm:~2.1.34":
   version: 2.1.35
   resolution: "mime-types@npm:2.1.35"
   dependencies:
@@ -9792,6 +10175,33 @@ __metadata:
   languageName: node
   linkType: hard
 
+"nodemon@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "nodemon@npm:3.1.0"
+  dependencies:
+    chokidar: ^3.5.2
+    debug: ^4
+    ignore-by-default: ^1.0.1
+    minimatch: ^3.1.2
+    pstree.remy: ^1.1.8
+    semver: ^7.5.3
+    simple-update-notifier: ^2.0.0
+    supports-color: ^5.5.0
+    touch: ^3.1.0
+    undefsafe: ^2.0.5
+  bin:
+    nodemon: bin/nodemon.js
+  checksum: 0b721f66ee60d9bf092f6101965bc65769698fa2921d0283d90bbf3f0906aa4f3ac77316682375bd7f09c91679fddb131aa39f9fc839fea57061bbc8e81b60e3
+  languageName: node
+  linkType: hard
+
+"nofilter@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "nofilter@npm:3.1.0"
+  checksum: 58aa85a5b4b35cbb6e42de8a8591c5e338061edc9f3e7286f2c335e9e9b9b8fa7c335ae45daa8a1f3433164dc0b9a3d187fa96f9516e04a17a1f9ce722becc4f
+  languageName: node
+  linkType: hard
+
 "nopt@npm:^7.0.0":
   version: 7.2.0
   resolution: "nopt@npm:7.2.0"
@@ -9803,6 +10213,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"nopt@npm:~1.0.10":
+  version: 1.0.10
+  resolution: "nopt@npm:1.0.10"
+  dependencies:
+    abbrev: 1
+  bin:
+    nopt: ./bin/nopt.js
+  checksum: f62575aceaa3be43f365bf37a596b89bbac2e796b001b6d2e2a85c2140a4e378ff919e2753ccba959c4fd344776fc88c29b393bc167fa939fb1513f126f4cd45
+  languageName: node
+  linkType: hard
+
 "normalize-package-data@npm:^2.3.2, normalize-package-data@npm:^2.5.0":
   version: 2.5.0
   resolution: "normalize-package-data@npm:2.5.0"
@@ -9827,7 +10248,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"normalize-path@npm:^3.0.0":
+"normalize-path@npm:^3.0.0, normalize-path@npm:~3.0.0":
   version: 3.0.0
   resolution: "normalize-path@npm:3.0.0"
   checksum: 88eeb4da891e10b1318c4b2476b6e2ecbeb5ff97d946815ffea7794c31a89017c70d7f34b3c2ebf23ef4e9fc9fb99f7dffe36da22011b5b5c6ffa34f4873ec20
@@ -10359,6 +10780,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"path-to-regexp@npm:0.1.7":
+  version: 0.1.7
+  resolution: "path-to-regexp@npm:0.1.7"
+  checksum: 69a14ea24db543e8b0f4353305c5eac6907917031340e5a8b37df688e52accd09e3cebfe1660b70d76b6bd89152f52183f28c74813dbf454ba1a01c82a38abce
+  languageName: node
+  linkType: hard
+
 "path-type@npm:^3.0.0":
   version: 3.0.0
   resolution: "path-type@npm:3.0.0"
@@ -10382,7 +10810,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"picomatch@npm:^2.0.4, picomatch@npm:^2.2.3, picomatch@npm:^2.3.1":
+"picomatch@npm:^2.0.4, picomatch@npm:^2.2.1, picomatch@npm:^2.2.3, picomatch@npm:^2.3.1":
   version: 2.3.1
   resolution: "picomatch@npm:2.3.1"
   checksum: 050c865ce81119c4822c45d3c84f1ced46f93a0126febae20737bd05ca20589c564d6e9226977df859ed5e03dc73f02584a2b0faad36e896936238238b0446cf
@@ -10444,6 +10872,19 @@ __metadata:
   languageName: node
   linkType: hard
 
+"pkijs@npm:^3.0.15":
+  version: 3.0.15
+  resolution: "pkijs@npm:3.0.15"
+  dependencies:
+    asn1js: ^3.0.5
+    bytestreamjs: ^2.0.0
+    pvtsutils: ^1.3.2
+    pvutils: ^1.1.3
+    tslib: ^2.4.0
+  checksum: b9db0d98585bc0fc6f56d5cccf2df4a9f110e6abeb3fbabd2e412dc73d1dde318b360f7d7149fca26ad728d8a358827a9b97e06524e76e11e2a45e9cc9e9deaa
+  languageName: node
+  linkType: hard
+
 "possible-typed-array-names@npm:^1.0.0":
   version: 1.0.0
   resolution: "possible-typed-array-names@npm:1.0.0"
@@ -10588,6 +11029,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"proxy-addr@npm:~2.0.7":
+  version: 2.0.7
+  resolution: "proxy-addr@npm:2.0.7"
+  dependencies:
+    forwarded: 0.2.0
+    ipaddr.js: 1.9.1
+  checksum: 29c6990ce9364648255454842f06f8c46fcd124d3e6d7c5066df44662de63cdc0bad032e9bf5a3d653ff72141cc7b6019873d685708ac8210c30458ad99f2b74
+  languageName: node
+  linkType: hard
+
 "proxy-agent@npm:6.2.1":
   version: 6.2.1
   resolution: "proxy-agent@npm:6.2.1"
@@ -10611,6 +11062,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"pstree.remy@npm:^1.1.8":
+  version: 1.1.8
+  resolution: "pstree.remy@npm:1.1.8"
+  checksum: 5cb53698d6bb34dfb278c8a26957964aecfff3e161af5fbf7cee00bbe9d8547c7aced4bd9cb193bce15fb56e9e4220fc02a5bf9c14345ffb13a36b858701ec2d
+  languageName: node
+  linkType: hard
+
 "pump@npm:^3.0.0":
   version: 3.0.0
   resolution: "pump@npm:3.0.0"
@@ -10644,6 +11102,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"pvtsutils@npm:^1.3.2":
+  version: 1.3.5
+  resolution: "pvtsutils@npm:1.3.5"
+  dependencies:
+    tslib: ^2.6.1
+  checksum: e734516b3cb26086c18bd9c012fefe818928a5073178842ab7e62885a090f1dd7bda9c7bb8cd317167502cb8ec86c0b1b0ccd71dac7ab469382a4518157b0d12
+  languageName: node
+  linkType: hard
+
+"pvutils@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "pvutils@npm:1.1.3"
+  checksum: 2ee26a9e5176c348977d6ec00d8ee80bff62f51743b1c5fe8abeeb4c5d29d9959cdfe0ce146707a9e6801bce88190fed3002d720b072dc87d031c692820b44c9
+  languageName: node
+  linkType: hard
+
 "q@npm:^1.5.1":
   version: 1.5.1
   resolution: "q@npm:1.5.1"
@@ -10651,6 +11125,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"qs@npm:6.11.0":
+  version: 6.11.0
+  resolution: "qs@npm:6.11.0"
+  dependencies:
+    side-channel: ^1.0.4
+  checksum: 6e1f29dd5385f7488ec74ac7b6c92f4d09a90408882d0c208414a34dd33badc1a621019d4c799a3df15ab9b1d0292f97c1dd71dc7c045e69f81a8064e5af7297
+  languageName: node
+  linkType: hard
+
 "queue-microtask@npm:^1.2.2":
   version: 1.2.3
   resolution: "queue-microtask@npm:1.2.3"
@@ -10688,6 +11171,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"raw-body@npm:2.5.2":
+  version: 2.5.2
+  resolution: "raw-body@npm:2.5.2"
+  dependencies:
+    bytes: 3.1.2
+    http-errors: 2.0.0
+    iconv-lite: 0.4.24
+    unpipe: 1.0.0
+  checksum: ba1583c8d8a48e8fbb7a873fdbb2df66ea4ff83775421bfe21ee120140949ab048200668c47d9ae3880012f6e217052690628cf679ddfbd82c9fc9358d574676
+  languageName: node
+  linkType: hard
+
 "rc@npm:1.2.8":
   version: 1.2.8
   resolution: "rc@npm:1.2.8"
@@ -10762,6 +11257,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"react-native-dotenv@npm:^3.4.11":
+  version: 3.4.11
+  resolution: "react-native-dotenv@npm:3.4.11"
+  dependencies:
+    dotenv: ^16.4.5
+  peerDependencies:
+    "@babel/runtime": ^7.20.6
+  checksum: 3ebac2c2ed79dd7e4920fd3fc2da9187413b7190231618e4858b46c47833677838b96d531afe7bd5c4b0a60454dba40cb8708722210df5d522e30aefbf41da05
+  languageName: node
+  linkType: hard
+
 "react-native-sha256@npm:^1.4.10":
   version: 1.4.10
   resolution: "react-native-sha256@npm:1.4.10"
@@ -10940,6 +11446,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"readdirp@npm:~3.6.0":
+  version: 3.6.0
+  resolution: "readdirp@npm:3.6.0"
+  dependencies:
+    picomatch: ^2.2.1
+  checksum: 1ced032e6e45670b6d7352d71d21ce7edf7b9b928494dcaba6f11fba63180d9da6cd7061ebc34175ffda6ff529f481818c962952004d273178acd70f7059b320
+  languageName: node
+  linkType: hard
+
 "readline@npm:^1.3.0":
   version: 1.3.0
   resolution: "readline@npm:1.3.0"
@@ -11328,6 +11843,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"rimraf@npm:^5.0.5":
+  version: 5.0.5
+  resolution: "rimraf@npm:5.0.5"
+  dependencies:
+    glob: ^10.3.7
+  bin:
+    rimraf: dist/esm/bin.mjs
+  checksum: d66eef829b2e23b16445f34e73d75c7b7cf4cbc8834b04720def1c8f298eb0753c3d76df77325fad79d0a2c60470525d95f89c2475283ad985fd7441c32732d1
+  languageName: node
+  linkType: hard
+
 "rimraf@npm:~2.6.2":
   version: 2.6.3
   resolution: "rimraf@npm:2.6.3"
@@ -11392,7 +11918,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"safe-buffer@npm:~5.2.0":
+"safe-buffer@npm:5.2.1, safe-buffer@npm:~5.2.0":
   version: 5.2.1
   resolution: "safe-buffer@npm:5.2.1"
   checksum: b99c4b41fdd67a6aaf280fcd05e9ffb0813654894223afb78a31f14a19ad220bba8aba1cb14eddce1fcfb037155fe6de4e861784eb434f7d11ed58d1e70dd491
@@ -11525,7 +12051,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"serve-static@npm:^1.13.1":
+"serve-static@npm:1.15.0, serve-static@npm:^1.13.1":
   version: 1.15.0
   resolution: "serve-static@npm:1.15.0"
   dependencies:
@@ -11648,6 +12174,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"simple-update-notifier@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "simple-update-notifier@npm:2.0.0"
+  dependencies:
+    semver: ^7.5.3
+  checksum: 9ba00d38ce6a29682f64a46213834e4eb01634c2f52c813a9a7b8873ca49cdbb703696f3290f3b27dc067de6d9418b0b84bef22c3eb074acf352529b2d6c27fd
+  languageName: node
+  linkType: hard
+
 "sisteransi@npm:^1.0.5":
   version: 1.0.5
   resolution: "sisteransi@npm:1.0.5"
@@ -12089,7 +12624,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"supports-color@npm:^5.3.0":
+"supports-color@npm:^5.3.0, supports-color@npm:^5.5.0":
   version: 5.5.0
   resolution: "supports-color@npm:5.5.0"
   dependencies:
@@ -12281,6 +12816,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"touch@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "touch@npm:3.1.0"
+  dependencies:
+    nopt: ~1.0.10
+  bin:
+    nodetouch: ./bin/nodetouch.js
+  checksum: e0be589cb5b0e6dbfce6e7e077d4a0d5f0aba558ef769c6d9c33f635e00d73d5be49da6f8631db302ee073919d82b5b7f56da2987feb28765c95a7673af68647
+  languageName: node
+  linkType: hard
+
 "tr46@npm:~0.0.3":
   version: 0.0.3
   resolution: "tr46@npm:0.0.3"
@@ -12302,7 +12848,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ts-node@npm:^10.8.1":
+"ts-node@npm:^10.8.1, ts-node@npm:^10.9.2":
   version: 10.9.2
   resolution: "ts-node@npm:10.9.2"
   dependencies:
@@ -12347,7 +12893,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tslib@npm:^2.0.1, tslib@npm:^2.1.0, tslib@npm:^2.6.2":
+"tslib@npm:^2.0.1, tslib@npm:^2.1.0, tslib@npm:^2.4.0, tslib@npm:^2.6.1, tslib@npm:^2.6.2":
   version: 2.6.2
   resolution: "tslib@npm:2.6.2"
   checksum: 329ea56123005922f39642318e3d1f0f8265d1e7fcb92c633e0809521da75eeaca28d2cf96d7248229deb40e5c19adf408259f4b9640afd20d13aecc1430f3ad
@@ -12517,6 +13063,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"type-is@npm:~1.6.18":
+  version: 1.6.18
+  resolution: "type-is@npm:1.6.18"
+  dependencies:
+    media-typer: 0.3.0
+    mime-types: ~2.1.24
+  checksum: 2c8e47675d55f8b4e404bcf529abdf5036c537a04c2b20177bcf78c9e3c1da69da3942b1346e6edb09e823228c0ee656ef0e033765ec39a70d496ef601a0c657
+  languageName: node
+  linkType: hard
+
 "typed-array-buffer@npm:^1.0.1":
   version: 1.0.2
   resolution: "typed-array-buffer@npm:1.0.2"
@@ -12595,6 +13151,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"typescript@npm:^5.4.2":
+  version: 5.4.2
+  resolution: "typescript@npm:5.4.2"
+  bin:
+    tsc: bin/tsc
+    tsserver: bin/tsserver
+  checksum: 96d80fde25a09bcb04d399082fb27a808a9e17c2111e43849d2aafbd642d835e4f4ef0de09b0ba795ec2a700be6c4c2c3f62bf4660c05404c948727b5bbfb32a
+  languageName: node
+  linkType: hard
+
 "typescript@patch:typescript@^4.6.4 || ^5.2.2#~builtin<compat/typescript>, typescript@patch:typescript@^5.2.2#~builtin<compat/typescript>":
   version: 5.3.3
   resolution: "typescript@patch:typescript@npm%3A5.3.3#~builtin<compat/typescript>::version=5.3.3&hash=14eedb"
@@ -12605,6 +13171,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"typescript@patch:typescript@^5.4.2#~builtin<compat/typescript>":
+  version: 5.4.2
+  resolution: "typescript@patch:typescript@npm%3A5.4.2#~builtin<compat/typescript>::version=5.4.2&hash=14eedb"
+  bin:
+    tsc: bin/tsc
+    tsserver: bin/tsserver
+  checksum: c1b669146bca5529873aae60870e243fa8140c85f57ca32c42f898f586d73ce4a6b4f6bb02ae312729e214d7f5859a0c70da3e527a116fdf5ad00c9fc733ecc6
+  languageName: node
+  linkType: hard
+
 "uglify-js@npm:^3.1.4":
   version: 3.17.4
   resolution: "uglify-js@npm:3.17.4"
@@ -12633,6 +13209,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"undefsafe@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "undefsafe@npm:2.0.5"
+  checksum: f42ab3b5770fedd4ada175fc1b2eb775b78f609156f7c389106aafd231bfc210813ee49f54483d7191d7b76e483bc7f537b5d92d19ded27156baf57592eb02cc
+  languageName: node
+  linkType: hard
+
 "undici-types@npm:~5.26.4":
   version: 5.26.5
   resolution: "undici-types@npm:5.26.5"
@@ -12719,7 +13302,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"unpipe@npm:~1.0.0":
+"unpipe@npm:1.0.0, unpipe@npm:~1.0.0":
   version: 1.0.0
   resolution: "unpipe@npm:1.0.0"
   checksum: 4fa18d8d8d977c55cb09715385c203197105e10a6d220087ec819f50cb68870f02942244f1017565484237f1f8c5d3cd413631b1ae104d3096f24fdfde1b4aa2
@@ -12799,6 +13382,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"uuid@npm:^9.0.1":
+  version: 9.0.1
+  resolution: "uuid@npm:9.0.1"
+  bin:
+    uuid: dist/bin/uuid
+  checksum: 39931f6da74e307f51c0fb463dc2462807531dc80760a9bff1e35af4316131b4fc3203d16da60ae33f07fdca5b56f3f1dd662da0c99fea9aaeab2004780cc5f4
+  languageName: node
+  linkType: hard
+
 "v8-compile-cache-lib@npm:^3.0.1":
   version: 3.0.1
   resolution: "v8-compile-cache-lib@npm:3.0.1"

From 783018b2119f1f1695664dfcf988501cf0bf296d Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Sun, 10 Mar 2024 18:41:21 +0100
Subject: [PATCH 06/64] chore: update

---
 backend/package.json |  5 ++---
 backend/src/index.ts | 27 +++++++++++++++++++++------
 2 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/backend/package.json b/backend/package.json
index ae18bc3..0c1cfe2 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -4,10 +4,9 @@
   "description": "",
   "main": "index.js",
   "scripts": {
-    "start:dev": "npx nodemon",
+    "start": "npx nodemon",
     "test": "echo \"Error: no test specified\" && exit 1",
-    "build": "rimraf ./build && tsc",
-    "start": "npm run build && node build/index.js"
+    "build": "rimraf ./build && tsc"
   },
   "keywords": [],
   "author": "",
diff --git a/backend/src/index.ts b/backend/src/index.ts
index 03ced41..35688f3 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -17,11 +17,23 @@ let attestation: any = null;
 const BUNDLE_IDENTIFIER = process.env.BUNDLE_IDENTIFIER || '';
 const TEAM_IDENTIFIER = process.env.TEAM_IDENTIFIER || '';
 
+/**
+ * This endpoint is used to get the nonce for the attestation process.
+ * The nonce is a random string that is used to prevent replay attacks.
+ * The nonce is generated on the server and sent to the client.
+ * The client then sends the nonce back to the server as part of the attestation process.
+ */
 app.get('/attest/nonce', (_, res) => {
   console.debug(`challange was requested, returning ${nonce}`);
   res.send(JSON.stringify({ nonce }));
 });
 
+/**
+ * This endpoint is used to verify the attestation.
+ * The client sends the attestation and the challenge back to the server.
+ * The server then verifies the attestation and stores the public key for later use.
+ * The server also stores the keyId and the signCount.
+ */
 app.post(`/attest/verify`, (req, res) => {
   try {
     console.debug(`verify was requested: ${JSON.stringify(req.body, null, 2)}`);
@@ -42,16 +54,21 @@ app.post(`/attest/verify`, (req, res) => {
     attestation = {
       keyId: req.body.hardwareKeyTag,
       publicKey: result.publicKey,
-      signCount: 0,
+      signCount: 0, // is this be set incrementally?
     };
 
-    res.json({ result: 'ok' });
+    res.json({ result });
   } catch (error) {
     console.error(error);
     res.status(401).send({ error: 'Unauthorized' });
   }
 });
-
+/**
+ * This endpoint is used to verify the assertion.
+ * The client sends the assertion and the challenge back to the server.
+ * The server then verifies the assertion using the stored public key.
+ * The server also verifies the signCount and stores the new signCount.
+ */
 app.post(`/assertion/verify`, (req, res) => {
   try {
     const { hardwareKeyTag, assertion } = req.body;
@@ -68,7 +85,6 @@ app.post(`/assertion/verify`, (req, res) => {
       throw new Error('No attestation found');
     }
 
-    console.log(req.body.payload);
     const result = verifyAssertion({
       assertion: assertion,
       payload: req.body.payload,
@@ -78,10 +94,9 @@ app.post(`/assertion/verify`, (req, res) => {
       signCount: attestation.signCount,
     });
 
-    console.log(result);
     console.debug(`Received message: ${JSON.stringify(req.body)}`);
 
-    res.send({ result: 'ok' });
+    res.send({ result });
   } catch (error) {
     console.error(error);
     res.status(401).send({ error: 'Unauthorized' });

From c74e8e9aaf2c4172da924d07ce8a88b4a0741c56 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Sun, 10 Mar 2024 18:53:34 +0100
Subject: [PATCH 07/64] chore: update

---
 example/src/App.tsx | 23 +++--------------------
 package.json        |  2 +-
 2 files changed, 4 insertions(+), 21 deletions(-)

diff --git a/example/src/App.tsx b/example/src/App.tsx
index 79125ce..c52b493 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -1,5 +1,4 @@
 import * as React from 'react';
-import { Buffer } from 'buffer';
 import { sha256 } from 'react-native-sha256';
 import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
 import {
@@ -17,7 +16,7 @@ export default function App() {
     string | undefined
   >('');
   const [attestation, setAttestation] = React.useState<string | undefined>('');
-  const [decodedAttestation, setDecodedAttestation] = React.useState<
+  const [hsWithAssertion, setHsWithAssertion] = React.useState<
     string | undefined
   >('');
   const [isServiceAvailable, setIsServiceAvailable] =
@@ -54,18 +53,6 @@ export default function App() {
     }
   };
 
-  const decodeAttestation = () => {
-    // decode attestation from base64 to string
-    setDecodedAttestation(undefined);
-    if (attestation) {
-      const attestationDecoded = Buffer.from(attestation, 'base64').toString(
-        'hex'
-      );
-      setDecodedAttestation(attestationDecoded);
-      setDebugLog(attestationDecoded);
-    }
-  };
-
   const getHardwareSignatureWithAssertion = async () => {
     // this is a mocked jwk for ephimeral public key, in a production
     // environment the ephimeral key must be generated by the client
@@ -94,6 +81,7 @@ export default function App() {
         clientDataHash,
         hardwareKeyTag
       );
+      setHsWithAssertion(result);
       setDebugLog(result);
     }
   };
@@ -113,15 +101,10 @@ export default function App() {
             onPress={() => requestAttestation()}
             loading={attestation === undefined}
           />
-          <ButtonWithLoader
-            title="Decode Attestation"
-            onPress={() => decodeAttestation()}
-            loading={decodedAttestation === undefined}
-          />
           <ButtonWithLoader
             title="Generate HS and Assertion"
             onPress={() => getHardwareSignatureWithAssertion()}
-            loading={decodedAttestation === undefined}
+            loading={hsWithAssertion === undefined}
           />
         </>
       ) : null}
diff --git a/package.json b/package.json
index 6b638ce..7015f99 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
     "!**/.*"
   ],
   "scripts": {
-    "example": "yarn workspace @pagopa/io-react-native-integrity-example",
+    "example": "yarn workspace @pagopa/io-react-native-integrity-example start",
     "test": "jest",
     "typecheck": "tsc --noEmit",
     "lint": "eslint \"**/*.{js,ts,tsx}\"",

From 63b062a08ad5e2af8b87248f92ed01e365e4755a Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 11 Mar 2024 18:58:43 +0100
Subject: [PATCH 08/64] chore: update

---
 example/src/App.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example/src/App.tsx b/example/src/App.tsx
index c6dad33..f6cd015 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -163,12 +163,12 @@ export default function App() {
           <ButtonWithLoader
             title="VerifyAttestation"
             onPress={() => verifyAttestation()}
-            loading={attestation === undefined}
+            loading={false}
           />
           <ButtonWithLoader
             title="VerifyAssertion"
             onPress={() => verifyAssertion()}
-            loading={assertion === undefined}
+            loading={false}
           />
         </>
       ) : null}

From b4307d6bef15d6dee664bfb91040c4b7e320d31a Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 11 Mar 2024 19:01:40 +0100
Subject: [PATCH 09/64] chore: update

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 7015f99..6b638ce 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
     "!**/.*"
   ],
   "scripts": {
-    "example": "yarn workspace @pagopa/io-react-native-integrity-example start",
+    "example": "yarn workspace @pagopa/io-react-native-integrity-example",
     "test": "jest",
     "typecheck": "tsc --noEmit",
     "lint": "eslint \"**/*.{js,ts,tsx}\"",

From dff1ae224cc7b6a24318c5dfc1d84e9a13904197 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Wed, 13 Mar 2024 15:08:18 +0100
Subject: [PATCH 10/64] feat: add standard integrity check request

---
 android/build.gradle                          |   2 +
 .../IoReactNativeIntegrityModule.kt           | 108 +++++++++++++++++-
 example/src/App.tsx                           |  95 +++++++++++++--
 example/src/components/ButtonWithLoader.tsx   |  40 +++++++
 src/index.tsx                                 |  30 +++++
 5 files changed, 258 insertions(+), 17 deletions(-)
 create mode 100644 example/src/components/ButtonWithLoader.tsx

diff --git a/android/build.gradle b/android/build.gradle
index 979f818..8c0f2da 100644
--- a/android/build.gradle
+++ b/android/build.gradle
@@ -90,5 +90,7 @@ dependencies {
   //noinspection GradleDynamicVersion
   implementation "com.facebook.react:react-native:+"
   implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
+  implementation 'com.google.android.play:integrity:1.3.0'
+  implementation 'com.google.android.gms:play-services-base:18.3.0'
 }
 
diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index 3bf72ca..e51b4f2 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -1,25 +1,123 @@
 package com.pagopa.ioreactnativeintegrity
 
+import com.facebook.react.bridge.Promise
 import com.facebook.react.bridge.ReactApplicationContext
 import com.facebook.react.bridge.ReactContextBaseJavaModule
 import com.facebook.react.bridge.ReactMethod
-import com.facebook.react.bridge.Promise
+import com.facebook.react.bridge.WritableMap
+import com.facebook.react.bridge.WritableNativeMap
+import com.google.android.gms.common.GoogleApiAvailability
+import com.google.android.gms.tasks.Task
+import com.google.android.play.core.integrity.IntegrityManagerFactory
+import com.google.android.play.core.integrity.StandardIntegrityManager
+import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityToken
+import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityTokenProvider
+import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityTokenRequest
+
 
 class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
   ReactContextBaseJavaModule(reactContext) {
 
+  private lateinit var integrityTokenProvider: StandardIntegrityTokenProvider
+
   override fun getName(): String {
     return NAME
   }
 
-  // Example method
-  // See https://reactnative.dev/docs/native-modules-android
+  /**
+   * Function which returns a resolved promise with a boolean value indicating whether or not
+   * Google Play Services is available on the device or not.
+   * isGooglePlayServicesAvailable returns status code indicating whether there was an error.
+   * Can be one of following in [com.google.android.gms.common.ConnectionResult]:
+   * SUCCESS: 0,
+   * SERVICE_MISSING:1,
+   * SERVICE_UPDATING: 18
+   * SERVICE_VERSION_UPDATE_REQUIRED: 2
+   * SERVICE_DISABLED: 3
+   * SERVICE_INVALID: 9
+   * We map SUCCESS, SERVICE_UPDATING, SERVICE_VERSION_UPDATE_REQUIRED (0, 18, 2) to true.
+   * SERVICE_MISSING, SERVICE_DISABLED and SERVICE_INVALID (1,3,9) to false.
+   * [Source](https://developers.google.com/android/reference/com/google/android/gms/common/GoogleApiAvailability#isGooglePlayServicesAvailable(android.content.Context))
+   * @param promise - the React Native promise to be resolved.
+   * @return a resolved promise which is true if Google Play Services is available, false otherwise.
+   */
   @ReactMethod
-  fun multiply(a: Double, b: Double, promise: Promise) {
-    promise.resolve(a * b)
+  fun isPlayServicesAvailable (promise: Promise){
+    val result = when (GoogleApiAvailability.getInstance().isGooglePlayServicesAvailable(reactApplicationContext)) {
+      0, 18, 2 -> true
+      else -> false
+    }
+    promise.resolve(result)
+  }
+
+  @ReactMethod
+  fun prepare(cloudProjectNumber: String, promise: Promise) {
+    try {
+      val cpn = cloudProjectNumber.toLong()
+      val standardIntegrityManager: StandardIntegrityManager =
+        IntegrityManagerFactory.createStandard(reactApplicationContext)
+      standardIntegrityManager.prepareIntegrityToken(
+        StandardIntegrityManager.PrepareIntegrityTokenRequest.builder()
+          .setCloudProjectNumber(cpn)
+          .build()
+      )
+        .addOnSuccessListener { integrityTokenProvider = it; promise.resolve(null) }
+        .addOnFailureListener { promise.reject(it) }
+    }catch (_: NumberFormatException){
+      ModuleException.WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT.reject(promise)
+    }catch (e: Exception){
+      ModuleException.PREPARE_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e)))
+    }
+  }
+
+  @ReactMethod
+  fun requestToken(requestHash: String?, promise: Promise) {
+    try {
+      val integrityTokenResponse: Task<StandardIntegrityToken> = integrityTokenProvider.request(
+        StandardIntegrityTokenRequest.builder()
+          .setRequestHash(requestHash)
+          .build()
+      )
+      integrityTokenResponse
+        .addOnSuccessListener { response -> promise.resolve((response.token())) }
+        .addOnFailureListener { exception -> promise.reject(exception) }
+    }catch(_: UninitializedPropertyAccessException){
+        ModuleException.PREPARE_NOT_CALLED.reject(promise)
+    }
+    catch (e: Exception){
+      ModuleException.REQUEST_TOKEN_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e)))
+    }
+  }
+
+  private fun getExceptionMessageOrEmpty(e: Exception): String{
+    return e.message ?: ""
   }
 
   companion object {
     const val NAME = "IoReactNativeIntegrity"
+    const val ERROR_USER_INFO_KEY = "error"
+
+    private enum class ModuleException(
+      val ex: Exception
+    ) {
+      WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT(Exception("WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT")),
+      PREPARE_FAILED(Exception("PREPARE_TOKEN_EXCEPTION")),
+      PREPARE_NOT_CALLED(Exception("PREPARE_NOT_CALLED")),
+      REQUEST_TOKEN_FAILED(Exception("REQUEST_TOKEN_FAILED"));
+
+      fun reject(
+        promise: Promise, vararg args: Pair<String, String>
+      ) {
+        exMap(*args).let {
+          promise.reject(it.first, ex.message, it.second)
+        }
+      }
+
+      private fun exMap(vararg args: Pair<String, String>): Pair<String, WritableMap> {
+        val writableMap = WritableNativeMap()
+        args.forEach { writableMap.putString(it.first, it.second) }
+        return Pair(this.ex.message ?: "UNKNOWN", writableMap)
+      }
+    }
   }
 }
diff --git a/example/src/App.tsx b/example/src/App.tsx
index 71a5d0f..356838d 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -1,19 +1,82 @@
 import * as React from 'react';
+import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
+import {
+  isPlayServicesAvailable,
+  prepare,
+  requestToken,
+} from '@pagopa/io-react-native-integrity';
+import ButtonWithLoader from './components/ButtonWithLoader';
 
-import { StyleSheet, View, Text } from 'react-native';
-import { multiply } from '@pagopa/io-react-native-integrity';
+const GOOGLE_CLOUD_PROJECT_NUMBER = '1234567890';
 
 export default function App() {
-  const [result, setResult] = React.useState<number | undefined>();
+  const [isServiceAvailable, setIsServiceAvailable] =
+    React.useState<boolean>(false);
+  const [isPrepareLoading, setIsPrepareLoading] =
+    React.useState<boolean>(false);
+  const [isRequestTokenLoading, setIsRequestTokenLoading] =
+    React.useState<boolean>(false);
+  const [debugLog, setDebugLog] = React.useState<string>('.. >');
 
   React.useEffect(() => {
-    multiply(3, 7).then(setResult);
+    isPlayServicesAvailable()
+      .then((result) => {
+        setIsServiceAvailable(result);
+      })
+      .catch((error) => {
+        setDebugLog(error);
+      });
   }, []);
 
+  const prepareCallback = async () => {
+    if (isServiceAvailable) {
+      try {
+        setIsPrepareLoading(true);
+        await prepare(GOOGLE_CLOUD_PROJECT_NUMBER);
+        setIsPrepareLoading(false);
+      } catch (e) {
+        setIsPrepareLoading(false);
+        setDebugLog(`${e}`);
+      }
+    }
+  };
+
+  const requestTokenCallback = async () => {
+    if (isServiceAvailable) {
+      try {
+        setIsRequestTokenLoading(true);
+        const rq = await requestToken();
+
+        setIsRequestTokenLoading(false);
+        setDebugLog(rq);
+      } catch (e) {
+        setIsRequestTokenLoading(false);
+        setDebugLog(`${e}`);
+      }
+    }
+  };
+
   return (
-    <View style={styles.container}>
-      <Text>Result: {result}</Text>
-    </View>
+    <SafeAreaView style={styles.container}>
+      <Text style={styles.h1}>Integrity Check Demo App</Text>
+      {isServiceAvailable ? (
+        <>
+          <ButtonWithLoader
+            title="Prepare"
+            onPress={() => prepareCallback()}
+            loading={isPrepareLoading}
+          />
+          <ButtonWithLoader
+            title="Get attestation"
+            onPress={() => requestTokenCallback()}
+            loading={isRequestTokenLoading}
+          />
+        </>
+      ) : null}
+      <ScrollView style={styles.debug}>
+        <Text>{debugLog}</Text>
+      </ScrollView>
+    </SafeAreaView>
   );
 }
 
@@ -21,11 +84,19 @@ const styles = StyleSheet.create({
   container: {
     flex: 1,
     alignItems: 'center',
-    justifyContent: 'center',
   },
-  box: {
-    width: 60,
-    height: 60,
-    marginVertical: 20,
+  h1: {
+    fontWeight: 'bold',
+    fontSize: 32,
+    textAlign: 'center',
+    marginTop: 50,
+    marginBottom: 50,
+  },
+  debug: {
+    width: '100%',
+    height: 300,
+    position: 'absolute',
+    bottom: 0,
+    backgroundColor: '#eaeaea',
   },
 });
diff --git a/example/src/components/ButtonWithLoader.tsx b/example/src/components/ButtonWithLoader.tsx
new file mode 100644
index 0000000..26a65ef
--- /dev/null
+++ b/example/src/components/ButtonWithLoader.tsx
@@ -0,0 +1,40 @@
+import React from 'react';
+import { ActivityIndicator, Button, StyleSheet, View } from 'react-native';
+
+type Props = {
+  /**
+   * The title of the button
+   */
+  title: string;
+  /**
+   * The action to perform when the button is pressed
+   */
+  onPress: () => void;
+  /**
+   * Whether the button is in a loading state
+   */
+  loading?: boolean;
+};
+
+/**
+ * A button component with a loader that can be shown when the button is in a loading state.
+ * The loader is a spinner showed at the right of the button title.
+ */
+const ButtonWithLoader = (props: Props) => {
+  return (
+    <View style={styles.container}>
+      <Button
+        title={props.title}
+        onPress={props.onPress}
+        disabled={props.loading}
+      />
+      {props.loading && <ActivityIndicator />}
+    </View>
+  );
+};
+
+const styles = StyleSheet.create({
+  container: { flexDirection: 'row', alignItems: 'center' },
+});
+
+export default ButtonWithLoader;
diff --git a/src/index.tsx b/src/index.tsx
index ed57c88..5b42635 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -20,3 +20,33 @@ const IoReactNativeIntegrity = NativeModules.IoReactNativeIntegrity
 export function multiply(a: number, b: number): Promise<number> {
   return IoReactNativeIntegrity.multiply(a, b);
 }
+
+export function isPlayServicesAvailable(): Promise<boolean> {
+  return IoReactNativeIntegrity.isPlayServicesAvailable();
+}
+
+export function prepare(cloudProjectNumber: string): Promise<void> {
+  return IoReactNativeIntegrity.prepare(cloudProjectNumber);
+}
+
+export function requestToken(requestHash?: string): Promise<string> {
+  return IoReactNativeIntegrity.requestToken(requestHash);
+}
+type IntegrityErrorCodesAndroid =
+  | 'WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT'
+  | 'PREPARE_FAILED'
+  | 'PREPARE_NOT_CALLED'
+  | 'REQUEST_TOKEN_FAILED';
+
+export type IntegrityErrorCodes = IntegrityErrorCodesAndroid;
+
+/**
+ * Error type returned by a rejected promise.
+ *
+ * If additional error information are available,
+ * they are stored in the {@link CryptoError["info"]} field.
+ */
+export type IntegrityError = {
+  message: IntegrityErrorCodes;
+  info: Record<string, string>;
+};

From 3dfeebf89207d6d32c69400d4ea0ff6687be31cb Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Wed, 13 Mar 2024 17:09:51 +0100
Subject: [PATCH 11/64] chore: update

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index f559641..a02647a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -77,3 +77,6 @@ android/keystores/debug.keystore
 
 # generated by bob
 lib/
+
+# Env
+.env
\ No newline at end of file

From daf904762a69131386c3b60958eb5226475ca19c Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Wed, 13 Mar 2024 17:41:17 +0100
Subject: [PATCH 12/64] chore: update

---
 ios/IntegrityError.swift         | 54 --------------------
 ios/IoReactNativeIntegrity.swift | 85 +++++++++++++++++++++++---------
 src/index.tsx                    | 61 +++++++++++++++++++++++
 3 files changed, 124 insertions(+), 76 deletions(-)
 delete mode 100644 ios/IntegrityError.swift

diff --git a/ios/IntegrityError.swift b/ios/IntegrityError.swift
deleted file mode 100644
index 92c3497..0000000
--- a/ios/IntegrityError.swift
+++ /dev/null
@@ -1,54 +0,0 @@
-//
-//  IntegrityError.swift
-//  pagopa-io-react-native-integrity
-//
-//  Created by Mario Perrotta on 07/03/24.
-//
-
-enum IntegrityError: Error {
-    case generationKeyFailed
-    case unsupportedService
-    case attestationError
-    case unsupportedIOSVersion
-    case challengeError
-    case clientDataEncoding
-    case generationAssertionFailed
-    
-    var code: String {
-        switch self {
-          case .generationKeyFailed:
-              return "generation_key_failed"
-          case .unsupportedService:
-              return "unsupported_service"
-          case .attestationError:
-              return "attestation_error"
-          case .unsupportedIOSVersion:
-              return "unsupported_ios_version"
-          case .challengeError:
-              return "challenge_error"
-          case .clientDataEncoding:
-              return "client_data_encoding_error"
-          case .generationAssertionFailed:
-              return "generation_assertion_failed"
-        }
-    }
-    
-    var message: String {
-        switch self {
-          case .generationKeyFailed:
-              return "Generation key failed."
-          case .unsupportedService:
-              return "Unsupported service."
-          case .attestationError:
-              return "Attestation error during generation."
-          case .unsupportedIOSVersion:
-              return "App attest service requires iOS 14 or above."
-          case .challengeError:
-              return "Error getting challenge data"
-          case .clientDataEncoding:
-              return "Error encoding client data"
-          case .generationAssertionFailed:
-              return "Generation Assertion failed"
-        }
-    }
-}
diff --git a/ios/IoReactNativeIntegrity.swift b/ios/IoReactNativeIntegrity.swift
index 8c3cc2a..85d8ddd 100644
--- a/ios/IoReactNativeIntegrity.swift
+++ b/ios/IoReactNativeIntegrity.swift
@@ -4,14 +4,7 @@ import CryptoKit
 /// A class to interact with the DeviceCheck and CryptoKit frameworks to ensure the integrity of the device and app.
 @objc(IoReactNativeIntegrity)
 class IoReactNativeIntegrity: NSObject {
-  
-  /// Private function to rejects a promise with a specified error.
-  /// - Parameters:
-  ///   - reject: The promise reject block to call when rejecting a promise.
-  ///   - error: The error to use for rejection, providing an error code and message.
-  private func rejectPromise(_ reject: @escaping RCTPromiseRejectBlock, withError error: IntegrityError) {
-    reject(error.code, error.message, nil)
-  }
+  private typealias ME = ModuleException
   
   /// Determines if the DeviceCheck App Attestation Service is available on the device.
   /// - Parameters:
@@ -20,14 +13,14 @@ class IoReactNativeIntegrity: NSObject {
   @objc(isAttestationServiceAvailable:withRejecter:)
   func isAttestationServiceAvailable(resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
     guard #available(iOS 14.0, *) else {
-      self.rejectPromise(reject, withError: .unsupportedIOSVersion)
+      ME.unsupportedService.reject(reject: reject)
       return
     }
     
     if DCAppAttestService.shared.isSupported {
       resolve(true)
     } else {
-      self.rejectPromise(reject, withError: .unsupportedService)
+      ME.unsupportedService.reject(reject: reject)
     }
   }
   
@@ -39,7 +32,7 @@ class IoReactNativeIntegrity: NSObject {
   func generateHardwareKey(resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
     
     guard #available(iOS 14.0, *) else {
-      self.rejectPromise(reject, withError: .unsupportedIOSVersion)
+      ME.unsupportedIOSVersion.reject(reject: reject)
       return
     }
     
@@ -49,7 +42,7 @@ class IoReactNativeIntegrity: NSObject {
       service.generateKey { hardwareKeyTag, error in
           
         guard error == nil else {
-          self.rejectPromise(reject, withError: .generationKeyFailed)
+          ME.generationKeyFailed.reject(reject: reject, ("error", error?.localizedDescription ?? ""))
           return
         }
           
@@ -57,7 +50,7 @@ class IoReactNativeIntegrity: NSObject {
           
       }
     } else {
-      self.rejectPromise(reject, withError: .unsupportedService)
+      ME.unsupportedService.reject(reject: reject);
     }
   }
   
@@ -71,7 +64,7 @@ class IoReactNativeIntegrity: NSObject {
   func getAttestation(challenge: String, hardwareKeyTag: String, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
     
     guard #available(iOS 14.0, *) else {
-      self.rejectPromise(reject, withError: .unsupportedIOSVersion)
+      ME.unsupportedIOSVersion.reject(reject: reject);
       return
     }
     
@@ -80,8 +73,8 @@ class IoReactNativeIntegrity: NSObject {
       
       // Safely encode the challenge string to data and generate a hash.
       guard let challengeData = challenge.data(using: .utf8) else {
-          self.rejectPromise(reject, withError: .challengeError)
-          return
+        ME.challengeError.reject(reject: reject)
+        return
       }
       let hash = Data(SHA256.hash(data: challengeData))
       
@@ -89,7 +82,7 @@ class IoReactNativeIntegrity: NSObject {
       service.attestKey(hardwareKeyTag, clientDataHash: hash) {attestation, error in
             
         guard error == nil else {
-          self.rejectPromise(reject, withError: .attestationError)
+          ME.attestationError.reject(reject: reject, ("error", error?.localizedDescription ?? ""))
           return
         }
         
@@ -98,7 +91,7 @@ class IoReactNativeIntegrity: NSObject {
         }
         
     } else {
-      self.rejectPromise(reject, withError: .unsupportedService)
+      ME.unsupportedService.reject(reject: reject)
     }
   }
   
@@ -112,7 +105,7 @@ class IoReactNativeIntegrity: NSObject {
   func generateHardwareSignatureWithAssertion(clientData: String, hardwareKeyTag: String, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
     
     guard #available(iOS 14.0, *) else {
-      self.rejectPromise(reject, withError: .unsupportedIOSVersion)
+      ME.unsupportedIOSVersion.reject(reject: reject)
       return
     }
     
@@ -121,7 +114,7 @@ class IoReactNativeIntegrity: NSObject {
       
       // Safely encode the clientData string to data and generate a hash.
       guard let encodedClientData = clientData.data(using: .utf8) else {
-        self.rejectPromise(reject, withError: .clientDataEncoding)
+        ME.clientDataEncodingError.reject(reject: reject)
         return
       }
       
@@ -130,7 +123,7 @@ class IoReactNativeIntegrity: NSObject {
       service.generateAssertion(hardwareKeyTag, clientDataHash: clientDataHash) { assertion, error in
         
         guard error == nil else {
-          self.rejectPromise(reject, withError: .generationAssertionFailed)
+          ME.generationAssertionFailed.reject(reject: reject, ("error", error?.localizedDescription ?? ""))
           return
         }
         
@@ -139,8 +132,56 @@ class IoReactNativeIntegrity: NSObject {
         
       }
     } else {
-      self.rejectPromise(reject, withError: .unsupportedService)
+      ME.unsupportedService.reject(reject: reject)
     }
   }
   
+  /// A private enum to handle exceptions and errors.
+  /// - generationKeyFailed: The hardware key generation failed.
+  /// - unsupportedService: The DeviceCheck App Attestation Service is not supported.
+  /// - attestationError: The attestation request failed.
+  /// - unsupportedIOSVersion: The iOS version is not supported.
+  /// - challengeError: The challenge encoding failed.
+  /// - clientDataEncodingError: The clientData encoding failed.
+  /// - generationAssertionFailed: The assertion generation failed.
+  private enum ModuleException: String, CaseIterable {
+    
+    case generationKeyFailed = "GENERATION_KEY_FAILED"
+    case unsupportedService = "UNSUPPORTED_SERVICE"
+    case attestationError = "ATTESTATION_ERROR"
+    case unsupportedIOSVersion = "UNSUPPORTED_IOS_VERSION"
+    case challengeError = "CHALLANGE_ERROR"
+    case clientDataEncodingError = "CLIENT_DATA_ENCODING_ERROR"
+    case generationAssertionFailed = "GENERATION_ASSERTION_FAILED"
+      
+      func error(userInfo: [String : Any]? = nil) -> NSError {
+        switch self {
+        case .generationKeyFailed:
+          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
+        case .unsupportedService:
+          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
+        case .attestationError:
+          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
+        case .unsupportedIOSVersion:
+          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
+        case .challengeError:
+          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
+        case .clientDataEncodingError:
+          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
+        case .generationAssertionFailed:
+          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
+        }
+      }
+      
+      /// Rejects a promise with the error.
+      /// - Parameters:
+      ///  - reject: The promise reject block to call in case of an error.
+      ///  - moreUserInfo: A list of tuples to add more information to the error.
+      func reject(reject: RCTPromiseRejectBlock, _ moreUserInfo: (String, Any)...) {
+        var userInfo = [String : Any]()
+        moreUserInfo.forEach { userInfo[$0.0] = $0.1 }
+        let error = error(userInfo: userInfo)
+        reject("\(error.code)", error.domain, error)
+      }
+    }
 }
diff --git a/src/index.tsx b/src/index.tsx
index 19b5d01..552d6c0 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -1,5 +1,30 @@
 import { NativeModules, Platform } from 'react-native';
 
+/**
+ * Error codes returned by the iOS module.
+ */
+type IntegrityErrorCodesIOS =
+  | 'GENERATION_KEY_FAILED'
+  | 'UNSUPPORTED_SERVICE'
+  | 'ATTESTATION_ERROR'
+  | 'UNSUPPORTED_IOS_VERSION'
+  | 'CHALLANGE_ERROR'
+  | 'CLIENT_DATA_ENCODING_ERROR'
+  | 'GENERATION_ASSERTION_FAILED';
+
+export type IntegrityErrorCodes = IntegrityErrorCodesIOS;
+
+/**
+ * Error type returned by a rejected promise.
+ *
+ * If additional error information are available,
+ * they are stored in the {@link IntegrityError["userInfo"]} field.
+ */
+export type IntegrityError = {
+  message: IntegrityErrorCodes;
+  userInfo: Record<string, string>;
+};
+
 const LINKING_ERROR =
   `The package '@pagopa/io-react-native-integrity' doesn't seem to be linked. Make sure: \n\n` +
   Platform.select({ ios: "- You have run 'pod install'\n", default: '' }) +
@@ -17,14 +42,40 @@ const IoReactNativeIntegrity = NativeModules.IoReactNativeIntegrity
       }
     );
 
+/**
+ * This function checks if the attestation service is available on the device.
+ *
+ * If it is not possible to retrive the key, the promise is rejected providing an
+ * instance of {@link IntegrityError}.
+ *
+ * @returns a promise that resolves to a boolean.
+ */
 export function isAttestationServiceAvailable(): Promise<boolean> {
   return IoReactNativeIntegrity.isAttestationServiceAvailable();
 }
 
+/**
+ * This function generates a hardware key that can be used into the attestation process.
+ *
+ * If it is not possible to retrive the key, the promise is rejected providing an
+ * instance of {@link IntegrityError}.
+ *
+ * @returns a promise that resolves to a string.
+ */
 export function generateHardwareKey(): Promise<string> {
   return IoReactNativeIntegrity.generateHardwareKey();
 }
 
+/**
+ * This function generates an attestation for the given challenge and hardware key.
+ *
+ * If it is not possible to retrive the attestation, the promise is rejected providing an
+ * instance of {@link IntegrityError}.
+ *
+ * @param challenge challange to be used in the attestation process returned byt a backend service
+ * @param hardwareKeyTag hardware key to be used in the attestation process
+ * @returns a promise that resolves to a string.
+ */
 export function getAttestation(
   challenge: string,
   hardwareKeyTag: string
@@ -32,6 +83,16 @@ export function getAttestation(
   return IoReactNativeIntegrity.getAttestation(challenge, hardwareKeyTag);
 }
 
+/**
+ * This function generates a signature for the given client data given an hardware key.
+ *
+ * If it is not possible to retrive the signature, the promise is rejected providing an
+ * instance of {@link IntegrityError}.
+ *
+ * @param clientData client data to be signed
+ * @param hardwareKeyTag hardware key to be used in the signature process
+ * @returns a promise that resolves to a string.
+ */
 export function generateHardwareSignatureWithAssertion(
   clientData: string,
   hardwareKeyTag: string

From 930e8e41613aa515a65a2e40bc6f706a8b95e267 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Thu, 14 Mar 2024 09:13:42 +0100
Subject: [PATCH 13/64] chore: update

---
 example/ios/Podfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/ios/Podfile.lock b/example/ios/Podfile.lock
index 53d9fc9..7a3b767 100644
--- a/example/ios/Podfile.lock
+++ b/example/ios/Podfile.lock
@@ -1383,4 +1383,4 @@ SPEC CHECKSUMS:
 
 PODFILE CHECKSUM: fd9c38ef526dee311429a7a1ecc7347bb228ae7f
 
-COCOAPODS: 1.14.3
+COCOAPODS: 1.15.2

From 445559b4e4417e7e9a07542e9bacf9dbe2fd3340 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Thu, 14 Mar 2024 09:14:54 +0100
Subject: [PATCH 14/64] fix: syntax

---
 backend/.env.local | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/.env.local b/backend/.env.local
index 8aef389..2d1cb3e 100644
--- a/backend/.env.local
+++ b/backend/.env.local
@@ -1,3 +1,3 @@
 PORT =
-BUNDLE_IDENTIFIER = '';
-TEAM_IDENTIFIER = '';
+BUNDLE_IDENTIFIER = ''
+TEAM_IDENTIFIER = ''

From 5f1988f813636e9e2cc07df0c43fc7516fc9bc87 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Thu, 14 Mar 2024 09:21:06 +0100
Subject: [PATCH 15/64] chore: update

---
 backend/README.md | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/backend/README.md b/backend/README.md
index 0519ecb..ba65823 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -1 +1,33 @@
- 
\ No newline at end of file
+# Getting Started
+
+### This is a dev server to test integrity check integration with the example app adding verification steps.
+
+## NodeJS
+
+To run the project you need to install the correct version of NodeJS.
+We recommend the use of a virtual environment of your choice. For ease of use, this guide adopts [nodenv](https://github.com/nodenv/nodenv) for NodeJS, [rbenv](https://github.com/rbenv/rbenv) for Ruby.
+
+The node version used in this project is stored in [.node-version](.node-version),
+while the version of Ruby is stored in [.ruby-version](.ruby-version).
+
+## Build the app
+
+```bash
+# Install NodeJS with nodenv, the returned version should match the one in the .node-version file
+$ nodenv install && nodenv version
+
+# Install yarn and rehash to install shims
+$ npm install -g yarn && nodenv rehash
+
+# Install dependencies
+# Run this only during the first setup and when JS dependencies change
+$ yarn install
+```
+
+## Run the app
+
+```bash
+# First edit .env to add a BACKEND_ADDRESS (is required to use real local ip address instead localhost)
+$ cp .env.local env.local
+$ yarn start
+```

From 9d02fa7355cf509445a139ed943f172b4a40ce3b Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Thu, 14 Mar 2024 09:23:37 +0100
Subject: [PATCH 16/64] chore: update

---
 backend/src/index.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/backend/src/index.ts b/backend/src/index.ts
index 35688f3..7f17e22 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -12,8 +12,13 @@ app.use(bodyParser.urlencoded({ extended: false }));
 
 const port = process.env.PORT || 3000;
 const nonce = uuid();
+
+// Please note that this is a simple example and the attestation should be stored in a secure way.
+// Every time the server restarts, the attestation is lost. Every time the app verify the attestation
+// this value be overwritten. This is just a simple example.
 let attestation: any = null;
 
+// The bundle identifier and team identifier are used to verify the attestation and assertion.
 const BUNDLE_IDENTIFIER = process.env.BUNDLE_IDENTIFIER || '';
 const TEAM_IDENTIFIER = process.env.TEAM_IDENTIFIER || '';
 

From c45a51c75efadbbea176056cbf77b5c40c4ed6b5 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 14 Mar 2024 17:24:51 +0100
Subject: [PATCH 17/64] feat: add key attestation method

---
 .../IoReactNativeIntegrityModule.kt           | 180 +++++++++++++++++-
 example/android/build.gradle                  |   2 +-
 example/src/App.tsx                           |  36 +++-
 src/index.tsx                                 |  77 +++++++-
 4 files changed, 270 insertions(+), 25 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index e51b4f2..f243b6f 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -1,5 +1,15 @@
 package com.pagopa.ioreactnativeintegrity
 
+import android.content.pm.PackageManager
+import android.os.Build
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyInfo
+import android.security.keystore.KeyProperties
+import android.security.keystore.KeyProperties.SECURITY_LEVEL_STRONGBOX
+import android.security.keystore.KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
+import android.security.keystore.KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE
+import android.util.Base64
+import androidx.annotation.RequiresApi
 import com.facebook.react.bridge.Promise
 import com.facebook.react.bridge.ReactApplicationContext
 import com.facebook.react.bridge.ReactContextBaseJavaModule
@@ -13,6 +23,12 @@ import com.google.android.play.core.integrity.StandardIntegrityManager
 import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityToken
 import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityTokenProvider
 import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityTokenRequest
+import java.security.KeyFactory
+import java.security.KeyPair
+import java.security.KeyPairGenerator
+import java.security.KeyStore
+import java.security.PrivateKey
+import java.security.spec.ECGenParameterSpec
 
 
 class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
@@ -20,6 +36,18 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
 
   private lateinit var integrityTokenProvider: StandardIntegrityTokenProvider
 
+  private val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER)
+
+  /**
+   * Constructor which initializes the keystore engine.
+   */
+  init {
+    keyStore.load(null)
+  }
+
+  /**
+   * Get name of the package, required by React Native bridge.
+   */
   override fun getName(): String {
     return NAME
   }
@@ -37,9 +65,9 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    * SERVICE_INVALID: 9
    * We map SUCCESS, SERVICE_UPDATING, SERVICE_VERSION_UPDATE_REQUIRED (0, 18, 2) to true.
    * SERVICE_MISSING, SERVICE_DISABLED and SERVICE_INVALID (1,3,9) to false.
+   * The promise is resolved to true if Google Play Services is available, to false otherwise.
    * [Source](https://developers.google.com/android/reference/com/google/android/gms/common/GoogleApiAvailability#isGooglePlayServicesAvailable(android.content.Context))
-   * @param promise - the React Native promise to be resolved.
-   * @return a resolved promise which is true if Google Play Services is available, false otherwise.
+   * @param promise the React Native promise to be resolved or reject.
    */
   @ReactMethod
   fun isPlayServicesAvailable (promise: Promise){
@@ -50,8 +78,20 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
     promise.resolve(result)
   }
 
+  /**
+   * Preparation step for a [Play Integrity standard API request](https://developer.android.com/google/play/integrity/standard).
+   * It prepares the integrity token provider before obtaining the integrity verdict.
+   * It should be called well before the moment an integrity verdict is needed, for example
+   * when starting the application. It can also be called time to time to refresh it.
+   * The React Native promise is resolved with an empty payload on success, otherwise
+   * it gets rejected when:
+   * - The preparation fails;
+   * - The provided [cloudProjectNumber] format is incorrect.
+   * @param cloudProjectNumber a Google Cloud project number which is supposed to be composed only by numbers (Long).
+   * @param promise the React Native promise to be resolved or rejected.
+   */
   @ReactMethod
-  fun prepare(cloudProjectNumber: String, promise: Promise) {
+  fun prepareIntegrityToken(cloudProjectNumber: String, promise: Promise) {
     try {
       val cpn = cloudProjectNumber.toLong()
       val standardIntegrityManager: StandardIntegrityManager =
@@ -61,8 +101,8 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
           .setCloudProjectNumber(cpn)
           .build()
       )
-        .addOnSuccessListener { integrityTokenProvider = it; promise.resolve(null) }
-        .addOnFailureListener { promise.reject(it) }
+        .addOnSuccessListener { res -> integrityTokenProvider = res; promise.resolve(null) }
+        .addOnFailureListener { ex -> ModuleException.PREPARE_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))) }
     }catch (_: NumberFormatException){
       ModuleException.WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT.reject(promise)
     }catch (e: Exception){
@@ -70,8 +110,19 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
     }
   }
 
+  /**
+   * Integrity token request step for a [Play Integrity standard API request](https://developer.android.com/google/play/integrity/standard).
+   * It requests an integrity token which is then attached to the request to be protected.
+   * It should be called AFTER [prepareIntegrityToken] has been called and resolved successfully.
+   * The React Native promise is resolved with with the token as payload or rejected when:
+   * - The integrity token request fails;
+   * - The [prepareIntegrityToken] function hasn't been called previously.
+   * @param requestHash a digest of all relevant request parameters (e.g. SHA256) from the user action or server request that is happening.
+   * The max size of this field is 500 bytes. Do not put sensitive information as plain text in this field.
+   * @param promise the React Native promise to be resolved or rejected.
+   */
   @ReactMethod
-  fun requestToken(requestHash: String?, promise: Promise) {
+  fun requestIntegrityToken(requestHash: String?, promise: Promise) {
     try {
       val integrityTokenResponse: Task<StandardIntegrityToken> = integrityTokenProvider.request(
         StandardIntegrityTokenRequest.builder()
@@ -79,8 +130,8 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
           .build()
       )
       integrityTokenResponse
-        .addOnSuccessListener { response -> promise.resolve((response.token())) }
-        .addOnFailureListener { exception -> promise.reject(exception) }
+        .addOnSuccessListener { res -> promise.resolve((res.token())) }
+        .addOnFailureListener { ex -> ModuleException.REQUEST_TOKEN_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))) }
     }catch(_: UninitializedPropertyAccessException){
         ModuleException.PREPARE_NOT_CALLED.reject(promise)
     }
@@ -89,12 +140,120 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
     }
   }
 
+  /**
+   * Checks whether or not a [PrivateKey] is hardware backed (TEE/StrongBox) or not.
+   * Courtesy of @shadowsheep1
+   * @param key the [PrivateKey] to be checked.
+   * @returns true if the key is hardware backed according to its [security level](https://developer.android.com/reference/android/security/keystore/KeyProperties)
+   * with a fallback to the [isInsideSecureHardware](https://developer.android.com/reference/android/security/keystore/KeyInfo#isInsideSecureHardware())
+   * for version codes older than [Build.VERSION_CODES.S].
+   * False otherwise.
+   */
+  private fun isKeyHardwareBacked(key: PrivateKey): Boolean {
+    try {
+      val factory = KeyFactory.getInstance(
+        key.algorithm, KEYSTORE_PROVIDER
+      )
+      val keyInfo = factory.getKeySpec(key, KeyInfo::class.java)
+      return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
+        //
+        keyInfo.securityLevel == SECURITY_LEVEL_TRUSTED_ENVIRONMENT
+          || keyInfo.securityLevel == SECURITY_LEVEL_STRONGBOX
+          || keyInfo.securityLevel == SECURITY_LEVEL_UNKNOWN_SECURE
+      } else {
+        @Suppress("DEPRECATION") return keyInfo.isInsideSecureHardware
+      }
+    } catch (e: Exception) {
+      return false
+    }
+  }
+
+  /**
+   * Generates an attestation key pair using the [keyStore].
+   * @param keyAlias the key alias to generate.
+   * @param challenge the public key certificate for this key pair will contain an extension that
+   * describes the details of the key's configuration and authorizations, including the
+   * [challenge] value.
+   * If the key is in secure hardware, and if the secure hardware supports attestation,
+   * the certificate will be signed by a chain of certificates rooted at a trustworthy CA key.
+   * Otherwise the chain will be rooted at an untrusted certificate.
+   * @param useStrongBox indicates whether or not the key pair will be stored using StrongBox.
+   * @returns the generated key pair.
+   */
+  @RequiresApi(Build.VERSION_CODES.N)
+  private fun generateAttestationKey(keyAlias: String, challenge: ByteArray, useStrongBox: Boolean): KeyPair {
+      val purposes = KeyProperties.PURPOSE_VERIFY
+      val builder =
+        KeyGenParameterSpec.Builder(keyAlias, purposes)
+          .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")) // P-256
+          .setDigests(KeyProperties.DIGEST_SHA256)
+          .setKeySize(256)
+          .setAttestationChallenge(challenge)
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && useStrongBox) {
+        builder.setIsStrongBoxBacked(true)
+      }
+      val keyPairGenerator = KeyPairGenerator.getInstance(
+        KeyProperties.KEY_ALGORITHM_EC, KEYSTORE_PROVIDER
+      )
+      keyPairGenerator.initialize(builder.build())
+      return keyPairGenerator.generateKeyPair()
+  }
+
+  /**
+   * Generates a (Key Attestation)[https://developer.android.com/privacy-and-security/security-key-attestation].
+   * During key attestation, a key pair is generated along with its certificate chain,
+   * which can be used to verify the properties of that key pair.
+   * If the device supports hardware-level key attestation,
+   * the root certificate of the chain is signed using an attestation root key
+   * protected by the device's hardware-backed keystore.
+   * The promise is resolved with the chain or rejected when:
+   * - The device doesn't support key attestation;
+   * - The generated key pair is not hardware backed;
+   * - The [challenge] exceeds the size of 128 bytes;
+   * - The key attestation generation fails.
+   * @param challenge the challenge to be included which has a max size of 128 bytes.
+   * @param keyAlias optional key alias for the generated key pair.
+   * @param promise the React Native promise to be resolved or rejected.
+   */
+  @ReactMethod
+  fun getAttestation(challenge: String, keyAlias: String?, promise: Promise){
+    try{
+      // Remove this block if the minSdkVersion is set to 24
+      if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
+        ModuleException.UNSUPPORTED_DEVICE.reject(promise)
+        return
+      }
+      val alias = keyAlias ?: "attestationKeyAlias"
+      val hasStrongBox = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
+        reactApplicationContext.packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)
+      val keyPair = generateAttestationKey(alias, challenge.toByteArray(), hasStrongBox)
+      if(!isKeyHardwareBacked(keyPair.private)){
+        // We check if the key is hardware backed just to be sure exclude software fallback
+        ModuleException.KEY_IS_NOT_HARDWARE_BACKED.reject(promise)
+        return
+      }
+      val chain = keyStore.getCertificateChain(alias)
+      // The certificate chain consists of an array of certificates, thus we concat them into a string
+      var attestations = arrayOf<String>()
+      chain.forEachIndexed { _, certificate ->
+        val cert = Base64.encodeToString(certificate.encoded, Base64.DEFAULT)
+        attestations += cert
+      }
+      val concatenatedAttestations = attestations.joinToString(",")
+      val encodedAttestation = Base64.encodeToString(concatenatedAttestations.toByteArray(), Base64.DEFAULT)
+      promise.resolve(encodedAttestation)
+    }catch(e: Exception) {
+      ModuleException.REQUEST_ATTESTATION_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e)))
+    }
+  }
+
   private fun getExceptionMessageOrEmpty(e: Exception): String{
     return e.message ?: ""
   }
 
   companion object {
     const val NAME = "IoReactNativeIntegrity"
+    const val KEYSTORE_PROVIDER = "AndroidKeyStore"
     const val ERROR_USER_INFO_KEY = "error"
 
     private enum class ModuleException(
@@ -103,7 +262,10 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
       WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT(Exception("WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT")),
       PREPARE_FAILED(Exception("PREPARE_TOKEN_EXCEPTION")),
       PREPARE_NOT_CALLED(Exception("PREPARE_NOT_CALLED")),
-      REQUEST_TOKEN_FAILED(Exception("REQUEST_TOKEN_FAILED"));
+      REQUEST_TOKEN_FAILED(Exception("REQUEST_TOKEN_FAILED")),
+      REQUEST_ATTESTATION_FAILED(Exception("REQUEST_ATTESTATION_FAILED")),
+      KEY_IS_NOT_HARDWARE_BACKED(Exception("KEY_IS_NOT_HARDWARE_BACKED")),
+      UNSUPPORTED_DEVICE(Exception("UNSUPPORTED_DEVICE"));
 
       fun reject(
         promise: Promise, vararg args: Pair<String, String>
diff --git a/example/android/build.gradle b/example/android/build.gradle
index cb9d623..a60b4f9 100644
--- a/example/android/build.gradle
+++ b/example/android/build.gradle
@@ -1,7 +1,7 @@
 buildscript {
     ext {
         buildToolsVersion = "34.0.0"
-        minSdkVersion = 21
+        minSdkVersion = 23
         compileSdkVersion = 34
         targetSdkVersion = 34
         ndkVersion = "25.1.8937393"
diff --git a/example/src/App.tsx b/example/src/App.tsx
index 356838d..bd79d38 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -1,9 +1,10 @@
 import * as React from 'react';
 import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
 import {
+  getAttestation,
   isPlayServicesAvailable,
-  prepare,
-  requestToken,
+  prepareIntegrityToken,
+  requestIntegrityToken,
 } from '@pagopa/io-react-native-integrity';
 import ButtonWithLoader from './components/ButtonWithLoader';
 
@@ -16,6 +17,8 @@ export default function App() {
     React.useState<boolean>(false);
   const [isRequestTokenLoading, setIsRequestTokenLoading] =
     React.useState<boolean>(false);
+  const [isGetAttestationLoading, setIsGetAttestationLoading] =
+    React.useState<boolean>(false);
   const [debugLog, setDebugLog] = React.useState<string>('.. >');
 
   React.useEffect(() => {
@@ -32,11 +35,11 @@ export default function App() {
     if (isServiceAvailable) {
       try {
         setIsPrepareLoading(true);
-        await prepare(GOOGLE_CLOUD_PROJECT_NUMBER);
+        await prepareIntegrityToken(GOOGLE_CLOUD_PROJECT_NUMBER);
         setIsPrepareLoading(false);
       } catch (e) {
         setIsPrepareLoading(false);
-        setDebugLog(`${e}`);
+        setDebugLog(JSON.stringify(e));
       }
     }
   };
@@ -45,7 +48,9 @@ export default function App() {
     if (isServiceAvailable) {
       try {
         setIsRequestTokenLoading(true);
-        const rq = await requestToken();
+        const rq = await requestIntegrityToken(
+          'lW1DCr5p4nLA2JkYU7BRYzCCByQplBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbn'
+        );
 
         setIsRequestTokenLoading(false);
         setDebugLog(rq);
@@ -56,6 +61,20 @@ export default function App() {
     }
   };
 
+  const getAttestationCallback = async () => {
+    try {
+      setIsGetAttestationLoading(true);
+      const att = await getAttestation(
+        'lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1'
+      );
+      setIsGetAttestationLoading(false);
+      setDebugLog(att);
+    } catch (e) {
+      setIsGetAttestationLoading(false);
+      setDebugLog(`${e}`);
+    }
+  };
+
   return (
     <SafeAreaView style={styles.container}>
       <Text style={styles.h1}>Integrity Check Demo App</Text>
@@ -67,10 +86,15 @@ export default function App() {
             loading={isPrepareLoading}
           />
           <ButtonWithLoader
-            title="Get attestation"
+            title="Get token"
             onPress={() => requestTokenCallback()}
             loading={isRequestTokenLoading}
           />
+          <ButtonWithLoader
+            title="Get attestation"
+            onPress={() => getAttestationCallback()}
+            loading={isGetAttestationLoading}
+          />
         </>
       ) : null}
       <ScrollView style={styles.debug}>
diff --git a/src/index.tsx b/src/index.tsx
index 5b42635..8e548eb 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -17,27 +17,86 @@ const IoReactNativeIntegrity = NativeModules.IoReactNativeIntegrity
       }
     );
 
-export function multiply(a: number, b: number): Promise<number> {
-  return IoReactNativeIntegrity.multiply(a, b);
-}
-
+/**
+ * Checks whether Google Play Services is available on the device or not.
+ * @return a promise resolved to true if Google Play Services is available, to false otherwise.
+ */
 export function isPlayServicesAvailable(): Promise<boolean> {
   return IoReactNativeIntegrity.isPlayServicesAvailable();
 }
 
-export function prepare(cloudProjectNumber: string): Promise<void> {
-  return IoReactNativeIntegrity.prepare(cloudProjectNumber);
+/**
+ * Preparation step for a [Play Integrity standard API request](https://developer.android.com/google/play/integrity/standard).
+ * It prepares the integrity token provider before obtaining the integrity verdict.
+ * It should be called well before the moment an integrity verdict is needed, for example
+ * when starting the application. It can also be called time to time to refresh it.
+ * it gets rejected when:
+ * - The preparation fails;
+ * - The provided [cloudProjectNumber] format is incorrect.
+ * @param cloudProjectNumber a Google Cloud project number which is supposed to be composed only by numbers.
+ * @return a resolved promise when the preparation is successful, rejected otherwise when:
+ * - The preparation fails or;
+ * - The provided cloudProjectNumber format is incorrect.
+ */
+export function prepareIntegrityToken(
+  cloudProjectNumber: string
+): Promise<void> {
+  return IoReactNativeIntegrity.prepareIntegrityToken(cloudProjectNumber);
 }
 
-export function requestToken(requestHash?: string): Promise<string> {
-  return IoReactNativeIntegrity.requestToken(requestHash);
+/**
+ * Integrity token request step for a [Play Integrity standard API request](https://developer.android.com/google/play/integrity/standard).
+ * It requests an integrity token which is then attached to the request to be protected.
+ * It should be called AFTER {@link prepareIntegrityToken} has been called and resolved successfully.
+ * The React Native
+ * @param requestHash a digest of all relevant request parameters (e.g. SHA256) from the user action or server request that is happening.
+ * The max size of this field is 500 bytes. Do not put sensitive information as plain text in this field.
+ * @returns a resolved promise with with the token as payload, rejected otherwise when:
+ * - The integrity token request fails;
+ * - The {@link prepareIntegrityToken} function hasn't been called previously.
+ */
+export function requestIntegrityToken(requestHash?: string): Promise<string> {
+  return IoReactNativeIntegrity.requestIntegrityToken(requestHash);
 }
+
+/**
+ * Generates a (Key Attestation)[https://developer.android.com/privacy-and-security/security-key-attestation].
+ * During key attestation, a key pair is generated along with its certificate chain,
+ * which can be used to verify the properties of that key pair.
+ * If the device supports hardware-level key attestation,
+ * the root certificate of the chain is signed using an attestation root key
+ * protected by the device's hardware-backed keystore.
+ * @param challenge the challenge to be included which has a max size of 128 bytes.
+ * @param keyAlias optional key alias for the generated key pair.
+ * @returns a resolved promise with the attestation chain as payload, rejected otherwise when:
+ * - The device doesn't support key attestation;
+ * - The generated key pair is not hardware backed;
+ * - The [challenge] exceeds the size of 128 bytes;
+ * - The key attestation generation fails.
+ */
+export function getAttestation(
+  challenge: string,
+  keyAlias?: string
+): Promise<string> {
+  return IoReactNativeIntegrity.getAttestation(challenge, keyAlias);
+}
+
+/**
+ * Possible error codes returned by the library on Android when a promise is rejected.
+ */
 type IntegrityErrorCodesAndroid =
   | 'WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT'
   | 'PREPARE_FAILED'
   | 'PREPARE_NOT_CALLED'
-  | 'REQUEST_TOKEN_FAILED';
+  | 'REQUEST_TOKEN_FAILED'
+  | 'REQUEST_ATTESTATION_FAILED'
+  | 'KEY_IS_NOT_HARDWARE_BACKED'
+  | 'UNSUPPORTED_DEVICE';
 
+/**
+ * Type of the error codes returned by the library when a promise is rejected.
+ * It should be a union of Android and iOS error codes.
+ */
 export type IntegrityErrorCodes = IntegrityErrorCodesAndroid;
 
 /**

From 14908a3696077d8e0062579d5907ff206f0addfe Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 15 Mar 2024 12:34:17 +0100
Subject: [PATCH 18/64] chore: add threading

---
 .../IoReactNativeIntegrityModule.kt           | 56 ++++++++++---------
 1 file changed, 29 insertions(+), 27 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index f243b6f..ae922fc 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -217,34 +217,36 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    */
   @ReactMethod
   fun getAttestation(challenge: String, keyAlias: String?, promise: Promise){
-    try{
-      // Remove this block if the minSdkVersion is set to 24
-      if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
-        ModuleException.UNSUPPORTED_DEVICE.reject(promise)
-        return
-      }
-      val alias = keyAlias ?: "attestationKeyAlias"
-      val hasStrongBox = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
-        reactApplicationContext.packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)
-      val keyPair = generateAttestationKey(alias, challenge.toByteArray(), hasStrongBox)
-      if(!isKeyHardwareBacked(keyPair.private)){
-        // We check if the key is hardware backed just to be sure exclude software fallback
-        ModuleException.KEY_IS_NOT_HARDWARE_BACKED.reject(promise)
-        return
-      }
-      val chain = keyStore.getCertificateChain(alias)
-      // The certificate chain consists of an array of certificates, thus we concat them into a string
-      var attestations = arrayOf<String>()
-      chain.forEachIndexed { _, certificate ->
-        val cert = Base64.encodeToString(certificate.encoded, Base64.DEFAULT)
-        attestations += cert
+    Thread {
+      try{
+        // Remove this block if the minSdkVersion is set to 24
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
+          ModuleException.UNSUPPORTED_DEVICE.reject(promise)
+          return@Thread
+        }
+        val alias = keyAlias ?: "attestationKeyAlias"
+        val hasStrongBox = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
+          reactApplicationContext.packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)
+        val keyPair = generateAttestationKey(alias, challenge.toByteArray(), hasStrongBox)
+        if(!isKeyHardwareBacked(keyPair.private)){
+          // We check if the key is hardware backed just to be sure exclude software fallback
+          ModuleException.KEY_IS_NOT_HARDWARE_BACKED.reject(promise)
+          return@Thread
+        }
+        val chain = keyStore.getCertificateChain(alias)
+        // The certificate chain consists of an array of certificates, thus we concat them into a string
+        var attestations = arrayOf<String>()
+        chain.forEachIndexed { _, certificate ->
+          val cert = Base64.encodeToString(certificate.encoded, Base64.DEFAULT)
+          attestations += cert
+        }
+        val concatenatedAttestations = attestations.joinToString(",")
+        val encodedAttestation = Base64.encodeToString(concatenatedAttestations.toByteArray(), Base64.DEFAULT)
+        promise.resolve(encodedAttestation)
+      }catch(e: Exception) {
+        ModuleException.REQUEST_ATTESTATION_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e)))
       }
-      val concatenatedAttestations = attestations.joinToString(",")
-      val encodedAttestation = Base64.encodeToString(concatenatedAttestations.toByteArray(), Base64.DEFAULT)
-      promise.resolve(encodedAttestation)
-    }catch(e: Exception) {
-      ModuleException.REQUEST_ATTESTATION_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e)))
-    }
+    }.start()
   }
 
   private fun getExceptionMessageOrEmpty(e: Exception): String{

From 4c0d33d57de068bc8134da939ffe3546cc56fe09 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 15 Mar 2024 15:24:35 +0100
Subject: [PATCH 19/64] docs: update docs

---
 .../IoReactNativeIntegrityModule.kt           | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index ae922fc..c2f64ef 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -30,7 +30,11 @@ import java.security.KeyStore
 import java.security.PrivateKey
 import java.security.spec.ECGenParameterSpec
 
-
+/**
+ * React Native bridge for Google Play Integrity API and key attestation.
+ * @property integrityTokenProvider the token integrity provider which should be initialized by calling [prepareIntegrityToken]
+ * @property keyStore the key store instance used to generate hardware backed keys and get a key attestation via [getAttestation]
+ */
 class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
   ReactContextBaseJavaModule(reactContext) {
 
@@ -249,6 +253,11 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
     }.start()
   }
 
+  /**
+   * Extracts a message from an [Exception] with an empty string as fallback.
+   * @param e an exception.
+   * @return [e] message field or an empty string otherwise.
+   */
   private fun getExceptionMessageOrEmpty(e: Exception): String{
     return e.message ?: ""
   }
@@ -258,6 +267,12 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
     const val KEYSTORE_PROVIDER = "AndroidKeyStore"
     const val ERROR_USER_INFO_KEY = "error"
 
+    /**
+     * Custom exceptions related to failure points.
+     * Each enum constant encapsulates a specific exception with an associated error message.
+     *
+     * @property ex the exception instance associated with the enum constant.
+     */
     private enum class ModuleException(
       val ex: Exception
     ) {
@@ -269,6 +284,12 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
       KEY_IS_NOT_HARDWARE_BACKED(Exception("KEY_IS_NOT_HARDWARE_BACKED")),
       UNSUPPORTED_DEVICE(Exception("UNSUPPORTED_DEVICE"));
 
+      /**
+       * Rejects the provided promise with the appropriate error message and additional data.
+       *
+       * @param promise the promise to be rejected.
+       * @param args additional key-value pairs of data to be passed along with the error.
+       */
       fun reject(
         promise: Promise, vararg args: Pair<String, String>
       ) {
@@ -277,6 +298,13 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
         }
       }
 
+      /**
+       * Maps the additional key-value pairs of data to a pair containing the error message
+       * and a WritableMap of the additional data.
+       *
+       * @param args additional key-value pairs of data.
+       * @return A pair containing the error message and a WritableMap of the additional data.
+       */
       private fun exMap(vararg args: Pair<String, String>): Pair<String, WritableMap> {
         val writableMap = WritableNativeMap()
         args.forEach { writableMap.putString(it.first, it.second) }

From c6b0ff5ba155e3fbc62d547329eca72e7689432b Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 15 Mar 2024 15:28:33 +0100
Subject: [PATCH 20/64] chore: divide android app from iOS

---
 example/src/AndroidApp.tsx | 126 +++++++++++++++++++++++++++++++++++++
 example/src/App.tsx        | 125 +-----------------------------------
 2 files changed, 129 insertions(+), 122 deletions(-)
 create mode 100644 example/src/AndroidApp.tsx

diff --git a/example/src/AndroidApp.tsx b/example/src/AndroidApp.tsx
new file mode 100644
index 0000000..887b4aa
--- /dev/null
+++ b/example/src/AndroidApp.tsx
@@ -0,0 +1,126 @@
+import * as React from 'react';
+import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
+import {
+  getAttestation,
+  isPlayServicesAvailable,
+  prepareIntegrityToken,
+  requestIntegrityToken,
+} from '@pagopa/io-react-native-integrity';
+import ButtonWithLoader from './components/ButtonWithLoader';
+
+const GOOGLE_CLOUD_PROJECT_NUMBER = '1234567890';
+
+export default function AndroidApp() {
+  const [isServiceAvailable, setIsServiceAvailable] =
+    React.useState<boolean>(false);
+  const [isPrepareLoading, setIsPrepareLoading] =
+    React.useState<boolean>(false);
+  const [isRequestTokenLoading, setIsRequestTokenLoading] =
+    React.useState<boolean>(false);
+  const [isGetAttestationLoading, setIsGetAttestationLoading] =
+    React.useState<boolean>(false);
+  const [debugLog, setDebugLog] = React.useState<string>('.. >');
+
+  React.useEffect(() => {
+    isPlayServicesAvailable()
+      .then((result) => {
+        setIsServiceAvailable(result);
+      })
+      .catch((error) => {
+        setDebugLog(error);
+      });
+  }, []);
+
+  const prepareCallback = async () => {
+    if (isServiceAvailable) {
+      try {
+        setIsPrepareLoading(true);
+        await prepareIntegrityToken(GOOGLE_CLOUD_PROJECT_NUMBER);
+        setIsPrepareLoading(false);
+      } catch (e) {
+        setIsPrepareLoading(false);
+        setDebugLog(JSON.stringify(e));
+      }
+    }
+  };
+
+  const requestTokenCallback = async () => {
+    if (isServiceAvailable) {
+      try {
+        setIsRequestTokenLoading(true);
+        const rq = await requestIntegrityToken(
+          'lW1DCr5p4nLA2JkYU7BRYzCCByQplBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbn'
+        );
+
+        setIsRequestTokenLoading(false);
+        setDebugLog(rq);
+      } catch (e) {
+        setIsRequestTokenLoading(false);
+        setDebugLog(`${e}`);
+      }
+    }
+  };
+
+  const getAttestationCallback = async () => {
+    try {
+      setIsGetAttestationLoading(true);
+      const att = await getAttestation(
+        'lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1'
+      );
+      setIsGetAttestationLoading(false);
+      setDebugLog(att);
+    } catch (e) {
+      setIsGetAttestationLoading(false);
+      setDebugLog(`${e}`);
+    }
+  };
+
+  return (
+    <SafeAreaView style={styles.container}>
+      <Text style={styles.h1}>Integrity Check Demo App</Text>
+      {isServiceAvailable ? (
+        <>
+          <ButtonWithLoader
+            title="Prepare"
+            onPress={() => prepareCallback()}
+            loading={isPrepareLoading}
+          />
+          <ButtonWithLoader
+            title="Get token"
+            onPress={() => requestTokenCallback()}
+            loading={isRequestTokenLoading}
+          />
+          <ButtonWithLoader
+            title="Get attestation"
+            onPress={() => getAttestationCallback()}
+            loading={isGetAttestationLoading}
+          />
+        </>
+      ) : null}
+      <ScrollView style={styles.debug}>
+        <Text>{debugLog}</Text>
+      </ScrollView>
+    </SafeAreaView>
+  );
+}
+
+const styles = StyleSheet.create({
+  container: {
+    flex: 1,
+    alignItems: 'center',
+  },
+  h1: {
+    fontWeight: 'bold',
+    fontSize: 32,
+    textAlign: 'center',
+    marginTop: 50,
+    marginBottom: 50,
+  },
+  debug: {
+    width: '100%',
+    height: 300,
+    position: 'absolute',
+    bottom: 0,
+    backgroundColor: '#eaeaea',
+  },
+});
diff --git a/example/src/App.tsx b/example/src/App.tsx
index bd79d38..1d48af9 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -1,126 +1,7 @@
 import * as React from 'react';
-import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
-import {
-  getAttestation,
-  isPlayServicesAvailable,
-  prepareIntegrityToken,
-  requestIntegrityToken,
-} from '@pagopa/io-react-native-integrity';
-import ButtonWithLoader from './components/ButtonWithLoader';
-
-const GOOGLE_CLOUD_PROJECT_NUMBER = '1234567890';
+import AndroidApp from './AndroidApp';
+import { Platform } from 'react-native';
 
 export default function App() {
-  const [isServiceAvailable, setIsServiceAvailable] =
-    React.useState<boolean>(false);
-  const [isPrepareLoading, setIsPrepareLoading] =
-    React.useState<boolean>(false);
-  const [isRequestTokenLoading, setIsRequestTokenLoading] =
-    React.useState<boolean>(false);
-  const [isGetAttestationLoading, setIsGetAttestationLoading] =
-    React.useState<boolean>(false);
-  const [debugLog, setDebugLog] = React.useState<string>('.. >');
-
-  React.useEffect(() => {
-    isPlayServicesAvailable()
-      .then((result) => {
-        setIsServiceAvailable(result);
-      })
-      .catch((error) => {
-        setDebugLog(error);
-      });
-  }, []);
-
-  const prepareCallback = async () => {
-    if (isServiceAvailable) {
-      try {
-        setIsPrepareLoading(true);
-        await prepareIntegrityToken(GOOGLE_CLOUD_PROJECT_NUMBER);
-        setIsPrepareLoading(false);
-      } catch (e) {
-        setIsPrepareLoading(false);
-        setDebugLog(JSON.stringify(e));
-      }
-    }
-  };
-
-  const requestTokenCallback = async () => {
-    if (isServiceAvailable) {
-      try {
-        setIsRequestTokenLoading(true);
-        const rq = await requestIntegrityToken(
-          'lW1DCr5p4nLA2JkYU7BRYzCCByQplBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbn'
-        );
-
-        setIsRequestTokenLoading(false);
-        setDebugLog(rq);
-      } catch (e) {
-        setIsRequestTokenLoading(false);
-        setDebugLog(`${e}`);
-      }
-    }
-  };
-
-  const getAttestationCallback = async () => {
-    try {
-      setIsGetAttestationLoading(true);
-      const att = await getAttestation(
-        'lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1'
-      );
-      setIsGetAttestationLoading(false);
-      setDebugLog(att);
-    } catch (e) {
-      setIsGetAttestationLoading(false);
-      setDebugLog(`${e}`);
-    }
-  };
-
-  return (
-    <SafeAreaView style={styles.container}>
-      <Text style={styles.h1}>Integrity Check Demo App</Text>
-      {isServiceAvailable ? (
-        <>
-          <ButtonWithLoader
-            title="Prepare"
-            onPress={() => prepareCallback()}
-            loading={isPrepareLoading}
-          />
-          <ButtonWithLoader
-            title="Get token"
-            onPress={() => requestTokenCallback()}
-            loading={isRequestTokenLoading}
-          />
-          <ButtonWithLoader
-            title="Get attestation"
-            onPress={() => getAttestationCallback()}
-            loading={isGetAttestationLoading}
-          />
-        </>
-      ) : null}
-      <ScrollView style={styles.debug}>
-        <Text>{debugLog}</Text>
-      </ScrollView>
-    </SafeAreaView>
-  );
+  return Platform.OS === 'android' ? <AndroidApp /> : <></>;
 }
-
-const styles = StyleSheet.create({
-  container: {
-    flex: 1,
-    alignItems: 'center',
-  },
-  h1: {
-    fontWeight: 'bold',
-    fontSize: 32,
-    textAlign: 'center',
-    marginTop: 50,
-    marginBottom: 50,
-  },
-  debug: {
-    width: '100%',
-    height: 300,
-    position: 'absolute',
-    bottom: 0,
-    backgroundColor: '#eaeaea',
-  },
-});

From 92f46fef46bd542110deff6df0e68ca85cf2f267 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 15 Mar 2024 15:40:49 +0100
Subject: [PATCH 21/64] chore: reject promise if OS is not Android

---
 src/index.tsx | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/index.tsx b/src/index.tsx
index 8e548eb..f8b0ca6 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -18,14 +18,29 @@ const IoReactNativeIntegrity = NativeModules.IoReactNativeIntegrity
     );
 
 /**
+ * Checks whether the current platform is Android or not.
+ * @returns true if the current platform is Android, false otherwise.
+ */
+const isAndroid = () => Platform.OS === 'android';
+
+/**
+ * Error message for functions available only on Android.
+ */
+const NOT_ANDROID_ERROR = 'This function is available only on Android';
+
+/**
+ * ANDROID ONLY
  * Checks whether Google Play Services is available on the device or not.
  * @return a promise resolved to true if Google Play Services is available, to false otherwise.
  */
 export function isPlayServicesAvailable(): Promise<boolean> {
-  return IoReactNativeIntegrity.isPlayServicesAvailable();
+  return isAndroid()
+    ? IoReactNativeIntegrity.isPlayServicesAvailable()
+    : Promise.resolve(false);
 }
 
 /**
+ * ANDROID ONLY
  * Preparation step for a [Play Integrity standard API request](https://developer.android.com/google/play/integrity/standard).
  * It prepares the integrity token provider before obtaining the integrity verdict.
  * It should be called well before the moment an integrity verdict is needed, for example
@@ -41,10 +56,13 @@ export function isPlayServicesAvailable(): Promise<boolean> {
 export function prepareIntegrityToken(
   cloudProjectNumber: string
 ): Promise<void> {
-  return IoReactNativeIntegrity.prepareIntegrityToken(cloudProjectNumber);
+  return isAndroid()
+    ? IoReactNativeIntegrity.prepareIntegrityToken(cloudProjectNumber)
+    : Promise.reject(NOT_ANDROID_ERROR);
 }
 
 /**
+ * ANDROID ONLY
  * Integrity token request step for a [Play Integrity standard API request](https://developer.android.com/google/play/integrity/standard).
  * It requests an integrity token which is then attached to the request to be protected.
  * It should be called AFTER {@link prepareIntegrityToken} has been called and resolved successfully.
@@ -56,10 +74,13 @@ export function prepareIntegrityToken(
  * - The {@link prepareIntegrityToken} function hasn't been called previously.
  */
 export function requestIntegrityToken(requestHash?: string): Promise<string> {
-  return IoReactNativeIntegrity.requestIntegrityToken(requestHash);
+  return isAndroid()
+    ? IoReactNativeIntegrity.requestIntegrityToken(requestHash)
+    : Promise.reject(NOT_ANDROID_ERROR);
 }
 
 /**
+ * ANDROID ONLY
  * Generates a (Key Attestation)[https://developer.android.com/privacy-and-security/security-key-attestation].
  * During key attestation, a key pair is generated along with its certificate chain,
  * which can be used to verify the properties of that key pair.
@@ -78,10 +99,13 @@ export function getAttestation(
   challenge: string,
   keyAlias?: string
 ): Promise<string> {
-  return IoReactNativeIntegrity.getAttestation(challenge, keyAlias);
+  return isAndroid()
+    ? IoReactNativeIntegrity.getAttestation(challenge, keyAlias)
+    : Promise.reject(NOT_ANDROID_ERROR);
 }
 
 /**
+ * ANDROID ONLY
  * Possible error codes returned by the library on Android when a promise is rejected.
  */
 type IntegrityErrorCodesAndroid =

From e707c0e6e8ca64aa60fc0c3a36d48134ceef3668 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 15 Mar 2024 16:04:46 +0100
Subject: [PATCH 22/64] build: fix ios build hopefully

---
 .../xcshareddata/IDEWorkspaceChecks.plist                 | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist

diff --git a/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist b/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
new file mode 100644
index 0000000..18d9810
--- /dev/null
+++ b/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>IDEDidComputeMac32BitWarning</key>
+	<true/>
+</dict>
+</plist>

From 7176e90fe02220c4147a9431c5dd539c8c5e7e04 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 15 Mar 2024 16:13:39 +0100
Subject: [PATCH 23/64] Revert "build: fix ios build hopefully"

This reverts commit e707c0e6e8ca64aa60fc0c3a36d48134ceef3668.
---
 .../xcshareddata/IDEWorkspaceChecks.plist                 | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist

diff --git a/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist b/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
deleted file mode 100644
index 18d9810..0000000
--- a/example/ios/IoReactNativeIntegrityExample.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>IDEDidComputeMac32BitWarning</key>
-	<true/>
-</dict>
-</plist>

From bc84659a8e66dbcb05f3ba29316d8305a569d785 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 18 Mar 2024 14:43:03 +0100
Subject: [PATCH 24/64] chore: update with iosapp

---
 example/src/App.tsx    | 136 +---------------------------------------
 example/src/IosApp.tsx | 137 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 140 insertions(+), 133 deletions(-)
 create mode 100644 example/src/IosApp.tsx

diff --git a/example/src/App.tsx b/example/src/App.tsx
index c52b493..0a55aba 100644
--- a/example/src/App.tsx
+++ b/example/src/App.tsx
@@ -1,137 +1,7 @@
 import * as React from 'react';
-import { sha256 } from 'react-native-sha256';
-import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
-import {
-  generateHardwareKey,
-  getAttestation,
-  isAttestationServiceAvailable,
-  generateHardwareSignatureWithAssertion,
-} from '@pagopa/io-react-native-integrity';
-import ButtonWithLoader from './components/ButtonWithLoader';
-
-const challenge = 'challengeFromServer';
+import { Platform } from 'react-native';
+import IosApp from './IosApp';
 
 export default function App() {
-  const [hardwareKeyTag, setHardwareKeyTag] = React.useState<
-    string | undefined
-  >('');
-  const [attestation, setAttestation] = React.useState<string | undefined>('');
-  const [hsWithAssertion, setHsWithAssertion] = React.useState<
-    string | undefined
-  >('');
-  const [isServiceAvailable, setIsServiceAvailable] =
-    React.useState<boolean>(false);
-  const [debugLog, setDebugLog] = React.useState<string>('.. >');
-
-  React.useEffect(() => {
-    isAttestationServiceAvailable()
-      .then((result) => {
-        setIsServiceAvailable(result);
-      })
-      .catch((error) => {
-        setDebugLog(error);
-      });
-  }, []);
-
-  const getHardwareKey = async () => {
-    if (hardwareKeyTag === '' || hardwareKeyTag === undefined) {
-      setHardwareKeyTag(undefined);
-      const hardwareKey = await generateHardwareKey();
-      setHardwareKeyTag(hardwareKey);
-      setDebugLog(hardwareKey);
-    } else {
-      setDebugLog(hardwareKeyTag);
-    }
-  };
-
-  const requestAttestation = async () => {
-    setAttestation(undefined);
-    if (hardwareKeyTag) {
-      const result = await getAttestation(challenge, hardwareKeyTag);
-      setAttestation(result);
-      setDebugLog(result);
-    }
-  };
-
-  const getHardwareSignatureWithAssertion = async () => {
-    // this is a mocked jwk for ephimeral public key, in a production
-    // environment the ephimeral key must be generated by the client
-    // every time a WTE must be required
-    const jwk = {
-      crv: 'P-256',
-      kty: 'EC',
-      x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
-      y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
-      kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
-    };
-
-    const clientData = {
-      challenge: challenge,
-      jwk: jwk,
-    };
-
-    // Between Android and iOS there is a difference for the generation of hardwareSignature
-    // and assertion as on iOS both are generated directly from the SDK via generateAssertion
-    // while on Android the hardwareSignature must be generated via the signature functions and
-    // the assertion must be retrieved from the backend via an integrityToken.
-    if (hardwareKeyTag) {
-      const clientDataHash = await sha256(JSON.stringify(clientData));
-
-      const result = await generateHardwareSignatureWithAssertion(
-        clientDataHash,
-        hardwareKeyTag
-      );
-      setHsWithAssertion(result);
-      setDebugLog(result);
-    }
-  };
-
-  return (
-    <SafeAreaView style={styles.container}>
-      <Text style={styles.h1}>Integrity Check Demo App</Text>
-      {isServiceAvailable ? (
-        <>
-          <ButtonWithLoader
-            title="Generate Hardware Key"
-            onPress={() => getHardwareKey()}
-            loading={hardwareKeyTag === undefined}
-          />
-          <ButtonWithLoader
-            title="Get attestation"
-            onPress={() => requestAttestation()}
-            loading={attestation === undefined}
-          />
-          <ButtonWithLoader
-            title="Generate HS and Assertion"
-            onPress={() => getHardwareSignatureWithAssertion()}
-            loading={hsWithAssertion === undefined}
-          />
-        </>
-      ) : null}
-      <ScrollView style={styles.debug}>
-        <Text>{debugLog}</Text>
-      </ScrollView>
-    </SafeAreaView>
-  );
+  return Platform.OS === 'ios' ? <IosApp /> : <></>;
 }
-
-const styles = StyleSheet.create({
-  container: {
-    flex: 1,
-    alignItems: 'center',
-  },
-  h1: {
-    fontWeight: 'bold',
-    fontSize: 32,
-    textAlign: 'center',
-    marginTop: 50,
-    marginBottom: 50,
-  },
-  debug: {
-    width: '100%',
-    height: 300,
-    position: 'absolute',
-    bottom: 0,
-    backgroundColor: '#eaeaea',
-  },
-});
diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
new file mode 100644
index 0000000..61b980d
--- /dev/null
+++ b/example/src/IosApp.tsx
@@ -0,0 +1,137 @@
+import * as React from 'react';
+import { sha256 } from 'react-native-sha256';
+import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
+import {
+  generateHardwareKey,
+  getAttestation,
+  isAttestationServiceAvailable,
+  generateHardwareSignatureWithAssertion,
+} from '@pagopa/io-react-native-integrity';
+import ButtonWithLoader from './components/ButtonWithLoader';
+
+const challenge = 'challengeFromServer';
+
+export default function IosApp() {
+  const [hardwareKeyTag, setHardwareKeyTag] = React.useState<
+    string | undefined
+  >('');
+  const [attestation, setAttestation] = React.useState<string | undefined>('');
+  const [hsWithAssertion, setHsWithAssertion] = React.useState<
+    string | undefined
+  >('');
+  const [isServiceAvailable, setIsServiceAvailable] =
+    React.useState<boolean>(false);
+  const [debugLog, setDebugLog] = React.useState<string>('.. >');
+
+  React.useEffect(() => {
+    isAttestationServiceAvailable()
+      .then((result) => {
+        setIsServiceAvailable(result);
+      })
+      .catch((error) => {
+        setDebugLog(error);
+      });
+  }, []);
+
+  const getHardwareKey = async () => {
+    if (hardwareKeyTag === '' || hardwareKeyTag === undefined) {
+      setHardwareKeyTag(undefined);
+      const hardwareKey = await generateHardwareKey();
+      setHardwareKeyTag(hardwareKey);
+      setDebugLog(hardwareKey);
+    } else {
+      setDebugLog(hardwareKeyTag);
+    }
+  };
+
+  const requestAttestation = async () => {
+    setAttestation(undefined);
+    if (hardwareKeyTag) {
+      const result = await getAttestation(challenge, hardwareKeyTag);
+      setAttestation(result);
+      setDebugLog(result);
+    }
+  };
+
+  const getHardwareSignatureWithAssertion = async () => {
+    // this is a mocked jwk for ephimeral public key, in a production
+    // environment the ephimeral key must be generated by the client
+    // every time a WTE must be required
+    const jwk = {
+      crv: 'P-256',
+      kty: 'EC',
+      x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
+      y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
+      kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
+    };
+
+    const clientData = {
+      challenge: challenge,
+      jwk: jwk,
+    };
+
+    // Between Android and iOS there is a difference for the generation of hardwareSignature
+    // and assertion as on iOS both are generated directly from the SDK via generateAssertion
+    // while on Android the hardwareSignature must be generated via the signature functions and
+    // the assertion must be retrieved from the backend via an integrityToken.
+    if (hardwareKeyTag) {
+      const clientDataHash = await sha256(JSON.stringify(clientData));
+
+      const result = await generateHardwareSignatureWithAssertion(
+        clientDataHash,
+        hardwareKeyTag
+      );
+      setHsWithAssertion(result);
+      setDebugLog(result);
+    }
+  };
+
+  return (
+    <SafeAreaView style={styles.container}>
+      <Text style={styles.h1}>Integrity Check Demo App</Text>
+      {isServiceAvailable ? (
+        <>
+          <ButtonWithLoader
+            title="Generate Hardware Key"
+            onPress={() => getHardwareKey()}
+            loading={hardwareKeyTag === undefined}
+          />
+          <ButtonWithLoader
+            title="Get attestation"
+            onPress={() => requestAttestation()}
+            loading={attestation === undefined}
+          />
+          <ButtonWithLoader
+            title="Generate HS and Assertion"
+            onPress={() => getHardwareSignatureWithAssertion()}
+            loading={hsWithAssertion === undefined}
+          />
+        </>
+      ) : null}
+      <ScrollView style={styles.debug}>
+        <Text>{debugLog}</Text>
+      </ScrollView>
+    </SafeAreaView>
+  );
+}
+
+const styles = StyleSheet.create({
+  container: {
+    flex: 1,
+    alignItems: 'center',
+  },
+  h1: {
+    fontWeight: 'bold',
+    fontSize: 32,
+    textAlign: 'center',
+    marginTop: 50,
+    marginBottom: 50,
+  },
+  debug: {
+    width: '100%',
+    height: 300,
+    position: 'absolute',
+    bottom: 0,
+    backgroundColor: '#eaeaea',
+  },
+});

From fdb257882970b4f60d6f1f847ed0305357318408 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 18 Mar 2024 14:46:01 +0100
Subject: [PATCH 25/64] chore: add reject based on platform

---
 src/index.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/index.tsx b/src/index.tsx
index 552d6c0..7ce3331 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -51,7 +51,9 @@ const IoReactNativeIntegrity = NativeModules.IoReactNativeIntegrity
  * @returns a promise that resolves to a boolean.
  */
 export function isAttestationServiceAvailable(): Promise<boolean> {
-  return IoReactNativeIntegrity.isAttestationServiceAvailable();
+  return Platform.OS === 'ios'
+    ? IoReactNativeIntegrity.isAttestationServiceAvailable()
+    : Promise.resolve(false); // TODO: implement for Android
 }
 
 /**

From 83573212df535da28f3b67cefb3f72d85448987b Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 18 Mar 2024 14:47:39 +0100
Subject: [PATCH 26/64] chore: add missing text on unavailable service

---
 example/src/IosApp.tsx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
index 61b980d..e33e1f0 100644
--- a/example/src/IosApp.tsx
+++ b/example/src/IosApp.tsx
@@ -107,7 +107,9 @@ export default function IosApp() {
             loading={hsWithAssertion === undefined}
           />
         </>
-      ) : null}
+      ) : (
+        <Text style={styles.h1}>Attestation Service is not available</Text>
+      )}
       <ScrollView style={styles.debug}>
         <Text>{debugLog}</Text>
       </ScrollView>

From 9183115cbb2353cc318a89eba91b0fc7de54136f Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 18 Mar 2024 15:17:05 +0100
Subject: [PATCH 27/64] chore: update

---
 example/src/IosApp.tsx       |  9 ++++++++-
 src/__tests__/index.test.tsx | 21 +++++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
index e33e1f0..5415097 100644
--- a/example/src/IosApp.tsx
+++ b/example/src/IosApp.tsx
@@ -108,7 +108,7 @@ export default function IosApp() {
           />
         </>
       ) : (
-        <Text style={styles.h1}>Attestation Service is not available</Text>
+        <Text style={styles.h2}>{'Attestation Service is not available'}</Text>
       )}
       <ScrollView style={styles.debug}>
         <Text>{debugLog}</Text>
@@ -129,6 +129,13 @@ const styles = StyleSheet.create({
     marginTop: 50,
     marginBottom: 50,
   },
+  h2: {
+    fontWeight: 'bold',
+    fontSize: 14,
+    textAlign: 'center',
+    marginTop: 50,
+    marginBottom: 50,
+  },
   debug: {
     width: '100%',
     height: 300,
diff --git a/src/__tests__/index.test.tsx b/src/__tests__/index.test.tsx
index ef56709..2b10054 100644
--- a/src/__tests__/index.test.tsx
+++ b/src/__tests__/index.test.tsx
@@ -1,4 +1,4 @@
-import { NativeModules } from 'react-native';
+import { NativeModules, Platform } from 'react-native';
 import {
   generateHardwareKey,
   getAttestation,
@@ -21,12 +21,29 @@ jest.mock('react-native', () => ({
 }));
 
 describe('Test integrity check function exposed by main package', () => {
-  it('isAttestationServiceAvailable it should be called correctly', async () => {
+  it('should be called correctly on iOS', async () => {
+    Platform.OS = 'ios';
+
+    const spy = jest.spyOn(
+      NativeModules.IoReactNativeIntegrity,
+      'isAttestationServiceAvailable'
+    );
+
+    await isAttestationServiceAvailable();
+
+    expect(spy).toHaveBeenCalled();
+  });
+
+  it('should be called correctly on Android', async () => {
+    Platform.OS = 'android';
+
     const spy = jest.spyOn(
       NativeModules.IoReactNativeIntegrity,
       'isAttestationServiceAvailable'
     );
+
     await isAttestationServiceAvailable();
+
     expect(spy).toHaveBeenCalled();
   });
 

From 15024683b73ccbd55135d111cbf2bdef24479cd4 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 18 Mar 2024 17:46:42 +0100
Subject: [PATCH 28/64] chore: update

---
 example/ios/Podfile.lock | 3 +++
 example/package.json     | 3 ++-
 yarn.lock                | 8 ++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/example/ios/Podfile.lock b/example/ios/Podfile.lock
index cf631e7..b31184f 100644
--- a/example/ios/Podfile.lock
+++ b/example/ios/Podfile.lock
@@ -1115,6 +1115,8 @@ PODS:
     - React-jsi (= 0.73.6)
     - React-logger (= 0.73.6)
     - React-perflogger (= 0.73.6)
+  - RNSha256 (1.4.10):
+    - React-Core
   - SocketRocket (0.6.1)
   - Yoga (1.14.0)
 
@@ -1375,6 +1377,7 @@ SPEC CHECKSUMS:
   React-runtimescheduler: 9636eee762c699ca7c85751a359101797e4c8b3b
   React-utils: d16c1d2251c088ad817996621947d0ac8167b46c
   ReactCommon: 2aa35648354bd4c4665b9a5084a7d37097b89c10
+  RNSha256: e1bc64e9e50b293d5282bb4caa1b2043931f1c9d
   SocketRocket: f32cd54efbe0f095c4d7594881e52619cfe80b17
   Yoga: 805bf71192903b20fc14babe48080582fee65a80
 
diff --git a/example/package.json b/example/package.json
index 828688e..fd1e7d0 100644
--- a/example/package.json
+++ b/example/package.json
@@ -12,7 +12,8 @@
   "dependencies": {
     "buffer": "^6.0.3",
     "react": "18.2.0",
-    "react-native": "0.73.6"
+    "react-native": "0.73.6",
+    "react-native-sha256": "^1.4.10"
   },
   "devDependencies": {
     "@babel/core": "^7.20.0",
diff --git a/yarn.lock b/yarn.lock
index 80a688a..0d84153 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2561,6 +2561,7 @@ __metadata:
     buffer: ^6.0.3
     react: 18.2.0
     react-native: 0.73.6
+    react-native-sha256: ^1.4.10
   languageName: unknown
   linkType: soft
 
@@ -10761,6 +10762,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"react-native-sha256@npm:^1.4.10":
+  version: 1.4.10
+  resolution: "react-native-sha256@npm:1.4.10"
+  checksum: db49be891c2eece1de582215637c463fc5636fce7d58c2e78f1e60d6847eb121d3233f12c5793f43a193df6a79852eec459ef1a7e34c70133146a9fe332f055b
+  languageName: node
+  linkType: hard
+
 "react-native@npm:0.73.6":
   version: 0.73.6
   resolution: "react-native@npm:0.73.6"

From 772f865c2434fefbe61a657da09d2af31e0d3995 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 18 Mar 2024 17:51:42 +0100
Subject: [PATCH 29/64] chore: update

---
 example/src/IosApp.tsx | 127 +++++++++++++++++++++++++++++------------
 1 file changed, 90 insertions(+), 37 deletions(-)

diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
index 5415097..ecbe2e4 100644
--- a/example/src/IosApp.tsx
+++ b/example/src/IosApp.tsx
@@ -1,5 +1,4 @@
 import * as React from 'react';
-import { sha256 } from 'react-native-sha256';
 import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
 import {
   generateHardwareKey,
@@ -7,15 +6,27 @@ import {
   isAttestationServiceAvailable,
   generateHardwareSignatureWithAssertion,
 } from '@pagopa/io-react-native-integrity';
+import { BACKEND_ADDRESS } from '@env';
 import ButtonWithLoader from './components/ButtonWithLoader';
 
-const challenge = 'challengeFromServer';
+// this is a mocked jwk for ephimeral public key, in a production
+// environment the ephimeral key must be generated by the client
+// every time a WTE must be required
+const jwk = {
+  crv: 'P-256',
+  kty: 'EC',
+  x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
+  y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
+  kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
+};
 
-export default function IosApp() {
+export default function App() {
+  const [challenge, setChallenge] = React.useState<string>('');
   const [hardwareKeyTag, setHardwareKeyTag] = React.useState<
     string | undefined
   >('');
   const [attestation, setAttestation] = React.useState<string | undefined>('');
+  const [assertion, setAssertion] = React.useState<string | undefined>('');
   const [hsWithAssertion, setHsWithAssertion] = React.useState<
     string | undefined
   >('');
@@ -44,45 +55,88 @@ export default function IosApp() {
     }
   };
 
+  const getChallengeFromServer = async () => {
+    // contact server run on local at port 3000 to get
+    // the challenge to be used for the attestation
+    try {
+      const response = await fetch(`${BACKEND_ADDRESS}/attest/nonce`);
+      const result = await response.json();
+      console.log(result);
+      return result.nonce;
+    } catch (error) {
+      console.error(error);
+      return '';
+    }
+  };
+
   const requestAttestation = async () => {
     setAttestation(undefined);
     if (hardwareKeyTag) {
-      const result = await getAttestation(challenge, hardwareKeyTag);
+      // get challenge from server
+      const nonce = await getChallengeFromServer();
+      setChallenge(nonce);
+      const result = await getAttestation(nonce, hardwareKeyTag);
       setAttestation(result);
       setDebugLog(result);
     }
   };
 
-  const getHardwareSignatureWithAssertion = async () => {
-    // this is a mocked jwk for ephimeral public key, in a production
-    // environment the ephimeral key must be generated by the client
-    // every time a WTE must be required
-    const jwk = {
-      crv: 'P-256',
-      kty: 'EC',
-      x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
-      y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
-      kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
-    };
+  const verifyAttestation = async () => {
+    // verify attestation on the server with POST
+    // and body of challenge, attestation and keyId
+    const result = await fetch(`${BACKEND_ADDRESS}/attest/verify`, {
+      method: 'POST',
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        challenge: challenge,
+        attestation: attestation,
+        hardwareKeyTag: hardwareKeyTag,
+      }),
+    });
+    const response = await result.json();
+    setDebugLog(JSON.stringify(response));
+  };
+
+  const verifyAssertion = async () => {
+    // verify attestation on the server with POST
+    // and body of challenge, attestation and keyId
+    const result = await fetch(`${BACKEND_ADDRESS}/assertion/verify`, {
+      method: 'POST',
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        challenge: challenge,
+        assertion: assertion,
+        hardwareKeyTag: hardwareKeyTag,
+        payload: JSON.stringify({ challenge: challenge, jwk: jwk }),
+      }),
+    });
+    const response = await result.json();
+    setDebugLog(JSON.stringify(response));
+  };
 
+  const getHardwareSignatureWithAssertion = async () => {
     const clientData = {
       challenge: challenge,
       jwk: jwk,
     };
-
     // Between Android and iOS there is a difference for the generation of hardwareSignature
     // and assertion as on iOS both are generated directly from the SDK via generateAssertion
     // while on Android the hardwareSignature must be generated via the signature functions and
     // the assertion must be retrieved from the backend via an integrityToken.
     if (hardwareKeyTag) {
-      const clientDataHash = await sha256(JSON.stringify(clientData));
-
       const result = await generateHardwareSignatureWithAssertion(
-        clientDataHash,
+        JSON.stringify(clientData),
         hardwareKeyTag
       );
       setHsWithAssertion(result);
       setDebugLog(result);
+      setAssertion(result);
     }
   };
 
@@ -106,10 +160,18 @@ export default function IosApp() {
             onPress={() => getHardwareSignatureWithAssertion()}
             loading={hsWithAssertion === undefined}
           />
+          <ButtonWithLoader
+            title="VerifyAttestation"
+            onPress={() => verifyAttestation()}
+            loading={false}
+          />
+          <ButtonWithLoader
+            title="VerifyAssertion"
+            onPress={() => verifyAssertion()}
+            loading={false}
+          />
         </>
-      ) : (
-        <Text style={styles.h2}>{'Attestation Service is not available'}</Text>
-      )}
+      ) : null}
       <ScrollView style={styles.debug}>
         <Text>{debugLog}</Text>
       </ScrollView>
@@ -120,27 +182,18 @@ export default function IosApp() {
 const styles = StyleSheet.create({
   container: {
     flex: 1,
+    backgroundColor: '#fff',
     alignItems: 'center',
+    justifyContent: 'center',
   },
   h1: {
+    fontSize: 20,
     fontWeight: 'bold',
-    fontSize: 32,
-    textAlign: 'center',
-    marginTop: 50,
-    marginBottom: 50,
-  },
-  h2: {
-    fontWeight: 'bold',
-    fontSize: 14,
-    textAlign: 'center',
-    marginTop: 50,
-    marginBottom: 50,
+    margin: 20,
   },
   debug: {
+    flex: 1,
     width: '100%',
-    height: 300,
-    position: 'absolute',
-    bottom: 0,
-    backgroundColor: '#eaeaea',
+    padding: 20,
   },
 });

From dfb1b09b48d8a8212c36e02112d5f868aac613bc Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Tue, 19 Mar 2024 13:14:16 +0100
Subject: [PATCH 30/64] chore: update

---
 backend/src/index.ts   |  2 +-
 example/src/IosApp.tsx | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/backend/src/index.ts b/backend/src/index.ts
index 7f17e22..65f617d 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -109,5 +109,5 @@ app.post(`/assertion/verify`, (req, res) => {
 });
 
 app.listen(port, () => {
-  console.log(`[server]: Server is running at http://localhost:3000`);
+  console.log(`[server]: Server is running at http://localhost:${port}`);
 });
diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
index ecbe2e4..972dc46 100644
--- a/example/src/IosApp.tsx
+++ b/example/src/IosApp.tsx
@@ -5,6 +5,7 @@ import {
   getAttestation,
   isAttestationServiceAvailable,
   generateHardwareSignatureWithAssertion,
+  type IntegrityError,
 } from '@pagopa/io-react-native-integrity';
 import { BACKEND_ADDRESS } from '@env';
 import ButtonWithLoader from './components/ButtonWithLoader';
@@ -39,8 +40,8 @@ export default function App() {
       .then((result) => {
         setIsServiceAvailable(result);
       })
-      .catch((error) => {
-        setDebugLog(error);
+      .catch((error: IntegrityError) => {
+        setDebugLog(error.message);
       });
   }, []);
 
@@ -173,7 +174,7 @@ export default function App() {
         </>
       ) : null}
       <ScrollView style={styles.debug}>
-        <Text>{debugLog}</Text>
+        <Text style={styles.h2}>{debugLog}</Text>
       </ScrollView>
     </SafeAreaView>
   );
@@ -191,6 +192,11 @@ const styles = StyleSheet.create({
     fontWeight: 'bold',
     margin: 20,
   },
+  h2: {
+    fontSize: 18,
+    fontWeight: 'bold',
+    margin: 10,
+  },
   debug: {
     flex: 1,
     width: '100%',

From 24d782ade3534fbcc31397519006157a93478705 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Tue, 19 Mar 2024 16:16:36 +0100
Subject: [PATCH 31/64] chore: update

---
 example/src/IosApp.tsx | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
index 5415097..e9b2fdb 100644
--- a/example/src/IosApp.tsx
+++ b/example/src/IosApp.tsx
@@ -6,6 +6,7 @@ import {
   getAttestation,
   isAttestationServiceAvailable,
   generateHardwareSignatureWithAssertion,
+  type IntegrityError,
 } from '@pagopa/io-react-native-integrity';
 import ButtonWithLoader from './components/ButtonWithLoader';
 
@@ -28,8 +29,8 @@ export default function IosApp() {
       .then((result) => {
         setIsServiceAvailable(result);
       })
-      .catch((error) => {
-        setDebugLog(error);
+      .catch((error: IntegrityError) => {
+        setDebugLog(error.message);
       });
   }, []);
 

From c26c64b5dda5d85ec19612d331d75ee01ca63b5f Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Tue, 19 Mar 2024 16:22:39 +0100
Subject: [PATCH 32/64] fix: debug styles

---
 example/src/IosApp.tsx | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
index 972dc46..fe4b630 100644
--- a/example/src/IosApp.tsx
+++ b/example/src/IosApp.tsx
@@ -172,7 +172,9 @@ export default function App() {
             loading={false}
           />
         </>
-      ) : null}
+      ) : (
+        <Text style={styles.h2}>{'Attestation Service is not available'}</Text>
+      )}
       <ScrollView style={styles.debug}>
         <Text style={styles.h2}>{debugLog}</Text>
       </ScrollView>
@@ -183,23 +185,27 @@ export default function App() {
 const styles = StyleSheet.create({
   container: {
     flex: 1,
-    backgroundColor: '#fff',
     alignItems: 'center',
-    justifyContent: 'center',
   },
   h1: {
-    fontSize: 20,
     fontWeight: 'bold',
-    margin: 20,
+    fontSize: 32,
+    textAlign: 'center',
+    marginTop: 50,
+    marginBottom: 50,
   },
   h2: {
-    fontSize: 18,
     fontWeight: 'bold',
-    margin: 10,
+    fontSize: 14,
+    textAlign: 'center',
+    marginTop: 50,
+    marginBottom: 50,
   },
   debug: {
-    flex: 1,
     width: '100%',
-    padding: 20,
+    height: 300,
+    position: 'absolute',
+    bottom: 0,
+    backgroundColor: '#eaeaea',
   },
 });

From 7f3274ff4e7f00475fc852672880c6ae5cb8f9c8 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Sat, 9 Mar 2024 18:07:43 +0100
Subject: [PATCH 33/64] feat: add backend for local development

---
 .gitignore                                    |   2 +-
 backend/.env.local                            |   3 +
 backend/README.md                             |   1 +
 backend/nodemon.json                          |   6 +
 backend/package.json                          |  34 +
 backend/src/index.ts                          |  93 +++
 backend/src/verifyAssertion.ts                |  96 +++
 backend/src/verifyAttestation.ts              | 219 ++++++
 backend/tsconfig.json                         |  18 +
 example/.env.local                            |   1 +
 example/babel.config.js                       |  11 +
 example/env.d.ts                              |   3 +
 .../IoReactNativeIntegrityExample/Info.plist  |   2 +-
 example/package.json                          |   1 +
 package.json                                  |   6 +-
 yarn.lock                                     | 630 +++++++++++++++++-
 16 files changed, 1103 insertions(+), 23 deletions(-)
 create mode 100644 backend/.env.local
 create mode 100644 backend/README.md
 create mode 100644 backend/nodemon.json
 create mode 100644 backend/package.json
 create mode 100644 backend/src/index.ts
 create mode 100644 backend/src/verifyAssertion.ts
 create mode 100644 backend/src/verifyAttestation.ts
 create mode 100644 backend/tsconfig.json
 create mode 100644 example/.env.local
 create mode 100644 example/env.d.ts

diff --git a/.gitignore b/.gitignore
index a02647a..37edd28 100644
--- a/.gitignore
+++ b/.gitignore
@@ -79,4 +79,4 @@ android/keystores/debug.keystore
 lib/
 
 # Env
-.env
\ No newline at end of file
+.env
diff --git a/backend/.env.local b/backend/.env.local
new file mode 100644
index 0000000..8aef389
--- /dev/null
+++ b/backend/.env.local
@@ -0,0 +1,3 @@
+PORT =
+BUNDLE_IDENTIFIER = '';
+TEAM_IDENTIFIER = '';
diff --git a/backend/README.md b/backend/README.md
new file mode 100644
index 0000000..0519ecb
--- /dev/null
+++ b/backend/README.md
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/backend/nodemon.json b/backend/nodemon.json
new file mode 100644
index 0000000..3d850a5
--- /dev/null
+++ b/backend/nodemon.json
@@ -0,0 +1,6 @@
+{
+  "watch": ["src"],
+  "ext": ".ts,.js",
+  "ignore": [],
+  "exec": "npx ts-node ./src/index.ts"
+}
diff --git a/backend/package.json b/backend/package.json
new file mode 100644
index 0000000..ae18bc3
--- /dev/null
+++ b/backend/package.json
@@ -0,0 +1,34 @@
+{
+  "name": "@pagopa/io-react-native-integrity-backend",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "start:dev": "npx nodemon",
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "build": "rimraf ./build && tsc",
+    "start": "npm run build && node build/index.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "devDependencies": {
+    "@types/dotenv": "^8.2.0",
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.11.25",
+    "@types/uuid": "^9.0.8",
+    "nodemon": "^3.1.0",
+    "rimraf": "^5.0.5",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.4.2"
+  },
+  "dependencies": {
+    "asn1js": "^3.0.5",
+    "body-parser": "^1.20.2",
+    "cbor": "^9.0.2",
+    "dotenv": "^16.4.5",
+    "express": "^4.18.3",
+    "pkijs": "^3.0.15",
+    "uuid": "^9.0.1"
+  }
+}
diff --git a/backend/src/index.ts b/backend/src/index.ts
new file mode 100644
index 0000000..03ced41
--- /dev/null
+++ b/backend/src/index.ts
@@ -0,0 +1,93 @@
+import express from 'express';
+import { v4 as uuid } from 'uuid';
+import dotenv from 'dotenv';
+import verifyAttestation from './verifyAttestation';
+import bodyParser from 'body-parser';
+import verifyAssertion from './verifyAssertion';
+
+dotenv.config();
+const app = express();
+app.use(bodyParser.json());
+app.use(bodyParser.urlencoded({ extended: false }));
+
+const port = process.env.PORT || 3000;
+const nonce = uuid();
+let attestation: any = null;
+
+const BUNDLE_IDENTIFIER = process.env.BUNDLE_IDENTIFIER || '';
+const TEAM_IDENTIFIER = process.env.TEAM_IDENTIFIER || '';
+
+app.get('/attest/nonce', (_, res) => {
+  console.debug(`challange was requested, returning ${nonce}`);
+  res.send(JSON.stringify({ nonce }));
+});
+
+app.post(`/attest/verify`, (req, res) => {
+  try {
+    console.debug(`verify was requested: ${JSON.stringify(req.body, null, 2)}`);
+    if (nonce !== req.body.challenge) {
+      throw new Error('Invalid challenge');
+    }
+
+    const result = verifyAttestation({
+      attestation: Buffer.from(req.body.attestation, 'base64'),
+      challenge: req.body.challenge,
+      keyId: req.body.hardwareKeyTag,
+      bundleIdentifier: BUNDLE_IDENTIFIER,
+      teamIdentifier: TEAM_IDENTIFIER,
+      allowDevelopmentEnvironment: true,
+    });
+
+    // store the attestation for later use
+    attestation = {
+      keyId: req.body.hardwareKeyTag,
+      publicKey: result.publicKey,
+      signCount: 0,
+    };
+
+    res.json({ result: 'ok' });
+  } catch (error) {
+    console.error(error);
+    res.status(401).send({ error: 'Unauthorized' });
+  }
+});
+
+app.post(`/assertion/verify`, (req, res) => {
+  try {
+    const { hardwareKeyTag, assertion } = req.body;
+
+    if (hardwareKeyTag === undefined || assertion === undefined) {
+      throw new Error('Invalid authentication');
+    }
+
+    if (nonce !== req.body.challenge) {
+      throw new Error('Invalid challenge');
+    }
+
+    if (!attestation) {
+      throw new Error('No attestation found');
+    }
+
+    console.log(req.body.payload);
+    const result = verifyAssertion({
+      assertion: assertion,
+      payload: req.body.payload,
+      publicKey: attestation.publicKey,
+      bundleIdentifier: BUNDLE_IDENTIFIER,
+      teamIdentifier: TEAM_IDENTIFIER,
+      signCount: attestation.signCount,
+    });
+
+    console.log(result);
+    console.debug(`Received message: ${JSON.stringify(req.body)}`);
+
+    res.send({ result: 'ok' });
+  } catch (error) {
+    console.error(error);
+    res.status(401).send({ error: 'Unauthorized' });
+  }
+});
+
+app.listen(port, () => {
+  console.log(`[server]: Server is running at http://localhost:3000`);
+});
diff --git a/backend/src/verifyAssertion.ts b/backend/src/verifyAssertion.ts
new file mode 100644
index 0000000..1d869b5
--- /dev/null
+++ b/backend/src/verifyAssertion.ts
@@ -0,0 +1,96 @@
+import * as cbor from 'cbor';
+import { createHash, createVerify } from 'crypto';
+
+export type VerifyAssertionParams = {
+  assertion: string;
+  payload: Buffer;
+  publicKey: string;
+  bundleIdentifier: string;
+  teamIdentifier: string;
+  signCount: number;
+};
+
+/**
+ * A function to verify an assertion from a hardware key.
+ * @param params
+ * @returns
+ */
+const verifyAssertion = (params: VerifyAssertionParams) => {
+  const {
+    assertion,
+    payload,
+    publicKey,
+    bundleIdentifier,
+    teamIdentifier,
+    signCount,
+  } = params;
+
+  if (!bundleIdentifier) {
+    throw new Error('bundleIdentifier is required');
+  }
+
+  if (!teamIdentifier) {
+    throw new Error('teamIdentifier is required');
+  }
+
+  if (!assertion) {
+    throw new Error('assertion is required');
+  }
+
+  if (!payload) {
+    throw new Error('payload is required');
+  }
+
+  if (!publicKey) {
+    throw new Error('publicKey is required');
+  }
+
+  // 1. Decode the assertion from base64 to string
+  let decodedAssertion;
+  try {
+    const decodedAssertionString = Buffer.from(assertion, 'base64').toString(
+      'hex'
+    );
+    decodedAssertion = cbor.decodeAllSync(decodedAssertionString)[0];
+  } catch (e) {
+    throw new Error('invalid assertion');
+  }
+
+  const { signature, authenticatorData } = decodedAssertion;
+
+  // 2. Compute the SHA256 hash of the client data, and store it as clientDataHash.
+  const clientDataHash = createHash('sha256').update(payload).digest();
+
+  // 3. Compute the SHA256 hash of the concatenation of the authenticator
+  // data and the client data hash, and store it as nonce.
+  const nonce = createHash('sha256')
+    .update(Buffer.concat([authenticatorData, clientDataHash]))
+    .digest();
+
+  // 4. Verify the signature using the public key and nonce.
+  const verifier = createVerify('SHA256');
+  verifier.update(nonce);
+  if (!verifier.verify(publicKey, signature)) {
+    throw new Error('invalid signature');
+  }
+
+  // 5. Compute the SHA256 hash of your app’s App ID, and verify that it’s the same as the authenticator data’s RP ID hash.
+  const appIdHash = createHash('sha256')
+    .update(`${teamIdentifier}.${bundleIdentifier}`)
+    .digest('base64');
+  const rpiIdHash = authenticatorData.subarray(0, 32).toString('base64');
+
+  if (appIdHash !== rpiIdHash) {
+    throw new Error('appId does not match');
+  }
+
+  // 6. Verify that the authenticator data’s counter field is larger than the stored signCount.
+  const nextSignCount = authenticatorData.subarray(33, 37).readInt32BE();
+  if (nextSignCount <= signCount) {
+    throw new Error('invalid signCount');
+  }
+
+  return { signCount: nextSignCount };
+};
+
+export default verifyAssertion;
diff --git a/backend/src/verifyAttestation.ts b/backend/src/verifyAttestation.ts
new file mode 100644
index 0000000..9a1b6ae
--- /dev/null
+++ b/backend/src/verifyAttestation.ts
@@ -0,0 +1,219 @@
+import * as cbor from 'cbor';
+import { createHash, X509Certificate } from 'crypto';
+import * as asn1js from 'asn1js';
+import * as pkijs from 'pkijs';
+
+const APPLE_APP_ATTESTATION_ROOT_CA = new X509Certificate(
+  '-----BEGIN CERTIFICATE-----\nMIICITCCAaegAwIBAgIQC/O+DvHN0uD7jG5yH2IXmDAKBggqhkjOPQQDAzBSMSYwJAYDVQQDDB1BcHBsZSBBcHAgQXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yMDAzMTgxODMyNTNaFw00NTAzMTUwMDAwMDBaMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlvbiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERTHhmLW07ATaFQIEVwTtT4dyctdhNbJhFs/Ii2FdCgAHGbpphY3+d8qjuDngIN3WVhQUBHAoMeQ/cLiP1sOUtgjqK9auYen1mMEvRq9Sk3Jm5X8U62H+xTD3FE9TgS41o0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSskRBTM72+aEH/pwyp5frq5eWKoTAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDaAAwZQIwQgFGnByvsiVbpTKwSga0kP0e8EeDS4+sQmTvb7vn53O5+FRXgeLhpJ06ysC5PrOyAjEAp5U4xDgEgllF7En3VcE3iexZZtKeYnpqtijVoyFraWVIyd/dganmrduC1bmTBGwD\n-----END CERTIFICATE-----'
+);
+
+const APPATTESTDEVELOP = Buffer.from('appattestdevelop').toString('hex');
+const APPATTESTPROD = Buffer.concat([
+  Buffer.from('appattest'),
+  Buffer.from([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]),
+]).toString('hex');
+
+export type VerifyAttestationParams = {
+  attestation: Buffer;
+  challenge: Buffer;
+  keyId: string;
+  bundleIdentifier: string;
+  teamIdentifier: string;
+  allowDevelopmentEnvironment: boolean;
+};
+
+const verifyAttestation = (params: VerifyAttestationParams) => {
+  const {
+    attestation,
+    challenge,
+    keyId,
+    bundleIdentifier,
+    teamIdentifier,
+    allowDevelopmentEnvironment,
+  } = params;
+
+  if (!bundleIdentifier) {
+    throw new Error('bundleIdentifier is required');
+  }
+
+  if (!teamIdentifier) {
+    throw new Error('teamIdentifier is required');
+  }
+
+  if (!attestation) {
+    throw new Error('attestation is required');
+  }
+
+  if (!challenge) {
+    throw new Error('challenge is required');
+  }
+
+  if (!keyId) {
+    throw new Error('keyId is required');
+  }
+
+  let decodedAttestations;
+
+  try {
+    decodedAttestations = cbor.decodeAllSync(attestation);
+  } catch (e) {
+    throw new Error('invalid attestation');
+  }
+
+  if (decodedAttestations.length !== 1) {
+    throw new Error('number of decoded attestations is not 1');
+  }
+
+  const decodedAttestation = decodedAttestations[0];
+
+  if (
+    decodedAttestation.fmt !== 'apple-appattest' ||
+    decodedAttestation.attStmt?.x5c?.length !== 2 ||
+    !decodedAttestation.attStmt?.receipt ||
+    !decodedAttestation.authData ||
+    !Buffer.isBuffer(decodedAttestation.attStmt.x5c[0]) ||
+    !Buffer.isBuffer(decodedAttestation.attStmt.x5c[1]) ||
+    !Buffer.isBuffer(decodedAttestation.attStmt.receipt) ||
+    !Buffer.isBuffer(decodedAttestation.authData)
+  ) {
+    throw new Error('invalid attestation');
+  }
+
+  const { authData, attStmt } = decodedAttestation;
+
+  // https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server
+  // 1. Verify that the attestation statement’s x5c field contains two certificates, the first of which is the
+  //    sub CA certificate and the second of which is the client certificate.
+  let certificates;
+  try {
+    certificates = attStmt.x5c.map((data: any) => new X509Certificate(data));
+  } catch (e) {
+    throw new Error('invalid certificate');
+  }
+
+  const subCaCertificate = certificates.find(
+    (certificate: any) =>
+      certificate.subject.indexOf('Apple App Attestation CA 1') !== -1
+  );
+
+  if (!subCaCertificate) {
+    throw new Error('no sub CA certificate found');
+  }
+
+  if (!subCaCertificate.verify(APPLE_APP_ATTESTATION_ROOT_CA.publicKey)) {
+    throw new Error(
+      'sub CA certificate is not signed by Apple App Attestation Root CA'
+    );
+  }
+
+  const clientCertificate = certificates.find(
+    (certificate: any) =>
+      certificate.subject.indexOf('Apple App Attestation CA 1') === -1
+  );
+
+  if (!clientCertificate) {
+    throw new Error('no client CA certificate found');
+  }
+
+  if (!clientCertificate.verify(subCaCertificate.publicKey)) {
+    throw new Error(
+      'client CA certificate is not signed by Apple App Attestation CA 1'
+    );
+  }
+
+  // 2. Create clientDataHash as the SHA256 hash of the one-time challenge your server sends to your
+  //    app before performing the attestation, and append that hash to the end of the authenticator
+  //    data (authData from the decoded object).
+  const clientDataHash = createHash('sha256').update(challenge).digest();
+
+  const nonceData = Buffer.concat([
+    decodedAttestation.authData,
+    clientDataHash,
+  ]);
+
+  // 3. Generate a new SHA256 hash of the composite item to create nonce.
+  const nonce = createHash('sha256').update(nonceData).digest('hex');
+
+  // 4. Obtain the value of the credCert extension with OID 1.2.840.113635.100.8.2, which is a DER-encoded ASN.1
+  //    sequence. Decode the sequence and extract the single octet string that it contains. Verify that the
+  //    string equals nonce.
+  const asn1 = asn1js.fromBER(clientCertificate.raw);
+  const certificate = new pkijs.Certificate({ schema: asn1.result });
+  const extension = certificate.extensions?.find(
+    (e) => e.extnID === '1.2.840.113635.100.8.2'
+  );
+  try {
+    const actualNonce = Buffer.from(
+      extension?.parsedValue.valueBlock.value[0].valueBlock.value[0].valueBlock
+        .valueHex
+    ).toString('hex');
+    if (actualNonce !== nonce) {
+      throw new Error('nonce does not match');
+    }
+  } catch {
+    throw new Error('nonce does not match');
+  }
+
+  // 5. Create the SHA256 hash of the public key in credCert, and verify that it matches the key identifier from your app
+  // const publicKey = await certificate.getPublicKey()
+  const publicKey = Buffer.from(
+    certificate.subjectPublicKeyInfo.subjectPublicKey.valueBlock.valueHex
+  );
+  const publicKeyHash = createHash('sha256')
+    .update(publicKey.toString('hex'), 'hex') // Convert publicKey to hexadecimal string
+    .digest('base64');
+  if (publicKeyHash !== keyId) {
+    throw new Error('keyId does not match');
+  }
+
+  // 6. Compute the SHA256 hash of your app’s App ID, and verify that it’s the same as the authenticator data’s RP ID hash.
+  const appIdHash = createHash('sha256')
+    .update(`${teamIdentifier}.${bundleIdentifier}`)
+    .digest('base64');
+  const rpiIdHash = authData.subarray(0, 32).toString('base64');
+
+  if (appIdHash !== rpiIdHash) {
+    throw new Error('appId does not match');
+  }
+
+  // 7. Verify that the authenticator data’s counter field equals 0.
+  const signCount = authData.subarray(33, 37).readInt32BE();
+  /* istanbul ignore if */
+  if (signCount !== 0) {
+    throw new Error('signCount is not 0');
+  }
+
+  // 8. Verify that the authenticator data’s aaguid field is either appattestdevelop if operating in the development
+  //    environment, or appattest followed by seven 0x00 bytes if operating in the production environment.
+  const aaguid = authData.subarray(37, 53).toString('hex');
+
+  /* istanbul ignore if */
+  if (aaguid !== APPATTESTDEVELOP && aaguid !== APPATTESTPROD) {
+    throw new Error('aaguid is not valid');
+  }
+
+  if (aaguid === APPATTESTDEVELOP && !allowDevelopmentEnvironment) {
+    throw new Error('development environment is not allowed');
+  }
+
+  // 9. Verify that the authenticator data’s credentialId field is the same as the key identifier.
+  const credentialIdLength = authData.subarray(53, 55).readInt16BE();
+  const credentialId = authData.subarray(55, 55 + credentialIdLength);
+
+  /* istanbul ignore if */
+  if (credentialId.toString('base64') !== keyId) {
+    throw new Error('credentialId does not match');
+  }
+
+  return {
+    keyId,
+    publicKey: clientCertificate.publicKey.export({
+      type: 'spki',
+      format: 'pem',
+    }),
+    receipt: decodedAttestation.attStmt.receipt,
+    environment: aaguid === APPATTESTPROD ? 'production' : 'development',
+  };
+};
+
+export default verifyAttestation;
diff --git a/backend/tsconfig.json b/backend/tsconfig.json
new file mode 100644
index 0000000..42c9a23
--- /dev/null
+++ b/backend/tsconfig.json
@@ -0,0 +1,18 @@
+{
+  "compilerOptions": {
+    "target": "es2016" /* Set the JavaScript language version for emitted JavaScript and include compatible library declarations. */,
+    "lib": [
+      "es6"
+    ] /* Specify a set of bundled library declaration files that describe the target runtime environment. */,
+    "module": "commonjs" /* Specify what module code is generated. */,
+    "rootDir": "src" /* Specify the root folder within your source files. */,
+    "resolveJsonModule": true /* Enable importing .json files. */,
+    "allowJs": true /* Allow JavaScript files to be a part of your program. Use the 'checkJS' option to get errors from these files. */,
+    "outDir": "build" /* Specify an output folder for all emitted files. */,
+    "esModuleInterop": true /* Emit additional JavaScript to ease support for importing CommonJS modules. This enables 'allowSyntheticDefaultImports' for type compatibility. */,
+    "forceConsistentCasingInFileNames": true /* Ensure that casing is correct in imports. */,
+    "strict": true /* Enable all strict type-checking options. */,
+    "noImplicitAny": true /* Enable error reporting for expressions and declarations with an implied 'any' type. */,
+    "skipLibCheck": true /* Skip type checking all .d.ts files. */
+  }
+}
diff --git a/example/.env.local b/example/.env.local
new file mode 100644
index 0000000..7848848
--- /dev/null
+++ b/example/.env.local
@@ -0,0 +1 @@
+BACKEND_ADDRESS = ""
\ No newline at end of file
diff --git a/example/babel.config.js b/example/babel.config.js
index d9addbb..a493786 100644
--- a/example/babel.config.js
+++ b/example/babel.config.js
@@ -13,5 +13,16 @@ module.exports = {
         },
       },
     ],
+    [
+      'module:react-native-dotenv',
+      {
+        envName: 'APP_ENV',
+        moduleName: '@env',
+        path: '.env',
+        safe: false,
+        allowUndefined: true,
+        verbose: false,
+      },
+    ],
   ],
 };
diff --git a/example/env.d.ts b/example/env.d.ts
new file mode 100644
index 0000000..e29c264
--- /dev/null
+++ b/example/env.d.ts
@@ -0,0 +1,3 @@
+declare module '@env' {
+  export const BACKEND_ADDRESS: string;
+}
diff --git a/example/ios/IoReactNativeIntegrityExample/Info.plist b/example/ios/IoReactNativeIntegrityExample/Info.plist
index a88fe56..c1dfb30 100644
--- a/example/ios/IoReactNativeIntegrityExample/Info.plist
+++ b/example/ios/IoReactNativeIntegrityExample/Info.plist
@@ -28,7 +28,7 @@
 	<dict>
 	  <!-- Do not change NSAllowsArbitraryLoads to true, or you will risk app rejection! -->
 		<key>NSAllowsArbitraryLoads</key>
-		<false/>
+		<true/>
 		<key>NSAllowsLocalNetworking</key>
 		<true/>
 	</dict>
diff --git a/example/package.json b/example/package.json
index fd1e7d0..23cc006 100644
--- a/example/package.json
+++ b/example/package.json
@@ -13,6 +13,7 @@
     "buffer": "^6.0.3",
     "react": "18.2.0",
     "react-native": "0.73.6",
+    "react-native-dotenv": "^3.4.11",
     "react-native-sha256": "^1.4.10"
   },
   "devDependencies": {
diff --git a/package.json b/package.json
index 1fe2e25..02ed1d7 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,8 @@
     "!**/.*"
   ],
   "scripts": {
-    "example": "yarn workspace @pagopa/io-react-native-integrity-example",
+    "example": "yarn workspace @pagopa/io-react-native-integrity-example start",
+    "backend": "yarn workspace @pagopa/io-react-native-integrity-backend start",
     "test": "jest",
     "typecheck": "tsc --noEmit",
     "lint": "eslint \"**/*.{js,ts,tsx}\"",
@@ -81,7 +82,8 @@
     "react-native": "*"
   },
   "workspaces": [
-    "example"
+    "example",
+    "backend"
   ],
   "packageManager": "yarn@3.6.1",
   "jest": {
diff --git a/yarn.lock b/yarn.lock
index 0d84153..701d758 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2547,6 +2547,28 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@pagopa/io-react-native-integrity-backend@workspace:backend":
+  version: 0.0.0-use.local
+  resolution: "@pagopa/io-react-native-integrity-backend@workspace:backend"
+  dependencies:
+    "@types/dotenv": ^8.2.0
+    "@types/express": ^4.17.21
+    "@types/node": ^20.11.25
+    "@types/uuid": ^9.0.8
+    asn1js: ^3.0.5
+    body-parser: ^1.20.2
+    cbor: ^9.0.2
+    dotenv: ^16.4.5
+    express: ^4.18.3
+    nodemon: ^3.1.0
+    pkijs: ^3.0.15
+    rimraf: ^5.0.5
+    ts-node: ^10.9.2
+    typescript: ^5.4.2
+    uuid: ^9.0.1
+  languageName: unknown
+  linkType: soft
+
 "@pagopa/io-react-native-integrity-example@workspace:example":
   version: 0.0.0-use.local
   resolution: "@pagopa/io-react-native-integrity-example@workspace:example"
@@ -2561,6 +2583,7 @@ __metadata:
     buffer: ^6.0.3
     react: 18.2.0
     react-native: 0.73.6
+    react-native-dotenv: ^3.4.11
     react-native-sha256: ^1.4.10
   languageName: unknown
   linkType: soft
@@ -3186,6 +3209,58 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/body-parser@npm:*":
+  version: 1.19.5
+  resolution: "@types/body-parser@npm:1.19.5"
+  dependencies:
+    "@types/connect": "*"
+    "@types/node": "*"
+  checksum: 1e251118c4b2f61029cc43b0dc028495f2d1957fe8ee49a707fb940f86a9bd2f9754230805598278fe99958b49e9b7e66eec8ef6a50ab5c1f6b93e1ba2aaba82
+  languageName: node
+  linkType: hard
+
+"@types/connect@npm:*":
+  version: 3.4.38
+  resolution: "@types/connect@npm:3.4.38"
+  dependencies:
+    "@types/node": "*"
+  checksum: 7eb1bc5342a9604facd57598a6c62621e244822442976c443efb84ff745246b10d06e8b309b6e80130026a396f19bf6793b7cecd7380169f369dac3bfc46fb99
+  languageName: node
+  linkType: hard
+
+"@types/dotenv@npm:^8.2.0":
+  version: 8.2.0
+  resolution: "@types/dotenv@npm:8.2.0"
+  dependencies:
+    dotenv: "*"
+  checksum: a1f524da7dc18b09bdb6c2613b9abbbe8ca575621cce4625efc7f98daf2ba07c7dbab622c9bb394507a12c5c515f9cbbbba4aeec17b801c88faeb8e8e656d460
+  languageName: node
+  linkType: hard
+
+"@types/express-serve-static-core@npm:^4.17.33":
+  version: 4.17.43
+  resolution: "@types/express-serve-static-core@npm:4.17.43"
+  dependencies:
+    "@types/node": "*"
+    "@types/qs": "*"
+    "@types/range-parser": "*"
+    "@types/send": "*"
+  checksum: 08e940cae52eb1388a7b5f61d65f028e783add77d1854243ae920a6a2dfb5febb6acaafbcf38be9d678b0411253b9bc325893c463a93302405f24135664ab1e4
+  languageName: node
+  linkType: hard
+
+"@types/express@npm:^4.17.21":
+  version: 4.17.21
+  resolution: "@types/express@npm:4.17.21"
+  dependencies:
+    "@types/body-parser": "*"
+    "@types/express-serve-static-core": ^4.17.33
+    "@types/qs": "*"
+    "@types/serve-static": "*"
+  checksum: fb238298630370a7392c7abdc80f495ae6c716723e114705d7e3fb67e3850b3859bbfd29391463a3fb8c0b32051847935933d99e719c0478710f8098ee7091c5
+  languageName: node
+  linkType: hard
+
 "@types/graceful-fs@npm:^4.1.3":
   version: 4.1.9
   resolution: "@types/graceful-fs@npm:4.1.9"
@@ -3202,6 +3277,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/http-errors@npm:*":
+  version: 2.0.4
+  resolution: "@types/http-errors@npm:2.0.4"
+  checksum: 1f3d7c3b32c7524811a45690881736b3ef741bf9849ae03d32ad1ab7062608454b150a4e7f1351f83d26a418b2d65af9bdc06198f1c079d75578282884c4e8e3
+  languageName: node
+  linkType: hard
+
 "@types/istanbul-lib-coverage@npm:*, @types/istanbul-lib-coverage@npm:^2.0.0, @types/istanbul-lib-coverage@npm:^2.0.1":
   version: 2.0.6
   resolution: "@types/istanbul-lib-coverage@npm:2.0.6"
@@ -3244,6 +3326,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/mime@npm:*":
+  version: 3.0.4
+  resolution: "@types/mime@npm:3.0.4"
+  checksum: a6139c8e1f705ef2b064d072f6edc01f3c099023ad7c4fce2afc6c2bf0231888202adadbdb48643e8e20da0ce409481a49922e737eca52871b3dc08017455843
+  languageName: node
+  linkType: hard
+
+"@types/mime@npm:^1":
+  version: 1.3.5
+  resolution: "@types/mime@npm:1.3.5"
+  checksum: e29a5f9c4776f5229d84e525b7cd7dd960b51c30a0fb9a028c0821790b82fca9f672dab56561e2acd9e8eed51d431bde52eafdfef30f643586c4162f1aecfc78
+  languageName: node
+  linkType: hard
+
 "@types/minimist@npm:^1.2.0, @types/minimist@npm:^1.2.2":
   version: 1.2.5
   resolution: "@types/minimist@npm:1.2.5"
@@ -3267,6 +3363,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/node@npm:^20.11.25":
+  version: 20.11.25
+  resolution: "@types/node@npm:20.11.25"
+  dependencies:
+    undici-types: ~5.26.4
+  checksum: bdb29da3f3dc687a0104cb70e30b5277d9df8f22843a4ed94835762683a95a8a0ea0c2ed0cf96f6eeff348491dd50dd9b20307d08f71ba7cb489d54a81cbbfec
+  languageName: node
+  linkType: hard
+
 "@types/normalize-package-data@npm:^2.4.0":
   version: 2.4.4
   resolution: "@types/normalize-package-data@npm:2.4.4"
@@ -3288,6 +3393,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/qs@npm:*":
+  version: 6.9.12
+  resolution: "@types/qs@npm:6.9.12"
+  checksum: 76be8068091058987bb49aca59e9714ff856661cdc2340499f9d502c78950ac08e7ecbca256c8a72c4c83714bce30e6aaad13f9f739e8c0c436c0eedb2a2627c
+  languageName: node
+  linkType: hard
+
+"@types/range-parser@npm:*":
+  version: 1.2.7
+  resolution: "@types/range-parser@npm:1.2.7"
+  checksum: 95640233b689dfbd85b8c6ee268812a732cf36d5affead89e806fe30da9a430767af8ef2cd661024fd97e19d61f3dec75af2df5e80ec3bea000019ab7028629a
+  languageName: node
+  linkType: hard
+
 "@types/react@npm:^18.2.44":
   version: 18.2.60
   resolution: "@types/react@npm:18.2.60"
@@ -3313,6 +3432,27 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/send@npm:*":
+  version: 0.17.4
+  resolution: "@types/send@npm:0.17.4"
+  dependencies:
+    "@types/mime": ^1
+    "@types/node": "*"
+  checksum: cf4db48251bbb03cd6452b4de6e8e09e2d75390a92fd798eca4a803df06444adc94ed050246c94c7ed46fb97be1f63607f0e1f13c3ce83d71788b3e08640e5e0
+  languageName: node
+  linkType: hard
+
+"@types/serve-static@npm:*":
+  version: 1.15.5
+  resolution: "@types/serve-static@npm:1.15.5"
+  dependencies:
+    "@types/http-errors": "*"
+    "@types/mime": "*"
+    "@types/node": "*"
+  checksum: 0ff4b3703cf20ba89c9f9e345bc38417860a88e85863c8d6fe274a543220ab7f5f647d307c60a71bb57dc9559f0890a661e8dc771a6ec5ef195d91c8afc4a893
+  languageName: node
+  linkType: hard
+
 "@types/stack-utils@npm:^2.0.0":
   version: 2.0.3
   resolution: "@types/stack-utils@npm:2.0.3"
@@ -3320,6 +3460,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/uuid@npm:^9.0.8":
+  version: 9.0.8
+  resolution: "@types/uuid@npm:9.0.8"
+  checksum: b8c60b7ba8250356b5088302583d1704a4e1a13558d143c549c408bf8920535602ffc12394ede77f8a8083511b023704bc66d1345792714002bfa261b17c5275
+  languageName: node
+  linkType: hard
+
 "@types/yargs-parser@npm:*":
   version: 21.0.3
   resolution: "@types/yargs-parser@npm:21.0.3"
@@ -3485,6 +3632,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"abbrev@npm:1":
+  version: 1.1.1
+  resolution: "abbrev@npm:1.1.1"
+  checksum: a4a97ec07d7ea112c517036882b2ac22f3109b7b19077dc656316d07d308438aac28e4d9746dc4d84bf6b1e75b4a7b0a5f3cb30592419f128ca9a8cee3bcfa17
+  languageName: node
+  linkType: hard
+
 "abbrev@npm:^2.0.0":
   version: 2.0.0
   resolution: "abbrev@npm:2.0.0"
@@ -3501,7 +3655,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"accepts@npm:^1.3.7, accepts@npm:~1.3.5, accepts@npm:~1.3.7":
+"accepts@npm:^1.3.7, accepts@npm:~1.3.5, accepts@npm:~1.3.7, accepts@npm:~1.3.8":
   version: 1.3.8
   resolution: "accepts@npm:1.3.8"
   dependencies:
@@ -3685,7 +3839,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"anymatch@npm:^3.0.3":
+"anymatch@npm:^3.0.3, anymatch@npm:~3.1.2":
   version: 3.1.3
   resolution: "anymatch@npm:3.1.3"
   dependencies:
@@ -3735,6 +3889,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"array-flatten@npm:1.1.1":
+  version: 1.1.1
+  resolution: "array-flatten@npm:1.1.1"
+  checksum: a9925bf3512d9dce202112965de90c222cd59a4fbfce68a0951d25d965cf44642931f40aac72309c41f12df19afa010ecadceb07cfff9ccc1621e99d89ab5f3b
+  languageName: node
+  linkType: hard
+
 "array-ify@npm:^1.0.0":
   version: 1.0.0
   resolution: "array-ify@npm:1.0.0"
@@ -3842,6 +4003,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"asn1js@npm:^3.0.5":
+  version: 3.0.5
+  resolution: "asn1js@npm:3.0.5"
+  dependencies:
+    pvtsutils: ^1.3.2
+    pvutils: ^1.1.3
+    tslib: ^2.4.0
+  checksum: 3b6af1bbadd5762ef8ead5daf2f6bda1bc9e23bc825c4dcc996aa1f9521ad7390a64028565d95d98090d69c8431f004c71cccb866004759169d7c203cf9075eb
+  languageName: node
+  linkType: hard
+
 "ast-types@npm:0.15.2":
   version: 0.15.2
   resolution: "ast-types@npm:0.15.2"
@@ -4079,6 +4251,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"binary-extensions@npm:^2.0.0":
+  version: 2.2.0
+  resolution: "binary-extensions@npm:2.2.0"
+  checksum: ccd267956c58d2315f5d3ea6757cf09863c5fc703e50fbeb13a7dc849b812ef76e3cf9ca8f35a0c48498776a7478d7b4a0418e1e2b8cb9cb9731f2922aaad7f8
+  languageName: node
+  linkType: hard
+
 "bl@npm:^4.1.0":
   version: 4.1.0
   resolution: "bl@npm:4.1.0"
@@ -4101,6 +4280,26 @@ __metadata:
   languageName: node
   linkType: hard
 
+"body-parser@npm:1.20.2, body-parser@npm:^1.20.2":
+  version: 1.20.2
+  resolution: "body-parser@npm:1.20.2"
+  dependencies:
+    bytes: 3.1.2
+    content-type: ~1.0.5
+    debug: 2.6.9
+    depd: 2.0.0
+    destroy: 1.2.0
+    http-errors: 2.0.0
+    iconv-lite: 0.4.24
+    on-finished: 2.4.1
+    qs: 6.11.0
+    raw-body: 2.5.2
+    type-is: ~1.6.18
+    unpipe: 1.0.0
+  checksum: 14d37ec638ab5c93f6099ecaed7f28f890d222c650c69306872e00b9efa081ff6c596cd9afb9930656aae4d6c4e1c17537bea12bb73c87a217cb3cfea8896737
+  languageName: node
+  linkType: hard
+
 "boxen@npm:^7.0.0":
   version: 7.1.1
   resolution: "boxen@npm:7.1.1"
@@ -4145,7 +4344,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"braces@npm:^3.0.2":
+"braces@npm:^3.0.2, braces@npm:~3.0.2":
   version: 3.0.2
   resolution: "braces@npm:3.0.2"
   dependencies:
@@ -4220,6 +4419,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"bytes@npm:3.1.2":
+  version: 3.1.2
+  resolution: "bytes@npm:3.1.2"
+  checksum: e4bcd3948d289c5127591fbedf10c0b639ccbf00243504e4e127374a15c3bc8eed0d28d4aaab08ff6f1cf2abc0cce6ba3085ed32f4f90e82a5683ce0014e1b6e
+  languageName: node
+  linkType: hard
+
+"bytestreamjs@npm:^2.0.0":
+  version: 2.0.1
+  resolution: "bytestreamjs@npm:2.0.1"
+  checksum: db4cb039794675a0ec1f097d228e4897378cdf5f794dca04fc3bff63efb466524fcfac95e59e89e928822a80fad7574734c02b8eace9e841d8599da43c82768a
+  languageName: node
+  linkType: hard
+
 "cacache@npm:^18.0.0":
   version: 18.0.2
   resolution: "cacache@npm:18.0.2"
@@ -4358,6 +4571,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"cbor@npm:^9.0.2":
+  version: 9.0.2
+  resolution: "cbor@npm:9.0.2"
+  dependencies:
+    nofilter: ^3.1.0
+  checksum: 925edae7bf964be5a26dba1b7ba6311ac12b6a66234dc958958997a0576cdc740632dc19852a5b84d8a75101936bea1fe122dc22539d6e11f4539c731853ba2e
+  languageName: node
+  linkType: hard
+
 "chalk@npm:5.2.0":
   version: 5.2.0
   resolution: "chalk@npm:5.2.0"
@@ -4407,6 +4629,25 @@ __metadata:
   languageName: node
   linkType: hard
 
+"chokidar@npm:^3.5.2":
+  version: 3.6.0
+  resolution: "chokidar@npm:3.6.0"
+  dependencies:
+    anymatch: ~3.1.2
+    braces: ~3.0.2
+    fsevents: ~2.3.2
+    glob-parent: ~5.1.2
+    is-binary-path: ~2.1.0
+    is-glob: ~4.0.1
+    normalize-path: ~3.0.0
+    readdirp: ~3.6.0
+  dependenciesMeta:
+    fsevents:
+      optional: true
+  checksum: d2f29f499705dcd4f6f3bbed79a9ce2388cf530460122eed3b9c48efeab7a4e28739c6551fd15bec9245c6b9eeca7a32baa64694d64d9b6faeb74ddb8c4a413d
+  languageName: node
+  linkType: hard
+
 "chownr@npm:^2.0.0":
   version: 2.0.0
   resolution: "chownr@npm:2.0.0"
@@ -4750,6 +4991,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"content-disposition@npm:0.5.4":
+  version: 0.5.4
+  resolution: "content-disposition@npm:0.5.4"
+  dependencies:
+    safe-buffer: 5.2.1
+  checksum: afb9d545e296a5171d7574fcad634b2fdf698875f4006a9dd04a3e1333880c5c0c98d47b560d01216fb6505a54a2ba6a843ee3a02ec86d7e911e8315255f56c3
+  languageName: node
+  linkType: hard
+
+"content-type@npm:~1.0.4, content-type@npm:~1.0.5":
+  version: 1.0.5
+  resolution: "content-type@npm:1.0.5"
+  checksum: 566271e0a251642254cde0f845f9dd4f9856e52d988f4eb0d0dcffbb7a1f8ec98de7a5215fc628f3bce30fe2fb6fd2bc064b562d721658c59b544e2d34ea2766
+  languageName: node
+  linkType: hard
+
 "conventional-changelog-angular@npm:^5.0.12":
   version: 5.0.13
   resolution: "conventional-changelog-angular@npm:5.0.13"
@@ -4985,6 +5242,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"cookie-signature@npm:1.0.6":
+  version: 1.0.6
+  resolution: "cookie-signature@npm:1.0.6"
+  checksum: f4e1b0a98a27a0e6e66fd7ea4e4e9d8e038f624058371bf4499cfcd8f3980be9a121486995202ba3fca74fbed93a407d6d54d43a43f96fd28d0bd7a06761591a
+  languageName: node
+  linkType: hard
+
+"cookie@npm:0.5.0":
+  version: 0.5.0
+  resolution: "cookie@npm:0.5.0"
+  checksum: 1f4bd2ca5765f8c9689a7e8954183f5332139eb72b6ff783d8947032ec1fdf43109852c178e21a953a30c0dd42257828185be01b49d1eb1a67fd054ca588a180
+  languageName: node
+  linkType: hard
+
 "core-js-compat@npm:^3.31.0, core-js-compat@npm:^3.34.0":
   version: 3.36.0
   resolution: "core-js-compat@npm:3.36.0"
@@ -5162,7 +5433,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"debug@npm:4, debug@npm:^4.1.0, debug@npm:^4.1.1, debug@npm:^4.3.1, debug@npm:^4.3.2, debug@npm:^4.3.4":
+"debug@npm:4, debug@npm:^4, debug@npm:^4.1.0, debug@npm:^4.1.1, debug@npm:^4.3.1, debug@npm:^4.3.2, debug@npm:^4.3.4":
   version: 4.3.4
   resolution: "debug@npm:4.3.4"
   dependencies:
@@ -5476,6 +5747,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"dotenv@npm:*, dotenv@npm:^16.4.5":
+  version: 16.4.5
+  resolution: "dotenv@npm:16.4.5"
+  checksum: 301a12c3d44fd49888b74eb9ccf9f07a1f5df43f489e7fcb89647a2edcd84c42d6bc349dc8df099cd18f07c35c7b04685c1a4f3e6a6a9e6b30f8d48c15b7f49c
+  languageName: node
+  linkType: hard
+
 "eastasianwidth@npm:^0.2.0":
   version: 0.2.0
   resolution: "eastasianwidth@npm:0.2.0"
@@ -6208,6 +6486,45 @@ __metadata:
   languageName: node
   linkType: hard
 
+"express@npm:^4.18.3":
+  version: 4.18.3
+  resolution: "express@npm:4.18.3"
+  dependencies:
+    accepts: ~1.3.8
+    array-flatten: 1.1.1
+    body-parser: 1.20.2
+    content-disposition: 0.5.4
+    content-type: ~1.0.4
+    cookie: 0.5.0
+    cookie-signature: 1.0.6
+    debug: 2.6.9
+    depd: 2.0.0
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    etag: ~1.8.1
+    finalhandler: 1.2.0
+    fresh: 0.5.2
+    http-errors: 2.0.0
+    merge-descriptors: 1.0.1
+    methods: ~1.1.2
+    on-finished: 2.4.1
+    parseurl: ~1.3.3
+    path-to-regexp: 0.1.7
+    proxy-addr: ~2.0.7
+    qs: 6.11.0
+    range-parser: ~1.2.1
+    safe-buffer: 5.2.1
+    send: 0.18.0
+    serve-static: 1.15.0
+    setprototypeof: 1.2.0
+    statuses: 2.0.1
+    type-is: ~1.6.18
+    utils-merge: 1.0.1
+    vary: ~1.1.2
+  checksum: 3d7fc8762a81dee0adf0b604f11627db2af082c5f2234e78a4aa8134f22c51f96c6282063f2f8b87f5dbc70679a3087caccb93b6107e324c6feb3a70960a5864
+  languageName: node
+  linkType: hard
+
 "external-editor@npm:^3.0.3":
   version: 3.1.0
   resolution: "external-editor@npm:3.1.0"
@@ -6342,6 +6659,21 @@ __metadata:
   languageName: node
   linkType: hard
 
+"finalhandler@npm:1.2.0":
+  version: 1.2.0
+  resolution: "finalhandler@npm:1.2.0"
+  dependencies:
+    debug: 2.6.9
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    on-finished: 2.4.1
+    parseurl: ~1.3.3
+    statuses: 2.0.1
+    unpipe: ~1.0.0
+  checksum: 92effbfd32e22a7dff2994acedbd9bcc3aa646a3e919ea6a53238090e87097f8ef07cced90aa2cc421abdf993aefbdd5b00104d55c7c5479a8d00ed105b45716
+  languageName: node
+  linkType: hard
+
 "find-babel-config@npm:^2.0.0":
   version: 2.0.0
   resolution: "find-babel-config@npm:2.0.0"
@@ -6475,6 +6807,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"forwarded@npm:0.2.0":
+  version: 0.2.0
+  resolution: "forwarded@npm:0.2.0"
+  checksum: fd27e2394d8887ebd16a66ffc889dc983fbbd797d5d3f01087c020283c0f019a7d05ee85669383d8e0d216b116d720fc0cef2f6e9b7eb9f4c90c6e0bc7fd28e6
+  languageName: node
+  linkType: hard
+
 "fresh@npm:0.5.2":
   version: 0.5.2
   resolution: "fresh@npm:0.5.2"
@@ -6540,7 +6879,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fsevents@npm:^2.3.2":
+"fsevents@npm:^2.3.2, fsevents@npm:~2.3.2":
   version: 2.3.3
   resolution: "fsevents@npm:2.3.3"
   dependencies:
@@ -6550,7 +6889,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fsevents@patch:fsevents@^2.3.2#~builtin<compat/fsevents>":
+"fsevents@patch:fsevents@^2.3.2#~builtin<compat/fsevents>, fsevents@patch:fsevents@~2.3.2#~builtin<compat/fsevents>":
   version: 2.3.3
   resolution: "fsevents@patch:fsevents@npm%3A2.3.3#~builtin<compat/fsevents>::version=2.3.3&hash=df0bf1"
   dependencies:
@@ -6737,7 +7076,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"glob-parent@npm:^5.1.2":
+"glob-parent@npm:^5.1.2, glob-parent@npm:~5.1.2":
   version: 5.1.2
   resolution: "glob-parent@npm:5.1.2"
   dependencies:
@@ -6755,7 +7094,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"glob@npm:^10.2.2, glob@npm:^10.3.10":
+"glob@npm:^10.2.2, glob@npm:^10.3.10, glob@npm:^10.3.7":
   version: 10.3.10
   resolution: "glob@npm:10.3.10"
   dependencies:
@@ -7158,7 +7497,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"iconv-lite@npm:^0.4.24":
+"iconv-lite@npm:0.4.24, iconv-lite@npm:^0.4.24":
   version: 0.4.24
   resolution: "iconv-lite@npm:0.4.24"
   dependencies:
@@ -7183,6 +7522,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"ignore-by-default@npm:^1.0.1":
+  version: 1.0.1
+  resolution: "ignore-by-default@npm:1.0.1"
+  checksum: 441509147b3615e0365e407a3c18e189f78c07af08564176c680be1fabc94b6c789cad1342ad887175d4ecd5225de86f73d376cec8e06b42fd9b429505ffcf8a
+  languageName: node
+  linkType: hard
+
 "ignore@npm:^5.0.5, ignore@npm:^5.2.0, ignore@npm:^5.2.4":
   version: 5.3.1
   resolution: "ignore@npm:5.3.1"
@@ -7359,6 +7705,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"ipaddr.js@npm:1.9.1":
+  version: 1.9.1
+  resolution: "ipaddr.js@npm:1.9.1"
+  checksum: f88d3825981486f5a1942414c8d77dd6674dd71c065adcfa46f578d677edcb99fda25af42675cb59db492fdf427b34a5abfcde3982da11a8fd83a500b41cfe77
+  languageName: node
+  linkType: hard
+
 "is-absolute@npm:^1.0.0":
   version: 1.0.0
   resolution: "is-absolute@npm:1.0.0"
@@ -7414,6 +7767,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"is-binary-path@npm:~2.1.0":
+  version: 2.1.0
+  resolution: "is-binary-path@npm:2.1.0"
+  dependencies:
+    binary-extensions: ^2.0.0
+  checksum: 84192eb88cff70d320426f35ecd63c3d6d495da9d805b19bc65b518984b7c0760280e57dbf119b7e9be6b161784a5a673ab2c6abe83abb5198a432232ad5b35c
+  languageName: node
+  linkType: hard
+
 "is-boolean-object@npm:^1.1.0":
   version: 1.1.2
   resolution: "is-boolean-object@npm:1.1.2"
@@ -7551,7 +7913,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"is-glob@npm:^4.0.0, is-glob@npm:^4.0.1, is-glob@npm:^4.0.3":
+"is-glob@npm:^4.0.0, is-glob@npm:^4.0.1, is-glob@npm:^4.0.3, is-glob@npm:~4.0.1":
   version: 4.0.3
   resolution: "is-glob@npm:4.0.3"
   dependencies:
@@ -9111,6 +9473,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"media-typer@npm:0.3.0":
+  version: 0.3.0
+  resolution: "media-typer@npm:0.3.0"
+  checksum: af1b38516c28ec95d6b0826f6c8f276c58aec391f76be42aa07646b4e39d317723e869700933ca6995b056db4b09a78c92d5440dc23657e6764be5d28874bba1
+  languageName: node
+  linkType: hard
+
 "memoize-one@npm:^5.0.0":
   version: 5.2.1
   resolution: "memoize-one@npm:5.2.1"
@@ -9157,6 +9526,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"merge-descriptors@npm:1.0.1":
+  version: 1.0.1
+  resolution: "merge-descriptors@npm:1.0.1"
+  checksum: 5abc259d2ae25bb06d19ce2b94a21632583c74e2a9109ee1ba7fd147aa7362b380d971e0251069f8b3eb7d48c21ac839e21fa177b335e82c76ec172e30c31a26
+  languageName: node
+  linkType: hard
+
 "merge-stream@npm:^2.0.0":
   version: 2.0.0
   resolution: "merge-stream@npm:2.0.0"
@@ -9171,6 +9547,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"methods@npm:~1.1.2":
+  version: 1.1.2
+  resolution: "methods@npm:1.1.2"
+  checksum: 0917ff4041fa8e2f2fda5425a955fe16ca411591fbd123c0d722fcf02b73971ed6f764d85f0a6f547ce49ee0221ce2c19a5fa692157931cecb422984f1dcd13a
+  languageName: node
+  linkType: hard
+
 "metro-babel-transformer@npm:0.80.6":
   version: 0.80.6
   resolution: "metro-babel-transformer@npm:0.80.6"
@@ -9406,7 +9789,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"mime-types@npm:2.1.35, mime-types@npm:^2.1.27, mime-types@npm:~2.1.34":
+"mime-types@npm:2.1.35, mime-types@npm:^2.1.27, mime-types@npm:~2.1.24, mime-types@npm:~2.1.34":
   version: 2.1.35
   resolution: "mime-types@npm:2.1.35"
   dependencies:
@@ -9792,6 +10175,33 @@ __metadata:
   languageName: node
   linkType: hard
 
+"nodemon@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "nodemon@npm:3.1.0"
+  dependencies:
+    chokidar: ^3.5.2
+    debug: ^4
+    ignore-by-default: ^1.0.1
+    minimatch: ^3.1.2
+    pstree.remy: ^1.1.8
+    semver: ^7.5.3
+    simple-update-notifier: ^2.0.0
+    supports-color: ^5.5.0
+    touch: ^3.1.0
+    undefsafe: ^2.0.5
+  bin:
+    nodemon: bin/nodemon.js
+  checksum: 0b721f66ee60d9bf092f6101965bc65769698fa2921d0283d90bbf3f0906aa4f3ac77316682375bd7f09c91679fddb131aa39f9fc839fea57061bbc8e81b60e3
+  languageName: node
+  linkType: hard
+
+"nofilter@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "nofilter@npm:3.1.0"
+  checksum: 58aa85a5b4b35cbb6e42de8a8591c5e338061edc9f3e7286f2c335e9e9b9b8fa7c335ae45daa8a1f3433164dc0b9a3d187fa96f9516e04a17a1f9ce722becc4f
+  languageName: node
+  linkType: hard
+
 "nopt@npm:^7.0.0":
   version: 7.2.0
   resolution: "nopt@npm:7.2.0"
@@ -9803,6 +10213,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"nopt@npm:~1.0.10":
+  version: 1.0.10
+  resolution: "nopt@npm:1.0.10"
+  dependencies:
+    abbrev: 1
+  bin:
+    nopt: ./bin/nopt.js
+  checksum: f62575aceaa3be43f365bf37a596b89bbac2e796b001b6d2e2a85c2140a4e378ff919e2753ccba959c4fd344776fc88c29b393bc167fa939fb1513f126f4cd45
+  languageName: node
+  linkType: hard
+
 "normalize-package-data@npm:^2.3.2, normalize-package-data@npm:^2.5.0":
   version: 2.5.0
   resolution: "normalize-package-data@npm:2.5.0"
@@ -9827,7 +10248,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"normalize-path@npm:^3.0.0":
+"normalize-path@npm:^3.0.0, normalize-path@npm:~3.0.0":
   version: 3.0.0
   resolution: "normalize-path@npm:3.0.0"
   checksum: 88eeb4da891e10b1318c4b2476b6e2ecbeb5ff97d946815ffea7794c31a89017c70d7f34b3c2ebf23ef4e9fc9fb99f7dffe36da22011b5b5c6ffa34f4873ec20
@@ -10359,6 +10780,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"path-to-regexp@npm:0.1.7":
+  version: 0.1.7
+  resolution: "path-to-regexp@npm:0.1.7"
+  checksum: 69a14ea24db543e8b0f4353305c5eac6907917031340e5a8b37df688e52accd09e3cebfe1660b70d76b6bd89152f52183f28c74813dbf454ba1a01c82a38abce
+  languageName: node
+  linkType: hard
+
 "path-type@npm:^3.0.0":
   version: 3.0.0
   resolution: "path-type@npm:3.0.0"
@@ -10382,7 +10810,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"picomatch@npm:^2.0.4, picomatch@npm:^2.2.3, picomatch@npm:^2.3.1":
+"picomatch@npm:^2.0.4, picomatch@npm:^2.2.1, picomatch@npm:^2.2.3, picomatch@npm:^2.3.1":
   version: 2.3.1
   resolution: "picomatch@npm:2.3.1"
   checksum: 050c865ce81119c4822c45d3c84f1ced46f93a0126febae20737bd05ca20589c564d6e9226977df859ed5e03dc73f02584a2b0faad36e896936238238b0446cf
@@ -10444,6 +10872,19 @@ __metadata:
   languageName: node
   linkType: hard
 
+"pkijs@npm:^3.0.15":
+  version: 3.0.15
+  resolution: "pkijs@npm:3.0.15"
+  dependencies:
+    asn1js: ^3.0.5
+    bytestreamjs: ^2.0.0
+    pvtsutils: ^1.3.2
+    pvutils: ^1.1.3
+    tslib: ^2.4.0
+  checksum: b9db0d98585bc0fc6f56d5cccf2df4a9f110e6abeb3fbabd2e412dc73d1dde318b360f7d7149fca26ad728d8a358827a9b97e06524e76e11e2a45e9cc9e9deaa
+  languageName: node
+  linkType: hard
+
 "possible-typed-array-names@npm:^1.0.0":
   version: 1.0.0
   resolution: "possible-typed-array-names@npm:1.0.0"
@@ -10588,6 +11029,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"proxy-addr@npm:~2.0.7":
+  version: 2.0.7
+  resolution: "proxy-addr@npm:2.0.7"
+  dependencies:
+    forwarded: 0.2.0
+    ipaddr.js: 1.9.1
+  checksum: 29c6990ce9364648255454842f06f8c46fcd124d3e6d7c5066df44662de63cdc0bad032e9bf5a3d653ff72141cc7b6019873d685708ac8210c30458ad99f2b74
+  languageName: node
+  linkType: hard
+
 "proxy-agent@npm:6.2.1":
   version: 6.2.1
   resolution: "proxy-agent@npm:6.2.1"
@@ -10611,6 +11062,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"pstree.remy@npm:^1.1.8":
+  version: 1.1.8
+  resolution: "pstree.remy@npm:1.1.8"
+  checksum: 5cb53698d6bb34dfb278c8a26957964aecfff3e161af5fbf7cee00bbe9d8547c7aced4bd9cb193bce15fb56e9e4220fc02a5bf9c14345ffb13a36b858701ec2d
+  languageName: node
+  linkType: hard
+
 "pump@npm:^3.0.0":
   version: 3.0.0
   resolution: "pump@npm:3.0.0"
@@ -10644,6 +11102,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"pvtsutils@npm:^1.3.2":
+  version: 1.3.5
+  resolution: "pvtsutils@npm:1.3.5"
+  dependencies:
+    tslib: ^2.6.1
+  checksum: e734516b3cb26086c18bd9c012fefe818928a5073178842ab7e62885a090f1dd7bda9c7bb8cd317167502cb8ec86c0b1b0ccd71dac7ab469382a4518157b0d12
+  languageName: node
+  linkType: hard
+
+"pvutils@npm:^1.1.3":
+  version: 1.1.3
+  resolution: "pvutils@npm:1.1.3"
+  checksum: 2ee26a9e5176c348977d6ec00d8ee80bff62f51743b1c5fe8abeeb4c5d29d9959cdfe0ce146707a9e6801bce88190fed3002d720b072dc87d031c692820b44c9
+  languageName: node
+  linkType: hard
+
 "q@npm:^1.5.1":
   version: 1.5.1
   resolution: "q@npm:1.5.1"
@@ -10651,6 +11125,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"qs@npm:6.11.0":
+  version: 6.11.0
+  resolution: "qs@npm:6.11.0"
+  dependencies:
+    side-channel: ^1.0.4
+  checksum: 6e1f29dd5385f7488ec74ac7b6c92f4d09a90408882d0c208414a34dd33badc1a621019d4c799a3df15ab9b1d0292f97c1dd71dc7c045e69f81a8064e5af7297
+  languageName: node
+  linkType: hard
+
 "queue-microtask@npm:^1.2.2":
   version: 1.2.3
   resolution: "queue-microtask@npm:1.2.3"
@@ -10688,6 +11171,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"raw-body@npm:2.5.2":
+  version: 2.5.2
+  resolution: "raw-body@npm:2.5.2"
+  dependencies:
+    bytes: 3.1.2
+    http-errors: 2.0.0
+    iconv-lite: 0.4.24
+    unpipe: 1.0.0
+  checksum: ba1583c8d8a48e8fbb7a873fdbb2df66ea4ff83775421bfe21ee120140949ab048200668c47d9ae3880012f6e217052690628cf679ddfbd82c9fc9358d574676
+  languageName: node
+  linkType: hard
+
 "rc@npm:1.2.8":
   version: 1.2.8
   resolution: "rc@npm:1.2.8"
@@ -10762,6 +11257,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"react-native-dotenv@npm:^3.4.11":
+  version: 3.4.11
+  resolution: "react-native-dotenv@npm:3.4.11"
+  dependencies:
+    dotenv: ^16.4.5
+  peerDependencies:
+    "@babel/runtime": ^7.20.6
+  checksum: 3ebac2c2ed79dd7e4920fd3fc2da9187413b7190231618e4858b46c47833677838b96d531afe7bd5c4b0a60454dba40cb8708722210df5d522e30aefbf41da05
+  languageName: node
+  linkType: hard
+
 "react-native-sha256@npm:^1.4.10":
   version: 1.4.10
   resolution: "react-native-sha256@npm:1.4.10"
@@ -10940,6 +11446,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"readdirp@npm:~3.6.0":
+  version: 3.6.0
+  resolution: "readdirp@npm:3.6.0"
+  dependencies:
+    picomatch: ^2.2.1
+  checksum: 1ced032e6e45670b6d7352d71d21ce7edf7b9b928494dcaba6f11fba63180d9da6cd7061ebc34175ffda6ff529f481818c962952004d273178acd70f7059b320
+  languageName: node
+  linkType: hard
+
 "readline@npm:^1.3.0":
   version: 1.3.0
   resolution: "readline@npm:1.3.0"
@@ -11328,6 +11843,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"rimraf@npm:^5.0.5":
+  version: 5.0.5
+  resolution: "rimraf@npm:5.0.5"
+  dependencies:
+    glob: ^10.3.7
+  bin:
+    rimraf: dist/esm/bin.mjs
+  checksum: d66eef829b2e23b16445f34e73d75c7b7cf4cbc8834b04720def1c8f298eb0753c3d76df77325fad79d0a2c60470525d95f89c2475283ad985fd7441c32732d1
+  languageName: node
+  linkType: hard
+
 "rimraf@npm:~2.6.2":
   version: 2.6.3
   resolution: "rimraf@npm:2.6.3"
@@ -11392,7 +11918,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"safe-buffer@npm:~5.2.0":
+"safe-buffer@npm:5.2.1, safe-buffer@npm:~5.2.0":
   version: 5.2.1
   resolution: "safe-buffer@npm:5.2.1"
   checksum: b99c4b41fdd67a6aaf280fcd05e9ffb0813654894223afb78a31f14a19ad220bba8aba1cb14eddce1fcfb037155fe6de4e861784eb434f7d11ed58d1e70dd491
@@ -11525,7 +12051,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"serve-static@npm:^1.13.1":
+"serve-static@npm:1.15.0, serve-static@npm:^1.13.1":
   version: 1.15.0
   resolution: "serve-static@npm:1.15.0"
   dependencies:
@@ -11648,6 +12174,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"simple-update-notifier@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "simple-update-notifier@npm:2.0.0"
+  dependencies:
+    semver: ^7.5.3
+  checksum: 9ba00d38ce6a29682f64a46213834e4eb01634c2f52c813a9a7b8873ca49cdbb703696f3290f3b27dc067de6d9418b0b84bef22c3eb074acf352529b2d6c27fd
+  languageName: node
+  linkType: hard
+
 "sisteransi@npm:^1.0.5":
   version: 1.0.5
   resolution: "sisteransi@npm:1.0.5"
@@ -12089,7 +12624,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"supports-color@npm:^5.3.0":
+"supports-color@npm:^5.3.0, supports-color@npm:^5.5.0":
   version: 5.5.0
   resolution: "supports-color@npm:5.5.0"
   dependencies:
@@ -12281,6 +12816,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"touch@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "touch@npm:3.1.0"
+  dependencies:
+    nopt: ~1.0.10
+  bin:
+    nodetouch: ./bin/nodetouch.js
+  checksum: e0be589cb5b0e6dbfce6e7e077d4a0d5f0aba558ef769c6d9c33f635e00d73d5be49da6f8631db302ee073919d82b5b7f56da2987feb28765c95a7673af68647
+  languageName: node
+  linkType: hard
+
 "tr46@npm:~0.0.3":
   version: 0.0.3
   resolution: "tr46@npm:0.0.3"
@@ -12302,7 +12848,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ts-node@npm:^10.8.1":
+"ts-node@npm:^10.8.1, ts-node@npm:^10.9.2":
   version: 10.9.2
   resolution: "ts-node@npm:10.9.2"
   dependencies:
@@ -12347,7 +12893,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tslib@npm:^2.0.1, tslib@npm:^2.1.0, tslib@npm:^2.6.2":
+"tslib@npm:^2.0.1, tslib@npm:^2.1.0, tslib@npm:^2.4.0, tslib@npm:^2.6.1, tslib@npm:^2.6.2":
   version: 2.6.2
   resolution: "tslib@npm:2.6.2"
   checksum: 329ea56123005922f39642318e3d1f0f8265d1e7fcb92c633e0809521da75eeaca28d2cf96d7248229deb40e5c19adf408259f4b9640afd20d13aecc1430f3ad
@@ -12517,6 +13063,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"type-is@npm:~1.6.18":
+  version: 1.6.18
+  resolution: "type-is@npm:1.6.18"
+  dependencies:
+    media-typer: 0.3.0
+    mime-types: ~2.1.24
+  checksum: 2c8e47675d55f8b4e404bcf529abdf5036c537a04c2b20177bcf78c9e3c1da69da3942b1346e6edb09e823228c0ee656ef0e033765ec39a70d496ef601a0c657
+  languageName: node
+  linkType: hard
+
 "typed-array-buffer@npm:^1.0.1":
   version: 1.0.2
   resolution: "typed-array-buffer@npm:1.0.2"
@@ -12595,6 +13151,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"typescript@npm:^5.4.2":
+  version: 5.4.2
+  resolution: "typescript@npm:5.4.2"
+  bin:
+    tsc: bin/tsc
+    tsserver: bin/tsserver
+  checksum: 96d80fde25a09bcb04d399082fb27a808a9e17c2111e43849d2aafbd642d835e4f4ef0de09b0ba795ec2a700be6c4c2c3f62bf4660c05404c948727b5bbfb32a
+  languageName: node
+  linkType: hard
+
 "typescript@patch:typescript@^4.6.4 || ^5.2.2#~builtin<compat/typescript>, typescript@patch:typescript@^5.2.2#~builtin<compat/typescript>":
   version: 5.3.3
   resolution: "typescript@patch:typescript@npm%3A5.3.3#~builtin<compat/typescript>::version=5.3.3&hash=14eedb"
@@ -12605,6 +13171,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"typescript@patch:typescript@^5.4.2#~builtin<compat/typescript>":
+  version: 5.4.2
+  resolution: "typescript@patch:typescript@npm%3A5.4.2#~builtin<compat/typescript>::version=5.4.2&hash=14eedb"
+  bin:
+    tsc: bin/tsc
+    tsserver: bin/tsserver
+  checksum: c1b669146bca5529873aae60870e243fa8140c85f57ca32c42f898f586d73ce4a6b4f6bb02ae312729e214d7f5859a0c70da3e527a116fdf5ad00c9fc733ecc6
+  languageName: node
+  linkType: hard
+
 "uglify-js@npm:^3.1.4":
   version: 3.17.4
   resolution: "uglify-js@npm:3.17.4"
@@ -12633,6 +13209,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"undefsafe@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "undefsafe@npm:2.0.5"
+  checksum: f42ab3b5770fedd4ada175fc1b2eb775b78f609156f7c389106aafd231bfc210813ee49f54483d7191d7b76e483bc7f537b5d92d19ded27156baf57592eb02cc
+  languageName: node
+  linkType: hard
+
 "undici-types@npm:~5.26.4":
   version: 5.26.5
   resolution: "undici-types@npm:5.26.5"
@@ -12719,7 +13302,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"unpipe@npm:~1.0.0":
+"unpipe@npm:1.0.0, unpipe@npm:~1.0.0":
   version: 1.0.0
   resolution: "unpipe@npm:1.0.0"
   checksum: 4fa18d8d8d977c55cb09715385c203197105e10a6d220087ec819f50cb68870f02942244f1017565484237f1f8c5d3cd413631b1ae104d3096f24fdfde1b4aa2
@@ -12799,6 +13382,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"uuid@npm:^9.0.1":
+  version: 9.0.1
+  resolution: "uuid@npm:9.0.1"
+  bin:
+    uuid: dist/bin/uuid
+  checksum: 39931f6da74e307f51c0fb463dc2462807531dc80760a9bff1e35af4316131b4fc3203d16da60ae33f07fdca5b56f3f1dd662da0c99fea9aaeab2004780cc5f4
+  languageName: node
+  linkType: hard
+
 "v8-compile-cache-lib@npm:^3.0.1":
   version: 3.0.1
   resolution: "v8-compile-cache-lib@npm:3.0.1"

From 9471271fa7ae62d04bb2d8ecd72ed6b1843cfd92 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Sun, 10 Mar 2024 18:41:21 +0100
Subject: [PATCH 34/64] chore: update

---
 backend/package.json |  5 ++---
 backend/src/index.ts | 27 +++++++++++++++++++++------
 2 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/backend/package.json b/backend/package.json
index ae18bc3..0c1cfe2 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -4,10 +4,9 @@
   "description": "",
   "main": "index.js",
   "scripts": {
-    "start:dev": "npx nodemon",
+    "start": "npx nodemon",
     "test": "echo \"Error: no test specified\" && exit 1",
-    "build": "rimraf ./build && tsc",
-    "start": "npm run build && node build/index.js"
+    "build": "rimraf ./build && tsc"
   },
   "keywords": [],
   "author": "",
diff --git a/backend/src/index.ts b/backend/src/index.ts
index 03ced41..35688f3 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -17,11 +17,23 @@ let attestation: any = null;
 const BUNDLE_IDENTIFIER = process.env.BUNDLE_IDENTIFIER || '';
 const TEAM_IDENTIFIER = process.env.TEAM_IDENTIFIER || '';
 
+/**
+ * This endpoint is used to get the nonce for the attestation process.
+ * The nonce is a random string that is used to prevent replay attacks.
+ * The nonce is generated on the server and sent to the client.
+ * The client then sends the nonce back to the server as part of the attestation process.
+ */
 app.get('/attest/nonce', (_, res) => {
   console.debug(`challange was requested, returning ${nonce}`);
   res.send(JSON.stringify({ nonce }));
 });
 
+/**
+ * This endpoint is used to verify the attestation.
+ * The client sends the attestation and the challenge back to the server.
+ * The server then verifies the attestation and stores the public key for later use.
+ * The server also stores the keyId and the signCount.
+ */
 app.post(`/attest/verify`, (req, res) => {
   try {
     console.debug(`verify was requested: ${JSON.stringify(req.body, null, 2)}`);
@@ -42,16 +54,21 @@ app.post(`/attest/verify`, (req, res) => {
     attestation = {
       keyId: req.body.hardwareKeyTag,
       publicKey: result.publicKey,
-      signCount: 0,
+      signCount: 0, // is this be set incrementally?
     };
 
-    res.json({ result: 'ok' });
+    res.json({ result });
   } catch (error) {
     console.error(error);
     res.status(401).send({ error: 'Unauthorized' });
   }
 });
-
+/**
+ * This endpoint is used to verify the assertion.
+ * The client sends the assertion and the challenge back to the server.
+ * The server then verifies the assertion using the stored public key.
+ * The server also verifies the signCount and stores the new signCount.
+ */
 app.post(`/assertion/verify`, (req, res) => {
   try {
     const { hardwareKeyTag, assertion } = req.body;
@@ -68,7 +85,6 @@ app.post(`/assertion/verify`, (req, res) => {
       throw new Error('No attestation found');
     }
 
-    console.log(req.body.payload);
     const result = verifyAssertion({
       assertion: assertion,
       payload: req.body.payload,
@@ -78,10 +94,9 @@ app.post(`/assertion/verify`, (req, res) => {
       signCount: attestation.signCount,
     });
 
-    console.log(result);
     console.debug(`Received message: ${JSON.stringify(req.body)}`);
 
-    res.send({ result: 'ok' });
+    res.send({ result });
   } catch (error) {
     console.error(error);
     res.status(401).send({ error: 'Unauthorized' });

From 88203731eb6253b1d5633559c2eadb4cdfe6852e Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Thu, 14 Mar 2024 09:14:54 +0100
Subject: [PATCH 35/64] fix: syntax

---
 backend/.env.local | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/.env.local b/backend/.env.local
index 8aef389..2d1cb3e 100644
--- a/backend/.env.local
+++ b/backend/.env.local
@@ -1,3 +1,3 @@
 PORT =
-BUNDLE_IDENTIFIER = '';
-TEAM_IDENTIFIER = '';
+BUNDLE_IDENTIFIER = ''
+TEAM_IDENTIFIER = ''

From 679530852d64e5d1f50c5caa82d411210779828e Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Thu, 14 Mar 2024 09:21:06 +0100
Subject: [PATCH 36/64] chore: update

---
 backend/README.md | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/backend/README.md b/backend/README.md
index 0519ecb..ba65823 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -1 +1,33 @@
- 
\ No newline at end of file
+# Getting Started
+
+### This is a dev server to test integrity check integration with the example app adding verification steps.
+
+## NodeJS
+
+To run the project you need to install the correct version of NodeJS.
+We recommend the use of a virtual environment of your choice. For ease of use, this guide adopts [nodenv](https://github.com/nodenv/nodenv) for NodeJS, [rbenv](https://github.com/rbenv/rbenv) for Ruby.
+
+The node version used in this project is stored in [.node-version](.node-version),
+while the version of Ruby is stored in [.ruby-version](.ruby-version).
+
+## Build the app
+
+```bash
+# Install NodeJS with nodenv, the returned version should match the one in the .node-version file
+$ nodenv install && nodenv version
+
+# Install yarn and rehash to install shims
+$ npm install -g yarn && nodenv rehash
+
+# Install dependencies
+# Run this only during the first setup and when JS dependencies change
+$ yarn install
+```
+
+## Run the app
+
+```bash
+# First edit .env to add a BACKEND_ADDRESS (is required to use real local ip address instead localhost)
+$ cp .env.local env.local
+$ yarn start
+```

From f85fad7d0af6d38cd9871a9252b4d6d2fa694e74 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Thu, 14 Mar 2024 09:23:37 +0100
Subject: [PATCH 37/64] chore: update

---
 backend/src/index.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/backend/src/index.ts b/backend/src/index.ts
index 35688f3..7f17e22 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -12,8 +12,13 @@ app.use(bodyParser.urlencoded({ extended: false }));
 
 const port = process.env.PORT || 3000;
 const nonce = uuid();
+
+// Please note that this is a simple example and the attestation should be stored in a secure way.
+// Every time the server restarts, the attestation is lost. Every time the app verify the attestation
+// this value be overwritten. This is just a simple example.
 let attestation: any = null;
 
+// The bundle identifier and team identifier are used to verify the attestation and assertion.
 const BUNDLE_IDENTIFIER = process.env.BUNDLE_IDENTIFIER || '';
 const TEAM_IDENTIFIER = process.env.TEAM_IDENTIFIER || '';
 

From 557deff77a69bfbda499a8767afb7578d7e0d51e Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Mon, 18 Mar 2024 17:51:42 +0100
Subject: [PATCH 38/64] chore: update

---
 example/src/IosApp.tsx | 127 +++++++++++++++++++++++++++++------------
 1 file changed, 90 insertions(+), 37 deletions(-)

diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
index e9b2fdb..7b6ce68 100644
--- a/example/src/IosApp.tsx
+++ b/example/src/IosApp.tsx
@@ -1,5 +1,4 @@
 import * as React from 'react';
-import { sha256 } from 'react-native-sha256';
 import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
 import {
   generateHardwareKey,
@@ -8,15 +7,27 @@ import {
   generateHardwareSignatureWithAssertion,
   type IntegrityError,
 } from '@pagopa/io-react-native-integrity';
+import { BACKEND_ADDRESS } from '@env';
 import ButtonWithLoader from './components/ButtonWithLoader';
 
-const challenge = 'challengeFromServer';
+// this is a mocked jwk for ephimeral public key, in a production
+// environment the ephimeral key must be generated by the client
+// every time a WTE must be required
+const jwk = {
+  crv: 'P-256',
+  kty: 'EC',
+  x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
+  y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
+  kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
+};
 
-export default function IosApp() {
+export default function App() {
+  const [challenge, setChallenge] = React.useState<string>('');
   const [hardwareKeyTag, setHardwareKeyTag] = React.useState<
     string | undefined
   >('');
   const [attestation, setAttestation] = React.useState<string | undefined>('');
+  const [assertion, setAssertion] = React.useState<string | undefined>('');
   const [hsWithAssertion, setHsWithAssertion] = React.useState<
     string | undefined
   >('');
@@ -45,45 +56,88 @@ export default function IosApp() {
     }
   };
 
+  const getChallengeFromServer = async () => {
+    // contact server run on local at port 3000 to get
+    // the challenge to be used for the attestation
+    try {
+      const response = await fetch(`${BACKEND_ADDRESS}/attest/nonce`);
+      const result = await response.json();
+      console.log(result);
+      return result.nonce;
+    } catch (error) {
+      console.error(error);
+      return '';
+    }
+  };
+
   const requestAttestation = async () => {
     setAttestation(undefined);
     if (hardwareKeyTag) {
-      const result = await getAttestation(challenge, hardwareKeyTag);
+      // get challenge from server
+      const nonce = await getChallengeFromServer();
+      setChallenge(nonce);
+      const result = await getAttestation(nonce, hardwareKeyTag);
       setAttestation(result);
       setDebugLog(result);
     }
   };
 
-  const getHardwareSignatureWithAssertion = async () => {
-    // this is a mocked jwk for ephimeral public key, in a production
-    // environment the ephimeral key must be generated by the client
-    // every time a WTE must be required
-    const jwk = {
-      crv: 'P-256',
-      kty: 'EC',
-      x: '4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44',
-      y: 'LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg',
-      kid: 'vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c',
-    };
+  const verifyAttestation = async () => {
+    // verify attestation on the server with POST
+    // and body of challenge, attestation and keyId
+    const result = await fetch(`${BACKEND_ADDRESS}/attest/verify`, {
+      method: 'POST',
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        challenge: challenge,
+        attestation: attestation,
+        hardwareKeyTag: hardwareKeyTag,
+      }),
+    });
+    const response = await result.json();
+    setDebugLog(JSON.stringify(response));
+  };
+
+  const verifyAssertion = async () => {
+    // verify attestation on the server with POST
+    // and body of challenge, attestation and keyId
+    const result = await fetch(`${BACKEND_ADDRESS}/assertion/verify`, {
+      method: 'POST',
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        challenge: challenge,
+        assertion: assertion,
+        hardwareKeyTag: hardwareKeyTag,
+        payload: JSON.stringify({ challenge: challenge, jwk: jwk }),
+      }),
+    });
+    const response = await result.json();
+    setDebugLog(JSON.stringify(response));
+  };
 
+  const getHardwareSignatureWithAssertion = async () => {
     const clientData = {
       challenge: challenge,
       jwk: jwk,
     };
-
     // Between Android and iOS there is a difference for the generation of hardwareSignature
     // and assertion as on iOS both are generated directly from the SDK via generateAssertion
     // while on Android the hardwareSignature must be generated via the signature functions and
     // the assertion must be retrieved from the backend via an integrityToken.
     if (hardwareKeyTag) {
-      const clientDataHash = await sha256(JSON.stringify(clientData));
-
       const result = await generateHardwareSignatureWithAssertion(
-        clientDataHash,
+        JSON.stringify(clientData),
         hardwareKeyTag
       );
       setHsWithAssertion(result);
       setDebugLog(result);
+      setAssertion(result);
     }
   };
 
@@ -107,10 +161,18 @@ export default function IosApp() {
             onPress={() => getHardwareSignatureWithAssertion()}
             loading={hsWithAssertion === undefined}
           />
+          <ButtonWithLoader
+            title="VerifyAttestation"
+            onPress={() => verifyAttestation()}
+            loading={false}
+          />
+          <ButtonWithLoader
+            title="VerifyAssertion"
+            onPress={() => verifyAssertion()}
+            loading={false}
+          />
         </>
-      ) : (
-        <Text style={styles.h2}>{'Attestation Service is not available'}</Text>
-      )}
+      ) : null}
       <ScrollView style={styles.debug}>
         <Text>{debugLog}</Text>
       </ScrollView>
@@ -121,27 +183,18 @@ export default function IosApp() {
 const styles = StyleSheet.create({
   container: {
     flex: 1,
+    backgroundColor: '#fff',
     alignItems: 'center',
+    justifyContent: 'center',
   },
   h1: {
+    fontSize: 20,
     fontWeight: 'bold',
-    fontSize: 32,
-    textAlign: 'center',
-    marginTop: 50,
-    marginBottom: 50,
-  },
-  h2: {
-    fontWeight: 'bold',
-    fontSize: 14,
-    textAlign: 'center',
-    marginTop: 50,
-    marginBottom: 50,
+    margin: 20,
   },
   debug: {
+    flex: 1,
     width: '100%',
-    height: 300,
-    position: 'absolute',
-    bottom: 0,
-    backgroundColor: '#eaeaea',
+    padding: 20,
   },
 });

From 1bcf66efdac5246422928ccd9082343794513939 Mon Sep 17 00:00:00 2001
From: Mario Perrotta <mario.perrotta@pagopa.it>
Date: Tue, 19 Mar 2024 13:14:16 +0100
Subject: [PATCH 39/64] chore: update

---
 backend/src/index.ts   | 2 +-
 example/src/IosApp.tsx | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/backend/src/index.ts b/backend/src/index.ts
index 7f17e22..65f617d 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -109,5 +109,5 @@ app.post(`/assertion/verify`, (req, res) => {
 });
 
 app.listen(port, () => {
-  console.log(`[server]: Server is running at http://localhost:3000`);
+  console.log(`[server]: Server is running at http://localhost:${port}`);
 });
diff --git a/example/src/IosApp.tsx b/example/src/IosApp.tsx
index 7b6ce68..972dc46 100644
--- a/example/src/IosApp.tsx
+++ b/example/src/IosApp.tsx
@@ -174,7 +174,7 @@ export default function App() {
         </>
       ) : null}
       <ScrollView style={styles.debug}>
-        <Text>{debugLog}</Text>
+        <Text style={styles.h2}>{debugLog}</Text>
       </ScrollView>
     </SafeAreaView>
   );
@@ -192,6 +192,11 @@ const styles = StyleSheet.create({
     fontWeight: 'bold',
     margin: 20,
   },
+  h2: {
+    fontSize: 18,
+    fontWeight: 'bold',
+    margin: 10,
+  },
   debug: {
     flex: 1,
     width: '100%',

From f9bb2ad5002f261d0ab93c345c5799fa20b59f54 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Wed, 20 Mar 2024 17:51:10 +0100
Subject: [PATCH 40/64] feat: add verification backend

---
 backend/.env.local                      |   4 +
 backend/.node-version                   |   1 +
 backend/README.md                       |  25 +++-
 backend/package.json                    |   1 +
 backend/src/android/androidIntegrity.ts |  33 +++++
 backend/src/android/androidRouter.ts    |  49 +++++++
 backend/src/index.ts                    |   6 +
 example/.env.local                      |   5 +-
 example/env.d.ts                        |   1 +
 example/src/AndroidApp.tsx              |  65 ++++++---
 yarn.lock                               | 167 +++++++++++++++++++++++-
 11 files changed, 331 insertions(+), 26 deletions(-)
 create mode 100644 backend/.node-version
 create mode 100644 backend/src/android/androidIntegrity.ts
 create mode 100644 backend/src/android/androidRouter.ts

diff --git a/backend/.env.local b/backend/.env.local
index 2d1cb3e..636c57d 100644
--- a/backend/.env.local
+++ b/backend/.env.local
@@ -1,3 +1,7 @@
 PORT =
 BUNDLE_IDENTIFIER = ''
 TEAM_IDENTIFIER = ''
+
+# Android
+GOOGLE_APPLICATION_CREDENTIALS = ''
+ANDROID_BUNDLE_IDENTIFIER = 'com.pagopa.ioreactnativeintegrity'
diff --git a/backend/.node-version b/backend/.node-version
new file mode 100644
index 0000000..34bfa5c
--- /dev/null
+++ b/backend/.node-version
@@ -0,0 +1 @@
+18.19.1
\ No newline at end of file
diff --git a/backend/README.md b/backend/README.md
index ba65823..18e052c 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -5,10 +5,8 @@
 ## NodeJS
 
 To run the project you need to install the correct version of NodeJS.
-We recommend the use of a virtual environment of your choice. For ease of use, this guide adopts [nodenv](https://github.com/nodenv/nodenv) for NodeJS, [rbenv](https://github.com/rbenv/rbenv) for Ruby.
-
-The node version used in this project is stored in [.node-version](.node-version),
-while the version of Ruby is stored in [.ruby-version](.ruby-version).
+We recommend the use of a virtual environment of your choice. For ease of use, this guide adopts [nodenv](https://github.com/nodenv/nodenv) for NodeJS.
+The node version used in this project is stored in [.node-version](.node-version).
 
 ## Build the app
 
@@ -24,10 +22,25 @@ $ npm install -g yarn && nodenv rehash
 $ yarn install
 ```
 
+## Android environment
+
+In order to use the Android verification endpoints you need to enable the Google Play Integrity API service on the Google Cloud project related to the `GOOGLE_CLOUD_PROJECT_NUMBER` provided in the example app `.env` file. Referer to the [setup page](https://developer.android.com/google/play/integrity/setup) for more information.
+
+Be sure to fill the `.env` file with the required enviroment variables:
+
+```javascript
+ANDROID_BUNDLE_IDENTIFIER =
+GOOGLE_APPLICATION_CREDENTIALS =
+```
+
+`ANDROID_BUNDLE_IDENTIFIER` is the package name of the app you want to verify, it's already included in the `.env.local` file for the example app of this project.
+
+`GOOGLE_APPLICATION_CREDENTIALS` consists of a JSON string with the service account credentials. Refer to the [instructions](https://developer.android.com/google/play/integrity/standard#decrypt-and) for more information.
+
 ## Run the app
 
 ```bash
-# First edit .env to add a BACKEND_ADDRESS (is required to use real local ip address instead localhost)
-$ cp .env.local env.local
+# First edit .env to add the required environment variables according to the platform you want to test
+$ cp .env.local .env
 $ yarn start
 ```
diff --git a/backend/package.json b/backend/package.json
index 0c1cfe2..0c37c8b 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -27,6 +27,7 @@
     "cbor": "^9.0.2",
     "dotenv": "^16.4.5",
     "express": "^4.18.3",
+    "googleapis": "^134.0.0",
     "pkijs": "^3.0.15",
     "uuid": "^9.0.1"
   }
diff --git a/backend/src/android/androidIntegrity.ts b/backend/src/android/androidIntegrity.ts
new file mode 100644
index 0000000..33f4fc2
--- /dev/null
+++ b/backend/src/android/androidIntegrity.ts
@@ -0,0 +1,33 @@
+import { google } from 'googleapis';
+
+export const playintegrity = google.playintegrity('v1');
+
+/**
+ * Calls the Google Play Integrity API to verify and decrypt an integrity token.
+ * @param credentialClientEmail - The service account email.
+ * @param credentialPrivateKey - The private key of the service account.
+ * @param packageName - The package name of the app which generated the integrity token.
+ * @param integrityToken - The integrity token to verify.
+ * @returns an object containing the result of the integrity token verification. This token shouldn't be returned to the client.
+ * A simple yes/no answer should be returned to the client instead, based on the result of the verification.
+ */
+export const verifyIntegrityToken = async (
+  credentialClientEmail: string,
+  credentialPrivateKey: string,
+  packageName: string,
+  integrityToken: string
+) => {
+  let jwtClient = new google.auth.JWT(
+    credentialClientEmail,
+    undefined,
+    credentialPrivateKey,
+    ['https://www.googleapis.com/auth/playintegrity']
+  );
+  google.options({ auth: jwtClient });
+  return await playintegrity.v1.decodeIntegrityToken({
+    packageName,
+    requestBody: {
+      integrityToken,
+    },
+  });
+};
diff --git a/backend/src/android/androidRouter.ts b/backend/src/android/androidRouter.ts
new file mode 100644
index 0000000..182ff14
--- /dev/null
+++ b/backend/src/android/androidRouter.ts
@@ -0,0 +1,49 @@
+import express, { Router } from 'express';
+import { verifyIntegrityToken } from './androidIntegrity';
+
+const router: Router = express.Router();
+
+/**
+ * Verifies a Google Play Integrity Token.
+ * The check is done for a standard request and the token is decrypted and verified on Google Cloud, not locally.
+ * The GOOGLE_APPLICATION_CREDENTIALS and ANDROID_BUNDLE_IDENTIFIER environment variables must be set.
+ * @param integrityToken - The integrity token to verify.
+ * @returns The result of the integrity token verification.
+ */
+router.post('/verifyIntegrityToken', async (req, res) => {
+  console.debug(
+    `Play integrity verdict was requested: ${JSON.stringify(req.body, null, 2)}`
+  );
+  const GOOGLE_APPLICATION_CREDENTIALS =
+    process.env.GOOGLE_APPLICATION_CREDENTIALS;
+  const ANDROID_BUNDLE_IDENTIFIER = process.env.ANDROID_BUNDLE_IDENTIFIER;
+  if (!GOOGLE_APPLICATION_CREDENTIALS || !ANDROID_BUNDLE_IDENTIFIER) {
+    res.status(500).send({
+      error:
+        'GOOGLE_APPLICATION_CREDENTIALS and ANDROID_BUNDLE_INDENTIFIER must be set in the .env file',
+    });
+    return;
+  }
+  try {
+    const googleCredentials = JSON.parse(GOOGLE_APPLICATION_CREDENTIALS);
+    const { integrityToken } = req.body;
+    if (req.body.integrityToken === undefined) {
+      res.status(400).send({ error: 'Invalid integrity token' });
+      return;
+    }
+    const { data } = await verifyIntegrityToken(
+      googleCredentials.client_email,
+      googleCredentials.private_key,
+      ANDROID_BUNDLE_IDENTIFIER,
+      integrityToken
+    );
+    res.send(data);
+  } catch (error) {
+    console.error(error);
+    res
+      .status(500)
+      .send({ error: 'An error occurred while verifying the integrity token' });
+  }
+});
+
+export default router;
diff --git a/backend/src/index.ts b/backend/src/index.ts
index 65f617d..d550c4e 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -4,6 +4,7 @@ import dotenv from 'dotenv';
 import verifyAttestation from './verifyAttestation';
 import bodyParser from 'body-parser';
 import verifyAssertion from './verifyAssertion';
+import androidRouter from './android/androidRouter';
 
 dotenv.config();
 const app = express();
@@ -22,6 +23,11 @@ let attestation: any = null;
 const BUNDLE_IDENTIFIER = process.env.BUNDLE_IDENTIFIER || '';
 const TEAM_IDENTIFIER = process.env.TEAM_IDENTIFIER || '';
 
+/**
+ * Router for the android specific endpoints.
+ */
+app.use('/android', androidRouter);
+
 /**
  * This endpoint is used to get the nonce for the attestation process.
  * The nonce is a random string that is used to prevent replay attacks.
diff --git a/example/.env.local b/example/.env.local
index 7848848..f99a711 100644
--- a/example/.env.local
+++ b/example/.env.local
@@ -1 +1,4 @@
-BACKEND_ADDRESS = ""
\ No newline at end of file
+# Backend address for remote verification
+BACKEND_ADDRESS = ""
+# Google Cloud Project Number
+GOOGLE_CLOUD_PROJECT_NUMBER = "" 
\ No newline at end of file
diff --git a/example/env.d.ts b/example/env.d.ts
index e29c264..a113db6 100644
--- a/example/env.d.ts
+++ b/example/env.d.ts
@@ -1,3 +1,4 @@
 declare module '@env' {
   export const BACKEND_ADDRESS: string;
+  export const GOOGLE_CLOUD_PROJECT_NUMBER: string;
 }
diff --git a/example/src/AndroidApp.tsx b/example/src/AndroidApp.tsx
index 887b4aa..4e1f803 100644
--- a/example/src/AndroidApp.tsx
+++ b/example/src/AndroidApp.tsx
@@ -7,8 +7,7 @@ import {
   requestIntegrityToken,
 } from '@pagopa/io-react-native-integrity';
 import ButtonWithLoader from './components/ButtonWithLoader';
-
-const GOOGLE_CLOUD_PROJECT_NUMBER = '1234567890';
+import { BACKEND_ADDRESS, GOOGLE_CLOUD_PROJECT_NUMBER } from '@env';
 
 export default function AndroidApp() {
   const [isServiceAvailable, setIsServiceAvailable] =
@@ -17,8 +16,13 @@ export default function AndroidApp() {
     React.useState<boolean>(false);
   const [isRequestTokenLoading, setIsRequestTokenLoading] =
     React.useState<boolean>(false);
+  const [integrityToken, setIntegrityToken] = React.useState<
+    string | undefined
+  >();
   const [isGetAttestationLoading, setIsGetAttestationLoading] =
     React.useState<boolean>(false);
+  const [isVerifyintegrityTokenLoading, setIsVerifyintegrityTokenLoading] =
+    React.useState<boolean>(false);
   const [debugLog, setDebugLog] = React.useState<string>('.. >');
 
   React.useEffect(() => {
@@ -31,7 +35,7 @@ export default function AndroidApp() {
       });
   }, []);
 
-  const prepareCallback = async () => {
+  const prepare = async () => {
     if (isServiceAvailable) {
       try {
         setIsPrepareLoading(true);
@@ -44,15 +48,13 @@ export default function AndroidApp() {
     }
   };
 
-  const requestTokenCallback = async () => {
+  const requestToken = async () => {
     if (isServiceAvailable) {
       try {
         setIsRequestTokenLoading(true);
-        const rq = await requestIntegrityToken(
-          'lW1DCr5p4nLA2JkYU7BRYzCCByQplBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbn'
-        );
-
+        const rq = await requestIntegrityToken('randomvalue');
         setIsRequestTokenLoading(false);
+        setIntegrityToken(rq);
         setDebugLog(rq);
       } catch (e) {
         setIsRequestTokenLoading(false);
@@ -61,12 +63,10 @@ export default function AndroidApp() {
     }
   };
 
-  const getAttestationCallback = async () => {
+  const requestAttestation = async () => {
     try {
       setIsGetAttestationLoading(true);
-      const att = await getAttestation(
-        'lW1DCr5p4nLA2JkYU7BRYzCCByQi28plBcrXpEMNHanu8OE43sHpRqi1SAnUQTSaFVyYOh4GrXfTJuBIIoriwbhGizYWeHYxOWh2cGs0pLcXUROXYAbnQIYPwJBZQ2V1'
-      );
+      const att = await getAttestation('randomvalue', 'integrity-key');
       setIsGetAttestationLoading(false);
       setDebugLog(att);
     } catch (e) {
@@ -75,6 +75,36 @@ export default function AndroidApp() {
     }
   };
 
+  const verifyToken = async () => {
+    try {
+      if (integrityToken === undefined) {
+        setDebugLog(
+          'Integrity token is undefined, please call prepare and get token first.'
+        );
+        return;
+      }
+      setIsVerifyintegrityTokenLoading(true);
+      const result = await fetch(
+        `${BACKEND_ADDRESS}/android/verifyIntegrityToken`,
+        {
+          method: 'POST',
+          headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({
+            integrityToken,
+          }),
+        }
+      );
+      const response = await result.json();
+      setIsVerifyintegrityTokenLoading(false);
+      setDebugLog(JSON.stringify(response));
+    } catch (e) {
+      setDebugLog(`${e}`);
+    }
+  };
+
   return (
     <SafeAreaView style={styles.container}>
       <Text style={styles.h1}>Integrity Check Demo App</Text>
@@ -82,17 +112,22 @@ export default function AndroidApp() {
         <>
           <ButtonWithLoader
             title="Prepare"
-            onPress={() => prepareCallback()}
+            onPress={() => prepare()}
             loading={isPrepareLoading}
           />
           <ButtonWithLoader
             title="Get token"
-            onPress={() => requestTokenCallback()}
+            onPress={() => requestToken()}
             loading={isRequestTokenLoading}
           />
+          <ButtonWithLoader
+            title="Verify Token"
+            onPress={() => verifyToken()}
+            loading={isVerifyintegrityTokenLoading}
+          />
           <ButtonWithLoader
             title="Get attestation"
-            onPress={() => getAttestationCallback()}
+            onPress={() => requestAttestation()}
             loading={isGetAttestationLoading}
           />
         </>
diff --git a/yarn.lock b/yarn.lock
index 701d758..da0fd17 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2560,6 +2560,7 @@ __metadata:
     cbor: ^9.0.2
     dotenv: ^16.4.5
     express: ^4.18.3
+    googleapis: ^134.0.0
     nodemon: ^3.1.0
     pkijs: ^3.0.15
     rimraf: ^5.0.5
@@ -4223,7 +4224,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"base64-js@npm:^1.3.1, base64-js@npm:^1.5.1":
+"base64-js@npm:^1.3.0, base64-js@npm:^1.3.1, base64-js@npm:^1.5.1":
   version: 1.5.1
   resolution: "base64-js@npm:1.5.1"
   checksum: 669632eb3745404c2f822a18fc3a0122d2f9a7a13f7fb8b5823ee19d1d2ff9ee5b52c53367176ea4ad093c332fd5ab4bd0ebae5a8e27917a4105a4cfc86b1005
@@ -4251,6 +4252,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"bignumber.js@npm:^9.0.0":
+  version: 9.1.2
+  resolution: "bignumber.js@npm:9.1.2"
+  checksum: 582c03af77ec9cb0ebd682a373ee6c66475db94a4325f92299621d544aa4bd45cb45fd60001610e94aef8ae98a0905fa538241d9638d4422d57abbeeac6fadaf
+  languageName: node
+  linkType: hard
+
 "binary-extensions@npm:^2.0.0":
   version: 2.2.0
   resolution: "binary-extensions@npm:2.2.0"
@@ -4376,6 +4384,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"buffer-equal-constant-time@npm:1.0.1":
+  version: 1.0.1
+  resolution: "buffer-equal-constant-time@npm:1.0.1"
+  checksum: 80bb945f5d782a56f374b292770901065bad21420e34936ecbe949e57724b4a13874f735850dd1cc61f078773c4fb5493a41391e7bda40d1fa388d6bd80daaab
+  languageName: node
+  linkType: hard
+
 "buffer-from@npm:^1.0.0":
   version: 1.1.2
   resolution: "buffer-from@npm:1.1.2"
@@ -5761,6 +5776,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"ecdsa-sig-formatter@npm:1.0.11, ecdsa-sig-formatter@npm:^1.0.11":
+  version: 1.0.11
+  resolution: "ecdsa-sig-formatter@npm:1.0.11"
+  dependencies:
+    safe-buffer: ^5.0.1
+  checksum: 207f9ab1c2669b8e65540bce29506134613dd5f122cccf1e6a560f4d63f2732d427d938f8481df175505aad94583bcb32c688737bb39a6df0625f903d6d93c03
+  languageName: node
+  linkType: hard
+
 "ee-first@npm:1.1.1":
   version: 1.1.1
   resolution: "ee-first@npm:1.1.1"
@@ -6525,6 +6549,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"extend@npm:^3.0.2":
+  version: 3.0.2
+  resolution: "extend@npm:3.0.2"
+  checksum: a50a8309ca65ea5d426382ff09f33586527882cf532931cb08ca786ea3146c0553310bda688710ff61d7668eba9f96b923fe1420cdf56a2c3eaf30fcab87b515
+  languageName: node
+  linkType: hard
+
 "external-editor@npm:^3.0.3":
   version: 3.1.0
   resolution: "external-editor@npm:3.1.0"
@@ -6924,6 +6955,28 @@ __metadata:
   languageName: node
   linkType: hard
 
+"gaxios@npm:^6.0.0, gaxios@npm:^6.0.3, gaxios@npm:^6.1.1":
+  version: 6.3.0
+  resolution: "gaxios@npm:6.3.0"
+  dependencies:
+    extend: ^3.0.2
+    https-proxy-agent: ^7.0.1
+    is-stream: ^2.0.0
+    node-fetch: ^2.6.9
+  checksum: 4d4a8db32d833f8012435e2016cb0c919cac288e821bf81f877504e4284ef12b444cd903448e738c4031cd5219adf1e8d68e7df2b3dba774db9fde27f71109d4
+  languageName: node
+  linkType: hard
+
+"gcp-metadata@npm:^6.1.0":
+  version: 6.1.0
+  resolution: "gcp-metadata@npm:6.1.0"
+  dependencies:
+    gaxios: ^6.0.0
+    json-bigint: ^1.0.0
+  checksum: 55de8ae4a6b7664379a093abf7e758ae06e82f244d41bd58d881a470bf34db94c4067ce9e1b425d9455b7705636d5f8baad844e49bb73879c338753ba7785b2b
+  languageName: node
+  linkType: hard
+
 "gensync@npm:^1.0.0-beta.2":
   version: 1.0.0-beta.2
   resolution: "gensync@npm:1.0.0-beta.2"
@@ -7219,6 +7272,44 @@ __metadata:
   languageName: node
   linkType: hard
 
+"google-auth-library@npm:^9.0.0":
+  version: 9.7.0
+  resolution: "google-auth-library@npm:9.7.0"
+  dependencies:
+    base64-js: ^1.3.0
+    ecdsa-sig-formatter: ^1.0.11
+    gaxios: ^6.1.1
+    gcp-metadata: ^6.1.0
+    gtoken: ^7.0.0
+    jws: ^4.0.0
+  checksum: b0f273fa08ac69cf38f037c195c137ef9d1f3d197c31fd57db957bd5c38c4a110e1c029504f09574a59fa6c9c85fc6fb9d7748c2ed75f30ecae0c71daa369c23
+  languageName: node
+  linkType: hard
+
+"googleapis-common@npm:^7.0.0":
+  version: 7.0.1
+  resolution: "googleapis-common@npm:7.0.1"
+  dependencies:
+    extend: ^3.0.2
+    gaxios: ^6.0.3
+    google-auth-library: ^9.0.0
+    qs: ^6.7.0
+    url-template: ^2.0.8
+    uuid: ^9.0.0
+  checksum: b87f3e14aed5fab82d3327d924e82a1f1527715c93c0b3534b2e28de698abc02daea00bebe375966ca8bb491394f5fd521e6b615cb89e1bfbe8870b7caa5f899
+  languageName: node
+  linkType: hard
+
+"googleapis@npm:^134.0.0":
+  version: 134.0.0
+  resolution: "googleapis@npm:134.0.0"
+  dependencies:
+    google-auth-library: ^9.0.0
+    googleapis-common: ^7.0.0
+  checksum: 0c2772f5641f9e06df149201f0284e1f5e8581690cac146c9255d1970ec0664e8c39fc891072aa20c56f920d3b144fe3307fcf84665df7790c8bdcedaf84f345
+  languageName: node
+  linkType: hard
+
 "gopd@npm:^1.0.1":
   version: 1.0.1
   resolution: "gopd@npm:1.0.1"
@@ -7268,6 +7359,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"gtoken@npm:^7.0.0":
+  version: 7.1.0
+  resolution: "gtoken@npm:7.1.0"
+  dependencies:
+    gaxios: ^6.0.0
+    jws: ^4.0.0
+  checksum: 1f338dced78f9d895ea03cd507454eb5a7b77e841ecd1d45e44483b08c1e64d16a9b0342358d37586d87462ffc2d5f5bff5dfe77ed8d4f0aafc3b5b0347d5d16
+  languageName: node
+  linkType: hard
+
 "handlebars@npm:^4.7.7":
   version: 4.7.8
   resolution: "handlebars@npm:4.7.8"
@@ -8947,6 +9048,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"json-bigint@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "json-bigint@npm:1.0.0"
+  dependencies:
+    bignumber.js: ^9.0.0
+  checksum: c67bb93ccb3c291e60eb4b62931403e378906aab113ec1c2a8dd0f9a7f065ad6fd9713d627b732abefae2e244ac9ce1721c7a3142b2979532f12b258634ce6f6
+  languageName: node
+  linkType: hard
+
 "json-buffer@npm:3.0.1":
   version: 3.0.1
   resolution: "json-buffer@npm:3.0.1"
@@ -9049,6 +9159,27 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jwa@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "jwa@npm:2.0.0"
+  dependencies:
+    buffer-equal-constant-time: 1.0.1
+    ecdsa-sig-formatter: 1.0.11
+    safe-buffer: ^5.0.1
+  checksum: 8f00b71ad5fe94cb55006d0d19202f8f56889109caada2f7eeb63ca81755769ce87f4f48101967f398462e3b8ae4faebfbd5a0269cb755dead5d63c77ba4d2f1
+  languageName: node
+  linkType: hard
+
+"jws@npm:^4.0.0":
+  version: 4.0.0
+  resolution: "jws@npm:4.0.0"
+  dependencies:
+    jwa: ^2.0.0
+    safe-buffer: ^5.0.1
+  checksum: d68d07aa6d1b8cb35c363a9bd2b48f15064d342a5d9dc18a250dbbce8dc06bd7e4792516c50baa16b8d14f61167c19e851fd7f66b59ecc68b7f6a013759765f7
+  languageName: node
+  linkType: hard
+
 "keyv@npm:^4.5.3":
   version: 4.5.4
   resolution: "keyv@npm:4.5.4"
@@ -10120,7 +10251,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"node-fetch@npm:^2.2.0, node-fetch@npm:^2.6.0, node-fetch@npm:^2.6.7":
+"node-fetch@npm:^2.2.0, node-fetch@npm:^2.6.0, node-fetch@npm:^2.6.7, node-fetch@npm:^2.6.9":
   version: 2.7.0
   resolution: "node-fetch@npm:2.7.0"
   dependencies:
@@ -11134,6 +11265,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"qs@npm:^6.7.0":
+  version: 6.12.0
+  resolution: "qs@npm:6.12.0"
+  dependencies:
+    side-channel: ^1.0.6
+  checksum: ba007fb2488880b9c6c3df356fe6888b9c1f4c5127552edac214486cfe83a332de09a5c40d490d79bb27bef977ba1085a8497512ff52eaac72e26564f77ce908
+  languageName: node
+  linkType: hard
+
 "queue-microtask@npm:^1.2.2":
   version: 1.2.3
   resolution: "queue-microtask@npm:1.2.3"
@@ -11918,7 +12058,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"safe-buffer@npm:5.2.1, safe-buffer@npm:~5.2.0":
+"safe-buffer@npm:5.2.1, safe-buffer@npm:^5.0.1, safe-buffer@npm:~5.2.0":
   version: 5.2.1
   resolution: "safe-buffer@npm:5.2.1"
   checksum: b99c4b41fdd67a6aaf280fcd05e9ffb0813654894223afb78a31f14a19ad220bba8aba1cb14eddce1fcfb037155fe6de4e861784eb434f7d11ed58d1e70dd491
@@ -12160,6 +12300,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"side-channel@npm:^1.0.6":
+  version: 1.0.6
+  resolution: "side-channel@npm:1.0.6"
+  dependencies:
+    call-bind: ^1.0.7
+    es-errors: ^1.3.0
+    get-intrinsic: ^1.2.4
+    object-inspect: ^1.13.1
+  checksum: bfc1afc1827d712271453e91b7cd3878ac0efd767495fd4e594c4c2afaa7963b7b510e249572bfd54b0527e66e4a12b61b80c061389e129755f34c493aad9b97
+  languageName: node
+  linkType: hard
+
 "signal-exit@npm:^3.0.2, signal-exit@npm:^3.0.3, signal-exit@npm:^3.0.7":
   version: 3.0.7
   resolution: "signal-exit@npm:3.0.7"
@@ -13368,6 +13520,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"url-template@npm:^2.0.8":
+  version: 2.0.8
+  resolution: "url-template@npm:2.0.8"
+  checksum: 4183fccd74e3591e4154134d4443dccecba9c455c15c7df774f1f1e3fa340fd9bffb903b5beec347196d15ce49c34edf6dec0634a95d170ad6e78c0467d6e13e
+  languageName: node
+  linkType: hard
+
 "util-deprecate@npm:^1.0.1, util-deprecate@npm:~1.0.1":
   version: 1.0.2
   resolution: "util-deprecate@npm:1.0.2"
@@ -13382,7 +13541,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"uuid@npm:^9.0.1":
+"uuid@npm:^9.0.0, uuid@npm:^9.0.1":
   version: 9.0.1
   resolution: "uuid@npm:9.0.1"
   bin:

From b8dbdff4c70bcff8d359bea37e27f5310c5f4a1f Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 22 Mar 2024 18:53:36 +0100
Subject: [PATCH 41/64] feat: add key attestation verification

---
 backend/src/android/androidIntegrity.ts       | 136 ++++++++++++++++++
 backend/src/android/androidRouter.ts          |  24 +++-
 .../android/googleHardwareAttestationRoot.key |  14 ++
 example/README.md                             |   2 +
 example/src/AndroidApp.tsx                    |  46 +++++-
 5 files changed, 220 insertions(+), 2 deletions(-)
 create mode 100644 backend/src/android/googleHardwareAttestationRoot.key

diff --git a/backend/src/android/androidIntegrity.ts b/backend/src/android/androidIntegrity.ts
index 33f4fc2..d89a660 100644
--- a/backend/src/android/androidIntegrity.ts
+++ b/backend/src/android/androidIntegrity.ts
@@ -1,4 +1,23 @@
 import { google } from 'googleapis';
+import { X509Certificate } from 'crypto';
+import * as asn1js from 'asn1js';
+import * as pkijs from 'pkijs';
+import * as fs from 'fs';
+import * as crypto from 'crypto';
+
+/**
+ * Simplified type definition for the Certificate Revocation List (CRL) object.
+ */
+type CRL = {
+  entries: Record<
+    string,
+    { status: string; expires: string; reason: string; comment: string }
+  >;
+};
+
+const CRL_URL = 'https://android.googleapis.com/attestation/status';
+
+const KEY_OID = '1.3.6.1.4.1.11129.2.1.17';
 
 export const playintegrity = google.playintegrity('v1');
 
@@ -31,3 +50,120 @@ export const verifyIntegrityToken = async (
     },
   });
 };
+
+/**
+ * Verifies a key attestation which is a signed statement from a secure hardware module that attests to the security properties of the module.
+ * On Android it is represented as a chain of X.509 certificates.
+ * The native implementation contacates the chain of certificates into a single base64 encoded string divided by commas.
+ * {@link https://developer.android.com/training/articles/security-key-attestation}
+ * 1st and 2nd steps are not implemented here as they are done on the client side.
+ * Functions used to verify the attestation have their relative steps commented in the TSdoc.
+ * Even though some steps might be joined in a single function, they are separated in the comments for clarity at the cost of some repetition.
+ * The 5th step is not implemented as it is only implemented in newer chains.
+ * The 7th step which compares the attestation extension data with a fixed set of expected values is not implemented in this example as it heavily depends on the specific use case.
+ * @param x509Array - The chain of X.509 certificates in base64 format divided by commas.
+ * @throws {Error} - If the attestation is invalid.
+ */
+export const verifyAttestation = async (x509Array: string) => {
+  // We split the chain of certificates and convert them to PEM format to be parsed by the X509Certificate class
+  const decodedString = Buffer.from(x509Array, 'base64').toString('utf-8');
+  const certificates = decodedString.split(',');
+  const x509Chain = certificates.map((cert) => {
+    return new X509Certificate(base64ToPem(cert));
+  });
+  validateIssuance(x509Chain);
+  await validateRevokation(x509Chain);
+  validateKeyAttestationExtension(x509Chain);
+};
+
+/**
+ * 3.
+ * Obtain a reference to the X.509 certificate chain parsing and validation library that is most appropriate for your toolset.
+ * Verify that the root public certificate is trustworthy and that each certificate signs the next certificate in the chain.
+ * @param x509Chain - The chain of {@link X509Certificate} certificates.
+ * @throws {Error} - If the chain is invalid.
+ */
+const validateIssuance = (x509Chain: X509Certificate[]) => {
+  if (x509Chain.length === 0) throw new Error('No certificates provided');
+
+  // Check dates
+  const now = new Date();
+  const datesValid = x509Chain.every(
+    (c) => new Date(c.validFrom) < now && now < new Date(c.validTo)
+  );
+  if (!datesValid) throw new Error('Certificates expired');
+
+  // Check that each certificate, except for the last, is issued by the subsequent one.
+  if (x509Chain.length >= 2) {
+    for (let i = 0; i < x509Chain.length - 1; i++) {
+      const subject = x509Chain[i];
+      const issuer = x509Chain[i + 1];
+
+      if (
+        !subject ||
+        !issuer ||
+        subject.checkIssued(issuer) === false ||
+        subject.verify(issuer.publicKey) === false
+      ) {
+        throw new Error('Certificate chain is invalid');
+      }
+    }
+  }
+
+  // Ensure that the last certificate in the chain is the expected Google Hardware Attestation Root CA.
+  const pkFile = fs.readFileSync(
+    require('path').resolve(__dirname, 'googleHardwareAttestationRoot.key')
+  );
+  const pk = crypto.createPublicKey(pkFile);
+  const rootCert = x509Chain[x509Chain.length - 1]; // Last certificate in the chain is the root certificate
+  if (!rootCert || !rootCert.verify(pk)) {
+    throw new Error(
+      'Root certificate is not signed by Google Hardware Attestation Root CA'
+    );
+  }
+};
+
+/**
+ * 4.
+ * Check each certificate's revocation status to ensure that none of the certificates have been revoked.
+ * @param x509Chain - The chain of {@link X509Certificate} certificates.
+ * @throws {Error} - If any certificate in the chain is revoked.
+ */
+const validateRevokation = async (x509Chain: X509Certificate[]) => {
+  if (x509Chain.length === 0) throw new Error('No certificates provided');
+  const res = await fetch(CRL_URL, { method: 'GET' });
+  if (!res.ok) throw new Error('Failed to fetch CRL');
+  const crl = (await res.json()) as CRL; // Add type assertion for crl
+  const isExpired = x509Chain.some((cert) => {
+    return cert.serialNumber in crl.entries;
+  });
+  if (isExpired) throw new Error('Certificate is revoked');
+};
+
+/**
+ * 6.
+ * Obtain a reference to the ASN.1 parser library that is most appropriate for your toolset.
+ * Find the nearest certificate to the root that contains the key attestation certificate extension.
+ *  If the provisioning information certificate extension was present, the key attestation certificate extension must be in the immediately subsequent certificate.
+ *  Use the parser to extract the key attestation certificate extension data from that certificate.
+ * @param x509Chain - The chain of {@link X509Certificate} certificates.
+ * @throws {Error} - If no key attestation extension is found.
+ */
+const validateKeyAttestationExtension = (x509Chain: X509Certificate[]) => {
+  if (x509Chain.length === 0) throw new Error('No certificates provided');
+  const found = x509Chain.reverse().some((certificate) => {
+    const asn1 = asn1js.fromBER(certificate.raw);
+    const parsedCertificate = new pkijs.Certificate({ schema: asn1.result });
+    const extension = parsedCertificate.extensions?.find(
+      (e) => e.extnID === KEY_OID
+    );
+    return extension ?? false;
+  });
+  if (!found) throw new Error('No key attestation extension found');
+};
+
+const base64ToPem = (b64cert: string) => {
+  return (
+    '-----BEGIN CERTIFICATE-----\n' + b64cert + '-----END CERTIFICATE-----'
+  );
+};
diff --git a/backend/src/android/androidRouter.ts b/backend/src/android/androidRouter.ts
index 182ff14..53450d2 100644
--- a/backend/src/android/androidRouter.ts
+++ b/backend/src/android/androidRouter.ts
@@ -1,5 +1,5 @@
 import express, { Router } from 'express';
-import { verifyIntegrityToken } from './androidIntegrity';
+import { verifyAttestation, verifyIntegrityToken } from './androidIntegrity';
 
 const router: Router = express.Router();
 
@@ -46,4 +46,26 @@ router.post('/verifyIntegrityToken', async (req, res) => {
   }
 });
 
+/**
+ * Verifies a Google Play Integrity Token.
+ * The check is done for a standard request and the token is decrypted and verified on Google Cloud, not locally.
+ * The GOOGLE_APPLICATION_CREDENTIALS and ANDROID_BUNDLE_IDENTIFIER environment variables must be set.
+ * @param integrityToken - The integrity token to verify.
+ * @returns The result of the integrity token verification.
+ */
+router.post('/verifyAttestation', async (req, res) => {
+  console.debug(
+    `Key attestation verdict was requested: ${JSON.stringify(req.body, null, 2)}`
+  );
+  try {
+    await verifyAttestation(req.body.attestation);
+    res.status(200).send({ result: 'Attestation verified' });
+  } catch (error) {
+    console.error(error);
+    res.status(500).send({
+      error: `An error occurred while verifying the key attestation token ${error}`,
+    });
+  }
+});
+
 export default router;
diff --git a/backend/src/android/googleHardwareAttestationRoot.key b/backend/src/android/googleHardwareAttestationRoot.key
new file mode 100644
index 0000000..5b99837
--- /dev/null
+++ b/backend/src/android/googleHardwareAttestationRoot.key
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xU
+FmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5j
+lRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y
+//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73X
+pXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYI
+mQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB
++TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7q
+uvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgp
+Zrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7
+gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82
+ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+
+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAQ==
+-----END PUBLIC KEY-----
\ No newline at end of file
diff --git a/example/README.md b/example/README.md
index 0a98c16..8addbeb 100644
--- a/example/README.md
+++ b/example/README.md
@@ -45,6 +45,8 @@ $ cd ios && bundle exec pod install && cd ..
 ```bash
 # Android
 $ yarn android
+# If you want to use the local server, you need to reverse the 3000 port
+$ adb reverse tcp:3000 tcp:3000
 
 # iOS
 $ yarn ios
diff --git a/example/src/AndroidApp.tsx b/example/src/AndroidApp.tsx
index 4e1f803..8d25456 100644
--- a/example/src/AndroidApp.tsx
+++ b/example/src/AndroidApp.tsx
@@ -19,10 +19,14 @@ export default function AndroidApp() {
   const [integrityToken, setIntegrityToken] = React.useState<
     string | undefined
   >();
+  const [isVerifyintegrityTokenLoading, setIsVerifyintegrityTokenLoading] =
+    React.useState<boolean>(false);
   const [isGetAttestationLoading, setIsGetAttestationLoading] =
     React.useState<boolean>(false);
-  const [isVerifyintegrityTokenLoading, setIsVerifyintegrityTokenLoading] =
+  const [attestation, setAttestation] = React.useState<string | undefined>();
+  const [isVerifyAttestationLoading, setIsVerifyAttestationLoading] =
     React.useState<boolean>(false);
+
   const [debugLog, setDebugLog] = React.useState<string>('.. >');
 
   React.useEffect(() => {
@@ -67,6 +71,7 @@ export default function AndroidApp() {
     try {
       setIsGetAttestationLoading(true);
       const att = await getAttestation('randomvalue', 'integrity-key');
+      setAttestation(att);
       setIsGetAttestationLoading(false);
       setDebugLog(att);
     } catch (e) {
@@ -101,6 +106,38 @@ export default function AndroidApp() {
       setIsVerifyintegrityTokenLoading(false);
       setDebugLog(JSON.stringify(response));
     } catch (e) {
+      setIsVerifyintegrityTokenLoading(false);
+      setDebugLog(`${e}`);
+    }
+  };
+
+  const verifyAttestation = async () => {
+    try {
+      if (attestation === undefined) {
+        setDebugLog(
+          'Attestation is undefined, please call get attestation first.'
+        );
+        return;
+      }
+      setIsVerifyAttestationLoading(true);
+      const result = await fetch(
+        `${BACKEND_ADDRESS}/android/verifyAttestation`,
+        {
+          method: 'POST',
+          headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({
+            attestation,
+          }),
+        }
+      );
+      const response = await result.json();
+      setIsVerifyAttestationLoading(false);
+      setDebugLog(JSON.stringify(response));
+    } catch (e) {
+      setIsVerifyAttestationLoading(false);
       setDebugLog(`${e}`);
     }
   };
@@ -110,6 +147,7 @@ export default function AndroidApp() {
       <Text style={styles.h1}>Integrity Check Demo App</Text>
       {isServiceAvailable ? (
         <>
+          <Text>Play Integrity Standard Request</Text>
           <ButtonWithLoader
             title="Prepare"
             onPress={() => prepare()}
@@ -125,11 +163,17 @@ export default function AndroidApp() {
             onPress={() => verifyToken()}
             loading={isVerifyintegrityTokenLoading}
           />
+          <Text>Key Attestation</Text>
           <ButtonWithLoader
             title="Get attestation"
             onPress={() => requestAttestation()}
             loading={isGetAttestationLoading}
           />
+          <ButtonWithLoader
+            title="Verify attestation"
+            onPress={() => verifyAttestation()}
+            loading={isVerifyAttestationLoading}
+          />
         </>
       ) : null}
       <ScrollView style={styles.debug}>

From 3e0ab7dd5892169823f809ded6da54305ded9170 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Mon, 25 Mar 2024 10:12:49 +0100
Subject: [PATCH 42/64] chore: update example app README.md

---
 example/.env.local |  2 +-
 example/README.md  | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/example/.env.local b/example/.env.local
index 3bfcd2e..16865fd 100644
--- a/example/.env.local
+++ b/example/.env.local
@@ -1,4 +1,4 @@
 # Backend address for remote verification
-BACKEND_ADDRESS = ""
+BACKEND_ADDRESS = "http://127.0.0.1:3000"
 # Google Cloud Project Number
 GOOGLE_CLOUD_PROJECT_NUMBER = ""
\ No newline at end of file
diff --git a/example/README.md b/example/README.md
index 8addbeb..c548fbe 100644
--- a/example/README.md
+++ b/example/README.md
@@ -40,6 +40,22 @@ $ yarn install
 $ cd ios && bundle exec pod install && cd ..
 ```
 
+## Environment variables
+
+In order to run the app, you need to create a `.env` file by copying the `.env.local` file and updating the values.
+
+```bash
+$ cp .env.local .env
+```
+
+For the Google Play Integrity API calls, you need to update the `GOOGLE_CLOUD_PROJECT_NUMBER` value. This requires a Google Cloud project with the Play Integrity API enabled. Follow the official
+documentation provided by Google [here](https://developer.android.com/google/play/integrity/setup).
+
+## Local server
+
+If you want to verify the tokens and attestations generate by the example app you can use the provided local server. By default, the `.env.local` file is configured to use it but you can customize the `BACKEND_ADDRESS` value to use a different server.
+More information about the local server setup can be found in its [README](../backend/README.md).
+
 ## Run the app
 
 ```bash

From 5482064ebc1076b59b96fb1a06f47cda1202e6b8 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Mon, 25 Mar 2024 10:17:28 +0100
Subject: [PATCH 43/64] chore: update example app README.md

---
 example/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/README.md b/example/README.md
index c548fbe..8e09c45 100644
--- a/example/README.md
+++ b/example/README.md
@@ -42,7 +42,7 @@ $ cd ios && bundle exec pod install && cd ..
 
 ## Environment variables
 
-In order to run the app, you need to create a `.env` file by copying the `.env.local` file and updating the values.
+In order to run the app, you need to create a `.env` file by copying the `.env.local` file and updating its values.
 
 ```bash
 $ cp .env.local .env

From 868f895e4a1fef95fb53cb7a0ce4c7effc67d4b5 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 12:38:12 +0100
Subject: [PATCH 44/64] chore: update README.md

---
 example/README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/example/README.md b/example/README.md
index 8e09c45..c0c6865 100644
--- a/example/README.md
+++ b/example/README.md
@@ -48,6 +48,9 @@ In order to run the app, you need to create a `.env` file by copying the `.env.l
 $ cp .env.local .env
 ```
 
+> [!IMPORTANT]  
+> When changing the `.env` file, make sure to clear the Metro bundler cache by running `yarn start --reset-cache`.
+
 For the Google Play Integrity API calls, you need to update the `GOOGLE_CLOUD_PROJECT_NUMBER` value. This requires a Google Cloud project with the Play Integrity API enabled. Follow the official
 documentation provided by Google [here](https://developer.android.com/google/play/integrity/setup).
 

From 428ad8842558fa29ff259210e5e41c82b42b1052 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 12:39:10 +0100
Subject: [PATCH 45/64] chore: update README.md

---
 example/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/example/README.md b/example/README.md
index c0c6865..817c81d 100644
--- a/example/README.md
+++ b/example/README.md
@@ -48,12 +48,12 @@ In order to run the app, you need to create a `.env` file by copying the `.env.l
 $ cp .env.local .env
 ```
 
-> [!IMPORTANT]  
-> When changing the `.env` file, make sure to clear the Metro bundler cache by running `yarn start --reset-cache`.
-
 For the Google Play Integrity API calls, you need to update the `GOOGLE_CLOUD_PROJECT_NUMBER` value. This requires a Google Cloud project with the Play Integrity API enabled. Follow the official
 documentation provided by Google [here](https://developer.android.com/google/play/integrity/setup).
 
+> [!IMPORTANT]  
+> When changing the `.env` file, make sure to clear the Metro bundler cache by running `yarn start --reset-cache`.
+
 ## Local server
 
 If you want to verify the tokens and attestations generate by the example app you can use the provided local server. By default, the `.env.local` file is configured to use it but you can customize the `BACKEND_ADDRESS` value to use a different server.

From 08902bf772ba251bfcbb9365ce487e56ca2d3af9 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 16:19:34 +0100
Subject: [PATCH 46/64] fix: key purpose

---
 .../ioreactnativeintegrity/IoReactNativeIntegrityModule.kt | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index c2f64ef..381aef2 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -185,15 +185,14 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    * @returns the generated key pair.
    */
   @RequiresApi(Build.VERSION_CODES.N)
-  private fun generateAttestationKey(keyAlias: String, challenge: ByteArray, useStrongBox: Boolean): KeyPair {
-      val purposes = KeyProperties.PURPOSE_VERIFY
+  private fun generateAttestationKey(keyAlias: String, challenge: ByteArray, hasStrongBox: Boolean): KeyPair {
       val builder =
-        KeyGenParameterSpec.Builder(keyAlias, purposes)
+        KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_SIGN)
           .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")) // P-256
           .setDigests(KeyProperties.DIGEST_SHA256)
           .setKeySize(256)
           .setAttestationChallenge(challenge)
-      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && useStrongBox) {
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && hasStrongBox) {
         builder.setIsStrongBoxBacked(true)
       }
       val keyPairGenerator = KeyPairGenerator.getInstance(

From 8e3e03107254e2d5e58f6fa29d553d9b6fa502c7 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 16:23:46 +0100
Subject: [PATCH 47/64] chore: update README.md

---
 example/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/README.md b/example/README.md
index 817c81d..2381bb9 100644
--- a/example/README.md
+++ b/example/README.md
@@ -2,7 +2,7 @@ This is a new [**React Native**](https://reactnative.dev) project, bootstrapped
 
 # Getting Started
 
-> **Note**: Make sure you have completed the [React Native - Environment Setup](https://reactnative.dev/docs/environment-setup) instructions till "Creating a new application" step, before proceeding.
+> **Note**: Make sure you have completed the [React Native - Environment Setup](https://reactnative.dev/docs/environment-setup) instructions till "Creating a new application" step, before proceeding. For Android, make sure you have Java 17 installed and the `JAVA_HOME` environment variable is set.
 
 ## NodeJS and Ruby
 

From 45dc4f13fd2840341f38ec378e9e88e405f8049c Mon Sep 17 00:00:00 2001
From: LazyAfternoons <LazyAfternoons@users.noreply.github.com>
Date: Thu, 28 Mar 2024 16:26:46 +0100
Subject: [PATCH 48/64] chore: update documentation

Co-authored-by: Fabio Bombardi <16268789+shadowsheep1@users.noreply.github.com>
---
 backend/src/android/androidIntegrity.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backend/src/android/androidIntegrity.ts b/backend/src/android/androidIntegrity.ts
index d89a660..229522e 100644
--- a/backend/src/android/androidIntegrity.ts
+++ b/backend/src/android/androidIntegrity.ts
@@ -15,8 +15,11 @@ type CRL = {
   >;
 };
 
+// Certificate Revocation status List
+// https://developer.android.com/privacy-and-security/security-key-attestation#certificate_status
 const CRL_URL = 'https://android.googleapis.com/attestation/status';
-
+// Key attestation extension data schema OID
+// https://developer.android.com/privacy-and-security/security-key-attestation#key_attestation_ext_schema
 const KEY_OID = '1.3.6.1.4.1.11129.2.1.17';
 
 export const playintegrity = google.playintegrity('v1');

From d37c699309b2deb1513826cc8ae69be6eb2ba6f1 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 16:28:46 +0100
Subject: [PATCH 49/64] chore: update documentation

---
 backend/src/android/androidRouter.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/backend/src/android/androidRouter.ts b/backend/src/android/androidRouter.ts
index 53450d2..08758dd 100644
--- a/backend/src/android/androidRouter.ts
+++ b/backend/src/android/androidRouter.ts
@@ -47,11 +47,11 @@ router.post('/verifyIntegrityToken', async (req, res) => {
 });
 
 /**
- * Verifies a Google Play Integrity Token.
- * The check is done for a standard request and the token is decrypted and verified on Google Cloud, not locally.
- * The GOOGLE_APPLICATION_CREDENTIALS and ANDROID_BUNDLE_IDENTIFIER environment variables must be set.
- * @param integrityToken - The integrity token to verify.
- * @returns The result of the integrity token verification.
+ * Verifies a key attestation which is a signed statement from a secure hardware module that attests to the security properties of the module.
+ * On Android it is represented as a chain of X.509 certificates.
+ * See {@link verifyAttestation} for more details.
+ * @param attestation - The key attestation to verify
+ * @returns The result of the chain verification.
  */
 router.post('/verifyAttestation', async (req, res) => {
   console.debug(

From 77a7cae2caa7678a0e42f4f57a9708abf04e2798 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <LazyAfternoons@users.noreply.github.com>
Date: Thu, 28 Mar 2024 16:30:52 +0100
Subject: [PATCH 50/64] chore: update env default value

Co-authored-by: Fabio Bombardi <16268789+shadowsheep1@users.noreply.github.com>
---
 backend/.env.local | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/.env.local b/backend/.env.local
index 636c57d..e4298e0 100644
--- a/backend/.env.local
+++ b/backend/.env.local
@@ -4,4 +4,4 @@ TEAM_IDENTIFIER = ''
 
 # Android
 GOOGLE_APPLICATION_CREDENTIALS = ''
-ANDROID_BUNDLE_IDENTIFIER = 'com.pagopa.ioreactnativeintegrity'
+ANDROID_BUNDLE_IDENTIFIER = 'com.ioreactnativeintegrityexample'

From 135cc11cb40627fdc7e63d63a39015e3c5e737bc Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 16:32:12 +0100
Subject: [PATCH 51/64] chore: remove explicit types

---
 .../ioreactnativeintegrity/IoReactNativeIntegrityModule.kt    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index 381aef2..d3f1268 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -98,7 +98,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
   fun prepareIntegrityToken(cloudProjectNumber: String, promise: Promise) {
     try {
       val cpn = cloudProjectNumber.toLong()
-      val standardIntegrityManager: StandardIntegrityManager =
+      val standardIntegrityManager =
         IntegrityManagerFactory.createStandard(reactApplicationContext)
       standardIntegrityManager.prepareIntegrityToken(
         StandardIntegrityManager.PrepareIntegrityTokenRequest.builder()
@@ -128,7 +128,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
   @ReactMethod
   fun requestIntegrityToken(requestHash: String?, promise: Promise) {
     try {
-      val integrityTokenResponse: Task<StandardIntegrityToken> = integrityTokenProvider.request(
+      val integrityTokenResponse = integrityTokenProvider.request(
         StandardIntegrityTokenRequest.builder()
           .setRequestHash(requestHash)
           .build()

From ac3b86a81e4054368d82e4ff693901d4adcadcf3 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 16:46:42 +0100
Subject: [PATCH 52/64] chore: formatting

---
 .../IoReactNativeIntegrityModule.kt           | 92 ++++++++++++-------
 .../MainActivity.kt                           |  2 +-
 .../MainApplication.kt                        | 22 ++---
 3 files changed, 70 insertions(+), 46 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index d3f1268..e03bada 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -74,8 +74,9 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    * @param promise the React Native promise to be resolved or reject.
    */
   @ReactMethod
-  fun isPlayServicesAvailable (promise: Promise){
-    val result = when (GoogleApiAvailability.getInstance().isGooglePlayServicesAvailable(reactApplicationContext)) {
+  fun isPlayServicesAvailable(promise: Promise) {
+    val result = when (GoogleApiAvailability.getInstance()
+      .isGooglePlayServicesAvailable(reactApplicationContext)) {
       0, 18, 2 -> true
       else -> false
     }
@@ -106,11 +107,19 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
           .build()
       )
         .addOnSuccessListener { res -> integrityTokenProvider = res; promise.resolve(null) }
-        .addOnFailureListener { ex -> ModuleException.PREPARE_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))) }
-    }catch (_: NumberFormatException){
+        .addOnFailureListener { ex ->
+          ModuleException.PREPARE_FAILED.reject(
+            promise,
+            Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
+          )
+        }
+    } catch (_: NumberFormatException) {
       ModuleException.WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT.reject(promise)
-    }catch (e: Exception){
-      ModuleException.PREPARE_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e)))
+    } catch (e: Exception) {
+      ModuleException.PREPARE_FAILED.reject(
+        promise,
+        Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
+      )
     }
   }
 
@@ -135,12 +144,19 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
       )
       integrityTokenResponse
         .addOnSuccessListener { res -> promise.resolve((res.token())) }
-        .addOnFailureListener { ex -> ModuleException.REQUEST_TOKEN_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))) }
-    }catch(_: UninitializedPropertyAccessException){
-        ModuleException.PREPARE_NOT_CALLED.reject(promise)
-    }
-    catch (e: Exception){
-      ModuleException.REQUEST_TOKEN_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e)))
+        .addOnFailureListener { ex ->
+          ModuleException.REQUEST_TOKEN_FAILED.reject(
+            promise,
+            Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
+          )
+        }
+    } catch (_: UninitializedPropertyAccessException) {
+      ModuleException.PREPARE_NOT_CALLED.reject(promise)
+    } catch (e: Exception) {
+      ModuleException.REQUEST_TOKEN_FAILED.reject(
+        promise,
+        Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
+      )
     }
   }
 
@@ -185,21 +201,25 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    * @returns the generated key pair.
    */
   @RequiresApi(Build.VERSION_CODES.N)
-  private fun generateAttestationKey(keyAlias: String, challenge: ByteArray, hasStrongBox: Boolean): KeyPair {
-      val builder =
-        KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_SIGN)
-          .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")) // P-256
-          .setDigests(KeyProperties.DIGEST_SHA256)
-          .setKeySize(256)
-          .setAttestationChallenge(challenge)
-      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && hasStrongBox) {
-        builder.setIsStrongBoxBacked(true)
-      }
-      val keyPairGenerator = KeyPairGenerator.getInstance(
-        KeyProperties.KEY_ALGORITHM_EC, KEYSTORE_PROVIDER
-      )
-      keyPairGenerator.initialize(builder.build())
-      return keyPairGenerator.generateKeyPair()
+  private fun generateAttestationKey(
+    keyAlias: String,
+    challenge: ByteArray,
+    hasStrongBox: Boolean
+  ): KeyPair {
+    val builder =
+      KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_SIGN)
+        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")) // P-256
+        .setDigests(KeyProperties.DIGEST_SHA256)
+        .setKeySize(256)
+        .setAttestationChallenge(challenge)
+    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && hasStrongBox) {
+      builder.setIsStrongBoxBacked(true)
+    }
+    val keyPairGenerator = KeyPairGenerator.getInstance(
+      KeyProperties.KEY_ALGORITHM_EC, KEYSTORE_PROVIDER
+    )
+    keyPairGenerator.initialize(builder.build())
+    return keyPairGenerator.generateKeyPair()
   }
 
   /**
@@ -219,9 +239,9 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    * @param promise the React Native promise to be resolved or rejected.
    */
   @ReactMethod
-  fun getAttestation(challenge: String, keyAlias: String?, promise: Promise){
+  fun getAttestation(challenge: String, keyAlias: String?, promise: Promise) {
     Thread {
-      try{
+      try {
         // Remove this block if the minSdkVersion is set to 24
         if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
           ModuleException.UNSUPPORTED_DEVICE.reject(promise)
@@ -231,7 +251,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
         val hasStrongBox = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
           reactApplicationContext.packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)
         val keyPair = generateAttestationKey(alias, challenge.toByteArray(), hasStrongBox)
-        if(!isKeyHardwareBacked(keyPair.private)){
+        if (!isKeyHardwareBacked(keyPair.private)) {
           // We check if the key is hardware backed just to be sure exclude software fallback
           ModuleException.KEY_IS_NOT_HARDWARE_BACKED.reject(promise)
           return@Thread
@@ -244,10 +264,14 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
           attestations += cert
         }
         val concatenatedAttestations = attestations.joinToString(",")
-        val encodedAttestation = Base64.encodeToString(concatenatedAttestations.toByteArray(), Base64.DEFAULT)
+        val encodedAttestation =
+          Base64.encodeToString(concatenatedAttestations.toByteArray(), Base64.DEFAULT)
         promise.resolve(encodedAttestation)
-      }catch(e: Exception) {
-        ModuleException.REQUEST_ATTESTATION_FAILED.reject(promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e)))
+      } catch (e: Exception) {
+        ModuleException.REQUEST_ATTESTATION_FAILED.reject(
+          promise,
+          Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
+        )
       }
     }.start()
   }
@@ -257,7 +281,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    * @param e an exception.
    * @return [e] message field or an empty string otherwise.
    */
-  private fun getExceptionMessageOrEmpty(e: Exception): String{
+  private fun getExceptionMessageOrEmpty(e: Exception): String {
     return e.message ?: ""
   }
 
diff --git a/example/android/app/src/main/java/com/ioreactnativeintegrityexample/MainActivity.kt b/example/android/app/src/main/java/com/ioreactnativeintegrityexample/MainActivity.kt
index edc2bb6..c86fd76 100644
--- a/example/android/app/src/main/java/com/ioreactnativeintegrityexample/MainActivity.kt
+++ b/example/android/app/src/main/java/com/ioreactnativeintegrityexample/MainActivity.kt
@@ -18,5 +18,5 @@ class MainActivity : ReactActivity() {
    * which allows you to enable New Architecture with a single boolean flags [fabricEnabled]
    */
   override fun createReactActivityDelegate(): ReactActivityDelegate =
-      DefaultReactActivityDelegate(this, mainComponentName, fabricEnabled)
+    DefaultReactActivityDelegate(this, mainComponentName, fabricEnabled)
 }
diff --git a/example/android/app/src/main/java/com/ioreactnativeintegrityexample/MainApplication.kt b/example/android/app/src/main/java/com/ioreactnativeintegrityexample/MainApplication.kt
index 37b9843..a3b2db6 100644
--- a/example/android/app/src/main/java/com/ioreactnativeintegrityexample/MainApplication.kt
+++ b/example/android/app/src/main/java/com/ioreactnativeintegrityexample/MainApplication.kt
@@ -15,20 +15,20 @@ import com.facebook.soloader.SoLoader
 class MainApplication : Application(), ReactApplication {
 
   override val reactNativeHost: ReactNativeHost =
-      object : DefaultReactNativeHost(this) {
-        override fun getPackages(): List<ReactPackage> =
-            PackageList(this).packages.apply {
-              // Packages that cannot be autolinked yet can be added manually here, for example:
-              // add(MyReactNativePackage())
-            }
+    object : DefaultReactNativeHost(this) {
+      override fun getPackages(): List<ReactPackage> =
+        PackageList(this).packages.apply {
+          // Packages that cannot be autolinked yet can be added manually here, for example:
+          // add(MyReactNativePackage())
+        }
 
-        override fun getJSMainModuleName(): String = "index"
+      override fun getJSMainModuleName(): String = "index"
 
-        override fun getUseDeveloperSupport(): Boolean = BuildConfig.DEBUG
+      override fun getUseDeveloperSupport(): Boolean = BuildConfig.DEBUG
 
-        override val isNewArchEnabled: Boolean = BuildConfig.IS_NEW_ARCHITECTURE_ENABLED
-        override val isHermesEnabled: Boolean = BuildConfig.IS_HERMES_ENABLED
-      }
+      override val isNewArchEnabled: Boolean = BuildConfig.IS_NEW_ARCHITECTURE_ENABLED
+      override val isHermesEnabled: Boolean = BuildConfig.IS_HERMES_ENABLED
+    }
 
   override val reactHost: ReactHost
     get() = getDefaultReactHost(this.applicationContext, reactNativeHost)

From e63fc5258eb4f262c330e30bdbecef217f6cc6ba Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 16:49:01 +0100
Subject: [PATCH 53/64] refactor: use explicit enum when checking for play
 services

---
 .../IoReactNativeIntegrityModule.kt           | 85 ++++++++-----------
 1 file changed, 37 insertions(+), 48 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index e03bada..30145d1 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -16,6 +16,7 @@ import com.facebook.react.bridge.ReactContextBaseJavaModule
 import com.facebook.react.bridge.ReactMethod
 import com.facebook.react.bridge.WritableMap
 import com.facebook.react.bridge.WritableNativeMap
+import com.google.android.gms.common.ConnectionResult
 import com.google.android.gms.common.GoogleApiAvailability
 import com.google.android.gms.tasks.Task
 import com.google.android.play.core.integrity.IntegrityManagerFactory
@@ -75,12 +76,14 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    */
   @ReactMethod
   fun isPlayServicesAvailable(promise: Promise) {
-    val result = when (GoogleApiAvailability.getInstance()
-      .isGooglePlayServicesAvailable(reactApplicationContext)) {
-      0, 18, 2 -> true
-      else -> false
-    }
-    promise.resolve(result)
+    val status =
+      GoogleApiAvailability.getInstance().isGooglePlayServicesAvailable(reactApplicationContext)
+    val isAvailable = status in listOf(
+      ConnectionResult.SUCCESS,
+      ConnectionResult.SERVICE_UPDATING,
+      ConnectionResult.SERVICE_VERSION_UPDATE_REQUIRED
+    )
+    promise.resolve(isAvailable)
   }
 
   /**
@@ -99,26 +102,21 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
   fun prepareIntegrityToken(cloudProjectNumber: String, promise: Promise) {
     try {
       val cpn = cloudProjectNumber.toLong()
-      val standardIntegrityManager =
-        IntegrityManagerFactory.createStandard(reactApplicationContext)
+      val standardIntegrityManager = IntegrityManagerFactory.createStandard(reactApplicationContext)
       standardIntegrityManager.prepareIntegrityToken(
-        StandardIntegrityManager.PrepareIntegrityTokenRequest.builder()
-          .setCloudProjectNumber(cpn)
+        StandardIntegrityManager.PrepareIntegrityTokenRequest.builder().setCloudProjectNumber(cpn)
           .build()
-      )
-        .addOnSuccessListener { res -> integrityTokenProvider = res; promise.resolve(null) }
+      ).addOnSuccessListener { res -> integrityTokenProvider = res; promise.resolve(null) }
         .addOnFailureListener { ex ->
           ModuleException.PREPARE_FAILED.reject(
-            promise,
-            Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
+            promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
           )
         }
     } catch (_: NumberFormatException) {
       ModuleException.WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT.reject(promise)
     } catch (e: Exception) {
       ModuleException.PREPARE_FAILED.reject(
-        promise,
-        Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
+        promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
       )
     }
   }
@@ -138,24 +136,19 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
   fun requestIntegrityToken(requestHash: String?, promise: Promise) {
     try {
       val integrityTokenResponse = integrityTokenProvider.request(
-        StandardIntegrityTokenRequest.builder()
-          .setRequestHash(requestHash)
-          .build()
+        StandardIntegrityTokenRequest.builder().setRequestHash(requestHash).build()
       )
-      integrityTokenResponse
-        .addOnSuccessListener { res -> promise.resolve((res.token())) }
+      integrityTokenResponse.addOnSuccessListener { res -> promise.resolve((res.token())) }
         .addOnFailureListener { ex ->
           ModuleException.REQUEST_TOKEN_FAILED.reject(
-            promise,
-            Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
+            promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
           )
         }
     } catch (_: UninitializedPropertyAccessException) {
       ModuleException.PREPARE_NOT_CALLED.reject(promise)
     } catch (e: Exception) {
       ModuleException.REQUEST_TOKEN_FAILED.reject(
-        promise,
-        Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
+        promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
       )
     }
   }
@@ -177,9 +170,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
       val keyInfo = factory.getKeySpec(key, KeyInfo::class.java)
       return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
         //
-        keyInfo.securityLevel == SECURITY_LEVEL_TRUSTED_ENVIRONMENT
-          || keyInfo.securityLevel == SECURITY_LEVEL_STRONGBOX
-          || keyInfo.securityLevel == SECURITY_LEVEL_UNKNOWN_SECURE
+        keyInfo.securityLevel == SECURITY_LEVEL_TRUSTED_ENVIRONMENT || keyInfo.securityLevel == SECURITY_LEVEL_STRONGBOX || keyInfo.securityLevel == SECURITY_LEVEL_UNKNOWN_SECURE
       } else {
         @Suppress("DEPRECATION") return keyInfo.isInsideSecureHardware
       }
@@ -202,16 +193,11 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    */
   @RequiresApi(Build.VERSION_CODES.N)
   private fun generateAttestationKey(
-    keyAlias: String,
-    challenge: ByteArray,
-    hasStrongBox: Boolean
+    keyAlias: String, challenge: ByteArray, hasStrongBox: Boolean
   ): KeyPair {
-    val builder =
-      KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_SIGN)
-        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")) // P-256
-        .setDigests(KeyProperties.DIGEST_SHA256)
-        .setKeySize(256)
-        .setAttestationChallenge(challenge)
+    val builder = KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_SIGN)
+      .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1")) // P-256
+      .setDigests(KeyProperties.DIGEST_SHA256).setKeySize(256).setAttestationChallenge(challenge)
     if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && hasStrongBox) {
       builder.setIsStrongBoxBacked(true)
     }
@@ -248,8 +234,10 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
           return@Thread
         }
         val alias = keyAlias ?: "attestationKeyAlias"
-        val hasStrongBox = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
-          reactApplicationContext.packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)
+        val hasStrongBox =
+          Build.VERSION.SDK_INT >= Build.VERSION_CODES.P && reactApplicationContext.packageManager.hasSystemFeature(
+            PackageManager.FEATURE_STRONGBOX_KEYSTORE
+          )
         val keyPair = generateAttestationKey(alias, challenge.toByteArray(), hasStrongBox)
         if (!isKeyHardwareBacked(keyPair.private)) {
           // We check if the key is hardware backed just to be sure exclude software fallback
@@ -269,8 +257,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
         promise.resolve(encodedAttestation)
       } catch (e: Exception) {
         ModuleException.REQUEST_ATTESTATION_FAILED.reject(
-          promise,
-          Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
+          promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
         )
       }
     }.start()
@@ -299,13 +286,15 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
     private enum class ModuleException(
       val ex: Exception
     ) {
-      WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT(Exception("WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT")),
-      PREPARE_FAILED(Exception("PREPARE_TOKEN_EXCEPTION")),
-      PREPARE_NOT_CALLED(Exception("PREPARE_NOT_CALLED")),
-      REQUEST_TOKEN_FAILED(Exception("REQUEST_TOKEN_FAILED")),
-      REQUEST_ATTESTATION_FAILED(Exception("REQUEST_ATTESTATION_FAILED")),
-      KEY_IS_NOT_HARDWARE_BACKED(Exception("KEY_IS_NOT_HARDWARE_BACKED")),
-      UNSUPPORTED_DEVICE(Exception("UNSUPPORTED_DEVICE"));
+      WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT(Exception("WRONG_GOOGLE_CLOUD_PROJECT_NUMBER_FORMAT")), PREPARE_FAILED(
+        Exception("PREPARE_TOKEN_EXCEPTION")
+      ),
+      PREPARE_NOT_CALLED(Exception("PREPARE_NOT_CALLED")), REQUEST_TOKEN_FAILED(Exception("REQUEST_TOKEN_FAILED")), REQUEST_ATTESTATION_FAILED(
+        Exception("REQUEST_ATTESTATION_FAILED")
+      ),
+      KEY_IS_NOT_HARDWARE_BACKED(Exception("KEY_IS_NOT_HARDWARE_BACKED")), UNSUPPORTED_DEVICE(
+        Exception("UNSUPPORTED_DEVICE")
+      );
 
       /**
        * Rejects the provided promise with the appropriate error message and additional data.

From 29515ed470eb11f83c18dcba546bb640e4fbfe2d Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 17:38:06 +0100
Subject: [PATCH 54/64] chore: add console warns when env is missing

---
 backend/src/android/androidRouter.ts |  4 +---
 backend/src/index.ts                 | 24 +++++++++++++++++++++++-
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/backend/src/android/androidRouter.ts b/backend/src/android/androidRouter.ts
index 08758dd..223ff45 100644
--- a/backend/src/android/androidRouter.ts
+++ b/backend/src/android/androidRouter.ts
@@ -1,5 +1,6 @@
 import express, { Router } from 'express';
 import { verifyAttestation, verifyIntegrityToken } from './androidIntegrity';
+import { ANDROID_BUNDLE_IDENTIFIER, GOOGLE_APPLICATION_CREDENTIALS } from '..';
 
 const router: Router = express.Router();
 
@@ -14,9 +15,6 @@ router.post('/verifyIntegrityToken', async (req, res) => {
   console.debug(
     `Play integrity verdict was requested: ${JSON.stringify(req.body, null, 2)}`
   );
-  const GOOGLE_APPLICATION_CREDENTIALS =
-    process.env.GOOGLE_APPLICATION_CREDENTIALS;
-  const ANDROID_BUNDLE_IDENTIFIER = process.env.ANDROID_BUNDLE_IDENTIFIER;
   if (!GOOGLE_APPLICATION_CREDENTIALS || !ANDROID_BUNDLE_IDENTIFIER) {
     res.status(500).send({
       error:
diff --git a/backend/src/index.ts b/backend/src/index.ts
index d550c4e..3f966f9 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -22,6 +22,10 @@ let attestation: any = null;
 // The bundle identifier and team identifier are used to verify the attestation and assertion.
 const BUNDLE_IDENTIFIER = process.env.BUNDLE_IDENTIFIER || '';
 const TEAM_IDENTIFIER = process.env.TEAM_IDENTIFIER || '';
+export const GOOGLE_APPLICATION_CREDENTIALS =
+  process.env.GOOGLE_APPLICATION_CREDENTIALS || '';
+export const ANDROID_BUNDLE_IDENTIFIER =
+  process.env.ANDROID_BUNDLE_IDENTIFIER || '';
 
 /**
  * Router for the android specific endpoints.
@@ -115,5 +119,23 @@ app.post(`/assertion/verify`, (req, res) => {
 });
 
 app.listen(port, () => {
-  console.log(`[server]: Server is running at http://localhost:${port}`);
+  console.log(`[server] server is running at http://localhost:${port}`);
+  // Check if the environment variables are set, if not, a warning is displayed.
+  if (!GOOGLE_APPLICATION_CREDENTIALS)
+    console.warn('[server] GOOGLE_APPLICATION_CREDENTIALS is not set in .env');
+  else {
+    try {
+      JSON.parse(GOOGLE_APPLICATION_CREDENTIALS);
+    } catch (error) {
+      console.warn(
+        '[server] GOOGLE_APPLICATION_CREDENTIALS is not a valid JSON in .env'
+      );
+    }
+  }
+  if (!ANDROID_BUNDLE_IDENTIFIER)
+    console.warn('[server] ANDROID_BUNDLE_IDENTIFIER is not set in .env');
+  if (!BUNDLE_IDENTIFIER)
+    console.warn('[server] BUNDLE_IDENTIFIER is not set in .env');
+  if (!TEAM_IDENTIFIER)
+    console.warn('[server] TEAM_IDENTIFIER is not set in .env');
 });

From ef557e22239321d79532c5e5041ca87a3e9f0889 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 17:50:59 +0100
Subject: [PATCH 55/64] chore: minor adjustments

---
 .../ioreactnativeintegrity/IoReactNativeIntegrityModule.kt    | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index 30145d1..3e2a372 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -18,10 +18,8 @@ import com.facebook.react.bridge.WritableMap
 import com.facebook.react.bridge.WritableNativeMap
 import com.google.android.gms.common.ConnectionResult
 import com.google.android.gms.common.GoogleApiAvailability
-import com.google.android.gms.tasks.Task
 import com.google.android.play.core.integrity.IntegrityManagerFactory
 import com.google.android.play.core.integrity.StandardIntegrityManager
-import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityToken
 import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityTokenProvider
 import com.google.android.play.core.integrity.StandardIntegrityManager.StandardIntegrityTokenRequest
 import java.security.KeyFactory
@@ -188,7 +186,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
    * If the key is in secure hardware, and if the secure hardware supports attestation,
    * the certificate will be signed by a chain of certificates rooted at a trustworthy CA key.
    * Otherwise the chain will be rooted at an untrusted certificate.
-   * @param useStrongBox indicates whether or not the key pair will be stored using StrongBox.
+   * @param hasStrongBox indicates whether or not the key pair will be stored using StrongBox.
    * @returns the generated key pair.
    */
   @RequiresApi(Build.VERSION_CODES.N)

From 7d08a89cf6d8dc047ccb0a01749e473046e60276 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 17:56:32 +0100
Subject: [PATCH 56/64] refactor: remove lateinit

---
 .../IoReactNativeIntegrityModule.kt               | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index 3e2a372..61c7563 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -37,7 +37,7 @@ import java.security.spec.ECGenParameterSpec
 class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
   ReactContextBaseJavaModule(reactContext) {
 
-  private lateinit var integrityTokenProvider: StandardIntegrityTokenProvider
+  private var integrityTokenProvider: StandardIntegrityTokenProvider? = null
 
   private val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER)
 
@@ -133,17 +133,18 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
   @ReactMethod
   fun requestIntegrityToken(requestHash: String?, promise: Promise) {
     try {
-      val integrityTokenResponse = integrityTokenProvider.request(
+      val integrityTokenResponse = integrityTokenProvider?.request(
         StandardIntegrityTokenRequest.builder().setRequestHash(requestHash).build()
       )
-      integrityTokenResponse.addOnSuccessListener { res -> promise.resolve((res.token())) }
-        .addOnFailureListener { ex ->
+      integrityTokenResponse?.apply {
+        addOnSuccessListener { res -> promise.resolve((res.token())) }
+        addOnFailureListener { ex ->
           ModuleException.REQUEST_TOKEN_FAILED.reject(
-            promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
+            promise,
+            Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
           )
         }
-    } catch (_: UninitializedPropertyAccessException) {
-      ModuleException.PREPARE_NOT_CALLED.reject(promise)
+      } ?: ModuleException.PREPARE_NOT_CALLED.reject(promise)
     } catch (e: Exception) {
       ModuleException.REQUEST_TOKEN_FAILED.reject(
         promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))

From 0bc6183bb25995c50a0dcf2308bcc7507e024394 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <LazyAfternoons@users.noreply.github.com>
Date: Thu, 28 Mar 2024 18:00:06 +0100
Subject: [PATCH 57/64] chore: update example app

Co-authored-by: Fabio Bombardi <16268789+shadowsheep1@users.noreply.github.com>
---
 example/src/AndroidApp.tsx | 93 ++++++++++++++++++++++++--------------
 1 file changed, 58 insertions(+), 35 deletions(-)

diff --git a/example/src/AndroidApp.tsx b/example/src/AndroidApp.tsx
index 8d25456..55355e5 100644
--- a/example/src/AndroidApp.tsx
+++ b/example/src/AndroidApp.tsx
@@ -142,42 +142,49 @@ export default function AndroidApp() {
     }
   };
 
-  return (
+return (
     <SafeAreaView style={styles.container}>
-      <Text style={styles.h1}>Integrity Check Demo App</Text>
-      {isServiceAvailable ? (
+      <ScrollView contentContainerStyle={styles.scrollViewContentContainer}>
+        <Text style={styles.h1}>Integrity Check Demo App</Text>
+        {isServiceAvailable ? (
+          <>
+            <Text style={styles.h2}>Play Integrity Standard Request</Text>
+            <ButtonWithLoader
+              title="Prepare"
+              onPress={() => prepare()}
+              loading={isPrepareLoading}
+            />
+            <View style={styles.spacer} />
+            <ButtonWithLoader
+              title="Get token"
+              onPress={() => requestToken()}
+              loading={isRequestTokenLoading}
+            />
+            <View style={styles.spacer} />
+            <ButtonWithLoader
+              title="Verify Token"
+              onPress={() => verifyToken()}
+              loading={isVerifyintegrityTokenLoading}
+            />
+            <View style={styles.spacer} />
+            <Text style={styles.h2}>Key Attestation</Text>
+            <ButtonWithLoader
+              title="Get attestation"
+              onPress={() => requestAttestation()}
+              loading={isGetAttestationLoading}
+            />
+            <View style={styles.spacer} />
+            <ButtonWithLoader
+              title="Verify attestation"
+              onPress={() => verifyAttestation()}
+              loading={isVerifyAttestationLoading}
+            />
+            <View style={styles.spacer} />
+          </>
+        ) : null}
         <>
-          <Text>Play Integrity Standard Request</Text>
-          <ButtonWithLoader
-            title="Prepare"
-            onPress={() => prepare()}
-            loading={isPrepareLoading}
-          />
-          <ButtonWithLoader
-            title="Get token"
-            onPress={() => requestToken()}
-            loading={isRequestTokenLoading}
-          />
-          <ButtonWithLoader
-            title="Verify Token"
-            onPress={() => verifyToken()}
-            loading={isVerifyintegrityTokenLoading}
-          />
-          <Text>Key Attestation</Text>
-          <ButtonWithLoader
-            title="Get attestation"
-            onPress={() => requestAttestation()}
-            loading={isGetAttestationLoading}
-          />
-          <ButtonWithLoader
-            title="Verify attestation"
-            onPress={() => verifyAttestation()}
-            loading={isVerifyAttestationLoading}
-          />
+          <Text>{debugLog}</Text>
         </>
-      ) : null}
-      <ScrollView style={styles.debug}>
-        <Text>{debugLog}</Text>
       </ScrollView>
     </SafeAreaView>
   );
@@ -188,12 +195,28 @@ const styles = StyleSheet.create({
     flex: 1,
     alignItems: 'center',
   },
+  scrollViewContentContainer: {
+    justifyContent: 'center',
+    alignItems: 'center',
+    flexGrow: 1,
+    padding: 10,
+  },
   h1: {
     fontWeight: 'bold',
     fontSize: 32,
     textAlign: 'center',
-    marginTop: 50,
-    marginBottom: 50,
+    marginTop: 16,
+    marginBottom: 16,
+  },
+  h2: {
+    fontWeight: 'bold',
+    fontSize: 16,
+    textAlign: 'center',
+    marginTop: 16,
+    marginBottom: 16,
+  },
+  spacer: {
+    height: 8,
   },
   debug: {
     width: '100%',

From 60ce68ce7e4e6cc3b00a9a1b279f1ae57c1b273a Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Thu, 28 Mar 2024 18:02:03 +0100
Subject: [PATCH 58/64] fix: missing import

---
 example/src/AndroidApp.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example/src/AndroidApp.tsx b/example/src/AndroidApp.tsx
index 55355e5..986a3a3 100644
--- a/example/src/AndroidApp.tsx
+++ b/example/src/AndroidApp.tsx
@@ -1,5 +1,5 @@
 import * as React from 'react';
-import { StyleSheet, SafeAreaView, Text, ScrollView } from 'react-native';
+import { StyleSheet, SafeAreaView, Text, ScrollView, View } from 'react-native';
 import {
   getAttestation,
   isPlayServicesAvailable,
@@ -142,7 +142,7 @@ export default function AndroidApp() {
     }
   };
 
-return (
+  return (
     <SafeAreaView style={styles.container}>
       <ScrollView contentContainerStyle={styles.scrollViewContentContainer}>
         <Text style={styles.h1}>Integrity Check Demo App</Text>

From 77967ffc11c1180a96c2a875d78f7cc944efe987 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 29 Mar 2024 10:39:14 +0100
Subject: [PATCH 59/64] refactor: remove init

---
 .../IoReactNativeIntegrityModule.kt           | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index 61c7563..1d20f88 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -39,13 +39,19 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
 
   private var integrityTokenProvider: StandardIntegrityTokenProvider? = null
 
-  private val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER)
-
   /**
-   * Constructor which initializes the keystore engine.
+   * Lazily initialize the keystore manager only when the variable is called,
+   * otherwise it won't be created. Once created the same object will be used during
+   * its lifecycle.
    */
-  init {
-    keyStore.load(null)
+  private val keyStore: KeyStore? by lazy {
+    try {
+      KeyStore.getInstance(KEYSTORE_PROVIDER).also {
+        it.load(null)
+      }
+    } catch (e: Exception) {
+      null
+    }
   }
 
   /**
@@ -243,10 +249,10 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
           ModuleException.KEY_IS_NOT_HARDWARE_BACKED.reject(promise)
           return@Thread
         }
-        val chain = keyStore.getCertificateChain(alias)
+        val chain = keyStore?.getCertificateChain(alias)
         // The certificate chain consists of an array of certificates, thus we concat them into a string
         var attestations = arrayOf<String>()
-        chain.forEachIndexed { _, certificate ->
+        chain?.forEachIndexed { _, certificate ->
           val cert = Base64.encodeToString(certificate.encoded, Base64.DEFAULT)
           attestations += cert
         }

From d42b80245072ce0e61923798b8a68f47693c86b6 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 29 Mar 2024 13:10:20 +0100
Subject: [PATCH 60/64] fix: empty certifications array

---
 .../IoReactNativeIntegrityModule.kt           | 32 +++++++++++--------
 src/index.tsx                                 |  3 +-
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index 1d20f88..9199ff2 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -146,8 +146,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
         addOnSuccessListener { res -> promise.resolve((res.token())) }
         addOnFailureListener { ex ->
           ModuleException.REQUEST_TOKEN_FAILED.reject(
-            promise,
-            Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
+            promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(ex))
           )
         }
       } ?: ModuleException.PREPARE_NOT_CALLED.reject(promise)
@@ -249,17 +248,21 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
           ModuleException.KEY_IS_NOT_HARDWARE_BACKED.reject(promise)
           return@Thread
         }
-        val chain = keyStore?.getCertificateChain(alias)
-        // The certificate chain consists of an array of certificates, thus we concat them into a string
-        var attestations = arrayOf<String>()
-        chain?.forEachIndexed { _, certificate ->
-          val cert = Base64.encodeToString(certificate.encoded, Base64.DEFAULT)
-          attestations += cert
-        }
-        val concatenatedAttestations = attestations.joinToString(",")
-        val encodedAttestation =
-          Base64.encodeToString(concatenatedAttestations.toByteArray(), Base64.DEFAULT)
-        promise.resolve(encodedAttestation)
+        keyStore?.let {
+          val chain = it.getCertificateChain(alias)
+          // The certificate chain consists of an array of certificates, thus we concat them into a string
+          var attestations = arrayOf<String>()
+          chain?.forEachIndexed { _, certificate ->
+            val cert = Base64.encodeToString(certificate.encoded, Base64.DEFAULT)
+            attestations += cert
+          }
+          val concatenatedAttestations = attestations.joinToString(",")
+          val encodedAttestation =
+            Base64.encodeToString(concatenatedAttestations.toByteArray(), Base64.DEFAULT)
+          promise.resolve(encodedAttestation)
+        } ?: ModuleException.KEYSTORE_NOT_INITIALIZED.reject(
+          promise
+        )
       } catch (e: Exception) {
         ModuleException.REQUEST_ATTESTATION_FAILED.reject(
           promise, Pair(ERROR_USER_INFO_KEY, getExceptionMessageOrEmpty(e))
@@ -299,7 +302,8 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
       ),
       KEY_IS_NOT_HARDWARE_BACKED(Exception("KEY_IS_NOT_HARDWARE_BACKED")), UNSUPPORTED_DEVICE(
         Exception("UNSUPPORTED_DEVICE")
-      );
+      ),
+      KEYSTORE_NOT_INITIALIZED(Exception("KEYSTORE_NOT_INITIALIZED"));
 
       /**
        * Rejects the provided promise with the appropriate error message and additional data.
diff --git a/src/index.tsx b/src/index.tsx
index 0cd2b64..f7a3ba7 100644
--- a/src/index.tsx
+++ b/src/index.tsx
@@ -11,7 +11,8 @@ type IntegrityErrorCodesAndroid =
   | 'REQUEST_TOKEN_FAILED'
   | 'REQUEST_ATTESTATION_FAILED'
   | 'KEY_IS_NOT_HARDWARE_BACKED'
-  | 'UNSUPPORTED_DEVICE';
+  | 'UNSUPPORTED_DEVICE'
+  | 'KEYSTORE_NOT_INITIALIZED';
 
 /**
  * Error codes returned by the iOS module.

From d198b6bc4f450b8c8929eb8bc960871d0160ee1d Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 29 Mar 2024 13:12:29 +0100
Subject: [PATCH 61/64] chore: remove safe call

---
 .../ioreactnativeintegrity/IoReactNativeIntegrityModule.kt      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
index 9199ff2..c59e6ce 100644
--- a/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
+++ b/android/src/main/java/com/pagopa/ioreactnativeintegrity/IoReactNativeIntegrityModule.kt
@@ -252,7 +252,7 @@ class IoReactNativeIntegrityModule(reactContext: ReactApplicationContext) :
           val chain = it.getCertificateChain(alias)
           // The certificate chain consists of an array of certificates, thus we concat them into a string
           var attestations = arrayOf<String>()
-          chain?.forEachIndexed { _, certificate ->
+          chain.forEachIndexed { _, certificate ->
             val cert = Base64.encodeToString(certificate.encoded, Base64.DEFAULT)
             attestations += cert
           }

From 19f0ca271b7c97e10edf2968379ac3837b0b7ec6 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 5 Apr 2024 17:49:56 +0200
Subject: [PATCH 62/64] chore: use destructured req object

---
 backend/src/android/androidRouter.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/android/androidRouter.ts b/backend/src/android/androidRouter.ts
index 223ff45..9a89378 100644
--- a/backend/src/android/androidRouter.ts
+++ b/backend/src/android/androidRouter.ts
@@ -25,7 +25,7 @@ router.post('/verifyIntegrityToken', async (req, res) => {
   try {
     const googleCredentials = JSON.parse(GOOGLE_APPLICATION_CREDENTIALS);
     const { integrityToken } = req.body;
-    if (req.body.integrityToken === undefined) {
+    if (integrityToken === undefined) {
       res.status(400).send({ error: 'Invalid integrity token' });
       return;
     }

From ed771359fb56f9a65ef729325d896a72973acc50 Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 5 Apr 2024 17:56:01 +0200
Subject: [PATCH 63/64] chore: remove unwanted changes

---
 ios/IoReactNativeIntegrity.swift | 161 -------------------------------
 1 file changed, 161 deletions(-)

diff --git a/ios/IoReactNativeIntegrity.swift b/ios/IoReactNativeIntegrity.swift
index c1a2f28..48eb79b 100644
--- a/ios/IoReactNativeIntegrity.swift
+++ b/ios/IoReactNativeIntegrity.swift
@@ -201,165 +201,4 @@ class IoReactNativeIntegrity: NSObject {
       reject("\(error.code)", error.domain, error)
     }
   }
-  
-  /// Generates a hardware key using the DeviceCheck App Attestation Service.
-  /// - Parameters:
-  ///   - resolve: The promise resolve block to call with the hardware key tag.
-  ///   - reject: The promise reject block to call in case of an error.
-  @objc(generateHardwareKey:withRejecter:)
-  func generateHardwareKey(resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
-    
-    guard #available(iOS 14.0, *) else {
-      ME.unsupportedIOSVersion.reject(reject: reject)
-      return
-    }
-    
-    if DCAppAttestService.shared.isSupported {
-      let service = DCAppAttestService.shared
-      
-      service.generateKey { hardwareKeyTag, error in
-          
-        guard error == nil else {
-          ME.generationKeyFailed.reject(reject: reject, ("error", error?.localizedDescription ?? ""))
-          return
-        }
-          
-        resolve(hardwareKeyTag)
-          
-      }
-    } else {
-      ME.unsupportedService.reject(reject: reject);
-    }
-  }
-  
-  /// Requests an attestation of the hardware key for a given challenge.
-  /// - Parameters:
-  ///   - challenge: A string representing the challenge for which the attestation is requested.
-  ///   - hardwareKeyTag: A string representing the hardware key tag to be attested.
-  ///   - resolve: The promise resolve block to call with the attestation result.
-  ///   - reject: The promise reject block to call in case of an error.
-  @objc(getAttestation:withHardwareKeyTag:withResolver:withRejecter:)
-  func getAttestation(challenge: String, hardwareKeyTag: String, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
-    
-    guard #available(iOS 14.0, *) else {
-      ME.unsupportedIOSVersion.reject(reject: reject);
-      return
-    }
-    
-    if DCAppAttestService.shared.isSupported {
-      let service = DCAppAttestService.shared
-      
-      // Safely encode the challenge string to data and generate a hash.
-      guard let challengeData = challenge.data(using: .utf8) else {
-        ME.challengeError.reject(reject: reject)
-        return
-      }
-      let hash = Data(SHA256.hash(data: challengeData))
-      
-      // Request attestation with the generated hash and handle the response
-      service.attestKey(hardwareKeyTag, clientDataHash: hash) {attestation, error in
-            
-        guard error == nil else {
-          ME.attestationError.reject(reject: reject, ("error", error?.localizedDescription ?? ""))
-          return
-        }
-        
-        let encodedAttestation = attestation?.base64EncodedString()
-          resolve(encodedAttestation)
-        }
-        
-    } else {
-      ME.unsupportedService.reject(reject: reject)
-    }
-  }
-  
-  /// Requests an hardwareSignature with assertion for a given clientData and hardwareKeyTag.
-  /// - Parameters:
-  ///   - clientData: A string representing the clientData (challange+publicJwkEphimeralKey)).
-  ///   - hardwareKeyTag: A string representing the hardware key tag to be attested.
-  ///   - resolve: The promise resolve block to call with the attestation result.
-  ///   - reject: The promise reject block to call in case of an error.
-  @objc(generateHardwareSignatureWithAssertion:withHardwareKeyTag:withResolver:withRejecter:)
-  func generateHardwareSignatureWithAssertion(clientData: String, hardwareKeyTag: String, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) -> Void {
-    
-    guard #available(iOS 14.0, *) else {
-      ME.unsupportedIOSVersion.reject(reject: reject)
-      return
-    }
-    
-    if DCAppAttestService.shared.isSupported {
-      let service = DCAppAttestService.shared
-      
-      // Safely encode the clientData string to data and generate a hash.
-      guard let encodedClientData = clientData.data(using: .utf8) else {
-        ME.clientDataEncodingError.reject(reject: reject)
-        return
-      }
-      
-      let clientDataHash = Data(SHA256.hash(data: encodedClientData))
-      
-      service.generateAssertion(hardwareKeyTag, clientDataHash: clientDataHash) { assertion, error in
-        
-        guard error == nil else {
-          ME.generationAssertionFailed.reject(reject: reject, ("error", error?.localizedDescription ?? ""))
-          return
-        }
-        
-        let encodedAssertion = assertion?.base64EncodedString()
-        resolve(encodedAssertion)
-        
-      }
-    } else {
-      ME.unsupportedService.reject(reject: reject)
-    }
-  }
-  
-  /// A private enum to handle exceptions and errors.
-  /// - generationKeyFailed: The hardware key generation failed.
-  /// - unsupportedService: The DeviceCheck App Attestation Service is not supported.
-  /// - attestationError: The attestation request failed.
-  /// - unsupportedIOSVersion: The iOS version is not supported.
-  /// - challengeError: The challenge encoding failed.
-  /// - clientDataEncodingError: The clientData encoding failed.
-  /// - generationAssertionFailed: The assertion generation failed.
-  private enum ModuleException: String, CaseIterable {
-    
-    case generationKeyFailed = "GENERATION_KEY_FAILED"
-    case unsupportedService = "UNSUPPORTED_SERVICE"
-    case attestationError = "ATTESTATION_ERROR"
-    case unsupportedIOSVersion = "UNSUPPORTED_IOS_VERSION"
-    case challengeError = "CHALLANGE_ERROR"
-    case clientDataEncodingError = "CLIENT_DATA_ENCODING_ERROR"
-    case generationAssertionFailed = "GENERATION_ASSERTION_FAILED"
-      
-      func error(userInfo: [String : Any]? = nil) -> NSError {
-        switch self {
-        case .generationKeyFailed:
-          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
-        case .unsupportedService:
-          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
-        case .attestationError:
-          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
-        case .unsupportedIOSVersion:
-          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
-        case .challengeError:
-          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
-        case .clientDataEncodingError:
-          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
-        case .generationAssertionFailed:
-          return NSError(domain: self.rawValue, code: -1, userInfo: userInfo)
-        }
-      }
-      
-      /// Rejects a promise with the error.
-      /// - Parameters:
-      ///  - reject: The promise reject block to call in case of an error.
-      ///  - moreUserInfo: A list of tuples to add more information to the error.
-      func reject(reject: RCTPromiseRejectBlock, _ moreUserInfo: (String, Any)...) {
-        var userInfo = [String : Any]()
-        moreUserInfo.forEach { userInfo[$0.0] = $0.1 }
-        let error = error(userInfo: userInfo)
-        reject("\(error.code)", error.domain, error)
-      }
-    }
 }

From f8f1d6100b177c494cb2eb90a9f8b5b9f944b1cb Mon Sep 17 00:00:00 2001
From: LazyAfternoons <lazyafternoons@outlook.it>
Date: Fri, 5 Apr 2024 18:18:27 +0200
Subject: [PATCH 64/64] chore: remove unwanted changes

---
 example/.env.local | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/example/.env.local b/example/.env.local
index 5eb8e34..ffa9013 100644
--- a/example/.env.local
+++ b/example/.env.local
@@ -1,4 +1,3 @@
-# Backend address for remote verification
-BACKEND_ADDRESS = "http://127.0.0.1:3000"
-# Google Cloud Project Number
+# Example BACKEND_ADDRESS = "http://192.168.0.1:3000"
+BACKEND_ADDRESS = ""
 GOOGLE_CLOUD_PROJECT_NUMBER = ""