roboto/at.asitplus.attestation.android/AndroidAttestationConfiguration/AndroidAttestationConfiguration

AndroidAttestationConfiguration

constructor(singleApp: AndroidAttestationConfiguration.AppData, androidVersion: Int? = null, patchLevel: PatchLevel? = null, requireStrongBox: Boolean = false, allowBootloaderUnlock: Boolean = false, requireRollbackResistance: Boolean = false, ignoreLeafValidity: Boolean = false, hardwareAttestationTrustAnchors: Set<PublicKey> = linkedSetOf(*DEFAULT_HARDWARE_TRUST_ANCHORS), softwareAttestationTrustAnchors: Set<PublicKey> = linkedSetOf(*DEFAULT_SOFTWARE_TRUST_ANCHORS), verificationSecondsOffset: Long = 0, attestationStatementValiditySeconds: Long? = 5 * 60, disableHardwareAttestation: Boolean = false, enableNougatAttestation: Boolean = false, enableSoftwareAttestation: Boolean = false, httpProxy: String? = null, requireRemoteKeyProvisioning: Boolean = false)(source)

Convenience constructor to attest a single app

constructor(version: Int? = null, patchLevel: PatchLevel? = null, requireStrongBox: Boolean = false, allowBootloaderUnlock: Boolean = false, requireRollbackResistance: Boolean = false, ignoreLeafValidity: Boolean = false, verificationSecondsOffset: Long = 0, attestationStatementValiditySeconds: Long? = 5 * 60, disableHardwareAttestation: Boolean = false, enableNougatAttestation: Boolean = false, enableSoftwareAttestation: Boolean = false, hardwareAttestationRootKeys: Set<ByteArray> = DEFAULT_HARDWARE_TRUST_ANCHORS.map { it.encoded }.toSet(), softwareAttestationRootKeys: Set<ByteArray> = DEFAULT_SOFTWARE_TRUST_ANCHORS.map { it.encoded }.toSet(), apps: List<AndroidAttestationConfiguration.AppData>, httpProxy: String? = null, requireRemoteKeyProvisioning: Boolean = false)(source)

Constructor used when loading this class from a config file through Hoplite

@JvmOverloads

constructor(applications: List<AndroidAttestationConfiguration.AppData>, androidVersion: Int? = null, patchLevel: PatchLevel? = null, requireStrongBox: Boolean = false, allowBootloaderUnlock: Boolean = false, requireRollbackResistance: Boolean = false, ignoreLeafValidity: Boolean = false, hardwareAttestationTrustAnchors: Set<@Serializable(with = PubKeyBasePemSerializer::class) PublicKey> = linkedSetOf(*DEFAULT_HARDWARE_TRUST_ANCHORS), softwareAttestationTrustAnchors: Set<@Serializable(with = PubKeyBasePemSerializer::class) PublicKey> = linkedSetOf(*DEFAULT_SOFTWARE_TRUST_ANCHORS), verificationSecondsOffset: Long = 0, attestationStatementValiditySeconds: Long? = 5 * 60, disableHardwareAttestation: Boolean = false, enableNougatAttestation: Boolean = false, enableSoftwareAttestation: Boolean = false, requireRemoteKeyProvisioning: Boolean = false, httpProxy: String? = null)(source)

Parameters

applications

list of applications to be attested

androidVersion

optional parameter. If set, attestation enforces Android version to be greater or equal to this parameter. Caution: Major Android versions increment in steps of ten-thousands. I.e. Android 11 is specified as 110000 Can be overridden for individual apps

patchLevel

optional parameter. If set, attestation enforces Security patch level to be greater or equal to this parameter

requireStrongBox

optional parameter. Set to true if StrongBox security level should be required

allowBootloaderUnlock

optional parameter. Set to true if unlocked bootloaders should be allowed. Attention: Allowing unlocked bootloaders in production effectively defeats the purpose of app attestation. (but retains the ability to attest whether a key is securely stored in hardware) Useful for debugging/testing

requireRollbackResistance

optional parameter. Unsupported by most devices. See Official Documentation

ignoreLeafValidity

optional parameter. Whether to ignore the timely validity of the leaf certificate (looking at you, Samsung!)

hardwareAttestationTrustAnchors

Manually specify the trust anchor for HW-attested certificate chains. Defaults to google HW attestation key. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through DEFAULT_HARDWARE_TRUST_ANCHORS

softwareAttestationTrustAnchors

Manually specify the trust anchor for SW-attested certificate chains. Defaults to google SW attestation keys. Overriding this set is useful for automated end-to-end tests, for example. The default trust anchors are accessible through DEFAULT_SOFTWARE_TRUST_ANCHORS

disableHardwareAttestation

Entirely disable creation of a HardwareAttestationChecker. Only change this flag, if you really know what you are doing!

enableNougatAttestation

Enables hybrid attestation. NougatHybridAttestationChecker can only be instantiated if this flag is set to true. Only change this flag, if you require support for devices, which originally shipped with Android 7 (Nougat), as these devices only support hardware-backed key attestation, but provide no indication about the OS state. Hence, app-attestation cannot be trusted, but key attestation still can.

enableSoftwareAttestation

Enables software attestation. A SoftwareAttestationChecker can only be instantiated if this flag is set to true. Only change this flag, if you really know what you are doing! Enabling this flag, while keeping disableHardwareAttestation true makes is possible to instantiate both a HardwareAttestationChecker and a SoftwareAttestationChecker.