supreme-client/at.asitplus.attestation.supreme/AttestationClient/getChallenge

getChallenge

suspend fun getChallenge(endpoint: Url): KmmResult<AttestationChallenge>(source)

Fetches a challenge from an endpoint. This is the first step in an attestation ceremony. This will fail if the system time is off too much:

AttestationChallenge.validUntil is earlier than the local system clock
AttestationChallenge.issuedAt is later than the local system clock

This will also fail when a challenge of a newer version was received

The reason for the second constraint is the simple fact that if the back-end's clock lags behind the local system clock (i.e., challenge issuing time is after Clock.System.now), certificate chain validation will fail, due to the leaf certificate's notBefore being in the future from the back-end's point of view.

The first contraint simply fails early for challenges that will be rejected by the back-end anyhow. Since AttestationChallenge.validUntil may be null, this check is only performed if the challenge indicates any validity.