AttestationVerifier

    constructor(
        androidAttestationConfiguration: AndroidAttestationConfiguration,
        iosAttestationConfiguration: IosAttestationConfiguration,
        attestationProofOID: <Error class: unknown class> = WardenDefaults.OIDs.ATTESTATION_PROOF,
        includeGenericDeviceName: Boolean = true,
        clock: Clock = Clock.System,
        verificationTimeOffset: Duration = Makoto.DEFAULT_TIME_OFFSET,
        defaultKeyConstraints: <Error class: unknown class>? = WardenDefaults.KeyConstraints.p256Signer,
        nonceValidity: Duration = Makoto.shortestDuration(
            iosAttestationConfiguration.attestationStatementValiditySeconds,
            androidAttestationConfiguration.attestationStatementValiditySeconds
        ),
        nonceGenerator: NonceGenerator = suspend { CryptoRand.nextBytes(ByteArray(64)) },
        challengeValidator: ChallengeValidator = InMemoryChallengeCache(clock, verificationTimeOffset)
    )

Parameters

androidAttestationConfiguration

Configuration for Android key attestation. See AndroidAttestationConfiguration for details.

iosAttestationConfiguration

iOS App Attest configuration. See IosAttestationConfiguration for details.

attestationProofOID

specifies the OID used in a CSR to convey an attestation statement. Can be overridden; defaults to WardenDefaults.OIDs.ATTESTATION_PROOF.

includeGenericDeviceName

specifies whether to include a generic make and model (such as "Google Pixel 8" or "iPhone 16") with the attestation proof. This is not the device's nickname and therefore cannot, on its own, identify a person. Defaults to true, as it is very useful technical, non-personally-identifying data.

clock

a clock that sets the time of verification (used for certificate validity checks).

verificationTimeOffset

allows for fine-grained clock drift compensation (this offsets the certificate validity checks and the attestation statement validity checks); can be negative. Note that this is a real offset that shifts the validity time window; it does not extend it!

defaultKeyConstraints

allows for specifying key constraints to be sent to the client. Not all platforms can restrict key usage and properties!

nonceValidity

indicates how long issued nonces remain valid. As the default value Makoto.shortestDuration(...) shows, this defaults to the shorter of the passed IosAttestationConfiguration.attestationStatementValiditySeconds and AndroidAttestationConfiguration.attestationStatementValiditySeconds, so a nonce never outlives the attestation statement it is bound to.

nonceGenerator

responsible for generating nonces to ensure the freshness of issued challenges. Defaults to WardenDefaults.nonceGenerator, which generates secure random 64-byte nonces.

challengeValidator

lambda that checks a challenge's validity and invalidates it once used, so that a nonce is accepted at most once. Defaults to an InMemoryChallengeCache bound to the configured clock and verificationTimeOffset.
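To make the interplay of clock, verificationTimeOffset, nonceValidity and challengeValidator concrete, here is an added, self-contained Kotlin sketch of a single-use challenge cache. It is not Warden's InMemoryChallengeCache; the class name, method names and the millisecond clock lambda are assumptions made for this illustration, and the nonces are constructed rather than randomly generated.

```kotlin
import kotlin.time.Duration
import kotlin.time.Duration.Companion.minutes
import kotlin.time.Duration.Companion.seconds

// Hypothetical single-use challenge cache (illustration only, not Warden's own class).
class SingleUseChallengeCache(
    private val nowMillis: () -> Long,   // injectable clock, like the `clock` parameter
    private val timeOffset: Duration,    // like `verificationTimeOffset`: shifts the window, never widens it
    private val validity: Duration,      // like `nonceValidity`
) {
    // nonce bytes (as a List for structural equality) -> issue time in epoch millis
    private val issued = HashMap<List<Byte>, Long>()

    /** Record the issue time of a freshly generated nonce. */
    fun issue(nonce: ByteArray): ByteArray {
        issued[nonce.toList()] = nowMillis()
        return nonce
    }

    /** Accept a nonce at most once, and only while it is inside its validity window. */
    fun validate(nonce: ByteArray): Boolean {
        // remove() consumes the nonce: an unknown or already-used nonce is rejected
        val issuedAt = issued.remove(nonce.toList()) ?: return false
        // the offset moves the verification instant; the window length stays `validity`
        val verificationTime = nowMillis() + timeOffset.inWholeMilliseconds
        val age = verificationTime - issuedAt
        return age >= 0 && age <= validity.inWholeMilliseconds
    }
}

fun main() {
    var fakeNow = 1_700_000_000_000L   // constructed epoch millis, advanced manually below
    val cache = SingleUseChallengeCache({ fakeNow }, timeOffset = 30.seconds, validity = 5.minutes)

    val fresh = cache.issue(ByteArray(64) { it.toByte() })            // constructed nonce
    val stale = cache.issue(ByteArray(64) { (255 - it).toByte() })    // constructed nonce

    fakeNow += 1.minutes.inWholeMilliseconds
    println("fresh, first use:  " + cache.validate(fresh))
    println("fresh, replayed:   " + cache.validate(fresh))   // consumed on first use

    // 4m45s of wall-clock time plus the +30s offset puts verification past the 5-minute window
    fakeNow += 3.minutes.inWholeMilliseconds + 45.seconds.inWholeMilliseconds
    println("stale, past window: " + cache.validate(stale))
}
```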


    constructor(
        makoto: Makoto,
        attestationProofOID: <Error class: unknown class> = WardenDefaults.OIDs.ATTESTATION_PROOF,
        includeGenericDeviceName: Boolean = true,
        defaultKeyConstraints: <Error class: unknown class>? = WardenDefaults.KeyConstraints.p256Signer,
        nonceValidity: Duration = makoto.shortestValidityDuration,
        nonceGenerator: NonceGenerator = WardenDefaults.nonceGenerator,
        challengeValidator: ChallengeValidator = InMemoryChallengeCache(makoto.clock, -makoto.verificationTimeOffset)
    )