AttestationVerifier

class AttestationVerifier(val makoto: Makoto, val attestationProofOID: ObjectIdentifier = WardenDefaults.OIDs.ATTESTATION_PROOF, val genericDeviceNameOID: ObjectIdentifier? = WardenDefaults.OIDs.DEVICE_NAME, val defaultKeyConstraints: KeyConstraints? = WardenDefaults.KeyConstraints.p256Signer, val nonceValidity: Duration = makoto.longestValidityDuration ?: IosAttestationConfiguration.DEFAULT_VALIDITY_SECONDS.seconds, nonceGenerator: NonceGenerator = WardenDefaults.nonceGenerator, challengeValidator: ChallengeValidator = InMemoryChallengeCache(makoto.clock, -makoto.verificationTimeOffset))

Verifies attestation statements and issues certificates on success. Expects a preconfigured Makoto instance defining which apps and devices are considered trustworthy.

attestationProofOID is the OID to be used in a CSR to convey an attestation statement. It can be overridden and defaults to WardenDefaults.OIDs.ATTESTATION_PROOF.

When defaultKeyConstraints is specified, all issued challenges will automatically convey these constraints, unless overridden. Note that key constraints cannot be reliably enforced due to technical client limitations: not all platforms can restrict key usage and properties! Still, Warden Supreme's client will respect the key constraints and create keys as specified.

genericDeviceNameOID indicates whether to include a generic make and model (such as "Google Pixel 8" or "iPhone 16") with the attestation proof. This is not the device's nickname and therefore cannot identify a person on its own. Defaults to WardenDefaults.OIDs.DEVICE_NAME, as it is very useful technical, non-personally-identifying data. Can be set to null to not include device names.

The nonceGenerator's responsibility is to generate nonces to ensure freshness of issued challenges. Defaults to WardenDefaults.nonceGenerator, which generates secure, random 64-byte nonces.

nonceValidity indicates how long issued nonces remain valid. This defaults to the maximum of the passed makoto's IosAttestationConfiguration.attestationStatementValiditySeconds and AndroidAttestationConfiguration.attestationStatementValiditySeconds.
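The freshness mechanism that nonceGenerator and nonceValidity describe, as an added sketch that is not Warden Supreme's own code and not its InMemoryChallengeCache: a hypothetical SingleUseNonceCache issues 64-byte random nonces and rejects them once the validity window has passed. The class name, the injected now function, the five-minute window and the single-use rule are assumptions made for illustration.

```kotlin
import java.security.SecureRandom
import java.time.Duration
import java.time.Instant
import java.util.Base64
import java.util.concurrent.ConcurrentHashMap

// Hypothetical stand-in for a challenge validator; NOT Warden Supreme's InMemoryChallengeCache.
class SingleUseNonceCache(
    private val validity: Duration,
    private val now: () -> Instant = { Instant.now() }, // injectable so expiry can be tested
) {
    private val rng = SecureRandom()
    private val issued = ConcurrentHashMap<String, Instant>() // encoded nonce -> expiry

    /** Issues a fresh 64-byte nonce and records when it stops being valid. */
    fun issue(): ByteArray {
        val current = now()
        // Drop expired entries so abandoned challenges do not accumulate.
        issued.entries.removeIf { !current.isBefore(it.value) }
        val nonce = ByteArray(64).also { rng.nextBytes(it) }
        issued[key(nonce)] = current.plus(validity)
        return nonce
    }

    /** Accepts a nonce at most once, and only inside its validity window. */
    fun consume(nonce: ByteArray): Boolean {
        // remove() is atomic, so two concurrent replays cannot both succeed.
        val expiry = issued.remove(key(nonce)) ?: return false
        return now().isBefore(expiry)
    }

    private fun key(nonce: ByteArray): String = Base64.getEncoder().encodeToString(nonce)
}

fun main() {
    var clock = Instant.parse("2025-01-01T00:00:00Z") // constructed test time
    val cache = SingleUseNonceCache(Duration.ofMinutes(5)) { clock }

    val fresh = cache.issue()
    check(cache.consume(fresh))          // first presentation is accepted
    check(!cache.consume(fresh))         // replay of a consumed nonce is rejected
    check(!cache.consume(ByteArray(64))) // a nonce that was never issued is rejected

    val stale = cache.issue()
    clock = clock.plus(Duration.ofMinutes(6))
    check(!cache.consume(stale))         // presented after the validity window
    println("all checks passed")
}
```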

Constructors

constructor(makoto: Makoto, attestationProofOID: ObjectIdentifier = WardenDefaults.OIDs.ATTESTATION_PROOF, genericDeviceNameOID: ObjectIdentifier? = WardenDefaults.OIDs.DEVICE_NAME, defaultKeyConstraints: KeyConstraints? = WardenDefaults.KeyConstraints.p256Signer, nonceValidity: Duration = makoto.longestValidityDuration ?: IosAttestationConfiguration.DEFAULT_VALIDITY_SECONDS.seconds, nonceGenerator: NonceGenerator = WardenDefaults.nonceGenerator, challengeValidator: ChallengeValidator = InMemoryChallengeCache(makoto.clock, -makoto.verificationTimeOffset))
constructor(androidAttestationConfiguration: AndroidAttestationConfiguration, iosAttestationConfiguration: IosAttestationConfiguration, attestationProofOID: ObjectIdentifier = WardenDefaults.OIDs.ATTESTATION_PROOF, genericDeviceNameOID: ObjectIdentifier? = WardenDefaults.OIDs.DEVICE_NAME, clock: Clock = Clock.System, verificationTimeOffset: Duration = Makoto.DEFAULT_TIME_OFFSET, defaultKeyConstraints: KeyConstraints? = WardenDefaults.KeyConstraints.p256Signer, nonceValidity: Duration = Makoto.longestDuration(iosAttestationConfiguration.attestationStatementValiditySeconds, androidAttestationConfiguration.attestationStatementValiditySeconds), nonceGenerator: NonceGenerator = suspend { CryptoRand.nextBytes(ByteArray(64)) }, challengeValidator: ChallengeValidator = InMemoryChallengeCache(clock, -verificationTimeOffset))

Types

object Companion

Properties

val attestationProofOID: ObjectIdentifier
val genericDeviceNameOID: ObjectIdentifier?

Functions

suspend fun issueChallenge(postEndpoint: String, timeZone: TimeZone? = null, keyConstraints: KeyConstraints? = defaultKeyConstraints): AttestationChallenge

Issues a new attestation challenge, using a nonce generated by nonceGenerator, valid for a duration of nonceValidity, expecting a CSR containing an attestation statement to be HTTP POSTed to postEndpoint. It is possible to pass a timeZone, but this is purely informational and is not fed into validity checks.

suspend fun verifyAttestation(csr: Pkcs10CertificationRequest, onChallengeValidated: suspend AttestationChallenge.(Pkcs10CertificationRequest) -> Unit = { }, onPreAttestationError: suspend PreAttestationError.() -> String? = { null }, onAttestationError: suspend AttestationResult.Error.(debugInfo: WardenDebugAttestationStatement) -> String? = { null }, onAttestationSuccess: suspend AttestationResult.Verified.(CryptoPublicKey) -> Unit = { }, certificateIssuer: CertificateIssuer): AttestationResponse

Verifies the received CSR: