supreme-verifier/at.asitplus.attestation.supreme/AttestationVerifier

AttestationVerifier

class AttestationVerifier(makoto: <Error class: unknown class>, val attestationProofOID: <Error class: unknown class> = WardenDefaults.OIDs.ATTESTATION_PROOF, val includeGenericDeviceName: Boolean = true, val defaultKeyConstraints: <Error class: unknown class>? = WardenDefaults.KeyConstraints.p256Signer, val nonceValidity: <Error class: unknown class> = makoto.shortestValidityDuration, nonceGenerator: NonceGenerator = WardenDefaults.nonceGenerator, challengeValidator: ChallengeValidator = InMemoryChallengeCache( makoto.clock, -makoto.verificationTimeOffset ))(source)

Verifies attestation statements and issues certificates on success. Expects a preconfigured Makoto instance defining which apps and devices are considered trustworthy.

The attestationProofOID to be used in a CSR to convey an attestation statement. Can be overridden. It defaults to WardenDefaults.OIDs.ATTESTATION_PROOF When defaultKeyConstraints is specified, all issued challenges will automatically convey this, unless overridden. Note that key constraints cannot be reliably enforced due to technical client limitations. Not all platforms can restrict key usage and properties! Still, Warden Supreme's client will respect the key constraints and create keys as specified.

includeGenericDeviceName indicates whether to include a generic make and model (such as "Google Pixel 8", or "iPhone 16") with the attestation proof. On its own, this is not the device's nickname and therefore cannot identify a person in its own. Defaults to true as it is very useful technical, non-personally-identifying data.

The nonceGenerator's responsibility is to generate nonces to ensure freshness of issues challenges. Defaults to WardenDefaults.nonceGenerator, which generates secure, random 64-byte nonces

nonceValidity indicates how long issued nonces remain valid. This defaults to the maximum of the passed makoto's IosAttestationConfiguration.attestationStatementValiditySeconds and AndroidAttestationConfiguration.attestationStatementValiditySeconds.

Constructors

Link copied to clipboard
constructor(androidAttestationConfiguration: <Error class: unknown class>, iosAttestationConfiguration: <Error class: unknown class>, attestationProofOID: <Error class: unknown class> = WardenDefaults.OIDs.ATTESTATION_PROOF, includeGenericDeviceName: Boolean = true, clock: <Error class: unknown class> = Clock.System, verificationTimeOffset: <Error class: unknown class> = Makoto.DEFAULT_TIME_OFFSET, defaultKeyConstraints: <Error class: unknown class>? = WardenDefaults.KeyConstraints.p256Signer, nonceValidity: <Error class: unknown class> = Makoto.shortestDuration( iosAttestationConfiguration.attestationStatementValiditySeconds, androidAttestationConfiguration.attestationStatementValiditySeconds ), nonceGenerator: NonceGenerator = suspend { CryptoRand.nextBytes(ByteArray(64)) }, challengeValidator: ChallengeValidator = InMemoryChallengeCache(clock, verificationTimeOffset))
constructor(makoto: <Error class: unknown class>, attestationProofOID: <Error class: unknown class> = WardenDefaults.OIDs.ATTESTATION_PROOF, includeGenericDeviceName: Boolean = true, defaultKeyConstraints: <Error class: unknown class>? = WardenDefaults.KeyConstraints.p256Signer, nonceValidity: <Error class: unknown class> = makoto.shortestValidityDuration, nonceGenerator: NonceGenerator = WardenDefaults.nonceGenerator, challengeValidator: ChallengeValidator = InMemoryChallengeCache( makoto.clock, -makoto.verificationTimeOffset ))

Properties

Link copied to clipboard
val attestationProofOID: <Error class: unknown class>
Link copied to clipboard
val defaultKeyConstraints: <Error class: unknown class>?
Link copied to clipboard
Link copied to clipboard
val nonceValidity: <Error class: unknown class>
Link copied to clipboard
val warden: <Error class: unknown class>

Alias for makoto

Functions

Link copied to clipboard
suspend fun issueChallenge(postEndpoint: String, timeZone: <Error class: unknown class>? = null, keyConstraints: <Error class: unknown class>? = defaultKeyConstraints): <Error class: unknown class>

Issues a new attestation challenge, using a nonce generated by nonceGenerator, valid for a duration of nonceValidity, expecting an CSR containing an attestation statement to be HTTP POSTed to postEndpoint. It is possible, to pass a timeZone, but this is purely informational and is not fed into validity checks.

Link copied to clipboard
suspend fun verifyAttestation(csr: <Error class: unknown class>, onPreAttestationError: PreAttestationError.() -> String? = { null }, onAttestationError: <Error class: unknown class>.(<Error class: unknown class>) -> String? = { null }, onAttestationSuccess: <Error class: unknown class>.(<Error class: unknown class>) -> Unit = { }, certificateIssuer: CertificateIssuer): <Error class: unknown class>

Verifies the received CSR:

Link copied to clipboard
suspend fun verifyKeyAttestation(csr: <Error class: unknown class>, onPreAttestationError: PreAttestationError.() -> String? = { null }, onAttestationError: <Error class: unknown class>.(<Error class: unknown class>) -> String? = { null }, onAttestationSuccess: <Error class: unknown class>.(<Error class: unknown class>) -> Unit = { }, certificateIssuer: suspend (<Error class: unknown class>, <Error class: unknown class>) -> <Error class: unknown class>): <Error class: unknown class>