ChallengeValidator

Invoked from AttestationVerifier.verifyAttestation. Useful to match against in-transit attestation processes. Most probably, an implementation will check against a nonce cache and evict any matched nonce from the cache. Implementing this function in a meaningful manner is absolutely crucial, since this is the actual challenge matching that ensures freshness!

BEWARE OF CLOCK DRIFT AND CONFIGURED OFFSETS WRT VALIDITY DURATION!

See also

for a sane default logic to account for clock drift

Inheritors

Functions

abstract suspend fun store(challenge: <Error class: unknown class>)

The contract of this function is that it stores challenges regardless of their contents and performs no sanity checks. The reason is that strong cryptographic nonces are assumed, making collisions unrealistic.

abstract suspend fun validate(nonce: ByteArray): ChallengeValidationResult

The contract of this function is that it returns a ChallengeValidationResult.Success iff a single still valid challenge matching the passed nonce is found. In all other cases, it must return a ChallengeValidationResult.Failure. In addition, it should also remove all expired nonces, to keep stale nonces from inflating memory/storage.
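The two contracts above, sketched as an in-memory nonce cache. This is an added example, not the library's own code: `Challenge`, `Outcome`, `InMemoryChallengeStore`, the 30-second drift tolerance and the injectable clock are hypothetical stand-ins, since the library's challenge type is not shown on this page.

```kotlin
import java.security.SecureRandom
import java.time.Duration
import java.time.Instant
import java.util.Base64

// Hypothetical stand-ins: the library's challenge and result types are not shown on this page.
class Challenge(val nonce: ByteArray, val issuedAt: Instant, val validity: Duration)
sealed interface Outcome { object Success : Outcome; class Failure(val reason: String) : Outcome }

class InMemoryChallengeStore(
    private val driftTolerance: Duration = Duration.ofSeconds(30), // assumed tolerance
    private val now: () -> Instant = { Instant.now() },            // injectable clock
) {
    private val cache = HashMap<String, Challenge>()
    private fun key(nonce: ByteArray) = Base64.getEncoder().encodeToString(nonce)

    // store(): no sanity checks, the challenge is kept regardless of its contents.
    @Synchronized fun store(c: Challenge) { cache[key(c.nonce)] = c }

    @Synchronized fun validate(nonce: ByteArray): Outcome {
        val t = now()
        // Purge expired entries first so stale nonces do not inflate memory.
        // Expiry is extended by the drift tolerance.
        cache.values.removeAll { t.isAfter(it.issuedAt.plus(it.validity).plus(driftTolerance)) }
        // remove() evicts on match, so a replayed nonce finds nothing the second time.
        val hit = cache.remove(key(nonce))
            ?: return Outcome.Failure("unknown, expired or already used nonce")
        // Reject challenges stamped further in the future than the tolerance allows.
        if (hit.issuedAt.isAfter(t.plus(driftTolerance))) return Outcome.Failure("not yet valid")
        return Outcome.Success
    }
}

fun main() {
    var clock = Instant.parse("2024-01-01T00:00:00Z") // constructed test clock
    val store = InMemoryChallengeStore(now = { clock })
    fun fresh() = ByteArray(16).also { SecureRandom().nextBytes(it) }
    val (a, b, c) = listOf(fresh(), fresh(), fresh())
    listOf(a, b, c).forEach { store.store(Challenge(it, clock, Duration.ofMinutes(5))) }

    check(store.validate(a) is Outcome.Success) // first use matches and evicts
    check(store.validate(a) is Outcome.Failure) // replay of the same nonce
    clock = clock.plus(Duration.ofMinutes(5)).plusSeconds(20)
    check(store.validate(b) is Outcome.Success) // past validity, inside drift tolerance
    clock = clock.plusSeconds(11)
    check(store.validate(c) is Outcome.Failure) // beyond tolerance: purged as expired
}
```

A production implementation would keep the suspending signatures shown above and back the cache with storage shared by all verifier instances, so a nonce consumed on one node cannot be replayed against another.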