supreme-verifier/at.asitplus.attestation.supreme

Package-level declarations

Types

Link copied to clipboard
Link copied to clipboard
class AttestationVerifier(makoto: <Error class: unknown class>, val attestationProofOID: <Error class: unknown class> = WardenDefaults.OIDs.ATTESTATION_PROOF, val includeGenericDeviceName: Boolean = true, val defaultKeyConstraints: <Error class: unknown class>? = WardenDefaults.KeyConstraints.p256Signer, val nonceValidity: <Error class: unknown class> = makoto.shortestValidityDuration, nonceGenerator: NonceGenerator = WardenDefaults.nonceGenerator, challengeValidator: ChallengeValidator = InMemoryChallengeCache( makoto.clock, -makoto.verificationTimeOffset ))

Verifies attestation statements and issues certificates on success. Expects a preconfigured Makoto instance defining which apps and devices are considered trustworthy.

Link copied to clipboard
typealias CertificateIssuer = suspend <Error class: unknown class>.(<Error class: unknown class>) -> <Error class: unknown class>

Gets passed the signed CSR from the mobile client after it was thoroughly checked and verified. At this point, the CSR's signature has been verified, then challenge checked, and the public key attested. Hence, a certificate can be issued and the whole certificate chain (from newly issued certificate up to the CA) shall be returned.

Link copied to clipboard
Link copied to clipboard
interface ChallengeValidator

Invoked from AttestationVerifier.verifyAttestation. Useful to match against in-transit attestation processes. Most probably, this will check against a nonce cache and evict any matched nonce from the cache. Implementing this function in a meaningful manner is absolutely crucial, since this is the actual challenge matching, ensuring freshness!

Link copied to clipboard
class InMemoryChallengeCache(clock: <Error class: unknown class>, offset: <Error class: unknown class>) : ChallengeValidator

Caches issued challenges in memory in a coroutine-safe way. Requires a clock and an offset. The AttestationVerifier passes Makoto's clock and the inverse of Makoto.verificationTimeOffset, since these two values are also encoded into issues challenges.

Link copied to clipboard
typealias NonceGenerator = suspend () -> ByteArray
Link copied to clipboard
sealed class PreAttestationError