Package-level declarations

Types

class AttestationVerifier(val makoto: Makoto, val attestationProofOID: ObjectIdentifier = WardenDefaults.OIDs.ATTESTATION_PROOF, val genericDeviceNameOID: ObjectIdentifier? = WardenDefaults.OIDs.DEVICE_NAME, val defaultKeyConstraints: KeyConstraints? = WardenDefaults.KeyConstraints.p256Signer, val nonceValidity: Duration = makoto.longestValidityDuration ?: IosAttestationConfiguration.DEFAULT_VALIDITY_SECONDS.seconds, nonceGenerator: NonceGenerator = WardenDefaults.nonceGenerator, challengeValidator: ChallengeValidator = InMemoryChallengeCache(makoto.clock, -makoto.verificationTimeOffset))

Verifies attestation statements and issues certificates on success. Expects a preconfigured Makoto instance defining which apps and devices are considered trustworthy.

typealias CertificateIssuer = suspend AttestationResult.Verified.(Pkcs10CertificationRequest) -> CertificateChain

Gets passed the signed CSR from the mobile client after it was thoroughly checked and verified. At this point, the CSR's signature has been verified, the challenge checked, and the public key attested. Hence, a certificate can be issued, and the whole certificate chain (from the newly issued certificate up to the CA) shall be returned.


Invoked from AttestationVerifier.verifyAttestation. Useful to match against in-transit attestation processes. Most probably, this will check against a nonce cache and evict any matched nonce from the cache. Implementing this function in a meaningful manner is absolutely crucial, since this is the actual challenge matching, ensuring freshness!


Caches issued challenges in memory in a coroutine-safe way. Requires a clock and an offset. The AttestationVerifier passes Makoto's clock and the inverse of Makoto.verificationTimeOffset, since these two values are also encoded into issued challenges.

typealias NonceGenerator = suspend () -> ByteArray
sealed class PreAttestationError

Integrated attestation configuration for the Supreme attestation verifier

Functions

operator fun Makoto.Companion.invoke(configuration: SupremeConfiguration): Makoto

Convenience extension to create a Makoto instance from configuration