CloudSecureAreaServer

class CloudSecureAreaServer(serverSecureAreaBoundKey: ByteArray, attestationKey: EcPrivateKey, attestationKeySignatureAlgorithm: Algorithm, attestationKeyIssuer: String, attestationKeyCertification: X509CertChain, cloudRootAttestationKey: EcPrivateKey, cloudRootAttestationKeySignatureAlgorithm: Algorithm, cloudRootAttestationKeyIssuer: String, cloudRootAttestationKeyCertification: X509CertChain, e2eeKeyLimitSeconds: Int, iosReleaseBuild: Boolean, iosAppIdentifier: String?, androidGmsAttestation: Boolean, androidVerifiedBootGreen: Boolean, androidAppSignatureCertificateDigests: List<ByteString>, openid4vciKeyAttestationIssuer: String?, openid4vciKeyAttestationKeyStorage: String?, openid4vciKeyAttestationUserAuthentication: String?, openid4vciKeyAttestationUserAuthenticationNoPassphrase: String?, openid4vciKeyAttestationCertification: String?, passphraseFailureEnforcer: PassphraseFailureEnforcer)

A reference implementation of the Cloud Secure Area server.

This code is not intended for production use.

Parameters

serverSecureAreaBoundKey

the secret key used to encrypt/decrypt state that is stored externally.

attestationKey

the private key used to sign attestations for keys created by clients.

attestationKeyCertification

a certification of the attestation key.

cloudRootAttestationKey

the private key used to sign attestations for CloudBindingKey.

cloudRootAttestationKeyCertification

a certification of the attestation key for CloudBindingKey.

e2eeKeyLimitSeconds

Re-keying interval for end-to-end encryption.

iosReleaseBuild

Whether a release build is required on iOS. When false, both debug and release builds are accepted.

iosAppIdentifier

iOS app identifier, consisting of a team id followed by a dot and the app bundle name. If null, any app identifier is accepted. It must not be null if iosReleaseBuild is true.

androidGmsAttestation

whether to require that attestations made for the local key on clients use the Google root.

androidVerifiedBootGreen

whether to require that clients are in the verified boot state green.

androidAppSignatureCertificateDigests

the allow-list of applications that can use the service. Each element is the SHA-256 digest bytes of a signing certificate; see the Signature class in the Android SDK for details. If the list is empty, any app is allowed, i.e. no app-signature restriction is enforced.

openid4vciKeyAttestationIssuer

The value to use for the iss field in OpenID4VCI attestations or null to not include this field.

openid4vciKeyAttestationKeyStorage

The value to use for the key_storage field in OpenID4VCI attestations or null to not include this field.

openid4vciKeyAttestationUserAuthentication

The value to use for the user_authentication field in OpenID4VCI attestations for keys that are passphrase protected or null to not include this field.

openid4vciKeyAttestationUserAuthenticationNoPassphrase

The value to use for the user_authentication field in OpenID4VCI attestations for keys that are not passphrase protected or null to not include this field.

openid4vciKeyAttestationCertification

The value to use for the certification field in OpenID4VCI attestations or null to not include this field.

passphraseFailureEnforcer

Constructors

constructor(serverSecureAreaBoundKey: ByteArray, attestationKey: EcPrivateKey, attestationKeySignatureAlgorithm: Algorithm, attestationKeyIssuer: String, attestationKeyCertification: X509CertChain, cloudRootAttestationKey: EcPrivateKey, cloudRootAttestationKeySignatureAlgorithm: Algorithm, cloudRootAttestationKeyIssuer: String, cloudRootAttestationKeyCertification: X509CertChain, e2eeKeyLimitSeconds: Int, iosReleaseBuild: Boolean, iosAppIdentifier: String?, androidGmsAttestation: Boolean, androidVerifiedBootGreen: Boolean, androidAppSignatureCertificateDigests: List<ByteString>, openid4vciKeyAttestationIssuer: String?, openid4vciKeyAttestationKeyStorage: String?, openid4vciKeyAttestationUserAuthentication: String?, openid4vciKeyAttestationUserAuthenticationNoPassphrase: String?, openid4vciKeyAttestationCertification: String?, passphraseFailureEnforcer: PassphraseFailureEnforcer)

Types

object Companion
data class CreateKeyState(var challenge: ByteArray? = null, var cloudChallenge: ByteArray? = null, var algorithm: Algorithm = Algorithm.ESP256, var validFromMillis: Long = 0, var validUntilMillis: Long = 0, var passphraseRequired: Boolean = false, var userAuthenticationRequired: Boolean = false, var userAuthenticationTypes: Long = 0, var cloudKeyStorage: ByteArray? = null, var localKey: CoseKey? = null)
data class E2EEState(var context: CloudSecureAreaServer.RegisterState? = null, var cloudNonce: ByteArray? = null, var skDevice: ByteArray? = null, var skCloud: ByteArray? = null, var encryptedCounter: Int = 0, var decryptedCounter: Int = 0, var derivationTimestamp: Long = 0)
data class KeyAgreementState(var keyContext: CloudSecureAreaServer.CreateKeyState? = null, var otherPublicKey: CoseKey? = null, var cloudNonce: ByteArray? = null)
data class RegisterState(var clientVersion: String = "", var attestationChallenge: ByteString? = null, var cloudChallenge: ByteArray? = null, var cloudBindingKey: CoseKey? = null, var deviceBindingKey: CoseKey? = null, var clientPassphraseSalt: ByteArray = byteArrayOf(), var clientSaltedPassphrase: ByteArray = byteArrayOf(), var registrationComplete: Boolean = false, var clientId: String? = null, var deviceAttestation: DeviceAttestation? = null)
data class SignState(var keyContext: CloudSecureAreaServer.CreateKeyState? = null, var dataToSign: ByteArray? = null, var cloudNonce: ByteArray? = null)

Functions

suspend fun handleCommand(requestData: ByteArray, remoteHost: String): Pair<Int, ByteArray>