DeviceAttestationSoftware
data class DeviceAttestationSoftware(val publicKey: EcPublicKey, val proofOfSecret: ByteString? = null) : DeviceAttestation
A DeviceAttestation for environments that do not support platform-backed attestations.
This format includes a key pair that resides on the device and is used for generating one or more DeviceAssertion instances. It doesn't actually prove anything - it can't - so this attestation type is normally used together with proving that the client possesses a secret. This proof is computed as follows:
    K = HKDF(
        ikm = secretUtf8Encoded,
        salt = challenge,
        info = "MpzAttestationWithSecret1",
        length = 32
    )
    proofOfSecret = HMAC(
        key = K,
        message = challenge || secretUtf8Encoded
    )
using the server-provided challenge and SHA-256 as the hash function. This mechanism should be used carefully since in most cases embedding a secret in the client binary is inherently insecure due to the risk of attackers exfiltrating the secret.
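The computation above, written out as an added example of the server-side check (an independent re-implementation, not the library's own code). It assumes HKDF means RFC 5869 extract-then-expand with HMAC-SHA-256, that the info string is encoded as UTF-8, and that `||` is byte concatenation; the function names and sample values are hypothetical.

```python
import hashlib
import hmac
from typing import Optional

# info string from the formula above (UTF-8 encoding is an assumption)
INFO = b"MpzAttestationWithSecret1"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF per RFC 5869 (extract-then-expand) with HMAC-SHA-256."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA-256 output is limited to 8160 bytes")
    # Extract: an empty salt is replaced by HashLen zero bytes.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def compute_proof_of_secret(secret: str, challenge: bytes) -> bytes:
    """K = HKDF(secret, challenge, info, 32); proof = HMAC(K, challenge || secret)."""
    secret_utf8 = secret.encode("utf-8")
    k = hkdf_sha256(ikm=secret_utf8, salt=challenge, info=INFO, length=32)
    return hmac.new(k, challenge + secret_utf8, hashlib.sha256).digest()


def verify_proof_of_secret(secret: str, challenge: bytes, proof: Optional[bytes]) -> bool:
    """Server-side check; `challenge` must be the value this server issued."""
    if proof is None:  # proofOfSecret is nullable in the data class
        return False
    expected = compute_proof_of_secret(secret, challenge)
    return hmac.compare_digest(expected, proof)  # constant-time comparison


if __name__ == "__main__":
    import secrets

    challenge = secrets.token_bytes(16)  # constructed sample challenge
    proof = compute_proof_of_secret("example-secret", challenge)  # constructed secret
    print(proof.hex(), verify_proof_of_secret("example-secret", challenge, proof))
```

Because the challenge is both the HKDF salt and part of the HMAC message, a proof captured for one challenge does not verify under another, so the server should issue a fresh challenge per attestation and accept each one only once.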
Properties
Functions
open suspend override fun validate(validationData: DeviceAttestationValidationData, validateAt: Instant)
Check the validity of this DeviceAttestation.
Check the validity of assertion in the context of this DeviceAttestation.