verify

suspend fun verify(sessionTranscript: DataItem, eReaderKey: AsymmetricKey? = null, atTime: Instant = Clock.System.now())

Verifies the integrity of the returned documents, according to ISO/IEC 18013-5.

The following checks are performed for each MdocDocument instance in documents.

For MdocDocument.issuerAuth the signature is checked against the leaf certificate in the associated X.509 chain.
The document type in the MSO matches the docType in the response.
The MSO is validity period includes the passed-in atTime.
The data returned in MdocDocument.issuerNamespaces is checked against digests in the MSO.
The device-authentication structures (ECDSA or MAC) are checked.

The following checks are expected to be done by the application:

Determining whether the issuer's document signing certificate is trusted. An application can use org.multipaz.trustmanagement.TrustManager to do this.
Checking whether the MSO is revoked, or any of the keys involved are revoked.
Checking the integrity of any Zero-Knowledge Proofs for documents returned in zkDocuments. An application can use org.multipaz.mdoc.zkp.ZkSystem to do this.
Checking or decrypting any encrypted documents returned in encryptedDocuments. Use EncryptedDocuments.decrypt to do this.

sessionTranscript

the session transcript to use.

eReaderKey

the ephemeral reader key or null if not using session encryption.

atTime

the point in time for validating the whether returned documents are valid.

if validation fails.