multipaz/org.multipaz.securearea.cloud/CloudSecureAreaProtocol/RegisterRequest1

RegisterRequest1

data class RegisterRequest1(val deviceChallenge: ByteArray, val deviceAttestation: DeviceAttestation, val deviceBindingKey: CoseKey, val deviceBindingKeyAttestation: X509CertChain?, val serverState: ByteArray) : CloudSecureAreaProtocol.Command

Message sent by the client to the server in response to RegisterResponse0.

The device uses the DeviceCheck API to generate a DeviceAttestation and DeviceAssertion for the cloudChallenge nonce received.

The device includes deviceBindingKeyAttestation (which is a list of encoded X509 certificates) and serverState described in RegisterRequest0. The device also generates deviceChallenge which is to be included in this message and also stored in the device's session state.

Upon receiving this message the server shall check deviceBindingKeyAttestation which is an Android Keystore attestation and this include checking that the previously sent cloudChallenge is present in the Android Attestation Extension, that verified boot is in state GREEN, that the expected Android application requested the creation of the key, the root public key is well-known (e.g. the Google root), and so on. If a check fails the server shall return HTTP status code 403 (Forbidden).

After this, the server shall create CloudBindingKey - an EC key using curve P-256 - using deviceChallenge as the challenge to be included in the attestation. The attestation format to be used is defined in this protocol, see TODO for the encoding of the attestation extension and the OID to include it at.

The server proceeds to prepare a RegisterResponse1 message.

Constructors

Link copied to clipboard
constructor(deviceChallenge: ByteArray, deviceAttestation: DeviceAttestation, deviceBindingKey: CoseKey, deviceBindingKeyAttestation: X509CertChain?, serverState: ByteArray)

Properties

Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard