validateAndroidKeyAttestation
suspend fun validateAndroidKeyAttestation(chain: X509CertChain, challenge: ByteString?, requireGmsAttestation: Boolean, requireVerifiedBootGreen: Boolean, requireKeyMintSecurityLevel: AndroidKeystoreSecurityLevel, requireAppSignatureCertificateDigests: Set<ByteString>, requireAppPackages: Set<String>, validateAt: Instant = Clock.System.now())
Checks if Android key attestation is valid according to the given criteria.
TODO: use the revocation list from https://android.googleapis.com/attestation/status (attestation key revocation is not checked yet).
Parameters
chain
the Android key attestation certificate chain to validate
challenge
challenge/nonce used during key creation
requireGmsAttestation
check that certificate chain is rooted in a known Google key
requireVerifiedBootGreen
check that the device has booted securely
requireKeyMintSecurityLevel
identifies acceptable security level
requireAppSignatureCertificateDigests
identifies trusted app signing keys
requireAppPackages
identifies trusted app package names
validateAt
time instant used to validate certificate validity intervals
Throws
if Android key attestation is not valid
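The following added example (not the library's code) sketches how the non-chain criteria above could be evaluated once the attestation fields have been parsed, and targets Kotlin/JVM. The types `SecurityLevel`, `BootState`, `Attested`, `Policy` and the function `violations` are hypothetical. The treatment of the security level as a minimum, of empty sets as "no restriction", and of multiple packages or digests as "all must be trusted" are assumptions, not behaviour stated on this page. Certificate chain, validity-interval and root-key checks are out of scope here.

```kotlin
import java.security.MessageDigest

// Illustrative types only; they are NOT the library's classes.
enum class SecurityLevel { SOFTWARE, TRUSTED_ENVIRONMENT, STRONG_BOX }
enum class BootState { VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED }

// Fields assumed to be already parsed from the leaf certificate's attestation extension.
class Attested(
    val challenge: ByteArray, val securityLevel: SecurityLevel, val bootState: BootState,
    val packages: Set<String>, val signatureDigests: Set<String>, // hex SHA-256 digests
)

class Policy(
    val challenge: ByteArray?, val requireVerifiedBootGreen: Boolean,
    val minSecurityLevel: SecurityLevel,
    val trustedDigests: Set<String>, val trustedPackages: Set<String>,
)

// Returns every violated criterion; an empty list means the attestation is acceptable.
fun violations(a: Attested, p: Policy): List<String> {
    val out = mutableListOf<String>()
    // Constant-time comparison binds the attestation to the nonce issued for this key.
    if (p.challenge != null && !MessageDigest.isEqual(a.challenge, p.challenge)) out += "challenge"
    if (p.requireVerifiedBootGreen && a.bootState != BootState.VERIFIED) out += "verifiedBoot"
    // Enum order encodes strength, so '<' means "weaker than required" (assumed semantics).
    if (a.securityLevel < p.minSecurityLevel) out += "securityLevel"
    // Assumed: an empty trusted set disables the check; otherwise an attestation that
    // names no package/digest, or names one outside the set, fails closed.
    if (p.trustedPackages.isNotEmpty() &&
        (a.packages.isEmpty() || !p.trustedPackages.containsAll(a.packages))) out += "appPackages"
    if (p.trustedDigests.isNotEmpty() &&
        (a.signatureDigests.isEmpty() || !p.trustedDigests.containsAll(a.signatureDigests))) out += "appSignatureDigests"
    return out
}

fun main() {
    val nonce = "server-nonce-1".toByteArray() // all values below are constructed samples
    val digest = "ab".repeat(32)
    val policy = Policy(nonce, true, SecurityLevel.TRUSTED_ENVIRONMENT,
        setOf(digest), setOf("com.example.wallet"))
    val good = Attested(nonce, SecurityLevel.STRONG_BOX, BootState.VERIFIED,
        setOf("com.example.wallet"), setOf(digest))
    val bad = Attested("replayed".toByteArray(), SecurityLevel.SOFTWARE, BootState.UNVERIFIED,
        setOf("com.example.wallet", "com.example.other"), setOf(digest))
    println(violations(good, policy))
    println(violations(bad, policy))
}
```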