CloudSecureAreaServer

constructor(
    serverSecureAreaBoundKey: ByteArray,
    attestationKey: EcPrivateKey,
    attestationKeySignatureAlgorithm: Algorithm,
    attestationKeyIssuer: String,
    attestationKeyCertification: X509CertChain,
    cloudRootAttestationKey: EcPrivateKey,
    cloudRootAttestationKeySignatureAlgorithm: Algorithm,
    cloudRootAttestationKeyIssuer: String,
    cloudRootAttestationKeyCertification: X509CertChain,
    e2eeKeyLimitSeconds: Int,
    iosReleaseBuild: Boolean,
    iosAppIdentifier: String?,
    androidGmsAttestation: Boolean,
    androidVerifiedBootGreen: Boolean,
    androidAppSignatureCertificateDigests: List<ByteString>,
    openid4vciKeyAttestationIssuer: String?,
    openid4vciKeyAttestationKeyStorage: String?,
    openid4vciKeyAttestationUserAuthentication: String?,
    openid4vciKeyAttestationUserAuthenticationNoPassphrase: String?,
    openid4vciKeyAttestationCertification: String?,
    passphraseFailureEnforcer: PassphraseFailureEnforcer
)

Parameters

serverSecureAreaBoundKey

the secret key used to encrypt and decrypt state that is stored externally.

attestationKey

the private key used to sign attestations for keys created by clients.

attestationKeyCertification

a certification of the attestation key.

cloudRootAttestationKey

the private key used to sign attestations for CloudBindingKey.

cloudRootAttestationKeyCertification

a certification of the attestation key for CloudBindingKey.

e2eeKeyLimitSeconds

Re-keying interval for end-to-end encryption.

iosReleaseBuild

Whether a release build is required on iOS. When false, both debug and release builds are accepted.

iosAppIdentifier

iOS app identifier that consists of a team id followed by a dot and the app bundle name. If null, any app identifier is accepted. It must not be null if iosReleaseBuild is true.

androidGmsAttestation

whether to require that attestations made for local keys on clients use the Google root.

androidVerifiedBootGreen

whether to require that clients are in verified boot state green.

androidAppSignatureCertificateDigests

the allowed list of applications that can use the service. Each element is the bytes of the SHA-256 of a signing certificate, see the Signature class in the Android SDK for details. If empty, allow any app.

openid4vciKeyAttestationIssuer

The value to use for the iss field in OpenID4VCI attestations or null to not include this field.

openid4vciKeyAttestationKeyStorage

The value to use for the key_storage field in OpenID4VCI attestations or null to not include this field.

openid4vciKeyAttestationUserAuthentication

The value to use for the user_authentication field in OpenID4VCI attestations for keys that are passphrase protected or null to not include this field.

openid4vciKeyAttestationUserAuthenticationNoPassphrase

The value to use for the user_authentication field in OpenID4VCI attestations for keys that are not passphrase protected or null to not include this field.

openid4vciKeyAttestationCertification

The value to use for the certification field in OpenID4VCI attestations or null to not include this field.

passphraseFailureEnforcer
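
The client-admission parameters above (iosReleaseBuild, iosAppIdentifier, androidGmsAttestation, androidVerifiedBootGreen, androidAppSignatureCertificateDigests) each have a value that accepts any client, so a deployment can check them before constructing the server. The following is an added example, not code from the library: `ClientPolicy`, `signingCertDigest` and `preflight` are hypothetical names, `ByteArray` stands in for `ByteString`, and the certificate bytes and app identifier are constructed sample values.

```kotlin
import java.security.MessageDigest

// Hypothetical holder mirroring the constructor's client-admission parameters;
// it is not a class from the library.
data class ClientPolicy(
    val iosReleaseBuild: Boolean,
    val iosAppIdentifier: String?,
    val androidGmsAttestation: Boolean,
    val androidVerifiedBootGreen: Boolean,
    val androidAppSignatureCertificateDigests: List<ByteArray>,
)

// SHA-256 over the bytes of an app signing certificate, the form each
// allow-list element takes according to the parameter description.
fun signingCertDigest(certBytes: ByteArray): ByteArray =
    MessageDigest.getInstance("SHA-256").digest(certBytes)

// Returns findings: ERROR entries violate a documented constraint, WARN entries
// are settings the parameter descriptions say accept any client or app.
fun preflight(p: ClientPolicy): List<String> = buildList {
    if (p.iosReleaseBuild && p.iosAppIdentifier == null)
        add("ERROR iosAppIdentifier must not be null when iosReleaseBuild is true")
    if (!p.iosReleaseBuild)
        add("WARN iosReleaseBuild=false: debug and release builds are both accepted")
    if (p.iosAppIdentifier == null)
        add("WARN iosAppIdentifier=null: any app identifier is accepted")
    if (!p.androidGmsAttestation)
        add("WARN androidGmsAttestation=false: Google root is not required")
    if (!p.androidVerifiedBootGreen)
        add("WARN androidVerifiedBootGreen=false: verified boot state green is not required")
    if (p.androidAppSignatureCertificateDigests.isEmpty())
        add("WARN androidAppSignatureCertificateDigests is empty: any app is allowed")
    p.androidAppSignatureCertificateDigests.forEachIndexed { i, d ->
        if (d.size != 32) add("ERROR digest #$i is ${d.size} bytes, a SHA-256 digest is 32")
    }
}

fun main() {
    // Constructed stand-in for a signing certificate's encoded bytes.
    val constructedCert = "constructed certificate bytes".toByteArray()
    val dev = ClientPolicy(false, null, false, false, emptyList())
    // Constructed app identifier: team id, a dot, then the bundle name.
    val prod = ClientPolicy(true, "TEAMID1234.com.example.wallet", true, true,
        listOf(signingCertDigest(constructedCert)))
    println("dev findings:")
    preflight(dev).forEach { println("  $it") }
    println("prod findings: ${preflight(prod).size}")
}
```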