AltIdQrVerifier

class AltIdQrVerifier(trustAnchors: List<X509Certificate> = emptyList(), replayGuard: AltIdReplayGuard = AltIdReplayGuard.InMemory, clockSkewSeconds: Long = 60, maxTimeToLiveSeconds: Long = 190)

Verifies an assembled AltID SignedQR (AltIdQrPayload) — the "verification phase".

This performs the offline cryptographic checks of AltID's validation, i.e. everything that needs no external infrastructure:

  • mdocGeneratedNonce is Base64URL of 16 bytes (step 5)

  • the QR temporal window nbf/exp (with clock skew) and its time-to-live (steps 3–4)

  • the issuer signature (COSE_Sign1 over the MSO) against the embedded leaf certificate (step 7)

  • the disclosed IssuerSignedItem digests against the signed MSO (step 8)

  • the MSO docType matches the document docType (step 9)

  • the MSO ValidityInfo window (step 10)

  • the device signature (COSE_Sign1 over DeviceAuthentication) against the MSO device key (step 11)

  • mdocGeneratedNonce replay protection (step 13)

Two checks are pluggable: issuer trust (step 6 — supply trustAnchors, e.g. AltIdTrustList.builtIn; a signing certificate is trusted when it byte-matches a trust-list leaf or a chain from it terminates in a trust-list CA) and the status-list check (step 12 — use the suspending verify(payload, currentTimeSeconds, statusCheck) overload, which fetches and validates the Token Status List referenced by the MSO).

Parameters

trustAnchors

the issuer trust list; empty disables trust validation.

replayGuard

nonce replay guard; defaults to a process-wide in-memory set.

clockSkewSeconds

tolerance applied to temporal checks.

maxTimeToLiveSeconds

maximum allowed exp - nbf.

Constructors

Link copied to clipboard
constructor(trustAnchors: List<X509Certificate> = emptyList(), replayGuard: AltIdReplayGuard = AltIdReplayGuard.InMemory, clockSkewSeconds: Long = 60, maxTimeToLiveSeconds: Long = 190)

Types

Link copied to clipboard
sealed class Result

Functions

Link copied to clipboard
suspend fun verify(payload: AltIdQrPayload, currentTimeSeconds: Long, statusCheck: AltIdStatusCheckPolicy = AltIdStatusCheckPolicy.FAIL_OPEN, statusClient: AltIdStatusListClient = AltIdStatusListClient()): AltIdQrVerifier.Result

Verifies payload including the status-list check (step 12) when the attestation's MSO references one. Runs all offline checks first, then — per statusCheck — fetches the Token Status List, validates it (signature, signer trust against the same trust list, sub, iat/exp), and rejects revoked attestations.

Link copied to clipboard
fun verifyOffline(payload: AltIdQrPayload, currentTimeSeconds: Long): AltIdQrVerifier.Result