Key Endpoints

GET /dreiattest/nonce

Headers (in addition to the common headers):

“Dreiattest-uid”: “hello@example.com;123e4567-e89b-12d3-a456-426614174000”

Response: random 32-byte base64 encoded string
e.g. “BZsLqvMo1ayGJ+Y/BOdTHgrDQec8N015JuAUV9Uzptw=”

Get a nonce (snonce) for registering a key.

Discussion
Only one nonce per uid can be valid at a given point in time. The mobile libraries, therefore, have to ensure that a key is only generated and registered once even when multiple requests are initiated at the same time. The nonce expires once it has been used or after one minute.

POST /dreiattest/key

Headers (in addition to the common headers):

“Dreiattest-uid”: “hello@example.com;123e4567-e89b-12d3-a456-426614174000”
“Dreiattest-nonce”: “

Body:

{
    "public_key": "AAAAc3...", // Android
    "key_id": "AAAAc3...", // iOS
    "attestation": "o2NmbX...", // attestation object provided by the platform-specific service
    "driver": "apple|google"
}

Registers a key.

Response:
Status: 200
Body: {"success": true, "key_id": "AAAAc3..."}

or

Status: 403
Headers:

“Dreiattest-error”: Error Key

Discussion
The nonce required by DeviceCheck / SafetyNet is calculated as

nonce = sha256(uid :: pubkey :: snonce)

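Because the attestation covers this nonce, it commits to the uid, the public key and the server nonce. Thus, the request is effectively signed by the attestation service.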
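
As an added illustration (not code from the dreiattest project), the Python below shows how a server could enforce the nonce rules described for GET /dreiattest/nonce and check the binding nonce = sha256(uid :: pubkey :: snonce). NonceStore, attestation_nonce and register_key are hypothetical names, "::" is assumed to be plain concatenation of the values as transmitted, and attested_nonce stands for the nonce already extracted from a verified DeviceCheck / SafetyNet attestation.

```python
import base64
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 60  # seconds; the page states a nonce expires after one minute


class NonceStore:
    """In-memory stand-in for the server's nonce table (hypothetical)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._nonces = {}  # uid -> (snonce, issued_at)

    def issue(self, uid):
        # Overwrites any earlier nonce: only one per uid is valid at a time.
        snonce = base64.b64encode(secrets.token_bytes(32)).decode()
        self._nonces[uid] = (snonce, self._clock())
        return snonce

    def consume(self, uid, snonce):
        # This example burns the stored nonce on any attempt, so it is
        # single-use even when the presented value is wrong or expired.
        stored, issued_at = self._nonces.pop(uid, (None, 0.0))
        if stored is None or self._clock() - issued_at > NONCE_TTL:
            return False
        return hmac.compare_digest(stored.encode(), snonce.encode())


def attestation_nonce(uid, public_key, snonce):
    # Assumption: "::" means concatenating the strings exactly as sent.
    return hashlib.sha256((uid + public_key + snonce).encode()).digest()


def register_key(store, uid, snonce, public_key, attested_nonce):
    """Accept a key only if snonce is live and the attestation binds it."""
    if not store.consume(uid, snonce):
        return False
    expected = attestation_nonce(uid, public_key, snonce)
    return hmac.compare_digest(expected, attested_nonce)
```

A replayed request fails at consume(), and a request whose public key differs from the attested one fails at the final comparison.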

For more information see: