Key Endpoints¶
GET /dreiattest/nonce¶
Headers (in addition to the common headers):
“Dreiattest-uid”: “hello@example.com;123e4567-e89b-12d3-a456-426614174000”
Response: random 32-byte base64 encoded string
e.g. “BZsLqvMo1ayGJ+Y/BOdTHgrDQec8N015JuAUV9Uzptw=”
Get a nonce (snonce) for registering a key.
Discussion
Only one nonce per uid can be valid at a given point in time. The mobile libraries, therefore, have to ensure that a key is only generated and registered once even when multiple requests are initiated at the same time. The nonce expires once it has been used or after one minute.
POST /dreiattest/key¶
Headers (in addition to the common headers):
“Dreiattest-uid”: “hello@example.com;123e4567-e89b-12d3-a456-426614174000”
“Dreiattest-nonce”: “”
Body:
{
"public_key": "AAAAc3...", // Android
"key_id": "AAAAc3...", // iOS
"attestation": "o2NmbX...", //attestation object provied by the platform specific service
"driver": "apple|google"
}
Registers a key.
Response:
Status: 200
Body: {"success": True, "key_id": "AAAAc3..."}
or
Status: 403
Headers:
“Dreiattest-error”: Error Key
Discussion
The nonce required by DeviceCheck / SafetyNet is calculated as
nonce = sha256(uid :: pubkey :: snonce)
Thus, the request is effectively signed by the attestation service.
For more information see: