Skip to content
Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a remote attestation implementation with email alerts to go along with the local implementation based on QR code scanning in the app.
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
gradle/wrapper update gradle to 5.2.1 Mar 16, 2019
src/main/java/app/attestation/server add pinnedSecurityLevel column if missing May 18, 2019
static display pinned security level May 18, 2019
.gitignore add initial gitignore Nov 6, 2018
LICENSE add MIT license Mar 30, 2019
README.md add link to overview on attestation.app May 12, 2019
attestation.service enable NoNewPrivileges for the service Aug 18, 2018
build.gradle
deploy_server set permissions on deployment Apr 28, 2019
deploy_static use relative path for deployment Apr 28, 2019
gradlew update gradle to 5.2.1 Mar 16, 2019
gradlew.bat update gradle to 5.2.1 Mar 16, 2019

README.md

See the overview of the project at https://attestation.app/about.

Email alert configuration

In order to send email alerts, AttestationServer needs to be configured with valid credentials for an SMTP server. The configuration is stored in the Configuration table in the database and can be safely modified while the server is running to have it kick in for the next email alert cycle.

Only SMTPS (SMTP over TLS) with a valid certificate is supported. STARTTLS is deliberately not supported because it's less secure. The username must also be the full address for sending emails.

For example, making an initial configuration:

sqlite3 attestation.db "INSERT INTO Configuration VALUES ('emailUsername', 'alert@attestation.app'), ('emailPassword', '<password>'), ('emailHost', 'smtp.fastmail.com'), ('emailPort', '465')"

API for the Auditor app

QR code

The scanned QR code contains space-separated values in plain-text: <domain> <userId> <subscribeKey> <verifyInterval>. The subscribeKey should be treated as an opaque string rather than assuming base64 encoding. Additional fields may be added in the future.

/challenge

  • Request method: POST
  • Request headers: n/a
  • Request body: n/a
  • Response body:

Returns a standard challenge message in the same format as the Auditor app QR code. The challenge can only be used once and expires in 1 minute.

The server challenge index is always zeroed out and the userId should be used instead.

/verify

  • Request method: POST
  • Request headers:

The Authorization header needs to be set to Auditor <userId> <subscribeKey> for an unpaired attestation. That will also work for a paired attestation if the subscribeKey matches, but it should be set to Auditor <userId> to allow for subscribeKey rotation.

  • Request body:

Standard attestation message in the same format as the Auditor app QR code.

  • Response body:

Returns space-separated values in plain text: <subscribeKey> <verifyInterval>. Additional fields may be added in the future.

You can’t perform that action at this time.