KeyAuthorization

Self-verifiable key authorization — the core innovation over rvcas.

The P-256 root key (passkey, in TEE) signs a payload that authorizes a secp256k1 access key to act on behalf of the sigil. Anyone can verify the authorization cryptographically — no server trust required.

The signing happens during a CredentialManager authentication ceremony: the payload hash is embedded in the WebAuthn challenge. The passkey signs authenticatorData || SHA-256(clientDataJSON), which transitively commits to our challenge (the payload hash) because clientDataJSON contains the challenge.

Authorization record = root pubkey + access pubkey + scope + timestamp + WebAuthn signature

Properties

const val NO_EXPIRY: Long = 0
const val PAYLOAD_SIZE: Int

Fixed payload size: magic(13) + rootPK(33) + accessPK(33) + scope(4) + timestamp(8) + expiry(8)

Functions

fun buildPayload(rootPublicKey: ByteArray, accessPublicKey: ByteArray, scope: AuthorizationScope, timestampMs: Long, expiryMs: Long = NO_EXPIRY): ByteArray

Builds the authorization payload that will be signed by the passkey.


Hashes the payload for use as the WebAuthn challenge.


Parses a binary payload back into its components.
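
The verifier-side binding check described in the overview, as an added example that is not the project's own code: it parses the documented 99-byte layout, confirms that clientDataJSON commits to the payload hash, and returns the exact bytes the passkey signed. Assumptions: the magic value is a placeholder, integers are big-endian, scope is a raw 32-bit value, the challenge hash is SHA-256, and all function names are illustrative. ECDSA P-256 verification of the signature over the returned bytes against the root public key is left to a crypto library.

```python
import base64, hashlib, json, struct

MAGIC = b"EXAMPLE-MAGIC"                  # placeholder, 13 bytes; real value is not on this page
PAYLOAD_SIZE = 13 + 33 + 33 + 4 + 8 + 8   # 99 bytes, per the documented layout
NO_EXPIRY = 0

def build_payload(root_pk, access_pk, scope, timestamp_ms, expiry_ms=NO_EXPIRY):
    if len(root_pk) != 33 or len(access_pk) != 33:
        raise ValueError("keys must be 33-byte compressed points")
    # Assumption: big-endian integers, scope as unsigned 32-bit.
    return MAGIC + root_pk + access_pk + struct.pack(">Iqq", scope, timestamp_ms, expiry_ms)

def parse_payload(payload):
    # Reject anything that is not exactly the fixed size with the expected magic.
    if len(payload) != PAYLOAD_SIZE or payload[:13] != MAGIC:
        raise ValueError("bad size or magic")
    scope, timestamp_ms, expiry_ms = struct.unpack(">Iqq", payload[79:])
    return payload[13:46], payload[46:79], scope, timestamp_ms, expiry_ms

def b64url(data):
    # WebAuthn encodes the challenge as unpadded base64url inside clientDataJSON.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def signed_message(payload, authenticator_data, client_data_json, now_ms):
    """Check that the assertion commits to this payload; return the signed bytes."""
    *_, expiry_ms = parse_payload(payload)
    if expiry_ms != NO_EXPIRY and now_ms >= expiry_ms:
        raise ValueError("authorization expired")
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not an authentication assertion")
    # Assumption: challenge = SHA-256(payload).
    if client.get("challenge") != b64url(hashlib.sha256(payload).digest()):
        raise ValueError("challenge does not commit to this payload")
    # The passkey signature covers authenticatorData || SHA-256(clientDataJSON).
    return authenticator_data + hashlib.sha256(client_data_json).digest()
```

A record whose access key, scope or expiry was altered after signing fails the challenge comparison before any signature check is attempted.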