Cordova-Protected-Confirmation plugin for Cordova
This Cordova plugin provides the Protected Confirmation functionality introduced in Android 9 (Pie). Note that Android Protected Confirmation Protected Confirmation may not be supported by all devices running Android Pie but requires a special co-processor in order to work. Also, this plugin only works with Android, at the moment there is no similar API for iOS.
At the time of writing this, only the following devices are supported:
- Google Pixel 3
- Google Pixel 3XL
- Google Pixel 3A
Getting Started
Install with cordova-cli
If you are using cordova-cli, install with:
cordova plugins add https://github.com/Dbof/cordova-protected-confirmation.git
Install with plugman
With plugman and git
installed, you should be able to install it with:
plugman --plugin https://github.com/Dbof/cordova-protected-confirmation.git --platform android --project <directory>
Methods
Every method has a success and an error callback. The success
callback usually returns the requested value, while error
contains an error message for debugging purposes.
cordova.plugin.protectedconfirmation.isSupported(success(supported), error(msg));
cordova.plugin.protectedconfirmation.initKey(success, error(msg), base64_challenge);
cordova.plugin.protectedconfirmation.getCertificateChain(success(chain), error(msg));
cordova.plugin.protectedconfirmation.presentPrompt(success([base64_dataThatWasConfirmed, base64_signature]), error(msg), promptText, base64_extraData);
isSupported
Checks if Protected Confirmation is supported on the current device.
- Success callback argument: true/false
initKey
Creates a new key which will be used to sign the Protected Confirmation message to be confirmed. A base64-encoded challenge should be provided. As a best practice, the attestation server should provide this value and save it to confirm the uniqueness of the key.
- Success callback argument: None
getCertificateChain
Get the attestation certificate chain of your created key. You need to call initKey first in order to create an appropriate key. The certificates use the PEM format (plaintext) and are concatenated with the '|' character. Example:
"-----BEGIN CERTIFICATE-----
MIICkjCCAjagAwIBAgIBATAMBggqhkjOPQQDAgUAMC8xGTAXBgNVBAUTEDkwZThkYTNjYWRmYzc4MjAxEjAQBgNVBAwMCVN0cm9uZ0JveDAeFw03MDAxMDEwMDAwMDBaFw0yODA1MjMyMzU5NTlaMB8xHTAbBgNVBAMMFEFuZHJvaWQgS2V5c3RvcmUgS2V5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESSzblfw5vKUHXYLpdW0OZf17GlYYDzS0SSU6zoqXNK/r3zC9ICi8vKHL3EfAXLJX9ZndFzRT767tJwKh4WyFMqOCAU8wggFLMA4GA1UdDwEB/wQEAwIHgDCCATcGCisGAQQB1nkCAREEggEnMIIBIwIBAwoBAgIBBAoBAgQOTXlLZXlDaGFsbGVuZ2UEADBcv4U9CAIGAW7R6A/Xv4VFTARKMEgxIjAgBBpkZS5mYXUudGYuY3MxLm5vdGFuLmNsaWVudAICJxAxIgQgOlN+NOHxplrRe9QFeunm880GaTVOwat52RI2+koJIpIwgaShBTEDAgECogMCAQOjBAICAQClCDEGAgEEAgEGv4N3AgUAv4N8AgUAv4U+AwIBAL+FQEwwSgQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAKAQIEIDREORG7UGhP1fR0R7uq3fs9S0/hgn5mx2CHcMug8YPrv4VBBQIDAV+Qv4VCBQIDAxSzv4VOBgIEATPvqb+FTwUCAwMUszAMBggqhkjOPQQDAgUAA0gAMEUCIQDmiKSNuYKyFd7NmyKf5AS4NWkgmhsvR6dC3FKqoIym2QIgByjTHS/mtIrpWnXfIAbZQkEhR7rmPGUt5romyAO9Vhk=
-----END CERTIFICATE-----|-----BEGIN CERTIFICATE-----
MIICMDCCAbegAwIBAgIKESM4JDRACGgBcTAKBggqhkjOPQQDAjAvMRkwFwYDVQQFExBjY2QxOGI5YjYwOGQ2NThlMRIwEAYDVQQMDAlTdHJvbmdCb3gwHhcNMTgwNTI1MjMyODUwWhcNMjgwNTIyMjMyODUwWjAvMRkwFwYDVQQFExA5MGU4ZGEzY2FkZmM3ODIwMRIwEAYDVQQMDAlTdHJvbmdCb3gwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATkV0TCsZ+vcIoXK0BLe4q4sQ1veBPE228LqldQCQPCb6IBCpM7rHDgKmsaviWtsA0anJyUpXHTVix0mdIy9Xcno4G6MIG3MB0GA1UdDgQWBBRvsbUxnba4hRW+z8AMdxqP51TqljAfBgNVHSMEGDAWgBS8W8vVecaU3BmPm59nU8zr5mLf3jAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDBUBgNVHR8ETTBLMEmgR6BFhkNodHRwczovL2FuZHJvaWQuZ29vZ2xlYXBpcy5jb20vYXR0ZXN0YXRpb24vY3JsLzExMjMzODI0MzQ0MDA4NjgwMTcxMAoGCCqGSM49BAMCA2cAMGQCMFBzxlbrGJarX+e8d7UfD5M2Br3QxKUFAS1tfGxy9Lw72yfFn8v3jxNyCamglqpw8gIwYkzbZDvx/uU6vXIaB1y0PRGq5Jp5xIgKqUEJvsBuyMN8JdJsfzvHbkYyZUujU/SV
-----END CERTIFICATE-----|…
- Success callback arguments: String with attestation certificate chain
presentPrompt
Shows the actual fullscreen confirmation dialog with a given text. The extraData field should contain some base64-encoded unique data (e.g. a nonce). The extraData is not shown to the user, but included into the signed message that is returned to the application. As a best practice, the extraData should be checked by the remote party against a list of already-used values in order to counter replay attacks. The result includes both the confirmed message and the signature as base64-encoded string.
- Success callback argument: Array[base64_dataThatWasConfirmed, base64_signature]
Example
// errorCallbackvar { if message !== undefined ; else ;} // generate a keycordovapluginprotectedconfirmation; // present promptcordovapluginprotectedconfirmation;
On a connected test device, you can check the logs with the following command:
adb logcat chromium:D SystemWebViewClient:D *:S
License
The Cordova-Protected-Confirmation plugin for Cordova is open-sourced software licensed under the MIT license.