Authentication signing credential
The sample code lets you perform the following tasks to manage an authentication signing credential:
Provisioning the credential
The following sample code initiates the provisioning of an authentication and signing-capable credential. After successful provisioning, the authentication and signing credential object is returned to the mobile application. The authentication and signing object can be used to generate the security code and to retrieve and sign transactions.
The credential prefix (QAMT) provided in this sample is a trial production account-specific value. Contact your Symantec representative for production values when you are ready to move to production implementation.
    // Pass the credential prefix and activationCode to the
    // createCredentialAuthSigning factory method.
    [CredentialFactory createCredentialAuthSigning:@"QAMT"
                                    activationCode:@"12345678"
                                           success:^(id<CredentialProtocol> iRefCredential) {
        // The returned object is the authentication and signing credential.
        CredentialAuthSigning *securityCredential = (CredentialAuthSigning *)iRefCredential;
    } failure:^(NSError *error) {
        // Handle Error
    }];
This code performs the following functions:
- Asynchronously initiates the Authentication Signing Credential provisioning through VIP Services with an activation code and the credential prefix.
- Returns the credential object (securityCredential) as part of the provisioning response in the success callback.
Provisioning the device certificate
To have a device hygiene response signed, you must provision a device certificate for the user's credential. The following sample code provisions a device certificate for the credential. After successful provisioning, the authentication credential object is updated with the device certificate and returned to the mobile application. Store the updated credential object in the VIP SDK or locally in the mobile app.
    // Retrieve the credential from your store or the SDK's Vault using the Vault
    // API, or create a new credential using the Credential Factory APIs.
    Credential *securityCredential = nil;
    if (![securityCredential isDeviceCertificateEnabled]) { // Device certificate is not already provisioned
        [securityCredential provisionDeviceCertificate:^(id<CredentialProtocol> credential) {
            Credential *updatedCredential = (Credential *)credential;
            /* Device certificate provisioning is successful. If you use your own
               vault, you can store this new credential. If you use the vault from
               the CDK, follow the steps below to store the credential by using
               the Vault's storeCredential method. */
            if (self.vault == nil) {
                self.vault = [[Vault alloc] init];
            }
            NSArray *credArray = [NSArray arrayWithObjects:updatedCredential, nil];
            NSError *error = nil;
            BOOL isSuccess = [self.vault storeCredential:credArray error:&error];
            if (isSuccess) {
                // Stored successfully
            }
        } failure:^(NSError *error) {
            // Show Alert
        }];
    }
This sample code performs the following functions:
- Retrieves the credential from the VIP SDK or the local store in the mobile app.
- Asynchronously initiates the device certificate provisioning through VIP Services.
- Updates the credential object (credObject) with the device certificate.
- Returns the credential object as part of the provisioning response to the NetworkListener callback method onReceiveResponse().
- Stores the updated credential object in the VIP SDK.
Saving the credential
The following sample code gets the credential object and saves it:
    NSError *error = nil;
    if (securityCredential != nil) {
        NSArray *credentialArray = [NSArray arrayWithObjects:securityCredential, nil];
        // Store the values in secure storage.
        BOOL isSuccess = [self.vault storeCredential:credentialArray error:&error];
        NSString *credentialId = [securityCredential getCredentialId];
        // Save credentialIds
    }
This code performs the following functions:
- Puts the credential object into an NSArray.
- Saves the array on the mobile device.
- Saves the credential ID of the credential.
If you do not use the Vault interface that Symantec provides, you must use the following code snippet to archive the credential object as NSData. Save this data in encrypted form on the mobile device (for example, in the Keychain).
    Credential *securityCredential = nil; // Set this to the credential object to save
    NSData *myData = nil;
    // The dictionary must be allocated before objects are added to it.
    NSMutableDictionary *dict = [NSMutableDictionary dictionary];
    if (securityCredential != nil) {
        NSString *credentialId = [securityCredential getCredentialId];
        [dict setObject:securityCredential forKey:credentialId];
        myData = [NSKeyedArchiver archivedDataWithRootObject:dict];
        // Store myData (NSData) in the key chain storage.
    }
Restoring the credential and generating a security code
The following sample code retrieves the data from the mobile device, regenerates the credential, and generates a security code.
    CredentialAuthSigning *securityCredential = nil;
    NSMutableArray *credentialArray = [[NSMutableArray alloc] init];
    NSError *error = nil;
    // Restore values from storage
    BOOL success = [self.vault retrieveCredential:credentialId
                                  credentialArray:credentialArray
                                            error:&error];
    if (success && [credentialArray count] > 0) {
        // The first element in the array is the credential object.
        securityCredential = [credentialArray objectAtIndex:0];
        // Obtain the next sequential security code from the credential.
        NSString *code = nil;
        code = [securityCredential getSecurityCode:&error];
    }
This code performs the following functions:
- Retrieves the NSArray that was saved using the previous sample code by specifying the saved credentialID.
- Gets the first element in the array, which is the credential object.
- Calls getSecurityCode. This call obtains the next sequential security code from the credential.
If you do not use the Vault interface that Symantec provides, you must retrieve the Credential Object that was saved in the mobile storage using the previous sample code.
    NSData *credData = nil;
    NSMutableDictionary *query = nil;
    NSString *credId = nil;
    // Get the NSData object of the credential from the keychain into credData,
    // then unarchive the dictionary and look up the credential by its ID.
    NSDictionary *dict = [NSKeyedUnarchiver unarchiveObjectWithData:credData];
    Credential *securityCredential = [dict objectForKey:credId];
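One way to keep the archived credential in the Keychain when you do not use the Vault, covering both the save step (myData) and the restore step (credData) shown above. This is an added example, not Symantec sample code; the service name and the functions CredentialQuery, SaveCredentialData, and LoadCredentialData are hypothetical, and ARC is assumed.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service name for this example; not an SDK value.
static NSString *const kCredentialService = @"com.example.vip.credential";

// Base query that identifies one keychain item per credential ID.
static NSMutableDictionary *CredentialQuery(NSString *credentialId) {
    return [@{ (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kCredentialService,
               (__bridge id)kSecAttrAccount: credentialId } mutableCopy];
}

// Stores the archived credential (myData), replacing any existing item.
// The item is readable only while the device is unlocked and does not
// migrate to another device.
BOOL SaveCredentialData(NSData *archivedCredential, NSString *credentialId) {
    NSMutableDictionary *query = CredentialQuery(credentialId);
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);
    if (status != errSecSuccess && status != errSecItemNotFound) {
        return NO;
    }
    query[(__bridge id)kSecValueData] = archivedCredential;
    query[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)query, NULL) == errSecSuccess;
}

// Returns the archived credential (credData), or nil if the item is missing
// or cannot be read (for example, because the device is locked).
NSData *LoadCredentialData(NSString *credentialId) {
    NSMutableDictionary *query = CredentialQuery(credentialId);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        return nil;
    }
    return (__bridge_transfer NSData *)result;
}
```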
Retrieving and signing the transaction
The Authentication and Signing type credential is capable of retrieving and signing the transaction that is initiated from the VIP member site application to VIP Services. The following code processes the outstanding transaction with VIP Services for the particular credential.
    // The snippet below demonstrates a way of invoking this method.
    [authSigningCredential retrieveTransaction:transactionID
                                       success:^(NSDictionary *transactionDetails) {
        // Parse transactionDetails for the title, displayMsg, rpUrl, timestamp,
        // and expiration parameters.
        // Show UI and get user response. Call completeTransaction as per response.
        [authSigningCredential completeTransaction:transactionDetails
                                          response:userResponse
                            onTransactionCompleted:^(NSError *error) {
            if (error) {
                // Handle Error
            } else {
                NSLog(@"Transaction completed successfully");
            }
        }];
    } failure:^(NSError *error) {
        if (error) {
            // Handle Error
        }
    }];
If the VIP member site application has initiated the authenticate request with the push parameter enforceLocalAuth, the completeTransaction API prompts for device authentication through the application.
If the VIP member site application has initiated the authenticate request with the push parameter includeDeviceInfo, device hygiene parameters are returned.
This code performs the following functions:
- Retrieves the transaction from VIP Services for the provided Transaction ID.
- Parses the transaction details, shows the UI, and gets the user response.
- Calls completeTransaction with the user response.
- Handles errors in the completeTransaction call.
- Handles successful transaction completion.
- Handles errors in the retrieveTransaction call.
Retrieving and signing the transaction with challenge number
The Authentication and Signing type credential is capable of retrieving and signing the transaction that is initiated from the VIP member site application to VIP Services. The following code processes the outstanding transaction with VIP Services for the particular credential.
    // The snippet below demonstrates a way of invoking this method.
    [authSigningCredential retrieveTransaction:transactionID
                                       success:^(NSDictionary *transactionDetails) {
        // Parse transactionDetails for the title, displayMsg, rpUrl, timestamp,
        // and expiration parameters.
        // Parse the isNumbersChallenge value (boolean).
        // Show UI and get user response. Call completeTransaction as per response.
        [authSigningCredential completeTransaction:transactionDetails
                                          response:YES
                                  numbersChallenge:numbersChallenge
                            onTransactionCompleted:^(NSError *error) {
            if (error) {
                // Handle Error
            } else {
                NSLog(@"Transaction completed successfully");
            }
        }];
    } failure:^(NSError *error) {
        if (error) {
            // Handle Error
        }
    }];
If the VIP member site application has initiated the authenticate request with the push parameter enforceLocalAuth, the completeTransaction API prompts for device authentication through the application.
If the VIP member site application has initiated the authenticate request with the push parameter includeDeviceInfo, device hygiene parameters are returned.
This code performs the following functions:
- Retrieves the transaction from VIP Services for the provided Transaction ID.
- Parses the transaction details, shows the UI, and gets the user response.
- Calls completeTransaction with the user response.
- Handles errors in the completeTransaction call.
- Handles successful transaction completion.
- Handles errors in the retrieveTransaction call.
Migrating the authentication credential to authentication signing credential
The following code helps to migrate the Authentication-based credential to Authentication Signing-based credential. After migration, it is recommended that you use the new AuthSigning credential object for further operations on the credential.
    // This call creates a new CredentialAuthSigning object out of this Credential object.
    // It is recommended to null the old Credential object reference and persist
    // the new CredentialAuthSigning object before further use.
    [securityCredential enableSigning:PROV_URL
                              success:^(id<CredentialProtocol> credential) {
        CredentialAuthSigning *authSigningCredential = (CredentialAuthSigning *)credential;
        // Save the credential object authSigningCredential
    } failure:^(NSError *error) {
        // Handle Error
    }];
This code performs the following functions:
- Calls enableSigning to create a CredentialAuthSigning from Credential.
- Gets the CredentialAuthSigning object.
- Saves the CredentialAuthSigning object.
- Handles errors in the enableSigning call.
Synchronizing the time of creation
The following code re-synchronizes the time of creation of the credential with the VIP server time. This functionality must be used when the credential goes out of sync with the VIP server time and generates an invalid security code. The credential may go out of sync with the VIP server time if the time of the mobile device or the VIP server time is changed.
    // Asynchronously initiate the call to VIP Services to fetch the server time.
    [securityCredential resetServerTime:@"https://services.vip.symantec.com/prov"
                                success:^(id<CredentialProtocol> iRefCredential) {
        CredentialAuthSigning *newSecurityCredential = (CredentialAuthSigning *)iRefCredential;
        // Store the credential object newSecurityCredential.
        // Re-generate security code.
    } failure:^(NSError *error) {
        // Handle Error
    }];
This sample code performs the following functions:
- Asynchronously initiates the call to VIP Services to fetch the server time.
- Returns the credential object (newSecurityCredential) with the updated server time as part of the resetServerTime response in the success callback.
- Stores the credential object on the mobile device.
- Re-generates the security code using the new credential object.