Signing credential (Shared-secret based)
The sample code lets you perform the following tasks to manage a signing credential (OCRA):
Provisioning the credential
The following sample code initiates the provisioning of a shared-secret based signing credential. After successful provisioning, the signing credential object is returned to the mobile application and can be used to generate challenge-responses.
The credential prefix (VSCR) used in this sample is a trial production account-specific value. Contact your Symantec representative for production values when you are ready to move to a production implementation.
    // Pass the activation code and the credential prefix to the CredentialSigning
    // factory method. Both callbacks run asynchronously.
    [CredentialFactory createCredentialSigning:@"VSCR"
                                activationCode:@"12345678"
                                       success:^(id<CredentialProtocol> iRefCredential) {
                                           // The provisioned credential arrives here;
                                           // cast it to the signing credential type.
                                           CredentialSigning *signingCredential = (CredentialSigning *) iRefCredential;
                                           // Persist signingCredential (see "Saving the credential").
                                       }
                                       failure:^(NSError *error) {
                                           // Handle Error
                                       }];
This code performs the following functions:
- Asynchronously initiates the Signing Credential provisioning through VIP Services with an activation code and the credential prefix.
- Returns the credential object (signingCredential) as part of the provisioning response in the success callback.
Saving the credential
The following sample code gets the credential object and saves it:
    NSError *error = nil;
    if (signingCredential != nil) {
        NSArray *credentialArray = [NSArray arrayWithObjects:signingCredential, nil];
        // Store the values in secure storage.
        BOOL isSuccess = [self.vault storeCredential:credentialArray error:&error];
        if (isSuccess) {
            NSString *credentialId = [signingCredential getCredentialId];
            // Save credentialId; it is needed to retrieve the credential later.
        } else {
            // Handle error
        }
    }
This code performs the following functions:
- Puts the credential object into an NSArray.
- Saves the array in the Vault's secure storage on the mobile device.
- Saves the credential ID of the credential.
If you do not use the Vault interface that Symantec provides, use the following code snippet to archive the credential object as NSData. The archived data contains the credential's shared secret, so store it only in encrypted form on the mobile device (for example, in the Keychain, with a ThisDeviceOnly accessibility class such as kSecAttrAccessibleWhenUnlockedThisDeviceOnly so that it is not restored onto another device from a backup).
    CredentialSigning *signingCredential = nil; // assign the credential returned by provisioning
    NSData *myData = nil;
    // The dictionary must be allocated; setObject:forKey: on nil is silently ignored.
    NSMutableDictionary *dict = [NSMutableDictionary dictionary];
    if (signingCredential != nil) {
        NSString *credentialId = [signingCredential getCredentialId];
        [dict setObject:signingCredential forKey:credentialId];
        myData = [NSKeyedArchiver archivedDataWithRootObject:dict];
        // Store myData (NSData) in the keychain.
    }
Restoring the credential and generating a challenge-response
The following sample code retrieves the data from the mobile device, regenerates the credential, and generates a challenge-response based on the challenge that is set by the mobile application.
    CredentialSigning *signingCredential = nil;
    NSMutableArray *credentialArray = [[NSMutableArray alloc] init];
    NSError *error = nil;
    // Restore values from storage
    BOOL success = [self.vault retrieveCredential:credentialId
                                  credentialArray:credentialArray
                                            error:&error];
    if (success) {
        signingCredential = [credentialArray objectAtIndex:0];
        // Hex challenge for a QH40 suite, numeric challenge otherwise
        if ([[signingCredential getCredentialType] hasSuffix:@"QH40"]) {
            success = [signingCredential setChallengeHex:challengeHex error:&error];
        } else {
            success = [signingCredential setChallengeNum:challengeNum error:&error];
        }
        NSString *chalRes = nil;
        if (success) {
            chalRes = [signingCredential getChallengeResponse:&error];
        }
        // chalRes is nil on failure; inspect error
    }
This code performs the following functions:
- Retrieves the NSArray that was saved using the previous sample code by specifying the saved credential ID.
- Gets the first element in the array, which is the credential object.
- Sets the challenge for the Signing Credential: a hexadecimal challenge if the credential type ends with QH40 (an OCRA suite that accepts a hex challenge of up to 40 hex digits), otherwise a numeric challenge.
- Calls getChallengeResponse on the Signing Credential, which uses the challenge that was set in the previous call.
If you do not use the Vault interface that Symantec provides, you must retrieve from device storage the NSData that was saved using the previous sample code, unarchive it, and look up the credential object by its credential ID.
    NSData *credData = nil;
    NSDictionary *dict = nil;
    NSString *credId = nil;
    CredentialSigning *signingCredential = nil;
    // Get the NSData object of the credential from the keychain into credData
    dict = [NSKeyedUnarchiver unarchiveObjectWithData:credData];
    signingCredential = [dict objectForKey:credId];
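The challenge-response that getChallengeResponse returns is an OCRA (RFC 6287) computation: an HMAC over the suite name, a separator byte and the challenge, keyed with the credential's shared secret and truncated like an HOTP code. The SDK never exposes its suite or secret, so the following is an added example written for this page, not VIP SDK code. It implements the challenge-only OCRA DataInput in Python, dispatches on a QN (numeric) or QH (hex) suite the way the hasSuffix:@"QH40" branch above does, and checks itself against the RFC 6287 Appendix C test vector; the suite OCRA-1:HOTP-SHA1-6:QN08, the 20-byte key "12345678901234567890" and the challenges are the RFC's constructed test inputs, not values from this page.

```python
"""OCRA (RFC 6287) one-way challenge-response, as a signing credential computes it.

Added example for this page, not VIP SDK code. The suite, key and challenges
below are the RFC 6287 Appendix C test vector, not values from the SDK.
"""
import hashlib
import hmac
import re

# RFC 6287 "Standard 20Byte" key: ASCII "12345678901234567890" (constructed test input)
RFC_TEST_KEY = bytes.fromhex("3132333435363738393031323334353637383930")

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
_SUITE_RE = re.compile(r"OCRA-1:HOTP-(SHA1|SHA256|SHA512)-(\d+):Q([NH])(\d\d)")


def parse_suite(suite: str):
    """Return (hash constructor, digits, question format, max challenge length).

    Only challenge-only suites (no counter, PIN, session or timestamp field)
    are accepted, so an unexpected suite fails loudly instead of being hashed
    over the wrong DataInput layout.
    """
    m = _SUITE_RE.fullmatch(suite)
    if m is None:
        raise ValueError(f"unsupported OCRA suite: {suite!r}")
    return _HASHES[m.group(1)], int(m.group(2)), m.group(3), int(m.group(4))


def challenge_to_hex(fmt: str, challenge: str, max_len: int) -> str:
    """Encode the challenge as RFC 6287 does: QN is the decimal value in hex, QH is hex as-is."""
    if len(challenge) == 0 or len(challenge) > max_len:
        raise ValueError(f"challenge length must be 1..{max_len}")
    if fmt == "N":
        if not challenge.isdigit():
            raise ValueError("numeric challenge must be decimal digits")
        return format(int(challenge, 10), "X")
    if not re.fullmatch(r"[0-9A-Fa-f]+", challenge):
        raise ValueError("hex challenge must be hex digits")
    return challenge.upper()


def data_input(suite: str, question_hex: str) -> bytes:
    """DataInput = {OCRASuite} || 0x00 || {Q}, with Q right-padded with zeros to 128 bytes."""
    return suite.encode("ascii") + b"\x00" + bytes.fromhex(question_hex.ljust(256, "0"))


def hotp_truncate(digest: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226 section 5.3, zero-padded to the requested digits."""
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_challenge(suite: str, key: bytes, challenge: str) -> str:
    """Compute the OCRA response, dispatching on QN/QH like the SDK's hasSuffix check."""
    hash_ctor, digits, fmt, max_len = parse_suite(suite)
    q_hex = challenge_to_hex(fmt, challenge, max_len)
    mac = hmac.new(key, data_input(suite, q_hex), hash_ctor).digest()
    return hotp_truncate(mac, digits)


if __name__ == "__main__":
    for q in ("00000000", "11111111", "22222222"):
        print(q, sign_challenge("OCRA-1:HOTP-SHA1-6:QN08", RFC_TEST_KEY, q))
```

The suite string is part of the MAC input, so a hex suite and a numeric suite give different responses for the same underlying challenge value; the server side must verify with exactly the suite, secret and challenge encoding the credential was provisioned with, and a challenge longer than the suite's declared maximum is rejected rather than silently truncated.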