Time-based credential
The sample code lets you perform the following tasks to manage a time-based credential:
Provisioning the credential
The following sample code provisions a time-based credential. After successful provisioning, the time-based credential object is returned to the mobile application, which can be used for generating the security code.
The credential prefix (QAMT) provided in this sample is a trial production account-specific value. Contact your Symantec representative for production values when you are ready to move to production implementation.

    // Pass the activation code and the credential prefix to the
    // createTimeBasedCredential factory method.
    [CredentialFactory createTimeBasedCredential:@"QAMT"
                                  activationCode:@"12345678"
                                         success:^(id<CredentialProtocol> iRefCredential) {
        Credential *securityCredential = (Credential *)iRefCredential;
    } failure:^(NSError *error) {
        // Handle Error
    }];

This code performs the following functions:
- Asynchronously initiates the time-based credential provisioning through VIP Services with an activation code and the credential prefix.
- Credential object (securityCredential) is returned as part of the provisioning response in the success callback.
Provisioning the device certificate
To have a device hygiene response signed, you must provision a device certificate for the user's credential. The following sample code provisions a device certificate for the credential. After successful provisioning, the authentication credential object is updated with the device certificate and returned to the mobile application. Store the updated credential object in the VIP SDK or locally in the mobile app.

    // Retrieve the credential from your store or the SDK Vault using the Vault API,
    // or create a new credential using the Credential Factory APIs.
    Credential *securityCredential = nil;
    if (![securityCredential isDeviceCertificateEnabled]) {
        // The device certificate is not already provisioned.
        [securityCredential provisionDeviceCertificate:^(id<CredentialProtocol> credential) {
            Credential *securityCredential = (Credential *)credential;
            /* Device certificate provisioning is successful.
               If you use your own vault, you can store this new credential.
               If you use the vault from the CDK, follow the steps below to store
               the credential by using the Vault's storeCredential method. */
            if (self.vault == nil) {
                self.vault = [[Vault alloc] init];
            }
            NSArray *credArray = [NSArray arrayWithObjects:credential, nil];
            NSError *error = nil;
            BOOL isSuccess = [self.vault storeCredential:credArray error:&error];
            if (isSuccess) {
                // Stored successfully
            }
        } failure:^(NSError *error) {
            // Show Alert
        }];
    }

This sample code performs the following functions:
- Retrieves the credential from the VIP SDK or the local store in the mobile app.
- Asynchronously initiates the device certificate provisioning through VIP Services.
- Updates the credential object (credObject) with the device certificate.
- Returns the credential object as part of the provisioning response to the NetworkListener callback method onReceiveResponse().
- Stores the updated credential object in the VIP SDK.
Saving the credential
The following sample code gets the credential object and saves it:

    NSError *error = nil;
    if (securityCredential != nil) {
        NSArray *credentialArray = [NSArray arrayWithObjects:securityCredential, nil];
        // Store the values in secure storage.
        BOOL isSuccess = [self.vault storeCredential:credentialArray error:&error];
        NSString *credentialId = [securityCredential getCredentialId];
        // Save the credential ID.
    }

This code performs the following functions:
- Puts the credential object into an NSArray.
- Saves the array on the mobile device.
- Saves the credential ID of the credential.
If you do not use the Vault interface that Symantec provides, you must use the following code snippet to serialize the credential object as NSData. Save this data in encrypted form on the mobile device (for example, in the Keychain).

    Credential *securityCredential = nil; // The credential object to save
    NSData *myData = nil;
    // The dictionary must be allocated before the credential is added to it.
    NSMutableDictionary *dict = [NSMutableDictionary dictionary];
    if (securityCredential != nil) {
        NSString *credentialId = [securityCredential getCredentialId];
        [dict setObject:securityCredential forKey:credentialId];
        myData = [NSKeyedArchiver archivedDataWithRootObject:dict];
        // Store myData (NSData) in the Keychain storage.
    }

Restoring the credential and generating a security code
The following sample code retrieves the data from the mobile device, regenerates the credential, and generates a security code.

    Credential *securityCredential = nil;
    NSMutableArray *credentialArray = [[NSMutableArray alloc] init];
    NSError *error = nil;
    // Restore values from storage, using the credential ID saved earlier.
    BOOL success = [self.vault retrieveCredential:credentialId
                                  credentialArray:credentialArray
                                            error:&error];
    if (success) {
        securityCredential = [credentialArray objectAtIndex:0];
        NSString *code = nil;
        code = [securityCredential getSecurityCode:&error];
    }

This code performs the following functions:
- Retrieves the NSArray that was saved using the previous sample code by specifying the saved credentialID.
- Gets the first element in the array, which is the credential object.
- Calls getSecurityCode. This call obtains the next sequential security code from the credential.
If you do not use the Vault interface that Symantec provides, you must retrieve the CredentialTimeBased object that was saved in the mobile storage using the previous sample code.

    NSData *credData = nil;  // Get the NSData object of the credential from the Keychain
    NSString *credId = nil;  // The credential ID saved earlier
    NSDictionary *dict = [NSKeyedUnarchiver unarchiveObjectWithData:credData];
    Credential *securityCredential = [dict objectForKey:credId];

Synchronizing the time of creation
The following code re-synchronizes the time of creation of the credential with the VIP server time. This functionality must be used when the credential goes out of sync with the VIP server time and starts generating invalid security codes. The credential may go out of sync if the time of the mobile device or the VIP server time is changed.

    // Asynchronously initiate the call to VIP Services to fetch the server time.
    [securityCredential resetServerTime:@"https://services.vip.symantec.com/prov"
                                success:^(id<CredentialProtocol> iRefCredential) {
        Credential *newSecurityCredential = (Credential *)iRefCredential;
        // Store the credential object newSecurityCredential.
        // Re-generate security code.
    } failure:^(NSError *error) {
        // Handle Error
    }];

This sample code performs the following functions:
- Asynchronously initiates the call to VIP Services to fetch the server time.
- Credential object (newSecurityCredential) with the updated server time is returned as part of the resetServerTime response in the success callback.
- Stores the credential object on the mobile device.
- Re-generates the security code using the new credential object.