- 19 Oct 2024
- 6 Minutes to read
- DarkLight
Transaction data signing
- Updated on 19 Oct 2024
- 6 Minutes to read
- DarkLight
For more information about the transaction data signing mechanism, refer to the Mobile Authenticator Studio Product Guide.
Listing transactions to sign
With transaction data signing enabled, Mobile Authenticator Studio is able to retrieve a list of transactions on user demand, and sign each transaction locally. The signature is then sent back to a server for validation.
Listing pending transactions (overview)
Integrating transaction data signing involves the following steps:
The app submits an HTTP(S) request to the integrator back-end system. The request contains a one-time password (OTP) to authenticate the issuer.
The integrator validates the OTP.
On successful authentication, the list of pending transactions can be retrieved from the database.
The response that contains the transaction list is sent back to the app.
Transaction list request
The request sent by Mobile Authenticator Studio is configured in the TransactionList section of the configuration file:
The URL can use the HTTP POST or GET methods. For more information about URL customization, refer to the Mobile Authenticator Studio Customization Guide.
Parameter name | Description |
---|---|
SerialNumber | The authenticator serial number. Format: Alphanumeric string, 10 characters |
RegistrationIdentifier | The identifier provided by the user via the online activation screen of the Mobile Authenticator Studio app. Format: Alphanumeric string, limited to 40 characters |
UserIdentifier | The extra user identifier that has been set during activation. Format: Alphanumeric string, limited to 40 characters |
OTP | The OTP generated by the cryptographic application defined by the authenticationCryptoAppIndex attribute of the TransactionDataSigningAction element. Format: Hexadecimal string, limited to 16 characters |
Version | The version of the application binary as defined when configuring the app. |
DeviceIdentifier | The device-unique identifier. Format: String of 64 hexadecimal characters |
Transaction list response
The transaction content can be used for a standard transaction (i.e. with up to 8 data fields) or a Secure Channel transaction.
The response expected by Mobile Authenticator Studio must be formatted as described in the DTD:
<!ELEMENT DP4Mobile (Activation?,PendingTransactions?)>
<!ATTLIST DP4Mobile retCode CDATA #REQUIRED>
<!ATTLIST DP4Mobile message CDATA #REQUIRED>
<!ATTLIST DP4Mobile serverTime CDATA #IMPLIED>
<!ELEMENT PendingTransactions (Transaction*)>
<!ELEMENT Transaction (Item*)>
<!ATTLIST Transaction identifier CDATA #REQUIRED>
<!ATTLIST Transaction name CDATA #REQUIRED>
<!ATTLIST Transaction secureChannelMessage CDATA #IMPLIED>
<!ELEMENT Item EMPTY>
<!ATTLIST Item value CDATA #REQUIRED>
<!ATTLIST Item dtfIndex (1|2|3|4|5|6|7|8) #IMPLIED>
<!ATTLIST Item hidden (true|false) #IMPLIED>
<!ATTLIST Item align (left|right|center) #IMPLIED>
<!ATTLIST Item bold (true|false) #IMPLIED>
<!ATTLIST Item italic (true|false) #IMPLIED>
If the transaction content is used for a standard transaction, the secureChannelMessage attribute must be empty.
Example
<?xml version="1.0" encoding="UTF-8"?>
<DP4Mobile retCode="0" message="Operation Successful" >
<PendingTransactions>
<Transaction identifier="795ba1121281608b84a8000"
name="Transaction 1">
<Item value="Amount" bold="true" align="center" />
<Item value="123" dtfIndex="1" />
<Item value="" />
<Item value="Destination" italic="true" />
<Item value="456" dtfIndex="2" />
<Item value="789" hidden="true" dtfIndex="3" />
</Transaction>
<Transaction identifier="3456426341316aec21ef0190" name="Transaction 2" >
<Item value="Amount" bold="true" align="center" />
<Item value="111" dtfIndex="1" />
<Item value="Destination" italic="true" />
<Item value="222" dtfIndex="2" />
<Item value="333" hidden="true" dtfIndex="3" />
</Transaction>
</PendingTransactions>
</DP4Mobile>
If the transaction content is used for a Secure Channel transaction, no item element must be present.
Example
<?xml version="1.0" encoding="UTF-8"?>
<DP4Mobile retCode="0" message="Operation Successful" >
<PendingTransactions>
<Transaction identifier="795ba1121281608b84a8000" name="Transaction 1" secureChannelMessage="00C1C...E74AE" />
<Transaction identifier="3456426341316aec21ef0190" name="Transaction 2" secureChannelMessage="00C1C...E74AE" />
</PendingTransactions>
</DP4Mobile>
Attribute name | Description |
---|---|
//DP4Mobile/@retCode | Required. The return code associated with the transaction list request. 0 means success, any other value will cause the message attribute value to be displayed and the list transaction to stop. |
//DP4Mobile/@message | Required. The return message associated with the transaction list request. This value will be displayed by the app if not 0. |
//DP4Mobile/@serverTime | Optional. This is the current server GMT time. This value will be used by the app to silently set the drift between device and server time to keep the app synchronized. |
//Transaction/@identifier | The unique identifier of a transaction. It is not displayed, but only used to uniquely trace a transaction during the signing process. Format: Alphanumeric string |
//Transaction/@name | The name of the transaction as displayed on the device. Format: Alphanumeric string |
//Transaction /@secureChannelMessage | The Secure Channel message. This parameter is mandatory for Secure Channel transactions, but must not be present for standard transaction. Format: Hexadecimal string |
Each transaction contains a list of items that will be displayed in the app. Each item has a number of attributes. For Secure Channel transactions, no item must be present.
Attribute name | Description |
---|---|
//Item/@value | The text as displayed on the device. Format: Alphanumeric string |
//Item/@bold | Indicates whether the text is in bold. |
//Item/@align | Indicates whether the text is in left-, center-, or right-aligned. |
//Item/@italic | Indicates whether the text is in italics. |
//Item/@dtfIndex | Indicates whether the item value is signed as a data field. If omitted, the text is not signed. |
//Item/@hidden | Indicates whether the text is visible. |
Validating transactions
Internal transaction validation
Internal transaction validation (overview)
Once Mobile Authenticator Studio has signed the content of a transaction, it can manage the validation of the transaction inside the app by connecting to a web service. The web service must be able to validate the signature of a transaction identified by its unique transaction identifier.
The request sent by Mobile Authenticator Studio is configured in the TransactionValidation section of the configuration file:
The URL can use the HTTP POST or GET methods. For more information about URL customization, refer to the Mobile Authenticator Studio Customization Guide.
Parameter name | Description |
---|---|
SerialNumber | The authenticator serial number. Format: Alphanumeric string, 10 characters |
RegistrationIdentifier | The identifier provided by the user via the online activation screen of the Mobile Authenticator Studio app. Format: Alphanumeric string, limited to 40 characters |
UserIdentifier | The extra user identifier that has been set during activation. Format: Alphanumeric string, limited to 40 characters |
OTP | The signature generated by the cryptographic application defined by the signatureCryptoAppIndex attribute of the TransactionDataSigningAction element. |
TransactionIdentifier | The unique identifier of a transaction. Format: Alphanumeric string |
Version | The version of the application binary as defined when configuring the app. |
DeviceIdentifier | The device-unique identifier. Format: String of 64 hexadecimal characters |
The response expected by Mobile Authenticator Studio must be formatted as described in the DTD:
<!ELEMENT DP4Mobile (Activation?,PendingTransactions?)>
<!ATTLIST DP4Mobile retCode CDATA #REQUIRED>
<!ATTLIST DP4Mobile message CDATA #REQUIRED>
<!ATTLIST DP4Mobile serverTime CDATA #IMPLIED>
<!ATTLIST DP4Mobile confirmationCode CDATA #IMPLIED>
Example
<?xml version="1.0" encoding="UTF-8"?>
<DP4Mobile retCode="0" message="Operation Successful" confirmationCode="123456" >
<PendingTransactions/>
</DP4Mobile>
A confirmation code attribute can be added to the response. It will be displayed by the app together with the message.
Attribute name | Description |
---|---|
//DP4Mobile/@retCode | Required. The return code associated with the transaction validation request. 0 means success, any other value will cause the message attribute value to be displayed and the transaction data signing process to stop. |
//DP4Mobile/@message | Required. The return message associated with the transaction validation request. This value will be displayed by the app if not empty. |
//DP4Mobile/@serverTime | Optional. This is the current server GMT time. This value will be used by the app to silently set the drift between device and server time to keep the app synchronized. |
//DP4Mobile/@confirmationCode | Optional. The server return host code. If provided, it will be displayed along with the message. |
Rejecting transactions
Transaction rejection (overview)
The user can reject a transaction. When a transaction is rejected, no signature will be generated and the transaction will be removed from the list of pending transactions. Transaction rejection is managed by connecting to a web service.
The request sent by Mobile Authenticator Studio is configured for every TransactionDataSigningAction element of the configuration file:
The URL can use the HTTP POST or GET methods. For more information about URL customization, refer to the Mobile Authenticator Studio Customization Guide.
Parameter name | Description |
---|---|
SerialNumber | The authenticator serial number. Format: Alphanumeric string, 10 characters |
RegistrationIdentifier | The identifier provided by the user via the online activation screen of the Mobile Authenticator Studio app. Format: Alphanumeric string, limited to 40 characters |
UserIdentifier | The extra user identifier that has been set during activation. Format: Alphanumeric string, limited to 40 characters |
TransactionIdentifier | The unique identifier of a transaction. Format: Alphanumeric string |
Version | The version of the application binary as defined when configuring the app. |
DeviceIdentifier | The device-unique identifier. Format: String of 64 hexadecimal characters |
Transaction rejection is only available for Android and iOS.
The response expected by Mobile Authenticator Studio must be formatted as described in the DTD:
<!ELEMENT DP4Mobile (Activation?,PendingTransactions?)>
<!ATTLIST DP4Mobile retCode CDATA #REQUIRED>
<!ATTLIST DP4Mobile message CDATA #REQUIRED>
<!ATTLIST DP4Mobile serverTime CDATA #IMPLIED>
Example
<?xml version="1.0" encoding="UTF-8"?>
<DP4Mobile retCode="0" message="Operation Successful" >
<PendingTransactions />
</DP4Mobile>
A confirmation code attribute can be added to the response. It will be displayed by the application along with the message.
Attribute name | Description |
---|---|
//DP4Mobile/@retCode | Required. The return code associated with the transaction rejection request. 0 means success, any other value will cause the message attribute value to be displayed and the transaction data signing process to stop. |
//DP4Mobile/@message | Required. The return message associated with the transaction rejection request. This value will be displayed by the app if not empty. |
//DP4Mobile/@serverTime | Optional. This is the current server GMT time. This value will be used by the app to silently set the drift between device and server time to keep the app synchronized. |