Manual Adjudication and Verification
When biometric duplicates are found in ABIS, the MOSIP system sends a request for manual adjudication to the Manual Adjudication System via a queue.
The system integrator can build the Manual Adjudication System, which listens to the MOSIP-to-ManualAdjudication queue for manual adjudication requests and sends a response back in the ManualAdjudication-to-MOSIP system after verifying the data.
The data sent to the Manual Adjudication System is driven by a policy defined in MOSIP, and the specification is similar to the ABIS identify request.
The manual adjudication stage in registration processor performs the following functions:
• Sends the applicant's demographic and biometric information (via queue + Datashare) to the Manual Adjudication System (MAS).
• Receives the decision from MAS and forwards the packets accordingly.
• If rejected, notifies the applicant.
Manual Adjudication request to Queue is as follows:
Request parameters
requestId: request_id that is associated with each request present in the reg_manual_verification table.
referenceId: reg_id that is associated with each request present in the reg_manual_verification table.
referenceURL: Datashare URL of the biometrics, demographics (identity), audits, metainfo and documents of the reg_id.
gallery: contains the matched ref_id and the referenceURL of the matched ref_id.
Sample request
Manual adjudication response structure from MAS
Response parameters
returnValue: 1-Success, 2-Failure
candidateList: contains the matched candidate referenceIds, count and analytics.
Scenario: No match
Response structure - Not Matched (No Duplicate Profile found)
Scenario: There are matches
Response structure
Datashare structure
Datashare contains the biometrics, identity documents, metainfo and audits related to a particular RID, and the datashare URL contains the encrypted form of this data.
Note: Datashare is encrypted using the partner key, and decryption in MAS uses the private key of that partner.
Sample Request URL
GET https://datashare-service/v1/datashare/get/mpolicy-default-adjudication/mpartner-default-adjudication/mpartner-default-adjudicationmpolicy-default-adjudication202011110619201EpLEjvD
Sample Encrypted Response
The structure of the encrypted data downloaded from referenceURL in MOSIP 1.2.0 or later versions is as follows. The downloaded data is URL-safe base64 encoded. After decoding, the data is in the format below and is divided into two parts by splitting on #KEY_SPLITTER#.
Block 1
#KEY_SPLITTER#
Block 2
Block 1:
Block 1, i.e. the encrypted key data, is again split into three parts:
• The 1st part is VER_BYTES (version bytes). The current version constant is set as VER_R2 and is present in the first 6 bytes of Block 1.
• The 2nd part is the Certificate Thumbprint, i.e. the key identifier, which is present in the next 32 bytes after VER_BYTES.
• The 3rd part is the Encrypted Random AES Key, encrypted with RSA OAEP - SHA256-MGF1. This constitutes the remaining 256 bytes of Block 1.
Block 2:
Block 2, i.e. the encrypted actual data, is again split into two parts:
• The 1st part is the random 32 bytes used as AAD in AES encryption (first 32 bytes). The first 12 bytes of this 32-byte AAD are the IV/Nonce.
• The 2nd part is the encrypted data, which is encrypted using AES GCM PKCS5Padding.
The structure of the encrypted data downloaded from referenceURL in MOSIP 1.1.5.5 or prior versions is as follows.
The downloaded data is base64 encoded. After decoding, the data is in the format below and is divided into two parts by splitting on #KEY_SPLITTER#.
Block 1
#KEY_SPLITTER#
Block 2
Block 1:
Block 1, i.e. the encrypted key data, is again split into two parts:
• The 1st part is the Certificate Thumbprint, i.e. the key identifier, which is the first 32 bytes of Block 1.
• The 2nd part is the Encrypted Random AES Key, which is encrypted with RSA OAEP - SHA256-MGF1. This constitutes the remaining 256 bytes of Block 1.
Block 2:
Block 2, i.e. the encrypted actual data, is again split into two parts:
• The 1st part is the encrypted data, encrypted using AES GCM PKCS5Padding.
• The 2nd part is the IV/Nonce, i.e. the last 32 bytes appended after the encrypted data.
Sample response in case of Authentication Failure
Possible Error Codes and messages from Datashare URL
DAT-SER-003: File does not exist or File is empty
DAT-SER-006: Data share not found
DAT-SER-006: Data share usage expired
KER-ATH-401: Authentication failed
KER-ATH-403: Forbidden
Policy structure
partner Id: mpartner-default-adjudication
policy Id: mpolicy-default-adjudication
Configuration used in Manual adjudication
In registration-processor-default.properties, the possible error codes are as follows:
RPR-MVS-000: manual verification failed
RPR-MVS-001: Registration Id should not empty or null
RPR-MVS-002: No matched reference id found for given RID
RPR-MVS-025: Manual adjudication failed
RPR-MVS-022: Registration Id should not empty or null
RPR-MVS-022: TablenotAccessibleException in Manual verification
RPR-MVS-021: Manual verification rejected
RPR-MVS-025: Manual verification resend to queue
RPR-SYS-012: IO EXCEPTION
Verification
This stage is applicable only if the required biometrics are not present in the packet as per country configuration.
• Sends the applicant's demographic documents (via queue + Datashare) to the external Verification System (VS).
• Receives the decision from VS and forwards the packets accordingly.
• If rejected, notifies the applicant.
Verification request to Queue is as follows:
requestId: verification_request_id that is associated with each request present in the reg_verification table.
referenceId: reg_id that is associated with each request present in the reg_verification table.
referenceURL: Datashare URL of the biometrics, demographics (identity), audits, metainfo and documents of the reg_id.
Sample request
Sample Response
Response parameters
returnValue: 1-success, 2-failure
Datashare structure
Datashare contains the biometrics, identity, documents, metainfo and audits related to a particular RID, and the datashare URL contains the encrypted form of this data.
Note: Datashare is encrypted using the partner key, and decryption in MAS uses the private key of that partner.
Sample request URL
GET https://datashare-service/v1/datashare/get/mpolicy-default-adjudication/mpartner-default-adjudication/mpartner-default-adjudicationmpolicy-default-adjudication202011110619201EpLEjvD
Sample Encrypted Response
The structure of the encrypted data downloaded from referenceURL in MOSIP 1.2.0 or later versions is as follows. The downloaded data is URL-safe base64 encoded. After decoding, the data is in the format below and is divided into two parts by splitting on #KEY_SPLITTER#.
Block 1
#KEY_SPLITTER#
Block 2
Block 1:
Block 1, i.e. the encrypted key data, is again split into three parts:
• The 1st part is VER_BYTES (version bytes). The current version constant is set as VER_R2 and is present in the first 6 bytes of Block 1.
• The 2nd part is the Certificate Thumbprint, i.e. the key identifier, which is present in the next 32 bytes after VER_BYTES.
• The 3rd part is the Encrypted Random AES Key, encrypted with RSA OAEP - SHA256-MGF1. This constitutes the remaining 256 bytes of Block 1.
Block 2:
Block 2, i.e. the encrypted actual data, is again split into two parts:
• The 1st part is the random 32 bytes used as AAD in AES encryption (first 32 bytes). The first 12 bytes of this 32-byte AAD are the IV/Nonce.
• The 2nd part is the encrypted data, which is encrypted using AES GCM PKCS5Padding.
The structure of the encrypted data downloaded from referenceURL in MOSIP 1.1.5.5 or prior versions is as follows.
The downloaded data is base64 encoded. After decoding, the data is in the format below and is divided into two parts by splitting on #KEY_SPLITTER#.
Block 1
#KEY_SPLITTER#
Block 2
Block 1:
Block 1, i.e. the encrypted key data, is again split into two parts:
• The 1st part is the Certificate Thumbprint, i.e. the key identifier, which is the first 32 bytes of Block 1.
• The 2nd part is the Encrypted Random AES Key, which is encrypted with RSA OAEP - SHA256-MGF1. This constitutes the remaining 256 bytes of Block 1.
Block 2:
Block 2, i.e. the encrypted actual data, is again split into two parts:
• The 1st part is the encrypted data, encrypted using AES GCM PKCS5Padding.
• The 2nd part is the IV/Nonce, i.e. the last 32 bytes appended after the encrypted data.
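
The two layouts above, which apply to both the Manual Adjudication and the Verification datashare, can be parsed as in the following added example (not MOSIP's own code). It rejects bodies whose block lengths do not match the description before any key material is touched; DatasharePacket, parse_datashare and constructed_sample are hypothetical names, and the RSA-OAEP unwrap and AES-GCM decryption with the partner's private key are left to a crypto library.

```python
import base64
from dataclasses import dataclass
from typing import Optional

KEY_SPLITTER = b"#KEY_SPLITTER#"
VER_R2 = b"VER_R2"            # 6-byte version constant (1.2.0 or later)
THUMB_LEN, RSA_LEN = 32, 256  # thumbprint and encrypted-AES-key sizes from the page
AAD_LEN, NONCE_LEN, LEGACY_IV_LEN = 32, 12, 32

@dataclass
class DatasharePacket:
    version: Optional[bytes]  # None for the 1.1.5.5-or-prior layout
    thumbprint: bytes         # identifies which partner key to use
    encrypted_key: bytes      # random AES key encrypted with RSA OAEP
    aad: bytes                # empty for the legacy layout
    nonce: bytes
    ciphertext: bytes

def parse_datashare(payload: str) -> DatasharePacket:
    """Split a downloaded datashare body into its fields, rejecting bad lengths."""
    # Map the URL-safe alphabet onto the standard one so both encodings decode.
    text = payload.strip().replace("-", "+").replace("_", "/")
    raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    block1, sep, block2 = raw.partition(KEY_SPLITTER)
    if not sep:
        raise ValueError("missing #KEY_SPLITTER#")
    if block1.startswith(VER_R2) and len(block1) == len(VER_R2) + THUMB_LEN + RSA_LEN:
        version, key_part = VER_R2, block1[len(VER_R2):]
        if len(block2) <= AAD_LEN:
            raise ValueError("Block 2 too short")
        aad, ciphertext = block2[:AAD_LEN], block2[AAD_LEN:]
        nonce = aad[:NONCE_LEN]  # first 12 bytes of the AAD
    elif len(block1) == THUMB_LEN + RSA_LEN:
        version, key_part, aad = None, block1, b""
        if len(block2) <= LEGACY_IV_LEN:
            raise ValueError("Block 2 too short")
        ciphertext, nonce = block2[:-LEGACY_IV_LEN], block2[-LEGACY_IV_LEN:]
    else:
        raise ValueError(f"unexpected Block 1 length {len(block1)}")
    return DatasharePacket(version, key_part[:THUMB_LEN], key_part[THUMB_LEN:],
                           aad, nonce, ciphertext)

def constructed_sample(legacy: bool = False) -> str:
    """Constructed filler bytes in the documented layout; not real MOSIP output."""
    thumb, wrapped, data = b"\x11" * 32, b"\x22" * 256, b"\x33" * 40
    if legacy:
        raw = thumb + wrapped + KEY_SPLITTER + data + b"\x44" * 32
        return base64.b64encode(raw).decode()
    raw = VER_R2 + thumb + wrapped + KEY_SPLITTER + bytes(range(32)) + data
    return base64.urlsafe_b64encode(raw).decode()
```

Compare the parsed thumbprint with the thumbprint of the partner certificate held by the MAS or VS before attempting to decrypt the key, and treat any ValueError as a malformed download.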
Sample Response in case of Authentication Failure
Possible Error codes and Messages from Datashare URL
DAT-SER-003: File does not exists or File is empty
DAT-SER-006: Data share not found
DAT-SER-006: Data share usage expired
KER-ATH-401: Authentication Failed
KER-ATH-403: Forbidden
Policy structure
partner Id: mpartner-default-adjudication
policy Id: mpolicy-default-adjudication
Configuration used in Verification
Error Codes
RPR-MVS-004: No Assigned Record Found
RPR-MVS-025: Multiple rids found for a reference id
RPR-MVS-022: TablenotAccessibleException in Manual verification
RPR-VER-002: Verification failed
RPR-VER-004: Resend for verification
RPR-MVS-016: Reg Id should not be null or empty
RPR-MVS-021: Manual verification rejected