Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Integrate and manage biometric components with MOSIP using standard interfaces, supported modalities, and compatibility guidelines.
MOSIP platform integrates with the following biometric key components:
Biometric devices - Captures biometric data (fingerprint, iris, and face) for registration and authentication.
ABIS - Facilitates biometric de-duplication and identification to ensure uniqueness and prevent identity fraud.
Biometric SDK - Provides integration tools for biometric data capture, processing, and quality checks.
All biometric components must comply with MOSIP's standard interfaces. Compatibility can be verified using the provided test kits.
Vendors supplying biometric systems are recognized as MOSIP Partners.
MOSIP supports the following biometric modalities:
Fingerprint - Defines fingerprint capture and authentication device specifications per ISO 19794-4:2011, covering resolution, image quality, compression, and operational standards.
Iris - Outlines iris capture and authentication device specifications per ISO 19794-6:2011, detailing resolution, image quality, compression, and operational standards.
Face - Defines face capture and authentication device specifications per ISO 19794-5:2011, covering camera quality, image standards, compression, and operational requirements.
Providing a unique identity for a resident is one of the key features of any identity platform. To achieve this, MOSIP interfaces with an Automated Biometric Identification System (ABIS) to perform the de-duplication of a resident's biometric data.
The ABIS system never learns about residents' identities. Any Personally Identifiable Information (PII), such as demographic details or an applicant's AID (application ID), is not shared with the ABIS system. Internally, MOSIP maintains a mapping between the ABIS-specific reference ID and the AID of the resident.
ABIS is used for 1:N deduplication. For 1:1 authentication, Biometric SDK is used. MOSIP does not recommend using an ABIS for 1:1 authentication.
MOSIP interacts with ABIS only via message queues. The JSON format is used for all control messages in the queue. MOSIP ABIS middleware sends requests to the inbound queue address and receives responses from the outbound queue address. ABIS must comply with the interface defined in ABIS API Specifications
The interface may be tested using the ABIS testing kit.
ABIS must support the following types of biometric images:
Individual fingerprint images (segmented)
Iris images (left, right)
Face image
Biometrics data in MOSIP is exchanged as per formats defined in Biometric Image Specification.
MOSIP provides kits to test the interface. Refer to the abis-testing-kit repo
ABIS must comply with ABIS API Specifications.
The queues can be configured in the RegistrationProcessorAbis-env.json file. The ABIS system connects to the queues using a pre-defined user ID and password.
It is recommended that ABIS be deployed in the same secure zone (military zone) where the registration processor is deployed.
ABIS system is not recommended to connect to any external network.
Biometric devices capture individuals' biometric data (fingerprint, iris scan, photo) and send it to a registration client or authentication client (app). The functional architecture of the various entities involved is shown below.
Registration
Fingerprint
Slap scanner
SBI 1.0
Registration
Iris
Double eye scanner
SBI 1.0
Registration
Face
Camera
SBI 1.0
Authentication
Fingerprint
Single finger scanner
SBI 2.0
Authentication
Iris
Single eye scanner
SBI 2.0
Authentication
Face
Camera
SBI 2.0
* An adopter may choose to have different subtypes, however, the certification needs to be adhered to.
Compliance of a device may be tested using an Compliance Tool Kit (CTK).
The following calculator may be used to estimate the number of devices required for a rollout.
Providers of biometric devices are Partners of MOSIP and need to be onboarded to a given deployment of MOSIP. Specifically,
The BioSDK diagram illustrates how MOSIP integrates biometric devices for registration and authentication. It shows the flow of biometric data from capture devices through the Secure Biometric Interface (SBI) to the BioSDK, which performs quality checks, deduplication, and operator authentication.
For registration, signed biometrics are sent to the MOSIP backend, where the BioSDK ensures data quality, ABIS handles deduplication, and ID Auth manages 1:1 matching. During authentication, encrypted biometrics are verified via the authentication app. Device management, including registration, deregistration, and key rotation, is handled by the Device Management Server.
Registration Client.
Backend quality check.
Biometric authentication during onboarding (internal auth).
ID Authentications.
The library is used by the Registration Client to perform 1:N match, segmentation, extraction, etc. For more information on integration with Registration Client, refer to the Registration Client Biometric SDK Integration Guide.
A simulation of this library is available as Mock BioSDK. The same is installed in the MOSIP sandbox.
For 1:1 match and quality check of biometrics at the MOSIP backend, the BioSDK must be running as a service that can be accessed by Registration Processor and IDA Internal Services. The service exposes REST APIs specified here.
A simulation (mock) service has been provided. The mock service loads mock BioSDK internally on the startup and exposes the endpoints to perform 1:N match, segmentation, and extraction as per IBioAPI.
The service may be packaged as a docker running inside the MOSIP Kubernetes cluster or running separately on a server. The scalability of this service must be taken care of depending on the load on the system, i.e., the rate of enrolment and ID authentication.
BioSDK library: IBioAPIV2
BioSDK service: TBD.
BioSDK server request/response may be tested using the BioSDK testing kit.
The following properties in application-default.properties needs to be updated to integrate the BioSDK library and service with MOSIP.
Biometric images for various modalities are captured, represented, and exchanged according to the specifications outlined below.
The below table outlines the updates and modifications made to the biometric specifications over time.
Captures and compresses fingerprint images for registration and authentication.
Please refer to ISO 19794-4:2011 Specifications.
Captures high-quality iris images with optional cropping and compression.
Please refer to ISO 19794-6:2011 Specifications.
Captures facial images with lossless or lossy compression for identification.
Please refer to ISO 19794-5:2011 Specifications.
Capture Time across modalities should be less than 4 Seconds (time taken for providing a final capture response to the calling application, when the biometrics are well placed on the sensors)
We recommend that countries look at ergonomics, accessibility, ease of usage, and common availability of devices while choosing devices for use in registration and authentication scenarios.
Note: MOSIP adopters can change this if needed. Please refer to .
Note: MOSIP adopters can change this if needed. Please refer .
Note: MOSIP adopters can change this if needed. Please refer .
The biometric data is wrapped in .
7th May 2021
Removed NFIQ v2.0 from the supported quality score for fingerprint authentication devices.
Image Specification
ISO 19794-4:2011 Annex B1
ISO 19794-4:2011 Annex B2
Minimum Resolution
>= 500 native DPI. Higher densities are preferred.
>= 500 native DPI.
Minimum Active Platen Area or Capture area*
>=1.6 x 1.5 inches for 1 to 2 fingers >=3.2 x 2.0 inches for 4 fingers
>=0.5 x 0.65 inches*
Greyscale Density
8 bits (256 grey levels)
8 bits (256 grey levels)
Image Format
JPEG 2000 Lossless
JPEG 2000 Lossy or WSQ
Compression Ratio
Lossless
Up to 15:1
Quality Score
NFIQ v2.0
NFIQ v1.0
Capture Mode
Auto Capture
Auto Capture
Preview
> 3 FPS M-JPEG frames with NFIQ 2.0 score superimposed
Not Applicable
ESD
>= 8kv
>= 8kv
EMC Compliance
FCC class A or equivalent
FCC class A or equivalent
Operating Temperature*
0 to 50 °C
0 to 50 °C
FTM**
SBI 1.0 - Use host based security (and above)
SBI 2.0 - FTM supported security
Image Specification
ISO 19794-6:2011 Annex B
ISO 19794-6:2011 Annex B
Minimum Iris Diameter
>=210 pixels
>=150 pixels
Grey Scale Density
8 bits (256 grey levels)
8 bits (256 grey levels)
Spatial Resolution
>=60% @ 2Lp/mm
>= 50% @ 1Lp/mm
Pixel Resolution
>10 pixels/mm
>10 pixels/mm
Capture Distance
>=10CM
>=10CM
Imaging Wavelength
Approximately 700-900 nm
Approximately 700-900 nm
Illumination
The eye should be illuminated using infrared or any other source that could produce high-quality gray scale image
The eye should be illuminated using infrared or any other source that could produce high-quality gray scale image
Image Format
IMAGE_TYPE_VGA (K2) OR IMAGE_TYPE_CROPPED (K3)
IMAGE_TYPE_CROPPED_AND_MASKED (K7)
Compression
JPEG 2000 Lossless
JPEG 2000 Lossy
Compression Ratio
Lossless
Up to 15:1 (>= 3.5 KB)
Aspect Ratio
1:1
1:1
Capture Mode
Auto Capture
Auto Capture
Scan Type
Progressive
Progressive
Preview
>= 3 FPS M-JPEG frames with quality score superimposed
Not Applicable
EMC compliance
FCC Class A or equivalent
FCC Class A or equivalent
Operating Temperature*
0 to 50 °C
0 to °50 C
FTM**
SBI 1.0 - Use host-based security (and above)
SBI 2.0 - FTM supported security
Image Specification
ISO/IEC 19794-5:2011
ISO/IEC 19794-5:2011
Camera Specification
1080p with 90 degree FoV or above
720p or above
Skin Tone
All
All
Exception Image Specification
Full Frontal with FACE features, two palms next to the face, waist up photo. 60mm(width) X 40mm(height)
Not Applicable
Image quality
ICAO - Full frontal image, +/- 5 degrees rotation, 24 bit RGB, white background 35 mm(width) X 45mm(height)
ICAO is not mandated
Image format
JPEG 2000 Lossless
JPEG 2000 Lossy
Compression Ratio
Lossless
Up to 15:1
EMC compliance
FCC Class A or equivalent
FCC Class A or equivalent
Operation Temperature*
0 to 50 °C
0 to 50 °C
FTM**
SBI 1.0 - Use host based security (and above)
SBI 2.0 - FTM supported security
As the name suggests, Commons refers to all the common services (also called "kernel") that are used by other modules of MOSIP. The Kernel services are listed below:
Refer API Documentation.
To know more about the developer setups, read:
Standards:
ISO 19785-3
OASIS patron format ISO/IEC JTC 1 SC 37 - biometrics
Patron identifier 257
Patron format identifier 11
OASIS Binary Data Block Format Identifiers for Format Type ISO/IEC JTC 1 SC 37-biometrics
Patron identifier 257
BDB patron format identifier
7 for finger image
2 for finger minutiae
8 for face image
9 for iris image
MOSIP Schema is similar to OASIS Schema, with an optional attribute called others added from the LTS version.
MOSIP's CBEFF Utils can be used to create and validate CBEFF XML data.
Keycloak serves as the administrative access control module in MOSIP, managing authentication and authorization across its microservices. Since MOSIP is built on a microservice architecture, it heavily relies on OAuth 2.0 tokens for access control. These tokens contain embedded role definitions that determine who can access specific microservice APIs ensuring secure and granular access control.
Microservice Security – Each MOSIP microservice validates incoming API requests using OAuth 2.0 tokens issued by Keycloak. If the token lacks the necessary role, access is denied. This mechanism applies universally, even between internal MOSIP modules, ensuring a zero-trust architecture.
Data Access Control – Most sensitive data in MOSIP is encrypted in the database, making APIs the only entry point for accessing information. Keycloak enforces strict authentication and authorization policies, preventing internal attacks and API misuse.
Administrative Oversight – Administrators can monitor and control access permissions centrally via Keycloak, providing visibility into who can access what within the system.
User Repository Management – Keycloak also functions as the internal identity store for critical MOSIP roles, including:
Operators – Handle citizen registration and data collection.
Supervisors – Oversee registration processes and ensure compliance.
Adjudicators – Review and resolve identity conflicts or duplicate registrations.
By enforcing strict access controls and acting as both an identity provider and an authorization enforcer Keycloak helps MOSIP maintain high security, scalability, and compliance while protecting against unauthorized access.
This document defines the APIs specifications for various operations that ABIS can perform to integrate with MOSIP.
API specification version: 0.9
Published Date: February 05, 2021
May 07, 2020
This is the first formal publication of the interface as a version-ed specification. Earlier draft are superseded by this document. The interface is revamped to make it friendlier to programmers and also has a new method for conversion.
June 09, 2020
A note related to targetFPIR was added.
June 26, 2020
August 04, 2020
November 19, 2020
Note on encryption of biometric data share using referenceURL has been added.
February 05, 2021
March 23, 2021
May 3, 2021
The logic for encryption has been updated for ABIS Datashare URL.
September 8, 2021
All possible error codes for DataShare URL has been added.
An ABIS system that integrates with MOSIP should support the following operations.
All ABIS operations are via. a message queue and are asynchronous. The data sent in ABIS can be byte array or text based on a configuration in the registration processor.
Common parameters used for all ABIS operations:
requestID
ID that is associated with each request sent to ABIS
ABIS should not use this ID in any other context outside the request
UUID
referenceID
ID of a single registration record. Registration record is maintained in MOSIP. This ID is the mapping between MOSIP and ABIS
None
UUID
referenceURL
URL to the biometrics data stored in MOSIP. This URL will have read only access
None
HTTPS URL
biometricType
Type of biometric data sent in the request
FID/FIR/IIR
String
returnValue
Code for response
String
failureReason
Code for failure reason
String
1
Success
2
Failed
1
internal error - Unknown
2
aborted
3
unexpected error
4
unable to serve the request - invalid request structure
5
missing referenceId (in request body)
6
missing requestId (in request body)
7
unable to fetch biometric details (using referenceURL)
8
missing reference URL (in request body)
9
missing requesttime (in request body)
10
referenceId already exists (in ABIS)
11
CBEFF has no data
12
referenceId not found (in ABIS)
13
invalid version
14
invalid id
15
invalid requesttime format
16
invalid CBEFF format
17
data share URL has expired
18
Biometric Quality check failed
The following operations are supported by MOSIP:
ABIS must get biometric data from referenceURL, process it and store it locally within the ABIS reference database. More details about the referenceURL is mentioned in our referenceURL section.
referenceId must not be active prior to this operation i.e., it must not have been used before this operation.
De-duplication must not be performed in this operation.
MOSIP will provide biometric data in CBEFF format to ABIS as a response of referenceURL and the data will be encrypted and encoded as mentioned below.
Insert Request
Success Response
Failure Response
The reference URL is MOSIP's datashare URL which is generated based on a policy defined by MOISP's adopter.
The referenceURL is authenticated and authorized; ABIS needs to send a JWT token inside the request header COOKIE.
The referenceURL will be active for a certain time as decided by the MOSIP adopter.
The data sent in the referenceURL will be encrypted.
Authentication Token
As mentioned above in order to access the request URL the ABIS system needs to send a JWT token inside the request header COOKIE. In order to get the token ABIS needs to call MOSIP's AuthN & AuthZ API with Client ID & Secret Key by passing the credentials (clientid, secretkey and appid) which would be provided by the System Integrator (SI).
Below are the sample API details for getting the authentication token. More details about the API are available in our AuthN & AuthZ document.
Sample Request URL
POST https://{base_url}/v1/authmanager/authenticate/clientidsecretkey
Sample Request Body
Sample Response
DataShare URL
Below is the sample API detail for reference URL.
Sample Request URL
GET https://{base_url}/v1/datashare/get/mpolicy-default-abis/mpartner-default-abis/mpartner-default-abismpolicy-default-abis20210205062412BlQo0rJB
Sample Encrypted Response
The structure of the encrypted data downloaded from referenceURL in MOSIP 1.2.0 or later versions
The data downloaded would be URL-safe base64 encoded. Hence, after decoding the data will be in the below format. It will be divided into two Parts after splitting using #KEY_SPLITTER#.
Block 1
#KEY_SPLITTER#
Block 2
Block 1:
Block 1, i.e. the encrypted key data is again split into three parts,
The 1st part is VER_BYTES (version bytes). The Current version constant is set as VER_R2 and this is present in the first 6 bytes of Block 1.
The 2nd part is the Certificate Thumbprint i.e. the key identifier which is present in the next 32 bytes after VER_BYTES.
The 3rd part is the Encrypted Random AES Key, encrypted with the RSA OAEP - SHA256-MFG1. This constitutes the remaining 256 bytes of Block 1.
Block 2:
Block 2, i.e. the encrypted actual data is again split into two parts,
The 1st part is the random 32 bytes which will be used as AAD in AES encryption(first 32 bytes). From this 32 bytes AAD data, the first 12 bytes is IV/Nonce.
The 2nd part is the encrypted data which is encrypted using AES GCM PKCS5Padding.
Note: In Java 11, PKCS5Padding serves as a synonym for NoPadding in GCM mode encryption. Conversely, in Java 17, the synonym PKCS5Padding has been eliminated, and it is now mandatory to exclusively use NoPadding. Consequently, if data is encrypted using PKCS5Padding in Java 11, it will be decrypted with NoPadding in Java 17.
The structure of the encrypted data downloaded from referenceURL in MOSIP 1.1.5.5 or prior versions
The data downloaded would be base64 encoded. Hence, after decoding the data will be in the below format. It will be divided into two Parts after splitting using #KEY_SPLITTER#.
Block 1
#KEY_SPLITTER#
Block 2
Block 1:
Block 1, i.e. the encrypted key data is again split into two parts,
The first part is the Certificate Thumbprint i.e. the key identifier which is the first 32 bytes in Block 1.
The second part is the Encrypted Random AES Key which is encrypted with RSA OAEP - SHA256-MFG1. This constitutes the remaining 256 bytes of Block 1.
Block 2:
Block 2, i.e. the encrypted actual data is again split into two parts,
The 1st part is the Encrypted data, encrypted using AES GCM PKCS5Padding.
The 2nd part is IV/Nonce i.e. the last 32 bytes appended after encrypted data.
Note: In Java 11, PKCS5Padding serves as a synonym for NoPadding in GCM mode encryption. Conversely, in Java 17, the synonym PKCS5Padding has been eliminated, and it is now mandatory to exclusively use NoPadding. Consequently, if data is encrypted using PKCS5Padding in Java 11, it will be decrypted with NoPadding in Java 17.
Sample Response after Decryption
Sample Response in case of Authentication Failure
All Possible Error codes and Messages from Datashare URL
DAT-SER-003
File does not exists or File is empty
DAT-SER-006
Data share not found
DAT-SER-006
Data share usage expired
KER-ATH-401
Authentication Failed
KER-ATH-403
Forbidden
Please note that for all the functional failures MOSIP sends a response code 200.
All Insert requests added to the queue earlier must be serviced by ABIS when performing an Identify request.
Identify request provides a 1:N comparison. The given input is compared either against the gallery passed or if the gallery is not specified the entire database.
The input for comparison can be provided by referenceID or referenceURL.
If the referenceID is given it is used as the preferred option. The given referenceID must be existing in the ABIS database else ABIS will throw an error.
If the referenceID is omitted or NULL and the referenceURL is passed the ABIS retrieves the biometrics provided in the referenceURL and compares the same against either a gallery or its database.
If in case, both referenceID and referenceURL are missing ABIS throws an error.
We are not using the referenceURL in Identify request for our current implementation. Hence, it will be an empty string for Identify request. MOSIP adopters can have customized workflows where the referenceURL can be used.
Identify requests should give to all candidates which are considered as a match based on ABIS thresholds.
This request should not match against referenceID that is not in the reference database.
The response now has a section for analytics that contains key-value pairs. Values can be JSON objects also. The contents of the analytics section will be agreed upon by the MOSIP adopter with the ABIS provider. Scores are also moved to this section and are not mandatory response parameters anymore.
Ordering or ranking of results is not explicitly specified and can be agreed upon between the MOSIP adopter and the ABIS provider.
The flags section of the request can be used to customize or control ABIS behaviour by sending specific key-value pairs.
"targetFPIR" or "maxResults" are examples of such flags that can alter ABIS behaviour. These are optional attributes for MOSIP during an identify request. MOSIP expects the adopters to define these parameters based on the accuracy expectations and workflow requirements. These can be set at the ABIS configuration level and need not be part of the individual request at all.
To give an example, please find the following calculation for targetFPIR - which is the error rate at which identification requests are expected to return a non-empty candidate list.
round (-10 * log10 (target false positive identification rate))
With this calculation:
1 in 1,000
30
1 in 10,000
40
1 in 100,000
50
Removes only the entry referred by the referenceId.
This operation can be used to remove duplicates found by Identify.
A Ping request should respond with a response on the liveness of the ABIS system.
ABIS responds with the count of requests that are still pending.
ABIS will send a count of records in the reference database
Biometric Specification to know about the biometric specification in MOSIP.
CBEFF XML to know how MOSIP stores biometric data.
Authentication and Authorization API to get the JWT token.
MOSIP's de-duplication process for details about the De-Duplication process in MOSIP.
Commons module provides a bedrock to build and run services by providing several significant necessary technical operations. It contains common functionalities which are used by more than one module.
Below is a list of tools required in Commons:
JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
PostgreSQL
Any DB client (like DBeaver, pgAdmin)
Postman (any HTTP Client)
Git
Any Editor (like Vscode, Notepad++ etc optional)
lombok.jar (jar file)
settings.xml (document)
Download lombok.jar and settings.xml.
Unzip Apache Maven and move settings.xml to "conf" folder <apache maven unzip path>\conf.
Install Eclipse, open the lombok.jar file and then click Install/Update.
Check the Eclipse installation folder to see if the lombok.jar is added.
Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.
For the code setup, clone the repository and follow the guidelines mentioned in the Code Contributions.
Open the project folder where pom.xml is present.
Open the command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project.
After building, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successful importing of project, update the project by right-click on Project → Maven → Update Project.
Download Auth adapter and add to project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close.
Clone mosip-config repository.
Refer Commons-DB-deploy to deploy local DB.
For integration with any of our environments, do reach out to our team.
Commons uses two property files, kernel-default and application-default, configure them accordingly. For instance
Update spring.mail.host property to update SMTP host.
Secrets can be encrypted using config server.
Update Url's in property files.(It can be either pointed to any remotely or locally deployed services).
Download kernel-config-server.jar. For windows download config-server-start.bat, linux users can run java -jar -Dspring.profiles.active=native -Dspring.cloud.config.server.native.search-locations=file:{mosip-config-mt_folder_path}/config -Dspring.cloud.config.server.accept-empty=true -Dspring.cloud.config.server.git.force-pull=false -Dspring.cloud.config.server.git.cloneOnStart=false -Dspring.cloud.config.server.git.refreshRate=0 {jarName} .
Run the server by opening the config-server-start.bat file.
To verify the config-server, hit the below URL http://localhost:51000/config/{spring.profiles.active}/{spring.cloud.config.name}/{spring.cloud.config.label} for instance http://localhost:51000/config/kernel/env/master.
Commons repo consists of two types of project- REST services and libraries.
Every REST service consist of bootstrap.properties file in src/main/resources.
Below properties needed to be modified in order to connect to the config server:
Services can be run using Run As -> Spring Boot App/Java Application.
Libraries are not meant to be run alone they are projects used by commons as well as other modules of mosip to perform commons operations.
For API documentation, refer here.
The API's can be tried with the help of Swagger-UI and Postman.
Swagger-UI of services can be accessed from (https/http)://(<domain>/<host>:<port>)/<context-path>/swagger-ui/index.html?configUrl=<contect-path>/v3/api-docs/swagger-config for instance https://dev.mosip.net/v1/authmanager/swagger-ui/index.html?configUrl=/v1/authmanager/v3/api-docs/swagger-config.
Context-path of services is present in bootstrap.properties file in src/main/resources of every service.
The API's can be tried using Postman. URLs and Body structures can be found in Swagger or curl command can be copied and imported in Postman.
Audit Manager module provides audit-related functionalities.
Below is a list of tools required for auditing:
JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
PostgreSQL
Any DB client (like DBeaver, pgAdmin)
Postman (any HTTP Client)
Git
Any Editor (like Vscode, Notepad++ etc optional)
lombok.jar (jar file)
settings.xml (document)
1. Download lombok.jar and settings.xml.
2. Unzip Apache Maven and move settings.xml to the "conf" folder <apache maven unzip path>\conf.
4. Check the Eclipse installation folder to see if the lombok.jar is added.
5. Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.
For the code setup, clone the repository and follow the guidelines mentioned in the Code Contributions.
Open the project folder where pom.xml is present.
Open the command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project.
After building, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successfully importing of project, update the project by right-clicking on Project → Maven → Update Project.
1. Download Auth adapter and add to project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close.
2. Clone mosip-config repository.
3. Refer Audit-DB-deploy to deploy local DB.
4. The audit uses two property files, kernel-default and application-default. Please configure them as needed. For instance,
Update the mosip.kernel.auditmanager-service-logs-location property to update the location of log files.
Secrets can be encrypted using config server.
Update URL's in property files.(It can be either pointed to any remotely or locally deployed services)
5. Download kernel-config-server.jar. For Windows, download config-server-start.bat, linux users can run
java -jar -Dspring.profiles.active=native -Dspring.cloud.config.server.native.search-locations=file:{mosip-config-mt_folder_path}/config -Dspring.cloud.config.server.accept-empty=true -Dspring.cloud.config.server.git.force-pull=false -Dspring.cloud.config.server.git.cloneOnStart=false -Dspring.cloud.config.server.git.refreshRate=0 {jarName} .
6. Run the server by opening the config-server-start.bat file.
7. To verify the config-server, hit the below URL:
http://localhost:51000/config/{spring.profiles.active}/{spring.cloud.config.name}/{spring.cloud.config.label} for instance http://localhost:51000/config/kernel/env/master.
Audit REST service consist of bootstrap.properties file in src/main/resources.
Below properties needed to be modified in order to connect to the config server:
Services can be run using Run As -> Spring Boot App/Java Application.
For API documentation, refer here.
The API's can be tried with the help of Swagger-UI and Postman.
Swagger-UI of service can be accessed from (https/http)://(<domain>/<host>:<port>)/<context-path>/swagger-ui/index.html?configUrl=<contect-path>/v3/api-docs/swagger-config for instance https://dev2.mosip.net/v1/auditmanager/swagger-ui/index.html?configUrl=/v1/auditmanager/v3/api-docs/swagger-config.
The API's can be tried using postman by copying CURL command below, updating host and importing in Postman.
OpenID-Bridge module provides AutnN and AuthZ related funtionalities.
Below is a list of tools required in OpenID Bridge:
JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
PostgreSQL
Any DB client (like DBeaver, pgAdmin)
Postman (any HTTP Client)
Git
Any Editor (like Vscode, Notepad++ etc optional)
lombok.jar (jar file)
settings.xml (document)
Download lombok.jar and settings.xml.
Unzip Apache Maven and move settings.xml to "conf" folder <apache maven unzip path>\conf.
Install Eclipse, open the lombok.jar file and then click Install/Update.
Check the Eclipse installation folder to see if the lombok.jar is added.
Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.
For the code setup, clone the repository and follow the guidelines mentioned in the Code Contributions.
Open the project folder where pom.xml is present.
Open the command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project .
After building, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successful importing of project, update the project by right-click on Project → Maven → Update Project.
1. Clone mosip-config repository.
2. OpenID Bridge uses two property files, kernel-default and application-default, configure them accordingly. For instance,
OpenID bridge connects to an IAM which supports Openid and Oauth. For integration with our keycloak, Please reach out to our team.
Update mosip.iam.open-id-url property to update iam url.
Secrets can be encrypted using config server
Update Url's in property files.(It can be either pointed to any remotely or locally deployed services)
3. Download kernel-config-server.jar. For Windows, download config-server-start.bat, Linux users can run
java -jar -Dspring.profiles.active=native -Dspring.cloud.config.server.native.search-locations=file:{mosip-config-mt_folder_path}/config -Dspring.cloud.config.server.accept-empty=true -Dspring.cloud.config.server.git.force-pull=false -Dspring.cloud.config.server.git.cloneOnStart=false -Dspring.cloud.config.server.git.refreshRate=0 {jarName} .
5. To verify the config-server, hit the below URL: http://localhost:51000/config/{spring.profiles.active}/{spring.cloud.config.name}/{spring.cloud.config.label} for instance http://localhost:51000/config/kernel/env/master
Audit REST service consists of bootstrap.properties file in src/main/resources.
Below properties needed to be modified in order to connect to the config server:
Services can be run using Run As -> Spring Boot App/Java Application.
For API documentation, refer here.
The API's can be tried with the help of Swagger-UI and Postman.
Swagger-UI service can be accessed from (https/http)://(<domain>/<host>:<port>)/<context-path>/swagger-ui/index.html?configUrl=<contect-path>/v3/api-docs/swagger-config for instance https://dev2.mosip.net/v1/auditmanager/swagger-ui/index.html?configUrl=/v1/auditmanager/v3/api-docs/swagger-config.
The API's can be tried using postman. URLs and Body structures can be found in Swagger or curl command can be copied and imported in Postman.
The objective of this specification document is to establish the technical and compliance standards/ protocols that are necessary for a biometric device to be used in MOSIP solutions.
This is a biometric device specification document and aims to help the biometric device manufacturers, their developers, and their designers in building MOSIP-compliant devices. It is assumed that the readers are familiar with MOSIP registration and authentication services.
All devices that collect biometric data for MOSIP should operate within the specification of this document.
0.9.2
Frozen
Aug-2019
0.9.3
Frozen
Feb-2020
0.9.5
Draft
13-Jun-2020
0.9.5
Draft
10-Aug-2020
Signature for API to retrieve encryption certificate has been changed from GET to POST and Device Stream now supports an optional parameter - timeout
0.9.5
Draft
04-Dec-2020
In the header of JWT Signature, the key to store the type has been changed to "typ" from "type" as per JWT standards. Kindly view the digital id specification for the change.
0.9.5
Draft
26-Feb-2021
0.9.5
Draft
24-Mar-2021
0.9.5
Draft
07-Apr-2021
Device De registration API spec was updated.
0.9.5
Draft
08-Apr-2021
We will be following datetime values in ISO 8601 with format yyyy-mm-ddTHH:MM:ssZ. The same has been updated throughout the document.
0.9.5
Draft
24-May-2021
Clarification on hash and previousHash definition has been provided
0.9.5
Draft
04-Apr-2022
Register and De-register of devices have been removed from MOSIP. Device validation in MOSIP will be done via cryptography. Here onwards, registering a device will mean a device obtaining a certificate from the management server.
0.9.5
Draft
27-Jul-2022
0.9.5
Draft
24-Oct-2023
Added error code for devices in busy or not ready state. Also added validation for transactionID in request parameters.
Device Provider - An entity that manufactures or imports the devices in their name. This entity should have legal rights to obtain an organization-level digital certificate from the respective authority in the country.
FTM Provider - An entity that manufactures or guarantees the trustworthiness of the foundational trust module. This can be the device provider as well.
Device - A hardware capable of capturing biometric information.
L1 Certified Device / L1 Device - A device certified as capable of performing encryption in line with this spec in its trusted zone.
L0 Certified Device / L0 Device - A device certified as one where the encryption is done on the host machine device driver or the MOSIP device service.
FTM Provider Certificate - A digital certificate issued to the "Foundational Trust Provider". This certificate proves that the provider has successfully gone through the required Foundational Trust Provider evaluation. The entity is expected to keep this certificate in secure possession in an HSM. All the individual FTM trust certificates are issued using this certificate as the root. This certificate would be issued by the countries in conjunction with MOSIP.
Device Provider Certificate - A digital certificate issued to the "Device Provider". This certificate proves that the provider has been certified for L0/L1 respective compliance. The entity is expected to keep this certificate in secure possession in an HSM. All the individual trust certificates are issued using this certificate as the root. This certificate is issued by the countries in conjunction with MOSIP.
Registration - The process of applying for a Foundational Id.
KYC - Know Your Customer. The process of providing consent to perform profile verification and update.
Auth - The process of verifying one’s identity.
FPS - Frames Per Second
Management Server - A server run by the device provider to manage the life cycle of the biometric devices.
Device Registration - The process of a device obtaining a certificate from the management server.
Signature - All signatures should be as per RFC 7515.
header in signature - The header in the signature means the attribute with "alg" set to RS256 and x5c set to base64encoded certificate.
payload is the byte array of the actual data, always represented as base64urlencoded.
signature - base64urlencoded signature bytes
ISO format timestamp | ISO 8601 with the format yyyy-mm-ddTHH:MM:ssZ (Example: 2020-12-08T09:39:37Z). This value should be in UTC (Coordinated Universal Time).
The MOSIP device specification provides compliance guidelines devices for that to work with MOSIP. The compliance is based on device capability, trust and communication protocols. A MOSIP-compliant device would follow the standards established in this document. It is expected that the devices are compliant with this specification and tested and validated. The details of each of these are outlined in the subsequent sections.
The MOSIP-compliant device is expected to perform the following,
Should have the ability to collect one or more biometric
Should have the ability to sign the captured biometric image or template.
Should have the ability to protect secret keys
Should have no mechanism to inject the biometric
For details about biometric data specifications please view the page MOSIP Biometric Specification.
We recommend that countries look at ergonomics, accessibility, ease of usage, and common availability of devices while choosing devices for use in registration and authentication scenarios.
MOSIP-compliant devices provide a trusted environment for the devices to be used in registration, KYC and AUTH scenarios. The trust level is established based on the device support for trusted execution.
L1 - The trust is provided by a secure chip with a secure execution environment.
L0 - The trust is provided at the software level. No hardware-related trust exists. This type of compliance is used in controlled environments.
The foundational trust module would be created using a secure microprocessor capable of performing all required biometric processing and secure storage of keys. The foundational device trust would satisfy the below requirements.
The module can securely generate, store and process cryptographic keys.
Generation of asymmetric keys and symmetric keys with TRNG.
The module can protect keys from extraction.
The module has to protect the keys from physical tampering, temperature, frequency and voltage-related attacks.
The module could withstand Hardware cloning.
The module could withstand probing attacks
The module provides memory segregation for cryptographic operations and protection against buffer overflow attacks
The module provides the ability to withstand cryptographic side-channel attacks like Differential Power analysis attacks, Timing attacks.
CAVP validated the implementation of the cryptographic algorithm.
The module can perform a cryptographically validatable secure boot.
The module can run trusted applications.
The foundational device trust derived from this module is used to enable trust-based computing for biometric capture. The foundational device trust module provides a trusted execution environment based on the following:
Secure Boot
Ability to cryptographically verify code before execution.
Ability to check for integrity violations of the module/device.
Halt upon failure.
Ability to securely upgrade and perform forward-only upgrades, to thwart downgrade attacks.
SHA256 hash equivalent or above should be used for all hashing requirements
All root of trust is provisioned upon first boot or before.
All upgrades would be considered a success only after the successful boot with proper hash and signature verification.
The boot should fail upon hash/signature failures and would never operate in an intermediary state.
A maximum of 10 failed attempts should lock the upgrade process and brick the device. However, chip manufacturers can decide to be less than 10.
Secure application
Ability to run applications that are trusted.
Protect against the downgrading of applications.
Isolated memory to support cryptographic operations.
All trust is anchored during the first boot and not modifiable.
Certification
The FTM should have at least one of the following certifications in each category to meet the given requirement.
Category: Cryptographic Algorithm Implementation
CAVP (RSA, AES, SHA256, TRNG (DRBGVS), ECC)
{% hint style="info" %} The supported algorithm and curves are listed here {% endhint %}
Category: FTM Chip
(ONE of the following certifications)
FIPS 140-2 L3 or above
PCI PTS 5 or above (Pre-certified)
PCI - PED 2.0 or above (Pre-Certified)
One of the following Common Criteria (CC) certification
System/Device Level Tamper (optional)
System/Device Level Tamper Responsiveness is recommended (not mandatory). In this case, FTM should be capable of showcasing Tamper Responsiveness (keys must be erased) against a tamper at the system/device level.
Threats to Protect
The FTM should protect against the following threats.
Hardware cloning attacks - Ability to protect against attacks that could result in a duplicate with keys.
Hardware Tamper attacks
Physical tamper - No way to physically tamper and obtain its secrets.
Voltage & frequency related attacks - Should shield against voltage leaks and should prevent low voltage. The FTM should always be in either the state operational normally or inoperable. The FTM should never be operable when its input voltages are not met.
Temperature attacks on the crypto block - Low or High the FTM are expected to operate or reach an inoperable state. No state in between.
Differential Power Analysis attack.
Probing attacks - FTM should protect its surface area against any probe-related attacks.
Segregation of memory for execution of cryptographic operation (crypto block should be protected from buffer overflow type attacks).
Vulnerability of the cryptographic algorithm implementation.
Attacks against secure boot & secure upgrade.
TEE/Secure processor OS attack (if applicable).
Foundational Trust Module Identity
Upon FTM provider approval by the MOSIP adopters, the FTM provider would submit a self-signed public certificate to the adopter. Let us call this the FTM root. The adopter would use this certificate to seed their device's trust database. The FTM root and their key pairs should be generated and stored in FIPS 140-2 Level 3 or more compliant devices with no possible mechanism to extract the keys. The foundational module upon its first boot is expected to generate a random asymmetric key pair and provide the public part of the key to obtain a valid certificate. The FTM provider would validate to ensure that the chip is unique and would issue a certificate with the issuer set to an FTM certificate chain. The entire certificate issuance would be in a secured provisioning facility. Auditable upon notice by the adopters or its approved auditors. The certificate issued to the module will have a defined validity period as per the MOSIP certificate policy document defined by the MOSIP adopters. This certificate and private key within the FTM chip is expected to be in its permanent memory.
{% hint style="info" %} The validity of the chip certificate can not exceed 20 years from the date of manufacturing. {% endhint %}
MOSIP devices are most often used to collect biometrics. The devices are expected to follow the specification for all levels of compliance and their usage. The MOSIP devices fall under the category of Trust Level 3 (TL3) as defined in MOSIP architecture. At TL3 device is expected to be whitelisted with a fully capable PKI and secure storage of keys at the hardware.
L0 - A device can obtain L0 certification when it uses a software-level cryptographic library with no secure boot or FTM. These devices will follow different device identities and the same would be mentioned as part of exception flows.
L1 - A device can obtain L1 certification when it is built in a secure facility with one of the certified FTM.
Device Identity
All devices that connect to MOSIP must be identifiable. MOSIP believes in cryptographic Identity as its basis for trust.
Physical ID
An identification mark that shows MOSIP compliance and a readable unique device serial number (minimum of 12 alphanumeric characters) make and model. The same information has to be available over a 2D QR Code or Barcode. This is to help field support and validation.
Digital ID
A digital device ID in MOSIP would be a signed JSON (RFC 7515) as follows:
Signed with the JSON Web Signature (RFC 7515) using the "Foundational Trust Module" Identity key, this data is the fundamental identity of the device. Every MOSIP-compliant device will need the foundational trust module.
The only exception to this rule is for the L0-compliant devices that have the purpose of "Registration". L0 devices would sign the Digital Id with the device key.
A signed digital ID would look as follows:
The header in the digital id would have:
MOSIP assumes that the first certificate in the x5c is the FTM's chip public certificate issued by the FTM root certificate.
An unsigned digital ID would look as follows:
Payload is the Digital ID JSON object.
{% hint style="info" %} For an L0 unregistered device, the digital id will be unsigned. In all other scenarios, except for a discovery call, the digital ID will be signed either by the chip key (L1) or the device key (L0). {% endhint %}
Accepted Values for Digital ID
serialNo
Serial number of the device.
make
Brand name.
model
Model of the device.
type
Currently allowed values for device type are "Finger", "Iris" or "Face".
More types can be added based on Adopter's implementation.
deviceSubType
The device subtype is based on the device type.
For Finger - "Slap", "Single" or "Touchless"
For Iris - "Single" or "Double"
For Face - "Full face"
deviceProvider
Name of the device provider.
The device provider should be a legal entity in the country.
dateTime
The current time during the issuance of the request.
This is in ISO format.
List of keys used in the device and their explanation.
Device Key
Each biometric device would contain an authorized private key after the device registration. This key is rotated frequently based on the requirement of the respective adopter of MOSIP. By default, MOSIP recommends a 30-day key rotation policy for the device key. The device keys are created by the device providers inside the FTM during a successful registration. The device keys are used for signing the biometric. More details of the signing and its usage will be here. This key is issued by the device provider and the certificate of the device key is issued by the device provider key which in turn is issued by the MOSIP adopter after approval of the device provider's specific model.
FTM Key
The FTM key is the root of the identity. This key is created by the FTM provider during the manufacturing/provisioning stage. This is a permanent key and would never be rotated. This key is used to sign the Digital ID.
MOSIP Key
The MOSIP key is the public key provided by the MOSIP adopter. This key is used to encrypt the biometric. Details of the encryption are listed below. We recommend rotating this key every 1 year.
The section explains the necessary details of the biometric device connectivity, accessibility, discover-ability and protocols used to build and communicate with the device.
The device should implement only the following set of APIs. All the APIs are independent of the physical layer and the operating system, with the invocation being different across operating systems. While the operating system names are defined in this spec a similar technology can be used for unspecified operating systems. It is expected that the device service ensures that the device is connected locally to the host.
Device discovery would be used to identify MOSIP-compliant devices in a system by the applications. The protocol is designed as a simple plug-and-play with all the necessary abstractions to the specifics.
Device Discovery Request
Accepted Values for Device Discovery Request
type - "Biometric Device", "Finger", "Face", "Iris"
{% hint style="info" %} "Biometric Device" - is a special type and is used in case you are looking for any biometric device. {% endhint %}
Device Discovery Response
Accepted Values for Device Discovery Response
deviceStatus
Allowed values are "Ready", "Busy", "Not Ready" or "Not Registered".
certification
Allowed values are "L0" or "L1" based on the level of certification.
serviceVersion
Device service version.
deviceId
Internal ID to identify the actual biometric device within the device service.
deviceSubId
Allowed values are 1, 2 or 3.
The device sub-id could be used to enable a specific module in the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index which always starts with 1 and increases sequentially for each sub-device present.
In the case of Finger/Iris, it's 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).
callbackId
This differs as per the OS.
In the case of Linux and windows operating systems, it is an HTTP URL.
In the case of android, it is the intent name.
In IOS, it is the URL scheme.
The call-back URL takes precedence over future requests as a base URL.
digitalId
Digital ID as per the Digital ID definition but it will not be signed.
deviceCode
Same as serialNo in digital ID.
specVersion
An array of supported MDS specification versions. The array element zero will always contain the spec version using which the response is created.
purpose
Purpose of the device in the MOSIP ecosystem. Allowed values are "Auth" or "Registration".
error
error.errorCode
error.errorInfo
Description of the error that can be displayed to the end user. Multi-lingual support.
{% hint style="info" %}
The response is an array that we could have a single device enumerating with multiple biometric options.
The service should ensure to respond only if the type parameter matches the type of device or the type parameter is a "Biometric Device".
This response is a direct JSON as shown in the response. {% endhint %}
Windows/Linux
All the device API will be based on the HTTP specification. The device always binds to any of the available ports ranging from 4501 - 4600. The IP address used for binding has to be 127.0.0.1 and not localhost.
The applications that require access to MOSIP devices could discover them by sending the HTTP request to the supported port range. We will call this port the device_service_port in the rest of the document.
HTTP Request:
HTTP Response:
{% hint style="info" %}
The payloads are JSON in both cases and are part of the body.
CallbackId would be set to the http://127.0.0.1:<device_service_port>/. So, the caller will use the respective HTTP verb/method and the URL to call the service. {% endhint %}
Android
For details on android specifications please view the section - Android SBI Specification.
The device information API would be used to identify the MOSIP-compliant devices and their status by the applications.
Device Info Request
NA
Accepted Values for Device Info Request
NA
Device Info Response
So the API would respond in the following format.
Allowed values for Device Info Response
deviceInfo
The deviceInfo object is sent as JSON Web Token (JWT).
For a device which is not registered, the deviceInfo will be unsigned.
For a device which is registered, the deviceInfo will be signed using the device key.
deviceInfo.deviceStatus
This is the status of the device.
Allowed values are "Ready", "Busy", "Not Ready" or "Not Registered".
deviceInfo.deviceId
Internal Id to identify the actual biometric device within the device service.
deviceInfo.firmware
The exact version of the firmware.
In the case of L0, this is the same as serviceVersion.
deviceInfo.certification
Allowed values are "L0" or "L1" based on the level of certification.
deviceInfo.serviceVersion
The version of the MDS specification that is supported.
deviceInfo.deviceId
Internal ID to identify the actual biometric device within the device service.
deviceSubId
Allowed values are 1, 2 or 3.
The device sub-id could be used to enable a specific module in the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index which always starts with 1 and increases sequentially for each sub-device present.
In the case of Finger/Iris, it's 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).
deviceInfo.callbackId
This differs as per the OS.
In the case of Linux and windows operating systems, it is an HTTP URL.
In the case of android, it is the intent name.
In IOS, it is the URL scheme.
The call-back URL takes precedence over future requests as a base URL.
deviceInfo.digitalId
The digital id is as per the digital id definition.
For L0 devices which is not registered, the digital id will be unsigned.
For L0 devices which are registered, the digital id will be signed using the device key.
For L1 devices, the digital id will be signed using the FTM key.
deviceInfo.env
The target environment.
For devices that are not registered the environment is "None".
For a device that is registered, then send the environment in which it is registered.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".
deviceInfo.purpose
The purpose of the device in the MOSIP ecosystem.
For devices that are not registered the purpose is empty.
Allowed values are "Auth" or "Registration".
deviceInfo.specVersion
An array of supported MDS specification versions. The array element Zero will always contain the spec version using which the response is created.
error
error.errorCode
error.errorInfo
Description of the error that can be displayed to the end user. Multi-lingual support.
{% hint style="info" %}
The response is an array that we could have a single device enumerating with multiple biometric options.
The service should ensure to respond only if the type parameter matches the type of device or the type parameter is a "Biometric Device". {% endhint %}
Windows/Linux
The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range. The device always binds to any of the available ports ranging from 4501 - 4600. The IP address used for binding has to be 127.0.0.1 and not localhost.
HTTP Request:
HTTP Response:
{% hint style="info" %} The payloads are JSON in both cases and are part of the body. {% endhint %}
Android
For details on android specifications please view the section - Android SBI Specification.
The capture request would be used to capture a biometric from MOSIP-compliant devices by the applications. The captured call will respond with success to only one call at a time. So, in case of a parallel call, the device info details are sent with the status "Busy".
Capture Request
{% hint style="info" %} The count value should be driven by the count of the bioSubType for Iris and Finger. For Face, there will be no bioSubType but the count should be "1". {% endhint %}
Allowed Values for Capture Request
env
The target environment.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".
purpose
The purpose of the device in the MOSIP ecosystem.
For devices that are not registered the purpose is empty.
Allowed values are "Auth" or "Registration".
specVersion
Expected version of MDS specification.
timeout
Max time the app will wait for the capture.
It's expected that the API will respond back before the timeout with the best frame.
All timeouts are in milliseconds.
captureTime
Time of capture in ISO format.
The time is as per the requested application.
domainUri
URI of the authentication server.
This can be used to federate across multiple providers or countries or unions.
transactionId
Unique Id of the transaction.
This is an internal Id to the application that's requesting a capture.
Different IDs should be used for every request.
The transactionId can have minimum lenght as 4 and max length as 50.
Allowed characters in transactionId are alphabets, numbers and hyphens (-).
bio.type
Allowed values are "Finger", "Iris" or "Face".
bio.count
The number of biometric data that is collected for a given type.
The device should validate and ensure that this number is in line with the type of biometric that's captured.
bio.bioSubType
For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb", "UNKNOWN"]
For Iris: ["Left", "Right", "UNKNOWN"]
For Face: No bioSubType
bio.requestedScore
Upon reaching the quality score the biometric device is expected to auto-capture the image. If the requested score is not met, until the timeout, the best frame during the capture sequence must be captured/returned. This value will be scaled from 0 - 100 for NFIQ v1.0. The logic for scaling is mentioned below.
bio.deviceId
Internal Id to identify the actual biometric device within the device service.
bio.deviceSubId
Allowed values are 1, 2 or 3.
The device sub-id could be used to enable a specific model of the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index that always starts with 1 and increases sequentially for each sub-device present.
In the case of Finger/Iris, it's 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).
bio.previousHash
For the first capture, the previousHash is the SHA256 hash of an empty UTF-8 string. From the second capture the previous capture's "hash" is used as input. This is used to chain all the captures across modalities so all captures have happened for the same transaction and during the same time.
customOpts
In case, the device vendor wants to send additional parameters they can use this to send key-value pairs if necessary.
The values cannot be hard coded and have to be configured by the app's server and should be modifiable upon need by the applications.
Vendors are free to include additional parameters and fine-tune the process.
None of these values should go undocumented by the vendor.
No sensitive data should be available in the customOpts.
NFIQ v1.0 on a scale of 0-100 (quality score).
81 - 100
1
61 - 80
2
41 - 60
3
21 - 40
4
0 - 20
5
Capture Response
Accepted Values for Capture Response
specVersion
The version of the MDS specification using which the response was generated.
data
The data object is sent as JSON Web Token (JWT).
The data block will be signed using the device key.
data.digitalId
The digital id is as per the digital id definition in JWT format.
For L0 devices, the digital id will be signed using the device key.
For L1 devices, the digital id will be signed using the FTM key.
data.deviceCode
Same as serialNo in digital ID.
data.deviceServiceVersion
MDS version
data.bioType
Allowed values are "Finger", "Iris" or "Face".
data.bioSubType
For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb", "UNKNOWN"]
For Iris: ["Left", "Right", "UNKNOWN"]
For Face: No bioSubType
data.purpose
The purpose of the device in the MOSIP ecosystem.
Allowed values are "Auth".
data.env
The target environment.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".
data.domainUri
URI of the authentication server.
This can be used to federate across multiple providers or countries or unions.
data.bioValue
Biometric data is encrypted with a random symmetric (AES GCM) key and base-64-URL encoded. For symmetric key encryption of bioValue, (biometrics.data.timestamp XOR transactoinId) is computed and the last 16 bytes and the last 12 bytes of the results are set as the aad and the IV(salt) respectively. Look at the Authentication document to understand more about encryption.
data.transactionId
Same transactionId shared in the request should be used.
data.timestamp
Time as per the biometric device.
Note: The biometric device is expected to sync its time from the management server at regular intervals so accurate time could be maintained on the device.
data.requestedScore
Floating point number to represent the minimum required score for the capture. This value will be scaled from 0 - 100 for NFIQ v1.0. The logic for scaling is mentioned above.
data.qualityScore
The floating point number represents the score for the current capture. This value will be scaled from 0 - 100 for NFIQ v1.0. The logic for scaling is mentioned above.
hash
sha256 in hex format in upper case (previous "hash" + sha256 hash of the current biometric ISO data before encryption)
sessionKey
The session key (used for the encryption of the biodata (ISO)) is encrypted using the MOSIP public certificate with RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING algorithm and then encode the encrypted session key with base64 URL safe encoding.
thumbprint
SHA256 representation of the certificate (HEX encoded) that was used for encryption of the session key. All texts are to be treated as uppercase without any spaces or hyphens.
error
error.errorCode
error.errorInfo
Description of the error that can be displayed to the end-user. Multi-lingual support.
The entire data object is sent in JWT format. So, the data object will look like this:
Windows/Linux
The applications that require capturing biometric data from a MOSIP device could do so by sending the HTTP request to the supported port range.
HTTP Request:
HTTP Response:
{% hint style="info" %} The payloads are JSON in both cases and are part of the body. {% endhint %}
Android
For details on android specifications please view the section - Android SBI Specification.
The device would open a stream channel to send live video streams. This would help when there is an assisted operation to collect biometrics. Please note the stream APIs are available only for the registration environment.
Used only for registration module-compatible devices. This API is visible only for the devices that are registered for the purpose of "Registration".
Device Stream Request
Allowed Values for device Stream Request
deviceId
Internal Id to identify the actual biometric device within the device service.
deviceSubId
Allowed values are 1, 2 or 3.
The device sub-id could be used to enable a specific module in the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index which always starts with 1 and increases sequentially for each sub-device present.
In the case of Finger/Iris, it's 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).
timeout
Max time after which the stream should close.
This is an optional parameter and by default, the value will be 5 minutes.
All timeouts are in milliseconds.
Device Stream Response
Live Video stream with a quality of 3 frames per second or more using M-JPEG.
{% hint style="info" %} The preview should have quality markings and segment markings. The preview would also be used to display an error message on the user screen. All error messages should be localized. {% endhint %}
Error Response for Device Stream
Windows/Linux
The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range.
HTTP Request:
HTTP Response: HTTP Chunk of frames to be displayed. Minimum frames 3 per second.
Android
For details on android specifications please view the section - Android SBI Specification.
The registration client application will discover the device. Once the device is discovered the status of the device is obtained with the device info API. During the registration, the registration client sends the RCAPTURE API and the response will provide the actual biometric data in a digitally signed non-encrypted form. When the Device Registration Capture API is called the frames should not be added to the stream. The device is expected to send the images in ISO format.
The requestedScore is on a scale of 1-100 (NFIQ v2.0 for fingerprints). So, in cases where you have four fingers the average of all will be considered for the capture threshold. The device would always send the best frame during the capture time even if the requested score is not met.
The API is used by devices that are compatible with the registration module. This API should not be supported by devices that are compatible with authentication.
Registration Capture Request
{% hint style="info" %} To capture the exception photo exception value for Iris or Finger should be sent in bio.exception for bio.type = 'Face'. ICAO checks are not mandatory here but one face must be present within the frame. {% endhint %}
Accepted Values for Registration Capture Request
env
The target environment.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".
purpose
The purpose of the device in the MOSIP ecosystem.
For devices that are not registered the purpose is empty.
Allowed values are "Auth" or "Registration".
specVersion
Expected version of MDS specification.
timeout
Max time the app will wait for the capture.
Its expected that the API will respond back before timeout with the best frame.
All timeouts are in milliseconds.
captureTime
Time of capture in ISO format.
The time is as per the requesting application.
transactionId
Unique Id of the transaction.
This is an internal Id to the application that's requesting a capture.
Different IDs should be used for every request.
The transactionId can have minimum lenght as 4 and max length as 50.
Allowed characters in transactionId are alphabets, numbers and hyphens (-).
bio.type
Allowed values are "Finger", "Iris" or "Face".
bio.count
Number of biometric data that is collected for a given type.
The device should validate and ensure that this number is in line with the type of biometric that's captured.
bio.bioSubType
Array of bioSubType for respective biometric type.
For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb", "UNKNOWN"]
For Iris: ["Left", "Right", "UNKNOWN"]
For Face: No bioSubType
This is an optional parameter.
bio.exception
This is an array and all the exceptions are marked.
In case exceptions are sent for face then follow the exception photo specification above.
For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb"]
For Iris: ["Left", "Right"]
bio.requestedScore
Upon reaching the quality score the biometric device is expected to auto capture the image.
bio.deviceId
Internal Id to identify the actual biometric device within the device service.
bio.deviceSubId
Allowed values are 1, 2 or 3.
The device sub id could be used to enable a specific module in the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index that always starts with 1 and increases sequentially for each sub-device present.
In case of Finger/Iris its 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).
bio.previousHash
For the first capture the previousHash is the SHA256 hash of an empty UTF-8 string. From the second capture the previous capture's "hash" is used as input. This is used to chain all the captures across modalities so all captures have happened for the same transaction and during the same time.
customOpts
In case, the device vendor wants to send additional parameters they can use this to send key value pair if necessary.
The values cannot be hard coded and have to be configured by the apps server and should be modifiable upon need by the applications.
Vendors are free to include additional parameters and fine-tuning the process.
None of these values should go undocumented by the vendor.
No sensitive data should be available in the customOpts.
Registration Capture Response
Allowed Values for Registration Capture Response
specVersion
Version of the MDS specification using which the response was generated.
data
The data object is sent as JSON Web Token (JWT).
The data block will be signed using the device key.
data.bioType
Allowed values are "Finger", "Iris" or "Face".
data.digitalId
The digital id as per the digital id definition in JWT format.
For L0 devices, the digital id will be signed using the device key.
For L1 devices, the digital id will be signed using the FTM key.
data.bioSubType
For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb", "UNKNOWN"]
For Iris: ["Left", "Right", "UNKNOWN"]
For Face: No bioSubType
data.deviceServiceVersion
MDS Version
data.env
The target environment.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".
data.purpose
The purpose of the device in the MOSIP ecosystem.
Allowed values are "Auth" or "Registration".
data.bioValue
Base64-URL-encoded biometrics (in ISO format)
data.transactionId
Same transactionId shared in the request should be used.
data.timestamp
Time as per the biometric device.
Note: The biometric device is expected to sync its time from the management server at regular intervals so accurate time could be maintained on the device.
data.requestedScore
Floating point number to represent the minimum required score for the capture.
data.qualityScore
Floating point number representing the score for the current capture.
hash
sha256 in hex format in upper case (previous "hash" + sha256 hash of the current biometric ISO data).
error
error.errorCode
error.errorInfo
Description of the error that can be displayed to end user. Multi lingual support.
Windows/Linux
The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range.
HTTP Request:
HTTP Response: HTTP response.
Android
For details on android specifications please view the section - Android SBI Specification.
The MOSIP server would provide the following retrieve encryption certificate API which is white-listed to the management servers of the device provider or their partners.
POST https://{base_url}/v1/masterdata/device/encryptioncertficates
Version: v1
The request is sent in a JWT format. So the final request will look like this:
The entire response is sent in a JWT format. So the final response will look like this:
The management server has the following objectives.
Validate the devices to ensure they genuine devices from the respective device provider. This can be achieved using the device info and the certificates for the Foundational Trust Module.
Register the genuine device with the MOSIP device server.
Manage/Sync time between the end device and the server. The time to be synced should be the only trusted time accepted by the device.
Ability to issue commands to the end device for
De-registration of the device (Device Keys)
Collect device information to maintain, manage, support and upgrade a device remotely.
A central repository of all the approved devices from the device provider.
Safe storage of keys using HSM FIPS 140-2 Level 3. These keys are used to issue the device certificate upon registration. The Management Server is created and hosted by the device provider outside of MOSIP software. The communication protocols between the MDS and the Management Server can be decided by the respective device provider. Such communication should be restricted to the above-specified interactions only. No transactional information should be sent to this server.
Should have the ability to push updates from the server to the client devices.
{% hint style="info" %} As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time. {% endhint %}
The management client is the interface that connects the device with the respective management server. The communication between the management server and its clients must be designed with scalability, robustness, performance and security. The management server may add many more capabilities than what is described here, But the basic security objectives should be met at all times irrespective of the offerings.
For better and more efficient handling of the device at large volumes, we expect the devices to auto-register to the Management Server.
All communication to the server and from the server should follow the below properties.
All communication is digitally signed with the approved algorithms
All communication to the server is encrypted using one of the approved public key cryptography (HTTPS – TLS1.2/1.3 is required with one of the approved algorithms.
All request has timestamps attached in ISO format to the milliseconds inside the signature.
All communication back and forth should have the signed digital id as one of the attributes.
It's expected that auto-registration has an absolute way to identify and validate the devices.
The management client should be able to detect the devices in a plug-and-play model.
All key rotations should be triggered from the server.
Should have the ability to detect if it's speaking to the right management server.
All upgrades should be verifiable and the client should have the ability to verify software upgrades.
Should not allow any downgrade of software.
Should not expose any API to capture biometrics. The management server should have no ability to trigger a capture request.
No logging of biometric data is allowed. (Both in the encrypted and unencrypted format)
L1 Certified Device / L1 Device - A device certified as capable of performing encryption on the device inside its trusted zone. L0 Certified Device / L0 Device - A device certified as one where the encryption is done on the host inside its device driver or the MOSIP device service.
Secure provisioning applies to both the FTM and the Device providers.
The devices and FTM should have a mechanism to protect against fraudulent attempts to create or replicate.
The device and FTM trust should be programmed in a secure facility that is certified by the respective MOSIP adopters.
The organization should have a mechanism to segregate the FTMs and Devices built for MOSIP using a cryptographically valid and repeatable process.
All debug options within the FTM or device should be disabled permanently
All key creations need for provisioning should happen automatically using FIPS 140-2 Level 3 or higher devices. No individual or group or organization should have a mechanism to influence this behaviour.
Before the devices/FTM leaves the secure provisioning facility all the necessary trust should be established and should not be re-programmable.
{% hint style="info" %}
As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time.* {% endhint %}
Device Discovery
L0/L1
Device Info
L0/L1
Capture
L1
Registration Capture
L0/L1
Supported algorithms:
Encryption of biometrics - Session Key
AES
>=256
No storage, Key is created with TRNG/DRBG inside FTM
Encryption session key data outside of FTM
RSA OAEP
>=2048
FTM trusted memory
Encryption session key data outside of FTM
ECC curve 25519
>=256
FTM trusted memory
Biometric Signature
RSA
>=2048
Key never leaves FTM created and destroyed
Biometric Signature
ECC curve 25519
>=256
Key never leaves FTM created and destroyed
Secure Boot
RSA
>=256
FTM trusted memory
Secure Boot
ECC curve 25519
>=256
FTM trusted memory
{% hint style="info" %} No other ECC curves are supported. {% endhint %}
In all the above APIs, some of the requests and responses are signed with various keys to verify the requester's authenticity. Here we have detailed the key used for signing a particular block in a request or response body of various APIs.
Device Discovery Response
Device Info
NA as it will not be signed
Device Discovery Response
Digital ID
NA as it will not be signed
Device Info Response
Device Info
NA in case of unregistered device
Device Key in case of registered device
Device Info Response
Digital ID
For L0 device using device key
For L1 device using FTM chip key
Capture Response
Data
Device key is used
Capture Response
Digital ID
FTM chip key is used
Registration Capture Response
Data
Device key is used
Registration Capture Response
Digital ID
For L0 device using device key
For L1 device using FTM chip key
This section explains the mechanism for the SBI devices to communicate in the android operating system.
Draft document V 0.9
Discovery will return the appId of the discovered items. Users will be given a choice to choose one of the discovered SBI app. The selected app responds back to the intent using the default intent callback functionality.
Request: io.sbi.device action: io.sbi.device data: no change type: application/json Request Schema: No change in the data structure. The serialized request data as byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The serialized response data (byte array) is set in the intent extras with the key as “response”.
callbackId should be set to the appId, and can not be empty in android.
Request: appId.Info action: appId.Info data: no change type: application/json Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The serialized response data as a byte array is set in the intent extras with the key as “response”.
deviceInfo: callbackId should be set to the appId, can not be empty in android.
Request: appId.Capture action: appId.Capture data: no change type: application/json flag: FLAG_GRANT_READ_URI_PERMISSION Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The response content is set as content URI “content://authority/path/id” in the intent extras as a string with the key as “response”.
URI must be invalidated right after the read.
Request: appId.rCapture action: appId.rCapture data: no change type: application/json flag: FLAG_GRANT_READ_URI_PERMISSION Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The response content is set as content URI “content://authority/path/id” in the intent extras as a string with the key as “response”.
The content provider should not support insert, update, delete
On receiving rCapture request MDS must show the stream within its UI in the foreground.
Ensure to set the correct authority in the manifest and set the android:exported as “False”
Android 9 (API Level 28) and above with hardware-backed key store.
0
Success
100
Device not registered
101
Unable to detect a biometric object
102
Technical error during extraction.
103
Device tamper detected
104
Unable to connect to the management server
105
Image orientation error
106
Device not found
107
Device public key expired
108
Domain public key missing
109
Requested number of biometric (Finger/IRIS) not supported
110
Device is not ready
111
Device is Busy
112
Invalid Transaction ID
5xx
Custom errors. The device provider is free to choose his error code and error messages.
The DataShare service is used to share data with other entrusted services and partners. The mechanism shares are the following:
Retrieves and stores data to be shared in Object Store and returns a Datashare URL.
It fetches data from the Object Store when the Datashare URL is called.
The sharing of data is controlled by the Datashare policy.
Data is encrypted before sharing it with partners. Learn more about datashare encryption.
The relationship of Datashare Service with other services is explained here. NOTE: The numbers do not signify the sequence of operations or control flow. Arrows indicate the data flow.
ABIS Handler Stage creates datashare for ABIS.
Manual Adjudication Stage creates datashare for adjudication.
Verification Stage creates datashare for verification.
Datashare Service calls Policy Manager Service to get the policy for creating shares.
It calls the Keymanager Service to encrypt data as per policy.
Stores datashare inside object store.
Retrieves datashare from the object store when the datashare URL is called.
External systems like ABIS, Print System, Adjudication system etc. calls Datashare Service to get the datashare.
Print Service creates UIN PDF and uploads to datashare through Credential.
Partner Manager Service creates credentials for CA certificates to be used by ID Authentication.
Printing Stage creates credentials for printing systems and sends the data through datashare.
ID Repository Service sends data to ID Authentication system through Credential.
Khazana provides following adapters to store objects
POSIX - Supports storage of packets on a filesystem. Its typically used by registration client to store packets locally on the machine. This adapter is not receommended for usage in low latency environments like packet manager.
Object Store is used for following purpose wihin mosip
Registration Client - Encrypted packets
Pre-registration - Uploaded Documents
Idrepo - Individual's biometrics and documents
Datashare - On demand individual's biometrics, documents and other information.
Note: Please note its important to choose the right partner for object storage and work with them to scale acordingly. Please follow the hardware estimate for Object Store based on respective Object store products.
The below is the list of S3 Java API's used by MOSIP. This can be used to understand the vendor compatibility. Khazana does not use any internal business logic and is purely an storage abstraction layer.
Entity relationships diagrams for all databases used in MOSIP are given below.
Connection details
{module_name}_database_url
{module_name}_database_username
{module_name}_database_password
Hibernate configurations
javax.persistence.jdbc.driver
hibernate.dialect
hibernate.jdbc.lob.non_contextual_creation
hibernate.hbm2ddl.auto
hibernate.show_sql
hibernate.format_sql
hibernate.connection.charSet
hibernate.cache.use_second_level_cache
hibernate.cache.use_query_cache
hibernate.cache.use_structured_entries
hibernate.generate_statistics
logging.level.org.hibernate.SQL
logging.level.org.hibernate.type
These are some of the reference settings of a production database. It is expected that these are reviewed and finalized for a given deployment.
This service is used to generate various IDs like UIN and VID.
The UIN should follow the following filters and constraints:
Only integers with length, as specified in mosip.kernel.uin.length configuration.
Minimum pregenerated UINs that should be available, as specified in mosip.kernel.uin.min-unused-threshold configuration. If not available then the next batch of generation would start.
Number of UINs to generate, as specified in mosip.kernel.uin.uins-to-generate configuration.
Upper bound of number of digits in sequence allowed in id, as specified in mosip.kernel.uin.length.sequence-limit configuration. For example if limit is 3, then 12 is allowed but 123 is not allowed in id (in both ascending and descending order).
Number of digits in repeating block allowed in id, as specified in mosip.kernel.uin.length.repeating-block-limit configuration. For example if limit is 2, then 4xxx4 is allowed but 48xxx48 is not allowed in id (x is any digit).
Lower bound of number of digits allowed in between two repeating digits in id, as specified in mosip.kernel.uin.length.repeating-limit configuration. For example if limit is 2, then 11 and 1x1 is not allowed in id (x is any digit).
Number of digits to check for reverse digits group limit, as specified in mosip.kernel.uin.length.reverse-digits-limit configuration. For example if limit is 5 and UIN is 4345665434, then first 5 digits will be 43456, reverse 65434.
Number of digits to check for digits group limit in id, as specified in mosip.kernel.uin.length.digits-limit configuration. For example if limit is 5 and UIN is 4345643456, then 5 digits group will be 43456.
Number of even adjacent digits limit in id, as specified in mosip.kernel.uin.length.conjugative-even-digits-limit configuration. For example, if limit is 3 then any 3 even adjacent digits is not allowed.
List of restricted numbers with , seperation as specified in mosip.kernel.uin.restricted-numbers configuration.
List of numbers that should not be the starting digits in the id. Its a , separated list, as specified in mosip.kernel.uin.not-start-with configuration. For example, the number should not contain '0' or '1' as the first digit.
No alphanumeric characters allowed.
No cyclic numbers as mentioned below are allowed. "142857", "0588235294117647", "052631578947368421", "0434782608695652173913", "0344827586206896551724137931", "0212765957446808510638297872340425531914893617", "0169491525423728813559322033898305084745762711864406779661", "016393442622950819672131147540983606557377049180327868852459", "010309278350515463917525773195876288659793814432989690721649484536082474226804123711340206185567".
Note: Significant thought has been invested in the above design to ensure the generated numbers are both random and secure. We strongly recommend retaining the stated values to maintain the integrity and security of the same.
The above logic reduces the space of the total number of IDs possible. As it is difficult to represent the above logic with a mathematical formula, we provide a statistical estimate of the total number of unique IDs as below:
The following code was used for this estimate.
You are encouraged to find any lacunae in this code!
Packet Manager performs the following functions:
Performs in-memory encryption and decryption of packets.
Performs security checks, checksum, file validations, ID object validations, etc. on the registration packet.
Packet Manager runs as a service and is also available as a library.
The relationship of the Packet Manager with other services is explained here.
NOTE: The numbers do not signify a sequence of operations or control flow. Arrows indicate data flow
Audit logs.
Encryption and decryption of packet.
The Foundational Trust Module (FTM) is created using a secure microprocessor capable of performing all required biometric processing and secure storage of keys. The foundational device trust would satisfy the below requirements.
The module has the ability to securely generate, store, and process cryptographic keys.
Generation of asymmetric and symmetric keys with TRNG.
The module has the ability to protect keys from extraction.
The module has to protect the keys from physical tampering, temperature, frequency, and voltage-related attacks.
The module could withstand Hardware cloning.
The module could withstand probing attacks
The module provides memory segregation for cryptographic operations and protection against buffer overflow attacks
The module provides the ability to withstand cryptographic side-channel attacks like Differential Power analysis attacks, and timing attacks.
CAVP validated the implementation of the cryptographic algorithm.
The module has the ability to perform a cryptographically valid, secure boot.
The module has the ability to run trusted applications.
The foundational device trust derived from this module is used to enable trust-based computing for biometric capture. The foundational device trust module provides a trusted execution environment based on the following:
Secure Boot
Ability to cryptographically verify code before execution.
Ability to check for integrity violations of the module or device.
Halt upon failure.
The ability to securely upgrade and perform forward-only upgrades to thwart downgrade attacks.
SHA256 hash equivalent or above should be used for all hashing requirements
All root of trust is provisioned upon first boot or before.
All upgrades would be considered successful only after a successful boot with proper hash and signature verification.
The boot should fail upon hash or signature failures and never operate in an intermediary state.
A maximum of 10 failed attempts should lock the upgrade process and brick the device. However, chip manufacturers can decide to be less than 10.
Secure application
Ability to run applications that are trusted.
Protect against the downgrading of applications.
Isolated memory to support cryptographic operations.
All trust is anchored during the first boot and not modifiable.
The FTM should have at least one of the following certifications in each category to meet the given requirement.
Category: Cryptographic Algorithm Implementation
CAVP (RSA, AES, SHA256, TRNG (DRBGVS), ECC)
Category: FTM Chip
(ONE of the following certifications)
FIPS 140-2 L3 or above
PCI PTS 5 or above (Pre-certified)
PCI - PED 2.0 or above (Pre-Certified)
One of the following Common Criteria (CC) certification
https://www.commoncriteriaportal.org/files/ppfiles/pp0035a.pdf
https://www.commoncriteriaportal.org/files/ppfiles/pp0084a_pdf.pdf
System/Device Level Tamper (optional)
System/Device Level Tamper Responsiveness is recommended (not mandatory). In this case, FTM should be capable of showcasing Tamper Responsiveness (keys must be erased) against a tamper at the system/device level.
The FTM should protect against the following threats.
Hardware cloning attacks - Ability to protect against attacks that could result in a duplicate with keys.
Hardware Tamper attacks
Physical tamper - No way to physically tamper and obtain its secrets.
Voltage & frequency related attacks - Should shield against voltage leaks and should prevent low voltage. The FTM should always be in either the state operational normally or inoperable. The FTM should never be operable when its input voltages are not met.
Temperature attacks on the crypto block - Low or High the FTM are expected to operate or reach an inoperable state. No state in between.
Differential Power Analysis attack.
Probing attacks - FTM should protect its surface area against any probe-related attacks.
Segregation of memory for execution of cryptographic operation (crypto block should be protected from buffer overflow type attacks).
Vulnerability of the cryptographic algorithm implementation.
Attacks against secure boot & secure upgrade.
TEE/Secure processor OS attack.
Upon the FTM provider's approval by the MOSIP adopters, the FTM provider would submit a self-signed public certificate to the adopter. Let us call this the FTM root. The adopter would use this certificate to seed their device's trust database. The FTM root and their key pairs should be generated and stored in FIPS 140-2 Level 3 or more compliant devices with no possible mechanism to extract the keys. The foundational module upon its first boot is expected to generate a random asymmetric key pair and provide the public part of the key to obtain a valid certificate. The FTM provider would validate to ensure that the chip is unique and would issue a certificate with the issuer set to FTM root. The entire certificate issuance would be in a secured provisioning facility. Auditable upon notice by the adopters or its approved auditors. The certificate issued to the module will have a defined validity period as per the MOSIP certificate policy document defined by the MOSIP adopters. This certificate and private key within the FTM chip are expected to be in its permanent memory.
The validity of the chip certificate can not exceed 20 years from the date of manufacturing.
The FTM should have at least one of the following certifications in each category to meet the given requirement.
Secure provisioning applies to both the FTM and the Device providers.
The devices and FTM should have a mechanism to protect against fraudulent attempts to create or replicate.
The device and FTM trust should be programmed in a secure facility which is certified by the respective MOSIP adopters.
The organization should have a mechanism to segregate the FTMs and Devices built for MOSIP using a cryptographically valid and repeatable process.
All debug options within the FTM or device should be disabled permanently
All key creations needed for provisioning should happen automatically using FIPS 140-2 Level 3 or higher devices. No individual or group or organization should have a mechanism to influence this behaviour.
Before the devices/FTM leaves the secure provisioning facility all the necessary trust should be established and should not be re-programmable.
As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time.
New (code - 6, 8, 9, 10, 11, 12) for ABIS have been added.
Analytics section has been added to the overall response for Identify and the have been updated.
Note on and was added for Insert Request.
New (code - 17) for ABIS has been added.
3. Install Eclipse, open the lombok.jar file, and click Install/Update.
4. Run the server by opening the config-server-start.bat file.
Updated the to include PCI PED 2.0 and CC.
The reference to L2 devices has been removed from this document. The biometric specification listed here has been moved to a new section and the old specification is now in for reference.
Added the section on
This value should be same as printed on the device (Refer ).
This value should be the same as printed on the device (Refer to ).
This value should be the same as printed on the device (Refer to ).
Error codes should be sent for device in "Busy", "Not Ready" and "Not Registered" from the below .
Relevant errors as defined under the of this document.
A standardized error code is defined in the .
Error codes should be sent for device in "Busy", "Not Ready" and "Not Registered" from the below .
Relevant errors as defined under the of this document.
A standardized error code is defined in the .
If the above validations are not met then a error can be thrown in the .
Relevant errors as defined under the of this document.
Standardized error code defined in the .
If the above validations are not met then a error can be thrown in the .
Relevant errors as defined under the of this document.
Standardized error code defined in the .
Object Store is a storage module for MOSIP named as . The module is an abstraction of storage layer used across , , for packets and biometric data.
S3 - is one of the well known API for object stores. is used in Khazana to support any S3 compliant object storage solutions.
Swift - An object storage system from . Swift has published API's and Khazana supports the same on experimental basis using . This works with any Swift or Swift compliant object storage solutions.
As part of our sandbox deployment we have provided an example use case with for on-prem deployment and AWS S3 with AWS deployment. Object Store is installed as part of .
MOSIP uses DB for all relational data storage. The DB creation SQL scripts are located under /db_scripts the folder of the module repository. In , Postgres is installed as a docker inside the cluster. However, in production deployment, typically, Postgres will be installed external to the cluster.
MOSIP's ID Generator Service generates randomised unique IDs for a given length of the ID.
MOSIP uses the cryptographically safe SecureRandom algorithm to generate UINs (Unique Identification Numbers) with high randomness. A checksum is added using the Verhoeff Algorithm to validate the UIN/VID. Generated UINs are filtered against as outlined below, to eliminate easily identifiable numbers and prevent repetitions or sequences. The random number seed is refreshed every 45 minutes or as configured via mosip.idgen.uin.secure-random-reinit-frequency in minutes.
The source code of the ID Generator Service may be found .
Reads/writes registration packets from/to the .
Provides packet information to other services via APIs. In case of multiple packets associated with an ID, pulls information from packets based on configured priority. (See ).
uses the Packet Manager library to create packets.
reads packet data using the Packet Manager service.
Packets are stored and retrieved from the .
uses the Packet Manager library to create packets.
Refer to .
Refer to .
.
The supported algorithm and curves are listed
getConnection(bucketName).getObject(bucketName, finalObjectName)
getConnection(bucketName).getObjectMetadata(bucketName, finalObjectName)
doesBucketExistV2(bucketName)
createBucket(bucketName)
getObjectMetadata()
getObjectMetadata().getUserMetadata()
addUserMetadata(m.getKey(), m.getValue())
PutObjectRequest(bucketName, finalObjectName, s3Object.getObjectContent(), objectMetadata)
getRequestClientOptions()
setReadLimit(readlimit)
putObject(putObjectRequest)
deleteObject(bucketName, objectName)
listObjects(account, searchPattern)
getObjectSummaries()
listObjects(searchPattern)
getObjectSummaries()
doesObjectExist(bucketName, finalObjectName)
GetObjectTaggingRequest(bucketName,finalObjectName)
getObjectTagging(getObjectTaggingRequest)
SetObjectTaggingRequest(bucketName,finalObjectName,objectTagging)
setObjectTagging(setObjectTaggingRequest)
10
164 million
11
1.6 billion
12
15.7 billion
A registration packet is a zipped, encrypted file containing ID information of an individual. It contains meta information about operator/supervisor, registration center, machine, devices etc.
Example zipped file:
10001100771006920220128223618-10001_10077-20220128223618.zip
Naming convention: appid-refid_timestamp.zip
refid: centerid_machineid
*_id.zip: Applicant demographic/biometric/document fields which are marked as "pvt" or "kyc" or "none" in ID Schema.
*_id.json: Meta information (process, encrypted hash, signature, schema version etc.) for *_id.zip file.
*_evidence.zip: Applicant's demographic/biometric/document fields which are marked as "evidence" or "none" in ID Schema.
*_evidence.json: Meta information (process, encrypted hash, signature, schema version etc.) for *_evidence.zip file.
*_optional.zip: Applicant demographic/biometric/document fields which are marked as "optional" or "none" ID Schema.
*_optional.json: Meta information (process, encrypted hash, signature, schema version etc.) for *_optional.zip file.
Note: this is a sample packet and doesnot mean a particular information will be always available in same packet. The fields are populated based on the fieldCategory set in schema json.
Id
Evidence
Optional
See sample packet.
Content coming soon
We implemented three specialized test rigs for automation testing in MOSIP Identity. The UI test rig ensures thorough validation of web-based application modules, including Admin UI, PMP UI, and Resident UI.
The Domain-Specific Language (DSL) test rig facilitates end-to-end testing of MOSIP functionalities like Registration and Authentication. Additionally, the API test rig rigorously tests all MOSIP APIs, covering various corner cases for enhanced reliability.
Click the below mentioned cards to know more.
The UI test rig is a comprehensive automation framework designed to validate the functionality and user interface of various modules within web-based applications. This robust framework encompasses modules tailored for specific functionalities, ensuring thorough testing and validation of essential components. Below are the modules covered:
Admin UI: Admin Service module facilitates the creation of machines and performs user, center, and device mapping. Additionally, it supports master data bulk upload and retrieval of lost RIDs.
PMP UI (Partner Management Services): PMPUI is a web-based UI application offering services for partner onboarding and management. It includes functionalities for Partner Management Service and Policy Management Service.
Resident UI: Resident service is a web-based UI application that enables users to perform various operations related to their UINs / VIDs. Users can utilize these services to view, update, manage, and share their data. Additionally, they can report issues in case of grievances.
Test Script
Description: The test script is the Java code that defines the steps and actions to be executed during the UI automation.
Implementation: Written in Java, it utilizes Selenium WebDriver commands to interact with the web elements of the application.
Selenium WebDriver
Description: The core component of Selenium that provides a programming interface for interacting with web browsers.
Implementation: Instantiate WebDriver (for example, ChromeDriver, FirefoxDriver) to control the browser and navigate through the application.
Test Data
Description: Input data required for the test, such as login credentials, file paths for document upload, or any other data necessary for the test scenario.
Implementation: Defined in the test script or loaded from the external sources like kernel files.
Logging and Reporting
Description: Capture and log relevant information during the execution for debugging and reporting purposes.
Implementation: Utilize logging frameworks (for example, Log4j) and generate test reports (for example, TestNG ).
Setup Phase
Initialize WebDriver: Set up the Selenium WebDriver by instantiating the appropriate browser driver (for example, ChromeDriver).
Navigate to URL: Open the browser and navigate to the URL of the document-based application.
Test Execution Phase
User Authentication (if required): If the application requires login, provide the necessary credentials using Selenium commands.
Interact with UI Elements: Use WebDriver commands to locate and interact with UI elements (for example, buttons, input fields, dropdowns).
Perform Actions: Execute actions such as uploading and downloading documents, entering data, or triggering events.
Data Validation: Implement assertions to validate that the application behaves as expected.
Clone Repository
Admin UI: Clone the repository from Admin UI.
Resident UI: Clone the repository from Resident UI.
PMP UI: Clone the repository from Partner Management Portal.
Navigate to the cloned repository directory.
Navigate to the directory of the cloned repository.
Update the properties file with the following changes:
Verify that the client ID and secret key are accurately configured for the target environment.
Confirm the existence of the 'globaladmin' user in the Database.
Ensure all VM arguments mentioned above are correctly passed and executed.
Update the kernel.properties file with the correct values for the client ID and secret key.
Configure environment-specific secret keys in the Kernel.properties file located at: Kernel.properties
Set environment variables for each unique URL corresponding to different environments (for example, development, test, production).
Setup:
Once the UItest rig configuration maps are accurately configured, you can proceed to execute the UI test rig pod within the Docker environment
Following execution, the comprehensive execution report will be made available in the Minio S3 bucket, accessible for retrieval and further analysis. For the docker setup of uitestrig, we need to deploy uitestrig in a docker, then we can directly run it using RUN button after execution, we will get report in uitestrig folder in minio.
Application and URL Information
Application URL: Ensure you have the correct URL of the application under test. This is crucial for navigating to the relevant web page during test execution. The application URL is sourced from kernel.properties.
Login Credentials: If the application necessitates authentication, ensure you possess valid login credentials for testing purposes. During test execution, user accounts are created to facilitate login credential management.
Test Data
Positive Test Data: Positive test data is generated dynamically during the execution of uitestrig via APIs.
Document Files (if applicable): If your automation includes document uploads or downloads, ensure you have sample document files (e.g., PDFs, Word documents) prepared for testing purposes. These files will be utilized during the testing process.
Configuration Files: Ensure all necessary configuration files for your project are prepared. These files may include browser configurations, test environment settings, or other parameters essential for the execution of your tests.
Environment Variables: Consider utilizing environment variables if your application URL or other settings vary across different environments. This approach provides flexibility and allows for easier management of environment-specific configurations during testing.
Generate TestNG Reports: Ensure your Selenium and Java project is configured to generate TestNG reports. Utilize build automation tools like Maven or Gradle to execute tests and automatically generate TestNG reports.
Locate the TestNG Reports: After test execution, locate the TestNG reports directory. Typically, TestNG generates HTML reports in the testng-report or uitestrig directory within your project's directory structure.
Reviewing TestNG HTML Reports:
Overview Page: Open the index.html or emailable-report.html file to access the test suite overview. Look for summary information such as total tests run, passed, failed, and skipped.
Suite Information: Navigate to the "Suite" section to examine details about individual test suites, including start and end times.
Test Information: Check the "Tests" section for detailed information about each test, including start and end times, test duration, and a summary of passed, failed, and skipped methods.
Methods Information: Explore the "Methods" section to obtain detailed information about each test method. This includes the class name, method name, description, status (pass/fail/skip), and time taken.
Logs and Output: TestNG reports often include logs and output links. These contain additional information about test execution, such as console logs, error messages, or stack traces.
Analyzing Failed Tests:
Failed Tests Section: Focus on the "Failed tests" section within the TestNG report. Here, you'll find detailed information about the failed tests, including the class name, method name, and the reason for the failure. This section provides a concise overview of which tests encountered issues during execution.
Screenshots: Uitestrig framework captures screenshots on test failure. Analyzing screenshots can help identify UI rendering problems, layout issues, or unexpected behaviour that may not be evident from the test logs alone.
To automate a new UI flow for the three modules (AdminUI, PMPUI, and ResidentUI), you can follow these steps:
Understand the New Flow:
Requirement Analysis: Thoroughly review the documentation, user stories, or specifications related to the new functionality to gain a clear understanding of the flow.
Test Scenarios: Identify specific test scenarios for each module's UI flow. Break down the flow into individual steps that can be automated.
Design Test Cases:
Test Case Definition: Define test cases for each identified scenario, outlining the expected behaviour, input data, and verification points.
Use Page Object Model (POM): Implement the Page Object Model to structure your automation framework. Create separate classes representing each page or component within the modules
Write Automation Scripts:
Script Structure: Write automation scripts using Java and Selenium WebDriver, following a modular and maintainable structure.
Implement Test Cases: Translate the defined test cases into executable scripts. Utilize Selenium WebDriver commands to interact with web elements, perform actions, and validate the expected behavior.
For each module (AdminUI, PMPUI, and ResidentUI), create separate sets of automation scripts that cover the identified test scenarios. Each script should focus on a specific test case, interacting with the respective UI elements and validating the expected outcomes.
Utilize the Page Object Model to encapsulate the interaction with web elements within separate page classes. This approach enhances maintainability and reusability of your automation scripts by separating the UI logic from the test scripts.
Lastly, ensure thorough testing and validation of the implemented automation scripts to verify the accuracy and reliability of the automated UI flows for each module
This documentation provides comprehensive guidance for utilizing and expanding the UI Test Rig functionalities effectively.
API Test Rig is a comprehensive tool designed to rigorously test all APIs provided by MOSIP Identity. It ensures thorough testing by covering various corner cases. This Test Rig is module-specific, allowing users to execute specific APIs based on their requirements efficiently. With its optimized design, API Test Rig can complete test runs in few minutes, enhancing the testing process's speed and effectiveness.
The API Test Rig consists of several key components and follows a specific execution flow.
modules: Indicates the name of the module being tested. Examples include auth, prereg, idrepo, resident, esignet, partner, mimoto, etc. Users can specify the module they wish to test, enabling targeted testing based on specific functionalities.
env.user: This parameter specifies the user of the environment where the Testrig file will be executed.
env.endpoint: Indicates the environment where the application under test is deployed. Users should replace <base_env> with the hostname of the desired environment.
env.testlevel: Determines the level of testing to be conducted. It should be set to ‘smoke’ to run only smoke test cases or ‘smokeandRegression’ to execute all tests of all modules.
Ensure that the following software and configurations are set up on your local machine before executing the automation tests:
Java 11 and Maven (3.6.0): Install Java 11 JDK and Maven 3.6.0 on your machine. These are required to compile and execute the automation tests.
Lombok Configuration: Configure Lombok on your machine. Click here to refer to the official Lombok website for installation instructions and setup details.
Git Bash (for Windows): Install Git Bash version 2.18.0.windows.1 on your Windows machine. Git Bash provides a Unix-like command-line environment on Windows, enabling seamless execution of commands.
For Windows: Place the settings.xml file in the .m2 directory.
For Linux: Place the settings.xml file in the regular Maven configuration folder.Additionally, copy the same settings.xml file to /usr/local/maven/conf directory.
Clone Repository
From a terminal (Linux) or command prompt (Windows), navigate to your preferred directory
Using Git Bash: Copy the Git repository link: https://github.com/mosip/mosip-functional-tests
Open Git Bash at any location
Run the command: git clone https://github.com/mosip/mosip-functional-tests
Configure Properties
Navigate to the cloned repository directory
Update the properties file as follows:
Uncomment the lines beginning with authDemoServiceBaseURL and authDemoServicePort to run locally
Comment out the lines beginning with authDemoServiceBaseURL and authDemoServicePort intended for Docker
Ensure that the push-reports-to-s3 property is set to no for local execution
Update the kernel.properties file with the appropriate client ID and secret key Values
Ensure that the client ID and secret key are correctly configured for the intended environment.
Make sure globaladmin user is available in the Database.
Pass all the VM Arguments Properly mentioned above and execute.
Setup
Authdemo pod should be up
All Cronjob-apitestrig should be up
Below Config Maps should be proper
Following are tested modules:
ID Repository (idrepo): ID Repository serves as a centralized database containing individual identity records. It offers API-based functionalities for storing, retrieving, and updating identity details, facilitating seamless integration with other MOSIP modules.
Purpose: Testing the functionality and reliability of identity data management operations within the ID Repository module.
Authentication (auth): Authentication module provides independent services for verifying individual identities. It supports seeding with authentication data and includes services such as Authentication Services, OTP Service, and Internal Services.
Purpose: Evaluating the effectiveness and accuracy of identity authentication processes, including authentication services and OTP generation, within the Authentication module.
Pre-registration (preregistration): Pre-registration module enables residents to enter demographic data, upload supporting documents, and book registration appointments. It supports appointment management, notifications, rescheduling, and cancellation functionalities, enhancing the registration process efficiency.
Purpose: Testing the functionality and usability of pre-registration features, including data entry, appointment booking, and appointment management, to ensure a seamless registration experience for residents.
Mobile ID (MobileId): Mobile ID module facilitates the generation and management of mobile-based identity credentials. It offers secure and convenient identity verification solutions leveraging mobile devices.
Purpose: Assessing the reliability and security of mobile-based identity credential generation and management processes within the Mobile ID module.
Esignet: Esignet module provides electronic signature services, enabling digital signing of documents and transactions. It ensures the integrity and authenticity of electronic documents and transactions.
Purpose: Verifying the functionality and effectiveness of electronic signature services, including document signing and verification processes, within the Esignet module.
Partner Management Services (Partner): Partner Management Services module offers services for partner onboarding and management. It includes Partner Management Service and Policy Management Service functionalities.
Purpose: Testing the partner onboarding process and management services provided by the Partner Management Services module, ensuring smooth collaboration and integration with partner entities.
Identify Report Name
Locate the report file in the 'Object Store' automation bucket.
The report name typically follows the format: mosip-api-internal.<env_name>-<module_name>-<timestamp>_report_T-<Total>_P-<Passed>_S-<Skipped>_F-<Failed>.html.
<env_name>: Name of the environment where the tests were conducted
<module_name>: Name of the module for which tests were executed
<timestamp>: Timestamp indicating when the report was generated
T, P, S, F: Total, Passed, Skipped, and Failed counts of test cases, respectively
Open the report file and review the summary section
Check the total number of test cases executed (T), along with the counts of passed (P), skipped (S), and failed (F) test cases
In the beginning of the report, you'll find a section listing all API names along with their corresponding test case counts
Click on the specific API you want to inspect further
After selecting an API, you'll be directed to a page displaying all test cases associated with that API
Click on the individual test case to view detailed information, including request and response data
Analyze the request payload, expected response, and actual response received during testing
If a test case failed, analyze the details to identify the root cause
Review the request parameters, headers, and body to ensure correctness
Check the response received against the expected response, focusing on status codes, data format, and content
Create folder structure
Create a folder with the API name in the specific module directory
This folder will contain the necessary files for automating the API
Create Input and Output Templates
Inside the API folder, create one Handlebars (hbs) file for input and one for output
The input hbs file should contain placeholders for parameters that will be used in the test cases
The output hbs file should contain placeholders for expected response data
Parameterize Data in Input Template
Parametrize the data in the input hbs file using Handlebars syntax
Define variables or placeholders for the input data that will be used in the test cases
Create YAML File
Create a YAML file to define the test cases for the API
Follow the predefined structure for the YAML file, including API name, test case names, endpoint, authentication method, HTTP method, input/output templates, and input/output data
Define each test case under the corresponding API with relevant details such as endpoint, authentication method, HTTP method, input/output templates, and input/output data
Input and Output Data in YAML
In the YAML file, provide the input data for each test case under the input block, using the parameters defined in the input template
Similarly, define the expected output data under the output block, using placeholders defined in the output template
Once the folder structure and YAML file are created, execute the test cases using the automation testing framework
The framework will substitute the input data from the YAML file into the input template and compare the actual output with the expected output defined in the YAML file
This documentation provides comprehensive guidance for utilizing and expanding the API Test Rig functionalities effectively.
A Domain-Specific Language (DSL) test framework is crafted specifically to facilitate thorough end-to-end testing of MOSIP functionalities. This framework empowers the specification and execution of test cases that accurately reflect real-world scenarios. These functionalities include:
Registration
Pre-registration + registration
Authentication
Execution Components and Flow
The PacketCreator service, constructed with Spring Boot, is responsible for generating dummy data packets used in registrations. It employs Mockmds to fabricate realistic, simulated biometric information in the cbeff format, tailored to various use cases.
During deployment, the PacketCreator service can be configured to operate on a specific port or URL, providing flexibility in its deployment settings. In Rancher environments, this configuration is managed through ConfigMaps, allowing for seamless adjustment of deployment parameters.
Moreover, PacketCreator is equipped with the ability to concurrently execute multiple test scenarios, thereby optimising its operational efficiency.
Click here to know more about code and test data to run automation tests.
During deployment, the service can be configured to operate on a specific port or URL, a setup that is facilitated through the use of Config Maps in Rancher environments. Additionally, it includes functionality to generate partner P12 files, which are crucial for establishing secure communication channels.
Click here to know more about MOSIP repository for Functional Tests.
The DSL test rig, also referred to as the DSL orchestrator, plays an important role in managing test data and executing the use cases outlined in scenario sheets. It harnesses the capabilities of PacketCreator and AuthDemo certificates to seamlessly orchestrate the complete scenario execution. Furthermore, the test rig is adept at concurrently running multiple scenarios, thereby maximizing efficiency.
Upon completion of execution, comprehensive reports are meticulously stored in a Object Store S3 bucket, with the folder name specified in the configuration maps.
Click here to know more about test data to run automation tests.
PacketCreator establishes a connection with Mockmds through the Service Bus Interface (SBI). The SBI acts as a mediator and provides the port number (for example, 4501) used by PacketCreator to call Mockmds and access its cbeff generation utility for creating simulated biometric data.
The MountVolume component is responsible for downloading and mounting specific folders from an NFS (Network File System) shared storage (/srv/nfs/mosip/testrig), which is accessible by both DSLtestrig and PacketCreator. These folders, namely:
dsl-scenarios
packetcreator-data
packetcreator-authdemo-authcerts
Device certificates generated by PacketCreator are stored in the packetcreator-authdemo-authcerts folder.
Generated packets are stored in the following location for future retrieval.
A profile resource is utilized for each generated packet. This profile acts as a container for test data, including both demographic information and biometric details specific to the packet.
For local execution of DSL scenario, follow these steps:
Configure environment-specific secret keys in the Kernel.properties file located at: Kernel.properties.
Set environment variables for each unique URL corresponding to different environments (e.g., development, test, production).
Set centralized folder locally can be downloaded from the following location: Centralized Folder.
Place the latest build JAR file in the packetcreator folder. Execute run.bat from the packetcreator folder to start the PacketCreator service.
Place the latest build JAR file for the Auth Demo service. Ensure the service runs on the same port specified in the Kernel file.
Identify the specific scenario numbers you want to execute by defining a configuration parameter like scenariosToRun. Assign a comma-separated list of scenario numbers. For a full suite execution, leave this parameter empty.
Define another configuration parameter like scenariosToSkip to list the scenario numbers corresponding to known issues you want to exclude from execution. This allows focusing on new or relevant scenarios without re-running known problematic ones.
To ensure successful execution from Docker, please verify the following prerequisites:
Ensure that the Authdemo pod is running and operational within the Docker environment.
Confirm that the Packetcreator pod is deployed and operational within the Docker environment.
Verify that the configuration maps for the DSL test rig are correctly set up and configured to facilitate communication and orchestration between components.
Once the DSL test rig configuration maps are accurately configured, you can proceed to execute the DSL test rig pod within the Docker environment.
Following execution, the comprehensive execution report will be made available in the 'Object Store' S3 bucket, accessible for retrieval and further analysis.
Before executing the DSL test rig, ensure the following prerequisites are met:
Globaladmin User Configuration: The globaladmin user should be configured to point to either Mycountry or the root hierarchy within the user management system.
Keycloak Deployment: Ensure a running Keycloak deployment is available to manage user authentication and authorization processes during test execution.
Network File System (NFS) Setup: NFS must be properly configured and accessible to share data between relevant components, such as DSL test rig and PacketCreator.
PacketCreator and AuthDemo Paths: Verify that the paths for both PacketCreator and AuthDemo in the configuration are accurately set, referencing their respective locations within the environment.
Scenario Sheet: The scenario sheet containing test cases must have the correct scenario number(s) specified for execution.
'Object Store' Bucket Access: Confirm that the configuration maps hold valid information to access the 'Object Store' S3 bucket. This access is necessary for retrieving reports after the completion of the test run.
Fetch reports from 'Object Store' as displayed below.
Here is the explanation of the different reports generated by the DSL test rig:
ExtentReport:
Provides a summarized overview of executed scenarios and their outcomes (pass/fail).
Each entry may include a brief description of failure if a scenario fails.
Ideal for quickly identifying failing scenarios without diving into details.
Detailed Testing Report:
Offers a comprehensive overview of each executed scenario.
Allows searching for specific scenarios by their number.
Displays the complete execution flow of a chosen scenario, starting from the beginning.
Provides detailed logs and information about scenario execution and any encountered failures.
Suitable for in-depth analysis of specific scenarios and understanding the root cause of failures.
Pod Logs:
Contain detailed logging information generated by individual pods involved in the test execution (for example, DSL test rig, PacketCreator).
Provide low-level details about system events, errors, and communication between components
Recommended for advanced troubleshooting and identifying the root cause of complex failures.
To write a new scenario using existing DSL steps for the DSL test rig, focusing on scenario number 2 and adapting it for a different flow, follow these steps:
Analyze Existing Scenario 2:
Thoroughly analyze the existing scenario number 2 to understand its basic UIN generation flow.
Identify the specific changes needed in the flow to adapt it for your new scenario.
Leverage Existing Steps:
Review the existing DSL step definitions available in your test framework.
Identify existing steps that align with your new scenario and can be reused.
Re-using existing steps will save time and effort compared to building new steps from scratch.
Create New Steps (if Necessary)
If your desired flow involves actions not covered by existing steps, create new DSL steps as needed.
Ensure proper documentation and adhere to coding best practices when creating new steps.
Organize the steps in the desired order of execution for your new scenario.
Use existing steps where applicable and incorporate new steps as needed.
Test and Refine
Testing and refining the newly created scenario is crucial to ensure it functions correctly and produces the desired outcome. To test and refine, complete the following steps:
Execute the newly created scenario within the DSL test rig environment.
Verify that the scenario executes as expected and produces the desired outcome. Check for any errors or unexpected behaviour during execution.
If necessary, debug and refine the scenario to address any issues or discrepancies encountered during execution.
Additional Tips:
Start with a simple scenario to build confidence in your understanding of the DSL and scenario writing process.
Consult colleagues who are familiar with the existing DSL and scenario definitions for guidance and support if needed.
Document your new scenario clearly and concisely, explaining its purpose and any changes made compared to the original scenario.
Below snapshot displays many more methods for your reference for the scenarios.
To analyze scenario names effectively, consider the following strategies:
Look for keywords or phrases within scenario step names that provide hints about their purpose or the information they handle. These keywords can offer insights into the actions or data manipulations performed by each step.
Most DSLs come with documentation detailing their syntax, available steps, and structure. Refer to this documentation to understand the expected format and parameters for each step. It can provide clarity on the purpose and usage of individual steps.
Test Scenarios Incrementally: Start by testing a simple scenario that involves only a few steps you understand. Gradually add complexity as you gain confidence in your understanding. This practice can help you identify potential gaps in your knowledge and where further investigation might be needed.
This documentation provides comprehensive guidance for utilizing and expanding the DSL Test Rig functionalities effectively.
MOSIP provides automation test repositories for the following:
Selenium webdriver-based Admin Portal Automation covers CRUD (create, read, update and delete) operation performed via UI with Chrome driver.
Registration test automation covers these flows: New, Update, Correction, and Lost flows.
This repository contains API automation tests. The automation is written using Java REST Assured and TestNG framework. The following modules are covered:
Pre-registration
Masterdata
Partner Management
ID Repository
IDA
Resident
Functional tests support multi-languages, i.e., the input can be provided in any of the languages configured in a given MOSIP installation.
This repository contains a test framework for end-to-end testing of MOSIP functionality. The following functionalities are covered:
Registration
Pre-registration + Registration
Authentication
To know more about each, click .
