addCredential
Add an mDoc to storage.
Return
ID of the saved mDoc.
This function validates the mDoc as per ISO/IEC 18013-5:2021 before adding it to storage. The validation steps include:

- Device Key Validation:
  - Ensures the device key's cryptographic curve is supported by the SDK.
  - Ensures the device key isn't already bound to another mDoc stored by the SDK.
  - Ensures the device key matches the device key in the provided mDoc.
- Issuer Data Authentication: executes the issuer data authentication procedure defined in section 9.3.1 of ISO/IEC 18013-5:2021:
  - MSO Header Validation: validates the certificate found in the MSO (Mobile Security Object) header.
  - Signer Certificate Verification: verifies the signer certificate (as specified in Section 9.3.3 and Table B.3 of ISO/IEC 18013-5:2021) against the set of trusted issuer certificates currently stored by the SDK.
  - IssuerAuth Digital Signature Verification: verifies the digital signature of the IssuerAuth structure.
  - Verify Value Digest: ensures the integrity and correctness of the value digests.
  - ValidityInfo Structure Validation: ensures all elements in the ValidityInfo structure meet the defined standards.
- DocType-Specific Validation: performs additional validation steps specific to the credential's docType. For mDLs this includes:
  - Confirms the mDL signer certificate's maximum validity period is within limits (up to 457 days).
  - Ensures the mDL signer certificate has the correct ExtKeyUsage (ISO/IEC 18013-5:2021 B.1.4).
  - Confirms the mDL signer certificate sets its key usage to digital signatures exclusively.
  - Verifies the mDL signer certificate was issued from the correct location.
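The "Verify Value Digest" and "ValidityInfo Structure Validation" steps above, together with the Base64 parameter handling described under Parameters, as an added Python example. This is not SDK code and not part of this documentation: it assumes a minimal CBOR encoder written here (used only to construct the sample; a wallet hashes the IssuerSignedItemBytes exactly as received), constructed sample items and digests, and tdate values given as RFC 3339 UTC strings. The IssuerAuth signature and certificate-chain steps from the list are deliberately not shown.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Minimal CBOR encoder (uint, bstr, tstr, array, map, tag). Assumption: only
# needed to build the sample; a real wallet uses its CBOR library for decoding.
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for this encoder")

def cbor(obj):
    if isinstance(obj, bool):
        raise TypeError("bool not needed in this example")
    if isinstance(obj, int) and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(cbor(k) + cbor(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")

def tag24(encoded):
    """#6.24(bstr .cbor X): the wrapper ISO/IEC 18013-5 uses for IssuerSignedItemBytes."""
    return _head(6, 24) + cbor(encoded)

def decode_mdoc_b64(text):
    """Accept the Base64 credential parameter with or without '=' padding."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4))

def verify_value_digests(issuer_items, value_digests, digest_algorithm="SHA-256"):
    """Value-digest check. issuer_items: {namespace: [(decoded_item, raw_item_bytes)]},
    raw_item_bytes being the IssuerSignedItemBytes as received (tag 24 included);
    value_digests: MSO valueDigests {namespace: {digestID: digest}}.
    Returns failure descriptions; an empty list means every item verified."""
    algo = digest_algorithm.replace("-", "").lower()   # "SHA-256" -> hashlib "sha256"
    failures = []
    for ns, items in issuer_items.items():
        expected = value_digests.get(ns, {})
        for item, raw in items:
            digest_id = item["digestID"]
            if digest_id not in expected:
                failures.append(f"{ns}/{digest_id}: no digest in MSO")
            elif hashlib.new(algo, raw).digest() != expected[digest_id]:
                failures.append(f"{ns}/{digest_id}: digest mismatch for {item['elementIdentifier']}")
    return failures

def _tdate(value):
    # tdate values are RFC 3339 UTC timestamps (CBOR tag 0 on the wire).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_validity_info(validity_info, now):
    """ValidityInfo check: validFrom >= signed, validUntil > validFrom, now inside the window."""
    now = _tdate(now) if isinstance(now, str) else now
    signed = _tdate(validity_info["signed"])
    valid_from = _tdate(validity_info["validFrom"])
    valid_until = _tdate(validity_info["validUntil"])
    failures = []
    if valid_from < signed:
        failures.append("validFrom precedes signed")
    if valid_until <= valid_from:
        failures.append("validUntil is not after validFrom")
    if not (valid_from <= now <= valid_until):
        failures.append("MSO is not valid at the current time")
    return failures

def build_sample(tamper=False):
    """Constructed sample: two issuer-signed items and the matching MSO digests.
    With tamper=True the holder-side copy of one element is altered after signing."""
    ns = "org.iso.18013.5.1"
    items = [
        {"digestID": 0, "random": bytes(range(16)), "elementIdentifier": "family_name", "elementValue": "Doe"},
        {"digestID": 1, "random": bytes(range(16, 32)), "elementIdentifier": "document_number", "elementValue": "123456789"},
    ]
    raw_items = [tag24(cbor(item)) for item in items]
    value_digests = {ns: {item["digestID"]: hashlib.sha256(raw).digest() for item, raw in zip(items, raw_items)}}
    if tamper:
        items[1] = dict(items[1], elementValue="987654321")
        raw_items[1] = tag24(cbor(items[1]))
    return {ns: list(zip(items, raw_items))}, value_digests
```

`verify_value_digests(*build_sample())` returns an empty list, while `verify_value_digests(*build_sample(tamper=True))` reports one mismatch for document_number. The point worth keeping from the design is that the digest is computed over the received IssuerSignedItemBytes as opaque bytes; re-encoding the decoded item with a different CBOR serializer can change the bytes and produce false mismatches, or worse, mask a real one if both sides re-encode.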
When the DC API feature is enabled, after a credential is successfully added all stored credentials are automatically registered with the Android Credential Manager to keep its list of available credentials up to date.
If Activity Log writes are enabled for this instance, a "credential added" entry is recorded after the credential is stored. If recording the Activity Log entry fails, the credential remains stored but this call fails and does not return the credential ID.
Activity Log
When activity log recording is enabled, a successful addition logs an ActivityLogEntry containing a single ActivityLogCredentialEvent event.
If activity log recording fails, ActivityLogException.OperationFailedException is thrown.
Parameters
- Base64-encoded string (with or without padding) containing a CBOR-formatted mDoc (as per ISO/IEC 18013-5:2021 section 8.3.2.1.2.2, IssuerSigned).
- deviceKeyId: the ID of the device key used to generate the mDoc. A device key can be generated using generateDeviceKey.
Throws
- If the SDK API is called before the SDK is initialized.
- If the device key associated with the deviceKeyId is already in use.
- If the device key associated with the deviceKeyId is not found.
- If there is an error in generating the metadata from the metadata record, or when the trust chain evaluation fails.
- If the stored device key does not match the credential's device key ID.
- If the credential is not valid and could not be added.
- If the issuer's TrustedCertificate is not found.
- If reading or mapping activity log entries fails for any other reason.