SecureLog

When reporting an error, refer to the Protector OATH SDK log, which contains diagnostic information that is useful for troubleshooting. From Protector OATH SDK V6.0, the application has the option to include the logger module and to enable SDK log collection.

To protect the confidentiality of the logs, Protector OATH SDK logs are encrypted and stored securely on the file system. The log files can be retrieved and sent to the backend for analysis when an error occurs. The logs can only be decrypted with a specific private key that is held by the Application integrators.

To activate the Protector OATH SDK log collection, the application needs to pass the required configurations to Protector OATH SDK.

SecureLogConfig

The SecureLogConfig object contains the property settings that are required for SecureLog:

SecureLogConfig
/**
 * Mandatory parameter
 * Required to retrieve the public key and encrypt the log message (maximum length is 1024 characters)
 * Throws NSInvalidArgumentException if publicKeyModulus is nil or the length is more than 1024 characters
*/
@property (nonatomic, strong) NSData *publicKeyModulus;

/**
 * Mandatory parameter
 * Required to retrieve the public key and encrypt the log message (maximum length is 8 characters)
 * Throws NSInvalidArgumentException if publicKeyExponent is nil or the length is more than 8 characters
*/
@property (nonatomic, strong) NSData *publicKeyExponent;

/**
 * Optional parameter
 * This file ID is part of the log file name.
 * Default value: d5a1
 * Maximum length is 10 characters
 * Throws NSInvalidArgumentException if the length is more than 10 characters
*/
@property (nonatomic, strong) NSString *fileID;

/**
 * Optional parameter
 * Sets the secure logger rolling file max count
 * Default value: 8
 * Throws NSInvalidArgumentException if rollingFileMaxCount equals 0 or is more than 99.
*/
@property (nonatomic, assign) NSUInteger rollingFileMaxCount;

/**
 * Optional parameter
 * Sets the secure logger rolling size
 * Default value: 1024
 * Throws NSInvalidArgumentException if rollingSizeInKB = 0
*/
@property (nonatomic, assign) NSUInteger rollingSizeInKB;

/**
 * Optional parameter
 * The directory to store the logs
 * Default value: Library/Application Support/Thales
 * Throws NSInvalidArgumentException if the directory does not exist
*/
@property (nonatomic, strong) NSURL *directory;

/**
 * Optional parameter
 * The log level that you want SecureLog to write to the file
 * Default value: SecureLogLevelWarn
 * Throws NSInvalidArgumentException if the level is not a SecureLogLevel value
*/
@property (nonatomic, assign) SecureLogLevel logLevel;

Creating a SecureLogConfig object

You have to pass at least the publicKeyModulus and publicKeyExponent properties to construct the SecureLogConfig object. The rest of the properties are optional.

OpenSSL can be used to generate the key pair as follows:

openssl genrsa -out key.pem 2048

# Retrieve the public key info (modulus & exponent)
openssl rsa -in key.pem -text

The following code snippet shows how to create the SecureLogConfig object:

SecureLogConfig with default parameters
unsigned char DUMMY_PUBLIC_KEY_MODULUS[]= {
    0x00, 0xa0, 0x86, 0x90, 0xbe, 0x3a, 0x7d, 0xfd, 0x3d, 0x84, 0x56, 0x38, 0x23, 0x97, 0xd4,
    0xb6, 0x5f, 0xeb, 0x1e, 0xc0, 0x17, 0x5a, 0xb3, 0x08, 0x92, 0x3b, 0x2a, 0x2b, 0x6c, 0xf6,
    0x71, 0xd6, 0x62, 0x1c, 0x7a, 0x4f, 0x96, 0xf9, 0x37, 0xa0, 0x77, 0xd6, 0x24, 0x27, 0x84,
    0x98, 0xfa, 0x7c, 0xb9, 0x3c, 0xfd, 0xc9, 0x58, 0xcd, 0xb7, 0x04, 0x08, 0xbb, 0x0b, 0x23,
    0x8b, 0x21, 0xaa, 0x4d, 0x2c, 0xfd, 0x19, 0xf6, 0xa9, 0xc9, 0x43, 0xe0, 0xe9, 0x63, 0xcc,
    0xa8, 0x5e, 0x8c, 0xf4, 0x57, 0x02, 0x13, 0x44, 0x0b, 0xfc, 0x0d, 0x5d, 0x05, 0xbf, 0x70,
    0xe2, 0xac, 0xad, 0xe9, 0x55, 0x85, 0x04, 0x61, 0xfc, 0x67, 0x25, 0xe8, 0xd2, 0x0f, 0xba,
    0x0b, 0x62, 0x1a, 0x1d, 0x55, 0xa0, 0x6c, 0x08, 0x83, 0xde, 0xd4, 0xbe, 0x39, 0x95, 0xe6,
    0x7b, 0xe6, 0xc9, 0x44, 0x9b, 0xf8, 0x54, 0xb8, 0x4e, 0xe3, 0x75, 0xa6, 0xaf, 0xfa, 0x89,
    0x39, 0x3e, 0xaf, 0xfd, 0x4e, 0xf7, 0xd8, 0x2f, 0x80, 0x0d, 0xa9, 0x7c, 0xf7, 0xa7, 0x53,
    0x1d, 0x18, 0x95, 0x6a, 0x35, 0x98, 0x48, 0x24, 0xcf, 0x29, 0x52, 0xd7, 0x5f, 0xe0, 0x6b,
    0xce, 0x61, 0xe4, 0x71, 0x13, 0xd6, 0x82, 0xf3, 0xd9, 0x41, 0x74, 0x5f, 0x5b, 0x85, 0xc6,
    0x56, 0xa6, 0x1f, 0x8b, 0xd2, 0xc4, 0xa7, 0x57, 0x9c, 0xed, 0x82, 0xca, 0x2f, 0xd7, 0x84,
    0x47, 0x26, 0x65, 0x43, 0xd9, 0x76, 0x95, 0xf5, 0x20, 0xd1, 0x03, 0xf4, 0xeb, 0x00, 0x34,
    0x19, 0xca, 0x40, 0x40, 0x34, 0xe2, 0xfb, 0xbd, 0xe3, 0x64, 0x02, 0xcb, 0xe7, 0x1b, 0x87,
    0x69, 0xac, 0x3b, 0x7a, 0xae, 0x51, 0x3d, 0x4b, 0x32, 0x57, 0x24, 0xe2, 0x03, 0x34, 0x71,
    0x10, 0xda, 0x60, 0x77, 0x48, 0x26, 0xcb, 0x3c, 0x63, 0x0b, 0xa9, 0x49, 0xa4, 0x92, 0x53,
    0x69, 0x53};

unsigned char DUMMY_PUBLIC_KEY_EXPONENT[] = {0x01, 0x00, 0x01};


- (SecureLogConfig *)slogConfig
{
    NSData *dummyPublicKeyModulus = [NSData dataWithBytes:DUMMY_PUBLIC_KEY_MODULUS length:sizeof(DUMMY_PUBLIC_KEY_MODULUS)];
    NSData *dummyPublicKeyExponent = [NSData dataWithBytes:DUMMY_PUBLIC_KEY_EXPONENT length:sizeof(DUMMY_PUBLIC_KEY_EXPONENT)]; 
  
    return [[SecureLogConfig alloc] initWithConfigComponentsBuilder:^(SecureLogConfigComponents * _Nonnull componentsBuilder) {
        componentsBuilder.publicKeyModulus = dummyPublicKeyModulus;
        componentsBuilder.publicKeyExponent = dummyPublicKeyExponent;
    }];
}
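The hand-off from the `openssl` output to the two byte arrays in the snippet above, as an added example that is not part of the SDK or its documentation: the script reads the `-text` output and prints the arrays with the bytes exactly as OpenSSL shows them, including the leading `00` that the sample modulus above also carries. The function names and output array names are hypothetical, and the limits of 1024 and 8 are read as byte counts, which is an assumption.

```shell
# Added example: turn `openssl rsa -text` output on stdin into byte arrays.
# Derive pub.pem first so that no private key fields reach the text:
#   openssl rsa -in key.pem -pubout -out pub.pem
#   openssl rsa -pubin -in pub.pem -text -noout | key_text_to_arrays

# Print the modulus dump as one hex string, bytes exactly as openssl shows them.
modulus_hex() {
    awk '/^[Mm]odulus:/ { grab = 1; next }
         grab && /^ /   { gsub(/[ :]/, ""); printf "%s", $0; next }
         grab           { exit }'
}

# Print the public exponent as an even-length hex string (0x10001 -> 010001).
exponent_hex() {
    awk '/[Ee]xponent: [0-9]+ \(0x[0-9a-fA-F]+\)/ {
             h = $0; sub(/.*\(0x/, "", h); sub(/\).*/, "", h)
             if (length(h) % 2) h = "0" h
             print h; exit }'
}

# check_len HEX MAX: succeed only if HEX holds between 1 and MAX whole bytes.
check_len() {
    [ "${#1}" -gt 0 ] && [ $((${#1} % 2)) -eq 0 ] && [ $((${#1} / 2)) -le "$2" ]
}

# objc_array NAME HEX: print HEX as an Objective-C unsigned char array.
objc_array() {
    printf 'unsigned char %s[] = {%s};\n' "$1" \
        "$(printf '%s\n' "$2" | sed 's/../0x&, /g; s/, $//')"
}

key_text_to_arrays() {
    text=$(cat)
    mod=$(printf '%s\n' "$text" | modulus_hex)
    exp=$(printf '%s\n' "$text" | exponent_hex)
    # Limits from the SecureLogConfig comments, read here as bytes (assumption).
    check_len "$mod" 1024 || { echo "modulus missing or too long" >&2; return 1; }
    check_len "$exp" 8 || { echo "exponent missing or too long" >&2; return 1; }
    objc_array PUBLIC_KEY_MODULUS "$mod"
    objc_array PUBLIC_KEY_EXPONENT "$exp"
}

# Constructed sample in the -text layout; modulus cut to 9 bytes, not a real key.
SAMPLE_TEXT='Public-Key: (2048 bit)
Modulus:
    00:c3:5a:11:9e:04:7b:
    d2:8f
Exponent: 65537 (0x10001)'
printf '%s\n' "$SAMPLE_TEXT" | key_text_to_arrays
```

The same parser accepts the `modulus:` and `publicExponent:` labels that `-text` prints for a private key, but feeding it only the public key text keeps the private fields off the terminal and out of build logs.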

Passing SecureLogConfig to Protector OATH SDK

After creating the SecureLogConfig object, you have to pass it to the EMCore configureSecureLog function on iOS or IdpCore.configureSecureLog() on Android to get the SecureLog instance. Store the returned object, because you need it to interact with SecureLog.

Note

If you do not wish to enable SecureLog in your project, you can simply set the EMCore configureSecureLog function in Protector OATH SDK to nil on iOS or pass null to IdpCore.configureSecureLog() on Android.

id<SecureLog> sLog = [EMCore configureSecureLog:[self slogConfig]];

Interacting with SecureLog

Getting log files

The files() function on iOS or getFiles() on Android returns an array of the log files that are logged by Protector OATH SDK.

// Returns an array of file NSURLs
NSArray *logFiles = [sLog files];

Deleting the log files

The deleteFiles() function deletes all the log files that are logged by Protector OATH SDK.

// Returns void
[sLog deleteFiles];

Changing the log level

You can use the setLevel() function to change the log level at any time during the life cycle of Protector OATH SDK, or to disable logging temporarily.

//Only log fatal messages
[sLog setLevel:SecureLogLevelFatal];

//Stop logging
[sLog setLevel:SecureLogLevelOff];