AAL2VerifySignatureICSF

Mis à jour le 23 Jan 2025
4 Minutes à lire

Partager
Sombre
Lumière
PDF

The content is currently unavailable in French. You are viewing the default English version.

Résumé de l’article

Avez-vous trouvé ce résumé utile ?

Merci pour vos commentaires

Function prototype (aal2sdk.h)

aat_int32 AAL2VerifySignatureICSF (
                               TDigipassBlob*   DPBlob,
                               TKernelParms*    CallParms,
                               aat_ascii*       aStorageKeyNameIn,
                               aat_ascii*       aInitialVectorIn,
                               aat_ascii*       aSignatureIn,
                               aat_ascii        aSignedDataFieldsIn[8][20],
                               aat_int32        FieldCountIn,
                               aat_int32        DeferredSignatureDataIn,
                               aat_ascii*       ConfirmationCode,
                               aat_int32*       ConfirmationCodeLength);

Description

The AAL2VerifySignatureICSF function is called passing the necessary data to perform signature validation and integrity control, based on the signature code generated by the user's Digipass, and up to eight SignedDataFields on which authentication and integrity control are to be performed. The exact number of valid data fields is given in FieldCount. If necessary, synchronization information may be passed using the DeferredSignatureData parameter.

This function is used to perform signature validation on a standard signature process involving up to eight signed data fields.
This function cannot be used to perform signature validation of a Secure Channel transaction (signature based on a Secure Channel request message). For signature validation of a Secure Channel transaction, AAL2VerifyMessageSignatureICSF must be used instead of AAL2VerifySignatureICSF.

The OnlineSG kernel parameter is applied to the present function and is used as described in the OneSpan Authentication Suite Server SDK C-C++ Programmer's Guide.

Signature confirmation code specifics

In addition, a feature is present that allows a client to authenticate back the host server that validated the signature.

It facilitates a two-way process. The server validates the user's signature and returns a confirmation code as an acknowledgment that the user is able to verify on their Digipass.

This function allows the integrator to address the HSM storage key by name and to specify an initial vector. The initial vector is used during the S3DES/AES decryption/encryption of the sensitive data of the authenticator application BLOB.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based signature validation which allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the signature, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2VerifySignatureICSF) for more details.

Parameters

The memory management of the output parameters must be performed by the calling function.

Table: Parameters (AAL2VerifySignatureICSF)
Type	Name	Use	Description
TDigipassBlob *	DPBlob	I/O	The authenticator application BLOB.
TKernelParms *	CallParms	I	Structure of runtime parameters to use during this function call.
aat_ascii *	aStorageKeyNameIn	I	String of up to 64+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the HSM storage key used to encrypt the sensitive authenticator applicationBLOB data.
aat_ascii *	aInitialVectorIn	I	String of 16 hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the initial vector used to encrypt the sensitive authenticator application BLOB data.
aat_ascii *	aSignatureIn	I	Up to 16+1 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces.
aat_ascii *	aSignedDataFieldsIn	I	Array of 8,left-justified, null-terminated, or space-padded strings of maximum 20 characters. This parameter holds the 8 possible data fields that are entered in the Digipass authenticator to generate a signature.
aat_int32 *	FieldCountIn	I	Numeric value from 1 to 8. Indicates the number of data fields to use from the aSignedDataFieldsIn array.
aat_int32 *	DeferredSignatureDataIn	I	Must be 0 if signature is validated in online mode (OnlineSG=1 or 2). If signature is validated in offline mode with OnlineSG=0, this parameter can receive the Digipass date of the signature generation (number of elapsed seconds from January 1, 1970) or 0 (0 forces using the current time) Important: If > 0, the parameter filled must be the Digipass time, and not the host time. If signature is validated in offline mode with OnlineSG=3, this parameter MUST receive the counter of the Digipass authenticator used for the signature generation.
aat_ascii	ConfirmationCode	O	String of up to 17 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the confirmation code generated by Authentication Suite Server SDK for this signature.
aat_int32	ConfirmationCodeLength	O	Pointer to a long integer that will contain the length of the confirmation code that has been generated.

COBOL calling convention

Entry point: AA2VVSIC
02   W-BLOB            PIC X(248).
02   W-KERNELPARMS.
     03  W-PARMCOUNT   PIC 9(8) USAGE BINARY.
     03  W-PARM01      PIC 9(8) USAGE BINARY.
     . . .
     03  W-PARM19      PIC 9(8) USAGE BINARY.
02   W-HOSTCODE        PIC X(17).
02   W-HOSTCODE-LENGTH  PIC 9(8) USAGE BINARY.
02   W-SIGNATURE        PIC X(17).
02   W-SIGNED-DATA      PIC X(20) OCCURS 8.
02   W-FIELDCOUNT       PIC 9(8) USAGE BINARY.
02   W-SIGNATUREDATE    PIC 9(8) USAGE BINARY.
02   W-STORAGEKEY      PIC X(65).
02   W-INITVECTOR      PIC X(17).
02   W-API-NAME        PIC X(8) VALUE 'AA2VVSIC'.
. . .
     CALL W-API-NAME USING
           BY REFERENCE W-BLOB
           BY REFERENCE W-KERNELPARMS
           BY REFERENCE W-STORAGEKEY
           BY REFERENCE W-INITVECTOR
           BY REFERENCE W-SIGNATURE
           BY REFERENCE W-SIGNED-DATA
           BY REFERENCE W-FIELDCOUNT
           BY REFERENCE W-HOSTCODE
           BY REFERENCE W-HOSTCODE-LENGTH
           RETURNING W-RETURN

Return codes

Table: Return codes (AAL2VerifySignatureICSF)
Code	Meaning	Code	Meaning
0	Success	900	Invalid session context handle
10001	Success with context warning*	908	HSM key not found
10002	Success with user warning*	951	Invalid HSM key type for HSM decryption
10003	Success with user & context warning*	1103	Unlock Version 2 not supported
10004	Success with platform warning*	1116	Response check digit not allowed
10005	Success with platform & context warning*	1117	Challenge check digit not allowed
10006	Success with platform & user warning*	1118	Unsupported BLOB
10007	Success with platform & user & context warning*	-101	Data field too short
1	Signature not verified	-102	Data field too long
132	Unsupported token type	-103	Data field check digit wrong
139	Invalid signature pointer	-105	Challenge minimum length not allowed
141	Invalid field count	-106	Challenge maximum length not allowed
148	Invalid data field pointer	-107	Challenge number wrong
203	Sign error threshold reached	-108	Challenge character invalid
204	Duplicate signature found	-201	Response length out of bounds
205	Inactive days reached	-202	Response too short
206	Chronological signature error	-203	Response too long
207	Deferred signature not allowed with OnLineSG not Null	-204	Response check digit wrong
208	Application disabled	-205	Response character not decimal
412	Invalid checksum (software)	-206	Response character not hexadecimal
413	Invalid Base64 format	-207	Response character set not specified
414	Invalid checksum (HSM)	-1501	Memory allocation failed
510	Invalid Digipass data pointer

* Specific score-based authentication codes; see Score-based Digipass.

Cet article vous a-t-il été utile ?

What's Next

Data Conversion Service

Table des matières

Function prototype (aal2sdk.h)
Description
Parameters
COBOL calling convention
Return codes