The software Digipass data derivation functionality is only applicable to software Digipass authenticators compliant with the standard one-step activation (in the context of single-device licensing); for more information, refer to the Authentication Suite Server SDK Product Guide.
Function prototype
```c
aat_int32 AAL2DeriveTokenBlobs(
    TDigipassBlob *DPData[8],             /* authenticator application BLOB table; derived in place */
    TKernelParms  *CallParms,             /* kernel parameters */
    aat_int16     *Appl_Count,            /* number of application BLOBs in DPData */
    aat_ascii     *Challenge,             /* optional challenge used when the derivation code was generated */
    aat_ascii     *Derivationcode,        /* derivation code produced by the client */
    aat_word32     DerivationCodeFormat); /* format of the derivation code */
```
Description
This function derives the Digipass data of a software Digipass authenticator built on Digipass SDK 4.0 or later, for software Digipass authenticators compliant with the standard one-step activation in the context of single-device licensing (SDL). Refer to the Authentication Suite Server SDK Product Guide for more information.
Digipass data derivation is allowed only for applications that support the feature; call the AAL2GetTokenProperty function with the DERIVATION_SUPPORTED property to check whether an authenticator application supports it.
If supported by the software Digipass authenticator, this feature is used to bind a software Digipass authenticator with its hosting device. In this case, during the activation process, the software Digipass authenticator can create a diversifier based on a device’s fingerprint and can provide a derivation code based on the diversifier, an OTP, and an optional challenge.
AAL2DeriveTokenBlobs allows applying the derivation to the authenticator application BLOBs on the server-side.
When the same Digipass authenticator is reactivated on another device, the Digipass data must be derived again on the server side using AAL2DeriveTokenBlobs with the new derivation code. The Digipass instance on the old device will no longer work.
The derivation code is validated using the first authenticator application BLOB of the authenticator application BLOB table (DPData) input parameter. This first authenticator application BLOB MUST match the authenticator application used for generating the derivation code on the client. This first authenticator application BLOB MUST support either Response-Only or Challenge/Response authentication.
For example, it means that when the application named AUTH_APP1 is used for generating the derivation code on the client-side, the first authenticator application BLOB must relate to the AUTH_APP1 application.
Application names are exposed during the import process.
In addition, the derivation fails if one or more authenticator application BLOBs do not support the derivation feature.
Score-based Digipass
For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication to validate the derivation code. This allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the BLOBs, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in AAL2DeriveTokenBlobs for more details.
Parameters
Return codes
| Code | Meaning | Code | Meaning |
|---|---|---|---|
| 0 | Success | 1000 | Function does not support EMV-CAP |
| 10001 | Success with context warning[1] | 1039 | Invalid response length with DP algorithm |
| 10002 | Success with user warning[1] | 1040 | Invalid host code length with DP algorithm |
| 10003 | Success with user & context warning[1] | 1103 | Unlock Version 2 not supported |
| 10004 | Success with platform warning[1] | 1109 | Invalid derivation code |
| 10005 | Success with platform & context warning[1] | 1110 | Invalid derivation code pointer |
| 10006 | Success with platform & user warning[1] | 1111 | Invalid derivation code length |
| 10007 | Success with platform & user & context warning[1] | 1112 | Invalid character in derivation code |
| 1 | Code not verified | 1113 | Derivation code check digit is wrong |
| 131 | Missing required challenge | 1114 | Invalid derivation code format parameter |
| 132 | Unsupported token type | 1118 | Unsupported BLOB |
| 140 | Challenge corrupted | -101 | Challenge too short |
| 201 | Code replay attempt | -102 | Challenge too long |
| 202 | Identification error threshold reached | -103 | Challenge check digit wrong |
| 205 | Inactive days reached | -105 | Challenge minimum length not allowed |
| 208 | Application disabled | -106 | Challenge maximum length not allowed |
| 412 | Invalid checksum | -107 | Challenge number wrong |
| 413 | Invalid Base64 format | -108 | Challenge character invalid |
| 510 | Invalid Digipass data pointer | -201 | Response length out of bounds |
| 600 | Invalid Gordian root information | -202 | Response too short |
| 601 | Invalid Gordian today information | -203 | Response too long |
| 602 | Invalid Gordian tomorrow information | -205 | Response character not decimal |
| 603 | Invalid Gordian stimulus information | -206 | Response character not hexadecimal |
| 807 | Serial number not equal | -207 | Response character set not specified |
| 808 | Invalid application count value | -1501 | Memory allocation failed |
[1] Specific score-based authentication code (see Score-based Digipass).
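Added example, not part of the SDK documentation: a server-side helper that sorts the return codes listed above into the actions a caller should take (accept, accept but log the scoring warning, reject as bad derivation code, reject as bad challenge or BLOB table, or treat as a lockout event). The enum and `classify_derive_rc` are this example's own names, and reading the 1000x codes as 10000 plus a bit field (1 = context, 2 = user, 4 = platform) is an assumption drawn from the table, not an SDK guarantee.

```c
#include <stdio.h>

/* Outcome classes for an AAL2DeriveTokenBlobs return code; the enum
 * names are this example's own, not SDK identifiers. */
typedef enum {
    DERIVE_OK,            /* 0: BLOBs derived, no warning */
    DERIVE_OK_WARN,       /* 10001..10007: derived, scoring warning to log */
    DERIVE_BAD_CODE,      /* 1109..1114: derivation code rejected */
    DERIVE_BAD_CHALLENGE, /* 131, 140, -101..-108: challenge input rejected */
    DERIVE_BAD_BLOB,      /* 412, 413, 510, 807, 808, 1118: BLOB table problem */
    DERIVE_LOCKED,        /* 201, 202, 205, 208: record as a security event */
    DERIVE_OTHER          /* anything else: fail closed */
} derive_outcome;

/* 1000x codes read as 10000 + a bit field (assumption from the table). */
enum { WARN_CONTEXT = 1u, WARN_USER = 2u, WARN_PLATFORM = 4u };

derive_outcome classify_derive_rc(int rc, unsigned *warn_flags)
{
    if (warn_flags) *warn_flags = 0;
    if (rc == 0) return DERIVE_OK;
    if (rc >= 10001 && rc <= 10007) {           /* success with warning */
        if (warn_flags) *warn_flags = (unsigned)(rc - 10000);
        return DERIVE_OK_WARN;
    }
    if (rc >= 1109 && rc <= 1114) return DERIVE_BAD_CODE;
    switch (rc) {
    case 131: case 140:
    case -101: case -102: case -103: case -105: case -106: case -107: case -108:
        return DERIVE_BAD_CHALLENGE;
    case 412: case 413: case 510: case 807: case 808: case 1118:
        return DERIVE_BAD_BLOB;
    case 201: case 202: case 205: case 208:
        return DERIVE_LOCKED;
    default:
        return DERIVE_OTHER;
    }
}

int main(void)
{
    int samples[] = { 0, 10006, 1113, -103, 1118, 201 }; /* constructed codes */
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned w = 0;
        int o = classify_derive_rc(samples[i], &w);
        printf("rc=%d outcome=%d warn_flags=0x%x\n", samples[i], o, w);
    }
    return 0;
}
```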