Availability: Authentication Suite Server SDK 4.0.2 and later
Service: Digipass Multi-Device Activation
Function prototype
aat_int32 AAL2VerifyDeviceCodeEx ( TDigipassBlob *DPMAData,
TKernelParms *CallParms,
aat_ascii *Challenge,
aat_ascii *SignedMessage,
aat_ascii *DeviceCode,
aat_ascii *DeviceID,
aat_int32 *DeviceIDLength,
aat_int32 *pDeviceType );Description
AAL2VerifyDeviceCodeEx() overloads AAL2VerifyDeviceCode(), exposing a new SignedMessage parameter to provide device binding support for FIDO2–capable authenticators, such as DIGIPASS FX2.
This function verifies the device code provided by the Digipass device using the master activation application data. In case of SUCCESS it also extracts the following:
- Digipass device ID
- Digipass device type
It is only applicable to hardware or software authenticators compliant with the multi-device two-step activation (in context of multi-device licensing).
It uses different parameters for the validation, depending on the mode:
- FIDO2 binding mode. In case of a bound FIDO2 device, the signed message (Activation Message 1 generated with the FIDO2 public key and challenge using AAL2GenMessageActivation1Ex()) is used to validate the device code.
- Unbound mode. In any other case, if a challenge has been used to generate the Activation Message 1 (using AAL2GenMessageActivation1Ex()) received by the authenticator, the same challenge is used to validate the device code.
If challenge is not used, the kernel parameter CheckChallenge has to be set to 0 to disable the challenge checking.
Score-based Digipass
For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication to validate the device code. This allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the device code, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2VerifyDeviceCodeEx) for more details.
Parameters
| Type | Name | Use | Description |
|---|---|---|---|
| TDigipassBlob | DPMAData | I/O | Digipass master activation application BLOB of the Digipass serial number license that will be used for the activation. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes. |
| TKernelParms * | CallParms | I | Structure of runtime parameters to use during this function call. |
| aat_ascii * | Challenge | I | Optional string of 16 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This parameter must hold the challenge that was used initially to generate Activation Message 1. If no challenge was used to generate Activation Message 1, this parameter must be NULL. |
| aat_ascii * | SignedMessage | I | The signed message generated by AAL2GenMessageActivation1Ex(). If this parameter is NULL, the function does a standard device code validation using the optional In case of a bound FIDO2 device, the signed message is the Activation Message 1 generated using the FIDO2 public key. |
| aat_ascii * | DeviceCode | I | String of up to 26+1 characters, null-terminated. It contains the device code generated by the Digipass device. |
| aat_ascii * | DeviceID | O | Output string of 8+1 hexadecimal characters, null-terminated. If the device code has been successfully verified, this parameter contains the value of the Digipass device ID. |
| aat_int32 * | DeviceIDLength | I/O | In input, this parameter must indicate the size of the allocated buffer for the DeviceID parameter (recommended 9 bytes). In output, this parameter indicates the length of the DeviceID string (without the null-terminated character). |
| aat_int32 * | pDeviceType | O | In output, this parameter contains the Digipass device type if the device code has been successfully verified (from 0 to 31). |
Return codes
| Code | Meaning | Code | Meaning |
|---|---|---|---|
| 0 | Success | 1116 | Response check digit not allowed |
| 10001 | Success with context warning[1] | 1117 | Challenge check digit not allowed |
| 10002 | Success with user warning[1] | 1118 | Unsupported BLOB |
| 10003 | Success with user & context warning[1] | 1263 | Device ID buffer too small |
| 10004 | Success with platform warning[1] | 1264 | Invalid master application |
| 10005 | Success with platform & context warning[1] | 1265 | Invalid master application data pointer |
| 10006 | Success with platform & user warning[1] | 1276 | Invalid device code pointer |
| 10007 | Success with platform & user & context warning[1] | 1277 | Invalid device ID pointer |
| 1 | Code not verified | 1278 | Invalid device ID length pointer |
| 140 | Challenge corrupted | 1280 | Invalid device type pointer |
| 201 | Code replay attempt | 1281 | Invalid device code length |
| 202 | Identification error threshold reached | 1282 | Invalid device code check digit |
| 205 | Inactive days reached | 1283 | Invalid device code character |
| 208 | Application disabled | 1284 | Invalid device code |
| 412 | Invalid checksum | 1285 | Master key derivation failed |
| 413 | Invalid Base64 format | -102 | Challenge too long |
| 600 | Invalid Gordian root information | -103 | Challenge check digit wrong |
| 601 | Invalid Gordian today information | -105 | Challenge minimum length not allowed |
| 602 | Invalid Gordian tomorrow information | -106 | Challenge maximum length not allowed |
| 603 | Invalid Gordian stimulus information | -107 | Challenge number wrong |
| 1000 | Function does not support EMV-CAP | -108 | Challenge character invalid |
| 1025 | Buffer too small | -201 | Response length out of bounds |
| 1039 | Invalid response length with DP algorithm | -205 | Response character not decimal |
| 1040 | Invalid host code length with DP algorithm | -206 | Response character not hexadecimal |
| 1103 | Unlock Version 2 not supported | -207 | Response character set not specified |
- Specific score-based authentication code (see Score-based DIGIPASS)