AAL2VerifyMessageSignature

The message signature validation functionality is applicable:
To hardware or software Digipass authenticators compliant with the multi-device two-step activation (in the context of the multi-device licensing model).
To hardware Digipass authenticators based on the single-device licensing model and able to perform operations based on the Secure Channel protocol.
For more information, refer to the Authentication Suite Server SDK Product Guide.

Function prototype

aat_int32 AAL2VerifyMessageSignature (
                                    TDigipassBlob*  DPData,
                                    TKernelParms*   CallParms,
                                    aat_int32       MessageExpirationTime,
                                    aat_ascii*      Signature,
                                    aat_ascii*      SignedMessage,
                                    aat_int32       DeferredSignatureData
                                    aat_ascii*      ConfirmationCode,
                                    aat_ascii*      ConfirmationCodeLength);

Description

This function verifies the signature provided by the Digipass device:

in response to Activation Message 2 (generated with AAL2GenMessageActivation2) during the multi-device activation process
or in response to the request message (generated with AAL2GenMessageRequest) during a Secure Channel request process (optionally; depending on whether the request requires a signature validation or not).

In case of verifying the signature of an Activation Message 2, the authenticator application BLOB used for the validation must correspond to the crypto application of the Digipass instance defined for the post-activation step. Information on the crypto application used for post-activation is part of the Digipass client configuration.

In case of verifying the signature of a request message, (that was containing a Secure Channel transaction), the authenticator application BLOB used for the validation must correspond to the crypto application of the Digipass instance selected for signing the message. Information on the crypto application selected for signing the message is part of the request body; it allows the Digipass device to perform the operation with the proper application.

The OnlineSG kernel parameter is also applied to the present function and is used as described in OnLineSG.

Signed message optional expiration check

This function allows optionally checking a maximum amount of time authorized since the generation of the Activation Message 2 or request message for which the signature validation is performed. This message time validity check depends on the MessageExpirationTime parameter.

If MessageExpirationTime = 0, the function will not perform any message time validity check.

If MessageExpirationTime > 0, MessageExpirationTime represents the maximum amount of time (expressed in seconds) authorized since the generation of the message (Activation Message 2 or a request message).

The instances of Activation Message 2 or request messages must have been MANDATORILLY generated by Authentication Suite Server SDK version 3.15.1 or later if checking the time validity (i.e. MessageExpirationTime > 0).
The timestamp of the generation time is embedded in the instances of Activation Message 2 and request messages only since Authentication Suite Server SDK 3.15.1.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based message signature validation which allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the signature, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2VerifyMessageSignature) for more details.

Parameters

Table: Parameters (AAL2VerifyMessageSignature)
Type	Name	Use	Description
TDigipassBlob *	DPData	I/O	authenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms *	CallParms	I	Structure of runtime parameters to use during this function call.
aat_int32	Message expiration time	I	Must be mandatorily equal or greater to 0. If MessageExpirationTime = 0: No message time validity check. If MessageExpirationTime > 0: MessageExpirationTime represents the maximum amount of time (expressed in seconds) authorized since the generation of the message (Activation Message 2 or a request message).
aat_ascii *	Signature	I	String of up to 17 numeric characters, left-justified, null-terminated, or right-padded with spaces.
aat_ascii *	SignedMessage	I	Hexadecimal character string containing the message that has been used by the Digipass device to generate the signature. String length must be a multiple of 2. This can be either an Activation Message 2 or a request message.
aat_int32	Deferred signature data	I	Must be 0 if signature is validated in online mode (OnlineSG=1 or 2). If signature is validated in offline mode with OnlineSG=0, this parameter can receive the Digipass date of the signature generation (number of elapsed seconds since January 1, 1970) or 0. (With 0, the current time is used.) If this parameter is >0, the filled parameter must be the Digipass time, not the host time. If the signature is validated in offline mode with OnlineSG=3, this parameter must receive counter of the Digipass instance used for the signature generation.
aat_ascii *	Confirmationcode	O	String of up to 16+1 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the confirmation code generated by Authentication Suite Server SDK for this signature.
aat_int32 *	ConfirmationCodeLength	O	In input, this parameter must indicate the size of the allocated buffer for the ConfirmationCode parameter (recommended 17 bytes). In output, this parameter indicates the length of the ConfirmationCode string (without the null-terminated character).

Return codes

Table: Return codes (AAL2VerifyMessageSignature)
Code	Meaning	Code	Meaning
0	Success	1117	Challenge check digit not allowed
10001	Success with context warning[1]	1118	Unsupported BLOB
10002	Success with user warning[1]	1299	Signed message not hexadecimal
10003	Success with user & context warning[1]	1300	Invalid signed message length
10004	Success with platform warning[1]	1301	Invalid signed message pointer
10005	Success with platform & context warning[1]	1309	Application can not be used for Secure Channel transactions
10006	Success with platform & user warning[1]	1337	Unsupported message protocol version
10007	Success with platform & user & context warning[1]	1339	Invalid message length
1	Signature not verified	1363	Invalid message expiration time value
132	Unsupported token type	1364	Message time validity expired
139	Invalid signature pointer	-102	Data field too long
141	Invalid field count	-103	Data field check digit wrong
203	Sign error threshold reached	-105	Challenge minimum length not allowed
204	Duplicate signature found	-106	Challenge maximum length not allowed
205	Inactive days reached	-107	Challenge number wrong
206	Chronological signature error	-108	Challenge character invalid
207	Deferred signature not allowed with OnLineSG not Null	-201	Response length out of bounds
208	Application disabled	-202	Response too short
412	Invalid checksum	-203	Response too long
413	Invalid Base64 format	-204	Response check digit wrong
510	Invalid Digipass data pointer	-205	Response character not decimal
1000	Function does not support EMV-CAP	-206	Response character not hexadecimal
1103	Unlock Version 2 not supported	-207	Response character set not specified
1116	Response check digit not allowed	-1501	Memory allocation failed

Specific score-based authentication code (see Score-based DIGIPASS)