Function Prototype
```c
aat_int32 AAL2GenQADecryptQABlobCmd(
    aat_byte      *Cmd,
    aat_int32     *CmdSize,
    TDigipassBlob *DPData,
    TKernelParms  *CallParms,
    aat_ascii     *aStorageKeyNameIn,
    aat_ascii     *aIVIn,
    aat_ascii     *aChallenge,
    aat_ascii     *aEncryptedQABlob);
```
Description
This function creates a command for the HSM to process. It is used to decrypt an encrypted QA BLOB provided by the Question/Answer Authentication Service of the Authentication Suite Server SDK software, as implemented in a Digipass for Web architecture.
With this function, you can address the HSM storage key by name and specify an initial vector. The initial vector is used during the 3DES/AES encryption of the sensitive authenticator application BLOB data.
This function must be used with the post-HSM API AAL2ProcQADecryptQABlobRpl.
Parameters
Table: Parameters (AAL2GenQADecryptQABlobCmd)

| Type | Name | Use | Description |
|---|---|---|---|
| aat_byte * | Cmd | O | Up to 839 bytes that serialize the DECRYPT QA BLOB command type and the input data to the decrypt function on the HSM: Command Type (2 bytes); Digipass application BLOB (192 bytes); Runtime parameters (80 bytes); StorageKeyName (up to 128 characters); InitialVector (8 bytes); Challenge (up to 17 characters); Encrypted QA BLOB (up to 372 characters); Encrypted QA BLOB size (4 bytes); Host time (4 bytes); plus 32 bytes for Authentication Suite Server SDK internal use. |
| aat_int32 * | CmdSize | I/O | On entry, this parameter contains the size of the Cmd buffer. On exit, it contains the length of the Cmd message. |
| TDigipassBlob * | DPData | I | Digipass application BLOB. |
| TKernelParms * | CallParms | I | Structure of runtime parameters to use during this function call. |
| aat_ascii * | aStorageKeyNameIn | I | String of up to 128+1 characters, left-justified, null-terminated or right-padded with spaces. This is the label of the HSM storage key used to encrypt the sensitive Digipass application BLOB data. |
| aat_ascii * | aIVIn | I | String of 16 hexadecimal characters, left-justified, null-terminated or right-padded with spaces. This is the initial vector used to encrypt the sensitive authenticator application BLOB data. |
| aat_ascii * | aChallenge | I | String of up to 17 numeric characters, left-justified, null-terminated or right-padded with spaces. This parameter holds the challenge that may be used for validating the OTP in the encrypted QABlob. If no challenge is used, this parameter should be NULL. |
| aat_ascii * | aEncryptedQABlob | I | String of up to 370+1 null-terminated alphanumeric characters. Encrypted QABlob format: OTP (up to 16+1 characters: 16-byte OTP + 1-byte separator); UserID (up to 32+1 characters: 32-byte UserID + 1-byte separator); Answer hashes (up to 10 times 32 hexadecimal characters); Checksum (2 numeric characters). Each answer hash contains 2 hexadecimal characters representing the index (01 to 0A) followed by 30 hexadecimal characters containing the encrypted answer hash. |
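Before building the command, a caller can screen its inputs against the limits in this table, so that a malformed IV, key name, challenge or QABlob is rejected before it reaches the HSM. The following C checker is an added example, not SDK code; it assumes the QABlob field separator is `;` (the page does not name it) and returns its own status values rather than the SDK return codes.

```c
#include <ctype.h>
#include <string.h>
/* Limits taken from the parameter table on this page. */
#define QA_IV_HEX_LEN    16   /* aIVIn: exactly 16 hexadecimal characters */
#define QA_KEYNAME_MAX   128  /* aStorageKeyNameIn: up to 128 characters */
#define QA_CHALLENGE_MAX 17   /* aChallenge: up to 17 numeric characters */
#define QA_HASH_LEN      32   /* 2 hex index (01..0A) + 30 hex answer hash */
#define QA_HASH_MAX      10   /* at most 10 answer hashes per QABlob */
#define QA_SEP           ';'  /* ASSUMPTION: the page does not name the separator byte */
enum qa_check { QA_OK = 0, QA_BAD_IV, QA_BAD_KEYNAME, QA_BAD_CHALLENGE, QA_BAD_BLOB };
/* Length of a field that is null-terminated or right-padded with spaces. */
static size_t qa_field_len(const char *s, size_t max) {
    size_t n = 0; while (n < max && s[n]) n++;
    while (n > 0 && s[n - 1] == ' ') n--;
    return n;
}

static int qa_all(const char *s, size_t n, int (*pred)(int)) {
    for (size_t i = 0; i < n; i++) if (!pred((unsigned char)s[i])) return 0;
    return 1;
}

/* QABlob layout: OTP, sep, UserID, sep, 1..10 answer hashes, 2 checksum digits. */
static int qa_check_blob(const char *p, int *hash_count) {
    const char *sep = strchr(p, QA_SEP);
    if (!sep || sep == p || sep - p > 16) return 0;              /* OTP: up to 16 chars */
    p = sep + 1;
    if (!(sep = strchr(p, QA_SEP)) || sep == p || sep - p > 32) return 0;  /* UserID: up to 32 */
    p = sep + 1;
    size_t rest = strlen(p), count = rest >= 2 ? (rest - 2) / QA_HASH_LEN : 0;
    if (count < 1 || count > QA_HASH_MAX || (rest - 2) % QA_HASH_LEN) return 0;
    for (size_t i = 0; i < count; i++, p += QA_HASH_LEN) {
        int lo = toupper((unsigned char)p[1]);                   /* index must be 01..0A */
        if (p[0] != '0' || !((lo >= '1' && lo <= '9') || lo == 'A')) return 0;
        if (!qa_all(p + 2, QA_HASH_LEN - 2, isxdigit)) return 0; /* 30-hex answer hash */
    }
    if (hash_count) *hash_count = (int)count;
    return qa_all(p, 2, isdigit);                                /* 2 checksum digits */
}

/* Returns QA_OK, or the first input that violates the documented limits. */
int qa_precheck(const char *iv, const char *key, const char *chal, const char *blob, int *hashes) {
    if (qa_field_len(iv, QA_IV_HEX_LEN + 1) != QA_IV_HEX_LEN || !qa_all(iv, QA_IV_HEX_LEN, isxdigit))
        return QA_BAD_IV;
    size_t n = qa_field_len(key, QA_KEYNAME_MAX + 1);
    if (n == 0 || n > QA_KEYNAME_MAX) return QA_BAD_KEYNAME;
    if (chal && ((n = qa_field_len(chal, QA_CHALLENGE_MAX + 1)) > QA_CHALLENGE_MAX || !qa_all(chal, n, isdigit)))
        return QA_BAD_CHALLENGE;
    return qa_check_blob(blob, hashes) ? QA_OK : QA_BAD_BLOB;
}
```

A space-padded IV such as `"0123456789ABCDEF "` passes, matching the table's "right-padded with spaces" rule, while a 15- or 17-character IV is rejected before the SDK would return code 149.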
Return codes
Table: Return codes (AAL2GenQADecryptQABlobCmd)

| Code | Meaning | Code | Meaning |
|---|---|---|---|
| 0 | Success | 590 | Invalid command pointer |
| 149 | Invalid initial vector length | 706 | Invalid data buffer pointer |
| 412 | Invalid checksum (software) | 1000 | Function does not support EMV-CAP |
| 413 | Invalid Base64 format | 1018 | Invalid TLV item pointer |
| 510 | Invalid Digipass data pointer | 1025 | Data buffer too small |
| 536 | Invalid encrypted QABlob pointer | | |