Function prototype
aat_int32 AAL2GenVerifySignatureEsCmd(
aat_byte* Cmd,
aat_int32* CmdSize,
TDigipassBlob* DPData,
TKernelParms* CallParms,
aat_ascii* aStorageKeyNameIn,
aat_ascii* aIVIn,
aat_ascii* aSignatureIn,
aat_ascii* aSignedDataFieldsIn[8],
aat_int32 FieldCountIn,
aat_int32 DeferredSignatureDataIn,
aat_ascii aServerPublicKey);
Description
This function extends AL2GenVerifySignatureCmd offering the enhanced security feature. This feature prevents potential man-in-the-middle attacks in the architecture integrating software Digipass authenticators. A server public key, such as a certificate, can be used in input to diversify the challenge.
In addition, this function introduces pre-processing on the DataFields in input; each DataField can have up to 32000 characters.
The signature validation with enhanced security on the HSM is identical to the functionality available with the Authentication Suite Server SDK Software e-Signature Validation Service. For information on the associated functions, refer to the Authentication Suite Server SDK C-C++ Programmer's Guide.
This function must be used with the post-HSM API AAL2ProcVerifySignatureEsRpl.
Parameters
Table: Parameters (AAL2GenVerifySignatureEsCmd) | Type | Name | Use | Description |
|---|
| aat_byte * | Cmd | O | Up to 1539 bytes that serialize the VERIFY SIGNATURE command type and the input data to the verify signature function on the HSM: - Command type - 2 bytes
- Digipass data block - 192 bytes
- Runtime parameters - 80 bytes
- StorageKeyName - up to 128 characters
- InitialVector - 8 bytes
- Signature - up to 41 characters
- Formatted signed data fields - 16 characters
- Field count - 4 bytes
- Deferred signature data - 4 bytes
- Host time - 4 bytes
Plus 36 bytes for Authentication Suite Server SDK internal use. |
| aat_int32 * | CmdSize | I/O | On entry, this parameter contains the size of the Cmd buffer.On exit, this parameter contains the length of the Cmd message. |
| TDigipassBlob * | DPData | I | Digipass description data block. |
| TKernelParms* | CallParms | I | Structure of runtime parameters to use during this function call. |
| aat_ascii * | aStorageKeyNameIn | I | String of up to 128+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the HSM storage key used to encrypt the sensitive Digipass application BLOB data. |
| aat_ascii * | aIVIn | I | String of 16 hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the initial vector used to encrypt the sensitive authenticator application BLOB data. |
| aat_ascii * | aSignatureIn | I | String of up to 17+24 numeric or hexadecimal characters, null-terminated or padded with spaces. |
| aat_ascii * | aSignedDataFieldsIn | I | Array of 8 null-terminated strings of up to 32000 printable ASCII-EBCDIC invariant characters. This parameter holds the 8 possible data fields that are used to generate a signature. For a list of the characters that can be used for the data fields, refer to the Authentication Suite Server SDK C-C++ Programmer's Guide, Section "Supported data fields charset". |
| aat_int32 | FieldCount | I | Numeric value from 1 to 8 indicating the number of data fields to use from the aSignedDataFieldsIn array. |
| aat_int32 | Deferred Signature Data | I | |
| aat_ascii * | aServerPublicKey | I | String of up to 1024 hexadecimal characters, null-terminated. This parameter is used as a diversifier to prevent man-in-the-middle attacks. If this parameter is NULL, diversification will not take place. |
Return codes
Table: Return codes (AAL2GenVerifySignatureEsCmd) | Code | Meaning | Code | Meaning |
|---|
| 0 | Success | 413 | Invalid Base64 format |
| 139 | Invalid signature pointer | 510 | Invalid Digipass data pointer |
| 141 | Invalid field count | 590 | Invalid command pointerr |
| 148 | Invalid data field pointer | 706 | Invalid data buffer pointer |
| 207 | Deferred signature not allowed with OnLineSG not Null | 1018 | Invalid TLV item pointer |
| 412 | Invalid checksum (software) | 1025 | Data buffer too small |