Function prototype
aat_int32 AAL2VerifySignatureEsICSF (
TDigipassBlob* DPData,
TKernelParms* CallParms,
aat_ascii* aStorageKeyNameIn,
aat_ascii* aInitialVectorIn,
aat_ascii* Signature,
aat_ascii SignedDataFields[8],
aat_int32 FieldCount,
aat_int32 DeferredSignatureData,
aat_ascii* aServerPublicKey,
aat_ascii* ConfirmationCode,
aat_int32* ConfirmationCodeLength);Description
This function is an extension of AAL2VerifySignatureICSF, offering the enhanced security feature. This feature prevents potential man-in-the-middle attacks in the architecture integrating software Digipass. A server public key, such as a certificate, can be used in input to diversify the challenge.
In addition, this function introduces pre-processing on the DataFields in input; each DataField can have up to 32000 characters.
The enhanced signature validation function is supported by Digipass 110 and DIGIPASS for Web.
Digipass 110 and DIGIPASS for Web have been discontinued.
Parameters
| Type | Name | Use | Description |
|---|---|---|---|
| TDigipassBlob * | DPData | I/O | authenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect the changes. |
| TKernelParms * | CallParms | I | Structure of runtime parameters to use during this function call. |
| aat_ascii * | aStorageKeyNameIn | I | String of up to 64+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the ICSF storage key used to encrypt the sensitive Digipass application BLOB data. |
| aat_ascii * | aInitialVectorIn | I | String of 16 or 32 hexadecimal characters, left-justified, null-terminated. This is the initial vector used to encrypt the sensitive authenticator application BLOB data. |
| aat_ascii * | Signature | I | String of up to 17 numeric or hexadecimal characters, left justified, null terminated or right padded with spaces. |
| aat_ascii * | SignedDataFields | I | Array of 8 null-terminated strings of up to 32000 printable ASCII-EBCDIC invariant characters. This parameter holds the 8 possible data fields that are used to generate a signature. For a list of the characters that can be used for the data fields, see Supported data fields charset. |
| aat_int32 | FieldCount | I | Numeric value from 1 to 8. Indicates the number of data fields to use from the SignedDataFields array. |
| aat_int32 | DeferredSignatureData | I |
|
| aat_ascii * | aServerPublicKey | I | String of up to 1024 hexadecimal characters, null-terminated. This parameter is used as a diversifier to prevent man-in-the-middle attacks. If this parameter is NULL, the diversification will not take place. |
| aat_ascii * | ConfirmationCode | O | String of up to 17 numeric or hexadecimal characters, left justified, null terminated or right padded with spaces. This is the confirmation code generated by the Authentication Suite Server SDK for this signature (recommended buffer size is 18 bytes). |
| aat_int32 * | ConfirmationCodeLength | O | Pointer to a long integer that will contain the length of the generated confirmation code. |
COBOL calling convention
Entry point: AA2VSEIC
02 W-BLOB PIC X(248).
02 W-KERNELPARMS.
03 W-PARMCOUNT PIC 9(8) USAGE BINARY.
03 W-PARM01 PIC 9(8) USAGE BINARY.
. . .
03 W-PARM19 PIC 9(8) USAGE BINARY.
02 W-CONFIRMCODE PIC X(17).
02 W-CONFCODE-LENGTH PIC 9(8) USAGE BINARY.
02 W-RETURN PIC S9(8) USAGE BINARY.
02 W-SIGNATURE PIC X(17).
02 W-FIELDS-PTR-TABLE.
03 W-FIELD-PTR USAGE POINTER OCCURS 8.
02 W-DATAFIELD PIC X(nnnnn) OCCURS 8.
02 W-FIELDCOUNT PIC 9(8) USAGE BINARY.
02 W-SIGNATUREDATE PIC 9(8) USAGE BINARY.
02 W-STORAGEKEY PIC X(65).
02 W-INITVECTOR PIC X(17).
02 W-SERVER-PUBKEY PIC X(1025).
02 W-API-NAME PIC X(8) VALUE 'AA2VSEIC'.
. . .
SET W-FIELD-PTR(n) TO ADDRESS OF W-DATAFIELD(n).
CALL W-API-NAME USING
BY REFERENCE W-BLOB
BY REFERENCE W-KERNELPARMS
BY REFERENCE W-STORAGEKEY
BY REFERENCE W-INITVECTOR
BY REFERENCE W-SIGNATURE
BY REFERENCE W-FIELDS-PTR-TABLE
BY VALUE W-FIELDCOUNT
BY VALUE W-SIGNATUREDATE
BY REFERENCE W-SERVER-PUBKEY
BY REFERENCE W-CONFIRMCODE
BY REFERENCE W-CONFCODE-LENGTH
RETURNING W-RETURNReturn codes
| Code | Meaning | Code | Meaning |
|---|---|---|---|
| 0 | Success | 900 | Invalid session context handle |
| 1000 | Success with context warning[1] | 908 | HSM key not found |
| 1000 | Success with user warning[1] | 951 | Invalid HSM key type for HSM decryption |
| 1000 | Success with user & context warning[1] | 1103 | Unlock Version 2 not supported |
| 1000 | Success with platform warning[1] | 1116 | Response check digit not allowed |
| 1000 | Success with platform & context | 1117 | Challenge check digit not allowed |
| 1000 | Success with platform & user warning[1] | 1118 | Unsupported BLOB |
| 1000 | Success with platform & user & context | -101 | Data field too short |
| 1 | Signature not verified | -102 | Data field too long |
| 132 | Unsupported token type | -103 | Data field check digit wrong |
| 139 | Invalid signature pointer | -105 | Challenge minimum length not allowed |
| 141 | Invalid field count | -106 | Challenge maximum length not allowed |
| 148 | Invalid data field pointer | -107 | Challenge number wrong |
| 203 | Sign error threshold reached | -108 | Challenge character invalid |
| 204 | Duplicate signature found | -201 | Response length out of bounds |
| 205 | Inactive days reached | -202 | Response too short |
| 206 | Chronological signature error | -203 | Response too long |
| 207 | Deferred signature not allowed with OnLineSG not Null | -204 | Response check digit wrong |
| 208 | Application disabled | -205 | Response character not decimal |
| 412 | Invalid checksum (software) | -206 | Response character not hexadecimal |
| 413 | Invalid Base64 format | -207 | Response character set not specified |
| 414 | Invalid checksum (HSM) | -1501 | Memory allocation failed |
| 510 | Invalid Digipass data pointer |
- Specific score-based authentication code (see Score-based DIGIPASS)
Supported data fields charset
The following table lists the supported characters for the data fields of AAL2VerifySignatureEsICSF with associated hexadecimal values in ASCII and EBCDIC.