Function prototype (aal2sdk.h)
aat_int32 AAL2VerifySignatureICSF (
TDigipassBlob* DPBlob,
TKernelParms* CallParms,
aat_ascii* aStorageKeyNameIn,
aat_ascii* aInitialVectorIn,
aat_ascii* aSignatureIn,
aat_ascii aSignedDataFieldsIn[8][20],
aat_int32 FieldCountIn,
aat_int32 DeferredSignatureDataIn,
aat_ascii* ConfirmationCode,
aat_int32* ConfirmationCodeLength);Description
The AAL2VerifySignatureICSF function is called passing the necessary data to perform signature validation and integrity control, based on the signature code generated by the user's Digipass, and up to eight SignedDataFields on which authentication and integrity control are to be performed. The exact number of valid data fields is given in FieldCount. If necessary, synchronization information may be passed using the DeferredSignatureData parameter.
This function is used to perform signature validation on a standard signature process involving up to eight signed data fields.
This function cannot be used to perform signature validation of a Secure Channel transaction (signature based on a Secure Channel request message). For signature validation of a Secure Channel transaction, AAL2VerifyMessageSignatureICSF must be used instead of AAL2VerifySignatureICSF.
The OnlineSG kernel parameter is applied to the present function and is used as described in the Authentication Suite Server SDK C-C++ Programmer's Guide.
Signature confirmation code specifics
In addition, a feature is present that allows a client to authenticate back the host server that validated the signature.
It facilitates a two-way process. The server validates the user's signature and returns a confirmation code as an acknowledgment that the user is able to verify on their Digipass.
This function allows the integrator to address the HSM storage key by name and to specify an initial vector. The initial vector is used during the S3DES/AES decryption/encryption of the sensitive data of the authenticator application BLOB.
Score-based Digipass
For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based signature validation which allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the signature, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2VerifySignatureICSF) for more details.
Parameters
The memory management of the output parameters must be performed by the calling function.
COBOL calling convention
Entry point: AA2VVSIC
02 W-BLOB PIC X(248).
02 W-KERNELPARMS.
03 W-PARMCOUNT PIC 9(8) USAGE BINARY.
03 W-PARM01 PIC 9(8) USAGE BINARY.
. . .
03 W-PARM19 PIC 9(8) USAGE BINARY.
02 W-HOSTCODE PIC X(17).
02 W-HOSTCODE-LENGTH PIC 9(8) USAGE BINARY.
02 W-SIGNATURE PIC X(17).
02 W-SIGNED-DATA PIC X(20) OCCURS 8.
02 W-FIELDCOUNT PIC 9(8) USAGE BINARY.
02 W-SIGNATUREDATE PIC 9(8) USAGE BINARY.
02 W-STORAGEKEY PIC X(65).
02 W-INITVECTOR PIC X(17).
02 W-API-NAME PIC X(8) VALUE 'AA2VVSIC'.
. . .
CALL W-API-NAME USING
BY REFERENCE W-BLOB
BY REFERENCE W-KERNELPARMS
BY REFERENCE W-STORAGEKEY
BY REFERENCE W-INITVECTOR
BY REFERENCE W-SIGNATURE
BY REFERENCE W-SIGNED-DATA
BY REFERENCE W-FIELDCOUNT
BY REFERENCE W-HOSTCODE
BY REFERENCE W-HOSTCODE-LENGTH
RETURNING W-RETURNReturn codes
| Code | Meaning | Code | Meaning |
|---|---|---|---|
| 0 | Success | 900 | Invalid session context handle |
| 10001 | Success with context warning[1] | 908 | HSM key not found |
| 10002 | Success with user warning[1] | 951 | Invalid HSM key type for HSM decryption |
| 10003 | Success with user & context warning[1] | 1103 | Unlock Version 2 not supported |
| 10004 | Success with platform warning[1] | 1116 | Response check digit not allowed |
| 10005 | Success with platform & context warning[1] | 1117 | Challenge check digit not allowed |
| 10006 | Success with platform & user warning[1] | 1118 | Unsupported BLOB |
| 10007 | Success with platform & user & context warning[1] | -101 | Data field too short |
| 1 | Signature not verified | -102 | Data field too long |
| 132 | Unsupported token type | -103 | Data field check digit wrong |
| 139 | Invalid signature pointer | -105 | Challenge minimum length not allowed |
| 141 | Invalid field count | -106 | Challenge maximum length not allowed |
| 148 | Invalid data field pointer | -107 | Challenge number wrong |
| 203 | Sign error threshold reached | -108 | Challenge character invalid |
| 204 | Duplicate signature found | -201 | Response length out of bounds |
| 205 | Inactive days reached | -202 | Response too short |
| 206 | Chronological signature error | -203 | Response too long |
| 207 | Deferred signature not allowed with OnLineSG not Null | -204 | Response check digit wrong |
| 208 | Application disabled | -205 | Response character not decimal |
| 412 | Invalid checksum (software) | -206 | Response character not hexadecimal |
| 413 | Invalid Base64 format | -207 | Response character set not specified |
| 414 | Invalid checksum (HSM) | -1501 | Memory allocation failed |
| 510 | Invalid Digipass data pointer |
- Specific score-based authentication code (see Score-based DIGIPASS)