Device code validation

  • Updated on Aug 7, 2025
  • Published on Jan 24, 2025
  • 3 minute(s) read
Prev Next

This article describes the function(s) on which the device code validation functionality is based. It contains information about parameters and possible return codes, as well as a prototype for each function.

The device code validation functionality is only applicable to hardware or software Digipass authenticators compliant with the multi-device two-step activation (in the context of multi-device licensing). For more information, refer to the Authentication Suite Server SDK Product Guide.

AAL2VerifyDeviceCodeICSF

Function prototype

aat_int32 AAL2VerifyDeviceCodeICSF (
                                TDigipassBlob    *DPMAData,
                                TKernelParms     *CallParms,
                                aat_ascii        *aStorageKeyNameIn,
                                aat_ascii        *aInitialVectorIn,
                                aat_ascii        *Challenge,
                                aat_ascii        *DeviceCode,
                                aat_ascii        *DeviceID,
                                aat_int32        *DeviceIDLength,
                                aat_int32        *pDeviceType);

Description

This function verifies the device code provided by the Digipass device using the master activation application data. It also extracts in case of SUCCESS:

  • Digipass device ID
  • Digipass device type

It is only applicable to hardware or software Digipass authenticators compliant with the multi-device two-step activation (in the context of multi-device licensing). For more information, refer to the Authentication Suite Server SDK Product Guide.

If a challenge has been used to generate the Activation Message 1 (AALGenMessageActivation1) received by the Digipass device, the same challenge is necessary to validate the device code.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication to validate the device code. This allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the device code, it returns either SUCCESS or SUCCESS with the relevant scoring warning code.. See the list of return codes in Table: Return codes (AAL2VerifyDeviceCodeICSF) for more details.

Parameters

  Table: Parameters (AAL2VerifyDeviceCodeICSF)
TypeNameUseDescription
TDigipassBlobDPMADataI/ODigipass master activation application BLOB of the Digipass serial number license that will be used for the activation. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms *CallParmsIStructure of runtime parameters to use during this function call.
aat_ascii *aStorageKeyNameInIString of up to 64+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the ICSF storage key used to encrypt the sensitive Digipass application BLOB data.
aat_ascii *aInitialVectorInIString of 16 or 32 hexadecimal characters, left-justified, null-terminated. This is the initial vector used to encrypt the sensitive authenticator application BLOB data.
aat_ascii *ChallengeI

Optional string of 16 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This parameter must hold the challenge that was used initially to generate Activation Message 1. If no challenge was used to generate Activation Message 1, this parameter must be NULL.

aat_ascii *DeviceCodeI

String of up to 26+1 characters, null-terminated. It contains the device code generated by the Digipass device.

aat_ascii *DeviceIDO

Output string of 8+1 hexadecimal characters, null-terminated. If the device code has been successfully verified, this parameter contains the value of the Digipass device ID.

aat_int32 *DeviceIDLengthI/O

In input, this parameter must indicate the size of the allocated buffer for the DeviceID parameter (recommended 9 bytes). In output, this parameter indicates the length of the DeviceID string (without the null-terminated character).

aat_int32 *pDeviceTypeO

In output, this parameter contains the Digipass device type if the device code has been successfully verified (from 0 to 31).

COBOL calling convention

Entry point: AA2VDCIC
02   W-MA-BLOB             PIC X(248).
02   W-KERNELPARMS.
     03  W-PARMCOUNT      PIC 9(8) USAGE BINARY.
     03   W-PARM0         PIC 9(8) USAGE BINARY.
     . . .
     03  W-PARM19         PIC 9(8) USAGE BINARY.
02   W-CHALLENGE          PIC X(17).
02   W-DEVICE-CODE        PIC X(27).
02   W-DEVICE-ID          PIC X(9).
02   W-DEVICE-ID-LENGTH   PIC 9(8) USAGE BINARY VALUE 9.
02   W-DEVICE-TYPE        PIC S9(8) USAGE BINARY.
02   W-RETURN             PIC S9(8) USAGE BINARY.
02   W-STORAGEKEY         PIC X(65).
02   W-INITVECTOR         PIC X(17).
02   W-API-NAME            PIC X(8) VALUE 'AA2VDCIC'.
. . .
     CALL W-API-NAME USING
           BY REFERENCE W-MA-BLOB
           BY REFERENCE W-KERNELPARMS
           BY REFERENCE W-STORAGEKEY
           BY REFERENCE W-INITVECTOR
           BY REFERENCE W-CHALLENGE
           BY REFERENCE W-DEVICE-CODE
           BY REFERENCE W-DEVICE-ID
           BY REFERENCE W-DEVICE-ID-LENGTH
           BY REFERENCE W-DEVICE-TYPE
           RETURNING W-RETURN

Return codes

  Table:  Return codes (AAL2VerifyDeviceCodeICSF)
CodeMeaningCodeMeaning
0Success1040Invalid host code length with DP algorithm
10001Success with context warning[1]1103Unlock Version 2 not supported
10002Success with user warning[1]1116Response check digit not allowed
10003Success with user & context warning[1]1117Challenge check digit not allowed
10004Success with platform warning[1]1118Unsupported BLOB
10005Success with platform & context warning[1]1263Device ID buffer too small
10006Success with platform & user warning[1]1264Invalid master application
10007Success with platform & user & context warning[1]1265Invalid master application data pointer
1Code not verified1276Invalid device code pointer
130Invalid response pointer1277Invalid device ID pointer
140Challenge corrupted1278Invalid device ID length pointer
201Code replay attempt1280Invalid device type pointer
202Identification error threshold reached1281Invalid device code length
205Inactive days reached1282Invalid device code check digit
208Application disabled1283Invalid device code character
412Invalid checksum (software)1284Invalid device code
413Invalid Base64 format1285Master key derivation failed
414Invalid checksum (HSM)-102Challenge too long
600Invalid Gordian root information-103Challenge check digit wrong
601Invalid Gordian today information-105Challenge minimum length not allowed
602Invalid Gordian tomorrow information-106Challenge maximum length not allowed
603Invalid Gordian stimulus information-107Challenge number wrong
900Invalid session context handle-108Challenge character invalid
908HSM key not found-201Response length out of bounds
951Invalid HSM key type for HSM decryption-205Response character not decimal
1000Function does not support EMV-CAP-206Response character not hexadecimal
1025Buffer too small-207Response character set not specified
1039Invalid response length with DP algorithm  
  1. Specific score-based authentication code (see Score-based DIGIPASS)