DIGIPASS for Web

This article describes the function(s) on which the DIGIPASS for Web data conversion functionality is based. It contains information about parameters and possible return codes, as well as a prototype for each function.

DIGIPASS for Web has been discontinued. The functions in this section are deprecated and should no longer be used.

AAL2QADecryptQABlobICSF

This command is deprecated! Do not use anymore.

Function prototype

aat_int32 AAL2QADecryptQABlobICSF (
                               TDigipassBlob*     DPData,
                               TKernelParms*      CallParms,
                               aat_ascii*         aStorageKeyNameIn,
                               aat_ascii*         aInitialVectorIn,
                               aat_ascii*         Challenge,
                               aat_ascii*         aEncryptedQABlob,
                               aat_ascii*         aQABlob,
                               aat_int32*         QABlobSize);

Description

This function decrypts the encrypted QA BLOB provided by the Java applet of the DIGIPASS for Web architecture.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication to decrypt the QA BLOB. This allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully decrypted the QA BLOB, it returns either SUCCESS or SUCCESS with the relevant scoring warning code.. See the list of return codes in Table: Return codes (AAL2QADecryptQABlobICSF) for more details.

Parameters

Table: Parameters (AAL2QADecryptQABlobICSF)
Type	Name	Use	Description
TDigipassBlob *	DPData	I/O	authenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms *	KernelParms	I	List of formatted kernel parameters: ParamertName1=Value1;ParameterName2=Value2;….
aat_ascii *	aStorageKeyNameIn	I	String of up to 64+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the ICSF storage key used to encrypt the sensitive Digipass application BLOB data.
aat_ascii *	aInitialVectorIn	I	String of 16 or 32 hexadecimal characters, left-justified, null-terminated. This is the initial vector used to encrypt the sensitive authenticator application BLOB data.
aat_ascii *	Challenge	I	Challenge for CR mode.
aat_ascii *	EncryptedQABlob	I	Encrypted QA BLOB format: OTP User ID: up to32 chars Idx1: 02 chars XHA1: 30 chars Idx2: 02 chars XHA2: 30 chars ... Chk: 16 chars
aat_ascii *	QABlob	O	BLOB resulting from the formatted answer hash: User ID: 32 chars BLOB version: 02 chars Hash number: 02 chars \|Index \|02 chars \|Hash \|30 chars Checksum: 16 chars
aat_int32	QABlobSize	I/O	In input, this parameter contains the allocated size of the QABlob buffer and in output it contains the number of characters copied in the QABlob buffer.

COBOL calling convention

Entry point: AA2QDQIC
02   W-BLOB                  PIC X(248).
02   W-KERNELPARMS.
     03  W-PARMCOUNT        PIC 9(8) USAGE BINARY.
     03  W-PARM01           PIC 9(8) USAGE BINARY.
     . . .
     03  W-PARM19           PIC 9(8) USAGE BINARY.
02   W-BLOB-TABLE.
     03  W-BLOB             PIC X(248) OCCURS 8.
02   W-BLOB-PTR-TABLE.
     03  W-BLOB-PTR         USAGE POINTER OCCURS 8.
02   W-CHALLENGE            PIC X(17).
02   W-ENC-QA-BLOB          PIC X(400).
02   W-QA-BLOB              PIC X(400).
02   W-STORAGEKEY           PIC X(65).
02   W-INITVECTOR           PIC X(17).
02   W-RETURN               PIC S9(8) USAGE BINARY.
02   W-QA-BLOBSIZE          PIC S9(8) USAGE BINARY.
02   W-API-NAME              PIC X(8) VALUE 'AA2QDQIC'.
. . .
     CALL W-API-NAME USING
           BY REFERENCE W-BLOB
           BY REFERENCE W-KERNELPARMS
           BY REFERENCE W-STORAGEKEY
           BY REFERENCE W-INITVECTOR
           BY REFERENCE W-CHALLENGE
           BY REFERENCE W-ENC-QA-BLOB
           BY REFERENCE W-QA-BLOB
           BY REFERENCE W-QA-BLOBSIZE
           RETURNING W-RETURN

Return codes

Table: Return codes (AAL2QADecryptQABlobICSF)
Code	Meaning	Code	Meaning
0	Success	603	Invalid Gordian stimulus information
10001	Success with context warning[1]	802	Change password mandatory
10002	Success with user warning[1]	803	New password too short
10003	Success with user & context warning[1]	804	New password too long
10004	Success with platform warning[1]	900	Invalid session context handle
10005	Success with platform & context warning[1]	908	HSM key not found
10006	Success with platform & user warning[1]	951	Invalid HSM key type for HSM decryption
10007	Success with platform & user & context warning[1]	1000	Function does not support EMV-CAP
1	Code not verified	1025	Buffer too small
2	Static password validation failed	1103	Unlock Version 2 not supported
130	Invalid response pointer	1116	Response check digit not allowed
131	Missing required challenge	1117	Challenge check digit not allowed
140	Challenge corrupted	1118	Unsupported BLOB
201	Code replay attempt	-101	Challenge too short
202	Identification error threshold reached	-102	Challenge too long
205	Inactive days reached	-103	Challenge check digit wrong
208	Application disabled	-105	Challenge minimum length not allowed
412	Invalid checksum	-106	Challenge maximum length not allowed
413	Invalid Base64 format	-107	Challenge number wrong
414	Invalid checksum (HSM)	-108	Challenge character invalid
510	Invalid Digipass data pointer	-201	Response length out of bounds
530	Invalid QA data pointer	-202	Response too short
532	Invalid QA data length	-203	Response too long
535	Invalid QA number	-204	Response check digit wrong
536	Invalid encrypted QA data	-205	Response character not decimal
600	Invalid Gordian root information	-206	Response character not hexadecimal
601	Invalid Gordian today information	-207	Response character set not specified
602	Invalid Gordian tomorrow information

Specific score-based authentication code (see Score-based DIGIPASS)