Message signature validation

  • Updated on Aug 7, 2025
  • Published on Jan 24, 2025
  • 5 minute(s) read
Prev Next

This article describes the function(s) on which the message signature validation functionality is based. It contains information about parameters and possible return codes, as well as a prototype for each function.

The message signature validation functionality is applicable:

  • To hardware or software Digipass authenticators compliant with the multi-device two-step activation (in the context of the multi-device licensing model).
  • To hardware Digipass authenticators based on the single-device licensing model and able to perform operations based on the Secure Channel protocol.

Refer to the Authentication Suite Server SDK Product Guide for more information.

AAL2VerifyMessageSignatureICSF

Function prototype

aat_int32 AAL2VerifyMessageSignatureICSF (
                                    TDigipassBlob*  DPData,
                                    TKernelParms*   CallParms,
                                    aat_ascii       *aStorageKeyNameIn,
                                    aat_ascii       *aInitialVectorIn,
                                    aat_int32       MessageExpirationTime,
                                    aat_ascii*      Signature,
                                    aat_ascii*      SignedMessage,
                                    aat_int32       DeferredSignatureData
                                    aat_ascii*      ConfirmationCode,
                                    aat_ascii*      ConfirmationCodeLength);

Description

This function verifies the signature provided by the Digipass device:

  • in response to Activation Message 2 (generated with AAL2GenMessageActivation2ICSF) during the multi-device activation process
  • or in response to the request message (generated with AAL2GenMessageRequestICSF) during a Secure Channel request process (optionally; depending on whether the request requires a signature validation or not).

In case of verifying the signature of an Activation Message 2, the authenticator application BLOB used for the validation must correspond to the crypto application of the Digipass instance defined for the post-activation step. Information on the crypto application used for post-activation is part of the Digipass client configuration.

In case of verifying the signature of a request message (that contained a Secure Channel transaction), the authenticator application BLOB used for the validation must correspond to the crypto application of the Digipass instance selected for signing the message. Information on the crypto application selected for signing the message is part of the request body; it allows the Digipass device to perform the operation with the proper application.

The OnlineSG kernel parameter is also applied to the present function and is used as described in the Authentication Suite Server SDK C-C++ Programmer's Guide.

Signed message optional expiration check

This function allows optionally checking a maximum amount of time authorized since the generation of the Activation Message 2 or request message for which the signature validation is performed. This message time validity check depends on the MessageExpirationTime parameter.

If MessageExpirationTime = 0, the function will not perform any message time validity check.

If MessageExpirationTime > 0, MessageExpirationTime represents the maximum amount of time (expressed in seconds) authorized since the generation of the message (Activation Message 2 or a request message).

The instances of Activation Message 2 or request messages must have been MANDATORILLY generated by Authentication Suite Server SDK version 3.15.1 or later if checking the time validity (i.e. MessageExpirationTime > 0).

The timestamp of the generation time is embedded in the instances of Activation Message 2 and request messages only since Authentication Suite Server SDK 3.15.1.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based message signature validation which allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the signature, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2VerifyMessageSignatureICSF) for more details.

Parameters

  Table: Parameters (AAL2VerifyMessageSignatureICSF)
TypeNameUseDescription
TDigipassBlob *DPDataI/Oauthenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms *CallParmsIStructure of runtime parameters to use during this function call.
aat_ascii *aStorageKeyNameInIString of up to 64+1 characters, left-justified, null-terminated, or right-padded with spaces. This is the label of the ICSF storage key used to encrypt the sensitive Digipass application BLOB data.
aat_ascii *aInitialVectorInIString of 16 or 32 hexadecimal characters, left-justified, null-terminated. This is the initial vector used to encrypt the sensitive authenticator application BLOB data.
aat_int32Message expiration timeI

Must be mandatorily equal or greater to 0.

  • If MessageExpirationTime = 0: No message time validity check.
  • If MessageExpirationTime > 0: MessageExpirationTime represents the maximum amount of time (expressed in seconds) authorized since the generation of the message (Activation Message 2 or a request message).
aat_ascii *SignatureIString of up to 17 numeric characters, left-justified, null-terminated, or right-padded with spaces.
aat_ascii *SignedMessageIHexadecimal character string containing the message that has been used by the Digipass device to generate the signature. String length must be a multiple of 2. This can be either an Activation Message 2 or a request message.
aat_int32DeferredSignatureDataI
  • Must be 0 if signature is validated in online mode (OnlineSG=1 or 2).
  • If signature is validated in offline mode with OnlineSG=0, this parameter can receive the Digipass date of the signature generation (number of elapsed seconds since January 1, 1970) or 0. (With 0, the current time is used.)

    If this parameter is >0, the filled parameter must be the Digipass time, not the host time.

  • If the signature is validated in offline mode with OnlineSG=3, this parameter must receive counter of the Digipass instance used for the signature generation.
aat_ascii *ConfirmationCodeO

String of up to 16+1 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This is the confirmation code generated by Authentication Suite Server SDK for this signature.

aat_int32 *ConfirmationCodeLengthO

In input, this parameter must indicate the size of the allocated buffer for the ConfirmationCode parameter (recommended 17 bytes). In output, this parameter indicates the length of the ConfirmationCode string (without the null-terminated character).

COBOL calling convention

Entry point: AA2VMSIC
02   W-BLOB                    PIC X(248).
02   W-KERNELPARMS.
     03  W-PARMCOUNT           PIC 9(8) USAGE BINARY.
     03  W-PARM01              PIC 9(8) USAGE BINARY.
     . . .
     03  W-PARM19              PIC 9(8) USAGE BINARY.
02   W-CONFIRMCODE             PIC X(17).
02   W-CONFCODE-LENGTH         PIC 9(8) USAGE BINARY.
02   W-RETURN                  PIC S9(8) USAGE BINARY.
02   W-SIGNATURE               PIC X(17).
02   W-SIGNED-MESSAGE          PIC X(nnnn).
02   W-MESSAGEEXPIRATIONTIME   PIC 9(8) USAGE BINARY.
02   W-SIGNATUREDATA           PIC 9(8) USAGE BINARY.
02   W-STORAGEKEY              PIC X(65).
02   W-INITVECTOR              PIC X(17).
02   W-API-NAME                PIC X(8) VALUE 'AA2VMSIC'.
. . .
     CALL W-API-NAME USING
           BY REFERENCE W-BLOB
           BY REFERENCE W-KERNELPARMS
           BY REFERENCE W-STORAGEKEY
           BY REFERENCE W-INITVECTOR
           BY VALUE W-MESSAGEEXPIRATIONTIME
           BY REFERENCE W-SIGNATURE
           BY REFERENCE W-SIGNED-MESSAGE
           BY VALUE W-SIGNATUREDATA
           BY REFERENCE W-CONFIRMCODE
           BY REFERENCE W-CONFCODE-LENGTH
           RETURNING W-RETURN

Return codes

  Table:  Return codes (AAL2VerifyMessageSignatureICSF)
CodeMeaningCodeMeaning
0Success1116Response check digit not allowed
10001Success with context warning[1]1117Challenge check digit not allowed
10002Success with user warning[1]1118Unsupported BLOB
10003Success with user & context warning[1]1299Signed message not hexadecimal
10004Success with platform warning[1]1300Invalid signed message length
10005Success with platform & context warning[1]1301Invalid signed message pointer
10006Success with platform & user warning[1]1309Application can not be used for Secure Channel transactions
10007Success with platform & user & context warning[1]1337Unsupported message protocol version
1Signature not verified1339Invalid message length
132Unsupported token type1363Invalid message expiration time value
139Invalid signature pointer1364Message time validity expired
141Invalid field count-102Data field too long
203Sign error threshold reached-103Data field check digit wrong
204Duplicate signature found-105Challenge minimum length not allowed
205Inactive days reached-106Challenge maximum length not allowed
206Chronological signature error-107Challenge number wrong
207Deferred signature not allowed with OnLineSG not Null-108Challenge character invalid
208Application disabled-201Response length out of bounds
412Invalid checksum (software)-202Response too short
413Invalid Base64 format-203Response too long
414Invalid checksum (HSM)-204Response check digit wrong
510Invalid Digipass data pointer-205Response character not decimal
900Invalid session context handle-206Response character not hexadecimal
908HSM key not found-207Response character set not specified
951Invalid HSM key type for HSM decryption-1501Memory allocation failed
1103Unlock Version 2 not supported  
  1. Specific score-based authentication code (see Score-based DIGIPASS)