/* Rexx */
/* Sample: Perform secure key AES encryption / decryption */
/*-------------------------------------------------------------------*/
/* Description: */
/* */
/* This REXX contains samples that show how to generate and use an */
/* AES key for encrypt/decrypt: */
/* - Generate and store a 256-bit AES DATA key */
/* - Encrypt data using the generated key token */
/* - Decrypt data using the generated key token */
/* */
/* How To Run: */
/* - Execute this script from TSO */
/* (e.g. EX 'HLQ.MLD.LLQ(AESSEC)') */
/*-------------------------------------------------------------------*/
signal on novalue;
/* CLEANUP labels in use for this sample */
aes_key_label = left('ICSF.SECRET.AES256.KEY001',64);
krd_label = aes_key_label;
Call CSNBKRD;
/*********************************************************************/
/* Generate a 256-bit AES DATA key */
/*********************************************************************/
kgn_key_form = 'OP ';
kgn_key_length = 'KEYLN32 ';
kgn_key_type_1 = 'AESDATA ';
kgn_key_type_2 = '';
kgn_kek_identifier_1 = copies('00'x,64);
kgn_kek_identifier_2 = '';
kgn_generated_key_identifier_1 = copies('00'x,64);
kgn_generated_key_identifier_2 = '';
Call CSNBKGN;
say "aes secure key: " c2x(kgn_generated_key_identifier_1);
/*********************************************************************/
/* Store the key in the CKDS */
/*********************************************************************/
krc2_label = aes_key_label;
krc2_token_length = '00000040'x;
krc2_token = kgn_generated_key_identifier_1;
Call CSNBKRC2;
/*********************************************************************/
/* Encrypt data using the secure key */
/*********************************************************************/
sae_rule_array_count = '00000003'x;
sae_rule_array = 'AES ' || 'PKCS-PAD' || 'KEYIDENT';
sae_key_identifier_length = '00000040'x;
sae_key_identifier = aes_key_label;
sae_init_vector_length = '00000010'x;
sae_init_vector = '11111111111111111111111111111111'x;
sae_block_size = '00000010'x;
sae_clear_text_length = '0000000B'x;
sae_clear_text = 'Secret Data';
sae_cipher_text_length = '00000010'x;
sae_cipher_text = copies('00'x, 16);
Call CSNBSAE;
encrypted_text = substr(sae_cipher_text, 1, c2d(sae_cipher_text_length));
say 'clear_text: ' sae_clear_text;
say 'encrypted_text: ' c2x(encrypted_text);
/*********************************************************************/
/* Decrypt data using the secure key */
/*********************************************************************/
sad_rule_array_count = sae_rule_array_count;
sad_rule_array = sae_rule_array;
sad_key_identifier_length = '00000040'x;
sad_key_identifier = aes_key_label;
sad_init_vector_length = sae_init_vector_length;
sad_init_vector = sae_init_vector;
sad_block_size = sae_block_size;
sad_cipher_text_length = sae_cipher_text_length;
sad_cipher_text = sae_cipher_text;
sad_clear_text_length = '00000010'x;
sad_clear_text = copies('00'x, 16);
Call CSNBSAD;
decrypted_text = substr(sad_clear_text, 1, c2d(sad_clear_text_length));
say 'decrypted_text: ' decrypted_text;
say "-----------------------------------------------------------------"
say "End of Sample"
say "-----------------------------------------------------------------"
exit;
/* --------------------------------------------------------------- */
/* CSNBKGN - Key Generate */
/* */
/* Generates either one or two DES or AES keys encrypted under a */
/* master key (internal form) or KEK (external form). */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNBKGN:
KGN_RC = 'FFFFFFFF'x;
KGN_RS = 'FFFFFFFF'x;
KGN_exit_data_length = '00000000'x;
KGN_exit_data = '';
ADDRESS linkpgm "CSNBKGN",
'KGN_RC' 'KGN_RS' ,
'KGN_exit_data_length' 'KGN_exit_data' ,
'KGN_key_form' 'KGN_key_length' ,
'KGN_key_type_1' 'KGN_key_type_2' ,
'KGN_kek_identifier_1' 'KGN_kek_identifier_2' ,
'KGN_generated_key_identifier_1' 'KGN_generated_key_identifier_2';
if (KGN_RC /= '00000000'x) Then
do;
say 'KGN Failed (rc=' c2x(KGN_RC)' rs='c2x(KGN_rs)')' ;
exit;
end;
Return;
/* --------------------------------------------------------------- */
/* CSNBKRC2 - Key Record Create2 */
/* */
/* Adds a key token to the CKDS. */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNBKRC2:
krc2_rc = 'FFFFFFFF'x;
krc2_rs = 'FFFFFFFF'x;
krc2_exit_data_length = '00000000'x;
krc2_exit_data = '';
krc2_rule_count = '00000000'x;
krc2_rule_array = '';
ADDRESS LINKPGM "CSNBKRC2",
"krc2_rc",
"krc2_rs",
"krc2_exit_data_length",
"krc2_exit_data",
"krc2_rule_count",
"krc2_rule_array",
"krc2_label",
"krc2_token_length",
"krc2_token";
if (KRC2_RC /= '00000000'x) Then
do;
say 'KRC2 Failed (rc=' c2x(KRC2_RC)' rs='c2x(KRC2_rs)')' ;
exit;
end;
return;
/* --------------------------------------------------------------- */
/* CSNBSAE - Symmetric Algorithm Encipher */
/* */
/* Encrypts data using a secure, symmetric key */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNBSAE:
sae_rc = 'FFFFFFFF'x;
sae_rs = 'FFFFFFFF'x;
sae_exit_data_length = '00000000'x;
sae_exit_data = '';
sae_key_parms_length = '00000000'x;
sae_key_parms = '';
sae_chain_data_length = '00000020'x;
sae_chain_data = copies('00'x,32);
sae_optional_data_length = '00000000'x;
sae_optional_data = '';
ADDRESS linkpgm "CSNBSAE",
'SAE_RC' 'SAE_RS' ,
'SAE_exit_data_length' 'SAE_exit_data' ,
'SAE_rule_array_count' 'SAE_rule_array' ,
'SAE_key_identifier_length' 'SAE_key_identifier' ,
'SAE_key_parms_length' 'SAE_key_parms' ,
'SAE_block_size' ,
'SAE_init_vector_length' 'SAE_init_vector' ,
'SAE_chain_data_length' 'SAE_chain_data' ,
'SAE_clear_text_length' 'SAE_clear_text' ,
'SAE_cipher_text_length' 'SAE_cipher_text' ,
'SAE_optional_data_length' 'SAE_optional_data';
if (SAE_RC /= '00000000'x) Then
do;
say 'SAE Failed (rc=' c2x(SAE_RC)' rs='c2x(SAE_rs)')' ;
exit;
end;
return;
/* --------------------------------------------------------------- */
/* CSNBSAD - Symmetric Algorithm Decipher */
/* */
/* Decrypts data using a secure, symmetric key */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNBSAD:
sad_rc = 'FFFFFFFF'x;
sad_rs = 'FFFFFFFF'x;
sad_exit_data_length = '00000000'x;
sad_exit_data = '';
sad_key_parms_length = '00000000'x;
sad_key_parms = '';
sad_chain_data_length = '00000020'x;
sad_chain_data = copies('00'x,32);
sad_optional_data_length = '00000000'x;
sad_optional_data = '';
ADDRESS linkpgm "CSNBSAD",
'SAD_RC' 'SAD_RS' ,
'SAD_exit_data_length' 'SAD_exit_data' ,
'SAD_rule_array_count' 'SAD_rule_array' ,
'SAD_key_identifier_length' 'SAD_key_identifier' ,
'SAD_key_parms_length' 'SAD_key_parms' ,
'SAD_block_size' ,
'SAD_init_vector_length' 'SAD_init_vector' ,
'SAD_chain_data_length' 'SAD_chain_data' ,
'SAD_cipher_text_length' 'SAD_cipher_text' ,
'SAD_clear_text_length' 'SAD_clear_text' ,
'SAD_optional_data_length' 'SAD_optional_data';
if (SAD_RC /= '00000000'x) Then
do;
say 'SAD Failed (rc=' c2x(SAD_RC)' rs='c2x(SAD_rs)')' ;
exit;
end;
return;
/* --------------------------------------------------------------- */
/* CSNBKRD - Key Record Delete */
/* */
/* Deletes a key record from the CKDS. */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNBKRD:
krd_rc = 'FFFFFFFF'x;
krd_rs = 'FFFFFFFF'x;
krd_exit_data_length = '00000000'x;
krd_exit_data = '';
krd_rule_array_count = '00000001'x;
krd_rule_array = 'LABEL-DL';
ADDRESS LINKPGM "CSNBKRD",
"krd_rc",
"krd_rs",
"krd_exit_data_length",
"krd_exit_data",
"krd_rule_array_count",
"krd_rule_array",
"krd_label";
if (KRD_RC /= '00000000'x & KRD_RS /= '0000271C'x) Then
say 'KRD Failed (rc=' c2x(KRD_RC)' rs='c2x(KRD_rs)')' ;
return;
/* --------------------------------------------------------------- */
/* Debug ;-) */
/* --------------------------------------------------------------- */
NOVALUE:
Say "Condition NOVALUE was raised."
Say CONDITION("D") "variable was not initialized."
Say SOURCELINE(sigl)
Exit