- return_code
-
Direction: Output | Type: Integer |
The return code specifies the general result of the callable
service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.
- reason_code
-
Direction: Output | Type: Integer |
The reason code specifies the specific results of processing.
Each return code has different reason codes that indicate specific
processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason
codes.
- exit_data_length
-
Direction: Input/Output | Type: Integer |
The length of the data that is passed to the installation
exit. The length can be from X'00000000' to X'7FFFFFFF' (2
gigabytes). The data is identified in the exit_data parameter.
- exit_data
-
Direction: Input/Output | Type: String |
The data that is passed to the installation exit.
- rule_array_count
-
Direction: Input | Type: Integer |
The number of keywords you are supplying in the rule_array parameter.
This number must be 0.
- rule_array
-
Direction: Input | Type: String |
Specifies a string variable containing an array of keywords.
Currently no rule_array keywords are defined for this service,
but you must still specify this parameter.
- trusted_block_length
-
Direction: Input | Type: Integer |
Specifies the number of bytes in the trusted_block_identifier
parameter. The maximum length is 3500 bytes.
- trusted_block_identifier
-
Direction: Input | Type: String |
Specifies a trusted block label or trusted block token
of an internal/complete trusted block constructed by the service,
which is used to validate the public key certificate (certificate)
and to define the rules for key generation and export.
- certificate_length
-
Direction: Input | Type: Integer |
Specifies the number of bytes in the certificate parameter.
The maximum is 5000 bytes.
If the certificate_length is zero
and the trusted block's Asymmetric Encrypted Output Key Format
indicates no asymmetric key output, this service will not attempt
to use or validate the certificate in any way. Consequently, the output
parameter asym_encrypted_key_length will contain zero and output parameter
asym_encrypted_key will not be changed from its input content.
If
the certificate length is zero and the trusted block's Asymmetric
Encrypted Output Key Format indicates PKCS1.2 output format or RSAOAEP
output format, this service will exit with an error.
If the
certificate_length is non-zero and the trusted block's
Asymmetric Encrypted Output Key Format indicates no asymmetric key
output, this service will fail.
- certificate
-
Direction: Input | Type: String |
Contains a public-key certificate. The certificate
must contain the public key modulus and exponent in binary_form, as
well as a digital signature. The signature in the certificate will
be verified using the root public key that is in the trusted block
supplied in trusted_block_identifier parameter.
- certificate_parms_length
-
Direction: Input | Type: Integer |
Contains the number of bytes in the certificate_parms parameter.
The length must be 36 bytes.
- certificate_parms
-
Direction: Input | Type: String |
Contains a structure provided by the caller used for identifying
the location and length of values within the certificate in parameter
certificate. For each of the values used by RKX, the structure contains
offsets from the start of the certificate and length in bytes. It
is the responsibility of the calling application program to provide
these values. This method gives the greatest flexibility to support
different certificate formats. The structure has this layout:
Table 83. Structure of values used by RKXOffset (bytes) | Length (bytes) | Description |
---|
0 | 4 | Offset of modulus |
4 | 4 | Length of modulus |
8 | 4 | Offset of public exponent |
12 | 4 | Length of public exponent |
16 | 4 | Offset of digital
signature |
20 | 4 | Length of digital
signature |
24 | 1 | Identifier for the
hash algorithm used |
25 | 1 | Identifier for the
digital hash formatting method
- 01 - PKCS-1.0
- 02 - PKCS-1.1
- 03 - X9.31
- 04 - ISO-9796
- 05 - ZERO-PAD
|
26 | 2 | Reserved -
must be filled with 0x00 bytes |
28 | 4 | Offset of first byte
of certificate data hashed to compute the digital signature |
32 | 4 | Length of the certificate
data hashed to compute the digital signature |
The modulus, exponent, and signature values are right-justified
and padded on the left with binary zeros if necessary.
These
values are defined for the hash algorithm identifier at offset 24
in the structure.
- transport_key_length
-
Direction: Input | Type: Integer |
Contains the number of bytes in the transport_key_identifier
parameter.
- transport_key_identifier
-
Direction: Input | Type: String |
Contains a label of an internal key token, or an RKX token
for a Key Encrypting Key (KEK) that is used to encrypt a key exported
by the RKX service. A transport key will not be used to encrypt a
generated key.
For flag bit0=1 (export existing key) within
Rule section and parameter rule_id = Rule section ruleID, the transport_key_identifier
encrypts the exported version of the key received in parameter source_key_identifier.
The service can distinguish between the internal key token or RKX
key token by virtue of the version number at offset 0x04 contained
in the key token and the flag value at offset 0x00 as follows:
- rule_id_length
-
Direction: Input | Type: Integer |
Contains the number of bytes in the rule_id parameter.
The value must be 8.
- rule_id
-
Direction: Input | Type: String |
Specifies the rule in the trusted block that will be used
to control key generation or export. The trusted block can contain
multiple rules, each of which is identified by a rule ID value.
- importer_key_length
-
Direction: Input | Type: Integer |
Contains the number of bytes in the importer_key_identifier
parameter. It must be zero if the Generate/Export flag in the rule
section (section 0x12) of the Trusted Block is a zero, indicating
a new key is to be generated.
- importer_key_identifier
-
Direction: Input | Type: String |
Contains a key token or key label for the IMPORTER key-encrypting
key that is used to decipher the key passed in parameter source_key_identifier.
It is unused if either RKX is being used to generate a key, or if
the source_key_identifier is an RKX key token.
- source_key_length
-
Direction: Input | Type: Integer |
Contains the number of bytes in the source_key_identifier
parameter. The parameter must be 0 if the trusted block Rule section
ruleID = rule_id parameter and the flag bit0 = 0 (Generate new key).
The
parameter must be 64 if the trusted block Rule section has a flag
bit0 = 1 (Export existing key).
- source_key_identifier
-
Direction: Input | Type: String |
Contains a label of a single or double length external
or internal key token or an RKX key token for a key to be exported.
It must be empty (source_key_length=0) if RKX is used to generate
a new key. The service examines the key token to determine which form
has been provided. This parameter is known as the source_key_identifier in
other callable services.
Table 86. Examination of key token for source_key_identifierFlag Byte Offset
00 | Version Number Offset
04 | Description |
---|
0X01 | 0X00 | Internal DES key token
version 0 |
0X02 | 0X00 | External DES key token
version 0 |
0X02 | 0X01 | External DES key token
version 1 |
0X02 | 0X10 | RKX Key token (Flag
byte 0x02 indicates external key token) |
- asym_encrypted_key_length
-
Direction: Input/Output | Type: Integer |
The length of the asym_encrypted_key parameter. On input,
it is the length of the storage to receive the output. On output,
it is the length of the data returned in the asym_encrypted_key parameter.
The maximum length is 512 bytes.
- asym_encrypted_key
-
Direction: Output | Type: String |
The contents of this field is ignored on input. A
string buffer RKX will use to return a generated or exported key that
is encrypted under the public (asymmetric) key passed in parameter
certificate. An error will be returned if the caller's buffer is too
small to hold the value that would be returned.
- sym_encrypted_key_length
-
Direction: Input/Output | Type: Integer |
On input, the sym_encrypted_key_length parameter is an
integer variable containing the number of bytes in the sym_encrypted_key
field. On output, that value in sym_encrypted_key_length is replaced
with the length of the key returned in sym_encrypted_key field.
- sym_encrypted_key
-
Direction: Output | Type: String |
Sym_encrypted_key is the string buffer RKX uses to return
a generated or exported key that is encrypted under the key-encrypting
key passed in the transport_key_identifier parameter. The value returned
will be 64 bytes. An error will be returned if the caller's buffer
is smaller than 64 bytes, and so too small to hold the value that
would be returned. The sym_encrypted_key may be an RKX key token or
a key token depending upon the value of the Symmetric Encrypted Output
Key Format value of the Rule section within the trusted_block_identifier
parameter.
ICSF supports two methods of wrapping the key value
in a symmetric key token: the original ECB wrapping and an enhanced
CBC wrapping method which is ANSI X9.24 compliant. The sym_encrypted_key will
be wrapped in the same manner as the source_key_identifier.
- extra_data_length
-
Direction: Input | Type: Integer |
Contains the number of bytes of data in the extra_data
parameter. It must be zero if the output format for the RSA-encrypted
key in asym_encrypted_key is anything but RSAOEAP. The maximum size
is 1024 bytes.
- extra_data
-
Direction: Input | Type: String |
Can be used in the OAEP key wrapping process. Extra_data
is optional and is only applicable when the output format for the
RSA-encrypted key returned in asym_encrypted_key is RSAOAEP.
Note:
RSAOAEP format is specified in the rule in the trusted block.
- key_check_parameters_length
-
Direction: Input | Type: Integer |
Contains the number of bytes in the key_check_parameters
parameter. Currently, none of the defined key check algorithms require
any key check parameters, so this field must specify 0.
- key_check_parameters
-
Direction: Input | Type: String |
Contains parameters that are required to calculate a key
check value parameter, which will be returned in key_check_value.
Currently, none of the defined key check algorithms require any key
check parameters, but you must still specify this parameter.
- key_check_length
-
Direction: Input/Output | Type: Integer |
On input this parameter contains the number of bytes in
the key_check_value parameter. On output, the value is replaced with
the length of the key check value returned in the key_check_value
parameter. The length depends on the key-check algorithm identifier.
See Table 360.
- key_check_value
-
Direction: Output | Type: String |
Used by RKX to return a key check value that calculates
on the generated or exported key. Values in the rule specified with
rule_id can specify a key check algorithm that should be used to calculate
this output value.