z/OS Cryptographic Services ICSF Application Programmer's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Parameters

z/OS Cryptographic Services ICSF Application Programmer's Guide
SA22-7522-16

return_code
Direction: OutputType: Integer

The return code specifies the general result of the callable service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.

reason_code
Direction: OutputType: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.

exit_data_length
Direction: IgnoredType: Integer

This field is ignored. It is recommended to specify 0 for this parameter.

exit_data
Direction: IgnoredType: String

This field is ignored.

rule_array_count
Direction: InputType: Integer
The number of keywords you supplied in the rule_array parameter. This value must be 1.
rule_array
Direction: InputType: String

Keywords that provide control information to the callable service. Each keyword is left-justified in 8-byte fields and padded on the right with blanks. All keywords must be in contiguous storage.

Table 296. Keywords for derive key
KeywordMeaning
Mechanism (required)
PKCS-DHUse the Diffie-Hellman PKCS derivation protocol as defined in the PKCS #11 standard as mechanism CKM_DH_PKCS_DERIVE.
SSL-MSUse the SSL 3.0 Master Secret derivation protocol as defined in the PKCS #11 standard as mechanism CKM_SSL3_MASTER_KEY_DERIVE. The SSL protocol version is also returned. The base key must have been generated according to the rules for SSL 3.0
SSL-MSDHUse the SSL 3.0 Master Secret for Diffie-Hellman derivation protocol as defined in the PKCS #11 standard as mechanism CKM_SSL3_MASTER_KEY_DERIVE_DH.
TLS-MSUse the TLS Master Secret derivation protocol as defined in the PKCS #11 standard as mechanism CKM_TLS_MASTER_KEY_DERIVE. The base key must have been generated according to the rules for TLS 1.0 or TLS 1.1
TLS-MSDHUse the TLS Master Secret for Diffie-Hellman derivation protocol as defined in the PKCS #11 standard as mechanism CKM_TLS_MASTER_KEY_DERIVE_DH.
EC-DHUse the Elliptic Curve Diffie-Hellman derivation protocol as defined in the PKCS #11 standard as mechanism CKM_ECDH1_DERIVE
IKESEEDUse the IKEv1 or IKEv2 initial seeding protocol to derive a seed key using a previously derived secret key as the base key.

Using IKE terminology, this mechanism performs either SKEYID = prf(Ni_b | Nr_b, g^xy) for IKEv1 or SKEYSEED = prf(Ni | Nr, g^ir) for IKEv2.

Where:

  • Ni_b | Nr_b or Ni | Nr - is the concatenated initiator/responder nonce string
  • g^xy or g^ir - is the base key
IKESHAREUse the IKEv1 initial seeding protocol to derive a seed key using a pre-shared secret key as the base key.

Using IKE terminology, this mechanism performs SKEYID = prf(pre-shared-key, Ni_b | Nr_b).

Where:

  • Ni_b | Nr_b - is the concatenated initiator/responder nonce string
  • pre-shared-key - is the base key
IKEREKEYUse the IKEv2 rekeying protocol to derive a new seed key using a previously derived IKE derivation key as the base key and a previously derived secret key as an additional key.

Using IKE terminology, this mechanism performs SKEYSEED = prf(SK_d, g^ir | Ni | Nr).

Where:

  • Ni | Nr - is the concatenated initiator/responder nonce string
  • SK_d - is the base key
  • g^ir - is the additional key
attribute_list_length
Direction: InputType: Integer
The length of the attributes supplied in the attribute_list parameter in bytes. The maximum value for this field is 32750.
attribute_list
Direction: InputType: String
List of attributes for the derived secret key object. See Attribute List for the format of an attribute_list .
base_key_handle
Direction: InputType: String
The 44-byte handle of the source key object. See Handles for the format of a base_key_handle.
parms_list_length
Direction: InputType: Integer
The length of the parameters supplied in the parms_list parameter in bytes.
parms_list
Direction: Input/OutputType: String
The protocol specific parameters. This field has a varying format depending on the mechanism specified:
Table 297. parms_list parameter format for PKCS-DH mechanism
OffsetLength in bytesDirectionDescription
04Inputlength in bytes of the other party's public value, where 64 <= length <= 256
4<=256Inputbinary value representing the other party's public value.
Table 298. parms_list parameter format for SSL-MS, SSL-MSDH, TLS-MS, and TLS-MSDH mechanisms
OffsetLength in bytesDirectionDescription
02OutputSSL protocol version returned for SSL-MS and TLS-MS only. For the other protocols, this field is left unchanged.
22not applicablereserved
Table 299. parms_list parameter format for EC-DH mechanism
OffsetLength in bytesDirectionDescription
01InputKDF function code, x'01' = NULL; x'02' = SHA1. x'05' = SHA224, x'06' = SHA256, x'07' = SHA384, and x'08' = SHA512
13not applicablereserved
44Inputlength in bytes of the optional data shared between the two parties. A zero length means no shared data. For the NULL KDF the length must be zero. Otherwise, the maximum shared data length 2147483647.
88Input64-bit address of the data shared between the two parties. The data must reside in the caller's address space. High order word must be set to all zeros by AMODE31 callers. This field is ignored if the length is zero.
164Inputlength in bytes of the other party's public value (x). This length is dependent on the curve type/size of the base key and on whether the value is DER encoded or not:
secp192r1 - 49 (51 w/DER)
secp224r1 - 57 (59 w/DER)
secp256r1 - 65 (67 w/DER)
secp384r1 - 97 (99 w/DER)
secp521r1 - 133 (136 w/DER)

brainpoolP160r1 - 41 (43 w/DER)
brainpoolP192r1 - 49 (51 w/DER)
brainpoolP224r1 - 57 (59 w/DER)
brainpoolP256r1 - 65 (67 w/DER)
brainpoolP320r1 - 81 (83 w/DER)
brainpoolP384r1 - 97 (99 w/DER)
brainpoolP512r1 - 129 (132 w/DER)
20x<=136Inputbinary value representing the other party's public value with or without DER encoding.
Table 300. parms_list parameter format for IKESEED, IKESHARE, and IKEREKEY mechanisms
OffsetLength in bytesDirectionDescription
01InputIKE version code. Must be x'01' for IKESHARE, x'02' for IKEREKEY, x'01' or x'02' for IKESEED
11InputPRF function code x'01' = HMAC_MD5, x'02' = HMAC_SHA1, x'04' = HMAC_SHA256, x'05' = SHA384, and x'06' = SHA512
22InputLength of concatenated initiator/responder nonce string (n), where 16 <= n <= 512
444InputKey handle of additional key - required for IKEREKEY. Ignored for the other mechanisms.
48nInputConcatenated initiator/responder nonce string
target_key_handle
Direction: OutputType: String
Upon successful completion, the 44-byte handle of the secret key object that was derived.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014