|
- return_code
-
Direction: Output | Type: Integer |
The return code specifies the general result of the callable
service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.
- reason_code
-
Direction: Output | Type: Integer |
The reason code specifies the result of the callable service
that is returned to the application program. Each return code has
different reason codes that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.
- exit_data_length
-
Direction: Ignored | Type: Integer |
This field is ignored. It is recommended to specify 0 for
this parameter.
- exit_data
-
Direction: Ignored | Type: String |
This field is ignored.
- rule_array_count
-
Direction: Input | Type: Integer | The number of keywords you supplied in the rule_array parameter.
This value must be 1.
- rule_array
-
Direction: Input | Type: String |
Keywords that provide control information to the callable
service. Each keyword is left-justified in 8-byte fields and padded
on the right with blanks. All keywords must be in contiguous storage.
Table 296. Keywords for derive keyKeyword | Meaning |
---|
Mechanism
(required) | PKCS-DH | Use
the Diffie-Hellman PKCS derivation protocol as defined in the PKCS
#11 standard as mechanism CKM_DH_PKCS_DERIVE. | SSL-MS | Use
the SSL 3.0 Master Secret derivation protocol as defined in the PKCS
#11 standard as mechanism CKM_SSL3_MASTER_KEY_DERIVE. The SSL protocol
version is also returned. The base key must have been generated according
to the rules for SSL 3.0 | SSL-MSDH | Use the SSL 3.0 Master Secret for Diffie-Hellman
derivation protocol as defined in the PKCS #11 standard as mechanism
CKM_SSL3_MASTER_KEY_DERIVE_DH. | TLS-MS | Use the TLS Master Secret derivation protocol
as defined in the PKCS #11 standard as mechanism CKM_TLS_MASTER_KEY_DERIVE.
The base key must have been generated according to the rules for TLS
1.0 or TLS 1.1 | TLS-MSDH | Use the TLS Master Secret for Diffie-Hellman
derivation protocol as defined in the PKCS #11 standard as mechanism
CKM_TLS_MASTER_KEY_DERIVE_DH. | EC-DH | Use the Elliptic Curve Diffie-Hellman derivation
protocol as defined in the PKCS #11 standard as mechanism CKM_ECDH1_DERIVE | IKESEED | Use the IKEv1 or IKEv2 initial seeding protocol
to derive a seed key using a previously derived secret key as the
base key.
Using IKE terminology, this mechanism performs either SKEYID = prf(Ni_b | Nr_b, g^xy) for IKEv1 or SKEYSEED = prf(Ni | Nr, g^ir) for IKEv2.
Where:
- Ni_b | Nr_b or Ni | Nr - is the concatenated
initiator/responder nonce string
- g^xy or g^ir -
is the base key
| IKESHARE | Use the IKEv1 initial seeding protocol to derive
a seed key using a pre-shared secret key as the base key.
Using
IKE terminology, this mechanism performs SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
Where:
- Ni_b | Nr_b -
is the concatenated initiator/responder nonce string
- pre-shared-key - is the base key
| IKEREKEY | Use the IKEv2 rekeying protocol to derive a
new seed key using a previously derived IKE derivation key as the
base key and a previously derived secret key as an additional key.
Using
IKE terminology, this mechanism performs SKEYSEED = prf(SK_d, g^ir
| Ni | Nr).
Where:
- Ni | Nr - is the
concatenated initiator/responder nonce string
- SK_d - is the base key
- g^ir - is the additional key
|
- attribute_list_length
-
Direction: Input | Type: Integer | The length of the attributes supplied in the attribute_list parameter
in bytes. The maximum value for this field is 32750.
- attribute_list
-
Direction: Input | Type: String | List of attributes for the derived secret key
object. See Attribute List for the format
of an attribute_list .
- base_key_handle
-
Direction: Input | Type: String | The 44-byte handle of the source key object. See Handles for the format of a base_key_handle.
- parms_list_length
-
Direction: Input | Type: Integer | The length of the parameters supplied in the parms_list parameter
in bytes.
- parms_list
-
Direction: Input/Output | Type: String | The protocol specific parameters. This field has a varying
format depending on the mechanism specified:
Table 299. parms_list parameter format for EC-DH mechanismOffset | Length in bytes | Direction | Description |
---|
0 | 1 | Input | KDF function code, x'01' = NULL;
x'02' = SHA1. x'05' = SHA224, x'06'
= SHA256, x'07' = SHA384, and x'08' = SHA512 | 1 | 3 | not applicable | reserved | 4 | 4 | Input | length in bytes of the optional data shared
between the two parties. A zero length means no shared data. For the
NULL KDF the length must be zero. Otherwise, the maximum shared data
length 2147483647. | 8 | 8 | Input | 64-bit address of the data shared between
the two parties. The data must reside in the caller's address
space. High order word must be set to all zeros by AMODE31 callers.
This field is ignored if the length is zero. | 16 | 4 | Input | length in bytes of the other party's
public value (x). This length is dependent on the curve type/size
of the base key and on whether the value is DER encoded or not:
secp192r1 - 49 (51 w/DER)
secp224r1 - 57 (59 w/DER)
secp256r1 - 65 (67 w/DER)
secp384r1 - 97 (99 w/DER)
secp521r1 - 133 (136 w/DER)
brainpoolP160r1 - 41 (43 w/DER)
brainpoolP192r1 - 49 (51 w/DER)
brainpoolP224r1 - 57 (59 w/DER)
brainpoolP256r1 - 65 (67 w/DER)
brainpoolP320r1 - 81 (83 w/DER)
brainpoolP384r1 - 97 (99 w/DER)
brainpoolP512r1 - 129 (132 w/DER)
| 20 | x<=136 | Input | binary value representing the other party's
public value with or without DER encoding. |
Table 300. parms_list parameter format for IKESEED, IKESHARE, and IKEREKEY mechanismsOffset | Length in bytes | Direction | Description |
---|
0 | 1 | Input | IKE version code. Must be x'01'
for IKESHARE, x'02' for IKEREKEY, x'01' or x'02'
for IKESEED | 1 | 1 | Input | PRF function code x'01' = HMAC_MD5, x'02'
= HMAC_SHA1, x'04' = HMAC_SHA256, x'05' = SHA384,
and x'06' = SHA512 | 2 | 2 | Input | Length of concatenated initiator/responder
nonce string (n), where 16 <= n <= 512 | 4 | 44 | Input | Key handle of additional key - required
for IKEREKEY. Ignored for the other mechanisms. | 48 | n | Input | Concatenated initiator/responder nonce string |
- target_key_handle
-
Direction: Output | Type: String | Upon successful completion, the 44-byte handle of the secret
key object that was derived.
|