Control Vector Translate example

As an example, consider the case of receiving a single-length PIN-block encrypting key from a non-CCA system. Often such a key will be encrypted by an unmodified transport key (no control vector or variant is used). In a CCA system, an inbound PIN encrypting key is double-length.

First use the Key Token Build callable service to insert the single-length key value into the left-half key-space in a key token. Specify USE-CV as a key type and a control vector value set to 16 bytes of X'00'. Also specify EXTERNAL, KEY, and CV keywords in the rule array. This key token will be the source key key token.

Second, the target key token can also be created using the Key Token Build callable service. Specify a key type of IPINENC and the NO-EXPORT rule array keyword.

Then call the Control Vector Translate callable service and specify a rule-array keyword of LEFT. The mask arrays can be constructed as follows:

A₁ is set to the value of the KEK's control vector, most likely the value of an IMPORTER key, perhaps with the NO-EXPORT bit set. B₁ is set to eight bytes of X'FF' so that all bits of the KEK's control vector will be tested.
A₂ is set to eight bytes of X'00', the (null) value of the source key control vector. B₂ is set to eight bytes of X'FF' so that all bits of the source-key control vector will be tested.
A₃ is set to the value of the target key's left-half control vector. B₃ is set to X'FFFF FFFF FF9F FFFF'. This will cause all bits of the control vector to be tested except for the two (fff) bits used to distinguish between the left-half and right-half target-key control vector.
B₄ is set to eight bytes of X'00' so that no comparison is made between the source and target control vectors.