Generating and exporting DES keys

This verb uses a trusted block to generate or export DES keys.

To create a trusted block, see Trusted Block Create (CSNDTBC). Remote Key Export accepts as input parameters a trusted block, a public-key certificate and certificate parameters, a transport key, a rule ID to identify the appropriate rule section to be used within a trusted block, an importer key, a source key, optional extra data that can be used as part of the OAEP key-wrapping process, and key-check parameters used to calculate an optional key-check value.

This verb validates all input parameters for generate and export operations. After the verb performs the input parameter validation, the remaining steps depend on whether the generate option or the export option is specified in the selected rule of the trusted block.

This is a high-level description of the remaining processing steps for generate and export.

Processing for generate operation

The verb performs these steps for the generate operation:

Generates a random value for the generated key, K. The generated key length specified by the selected rule determines the key length.
XORs the output key variant with the randomly generated key K from the previous step, if the selected rule contains a common export key parameters subsection and the output key variant length is greater than zero. Adjusts the result to have valid DES key parity.
Continues with Final processing common to generate and export operations.

Processing for export operation

The verb performs these steps for the export operation:

If the selected rule contains a transport key rule reference subsection, verifies that the rule ID in the transport key rule reference subsection matches the rule ID in the token identified by the transport_key_identifier parameter, provided that the token is an RKX key-token. For more information on RKX key tokens, see External RKX DES key tokens.
Verifies that the length of the transport key variant in the transport key variant subsection of the selected rule is greater than or equal to the length of the key identified by the transport_key_identifier parameter.
Verifies that the key token identified by the importer_key_identifier parameter is of key type IMPORTER, if the source_key_identifier parameter identifies an external CCA DES key-token.
Recovers the clear value of the source key, K, identified by the source_key_identifier parameter.
Verifies that the length of key K is between the export key minimum length and export key maximum length specified in the common export key parameters subsection of the selected rule.
XORs the output key variant with the randomly generated key K from the previous step, if the selected rule contains a common export key parameters subsection and the output key variant length is greater than zero. Adjusts the result to have valid DES key parity.
Uses the public key in the trusted block to verify the digital signature embedded in the certificate variable if the certificate_length variable is greater than zero. Any necessary certificate objects are located with information from the certificate_parms variable. Returns an error if the signature verification fails.
XORs the transport key variant with the clear value of the transport key (recovered in the previous step) if the selected rule contains a transport key variant subsection and the output key variant length is greater than zero. Adjusts the result to have valid DES key parity.
Continues with Final processing common to generate and export operations.

Final processing common to generate and export operations

Based on the symmetric encrypted output key format flag of the selected rule, returns the encrypted result in the token identified by the sym_encrypted_key_identifier parameter:
- of Processing for generate operation, step 2, or of Processing for export operation, step 6, into an RKX key-token, if the flag indicates to return an RKX key-token.
- using the resulting key from Processing for export operation, step 6 into a CCA DES key-token and returns it in the token identified by the sym_encrypted_key_identifier parameter, if the flag indicates to return a CCA DES key-token.
Encrypts the key result from Processing for generate operation, step 2 or from Processing for export operation, step 6, with the format specified, if the asymmetric encrypted output key format flag of the selected rule indicates to output an asymmetric encrypted key and return it to the asym_encrypted_key parameter.
Returns the computed key-check value as determined by the key-check algorithm identifier if the key-check algorithm identifier in the specified rule indicates to compute a key-check value. The value is returned in the key_check_value variable.