Parameters

The parameters for CSNDSXD.

For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see Parameters common to all verbs.

rule_array_count
Direction: Input
Type: Integer
A pointer to an integer variable containing the number of elements in the rule_array variable. The value must be 2.
rule_array
Direction: Input
Type: String array
A pointer to a string variable containing an array of keywords. The keywords are eight bytes in length and must be left-aligned and padded on the right with space characters. The rule_array keywords are described in Table 1.
Table 1. Keywords for Symmetric Key Export with Data control information

Keyword     Description

Algorithm (One required)
AES         The key specified in source_key_identifier is an AES key.
DES         The key specified in source_key_identifier is a DES key.

Key Formatting method (One required)
PKCS-EXT    Copy the clear key data (length determined by the key length in the source key token) into the provided data field at the offset specified in the data_offset parameter. Then encrypt the key using the PKCS-1.5 block type 2 formatting algorithm.
source_key_identifier_length
Direction: Input
Type: Integer
A pointer to an integer variable containing the number of bytes in the source_key_identifier variable. This value is 64 when a label is supplied. When the key identifier is a key token, the value is the length of the token. For CCA DES key tokens, the value must be 64. For CCA AES key tokens, the maximum value is 725. For TR-31 tokens, the maximum value is 9992.
source_key_identifier
Direction: Input
Type: String
An internal key token, or the label of an operational symmetric key-token record in AES or DES key storage containing an operational AES or DES key token that is to be exported.

If the key is a CCA DES key, bit 17 of the control vector must be equal to '1'b (XPORT-OK). The key must have a control vector of DATAC or DKYGENKY with subtype DKYL0, unless the Symmetric Key Export with Data Special (offset X’02B6’) access control point is enabled.

If the AES key is in a fixed length CCA key token, no control vector checking is needed. If the AES key is in a variable length CCA token, the key type must be CIPHER and the key management field in the key must allow export by RSA keys and by unauthenticated asymmetric keys.

If the key type is not CIPHER, then access control point Symmetric Key Export with Data Special (offset X’02B6’) must be enabled.

If the key is a TR-31 DES token, it must have the following attributes:

  • TR-31 key usage: B3 or D0
  • Algorithm: T or D (D only if key usage is D0)
  • TR-31 mode of key use: B, D, E, or X (B, D, or E only if key usage is D0)
  • Exportable: S

If the Symmetric Key Export with Data - Special access control point (offset X’02B6’) is enabled, the TR-31 DES token can have any TR-31 key usage and mode of key use attributes. However, it must still have the correct Algorithm and Exportable attributes:

  • Algorithm: T or D
  • Exportable: S

If the key is a TR-31 AES token, then the token must have the following attributes:

  • TR-31 key usage: D0
  • Algorithm: A
  • TR-31 mode of key use: B, D, or E
  • Exportable: S

If the Symmetric Key Export with Data - Special access control point (offset X’02B6’) is enabled, the TR-31 AES token can have any TR-31 key usage and mode of key use. However, it must still have the correct Algorithm and Exportable attributes:

  • Algorithm: A
  • Exportable: S

If the token supplied was encrypted under the old master key, the token is returned encrypted under the current master key.

data_length
Direction: Input
Type: Integer
The length of the data parameter in bytes. The maximum value is the length of the modulus (in bytes) of the RSA_public_key_identifier minus 11. The overall maximum value is 501.
data_offset
Direction: Input
Type: Integer
The offset in bytes from the start of the clear data (data) where the clear DES or AES key is to be copied. The maximum value is data_length minus the key length of the clear source key.
data
Direction: Input
Type: String
The clear data. The deciphered key from parameter source_key_identifier is copied into this data at the specified offset, and then encrypted with the key from parameter RSA_public_key_identifier.
RSA_public_key_identifier_length
Direction: Input
Type: Integer
The length of the RSA_public_key_identifier field in bytes. This value is 64 when a label is supplied. When the key identifier is a key token, the value is the length of the token. The maximum value is 3500.
RSA_public_key_identifier
Direction: Input
Type: String
A PKA96 RSA internal or external key-token with the RSA public key of the remote node that imports the exported key.
RSA_enciphered_key_length
Direction: Input
Type: Integer
The length of the RSA_enciphered_key field in bytes. On output, the variable is updated with the actual length of the RSA_enciphered_key parameter. The maximum length is 512.
RSA_enciphered_key
Direction: Output
Type: String
The exported RSA-enciphered key.
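
The "modulus length minus 11" limit on data_length comes from PKCS #1 v1.5 block type 2 formatting, which wraps the data as 00 || 02 || PS || 00 || data with at least 8 bytes of padding PS. The following C pre-flight check is an added example, not IBM code: it builds the two-keyword rule_array and validates data_length and data_offset before a call would be made. The function names and sample values are hypothetical, and it does not call CSNDSXD itself.

```c
#include <stdio.h>
#include <string.h>

#define KEYWORD_LEN 8          /* rule_array keywords are eight bytes */
#define SXD_MAX_DATA_LEN 501   /* overall data_length maximum from the page */
#define PKCS1_T2_OVERHEAD 11   /* 00, 02, PS of at least 8 bytes, 00 */

/* Write one keyword left-aligned and space-padded to 8 bytes (no NUL). */
static int put_keyword(unsigned char *slot, const char *kw) {
    size_t n = strlen(kw);
    if (n == 0 || n > KEYWORD_LEN) return -1;
    memset(slot, ' ', KEYWORD_LEN);
    memcpy(slot, kw, n);
    return 0;
}

/* Hypothetical helper: rule_array = algorithm ("AES" or "DES") + "PKCS-EXT". */
int sxd_build_rule_array(unsigned char out[16], const char *algorithm) {
    if (strcmp(algorithm, "AES") != 0 && strcmp(algorithm, "DES") != 0)
        return -1;
    if (put_keyword(out, algorithm) != 0) return -1;
    return put_keyword(out + KEYWORD_LEN, "PKCS-EXT");
}

/* Hypothetical helper: check data_length and data_offset against the page's
 * limits. Returns the number of PKCS #1 v1.5 padding bytes the block will
 * carry (always >= 8), or -1 if a limit is violated. */
long sxd_check_lengths(long modulus_bytes, long data_length,
                       long data_offset, long key_bytes) {
    if (modulus_bytes <= PKCS1_T2_OVERHEAD || key_bytes <= 0) return -1;
    /* the key must fit inside data, so data_length >= key length */
    if (data_length < key_bytes || data_length > SXD_MAX_DATA_LEN) return -1;
    if (data_length > modulus_bytes - PKCS1_T2_OVERHEAD) return -1;
    if (data_offset < 0 || data_offset > data_length - key_bytes) return -1;
    return modulus_bytes - 3 - data_length;
}

int main(void) {
    unsigned char rule_array[16];
    if (sxd_build_rule_array(rule_array, "AES") == 0)
        printf("rule_array = \"%.16s\"\n", (const char *)rule_array);
    /* Constructed sample: 2048-bit RSA modulus, 64-byte data field,
     * 32-byte AES key copied in at offset 16. */
    printf("padding bytes = %ld\n", sxd_check_lengths(256, 64, 16, 32));
    return 0;
}
```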