Parameters
The parameter definitions for CSNDT34B.
For the definitions of the return_code, reason_code, exit_data_length, and exit_data parameters, see Parameters common to all verbs.
- rule_array_count
  Direction: Input. Type: Integer.
  The number of keywords you supplied in the rule_array parameter. The value must be in the range 1 - 4.
- rule_array
  Direction: Input. Type: Character.
  The rule_array contains keywords that provide control information to the callable service. The keywords must be 8 bytes of contiguous storage with the keyword left-justified in its 8-byte location and padded on the right with blanks.

  Table 1. Keywords for TR-34 Bind-Begin

  | Keyword | Meaning |
  |---|---|
  | Requested action (one, required). | |
  | BINDCR | TR34 BIND token (CTKDH) CREATE service. Creates the token sent by the KDH to the KRD to accomplish the BIND action in the TR-34 protocol. This binds the KRD to the KDH for a later key distribution action. |
  | UNBINDCR | TR34 UNBIND token (UBTKDH) CREATE service. Creates the token sent by the KDH to the KRD to accomplish the UNBIND action in the TR-34 protocol. This frees the KRD from the currently bound KDH and causes the KRD to remove all keys received while bound to this KDH. |
  | REBINDCR | TR34 REBIND token (RBTKDH) CREATE service. Creates the token sent by the KDH to the KRD to accomplish the REBIND action in the TR-34 protocol. This frees the KRD from the current binding key of the KDH and binds the KRD to a new binding key from the KDH. This also causes the KRD to remove all keys received while bound to the KDH under the prior binding key. |
  | Public key infrastructure usage (one, optional). | |
  | PKI-CHK | Specifies that the X.509 certificate for the other party (KRD) is to be validated against the trust chain of the PKI hosted in the adapter. This requires that the CA credentials have been installed using the Trusted Key Entry (TKE) workstation. This is required for compliance-tagged key token export with TR-34 services. This is the default. |
  | PKI-NONE | Specifies that the X.509 certificate for the other party (KRD) is not to be validated against the trust chain of the PKI hosted in the adapter. This is suitable if the certificate has been validated using host-based PKI services. |
  | CRL expiration date checking (one, optional). | |
  | CRLEXPCK | CRL Expiration Check - Check the expiration date of the certificate revocation list (CRL) in the crl parameter and return an error if the CRL is expired. This is the default. |
  | CRLEXPAL | CRL Expiration Allow - Check the expiration date of the certificate revocation list (CRL) in the crl parameter and return an informational message if the CRL is expired. |
  | KRD certificate date checking (one, optional). | |
  | RCTEXPCK | KRD Certificate Expiration Check - Check the expiration date of the key receiving device (KRD) certificate and return an error if the certificate is expired. This is the default. |
  | RCTEXPAL | KRD Certificate Expiration Allow - Check the expiration date of the key receiving device (KRD) certificate and return an informational message if the certificate is expired. |

- input_token_length
  Direction: Input. Type: Integer.
  The length of the input_token parameter in bytes. The maximum length is 3500 bytes.
- input_token
  Direction: Input. Type: String.
  The DER encoded TR-34 token object. When the requested action keyword is BINDCR, the object is the TR-34 credential token from the KRD (the CT-KRD). When the requested action keyword is UNBINDCR or REBINDCR, the object is the TR-34 random number token from the KRD (the RT-KRD).
- crl_length
  Direction: Input. Type: Integer.
  The length of the crl parameter in bytes. The maximum length is 6000 bytes. The value of the crl_length must be balanced against the length of the other parameters. All parameters must fit within the limits of one call to the Crypto Express adapter and must be less than 11,500 bytes.
- crl
  Direction: Input. Type: String.
  The certificate revocation list (CRL) from the certificate authority that is in common with the KRD for the requested service. The CRL may be in DER or PEM format.
  Note: The CSNDT34B service is acting as the KDH so the crl is not expected to validate against the internal PKI of the adapter.
- cred_kdh_length
  Direction: Input. Type: Integer.
  The length of the cred_kdh parameter in bytes. The maximum length is 3500 bytes.
- cred_kdh
  Direction: Input. Type: String.
  The X.509 certificate that is the credential of the KDH for the requested service. The certificate may be in DER or PEM format.
  The meaning is determined by the requested action keyword:
  - BINDCR and UNBINDCR: This parameter must contain the X.509 certificate which is the TR-34 credential for the KDH (the CredKDH).
  - REBINDCR: This parameter must contain the new X.509 certificate which is the TR-34 credential for the KDH (the CredKDH-NEW).
  Note: This service is acting as the KDH so the cred_kdh is not expected to validate against the internal PKI of the adapter.
- old_cred_kdh_length
  Direction: Input. Type: Integer.
  The length of the old_cred_kdh parameter in bytes. The maximum length is 3500 bytes. When the requested action keyword is BINDCR or UNBINDCR, the value must be 0.
- old_cred_kdh
  Direction: Input. Type: String.
  The X.509 certificate that is the credential of the KDH for the requested service. The certificate may be in DER or PEM format. When the old_cred_kdh_length is zero, this parameter is ignored.
  The meaning is determined by the requested action keyword:
  - REBINDCR: This parameter must contain the old X.509 certificate which is the TR-34 credential for the KDH (the CredKDH-OLD). The identifier and serial number are needed for the creation of the Rebind Token.
  Note: This service is acting as the KDH so the old_cred_kdh is not expected to validate against the internal PKI of the adapter.
- cred_krd_length
  Direction: Input/Output. Type: Integer.
  The length of the cred_krd parameter in bytes. The maximum length is 3500 bytes.
- cred_krd
  Direction: Input/Output. Type: String.
  The X.509 certificate that is the credential of the KRD for the requested service (the CredKRD). The certificate may be in DER or PEM format.
  The meaning is determined by the requested action keyword:
  - BINDCR: On input, this parameter must be an empty buffer of size cred_krd_length. On output, this parameter will contain the CredKRD extracted from the CT-KRD.
  - UNBINDCR, REBINDCR: This parameter must contain the CredKRD extracted by a previous BINDCR service.
  Note: This service is acting as the KDH so the cred_krd is normally expected to validate against the internal PKI of the adapter. Use the PKI-NONE keyword to override this validation.
- private_key_identifier_length
  Direction: Input. Type: Integer.
  The length of the private_key_identifier parameter. When the requested action keyword is BINDCR, the value must be zero. When the keyword is UNBINDCR or REBINDCR, the value is the length of the key token or label. If the private_key_identifier contains a label, the value must be 64. Otherwise, the value must be between the actual length of the token and 3500.
- private_key_identifier
  Direction: Input. Type: String.
  The identifier of the private key used to sign the output token. The key identifier is an operational RSA secure token or the label of such a token in key storage. When the private_key_identifier_length is zero, this parameter is ignored.
  The key usage of the token must allow digital signature. Retained private keys are not supported in this service.
- output_token_length
  Direction: Input/Output. Type: Integer.
  The length of the output_token parameter in bytes. The maximum length is 9000 bytes. On input, the value is the size of the buffer to receive the output_token. On output, the value is the actual size of the data returned in the output_token parameter.
- output_token
  Direction: Output. Type: String.
  The generated DER encoded TR-34 token.
  - BINDCR: This parameter will contain the TR-34 BIND token (CTKDH).
  - UNBINDCR: This parameter will contain the TR-34 UNBIND token (UBTKDH).
  - REBINDCR: This parameter will contain the TR-34 REBIND token (RBTKDH).
- reserved_data_length
  Direction: Input/Output. Type: Integer.
  This parameter is reserved. The value must be zero.
- reserved_data
  Direction: Input/Output. Type: String.
  This parameter is ignored.
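
A pre-call check of the keyword and length rules listed above, as an added example: it is not IBM's code, it does not call the adapter, and every name in it (t34b_build_rules, t34b_check, struct t34b_lens, the T34_* codes) is hypothetical. It leaves out the combined 11,500-byte limit and the label-length rule, which need more than the individual lengths to evaluate.

```c
#include <string.h>
/* Added example: pre-call checks for CSNDT34B arguments. All names are hypothetical. */
enum { T34_OK, T34_BAD_RULES, T34_BAD_LENGTH, T34_BAD_FOR_ACTION };
enum { BINDCR, UNBINDCR, REBINDCR };
struct t34b_lens {   /* lengths the caller intends to pass, in bytes */
    long input_token, crl, cred_kdh, old_cred_kdh, cred_krd, private_key_id,
         output_token, reserved_data; };
/* Keyword groups from Table 1; only group 0 (requested action) is required. */
static const char *const GROUPS[4][3] = {
    { "BINDCR", "UNBINDCR", "REBINDCR" }, { "PKI-CHK", "PKI-NONE", NULL },
    { "CRLEXPCK", "CRLEXPAL", NULL },     { "RCTEXPCK", "RCTEXPAL", NULL } };
/* Fill rule_array (8 bytes per keyword, blank padded); return the action or -1. */
static int t34b_build_rules(const char *const *kw, long count, char *rule_array) {
    int seen[4] = { 0 }, action = -1;
    if (count < 1 || count > 4) return -1;
    for (long i = 0; i < count; i++) {
        int g, k, hit = 0;
        for (g = 0; g < 4 && !hit; g++)
            for (k = 0; k < 3 && GROUPS[g][k] && !hit; k++)
                if (strcmp(kw[i], GROUPS[g][k]) == 0) {
                    if (seen[g]++) return -1;   /* at most one keyword per group */
                    if (g == 0) action = k;
                    hit = 1;
                }
        if (!hit) return -1;                    /* unknown keyword */
        memset(rule_array + 8 * i, ' ', 8);
        memcpy(rule_array + 8 * i, kw[i], strlen(kw[i]));
    }
    return action;                              /* -1 when no action keyword was given */
}

static int over(long v, long max) { return v < 0 || v > max; }
/* Apply the per-parameter maxima and the action-specific rules from the page. */
static int t34b_check(int action, const struct t34b_lens *l) {
    if (action < 0) return T34_BAD_RULES;
    if (over(l->input_token, 3500) || over(l->crl, 6000) || over(l->cred_kdh, 3500) ||
        over(l->old_cred_kdh, 3500) || over(l->cred_krd, 3500) ||
        over(l->private_key_id, 3500) || over(l->output_token, 9000) || l->reserved_data != 0)
        return T34_BAD_LENGTH;
    /* old_cred_kdh only with REBINDCR; a signing key for everything except BINDCR */
    if ((action == REBINDCR) != (l->old_cred_kdh != 0)) return T34_BAD_FOR_ACTION;
    if ((action != BINDCR) != (l->private_key_id != 0)) return T34_BAD_FOR_ACTION;
    return T34_OK;
}

int main(void) {
    const char *kw[] = { "UNBINDCR", "PKI-CHK" };
    char rules[32];
    struct t34b_lens l = { 900, 1200, 1100, 0, 1000, 64, 9000, 0 };  /* constructed */
    return t34b_check(t34b_build_rules(kw, 2, rules), &l);           /* 0 means OK */
}
```

Running such a check on the host before the call catches the mismatches the parameter descriptions rule out, such as a non-zero old_cred_kdh_length with BINDCR, without spending an adapter round trip.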