External programming interfaces
Applications can directly access the zcrypt device driver through an API.
- The libica library: /usr/include/ica_api.h
- The openCryptoki library: /usr/include/opencryptoki/pkcs11.h
- The CCA library: /opt/IBM/CCA/include/csulincl.h
- The EP11 library: /usr/include/ep11/ep11.h and /usr/include/ep11/ep11adm.h
ep11.h and ep11adm.h are included in the EP11 devel package. pkcs11.h is included in the opencryptoki devel package. ica_api.h and csulincl.h are present after their libraries are installed.
Clear key cryptographic functions
The libica library provides a C API to clear-key cryptographic functions that are supported by IBM Z® hardware. You can configure both openCryptoki (by using the icatoken) and OpenSSL (by using the ibmca engine) to use IBM Z clear-key cryptographic hardware support through libica. See libica Programmer's Reference, SC34-2602 for details about the libica functions.
If you must circumvent libica and access the zcrypt device driver directly, your user space program must open the z90crypt device node, and submit the cryptographic request with an IOCTL. The IOCTL subfunction ICARSAMODEXPO performs RSA modular exponent encryption and decryption. The IOCTL ICARSACRT performs RSA CRT decryption. See the cryptographic device driver header file in the Linux source tree:
/usr/include/asm/zcrypt.h
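The direct IOCTL path described above, as an added example that is not part of the original documentation or IBM's code. The function names zc_right_justify and zc_modexpo are hypothetical, and the fallback structure and request number mirror asm/zcrypt.h only so that the code also builds on hosts without that header.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#if __has_include(<asm/zcrypt.h>)
#include <asm/zcrypt.h>   /* real definitions on Linux on IBM Z */
#else                     /* fallback mirroring that header, for other hosts */
struct ica_rsa_modexpo {
    uint8_t *inputdata;  uint32_t inputdatalength;
    uint8_t *outputdata; uint32_t outputdatalength;
    uint8_t *b_key;      uint8_t *n_modulus;
};
#define ICARSAMODEXPO _IOC(_IOC_READ | _IOC_WRITE, 'z', 0x05, 0)
#endif

/* Right-justify src in a width-byte field, zero-padded on the left: the
 * layout the driver requires for exponent and modulus. Returns 0 or -1. */
int zc_right_justify(uint8_t *dst, size_t width, const uint8_t *src, size_t len)
{
    if (len > width)
        return -1;
    memset(dst, 0, width - len);
    memcpy(dst + (width - len), src, len);
    return 0;
}

/* out = in^e mod n via ICARSAMODEXPO. in, e and mod are each len bytes,
 * big-endian. Raw exponentiation only: padding is the caller's job.
 * Returns 0 on success or a negative errno value. */
int zc_modexpo(const char *node, uint8_t *in, uint8_t *e, uint8_t *mod,
               uint32_t len, uint8_t *out, uint32_t out_len)
{
    struct ica_rsa_modexpo req;
    int fd, rc = 0;
    if (out_len < len)            /* output must be at least input-sized */
        return -EINVAL;
    memset(&req, 0, sizeof(req));
    req.inputdata = in;   req.inputdatalength = len;
    req.outputdata = out; req.outputdatalength = out_len;
    req.b_key = e;        req.n_modulus = mod;
    fd = open(node, O_RDWR);
    if (fd < 0)
        return -errno;
    if (ioctl(fd, ICARSAMODEXPO, &req) < 0)
        rc = -errno;
    close(fd);
    return rc;
}
```

On a system with a cryptographic adapter, pass /dev/z90crypt as node. A negative return value carries the errno from open or from the IOCTL, so a missing device node and a rejected request can be told apart.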
Secure key cryptographic functions
To use secure key cryptographic functions in your user space program by accessing a CCA coprocessor adapter, see Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide, SC33-8294. You can obtain this publication at https://www.ibm.com/docs/linuxonibm/liaaf/lnz_r_ccacnt.html.
To use secure key cryptographic functions in your user space program by accessing an EP11 coprocessor adapter, see Exploiting Enterprise PKCS #11 using openCryptoki, SC34-2713. You can obtain it at ibm.com/docs/en/linux-on-systems?topic=overview-exploiting-enterprise-pkcs-11-using-opencryptoki.