Key Test2 (CSNBKYT2)

Use the Key Test2 verb to generate or verify a secure, cryptographic verification pattern (also referred to as a key-check value) for AES, DES, and HMAC keys contained in a symmetric CCA key token or TR-31 key token.

A key to test can be in the clear, encrypted under the master key, or encrypted under a key-encrypting key. In addition, the verb permits you to test the CCA master keys. Keywords in the rule_array parameter specify whether the verb generates or verifies a verification pattern. See Cryptographic key-verification techniques.

When the verb tests a verification pattern against a key, you must supply the verification pattern from a previous call to Key Test2. This verb returns the verification result in the return code and reason code.

For DES, CCA key tokens may be external and internal, fixed-length (versions 00 or 01) tokens, or external variable-length tokens with a DESUSECV key.

For AES and HMAC, CCA key tokens are external and internal variable-length (version 05) key tokens.

External and internal TR-31 key blocks may contain a DES, AES, or HMAC key. TR-31 DES key blocks may be wrapped with a DES or AES key-encrypting key. TR-31 AES and HMAC key blocks must be wrapped with an AES key-encrypting key.

DES-wrapped TR-31 key blocks (key block protection methods VARXOR-A, VARDRV-B, and VARXOR-C) contain DES keys. AES-wrapped TR-31 key blocks (VARDRV-D) may contain DES, AES, or HMAC keys.
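The following added example (not IBM code and not part of the CCA API) shows a caller-side check of a TR-31 header against the rules above before the key block is passed to Key Test2. The function name tr31_precheck, the result codes, and the sample headers are constructed for illustration. The header offsets (version ID at byte 0, algorithm at byte 7) are taken from the TR-31 header layout, which this page does not describe.

```c
#include <stdio.h>
#include <string.h>

/* Result of checking a TR-31 header against the rules stated above. */
enum kb_check { KB_OK = 0, KB_TOO_SHORT, KB_BAD_VERSION,
                KB_BAD_ALGORITHM, KB_ALG_NOT_ALLOWED };

/* Assumed layout (TR-31 header, 16 ASCII bytes): byte 0 = key block
   version ID, byte 7 = algorithm ('D'/'T' DES family, 'A' AES, 'H' HMAC).
   On return *method names the protection method: A, B, C are wrapped
   with a DES KEK, D with an AES KEK. */
enum kb_check tr31_precheck(const char *block, size_t len, const char **method)
{
    if (method) *method = NULL;
    if (block == NULL || len < 16) return KB_TOO_SHORT;

    const char *m;
    switch (block[0]) {
    case 'A': m = "VARXOR-A"; break;
    case 'B': m = "VARDRV-B"; break;
    case 'C': m = "VARXOR-C"; break;
    case 'D': m = "VARDRV-D"; break;
    default:  return KB_BAD_VERSION;
    }
    if (method) *method = m;

    char alg = block[7];
    int is_des = (alg == 'D' || alg == 'T');
    if (!is_des && alg != 'A' && alg != 'H') return KB_BAD_ALGORITHM;
    /* DES-wrapped methods (A, B, C) carry only DES keys; the AES-wrapped
       method D may carry DES, AES, or HMAC keys. */
    if (block[0] != 'D' && !is_des) return KB_ALG_NOT_ALLOWED;
    return KB_OK;
}

int main(void)
{
    /* Constructed sample headers, not real key blocks. */
    const char *samples[] = { "B0080P0TE00N0000", "D0112D0AB00E0000",
                              "A0072K0AN00N0000" };
    for (size_t i = 0; i < 3; i++) {
        const char *method;
        enum kb_check rc = tr31_precheck(samples[i], strlen(samples[i]), &method);
        printf("%s -> %s, result %d\n", samples[i], method ? method : "?", (int)rc);
    }
    return 0;
}
```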

Clear key tokens are not supported.

You can also use the Key Test2 verb to return the key length of an AES or DES key in a secure key token. The information is returned in the verification_pattern parameter.

Note: This verb supports PCI-HSM 2016 compliant-tagged key tokens.