Required commands

This topic lists the commands that must be enabled to use CSNDSXD.

The Symmetric Key Export with Data verb requires the Symmetric Key Export with Data command (offset X'02B5') to be enabled in the active role.

In addition, the verb requires the following commands to be enabled in the active role based on the key-formatting method and the token algorithm:

Table 1. Required commands for the Symmetric Key Export with Data verb

Key-formatting method   Algorithm   Offset     Command
PKCS-EXT                AES         X'0130'    Symmetric Key Export - AES, PKCSOAEP, PKCS-1.2
PKCS-EXT                DES         X'0105'    Symmetric Key Export - DES, PKCS-1.2

The Symmetric Key Export with Data - Special command (offset X'02B6') affects which key types are allowed for the source key token. When offset X'02B6' is enabled in the active role, any key type can be used. When it is not enabled in the active role, the following rules apply:

Token algorithm AES:

  • If the source AES key is in a fixed-length CCA symmetric key-token, the key is always allowed.
  • If the source AES key is in a variable-length CCA symmetric key-token, the key type must be CIPHER.
  • If the source AES key is in a TR-31 token, then the TR-31 key usage is limited to D0, and the mode of key use is limited to B, D, or E.

Token algorithm DES:

  • If the source DES key is in a fixed-length CCA symmetric key-token, it must have one of the following:
    • a control vector with bit 61 = B'1' (NOT-CCA)
    • a key type of DATAC
    • a key type of DKYGENKY with subtype DKYL0
  • If the source DES key is in a TR-31 token, then it must have one of the following sets of attributes:
    • The TR-31 key usage must be D0, the Algorithm must be D, and the TR-31 mode of key use must be B, D, or E.
    • The TR-31 key usage must be B3, the Algorithm must be T or D, and the TR-31 mode of key use must be X.
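The rules above can be checked offline when reviewing role definitions. The following is an added example, not IBM code and not part of the original page: it models a role as a set of enabled command offsets and a source key token as a dictionary. The field names (form, key_type, cv_bit61, subtype, usage, tr31_alg, mode) and the sample roles are hypothetical, and token forms the page does not list are assumed to be denied.

```python
# Added example: models the role rules described above. Not IBM code, no CCA API calls.
SXD, SXD_SPECIAL = 0x02B5, 0x02B6            # offsets from the page
FORMAT_CMD = {("PKCS-EXT", "AES"): 0x0130,   # Table 1
              ("PKCS-EXT", "DES"): 0x0105}

def missing_commands(role, method, alg):
    """Return the required offsets that the role (set of enabled offsets) lacks."""
    return sorted({SXD, FORMAT_CMD[(method, alg)]} - set(role))

def _tr31_allowed(alg, tok):
    usage, mode = tok.get("usage"), tok.get("mode")
    if alg == "AES":
        return usage == "D0" and mode in ("B", "D", "E")
    tr31_alg = tok.get("tr31_alg")
    return ((usage == "D0" and tr31_alg == "D" and mode in ("B", "D", "E")) or
            (usage == "B3" and tr31_alg in ("T", "D") and mode == "X"))

def source_key_allowed(role, alg, tok):
    """Apply the source-key rules; tok uses hypothetical field names."""
    if SXD_SPECIAL in role:
        return True                          # X'02B6' enabled: any key type
    form, ktype = tok["form"], tok.get("key_type")
    if form == "tr31":
        return _tr31_allowed(alg, tok)
    if alg == "AES":
        return form == "fixed" or (form == "variable" and ktype == "CIPHER")
    if form == "fixed":                      # DES, fixed-length token
        return (tok.get("cv_bit61") == 1 or ktype == "DATAC" or
                (ktype == "DKYGENKY" and tok.get("subtype") == "DKYL0"))
    return False  # assumption: forms the page does not list are denied

def audit(roles, method, alg, tok):
    """Per role: missing offsets, whether tok is exportable, and if X'02B6' is on."""
    return {name: {"missing": [f"X'{o:04X}'" for o in missing_commands(r, method, alg)],
                   "key_allowed": source_key_allowed(r, alg, tok),
                   "special_enabled": SXD_SPECIAL in r}
            for name, r in roles.items()}

if __name__ == "__main__":
    roles = {  # constructed sample roles
        "EXPORT_OPS": {0x02B5, 0x0130},
        "LEGACY_ADMIN": {0x02B5, 0x0105, 0x02B6},
    }
    tok = {"form": "variable", "key_type": "EXPORTER"}  # constructed AES token
    for name, result in audit(roles, "PKCS-EXT", "AES", tok).items():
        print(name, result)
```

A role reported with special_enabled set to True accepts any source key type, so it is the one to review first when auditing who can export keys with this verb.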