Usage notes
Usage notes for CSNBDKG.
Refer to Managing control vectors for information on the control vector bits for the DKG key generating key.
Starting with CCA release 8.1, the generated_key_identifier will take its compliance-tagged property from the generating_key_identifier, resulting in the following behavior:
- If the generating key is compliance-tagged, but the generated key skeleton is not, then the generated key is compliance-tagged.
- If the generating key is not compliance-tagged, but the generated key skeleton is compliance-tagged, then the generated key is NOT compliance-tagged.
When using TR-31 key tokens, observe the following:
- When the content of parameter generated_key_identifier is a skeleton TR-31 key token, the following applies:
  - If the generating_key_identifier does NOT contain the DA optional block, then the skeleton TR-31 token in generated_key_identifier is only checked against the allowed Key Usage values for the specified rule array keyword.
  - Else if the generating_key_identifier contains the DA optional block, the generated_key_identifier skeleton is also checked against the allowed key block header configurations contained in the DA optional block. The skeleton attributes must be an exact match for one of the derivations in the optional block. If an exact match is not found, an error is thrown.
- When the content of parameter generated_key_identifier is a NULL token (allowed only for TDES-CBC, TDES-ENC, and TDES-DEC), then the CSNBDKG service builds the generated_key_identifier using the content of parameter generating_key_identifier as a model.
  If the generating_key_identifier contains a DA optional block, the DA optional block must contain exactly an entry that matches itself.
- A completed TR-31 key token is not allowed in the generated_key_identifier parameter, only a skeleton TR-31 key token is allowed.
- Additionally, ensure that the buffer is sufficient for the key that is returned if the generated_key_identifier is a TR-31 skeleton on input. The maximum size of a TR-31 key token is 9992 bytes.
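
The skeleton checks described above can be modeled as a pre-flight test before the service is called. This is an added example, not IBM code and not a CCA API: it assumes the standard 16-character TR-31 header layout and a DA block made of a two-character version "01" followed by five-character entries (key usage, algorithm, mode of use, exportability). The sample headers and the allowed-usage set are constructed.

```python
# Added example: models the documented skeleton checks; it does not call CCA.

def parse_header(token):
    """Return (attrs, optional_blocks) from a TR-31 key block header string."""
    # attrs = (key usage, algorithm, mode of use, exportability)
    attrs = (token[5:7], token[7], token[8], token[11])
    count, pos, blocks = int(token[12:14]), 16, {}
    for _ in range(count):
        block_id = token[pos:pos + 2]
        length = int(token[pos + 2:pos + 4], 16)  # covers ID + length + data
        if length < 4 or pos + length > len(token):
            raise ValueError("malformed optional block " + block_id)
        blocks[block_id] = token[pos + 4:pos + length]
        pos += length
    return attrs, blocks

def da_entries(data):
    """Split DA block data into derivation tuples (assumed layout, see lead-in)."""
    body = data[2:]
    if data[:2] != "01" or len(body) % 5:
        raise ValueError("unexpected DA block layout")
    return {(body[i:i + 2], body[i + 2], body[i + 3], body[i + 4])
            for i in range(0, len(body), 5)}

def check_skeleton(generating, skeleton, allowed_usages):
    """Apply the two documented cases: no DA block, or DA block present."""
    _, gen_blocks = parse_header(generating)
    skel_attrs, _ = parse_header(skeleton)
    if skel_attrs[0] not in allowed_usages:
        return "reject: key usage not allowed for keyword"
    if "DA" not in gen_blocks:
        return "ok: key usage check only"
    if skel_attrs not in da_entries(gen_blocks["DA"]):
        return "reject: no exact DA match"
    return "ok: exact DA match"

# Constructed sample headers (no key material, not real tokens).
GEN_NO_DA = "D0016E0TX00N0000"
GEN_DA = "D0032E0TX00N0100" + "DA1001D0TENM3TGN"  # allows D0/T/E/N and M3/T/G/N
SKEL_ENC = "D0016D0TE00N0000"
SKEL_DEC = "D0016D0TD00N0000"
SKEL_MAC = "D0016M3TG00N0000"
ALLOWED = {"D0"}  # hypothetical allowed Key Usage set for one rule array keyword

if __name__ == "__main__":
    for gen in (GEN_NO_DA, GEN_DA):
        for skel in (SKEL_ENC, SKEL_DEC, SKEL_MAC):
            print(gen[:16], skel, check_skeleton(gen, skel, ALLOWED))
```

The same decrypt-only skeleton passes when the generating key has no DA block and is rejected when a DA block is present, which is the behavior difference to expect when DA blocks are introduced on existing generating keys.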