Key label
If the first byte of the key identifier is greater than X'5A', the field is considered to be holding a key label.
The contents of a key label are interpreted as a pointer to a CKDS or PKDS key entry. The key label is an indirect reference to an internal key token.
A key label is specified on callable services with the key_identifier parameter as a 64-byte character string, left-justified, and padded on the right with blanks. In most cases, the callable service does not check the syntax of the key label beyond the first byte. One exception is the CKDS key record create callable service, which enforces the KGUP rules for key labels unless syntax checking is bypassed by a preprocessing exit.
A key label has this form:
| Offset | Length | Data |
|---|---|---|
| 00-63 | 64 | Key label name |
There are some general rules for creating labels for CKDS key records.
- Each label can consist of up to 64 characters. The first character must be alphabetic or a national character (#, $, @). The remaining characters can be alphanumeric, a national character (#, $, @), or a period (.).
- All alphabetic characters must be uppercase (A-Z). All labels in the key data sets are created with uppercase characters.
- Labels must be unique for all CCA key types except these DES key types in CCA key tokens: EXPORTER, IMPORTER, PINGEN, PINVER, OPINENC, and IPINENC.
- Labels must be unique for all X9.143 (TR-31) key blocks.
- Transport and PIN keys can have duplicate labels for different key types. However, keys that are created or updated by using the dynamic CKDS update services must have unique key labels.
- Labels must be unique for any key record, including transport and PIN keys, which are created or updated by using the dynamic CKDS update services.
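Because most callable services do not check a label beyond its first byte, a caller can enforce the syntax rules above before building the key_identifier field. The sketch below is an added example, not IBM code: the function names are hypothetical, code page 037 is assumed for the EBCDIC encoding, and the uniqueness rules are not covered because they depend on the key data set contents.

```python
import re

LABEL_LEN = 64      # width of the key_identifier field
EBCDIC = "cp037"    # assumption: US EBCDIC code page on the host


def check_label(label: str) -> list:
    """Return the syntax rules a proposed CKDS label breaks (empty list = OK)."""
    problems = []
    if not 1 <= len(label) <= LABEL_LEN:
        problems.append("length must be 1 to 64 characters")
    if any(c.islower() for c in label):
        problems.append("alphabetic characters must be uppercase")
    if label and not re.fullmatch(r"[A-Za-z#$@]", label[0]):
        problems.append("first character must be alphabetic or #, $, @")
    if re.search(r"[^A-Za-z0-9#$@.]", label[1:]):
        problems.append("remaining characters must be alphanumeric, #, $, @ or period")
    return problems


def to_key_identifier(label: str) -> bytes:
    """Left-justify, blank-pad to 64 bytes and encode as EBCDIC."""
    problems = check_label(label)
    if problems:
        raise ValueError(f"{label!r}: " + "; ".join(problems))
    return label.ljust(LABEL_LEN).encode(EBCDIC)


def is_key_label(field: bytes) -> bool:
    """A 64-byte key identifier whose first byte is > X'5A' holds a key label."""
    return len(field) == LABEL_LEN and field[0] > 0x5A


if __name__ == "__main__":
    # Constructed sample labels, not taken from any real key data set.
    for candidate in ["PROD.PIN.KEY01", "$TEST.KEY", "1BAD", "prod.key", "BAD LABEL"]:
        issues = check_label(candidate)
        if issues:
            print(f"{candidate!r}: rejected ({'; '.join(issues)})")
        else:
            field = to_key_identifier(candidate)
            print(f"{candidate!r}: first byte X'{field[0]:02X}', key label = {is_key_label(field)}")
```

Under code page 037 every permitted first character (A-Z, #, $, @) encodes above X'5A', with `$` at X'5B' as the lowest, so a label that passes `check_label` is always classified as a key label by the first-byte rule.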