z/TPF cryptographic function inventory code scanning

In addition to the z/TPF secure key compliance tooling, you can use the z/TPF cryptographic function inventory code scanning function to gather a comprehensive cryptographic inventory of your z/TPF system.

z/TPF applications can issue APIs to encrypt and decrypt data, and to create hash values, message digests, and digital signatures. Information about z/TPF secure keys that are used online by applications for encryption and decryption is collected and displayed automatically by the z/TPF secure key compliance tooling. However, applications might use other cryptographic functionality that the tooling does not see. The following table shows the cryptographic functions that are available on the z/TPF system, their respective purposes, and corresponding grep strings that can be used to search for other usage of these functions within your code. Combine the scanning results with the automatically collected online information to gain a complete picture.

Table 1. Cryptographic functions available for z/TPF applications

| C functions, assembler macros, and assembler instructions | Usage | Grep strings (using BRE syntax) |
|---|---|---|
| tpf_RSA_sign | Create a digital signature from contiguous data by using an RSA private key. | tpf_RSA_sign |
| tpf_RSA_sign_init | Initialize control structure for creating a digital signature of discontiguous data. | |
| tpf_RSA_sign_update | Update hashed data value in digital signature context. | |
| tpf_RSA_sign_final | Compute final digital signature value. | |
| tpf_RSA_verify | Verify a digital signature of contiguous data by using an RSA public key. | tpf_RSA_verify |
| tpf_RSA_verify_init | Initialize control structure for verifying a digital signature of discontiguous data. | |
| tpf_RSA_verify_update | Update hashed data value in digital signature context. | |
| tpf_RSA_verify_final | Verify data against final digital signature value. | |
| tpf_RSA_encrypt_data | Encrypt data by using an RSA public key. | tpf_RSA_encrypt_data |
| tpf_RSA_decrypt_data | Decrypt data by using an RSA private key. | tpf_RSA_decrypt_data |
| tpf_cryptc | Encrypt and decrypt data by using a clear key. | tpf_cryptc |
| CRYPC | Encrypt and decrypt data by using a clear key. | ' CRYPC \+FUNC=' |
| tpf_random | Generate a random number. | tpf_random |
| tpf_SHA1_Init | Initialize SHA1 control structure. | tpf_SHA1 |
| tpf_SHA1_Digest | Create an SHA1 message digest. | |
| tpf_SHA1_Update | Update the SHA1 message digest value. | |
| tpf_SHA1_Final | Compute the final SHA1 message digest value. | |
| tpf_SHA1_Init_new | Initialize SHA1 control structure. | |
| tpf_SHA1_Digest_new | Create an SHA1 message digest. | |
| tpf_SHA1_Update_new | Update the SHA1 message digest value. | |
| tpf_SHA1_Final_new | Compute the final SHA1 message digest value. | |
| tpf_SHA256_Init | Initialize SHA256 control structure. | tpf_SHA256 |
| tpf_SHA256_Digest | Create an SHA256 message digest. | |
| tpf_SHA256_Update | Update the SHA256 message digest value. | |
| tpf_SHA256_Final | Compute the final SHA256 message digest value. | |
| tpf_SHA256_Init_new | Initialize SHA256 control structure. | |
| tpf_SHA256_Digest_new | Create an SHA256 message digest. | |
| tpf_SHA256_Update_new | Update the SHA256 message digest value. | |
| tpf_SHA256_Final_new | Compute the final SHA256 message digest value. | |
| tpf_SHA512_Init | Initialize SHA512 control structure. | tpf_SHA512 |
| tpf_SHA512_Digest | Create an SHA512 message digest. | |
| tpf_SHA512_Update | Update the SHA512 message digest value. | |
| tpf_SHA512_Final | Compute the final SHA512 message digest value. | |
| tpf_encrypt_data | Encrypt data by using a symmetric key from the keystore. | tpf_encrypt_data |
| tpf_decrypt_data | Decrypt data by using a symmetric key from the keystore. | tpf_decrypt_data |
| KLMD | Compute the last message digest. | ' KLMD \+R[0-9]' |
| KIMD | Compute the intermediate message digest. | ' KIMD \+R[0-9]' |
| KM | Compute a cipher message. | ' KM[ACFORT]* \+R[0-9]' |
| KMC | Compute a cipher message with chaining. | |
| KMAC | Compute message authentication code. | |
| KMA | Compute a cipher message with authentication. | |
| KMO | Compute a cipher message with output feedback. | |
| KMF | Compute a cipher message with cipher feedback. | |
| KMCTR | Compute a cipher message with counter. | |

A blank grep string cell means that the function is matched by the grep string on the nearest row above it (the function name starts with that string, or the instruction mnemonic is covered by the bracket expression).
You can put the grep strings that you want to search for into a text file, one string per line, and then search for all of them at once with a single command on Linux®. For example, if the grep strings are in a text file that is named crypto_search, the following command recursively searches for all occurrences of each cryptographic function, starting from the your_codebase directory.
grep -rf crypto_search your_codebase
The following example shows a grep pattern file named crypto_search that includes all of the grep strings from Table 1. The pattern file ends with a newline character after the last pattern to be matched. The single quotation marks at the beginning and end of a pattern string are removed; the leading space that they enclose is part of the pattern and is kept.
tpf_RSA_sign
tpf_RSA_verify
tpf_RSA_encrypt_data
tpf_RSA_decrypt_data
tpf_cryptc
 CRYPC \+FUNC=
tpf_random
tpf_SHA1
tpf_SHA256
tpf_SHA512
tpf_encrypt_data
tpf_decrypt_data
 KLMD \+R[0-9]
 KIMD \+R[0-9]
 KM[ACFORT]* \+R[0-9]
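The following script is an added example and is not part of the z/TPF documentation. It writes the Table 1 grep strings to a crypto_search pattern file, builds a small constructed code base (two C modules and one assembler module; the C argument lists and assembler operands are placeholders, not the real z/TPF prototypes), and then produces a per-pattern inventory on top of the plain `grep -rf` search. It also shows two things the scan cannot tell apart on its own: the `_init/_update/_final` variants are found through the shorter name as a prefix, and a comment that mentions a function name is counted just like a call.

```shell
#!/bin/sh
# Added example, not from the z/TPF documentation: build a per-pattern
# cryptographic inventory from a crypto_search pattern file and a source tree.
# The source files below are constructed samples; the C argument lists and
# assembler operands are placeholders, not the real z/TPF prototypes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PATTERNS="$WORK/crypto_search"
TREE="$WORK/your_codebase"

# Write the Table 1 grep strings, one per line, with the surrounding quotation
# marks removed. The leading space on the assembler patterns is part of the
# pattern, so printf (not echo) is used, and the file ends with a newline.
write_pattern_file() {
  printf '%s\n' \
    'tpf_RSA_sign' 'tpf_RSA_verify' 'tpf_RSA_encrypt_data' 'tpf_RSA_decrypt_data' \
    'tpf_cryptc' ' CRYPC \+FUNC=' 'tpf_random' \
    'tpf_SHA1' 'tpf_SHA256' 'tpf_SHA512' \
    'tpf_encrypt_data' 'tpf_decrypt_data' \
    ' KLMD \+R[0-9]' ' KIMD \+R[0-9]' ' KM[ACFORT]* \+R[0-9]' > "$1"
}

# Constructed sample code base: two C modules and one assembler module.
write_sample_tree() {
  mkdir -p "$1/app1" "$1/app2"
  cat > "$1/app1/sign.c" <<'EOF'
/* constructed sample: RSA signature over a SHA-256 digest */
rc = tpf_RSA_sign(key, buf, len, sig, &siglen);
tpf_SHA256_Init(&ctx);
tpf_SHA256_Update(&ctx, buf, len);
tpf_SHA256_Final(digest, &ctx);
EOF
  cat > "$1/app1/verify.c" <<'EOF'
/* constructed sample: the _init/_update/_final variants share the
   contiguous function's name as a prefix, so one grep string finds all */
tpf_RSA_verify_init(&vctx, pubkey);
tpf_RSA_verify_update(&vctx, part, partlen);
rc = tpf_RSA_verify_final(&vctx, sig, siglen);
EOF
  cat > "$1/app2/cipher.c" <<'EOF'
/* constructed sample: keystore key, clear key, and a comment that also matches */
rc = tpf_encrypt_data(keyname, plain, plen, cipher, &clen);
rc = tpf_decrypt_data(keyname, cipher, clen, plain, &plen);
rc = tpf_cryptc(clearkey, plain, plen, cipher);
/* nonce comes from tpf_random; a plain text scan counts this comment too */
EOF
  cat > "$1/app2/hash.asm" <<'EOF'
* constructed sample: CPACF instructions and the CRYPC macro (operands illustrative)
         KIMD  R2,R4
         KLMD  R2,R4
         KMC   R2,R4
         KMCTR R2,R4,R6
         CRYPC FUNC=ENCRYPT
EOF
}

# Number of lines under directory $2 that match the single BRE pattern $1.
count_matches() {
  grep -r -c -e "$1" "$2" | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Number of lines matched by the whole pattern file, i.e. what
# "grep -rf crypto_search your_codebase | wc -l" would report.
total_matches() {
  grep -r -f "$1" "$2" | wc -l | awk '{ print $1 + 0 }'
}

# Inventory: one line per pattern, "count<TAB>pattern", most used first.
# IFS= read -r keeps the leading space of the assembler patterns intact.
inventory() {
  while IFS= read -r pat; do
    printf '%s\t%s\n' "$(count_matches "$pat" "$2")" "$pat"
  done < "$1" | sort -rn
}

write_pattern_file "$PATTERNS"
write_sample_tree "$TREE"
echo "== inventory by pattern =="
inventory "$PATTERNS" "$TREE"
echo "== matching lines (grep -rnf) =="
grep -rnf "$PATTERNS" "$TREE"
```

The inventory lists patterns with a count of zero as well, which is useful evidence in its own right: a function that is absent from the code base does not need to be cross-checked against the online display. Because the scan is purely textual, review the `grep -rnf` lines before treating a count as a real API use; the tpf_random hit in the sample comes from a comment.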

Search results for tpf_encrypt_data and tpf_decrypt_data might also appear in the online secure key compliance display, while some other search results might not appear there at all. To gather a complete cryptographic inventory, cross-check the secure key compliance information against the results of the grep search for the strings in Table 1. The online secure key compliance display shows which applications used secure keys, the name of the key, and the algorithm that was associated with the key name when that key was used. Application source code scanning shows which applications issue secure key APIs, but it cannot tell which algorithm is used because that information is available only online, at API execution time.