Callable services affected by key store policy

This table provides application programmers guidance on parameters covered by the key store policy controls.

Only the names of the 31-bit versions of the callable services are listed. However, 64-bit versions of the callable services and the ALET qualified versions of the services are also covered by the key store policy. The callable services that are affected by the TOKEN_CHECK key store policy controls are in the table below.

Table 1. Callable services and parameters affected by key store policy
ICSF callable service	31-bit name	Parameter checked
Authentication Parameter Generate	CSNBAPG	inbound_PIN_encrypting_key_identifier AP_encrypting_key_identifier
Cipher text translate2	CSNBCTT2	key_identifier_in key_identifier_out
Clear PIN encrypt	CSNBCPE	PIN_encrypting_key_identifier
Clear PIN generate alternate	CSNBCPA	PIN_encryption_key_identifier PIN_generation_key_identifier
Clear PIN generate	CSNBPGN	PIN_generation_key_identifier
Control vector translate	CSNBCVT	KEK_key_identifier source_key_token array_key_left array_key_right
CVV key combine	CSNBCKC	key_a_identifier key_b_identifier
Cryptographic variable encipher	CSNBCVE	c_variable_encrypting_key_identifier
Data key export	CSNBDKX	source_key_identifier exporter_key_identifier
Data key import	CSNBDKM	source_key_token importer_key_identifier
Decipher	CSNBDEC	key_identifier
Digital signature generate	CSNDDSG	PKA_private_key_identifier
Digital signature verify	CSNDDSV	PKA_public_key_identifier
Diversified key generate	CSNBDKG	generating_key_identifier generated_key_identifier
Diversified Key Generate2	CSNBDKG2	generating_key_identifier
DK Deterministic PIN Generate	CSNBDDPG	PIN_generation_key_identifier PRW_key_identifier PIN_print_key_identifier OPIN_encryption_key_identifier OEPB_MAC_key_identifier
DK Migrate PIN	CSNBDMP	IPINENC_key_identifier PRW_key_identifier OPIN_encryption_key_identifier OEPB_MAC_key_identifier
DK PAN Modify in Transaction	CSNBDPMT	CMAC_FUS_key_identifier IPIN_encryption_key_identifier PRW_key_identifier new_PRW_key_identifier
DK PAN Translate	CSNBDPT	PRW_key_identifier IPIN_encryption_key_identifier IEPB_MAC_key_identifier OPIN_encryption_key_identifier OEPB_MAC_key_identifier
DK PIN Change	CSNBDPC	PRW_MAC_key_identifier cur_IPIN_encryption_key_identifier new_IPIN_encryption_key_identifier script_key_identifier script_MAC_key_identifier new_PRW_MAC_key_identifier OPIN_encryption_key_identifier OEPB_MAC_key_identifier
DK PIN Verify	CSNBDPV	PRW_MAC_key_identifier IPIN_encryption_key_identifier
DK PRW Card Number Update	CSNBDPNU	PRW_key_identifier IPIN_encryption_key_identifier IEPB_MAC_key_identifier OPIN_encryption_key_identifier OEPB_MAC_key_identifier
DK PRW CMAC Generate	CSNBDPCG	CMAC_FUS_key_identifier
DK Random PIN Generate	CSNBDRPG	PRW_MAC_key_identifier PIN_print_key_identifier OPIN_encryption_key_identifier OEPB_MAC_key_identifier
DK Regenerate PRW	CSNBDRP	PRW_key_identifier IPIN_encryption_key_identifier IEPB_MAC_key_identifier OPIN_encryption_key_identifier OEPB_MAC_key_identifier
ECC Diffie-Hellman	CSNDEDH	private_key_identifier private_KEK_key_identifier public_key_identifier output_KEK_key_identifier
Encipher	CSNBENC	key_identifier
Encrypted PIN generate	CSNBEPG	PIN_generating_key_identifier outbound_PIN_encrypting_key_identifier
Encrypted PIN translate	CSNBPTR	input_PIN_encrypting_key_identifier output_PIN_encrypting_key_identifier
Encrypted PIN verify	CSNBPVR	input_PIN_encrypting_key_identifier PIN_verifying_key_identifier
FPE decipher	CSNBFPED	key_identifier
FPE encipher	CSNBFPEE	key_identifier
FPE translate	CSNBFPET	input_key_identifier output_key_identifier
HMAC generate	CSNBHMG	key_identifier
HMAC verify	CSNBHMV	key_identifier
Key export	CSNBKEX	source_key_identifier exporter_key_identifier
Key generate	CSNBKGN	KEK_key_identifier_1 KEK_key_identifier_2
Key import	CSNBKIM	source_key_token importer_key_identifier
Key test	CSNBKYT	key_identifier
Key test2	CSNBKYT2	key_identifier
Key test extended	CSNBYTX	key_identifier kek_key_identifier
Key translate	CSNBKTR	input_KEK_key_identifier output_KEK_key_identifier
Key translate2	CSNBKTR2,	input_key_token input_KEK_identifier output_KEK_identifier
MAC generate	CSNBMGN	key_identifier
MAC Generate2	CSNBMGN2	key_identifier
MAC Generate2 (with ALET)	CSNBMGN3	key_identifier
MAC verify	CSNBMGN	key_identifier
MAC Verify2	CSNBMVR2	key_identifier
MAC Verify2 (with ALET)	CSNBMVR3	key_identifier
Multiple secure key import	CSNBSKM	key_encrypting_key_identifier
PIN Change/Unblock	CSNBPCU	authentication_issuer_master_key_identifier encryption_issuer_master_key_identifier new_reference_PIN_key_identifier current_reference_PIN_key_identifier
PKA decrypt	CSNDPKD	PKA_key_identifier
PKA encrypt	CSNDPKE	PKA_key_identifier
PKA key generate	CSNDPKG	transport_key_identifier
PKA key import	CSNDPKI	importer_key_identifier
PKA key translate	CSNDPKT	source_key_identifier source_transport_key_identifier target_transport_key_identifier
PKA key token change	CSNDPKTC	key_identifier
PKA public key extract	CSNDPKX	source_key_identifier target_public_key_token
Prohibit export	CSNBPEX	key_identifier
Prohibit export extended	CSNBPEXX	source_key_token, kek_key_identifier
Recover PIN From Offset	CSNBPFO	PIN_encryption_key_identifier PIN_generation_key_identifier
Remote key export	CSNDRKX	trusted_block_identifier transport_key_identifier importer_key_identifier source_key_identifier
Restrict key attribute	CSNBRKA	key_identifier
Secure key import	CSNBSKI	importer_key_identifier key_identifier
Secure messaging for keys	CSNBSKY	input_key_identifier key_encrypting_key_identifier secmsg_key_identifier
Secure messaging for PINs	CSNBSPN	PIN_encrypting_key_identifier secmsg_key_identifier
SET block compose	CSNDSBC	RSA_public_key_identifier DES_key_block RSA_OAEP_block
SET block decompose	CSNDSBD	RSA_private_key_identifier DES_key_block (one or two tokens)
Symmetric algorithm decipher	CSNBSAD	key_identifier
Symmetric algorithm encipher	CSNBSAE	key_identifier
Symmetric key export	CSNDSYX	DATA_key_identifier RSA_public_key_identifier
Symmetric Key Export with Data	CSNDSXD	source_key_identifier RSA_public_key_identifier
Symmetric key generate	CSFSYG	key_encrypting_key_identifier RSA_public_key_identifier DES_enciphered_key_token
Symmetric key import	CSNDSYI	RSA_enciphered_key RSA_private_key_identifier
Symmetric key import2	CSNDSYI2	RSA_private_key_identifier
Transaction validation	CSNBTRV	transaction_key_identifier
Trusted block create	CSNDTBC	input_block_identifier transport_key_identifier
TR-31 Export	CSNBT31X	source_key_identifier unwrap_kek_identifier wrap_kek_identifier
TR-31 Import	CSNBT31I	unwrap_kek_identifier, wrap_kek_identifier
Unique Key Derive	CSNBUKD	base_derivation_key_identifier transport_key_identifier
VISA CVV service generate	CSNBCSG	CVV_key_A_Identifier CVV_key_B_Identifier
VISA CVV service verify	CSNBCSV	CVV_key_A_Identifier CVV_key_B_Identifier

The callable services that are affected by the no duplicates key store policy controls are listed in the table below.

Table 2. Callable services that are affected by the no duplicates key store policy controls
ICSF callable service	31-bit name	Parameter checked
Key part import	CSNBKPI	key_identifier
Key record write	CSNBKRW	key_token
PKA Key Generate	CSNDPKG/CSNFPKG	generated_key_token
PKA Key Import	CSNDPKI/CSNFPKI	source_key_identifier
PKDS record create	CSNDKRC/CSNFKRC	token
PKDS record read	CSNDKRR	token
PKDS record write	CSNDKRW	key_token
Trusted Block Create	CSNDTBC	input_block_identifier