z/OS Cryptographic Services ICSF Application Programmer's Guide


Parameters

SA22-7522-16

return_code
Direction: Output
Type: Integer

The return code specifies the general result of the callable service. Appendix A. ICSF and TSS Return and Reason Codes lists the return codes.

reason_code
Direction: Output
Type: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. Appendix A. ICSF and TSS Return and Reason Codes lists the reason codes.

exit_data_length
Direction: Input/Output
Type: Integer

The length of the data that is passed to the installation exit. The length can be from X'00000000' to X'7FFFFFFF' (2 gigabytes). The data is identified in the exit_data parameter.

exit_data
Direction: Input/Output
Type: String

The data that is passed to the installation exit.

rule_array_count
Direction: Input
Type: Integer

The number of keywords you are supplying in the rule_array parameter. The value may be 0, 1, 2, or 3.

rule_array
Direction: Input
Type: String

Keywords that provide control information to the callable service. One keyword specifies the method for calculating the digital signature. Another keyword specifies formatting of the hash value for RSA digital signature generation. A third keyword specifies the hash method used to prepare the hash value for RSA digital signature generation. Table 223 lists the keywords. Each keyword is left-justified in an 8-byte field and padded on the right with blanks. All keywords must be in contiguous storage.

Table 223. Keywords for Digital Signature Generate Control Information

Keyword | Meaning
ISO-9796 | Calculate the digital signature on the hash according to ISO-9796-1. Any hash method is allowed. This is the default.
PKCS-1.0 | Calculate the digital signature on the BER-encoded ASN.1 value of the type DigestInfo containing the hash according to the RSA Data Security, Inc. Public Key Cryptography Standards #1 block type 00. The text must have been hashed prior to inputting to this service.
PKCS-1.1 | Calculate the digital signature on the BER-encoded ASN.1 value of the type DigestInfo containing the hash according to the RSA Data Security, Inc. Public Key Cryptography Standards #1 block type 01. The text must have been hashed prior to inputting to this service.
ZERO-PAD | Format the hash by padding it on the left with binary zeros to the length of the RSA key modulus. Any supported hash function is allowed.
RPMD-160 | Hash the input text using the RIPEMD-160 hash method.
SHA-1 | Hash the input text using the SHA-1 hash method.
Signature algorithm (optional, supported on the CEX3C coprocessor)
RSA | RSA or DSS processing is to occur.
ECDSA | The elliptic curve digital signature algorithm is to be used. When specified, this is the only keyword permitted in the Rule Array.

PKA_private_key_identifier_length
Direction: Input
Type: Integer

The length of the PKA_private_key_identifier field. The maximum size is 3500 bytes.

PKA_private_key_identifier
Direction: Input
Type: String

An internal token or label of an RSA or DSS private key or Retained key. If the signature format is X9.31, the modulus of the RSA key must have a length of at least 1024 bits. If the signature algorithm is ECDSA, this must be a token or label of an ECC private key.

hash_length
Direction: Input
Type: Integer

The length of the hash parameter in bytes. It must be the exact length of the text to sign. The maximum size is 512 bytes. If you specify ZERO-PAD in the rule_array parameter, the length is restricted to 36 bytes unless the RSA key is a signature-only key, in which case the maximum length is 512 bytes.

On the IBM eServer zSeries 990 and subsequent releases, the hash length limit is controlled by a new access control point. Only RSA key management keys are affected by this access control point. The limit for RSA signature use only keys is 512 bytes. This new access control point is always disabled in the Default role. You must have a TKE workstation to enable it.

hash
Direction: Input
Type: String

The application-supplied text on which to generate the signature.

signature_field_length
Direction: Input/Output
Type: Integer

The length in bytes of the signature_field to contain the generated digital signature. Upon return, this field contains the actual length of the generated signature. The maximum size is 512 bytes.

Note:
For RSA, this must be at least the RSA modulus size (rounded up to a multiple of 32 bytes for the X9.31 signature format, or one byte for all other signature formats). For DSS, this must be at least 40 bytes.

For RSA and DSS, this field is updated with the minimum byte length of the digital signature.

For ECDSA, the digital signature is R concatenated with S. The maximum output value will be 1042 bits (131 bytes). The size of the signature is determined by the size of P. Both R and S will have size P. For prime curves, the maximum is 2 * 521 bits. For Brainpool curves, the maximum size is 2 * 512 bits.

signature_bit_length
Direction: Output
Type: Integer

The bit length of the digital signature generated. For ISO-9796 this is 1 less than the modulus length. For other RSA processing methods, this is the modulus length. For DSS, this is 320.

signature_field
Direction: Output
Type: String

The digital signature generated is returned in this field. The digital signature is in the low-order bits (right-justified) of a string whose length is the minimum number of bytes that can contain the digital signature. This string is left-justified within the signature_field. Any unused bytes to the right are undefined.
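
The rule_array layout and the signature_field sizing rules described above, as an added C example (not IBM's code; it prepares and checks parameters only and does not call the callable service). The function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define KW_LEN 8        /* each keyword occupies an 8-byte field */
#define MAX_KEYWORDS 3  /* rule_array_count may be 0, 1, 2, or 3 */

/* Pack keywords into contiguous, left-justified, blank-padded 8-byte
 * fields. Returns rule_array_count, or -1 if a rule above is broken. */
int build_rule_array(const char *const kw[], int n, char *out)
{
    if (n < 0 || n > MAX_KEYWORDS)
        return -1;
    for (int i = 0; i < n; i++) {
        size_t len = strlen(kw[i]);
        if (len == 0 || len > KW_LEN)
            return -1;
        if (strcmp(kw[i], "ECDSA") == 0 && n != 1)
            return -1;               /* ECDSA must be the only keyword */
        memset(out + i * KW_LEN, ' ', KW_LEN);  /* blank padding */
        memcpy(out + i * KW_LEN, kw[i], len);   /* no NUL terminator */
    }
    return n;
}

/* Minimum signature_field_length in bytes for an RSA key, or -1 when
 * X9.31 is requested with a modulus shorter than 1024 bits. */
long rsa_min_signature_field_length(long modulus_bits, int is_x931)
{
    if (modulus_bits <= 0 || (is_x931 && modulus_bits < 1024))
        return -1;
    long bytes = (modulus_bits + 7) / 8;        /* round up to a byte */
    return is_x931 ? (bytes + 31) / 32 * 32 : bytes;
}

/* Bytes of signature_field that hold the signature on return; bytes to
 * the right of these are undefined and must not be stored or compared. */
long signature_bytes(long signature_bit_length)
{
    return (signature_bit_length + 7) / 8;
}

int main(void)
{
    const char *const kw[] = { "RSA", "PKCS-1.1" };  /* constructed sample */
    char rule_array[MAX_KEYWORDS * KW_LEN];
    int count = build_rule_array(kw, 2, rule_array);
    printf("count=%d rule_array=[%.*s]\n", count, count * KW_LEN, rule_array);
    printf("RSA-2048 min field: %ld\n", rsa_min_signature_field_length(2048, 0));
}
```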


Copyright IBM Corporation 1990, 2014