One-Way Hash Generate (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1)

Use the one-way hash generate callable service to generate a one-way hash on specified text. This service supports the following methods:

MD5 - software only
SHA-1
RIPEMD-160 - software only
SHA-224
SHA-256
SHA-384
SHA-512

The callable service names for AMODE(64) invocation are CSNEOWH and CSNEOWH1.

Format

CALL CSNBOWH(
             return_code,
             reason_code,
             exit_data_length,
             exit_data,
             rule_array_count,
             rule_array,
             text_length,
             text,
             chaining_vector_length,
             chaining_vector,
             hash_length,
             hash)

CALL CSNBOWH1(
              return_code,
              reason_code,
              exit_data_length,
              exit_data,
              rule_array_count,
              rule_array,
              text_length,
              text,
              chaining_vector_length,
              chaining_vector,
              hash_length,
              hash,
              text_id_in)

Parameters

return_code

Direction	Type
Output	Integer

The return code specifies the general result of the callable service. ICSF and cryptographic coprocessor return and reason codes lists the return codes.

reason_code

Direction	Type
Output	Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. ICSF and cryptographic coprocessor return and reason codes lists the reason codes.

exit_data_length

Direction	Type
Input/Output	Integer

The length of the data that is passed to the installation exit. The data is identified in the exit_data parameter.

exit_data

Direction	Type
Input/Output	String

The data that is passed to the installation exit.

rule_array_count

Direction	Type
Input	Integer

The number of keywords you are supplying in the rule_array parameter. The value must be 1, 2 or 3.

rule_array

Direction	Type
Input	String

Keywords that provide control information to the callable service are listed in Table 1. The optional chaining flag keyword indicates whether calls to this service are chained together logically to overcome buffer size limitations. Each keyword is left-justified in an 8-byte field and padded on the right with blanks. All keywords must be in contiguous storage.

Table 1. Keywords for One-Way Hash Generate Rule Array Control Information
Keyword	Meaning
*Hash Method (required)*
MD5	Hash algorithm is MD5 algorithm. Use this hash method for PKCS-1.0 and PKCS-1.1. Length of hash generated is 16 bytes.
MD5-LG	Hash algorithm is similar to the MD5 algorithm. Use this hash method for PKCS-1.0 and PKCS-1.1. Length of hash generated is 16 bytes. Legacy hash values from release HCR7751 and lower prior to APAR OA33657 will be generated for verification purposes with previously archived hash values.
RPMD-LG	Hash algorithm is similar to the RIPEMD-160. Length of hash generated is 20 bytes. Legacy hash values from release HCR7751 and lower prior to APAR OA33657 will be generated for verification purposes with previously archived hash values.
RPMD-160	Hash algorithm is RIPEMD-160. Length of hash generated is 20 bytes.
SHA-1	Hash algorithm is SHA-1 algorithm. Use this hash method for DSS. Length of hash generated is 20 bytes.
SHA-224	Hash algorithm is SHA-256 algorithm. Length of hash generated is 28 bytes.
SHA-256	Hash algorithm is SHA-256 algorithm. Length of hash generated is 32 bytes.
SHA-384	Hash algorithm is SHA-384 algorithm. Length of hash generated is 48 bytes.
SHA-512	Hash algorithm is SHA-512 algorithm. Length of hash generated is 64 bytes.
SHA1LG	Hash algorithm is similar to the SHA-1 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Use this hash method for DSS (applies to One-Way Hash Generate only.) Length of hash generated is 20 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
SHA224LG	Hash algorithm is similar to the SHA-224 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Length of hash generated is 28 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
SHA256LG	Hash algorithm is similar to the SHA-256 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Length of hash generated is 32 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
SHA384LG	Hash algorithm is similar to the SHA-384 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Length of hash generated is 48 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
SHA512LG	Hash algorithm is similar to the SHA-512 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Length of hash generated is 64 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
*Chaining Flag (optional)*
FIRST	Specifies this is the first call in a series of chained calls. Intermediate results are stored in the hash field.
LAST	Specifies this is the last call in a series of chained calls.
MIDDLE	Specifies this is a middle call in a series of chained calls. Intermediate results are stored in the hash field.
ONLY	Specifies this is the only call and the call is not chained. This is the default.

text_length

Direction	Type
Input	Integer

The length of the text parameter in bytes.

Note: If you specify the FIRST or MIDDLE keyword, then the text length must be a multiple of the blocksize of the hash method. For MD5, RPMD-160, SHA-1, SHA-224 and SHA-256, this is a multiple of 64 bytes. For SHA-384 and SHA-512, this is a multiple of 128 bytes.

For ONLY and LAST, this service performs the required padding according to the algorithm specified.

text

Direction	Type
Input	String

The application-supplied text on which this service performs the hash.

chaining_vector_length

Direction	Type
Input	Integer

The byte length of the chaining_vector parameter. This must be 128 bytes.

chaining_vector

Direction	Type
Input/Output	String

This field is a 128-byte work area. Your application must not change the data in this string. The chaining vector permits chaining data from one call to another.

hash_length

Direction	Type
Input	Integer

The length of the supplied hash field in bytes.

Note: For SHA-1 and RPMD-160 this must be at least 20 bytes; for MD5 this must be at least 16 bytes. For SHA-224 and SHA-256, the length must be at least 32 bytes long. Even though the length of the SHA-224 hash is less than SHA-256, the extra bytes are used as a work area during the generation of the hash value. The SHA-224 value is left-justified and padded with zeroes.

For SHA-384 and SHA-512, the length must be at least 64 bytes long. Even though the length of the SHA-384 hash is less than SHA-512, the extra bytes are used as a work area during the generation of the hash value. The SHA-384 value is left-justified and padded with zeroes.

hash

Direction	Type
Input/Output	String

This field contains the hash, left-justified. The processing of the rest of the field depends on the implementation. If you specify the FIRST or MIDDLE keyword, this field contains the intermediate hash value. Your application must not change the data in this field between the sequence of FIRST, MIDDLE, and LAST calls for a specific message.

text_id_in

Direction	Type
Input	Integer

For CSNBOWH1 only, the ALET for the data space containing the text for which to generate the hash.

Usage notes

Although MD5, SHA-1 and SHA-256 allow it, bit length text is not supported for any hashing method.

If the CSF.CSFSERV.AUTH.CSFOWH.DISABLE SAF resource profile is defined in the XFACILIT SAF resource class, no SAF authorization checks will be performed against the CSFSERV class when using this service. If CSF.CSFSERV.AUTH.CSFOWH.DISABLE is not defined, the SAF authorization check will be performed. Disabling the SAF check may improve the performance of your application.

Required hardware

The following table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 2. One-way hash generate required hardware
Server	Required cryptographic hardware	Restrictions
IBM eServer zSeries 990 IBM eServer zSeries 890	CP Assist for Cryptographic Functions	SHA-1 requires CPACF Keywords SHA-224, SHA-256, SHA-384 and SHA-512 are not supported.
IBM System z9 EC IBM System z9 BC	CP Assist for Cryptographic Functions	Keywords SHA-384 and SHA-512 are not supported
IBM System z10 EC IBM System z10 BC	CP Assist for Cryptographic Functions
IBM zEnterprise 196 IBM zEnterprise 114	CP Assist for Cryptographic Functions
IBM zEnterprise EC12 IBM zEnterprise BC12	CP Assist for Cryptographic Functions
IBM z13	CP Assist for Cryptographic Functions