One-Way Hash Generate (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1)

Use the one-way hash generate callable service to generate a one-way hash on specified text. This service supports the following methods:

The callable service names for AMODE(64) invocation are CSNEOWH and CSNEOWH1.

Format

CALL CSNBOWH(
             return_code,
             reason_code,
             exit_data_length,
             exit_data,
             rule_array_count,
             rule_array,
             text_length,
             text,
             chaining_vector_length,
             chaining_vector,
             hash_length,
             hash)

CALL CSNBOWH1(
              return_code,
              reason_code,
              exit_data_length,
              exit_data,
              rule_array_count,
              rule_array,
              text_length,
              text,
              chaining_vector_length,
              chaining_vector,
              hash_length,
              hash,
              text_id_in) 

Parameters

return_code
Direction: Output
Type: Integer

The return code specifies the general result of the callable service. "ICSF and cryptographic coprocessor return and reason codes" lists the return codes.

reason_code
Direction: Output
Type: Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. "ICSF and cryptographic coprocessor return and reason codes" lists the reason codes.

exit_data_length
Direction: Input/Output
Type: Integer

The length of the data that is passed to the installation exit. The data is identified in the exit_data parameter.

exit_data
Direction: Input/Output
Type: String

The data that is passed to the installation exit.

rule_array_count
Direction: Input
Type: Integer

The number of keywords you are supplying in the rule_array parameter. The value must be 1, 2 or 3.

rule_array
Direction: Input
Type: String

Keywords that provide control information to the callable service are listed in Table 1. The optional chaining flag keyword indicates whether calls to this service are chained together logically to overcome buffer size limitations. Each keyword is left-justified in an 8-byte field and padded on the right with blanks. All keywords must be in contiguous storage.

Table 1. Keywords for One-Way Hash Generate Rule Array Control Information

Keyword   Meaning

Hash Method (required)
MD5       Hash algorithm is MD5 algorithm. Use this hash method for PKCS-1.0 and PKCS-1.1. Length of hash generated is 16 bytes.
MD5-LG    Hash algorithm is similar to the MD5 algorithm. Use this hash method for PKCS-1.0 and PKCS-1.1. Length of hash generated is 16 bytes. Legacy hash values from release HCR7751 and lower prior to APAR OA33657 will be generated for verification purposes with previously archived hash values.
RPMD-LG   Hash algorithm is similar to the RIPEMD-160. Length of hash generated is 20 bytes. Legacy hash values from release HCR7751 and lower prior to APAR OA33657 will be generated for verification purposes with previously archived hash values.
RPMD-160  Hash algorithm is RIPEMD-160. Length of hash generated is 20 bytes.
SHA-1     Hash algorithm is SHA-1 algorithm. Use this hash method for DSS. Length of hash generated is 20 bytes.
SHA-224   Hash algorithm is SHA-256 algorithm. Length of hash generated is 28 bytes.
SHA-256   Hash algorithm is SHA-256 algorithm. Length of hash generated is 32 bytes.
SHA-384   Hash algorithm is SHA-384 algorithm. Length of hash generated is 48 bytes.
SHA-512   Hash algorithm is SHA-512 algorithm. Length of hash generated is 64 bytes.
SHA1LG    Hash algorithm is similar to the SHA-1 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Use this hash method for DSS (applies to One-Way Hash Generate only.) Length of hash generated is 20 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
SHA224LG  Hash algorithm is similar to the SHA-224 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Length of hash generated is 28 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
SHA256LG  Hash algorithm is similar to the SHA-256 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Length of hash generated is 32 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
SHA384LG  Hash algorithm is similar to the SHA-384 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Length of hash generated is 48 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.
SHA512LG  Hash algorithm is similar to the SHA-512 algorithm. Use only when text_length is greater than or equal to 256 megabytes (512 megabytes on IBM eServer zSeries 990, IBM eServer zSeries 890, or later hardware on HCR7770). Length of hash generated is 64 bytes. Legacy hash values from release HCR7770 and higher prior to APAR OA43937 will be generated for verification purposes with previously archived hash values.

Chaining Flag (optional)
FIRST     Specifies this is the first call in a series of chained calls. Intermediate results are stored in the hash field.
LAST      Specifies this is the last call in a series of chained calls.
MIDDLE    Specifies this is a middle call in a series of chained calls. Intermediate results are stored in the hash field.
ONLY      Specifies this is the only call and the call is not chained. This is the default.

text_length
Direction: Input
Type: Integer

The length of the text parameter in bytes.

Note: If you specify the FIRST or MIDDLE keyword, then the text length must be a multiple of the blocksize of the hash method. For MD5, RPMD-160, SHA-1, SHA-224 and SHA-256, this is a multiple of 64 bytes. For SHA-384 and SHA-512, this is a multiple of 128 bytes.

For ONLY and LAST, this service performs the required padding according to the algorithm specified.

text
Direction: Input
Type: String

The application-supplied text on which this service performs the hash.

chaining_vector_length
Direction: Input
Type: Integer

The byte length of the chaining_vector parameter. This must be 128 bytes.

chaining_vector
Direction: Input/Output
Type: String

This field is a 128-byte work area. Your application must not change the data in this string. The chaining vector permits chaining data from one call to another.

hash_length
Direction: Input
Type: Integer

The length of the supplied hash field in bytes.

Note: For SHA-1 and RPMD-160 this must be at least 20 bytes; for MD5 this must be at least 16 bytes. For SHA-224 and SHA-256, the length must be at least 32 bytes long. Even though the length of the SHA-224 hash is less than SHA-256, the extra bytes are used as a work area during the generation of the hash value. The SHA-224 value is left-justified and padded with zeroes.

For SHA-384 and SHA-512, the length must be at least 64 bytes long. Even though the length of the SHA-384 hash is less than SHA-512, the extra bytes are used as a work area during the generation of the hash value. The SHA-384 value is left-justified and padded with zeroes.

hash
Direction: Input/Output
Type: String

This field contains the hash, left-justified. The processing of the rest of the field depends on the implementation. If you specify the FIRST or MIDDLE keyword, this field contains the intermediate hash value. Your application must not change the data in this field between the sequence of FIRST, MIDDLE, and LAST calls for a specific message.

text_id_in
Direction: Input
Type: Integer

For CSNBOWH1 only, the ALET for the data space containing the text for which to generate the hash.
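
The rule_array, text_length, chaining_vector_length, hash_length and hash rules above can be checked, and a chained call sequence planned, before the service is invoked. The following Python is an added example, not IBM code, and it does not call ICSF; the function names and the buffer_size parameter are hypothetical, and the legacy "LG" keywords are not modelled.

```python
# Added example: models the parameter rules on this page; it never calls ICSF.
# keyword: (block size for FIRST/MIDDLE text, digest bytes, minimum hash_length)
METHODS = {
    "MD5": (64, 16, 16), "RPMD-160": (64, 20, 20), "SHA-1": (64, 20, 20),
    "SHA-224": (64, 28, 32), "SHA-256": (64, 32, 32),
    "SHA-384": (128, 48, 64), "SHA-512": (128, 64, 64),
}
FLAGS = ("FIRST", "MIDDLE", "LAST", "ONLY")

def build_rule_array(method, flag=None):
    """Return (rule_array_count, rule_array): each keyword left-justified in
    an 8-byte field, blank padded, fields contiguous. Returned as str;
    character-set conversion is left to the caller (assumption)."""
    if method not in METHODS or (flag is not None and flag not in FLAGS):
        raise ValueError("keyword not modelled here")
    keywords = [method] + ([flag] if flag else [])
    return len(keywords), "".join(k.ljust(8) for k in keywords)

def check_call(method, flag, text_length, hash_length, chaining_vector_length=128):
    """Return the rule violations for one planned call (empty list = none)."""
    block, _, min_hash = METHODS[method]
    problems = []
    if flag in ("FIRST", "MIDDLE") and text_length % block:
        problems.append(f"{flag}: text_length must be a multiple of {block}")
    if hash_length < min_hash:
        problems.append(f"hash_length must be at least {min_hash}")
    if chaining_vector_length != 128:
        problems.append("chaining_vector_length must be 128")
    return problems

def plan_calls(method, text_length, buffer_size):
    """Split text into (flag, offset, length) calls for a caller whose buffer
    holds buffer_size bytes (hypothetical parameter)."""
    if text_length <= buffer_size:
        return [("ONLY", 0, text_length)]
    block = METHODS[method][0]
    chunk = buffer_size - buffer_size % block  # largest block multiple that fits
    if chunk == 0:
        raise ValueError("buffer is smaller than one hash block")
    calls, offset = [], 0
    while text_length - offset > buffer_size:
        calls.append(("FIRST" if offset == 0 else "MIDDLE", offset, chunk))
        offset += chunk
    calls.append(("LAST", offset, text_length - offset))
    return calls

def digest_from_hash_field(method, hash_field):
    """The digest is left-justified in the hash field; drop the remainder."""
    return hash_field[:METHODS[method][1]]
```

Only the final call carries a length that is not a block multiple, which matches the statement that padding is performed for ONLY and LAST.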

Usage notes

Although MD5, SHA-1 and SHA-256 allow it, bit length text is not supported for any hashing method.

If the CSF.CSFSERV.AUTH.CSFOWH.DISABLE SAF resource profile is defined in the XFACILIT SAF resource class, no SAF authorization checks will be performed against the CSFSERV class when using this service. If CSF.CSFSERV.AUTH.CSFOWH.DISABLE is not defined, the SAF authorization check will be performed. Disabling the SAF check may improve the performance of your application.

Required hardware

The following table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 2. One-way hash generate required hardware

Server                     Required cryptographic hardware          Restrictions

IBM eServer zSeries 990    CP Assist for Cryptographic Functions    SHA-1 requires CPACF.
IBM eServer zSeries 890                                             Keywords SHA-224, SHA-256, SHA-384 and SHA-512 are not supported.

IBM System z9 EC           CP Assist for Cryptographic Functions    Keywords SHA-384 and SHA-512 are not supported.
IBM System z9 BC

IBM System z10 EC          CP Assist for Cryptographic Functions
IBM System z10 BC

IBM zEnterprise 196        CP Assist for Cryptographic Functions
IBM zEnterprise 114

IBM zEnterprise EC12       CP Assist for Cryptographic Functions
IBM zEnterprise BC12

IBM z13                    CP Assist for Cryptographic Functions