Verify Signature (QC3VFYSG, Qc3VerifySignature) API

The Verify Signature (OPM, QC3VFYSG; ILE, Qc3VerifySignature) API verifies a digital signature is correctly related to the input data. If the verification fails with a CPF9DEF, the input data has been corrupted. A digital signature is created by hashing data and encrypting the hash value using a public key algorithm (PKA). A digital signature can be created by using the Calculate Signature (OPM, QC3CALSG; ILE, Qc3CalculateSignature) API.

Information on cryptographic standards can be found in Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext) API.

Authorities and Locks

Required device description authority

*USE

Required file authority

*OBJOPR, *READ

Required Parameter Group

Signature

INPUT; CHAR(*)

The digital signature to verify.

Length of signature

INPUT; BINARY(4)

The length of signature should be equal to the key size (size of the modulus), but expressed in bytes.

Input data

INPUT; CHAR(*)

The data to verify.
The format of the input data is specified in the input data format name parameter.

Length of input data

INPUT; BINARY(4)

For input data format DATA0100, this is the length of the data to verify.
For input data format DATA0200, this is the number of entries in the array.

Input data format name

INPUT; CHAR(8)

The format of the input data parameter.
The possible format names follow.

DATA0100

The input data parameter contains the data to verify.

DATA0200

The input data parameter contains an array of pointers and lengths to the data to verify.
See Input Data Formats for a description of this format.

Algorithm description

INPUT; CHAR(*)

The algorithm and associated parameters for verifying the data.
The format of the algorithm description is specified in the algorithm description format name parameter.

Algorithm description format name

INPUT; CHAR(8)

The format of the algorithm description.
The possible format names follow.

ALGD0100

The token for an algorithm context. This format must be used when performing the verify signature operation over multiple calls. After the last call (when the final operation flag is on), the context will reset to its initial state and can be used in another API.

ALGD0400

Parameters for a verify signature operation.

See Algorithm Description Formats for a description of these formats.

Key description

INPUT; CHAR(*)

The key and associated parameters for verifying the data.
The format of the key description is specified in the key description format name parameter.
If the verify operation extends over multiple calls (see ALGD0100 description above), only the key description from the first call will be used. Therefore, on subsequent calls, you may set the pointer to this parameter to NULL.

Key description format name

INPUT; CHAR(8)

The format of the key description.
If the pointer to the key description parameter is NULL, this parameter will be ignored.
The possible format names follow.

KEYD0100

The token for a key context. This format identifies a key context. A key context is used to store a key value so it need not be recreated or retrieved every time it is used. To create a key context, use the Create Key Context (OPM, QC3CRTKX; ILE, Qc3CreateKeyContext) API.

KEYD0200

Key parameters.

KEYD0400

Keystore label. This format identifies a key from keystore. For more information about cryptographic services keystore, see Cryptographic Services Keystore.

KEYD0600

PEM certificate. This format uses the PKA key in an ASCII encoded PEM based certificate.

KEYD0700

Certificate label. This format uses the public PKA key identified by a label into signature verification certificate keystore (*SIGNATUREVERIFICATION).

KEYD0800

Distinguished name. This format uses the public PKA key identified by a distinguished name for a certificate in signature verification certificate keystore (*SIGNATUREVERIFICATION).

See Key Description Formats for a description of these formats.

Cryptographic service provider

INPUT; CHAR(1)

The cryptographic service provider (CSP) that will perform the verify signature operation.

0	Any CSP. The system will choose an appropriate CSP to perform the verify signature operation.
1	Software CSP. The system will perform the verify signature operation using software. If the requested algorithm is not available in software, an error is returned.
2	Hardware CSP. The system will perform the verify signature operation using cryptographic hardware. If the requested algorithm is not available in hardware, an error is returned. A specific cryptographic device can be specified using the cryptographic device name parameter. If the cryptographic device is not specified, the system will choose an appropriate one.

Cryptographic device name

INPUT; CHAR(10)

The name of a cryptographic device description.
This parameter is valid when the cryptographic service provider parameter specifies 2 (hardware CSP). Otherwise, this parameter must be blanks or the pointer to this parameter set to NULL.

Error code

I/O; CHAR(*)

The structure in which to return error information.
For the format of the structure, see Error code parameter.

Input Data Formats

DATA0200 Format

Input Data Formats Field Descriptions

Input data length

The length of data to verify.

Input data pointer

A space pointer to the data to verify.

Reserved

Must be null (binary 0s).

Algorithm Description Formats

ALGD0100 Format

ALGD0400 Format

Algorithm Description Formats Field Descriptions

Algorithm context token

A token for an algorithm context. The algorithm context is created by using the Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext) API.

Final operation flag

The final processing indicator.

0

Continue. The system will not perform final processing and the algorithm context will maintain the state of the operation. The algorithm context can be used on future calls to this API to continue the verify signature operation. The result of the signature verification will not be returned until the final operation flag is set on. The pointer to the signature parameter may be set to NULL because the signature is not used until the final operation flag is set on.

1

Final. The system will perform final processing. The signature will be verified and the algorithm context will reset to its initial state. The algorithm context can then be used to begin a new cryptographic operation. When performing a final operation, the pointer to the input data parameter may be set to NULL.

PKA block format

The public key algorithm block format. Following are the valid values.

0	PKCS #1 block type 00
1	PKCS #1 block type 01
3	ISO 9796-1
5	ANSI X9.31 This format is only valid with signing hash algorithm 2 (SHA-1).

Public key cipher algorithm

The encryption algorithm. Following are the valid public key cipher algorithms.

50

RSA

Reserved

Must be null (binary 0s).

Signing hash algorithm

The hash algorithm. Following are the valid values for the signing hash algorithm.

1	MD5
2	SHA-1

Key Description Formats

KEYD0100 Format

KEYD0200 Format

KEYD0400 Format

KEYD0600 Format

KEYD0700 Format

KEYD0800 Format

Key Description Formats Field Descriptions

Certificate label

The label of the certificate in signature verification certificate keystore (*SIGNATUREVERIFICATION).

Certificate label length

The length of the certificate label.

Distinguished name

The distinguished name of the certificate in signature verification certificate keystore (*SIGNATUREVERIFICATION).

Distinguished name length

The length of the distinguished name.

File name

The name of a keystore file. Keystore files are created by using the Create Keystore (OPM, QC3CRTKS; ILE, Qc3CreateKeyStore) API.

Key context token

A token for a key context. The key context is created by using the Create Key Context (OPM, QC3CRTKX; ILE, Qc3CreateKeyContext) API.

Key format

The format of the key string field. Following are the valid values.

1	BER string The key is specified in BER encoded X.509 Certificate or SubjectPublicKeyInfo format. For specifications of this format, refer to RFC 3280.

Key string

The key to use in the verify signature operation.

Key string length

Length of the key string specified in the key string field. The format of the key string is specified in the key format field.

Key type

The type of key. Following are the valid values.

50	RSA public

PEM certificate

An ASCII encoded PEM formated certificate.

PEM certificate length

The length of the PEM certificate.

Qualified keystore file name

The keystore file where the key is stored. Keystore files are created by using the Create Keystore (OPM, QC3CRTKS; ILE, Qc3CreateKeyStore) API. The first 10 characters contain the file name. The second 10 characters contain the name of the library where the keystore file is located. You can use the following special values for the library name.

*CURLIB	The job's current library is used to locate the keystore file. If no library is specified as the current library for the job, the QGPL library is used.
*LIBL	The job's library list is searched for the first occurence of the specified file name.

Record label

The label of a key record in a keystore file. The label will be converted from the job CCSID, or if 65535, the job default CCSID (DFTCCSID) job attribute to CCSID 1200 (Unicode UTF-16). The key record may contain either an RSA public or private key. If a private key, the public key is extracted to use in the verify operation. Key records are created by using the Write Key Record (OPM, QC3WRTKR; ILE, Qc3WriteKeyRecord) API or the Generate Key Record (OPM, QC3GENKR; ILE, Qc3GenKeyRecord) API.

Reserved

Must be null (binary 0s).

Error Messages

[ Back to top | Cryptographic Services APIs | APIs by category ]