A fix is available
APAR status
Closed as new function.
Error description
New Function - Support creation of PKCS7 SignedData detached signature messages.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * Users of System SSL PKCS7 SignedData. * **************************************************************** * PROBLEM DESCRIPTION: * * Support creation of PKCS7 * * SignedData detached signature * * messages in System SSL. * **************************************************************** * RECOMMENDATION: * * APPLY PTF * **************************************************************** The gsk_make_signed_data_content_extended() and gsk_make_signed_data_msg_extended() routines have been enhanced to support the creation of a detached signature style SignedData message. A detached signature SignedData message is a message where the content or application data is included in the data when the digital signatures are generated but are not included in the final SignedData message.
Problem conclusion
Temporary fix
Comments
The gsk_make_signed_data_content_extended() and gsk_make_signed_data_msg_extended() routines have been enhanced to support the creation of a detached signature style SignedData message. A detached signature SignedData message is a message where the content or application data is included in the data when the digital signatures are generated but are not included in the final SignedData message. Cryptographic Services System Secure Sockets Layer Programming (SC14-7495) Chapter "Certificate Management Services (CMS) API reference" gsk_make_signed_data_content_extended() and gsk_make_signed_data_msg_extended() z/OS Cryptographic Services System SSL (V2.1) option_flag - new option value Create detached (external) signature signed data. The passed in data is included in the data being digitally signed but not included in the returned SignedData content. This flag is only supported when version 500, 501 or 502 is specified. It is ignored when version 0, 1 or 2 is specified. version - new version values Versions 500, 501 and 502 have similar meanings to versions 0, 1 and 2, except when using versions 500, 501 and 502 the caller of this routine has ensured that all bits within the option_flag have been set to 0 except for those bits which need to be processed to build the appropriate signedData message. Specify 500 to create SignedData content as described in PKCS7 Version 1.4. This version encodes the IssuerAndSerialNumber as the signerIdentifier. Specify 501 to create SignedData content as described in PKCS7 Version 1.5. This version encodes the IssuerAndSerialNumber as the signerIdentifier. Specify 502 to create SignedData content as described in PKCS7 Version 1.6. This version encodes the IssuerAndSerialNumber as the signerIdentifier. z/OS Cryptographic Services System SSL (V2.2) and (V2.3) option_flag - new option value Create detached (external) signature signed data. The passed in data is included in the data being digitally signed but not included in the returned SignedData content. This flag is only supported when version 500, 501, 502 or 503 is specified. It is ignored when version 0, 1, 2 or 3 is specified. version - new version values Versions 500, 501, 502 and 503 have similar meanings to versions 0, 1, 2 and 3, except when using versions 500, 501, 502 and 503 the caller of this routine has ensured that all bits within the option_flag have been set to 0 except for those bits which need to be processed to build the appropriate signedData message. Specify 500 to create SignedData constant as described in PKCS7 Version 1.4 This version encodes the IssuerAndSerialNumber as the signerIdentifier. Specify 501 to create SignedData content as described in PKCS7 Version 1.5. This version encodes the IssuerAndSerialNumber as the signerIdentifier. Specify 502 to create SignedData content as described in PKCS7 Version 1.6. This version encodes the IssuerAndSerialNumber as the signerIdentifier. Specify 503 to create Signed Data content as described in PKCS7 RFC 3852. This version encodes the SubjectKeyIdentifier as the signerIdentifier. z/OS Cryptographic Services System SSL (V2.1), (V2.2) and (V2.3) gsk_make_signed_data_content_extended() - Usage - first paragraph updated to: The gsk_make_signed_data_content_extended() routine creates PKCS7 (Cryptographic Message Syntax) SignedData content information. The data type must be one of the types defined by PKCS7. Processing is similar to gsk_make_signed_data_content() except for the presence of the option_flag and authenticated_attributes parameters. The gsk_read_signed_data_content() or gsk_read_signed_data_content_extended() routine can be used to extract the content data from the SignedData content information except for a detached (external) signature. Detached signature SignedData messages do not contain any content information and are not supported by the read routines. The key usage for the signer certificates can be optionally specified as to whether digital signature must be allowed. No validity checking is performed on the signer certificates. It is assumed that the application has already validated the signer certificates. gsk_make_signed_data_msg_extended() - Usage - first paragraph updated to: The gsk_make_signed_data_msg_extended() routine creates PKCS7 (Cryptographic Message Syntax) SignedData message and returns the ASN.1 DER-encoded ContentInfo sequence. The signed data content type will be Data. The gsk_read_signed_data_msg() or the gsk_read_signed_data_msg_extended() routine can be used to extract the application data from the stream when included in the message. Detached signature SignedData messages do not contain the application data and are not supported by the read routines. The key usage for the signer certificates can be optionally specified as to whether digital signature must be allowed. No validity checking will be performed on the signer certificates. It is assumed that the application has already validated the signer certificates.
APAR Information
APAR number
OA54821
Reported component name
SYSTEM SSL
Reported component ID
565506805
Reported release
410
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2018-02-05
Closed date
2018-05-01
Last modified date
2018-06-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA96089 UA96092 UA96093 UA96099 UA96100 UA96101
Modules/Macros
GSKC31F GSKC31 GSKHP001 GSKCMS31 GSKCMS64 GSKC64 GSKAH039 GSKC64F
| SC147495XX |
Fix information
Fixed component name
SYSTEM SSL
Fixed component ID
565506805
Applicable component levels
R411 PSY UA96099
UP18/05/05 P F805
R420 PSY UA96100
UP18/05/05 P F805
R421 PSY UA96101
UP18/05/05 P F805
R431 PSY UA96092
UP18/05/05 P F805
R430 PSY UA96089
UP18/05/05 P F805
R410 PSY UA96093
UP18/05/05 P F805
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"410","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"410","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 June 2018