OA54316: NEW FUNCTION - ENHANCEMENT TO ALLOW THE CKA_LABEL ATTRIBUTE OF APKCS11 OBJECT TO BE A LENGTH GREATER THAN 32 BYTES

Obtain the fix for this APAR.

APAR status

• Closed as new function.

Error description

• New Function
  Support for allowing the size of the CKA_LABEL attribute of
  a PKCS11 object to be to be greater than 32 bytes.
  It will have no maximum but the entirety of the object
  has a 32k limit in size.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * ICSF Users of PKCS11                                         *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * ICSF currently limits the size of the                        *
  * CKA_LABEL attribute in a PKCS11 object                       *
  * to 32 bytes.  This restriction needs to                      *
  * be removed.                                                  *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  There is a limit on the CKA_LABEL attribute
  in PKCS11 objects of 32 bytes. ICSF is removing
  the restriction on the size of the CKA_LABEL
  attribute.
  
  
  This APAR requires that the PTFs for APAR OA54346
  be installed and active on all systems in the
  SYSPLEX before any exploitation of a CKA_LABEL
  greater than 32 bytes is done.
  
  Note:
  For PKCS11 Token Record List (CSFPTRL and CSFPTRL6)
  on systems that only have OA54346 applied and not OA54316
  applied, when the search_template parameter includes the
  CKA_LABEL attribute, only the first 32 bytes of the
  attribute will be used as the search criteria.
  
  SMFREC/K
  

Problem conclusion

Temporary fix

Comments

• This APAR adds support for the expansion of the CKA_Label
  attribute to support more than 32 bytes.
  
  The following documentation updates are needed for this APAR.
  
  Cryptographic Services ICSF Writing PKCS11 Applications
  SC14-7510-04 and SC14-7510-05
  
  Chapter- 2. The C API
  
  The same documentation change will be made in the following
  Tables:
  Table 8. Data object attributes that ICSF supports
  Table 9. X.509 certificate object attributes that ICSF supports
  Table 10.  Secret key object attributes that ICSF supports
  Table 11. Public key object attributes that ICSF supports
  Table 17. Private key object attributes that ICSF supports
  Table 23. Domain parameter object attributes that ICSF
  supports
  
   ---------------------------------------------------------------
   Old:
   Attribute         Data type         Notes
   CKA_LABEL         Printable EBCDIC  Application specific
                     string            nickname. Limit to 32
                                       chars. Default is
                                       empty. The string is
                                       assumed to come from
                                       the IBM1047 code page.
   New:
   Attribute         Data type         Notes
   CKA_LABEL         Printable EBCDIC  Application specific
                     string            nickname. Default is
                                       empty. The string is
                                       assumed to come from
                                       the IBM1047 code page.
  ---------------------------------------------------------------
  
  
  Cryptographic Services ICSF System Programmer's Guide
  SC14-7507-06 and SC14-7507-07
  
  Chapter- Appendix B: ICSF SMF Records
  
  The same documentation change will be made in the following
  Tables:
  Table 154: subtype 42 PKCS11 object lifecycle event
  Table 158: subtype 46 PKCS11 key usage event
  
  ---------------------------------------------------------------
  Old:
  Dec  Hex   Name      Length   Format  Description
  259  103   KEY_NAME  1-32     EBCDIC  The CKA_LABEL attribute
                                        from the object.
  
  New:
  Dec  Hex   Name      Length   Format  Description
  259  103   KEY_NAME  1-513    EBCDIC  The CKA_LABEL attribute
                                        from the object. If the
                                        CKA_LABEL is greater than
                                        512 chars then a '+' is
                                        put at the 513th char to
                                        indicate truncation.
  ---------------------------------------------------------------
  
  
  All of the changes included in this APAR will be documented in
  the next release/refresh of the following ICSF publications:
  
  ICSF Writing PKCS11 Applications SC14-7510
  ICSF System Programmer's Guide   SC14-7507
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UA95824 UA95825

Modules/Macros

• CSFTCPA1 CSFTCPA0 CSFTCPA5 CSFTCPA4 CSFTCPA3 CSFTCPA2 CSFMIAKP
  CSFVCPTX CSFINXKP CSFNCMDW CSFMIKUT CSFCCVE  CSFMITSM CSFINIT
  

Fix information

• Fixed component name

  ICSF/MVS

• Fixed component ID

  568505101

Applicable component levels

• R7C0 PSY UA95825

     UP18/04/11 P F804  

• R7C1 PSY UA95824

     UP18/04/11 P F804  

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.