IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.


ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

  • 1.  ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Wed September 25, 2024 08:58 AM
    Edited by Eleanor Chan Wed September 25, 2024 10:05 AM

    Hello

    My use case is to generate a Public/Private Key Pair in a first step and store it in the TKDS.
    The second step will be to export the Public key and import it into a TKDS on another environment.
    However, I fail to import the Public Key into the TKDS with an RC=8 RS=2AF8 which indicates the following problem:
    The value specified for length parameter for a key token, key, or text field is not valid. This can also occur if either the key type of the key or the algorithm of the key is unsupported by the callable service.
    User action: Correct the appropriate length field parameter.

    That's what I try to address, unfortunately without success, hence asking here if someone has experience with this and might be able to advise how to best proceed.

    To get the public key value and the attributes I'm using CSFPGAV and I'm using the sample provided here https://github.com/IBM-zOS-Crypto/ICSF-Education/blob/main/PKCS%20%2311%20Samples/GAVRSA.rexx
    That works as expected as it returns the values and they look as follows (public key intentionally redacted) like:
    pubkey_modulus_len = '0003'x                                           
    pubkey_modulus     = '010001'x                                         
    pubkey_pubexp_len  = '0200'x                                           
    pubkey_pubexp      = ,                                                 
    'DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE0' ||, 
    [intentionally redacted]
    '4DFA384260D165C3B83B0D8E977DD100002AA88D1617A67E474BC782CC1E58C6' ||, 
    'CBCF27788D212E62C170B03CDEEBE36B212E83BA5412F9A303C6D08806F5846F' ||, 
    '6589B4B82DEEECC121232CE88FFB107E90060C90CE1AF293303443948E6F2CDD'x  

    So far so good, to import the public key into another TKDS using CSFPTRC fails with RC=8 RS=2AF8. To import the key parts I'm using the sample provided here https://github.com/IBM-zOS-Crypto/ICSF-Education/blob/main/PKCS%20%2311%20Samples/TRCRSA.rexx

    However, when adding those values into the REXX (as requested on lines 15, 16, 17, 18) it does not seem to work as expected. Yet, I cannot comprehend why that should not work, but I have an indication when enabling the trace in the TRC_Object procedure.
    The trace resolves to:                                                                              
       145 *-*    TRC_AttrListLength   = D2C( Length( TRC_AttrList ),4)                                                                
           >V>      "??????????????????????????'0003'x'010001'x????'0200'x'DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D5
    [intentionally redacted]
    C3B83B0D8E977DD100002AA88D1617A67E474BC782CC1E58C6CBCF27788D212E62C170B03CDEEBE36B212E83BA5412F9A303C6D08806F5846F6589B4B82DEEECC12
    1232CE88FFB107E90060C90CE1AF293303443948E6F2CDD'x???????Ø?????????????"             

    So it seems that the parameters passed to the TRC_Object procedure are not in the expected format, hence the abend. But how to transform them to the expected format? The parameters that are not manually filled are reported as ???, whereas the input I provided via lines 15, 16, 17, 18 is reported with 'clear text' characters (in hex).

    Any hint that helps me to put this into the right format is much appreciated.

    thanks and regards
    marco   



    ------------------------------
    Marco Egli
    ------------------------------



  • 2.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Wed September 25, 2024 10:42 AM

    Hi Marco - the values for modulus and public exponent are reversed.   (i.e. pubkey_pubexp is ='010001'x)



    ------------------------------
    Sheri DeGroodt
    ------------------------------



  • 3.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Thu September 26, 2024 09:09 AM

    Hi Sheri
    Thanks for the quick reply and hint, indeed it was mixed up, thanks for spotting this! Unfortunately this does not seem to be the only issue, as if I pass the values with ''x or without it still fails with the same error as you can see below.

    With ''x:

       145 *-*    TRC_AttrListLength   = D2C( Length( TRC_AttrList ),4)                                                                
           >V>      "??????????????????????????'0200'x'DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35
    [intentionally redacted]
    C90CE1AF293303443948E6F2CDD'x????'0003'x'010001'x???????Ø?????????????" 
    TRC failed: rc = 00000008 rs = 00002AF8                                                         

    Without ''x:

       145 *-*    TRC_AttrListLength   = D2C( Length( TRC_AttrList ),4)                                                                
           >V>      "??????????????????????????0200DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35AF24
    [intentionally redacted]
    E1AF293303443948E6F2CDD????0003010001???????Ø?????????????"              
    TRC failed: rc = 00000008 rs = 00002AF8   

    Both options are failing with the same RC/RS and I suspect the input is not in the correct format, as what I passed has readable/visible characters and the other 'default' input is represented with '?'. I assume that would need somehow another transformation?

    regards

    marco                                       



    ------------------------------
    Marco Egli
    ------------------------------



  • 4.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Thu September 26, 2024 09:53 AM
    Edited by Eric Rossman Thu September 26, 2024 09:52 AM
    Everything is in binary. It's almost certain that the lengths in the attribute list don't add up correctly to the overall length (most commonly, it's the length for one of the components). Here's an example from one of my testcases. I would suggest using LENGTH function to calculate the length fields in the attribute list to avoid a miscalculation.
     
    CKA_CLASS           = '00000000'X;
    CKA_KEY_TYPE        = '00000100'X;
    CKA_MODULUS         = '00000120'X;
    CKA_PUBLIC_EXPONENT = '00000122'X;
    CKO_PUBLIC_KEY      = '00000002'X;
    CKK_RSA             = '00000000'X;
    pubkey_pubexp       = '010001'x
    pubkey_pubexp_len   = D2C(LENGTH(pubkey_pubexp),2);
    pubkey_modulus      = '012345...[redacted for space]...ABCDEF'X;
    pubkey_modulus_len  = D2C(LENGTH(pubkey_modulus),2);
    TRC_AttrList        = '0004'X ||,
      CKA_CLASS          ||'0004'X           ||CKO_PUBLIC_KEY||,
      CKA_KEY_TYPE       ||'0004'X           ||CKK_RSA       ||,
      CKA_MODULUS        ||pubkey_modulus_len||pubkey_modulus||,
      CKA_PUBLIC_EXPONENT||pubkey_pubexp_len ||pubkey_pubexp ;
    TRC_AttrListLength  = D2C(LENGTH(TRC_AttrList),4)



    ------------------------------
    Eric Rossman
    ------------------------------



  • 5.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Thu September 26, 2024 11:15 AM

    Hi Eric

    Thanks for your quick reply. Using D2C and calculating the length seems to have the expected effect, as the trace output results in ?? for the two length inputs.
       153 *-*    TRC_AttrListLength   = D2C( Length( TRC_AttrList ),4)                                                                
           >V>      "????????????????????????????'DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35AF244
    [intentionally redacted]
    1AF293303443948E6F2CDD'x??????'010001'x???????Ø?????????????"

    That means that pubKey_modulus and pubKey_pubexp need to be put into that format as well, I assume. You have the input for pubkey_pubexp and for pubkey_modulus just within ''x, and I have the same, but that does not seem to be interpreted as expected, hence a transformation of the input seems to be required. Regardless of whether I put the input straight or manually, it does not seem to work. Comparing the above (with manual enclosure) and below without.

    Token:  SMF.VAL.MP.RSA4096.LGSTRM.D24263                                                                                           
       153 *-*    TRC_AttrListLength   = D2C( Length( TRC_AttrList ),4)                                                                
           >V>      "????????????????????????????DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35AF244F
    [intentionally redacted]
    AF293303443948E6F2CDD??????010001???????Ø?????????????"

    Passing the input does not work in either of the options:
    pubKey_modulus     =  "''"pubKey_modulus"'x" (sample above)
    pubKey_modulus     =      pubKey_modulus     (sample below)

    Any hint to transform that input as well? As enclosing pubKey_modulus with D2C(pubKey_modulus) is not accepted.
       122 +++      pubKey_modulus     =  d2c(pubKey_modulus,2)         
        37 +++   call get_values                                        
    IRX0040I Error running PUTPUBKV, line 122: Incorrect call to routine

    regards
    marco



    ------------------------------
    Marco Egli
    ------------------------------



  • 6.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Thu September 26, 2024 12:07 PM

    It looks like you are creating a string that literally contains '012345678...'x (with the actual quotes and letter x), which is not what you want.

    What you want to do is to convert from printable to binary. So, if you have 010001 already in a variable, you can convert it:

    pubkey_pubexp_printable = '010001';

    pubkey_pubexp = X2C(pubkey_pubexp_printable);



    ------------------------------
    Eric Rossman
    ------------------------------



  • 7.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Fri September 27, 2024 10:44 AM

    Hi Eric

    Thanks for that, it seems with this conversion, the pubkey_pubexp is in the expected format when I check the output:

       155 *-*    TRC_AttrListLength   = D2C( Length( TRC_AttrList ),4)                                                                
           >V>      "????????????????????????????DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35AF244F
    [intentionally redacted]
    AF293303443948E6F2CDD????????????????Ø?????????????"                    

    Hence the previous string changed from
    AF293303443948E6F2CDD??????010001???????Ø?????????????"
    to
    AF293303443948E6F2CDD????????????????Ø?????????????"
    which is the expected result.

    The only outstanding conversion then seems to be the pubkey_modulus. Checking the input with datatype(), it returns CHAR, but when converting that to character as well it does not get better ;-)

    The output is then shown as

           >V>      "????????????????????????????¹C5rè÷m?qí/?,mäá7còLã@´??ä5?tN?\cÍ£Ã??)?®?|pþPã©Í?=سÚ_ M??¦?Èt°I8Ñ·?c???·?ÏBl?)­ ݨ,"
    [intentionally redacted]
    ?Ái©½?ÓÖA???Y±Û?=°??°ó?2l??ämþ??ù????????????????Ø?????????????"

    Might that input require two conversions, as it cannot be achieved in a single step?



    ------------------------------
    Marco Egli
    ------------------------------



  • 8.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Fri September 27, 2024 02:22 PM

    It should not be necessary to convert twice. The data just has to be in binary.

    If you could share your actual code that is trying to do this, it would help immensely. Since this is a public key we're trying to create, there is no risk in sharing the public exponent or modulus as they are public values.

    Also, can you show how the public exponent and modulus are getting into the REXX that is trying to create the public key object?



    ------------------------------
    Eric Rossman
    ------------------------------



  • 9.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Mon September 30, 2024 08:09 AM

    Hi Eric

    I shared the files directly with you. Looking forward to your review and what your observation will be.



    ------------------------------
    Marco Egli
    ------------------------------



  • 10.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Mon September 30, 2024 08:27 AM
    Edited by Eric Rossman Mon September 30, 2024 08:27 AM

    Just looking at the code, it looks like you are calculating the length of the two fields before you have converted it from printable to binary, so both lengths are twice what they should be.

    If you perform the X2C(field) on both of the fields first and then field_length = D2C(LENGTH(field)) afterward, I suspect that will fix the problem you are seeing.


    ------------------------------
    Eric Rossman
    ------------------------------
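
Added example (not part of the thread or of the IBM sample REXX): the ordering fix from reply 10, converting printable hex to binary with X2C before taking LENGTH, followed by a walk over the finished attribute list to confirm that every length field matches the bytes present before it is handed to CSFPTRC. The modulus is a constructed 16-byte stand-in, hex2bin and fail are hypothetical helper names, and the list layout (2-byte count, then 4-byte id, 2-byte length, value) is taken from the example in reply 4.

```rexx
/* REXX - added example: build a CSFPTRC attribute list from printable */
/* hex and verify its length fields. It does not call ICSF itself.     */
CKA_CLASS           = '00000000'x
CKA_KEY_TYPE        = '00000100'x
CKA_MODULUS         = '00000120'x
CKA_PUBLIC_EXPONENT = '00000122'x
CKO_PUBLIC_KEY      = '00000002'x
CKK_RSA             = '00000000'x

/* Constructed sample values: a 16-byte stand-in, not a real modulus.  */
modulus_hex = 'C0FFEE00112233445566778899AABBCD'
pubexp_hex  = '010001'

/* 1. Printable hex -> binary first ...                                */
pubkey_modulus = hex2bin(modulus_hex)
pubkey_pubexp  = hex2bin(pubexp_hex)
/* 2. ... and only then take LENGTH, so it counts bytes, not digits.   */
TRC_AttrList = '0004'x ||,
  CKA_CLASS           || '0004'x || CKO_PUBLIC_KEY ||,
  CKA_KEY_TYPE        || '0004'x || CKK_RSA ||,
  CKA_MODULUS         || D2C(LENGTH(pubkey_modulus), 2) || pubkey_modulus ||,
  CKA_PUBLIC_EXPONENT || D2C(LENGTH(pubkey_pubexp), 2)  || pubkey_pubexp
TRC_AttrListLength = D2C(LENGTH(TRC_AttrList), 4)

/* 3. Walk the list: 2-byte count, then id(4) || length(2) || value.   */
count = C2D(SUBSTR(TRC_AttrList, 1, 2))
p = 3
do i = 1 to count
  if p + 5 > LENGTH(TRC_AttrList) then call fail 'attribute' i 'header truncated'
  id  = C2X(SUBSTR(TRC_AttrList, p, 4))
  len = C2D(SUBSTR(TRC_AttrList, p + 4, 2))
  if p + 5 + len > LENGTH(TRC_AttrList) then
    call fail 'attribute' id 'claims' len 'bytes, list is too short'
  say 'attr' id 'len' len 'value' C2X(SUBSTR(TRC_AttrList, p + 6, len))
  p = p + 6 + len
end
if p - 1 <> LENGTH(TRC_AttrList) then call fail 'bytes left over after last attribute'
say 'attribute list OK, total length' C2D(TRC_AttrListLength)
exit 0

hex2bin: procedure          /* reject anything that is not clean hex   */
  parse arg h
  h = SPACE(h, 0)
  if DATATYPE(h, 'X') = 0 | LENGTH(h) // 2 <> 0 then call fail 'bad hex:' h
  return X2C(h)

fail:
  say 'ERROR:' arg(1)
  exit 8
```

Printing each value with C2X in the walk also shows whether a field really holds binary data: a value that still contains printable digits or a literal `'...'x` comes back as the hex of those characters, at twice the expected length or more.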



  • 11.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Mon September 30, 2024 08:56 AM

    Hi Eric

    Exactly, the order was wrong! Changed it accordingly and now the import for both key types (RSA and LI2) works as expected.

    Thank you very much Eric for your fast support!

    kind regards



    ------------------------------
    Marco Egli
    ------------------------------



  • 12.  RE: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8

    Posted Mon September 30, 2024 12:38 PM

    So glad to hear that helped!



    ------------------------------
    Eric Rossman
    ------------------------------