I shared the files directly with you. Looking forward to your review and what your observation will be.
Original Message:
Sent: Fri September 27, 2024 02:21 PM
From: Eric Rossman
Subject: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8
It should not be necessary to convert twice. The data just has to be in binary.
If you could share your actual code that is trying to do this, it would help immensely. Since this is a public key we're trying to create, there is no risk in sharing the public exponent or modulus as they are public values.
Also, can you show how the public exponent and modulus are getting into the REXX that is trying to create the public key object?
------------------------------
Eric Rossman
Original Message:
Sent: Fri September 27, 2024 12:52 AM
From: Marco Egli
Subject: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8
Hi Eric
Thanks for that, it seems with this conversion, the pubkey_pubexp is in the expected format when I check the output:
155 *-* TRC_AttrListLength = D2C( Length( TRC_AttrList ),4)
>V> "????????????????????????????DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35AF244F
[intentionally redacted]
AF293303443948E6F2CDD????????????????Ø?????????????"
Hence the previous string changed from
AF293303443948E6F2CDD??????010001???????Ø?????????????"
to
AF293303443948E6F2CDD????????????????Ø?????????????"
which is the expected result.
The only outstanding conversion seems then the pubkey_modulus to be. Checking the input with datatype() it returns CHAR but when converting that to character as well it does not get better ;-)
The output is then shown as
>V> "????????????????????????????¹C5rè÷m?qí/?,mäá7còLã@´??ä5?tN?\cÍ£Ã??)?®?|pþPã©Í?=سÚ_ M??¦?Èt°I8Ñ·?c???·?ÏBl?) ݨ,"
[intentionally redacted]
?Ái©½?ÓÖA???Y±Û?=°??°ó?2l??ämþ??ù????????????????Ø?????????????"
Does that input might require two conversions as it cannot be achieved in a single step?
------------------------------
Marco Egli
Original Message:
Sent: Thu September 26, 2024 12:06 PM
From: Eric Rossman
Subject: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8
It looks like you are creating a string that literally contains '012345678...'x (with the actual quotes and letter x), which is not what you want.
What you want to do is to convert from printable to binary. So, if you have 010001 already in a variable, you can convert it:
pubkey_pubexp_printable = '010001';
pubkey_pubexp = X2C(pubkey_pubexp_printable);
------------------------------
Eric Rossman
Original Message:
Sent: Thu September 26, 2024 10:28 AM
From: Marco Egli
Subject: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8
Hi Eric
Thanks for your quick reply. Using D2C and calculate the length seems to have the expected effect as the trace output results into ?? for the two length input.
153 *-* TRC_AttrListLength = D2C( Length( TRC_AttrList ),4)
>V> "????????????????????????????'DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35AF244
[intentionally redacted]
1AF293303443948E6F2CDD'x??????'010001'x???????Ø?????????????"
That means that pubKey_modulus and pubKey_pubexp needs to be put into that format as well, I assume. As you have for pubkey_pubexp and for pubkey_modulus the input
just within ''x the same do I have but that does not seem to be interpreted as expected hence a transformation of the input seems to be required. regardless if I
put the input straight or manually it does not seem to work. Comparing the above (with manual enclosure) and below without.
Token: SMF.VAL.MP.RSA4096.LGSTRM.D24263
153 *-* TRC_AttrListLength = D2C( Length( TRC_AttrList ),4)
>V> "????????????????????????????DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35AF244F
[intentionally redacted]
AF293303443948E6F2CDD??????010001???????Ø?????????????"
Passing the input does not work in neither of the options:
pubKey_modulus = "''"pubKey_modulus"'x" (sample above)
pubKey_modulus = pubKey_modulus (sample below)
Any hint to transform that input as well? As enclosing pubKey_modulus with D2C(pubKey_modulus) is not accepted.
122 +++ pubKey_modulus = d2c(pubKey_modulus,2)
37 +++ call get_values
IRX0040I Error running PUTPUBKV, line 122: Incorrect call to routine
regards
marco
------------------------------
Marco Egli
Original Message:
Sent: Thu September 26, 2024 09:44 AM
From: Eric Rossman
Subject: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8
Everything is in binary. It's almost certain that the lengths in the attribute list don't add up correctly to the overall length (most commonly, it's the length for one of the components). Here's an example from one of my testcases. I would suggest using LENGTH function to calculate the length fields in the attribute list to avoid a miscalculation.
CKA_CLASS = '00000000'X;
CKA_KEY_TYPE = '00000100'X;
CKA_MODULUS = '00000120'X;
CKA_PUBLIC_EXPONENT = '00000122'X;
CKO_PUBLIC_KEY = '00000002'X;
CKK_RSA = '00000000'X;
pubkey_pubexp = '010001'x
pubkey_pubexp_len = D2C(LENGTH(pubkey_pubexp),2);
pubkey_modulus = '012345...[redacted for space]...ABCDEF'X;
pubkey_modulus_len = D2C(LENGTH(pubkey_modulus),2);
TRC_AttrList = '0004'X ||,
CKA_CLASS ||'0004'X ||CKO_PUBLIC_KEY||,
CKA_KEY_TYPE ||'0004'X ||CKK_RSA ||,
CKA_MODULUS ||pubkey_modulus_len||pubkey_modulus||,
CKA_PUBLIC_EXPONENT||pubkey_pubexp_len ||pubkey_pubexp ;
TRC_AttrListLength = D2C(LENGTH(TRC_AttrList),4)
------------------------------
Eric Rossman
Original Message:
Sent: Thu September 26, 2024 12:19 AM
From: Marco Egli
Subject: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8
Hi Sheri
Thanks for the quick reply and hint, indeed it was mixed up, thanks for spotting this! Unfortunately this does not seem to be the only issue, as if I pass the values with ''x or without it still fails with the same error as you can see below.
With ''x:
145 *-* TRC_AttrListLength = D2C( Length( TRC_AttrList ),4)
>V> "??????????????????????????'0200'x'DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35
[intentionally redacted]
C90CE1AF293303443948E6F2CDD'x????'0003'x'010001'x???????Ø?????????????"
TRC failed: rc = 00000008 rs = 00002AF8
Without ''x:
145 *-* TRC_AttrListLength = D2C( Length( TRC_AttrList ),4)
>V> "??????????????????????????0200DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE08375B166323C5D35AF24
[intentionally redacted]
E1AF293303443948E6F2CDD????0003010001???????Ø?????????????"
TRC failed: rc = 00000008 rs = 00002AF8
Both options are failing with the same RC/RS and I suspect the input is not in the correct format as what i passed has readable/visible characters and the other 'default' input is represented with '?'. I assume that would need somehow another transformation?
regards
marco
------------------------------
Marco Egli
Original Message:
Sent: Wed September 25, 2024 10:36 AM
From: Sheri DeGroodt
Subject: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8
Hi Marco - the values for modulus and public exponent are reversed. (i.e. pubkey_pubexp is ='010001'x)
------------------------------
Sheri DeGroodt
Original Message:
Sent: Wed September 25, 2024 06:29 AM
From: Marco Egli
Subject: ICSF - Public Key import to TKDS with CSFPTRC -> RC=8 RS=2AF8
Hello
My use case is to generate a Public/Private Key Pair in a first step and store it in the TKDS.
The second step will be to export the Public key and import it into a TKDS on another environment.
However, I fail to import the Public Key into the TKDS with an RC=8 RS=2AF8 which indicates the following problem:
The value specified for length parameter for a key token, key, or text field is not valid. This can also occur if either the key type of the key or the algorithm of the key is unsupported by the callable service.
User action: Correct the appropriate length field parameter.
That's what I try to address, unfortunately without success, hence asking here if someone has experience with this and might be able to advise how to best proceed.
To get the public key value and the attributes I'm using CSFPGAV and I'm using the sample provided here https://github.com/IBM-zOS-Crypto/ICSF-Education/blob/main/PKCS%20%2311%20Samples/GAVRSA.rexx
That works as expected as it returns the values and they look as follows (public key intentionally redacted) like:
pubkey_modulus_len = '0003'x
pubkey_modulus = '010001'x
pubkey_pubexp_len = '0200'x
pubkey_pubexp = ,
'DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D51DE0' ||,
[intentionally redacted]
'4DFA384260D165C3B83B0D8E977DD100002AA88D1617A67E474BC782CC1E58C6' ||,
'CBCF27788D212E62C170B03CDEEBE36B212E83BA5412F9A303C6D08806F5846F' ||,
'6589B4B82DEEECC121232CE88FFB107E90060C90CE1AF293303443948E6F2CDD'x
So far so good, to import the public key into another TKDS using CSFPTRC fails with RC=8 RS=2AF8. To import the key parts I'm using the sample provided here https://github.com/IBM-zOS-Crypto/ICSF-Education/blob/main/PKCS%20%2311%20Samples/TRCRSA.rexx
However, when adding those values into the REXX (as requested on line 15,16,17,18) it does not seem to work as expected. Yet, I cannot comprehend why that should not work but I have an indication when enabling the trace in TRC_Object procedure.
The trace resolves to:
145 *-* TRC_AttrListLength = D2C( Length( TRC_AttrList ),4)
>V> "??????????????????????????'0003'x'010001'x????'0200'x'DAC3F59954E1940F985561256B944345F783CDD3467CBE000843F535A3D5
[intentionally redacted]
C3B83B0D8E977DD100002AA88D1617A67E474BC782CC1E58C6CBCF27788D212E62C170B03CDEEBE36B212E83BA5412F9A303C6D08806F5846F6589B4B82DEEECC12
1232CE88FFB107E90060C90CE1AF293303443948E6F2CDD'x???????Ø?????????????"
So it seems that the parameters passed to the TRC_Object procedure are not in the expected format, hence the abend. But how to transform them to the expected format? As the parameters that are not manually filled are reported as ??? whereas the input I provided via line 15,16,17,18 is reported with 'clear text' characters (in hex).
Any hint that helps me to put this into the right format is much appreciated.
thanks and regards
marco
------------------------------
Marco Egli
------------------------------