IBM Crypto Education Community


Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.


TR-31 Export call fails with CV violation

  • 1.  TR-31 Export call fails with CV violation

    Posted yesterday
    Edited by Eleanor Chan yesterday

    Everyone,

    I could use another pair of eyes on my problem.  I am just not seeing what I need to find.  All this is DES.

    I've done a KGN of a double length OPEX IPINENC OPINENC pair.

    I'm looking to use CSNBT31X (TR-31 export) to export the key for use elsewhere.

    As the source key I'm using the exported OPINENC external token.

    I've provided an unwrap key that is an importer key (KIK).  Though the documentation indicates I should use the same KEK that I exported the OPINENC key with in the first place.  But that just seems wrong to me.  That said, I did pass the KEK key for one of my tests and it did not change a thing.

    I've provided a wrap key that I'm very sure is an exporter key (KEK).  I'm looking for confirmation of what I'm sure of, just in case.  (I have confirmation it is an exporter key)

    My rules are SKEY-DES, VARDRV-B, PINENC, ENC-ONLY, & EXP-NONE.

    The OPINENC external token is required to use ENC-ONLY under VARDRV-B, and I want to add the EXP-NONE option for our own needs.

    Anyone have any hints on where I need to look for my CV violation problem?

    Thanks for helping me.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 2.  RE: TR-31 Export call fails with CV violation

    Posted yesterday

    Hello Mark -

    According to the APG, the unwrap_kek_identifier must be

    • A CCA DES EXPORTER with the control vector bit EXPORT enabled or OKEYXLAT key



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 3.  RE: TR-31 Export call fails with CV violation

    Posted 8 hours ago

    Eleanor,

    Thanks for helping me out.

    I saw that too.   But help me understand that to "unwrap" the external key I need to use an EXPORTER key rather than an IMPORTER key.  That just seems backwards to me.

    Also, I did try to use the same key that I wrapped it with (EXPORTER key) and that did not change anything.   Neither an importer nor exporter key works for me.

    Any ideas on what I can try next would be appreciated.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 4.  RE: TR-31 Export call fails with CV violation

    Posted 7 hours ago
    Edited by Eleanor Chan 6 hours ago

    Mark -

    I also assumed the unwrap key to be an IMPORTER, but it failed with a CV violation.  I thought I had recreated your issue.  Anyway, when I used EXPORTERs for both the unwrap and wrap KEK identifiers, my testcase worked.  Here are my parameters:

    key_form   = 'OPEX'                                 
    key_length = 'DOUBLE  '                             
    key_type_1 = 'IPINENC '                             
    key_type_2 = 'OPINENC '                             
    KEK_id_1   = ''                                     
    KEK_id_2   = EXPORTER_1                             
    gen_key_id_1 = d2c(0,64)
    gen_key_id_2 = d2c(0,64)
    CALL KGN 
    T31X_rule_array_count = '00000005'x            
    T31X_rule_array = 'SKEY-DES'||,                
                      'VARDRV-B'||,                
                      'PINENC  '||,                
                      'ENC-ONLY'||,                
                      'EXP-NONE' ;                 
    T31X_key_version_number = '00'                 
    T31X_key_field_length   = '00000020'x          
    T31X_source_key_identifier_length = '00000040'x
    T31X_source_key_identifier = gen_key_id_2      
    T31X_unwrap_kek_identifier_length = '00000040'x
    T31X_unwrap_kek_identifier = EXPORTER_1        
    T31X_wrap_kek_identifier_length = '00000040'x  
    T31X_wrap_kek_identifier   = EXPORTER_2        
    T31X_opt_blocks_length  = '00000000'x          
    T31X_opt_blocks         = ''                   
    T31X_key_block_length   = d2c(9992,4)          
    T31X_key_block          = d2c(0,9992)          
    CALL T31X



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 5.  RE: TR-31 Export call fails with CV violation

    Posted 7 hours ago

    Eleanor,

    I will make the change and run that test again to see if maybe I just smiled wrong when I thought I did that.  I will reach out again when I have the results.

    Is there any other CV setting that might create this error besides being an EXPORTER key?



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 6.  RE: TR-31 Export call fails with CV violation

    Posted 6 hours ago

    Mark -

    I can't think of anything else.  The control vector violation can only come from the source, unwrap, or wrap keys.



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 7.  RE: TR-31 Export call fails with CV violation

    Posted 3 hours ago

    Eleanor,

    I've run another test.   All 3 keys are exporter keys (confirmed by browsing CKDS for the 2 that use labels).   And I still get the CV Violation exception.   I've no idea what to check next.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 8.  RE: TR-31 Export call fails with CV violation

    Posted 2 hours ago

    Mark -

    All 3 keys are exporter keys???  You said in your first post that the source_key is an exported OPINENC external token.



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 9.  RE: TR-31 Export call fails with CV violation

    Posted an hour ago

    Eleanor,

    Yes, my mistake.   It is an exported OPINENC external token.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 10.  RE: TR-31 Export call fails with CV violation

    Posted an hour ago

    Mark -

    Does the control vector of the source_key look like the following?

    020000000000C0000000000000000000A05B37BD899DF26F3E03D36504FD7780
    0024770003410000002477000321000000000000000000000000000075A62311

    I don't have any other ideas.



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 11.  RE: TR-31 Export call fails with CV violation

    Posted 37 minutes ago

    Eleanor,

    No, it does not.  The highlighted area in your external token is all low values in my token.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------
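
Added example, not part of the thread and not IBM code: a Python helper that splits the 64-byte token posted in reply 10 into its fields, so that two tokens can be compared field by field, and checks the trailing token validation value. The field offsets, flag bits and checksum rule are assumptions based on the CCA fixed-length DES key token layout, and the token returned by `zero_cv_variant` is constructed for illustration.

```python
import struct

# Token Eleanor posted in reply 10 (64 bytes, hex as shown in the thread).
POSTED_TOKEN = bytes.fromhex(
    "020000000000C0000000000000000000A05B37BD899DF26F3E03D36504FD7780"
    "0024770003410000002477000321000000000000000000000000000075A62311"
)
TOKEN_IDS = {0x01: "internal", 0x02: "external"}  # assumed meaning of byte 0
FLAG_KEY_PRESENT, FLAG_CV_PRESENT = 0x80, 0x40    # assumed flag bits, byte 6


def compute_tvv(token: bytes) -> int:
    """Sum the first fifteen big-endian 32-bit words modulo 2**32."""
    return sum(struct.unpack(">15I", token[:60])) & 0xFFFFFFFF


def inspect_des_token(token: bytes) -> dict:
    """Split a 64-byte fixed-length DES token into fields and list anomalies."""
    if len(token) != 64:
        raise ValueError(f"expected 64 bytes, got {len(token)}")
    flags, cv = token[6], token[32:48]  # assumed offsets: CV at bytes 32-47
    stored_tvv = struct.unpack(">I", token[60:])[0]
    findings = []
    if token[0] not in TOKEN_IDS:
        findings.append(f"unexpected token identifier 0x{token[0]:02X}")
    if not any(cv):
        findings.append("control vector field is all zeros")
    if bool(flags & FLAG_CV_PRESENT) != any(cv):
        findings.append("flag byte disagrees with control vector field")
    if stored_tvv != compute_tvv(token):
        findings.append("token validation value mismatch")
    return {
        "type": TOKEN_IDS.get(token[0], "unknown"),
        "flags": flags,
        "cv_left": cv[:8].hex().upper(),
        "cv_right": cv[8:].hex().upper(),
        "tvv_ok": stored_tvv == compute_tvv(token),
        "findings": findings,
    }


def zero_cv_variant(token: bytes) -> bytes:
    """Constructed sample: same token with the CV blanked and TVV recomputed."""
    t = bytearray(token)
    t[32:48] = bytes(16)
    t[6] &= ~FLAG_CV_PRESENT & 0xFF
    t[60:] = struct.pack(">I", compute_tvv(bytes(t)))
    return bytes(t)
```

Running `inspect_des_token` on a token copied from a dump shows at a glance whether the control vector halves are populated and whether the bytes were transcribed intact.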