
Pervasive (DS) Encryption Sample: Generate a Secure AES DATA Key

  

/* Rexx */

/* Pervasive (Data Set) Encryption: Step 6 of 10                     */
/*-------------------------------------------------------------------*/
/* Generate a secure AES DATA key, store the key in the CKDS and     */
/* display the key label and key. If the key label already exists,   */
/* return the existing key label and key.                            */
/*-------------------------------------------------------------------*/
/* Instructions:                                                     */
/* - Update aes_key_label with your desired key label name           */
/*                                                                   */
/*      Note: An example key label naming scheme is                  */
/*              DATASET.<dataset_resource>.ENCRKEY.<seqno>           */
/*                                                                   */
/* - EXECUTE THIS REXX EXEC FROM TSO (it is a REXX exec, not a CLIST)*/
/*   (E.G. EX 'HLQ.MLD.LLQ(GENKEY)')                                 */
/*-------------------------------------------------------------------*/
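signal on novalue;

/* 64-byte, blank-padded key label as ICSF expects it. The label is  */
/* the handle applications use for this key, so access control       */
/* belongs on the label, not on the token printed at the end.        */
/* NOTE(review): this exec does not check who may read/use the label;*/
/* confirm with your security administrator that it is restricted.   */
aes_key_label = ,
   left('DATASET.EYSHA.ICSF.ENCRYPT.ME.ENCRKEY.00000001',64);

/*-------------------------------------------------------------------*/
/* Check if the key exists in the CKDS (to prevent overwriting).     */
/* CSNBKRR prints the label/token and EXITs the exec when the read   */
/* succeeds; it only returns here when the read failed, which is the */
/* expected outcome for a label that does not exist yet. The rc/rs   */
/* are shown so a "not found" can be told apart from, e.g., a CKDS   */
/* or authorization problem.                                         */
/*-------------------------------------------------------------------*/
krr_label = aes_key_label;
Call CSNBKRR;                    /* If key is found, print and exit */
say 'Label not read (rc=' c2x(krr_rc)' rs='c2x(krr_rs)') - generating a new key' ;

/*-------------------------------------------------------------------*/
/* Generate a 256-bit AES DATA key.                                  */
/* Key form 'OP' with a zeroed KEK identifier asks for an internal   */
/* (operational) token, i.e. the key is wrapped under the master key */
/* and never handled in the clear by this exec (see CSNBKGN below).  */
/*-------------------------------------------------------------------*/
kgn_key_form           = 'OP  ';
kgn_key_length         = 'KEYLN32 ';      /* 32 bytes = AES-256     */
kgn_key_type_1         = 'AESDATA ';
kgn_key_type_2         = '';              /* single key requested   */
kgn_kek_identifier_1   = copies('00'x,64);
kgn_kek_identifier_2   = '';
kgn_generated_key_identifier_1 = copies('00'x,64);
kgn_generated_key_identifier_2 = '';
Call CSNBKGN;                    /* EXITs the exec on failure        */

/*-------------------------------------------------------------------*/
/* Store the key in the CKDS under the label. CSNBKRC2 EXITs on any  */
/* failure except RS X'3EA4' (tolerated as "label already exists" -  */
/* confirm against the ICSF reason codes), which covers a label that */
/* was created between the check above and this call; the read      */
/* below then returns that existing key instead of the new one.      */
/*-------------------------------------------------------------------*/
krc2_label = aes_key_label;
krc2_token_length = '00000040'x;          /* 64-byte token          */
krc2_token = kgn_generated_key_identifier_1;
Call CSNBKRC2;

/*-------------------------------------------------------------------*/
/* Read the key back from the CKDS. CSNBKRR prints and EXITs on      */
/* success, so anything past this call is the failure path: report  */
/* it instead of silently printing "End of Sample".                  */
/*-------------------------------------------------------------------*/
krr_label = aes_key_label;
Call CSNBKRR;

say 'KRR Failed   (rc=' c2x(krr_rc)' rs='c2x(krr_rs)')' ;
say "-----------------------------------------------------------------"
say "End of Sample"
say "-----------------------------------------------------------------"

exit;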

/* --------------------------------------------------------------- */
/* CSNBKGN - Key Generate                                          */
/*                                                                 */
/* Generates either one or two DES or AES keys encrypted under a   */
/* master key (internal form) or KEK (external form).              */
/*                                                                 */
/* See the ICSF Application Programmer's Guide for more details.   */
/* --------------------------------------------------------------- */
CSNBKGN:
/* Preset rc/rs to a non-zero sentinel so a call that never reaches  */
/* ICSF is still treated as a failure by the check below.            */
KGN_RC = 'FFFFFFFF'x;
KGN_RS = 'FFFFFFFF'x;
KGN_exit_data_length         = '00000000'x;   /* no exit data       */
KGN_exit_data                = '';

/* Inputs (kgn_key_form, kgn_key_length, kgn_key_type_1/2,           */
/* kgn_kek_identifier_1/2) are set by the caller; the generated      */
/* token(s) are returned in kgn_generated_key_identifier_1/2.        */
ADDRESS linkpgm "CSNBKGN",
   'KGN_RC'                          'KGN_RS'               ,
   'KGN_exit_data_length'            'KGN_exit_data'        ,
   'KGN_key_form'                    'KGN_key_length'       ,
   'KGN_key_type_1'                  'KGN_key_type_2'       ,
   'KGN_kek_identifier_1'            'KGN_kek_identifier_2' ,
   'KGN_generated_key_identifier_1'  'KGN_generated_key_identifier_2';

if (KGN_RC = '00000000'x) then return;

/* Any failure ends the exec: there is no key to store.              */
say 'KGN Failed   (rc=' c2x(KGN_RC)' rs='c2x(KGN_rs)')' ;
exit;

/* --------------------------------------------------------------- */
/* CSNBKRC2 - Key Record Create2                                   */
/*                                                                 */
/* Adds a key token to the CKDS.                                   */
/*                                                                 */
/* See the ICSF Application Programmer's Guide for more details.   */
/* --------------------------------------------------------------- */
CSNBKRC2:
/* Preset rc/rs to a non-zero sentinel so an unreached call is       */
/* reported as a failure.                                            */
krc2_rc = 'FFFFFFFF'x;
krc2_rs = 'FFFFFFFF'x;
krc2_exit_data_length = '00000000'x;
krc2_exit_data = '';
krc2_rule_count = '00000000'x;             /* no rule-array keywords */
krc2_rule_array = '';

/* Caller supplies krc2_label, krc2_token_length and krc2_token.     */
ADDRESS LINKPGM "CSNBKRC2",
                "krc2_rc"              "krc2_rs",
                "krc2_exit_data_length" "krc2_exit_data",
                "krc2_rule_count"      "krc2_rule_array",
                "krc2_label"           "krc2_token_length",
                "krc2_token";

/* Success: record written.                                          */
if (krc2_rc = '00000000'x) then return;

/* RS X'3EA4' is tolerated (presumably "label already exists" -      */
/* confirm against the ICSF reason codes). This routine neither      */
/* retries nor replaces the record in that case; the caller is       */
/* expected to read back whatever is stored under the label.         */
if (krc2_rs = '00003EA4'x) then return;

/* Any other failure ends the exec.                                  */
say 'KRC2 Failed   (rc=' c2x(KRC2_RC)' rs='c2x(KRC2_rs)')' ;
exit;

/* --------------------------------------------------------------- */
/* CSNBKRD - Key Record Delete                                     */
/*                                                                 */
/* Deletes a key record from the CKDS.                             */
/*                                                                 */
/* See the ICSF Application Programmer's Guide for more details.   */
/* --------------------------------------------------------------- */
CSNBKRD:
/* Not called anywhere in this exec; kept as a clean-up helper.      */
/* The caller must set krd_label (64-byte, blank-padded) first - it  */
/* is never assigned in this exec, and with SIGNAL ON NOVALUE in     */
/* effect an unset krd_label aborts the exec in the NOVALUE handler. */
/* NOTE(review): deleting a label that encrypted data still          */
/* references leaves that data unreadable; only use on labels known  */
/* to be unused.                                                     */
krd_rc = 'FFFFFFFF'x;                     /* non-zero sentinel      */
krd_rs = 'FFFFFFFF'x;
krd_exit_data_length = '00000000'x;
krd_exit_data = '';
krd_rule_array_count = '00000001'x;
krd_rule_array = 'LABEL-DL';              /* single rule keyword    */

ADDRESS LINKPGM "CSNBKRD",
                "krd_rc"               "krd_rs",
                "krd_exit_data_length" "krd_exit_data",
                "krd_rule_array_count" "krd_rule_array",
                "krd_label";

/* Unlike the other wrappers a failure is only reported, never fatal.*/
/* RS X'271C' is tolerated as well (presumably "label not found" -   */
/* confirm against the ICSF reason codes).                           */
if (krd_rc = '00000000'x) then return;
if (krd_rs = '0000271C'x) then return;
say 'KRD Failed   (rc=' c2x(KRD_RC)' rs='c2x(KRD_rs)')' ;
return;

/* --------------------------------------------------------------- */
/* CSNBKRR - Key Record Read (CKDS)                                */
/*                                                                 */
/* Reads a key token from the CKDS.                                */
/*                                                                 */
/* See the ICSF Application Programmer's Guide for more details.   */
/* --------------------------------------------------------------- */

CSNBKRR:
/* Preset rc/rs to a non-zero sentinel so an unreached call is       */
/* treated as "not found" rather than success.                       */
krr_rc = 'FFFFFFFF'x;
krr_rs = 'FFFFFFFF'x;
krr_exit_data_length = '00000000'x;
krr_exit_data    = '';
krr_token        = copies('00'x, 64);     /* 64-byte output buffer  */

/* Caller supplies krr_label (64-byte, blank-padded).                */
ADDRESS LINKPGM "CSNBKRR",
                "krr_rc"               "krr_rs",
                "krr_exit_data_length" "krr_exit_data",
                "krr_label"            "krr_token";

/* Not found / not readable: hand back to the caller silently (the   */
/* first call in this exec expects this). krr_rc and krr_rs stay     */
/* set for the caller to inspect.                                    */
if (krr_rc /= '00000000'x) then return;

/* Found: display and end the exec. The label shown is the caller's  */
/* aes_key_label (the same value passed in krr_label by this exec).  */
/* The token is the raw CKDS record; for a key generated by this     */
/* exec (key form 'OP', no KEK) that is an internal token wrapped    */
/* under the master key, not clear key material. It is nevertheless */
/* echoed to the TSO session / job log, so treat that output as      */
/* sensitive and refer to the key by its label elsewhere.            */
say "Secure key label: " strip(aes_key_label);
say "Secure key token: ";
say c2x(substr(krr_token,1,32));
say c2x(substr(krr_token,33,32));
exit;

/* --------------------------------------------------------------- */
/* Debug ;-)                                                       */
/* --------------------------------------------------------------- */
NOVALUE:
/* Handler for SIGNAL ON NOVALUE: name the uninitialized variable,   */
/* show the source line that raised it (SIGL), then end the exec.    */
say 'Condition NOVALUE was raised.'
say condition('D') 'variable was not initialized.'
say sourceline(sigl)
exit