IBM Crypto Education Community

  • 1.  Could use some pointers on a Key Gen failed call

    Posted Wed April 26, 2023 04:22 PM


    I'm using BKGN to make a DES pair of keys using form OPEX, key types IMPORTER EXPORTER, key length DOUBLE-O. I've passed an exporter key label for the key id 2 for an internal token exporter key, and low values for the key id1. I've also set low values for both the generated key id values. I get back an 8/39 (A Control Vector Violation) error code for the call.

    I've tried to pass a token I built (using key token build) in the gen key id 2 field, but that didn't change my error.

    I'm just trying to build a key pair of importer & exporter matching keys. 

    I've read through the BKGN documentation several times.  I'm missing something.  I just can't see it. 

    Anyone who can point me in the right direction would be appreciated.

    Thanks,
    -Mark Vollmer



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------


  • 2.  RE: Could use some pointers on a Key Gen failed call

    Posted Thu April 27, 2023 09:00 AM

    Without seeing all the parms, I'd suggest making sure that KEK id 2 is an EXPORTER with attributes OPEX and EXPORT enabled in the control vector.

    Easy way: If you or someone has access to the CKDS KEYS utility (ICSF option 5.5), you can take a look at the attributes of the key in the CKDS.

    Hard way: If you must look at the token manually, the control vector mapping is defined in ICSF Application Programmer's Guide (APG), Appendix C. Changing control vectors with the CVT callable service, Section Control-Vector Base Bits. The control vector is at offset 32 in the key token (APG, Appendix B. Key Token Formats, Section DES fixed-length key token).



    ------------------------------
    Roan Dawkins
    ------------------------------



  • 3.  RE: Could use some pointers on a Key Gen failed call

    Posted Thu April 27, 2023 04:20 PM

    The exporter key has this information...

     Key Attributes                                                      
      Algorithm:      DES            Key type:        EXPORTER           
      Length (bits):  128            Key check value: xxxxxx    ENC-ZERO
      Key Usage:      GEN-IMEX GEN-OPEX GEN-EXEX EXPORT                  

                                                         
     Key Management: WRAP-ECB XPORT-OK T31XPTOK NOCMPTAG 

    Does this look right?



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 4.  RE: Could use some pointers on a Key Gen failed call

    Posted Thu April 27, 2023 04:58 PM

    I might also add that I created two (RNG) random ODD 8 byte values and concatenated them together to make a double-o style key for this EXPORTER key.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 5.  RE: Could use some pointers on a Key Gen failed call

    Posted Thu April 27, 2023 09:01 AM
    Edited by Eleanor Chan Thu April 27, 2023 05:25 PM

    Try using a KEK that's also DOUBLE-O or TRIPLE-O in the KEK_key_identifier_2 parameter.



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 6.  RE: Could use some pointers on a Key Gen failed call

    Posted Thu April 27, 2023 05:27 PM

    The Key Management attributes for KEK_key_identifier_2 should list DOUBLE-O

    Key Attributes                                                       
     Algorithm:      DES            Key type:        EXPORTER            
     Length (bits):  128            Key check value: EEDDD5    ENC-ZERO  
     Key Usage:      GEN-IMEX GEN-OPEX GEN-EXEX EXPORT                   
                                                                         
                                                                         
                                                                         
     Key Management: WRAP-ECB DOUBLE-O XPORT-OK T31XPTOK NOCMPTAG        



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 7.  RE: Could use some pointers on a Key Gen failed call

    Posted Fri April 28, 2023 07:50 AM

    Thanks very much.  Creating a KEK with a DOUBLE-O attribute did indeed get me past this problem. 

    Thanks for the hint.   And thanks to Roan Dawkins for helping me navigate to more features under ICSF to help diagnose my problem.

    I hope to return the favors some day.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 8.  RE: Could use some pointers on a Key Gen failed call

    Posted Sat April 29, 2023 08:26 AM

    Follow up question...

    I was successful in the BKGN call.  OPEX  (IMPORTER/EXPORTER).  I provided a skeleton token for both keys.  In the key build calls I did specify DOUBLE-O.  Yet for some reason after the BKGN call is made the keys created do not have the DOUBLE-O attribute on the resulting keys.

    For the EX/EXPORTER key, I performed a KIM (Key Import) using the corresponding import key used on the ID2 part of the BKGN call to get it back into internal form.

    Create two tokens, one internal importer, one external exporter, both DOUBLE-O. 
    BKGN with OPEX  IMPORTER, EXPORTER and the two token templates I just built.
    BKIM to import the external EXPORTER key to get it into internal format.
    Browsing CKDS, I find neither key has the DOUBLE-O attribute.  

    Either I'm doing something wrong, or what I want done can be completed this way. 

    Any thoughts would be appreciated.

    Sincerely,
    Mark Vollmer

    All of my calls completed with zeroes.

    But because I had specified DOUBLE-O on the key token build calls, I expected to see that attribute on the resulting keys generated.

    Note: Using DES double length keys for everything at this time.



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 9.  RE: Could use some pointers on a Key Gen failed call

    Posted Mon May 01, 2023 10:12 AM

    Hello Mark -

    These are the parameters I used in KGN and was able to generate a key pair with DOUBLE-O control vector.  You don't need to build skeletons using key token build first.

    key_form   = 'OPEX'                                             
    key_length = 'DOUBLE-O'                                         
    key_type1  = 'IMPORTER'                                         
    key_type2  = 'EXPORTER'                                         
    KEK_id1    = copies('00'x,64)                                   
    KEK_id2    = left('EXPORTER.DOUBLEO',64)  
    gen_key1   = copies('00'x,64)                                   
    gen_key2   = copies('00'x,64)                                   



    ------------------------------
    Eleanor Chan
    ------------------------------
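
Added example (not part of any post in this thread): the parameters from post 9 wrapped in a complete REXX call, with a check for the 8/39 failure from post 1 and a dump of the control vector at offset 32 of each generated token, as described in post 2. It assumes TSO/E REXX on z/OS with ICSF active, the ADDRESS LINKPGM calling pattern for CSNBKGN, and that the reason code 39 quoted in the thread is decimal; the KEK label is the one from post 9 and has to be replaced with a label from your own CKDS.

```rexx
/* REXX - added example; assumes TSO/E on z/OS with ICSF active      */
key_form   = 'OPEX'
key_length = 'DOUBLE-O'
key_type1  = 'IMPORTER'
key_type2  = 'EXPORTER'
KEK_id1    = copies('00'x,64)             /* low values, as in post 9 */
KEK_id2    = left('EXPORTER.DOUBLEO',64)  /* label from post 9; use   */
                                          /* your own CKDS label      */
gen_key1   = copies('00'x,64)             /* null tokens: no skeleton */
gen_key2   = copies('00'x,64)             /* from key token build     */

return_code      = 'FFFFFFFF'x            /* 4-byte binary fields     */
reason_code      = 'FFFFFFFF'x
exit_data_length = '00000000'x
exit_data        = ''

address linkpgm 'CSNBKGN',
  'return_code' 'reason_code' 'exit_data_length' 'exit_data',
  'key_form' 'key_length' 'key_type1' 'key_type2',
  'KEK_id1' 'KEK_id2' 'gen_key1' 'gen_key2'

if rc <> 0 then do                        /* LINKPGM itself failed    */
  say 'Could not invoke CSNBKGN, LINKPGM rc =' rc
  exit 16
end

ret = c2d(return_code)
rsn = c2d(reason_code)
say 'CSNBKGN return/reason =' ret'/'rsn '(reason hex' c2x(reason_code)')'

select
  when ret = 0 then do
    /* Control vector is at offset 32 of the 64-byte DES token,      */
    /* which is position 33 for substr(). Decode the bits with the   */
    /* APG Appendix C mapping cited in post 2.                        */
    say 'Key 1 (IMPORTER) CV:' c2x(substr(gen_key1,33,8))
    say 'Key 2 (EXPORTER) CV:' c2x(substr(gen_key2,33,8))
  end
  when ret = 8 & rsn = 39 then do         /* assumed decimal 39       */
    say 'Control vector violation. Check the KEK named in KEK_id2:'
    say '  EXPORTER key type, GEN-OPEX and EXPORT usage (post 2),'
    say '  and DOUBLE-O in its key management attributes (post 6).'
  end
  otherwise
    say 'Other failure; look up the return/reason pair in the APG.'
end
exit ret
```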