IBM Crypto Education Community

  • 1.  FYI: Reason code 2158 not documented.

    Posted Sat September 18, 2021 12:41 PM
    I've found that reason code 2158 is not documented.
    I was expecting a reason code to say public/private key mismatch in EC type and/or key size.
    I'm using

    CSNDEDH with  2 private/public keys.
    Public ECBPP160            - EC Brain Pool P160
    Private ECNISTP192       - EC NIST P192

    The documentation says under private_key

    The ECC curve type and size must be the same as the type (Prime, Brainpool, or Koblitz) and size of
    the ECC key-token specified by the public key identifier parameter.

    so I expect this to be the problem.

    I've attached a program  in zipped format.
    Unzip it, then ftp to z/OS using Site recfm=fb, lrecl=80 etc
    Then use tso receive indsn(...)

    The JCL I used is

    //GAESXDH EXEC CCPROC,PROG=GAESXDH
    //*
    // SET PR='-private ECNISTP192'
    // SET PU='-public ECBPP160 '
    /*
    // SET TYPE='I'
    //IMPORTER EXEC PGM=GAESXDH,REGION=0M,
    // PARM='-key AESDH&TYPE. -replace y -type &TYPE &PR &PU'
    //STEPLIB DD DISP=SHR,DSN=COLIN.LOAD
    //SYSPRINT DD SYSOUT=*,DCB=(LRECL=200)
    //CEEDUMP DD SYSOUT=*,DCB=(LRECL=200)
    //SYSOUT DD SYSOUT=*
    //SYSERR DD SYSOUT=*
    /*

    The output in //SYSPRINT is
    Exists: CSNBKRR2 read ECNISTP192 CKDS rc 8 rs 10012 Key not found
    Exists: CSNDKRR read ECNISTP192 PKDS rc 0 rs 0 No error found .
    Private:ECNISTP192:INTERNAL PKA ECCPRIV
    Exists: CSNBKRR2 read ECBPP160 CKDS rc 8 rs 10012 Key not found
    Exists: CSNDKRR read ECBPP160 PKDS rc 0 rs 0 No error found .
    Public :ECBPP160:INTERNAL PKA ECCPRIV
    SKELAES:CSNBKTB2 type=I rc 0 rs 0 No error found
    print variable key
    {

    Internal token
    Version 5
    Wrapping No key
    Wrapping key is encrypted under the master key (internal)
    Key Verification:None
    Wrapping Method:AESKW
    Hash. SHA-256
    Variable length payload
    Key Use alg AES
    Key type:Importer
    Key used:CBC
    }
    Public ECBPP160
    Private ECNISTP192
    CSNDEDH rc 8 rs 2158
     


    A public key with
    Key Attributes
    Algorithm: ECC Curve: BRAINPOOL
    P (bits): 512 Q (bytes): 129
    Key Usage: KEYM SIGN NO-XLAT Key Management: NOEXCPAC
    Sections: PRIVATE PUBLIC

    works

    but

    Key Attributes
    Algorithm: ECC Curve: BRAINPOOL
    P (bits): 160 Q (bytes): 41
    Key Usage: KEYM SIGN NO-XLAT Key Management: NOEXCPAC
    Sections: PRIVATE PUBLIC
    doesn't work

    with private key
    Key Attributes
    Algorithm: ECC Curve: BRAINPOOL
    P (bits): 512 Q (bytes): 129
    Key Usage: KEYM SIGN NO-XLAT Key Management: NOEXCPAC
    Sections: PRIVATE PUBLIC

    This is just a suggestion for the doc. I would have sent an email to mhvrcfs@us.ibm.com but I would not have been able to send the attachment.

    regards

    Colin

    ------------------------------
    Colin Paice
    ------------------------------

    Attachment(s): colin.zip (77 KB)


  • 2.  RE: FYI: Reason code 2158 not documented.

    Posted Sat September 18, 2021 10:17 PM
    Typo in the pubs. It was mistakenly listed as 86C (2156). It was already fixed for an upcoming V2R5 publication refresh (we cannot update the older pubs).

    86E (2158)
    There is a mismatch between ECC key tokens of either curve types, key lengths, or both.
    User action: Correct the inputs so that the curve types and key lengths match.

    ------------------------------
    Eric Rossman
    ------------------------------
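
An added example, not part of the thread or the attached program: a pre-flight check that parses "Key Attributes" listings in the layout shown in the first post and reports the curve-type or key-size differences that CSNDEDH rejects with rc 8 rs 2158. The function names and the PRIME192 listing are constructed for illustration.

```python
import re

# From the reply on this page: reason code 86E (2158), seen here with rc 8,
# means the ECC key tokens differ in curve type, key length, or both.
RC_RS_ECC_MISMATCH = (8, 0x86E)

_ATTRS = re.compile(r"Curve:\s*(\w+).*?P \(bits\):\s*(\d+)", re.S)


def parse_key_attributes(listing):
    """Extract (curve_type, p_bits) from a 'Key Attributes' listing."""
    m = _ATTRS.search(listing)
    if m is None:
        raise ValueError("no 'Curve:' / 'P (bits):' fields in listing")
    return m.group(1).upper(), int(m.group(2))


def ecdh_mismatches(private_listing, public_listing):
    """Return the ways the two keys differ; an empty list means they match."""
    priv_curve, priv_bits = parse_key_attributes(private_listing)
    pub_curve, pub_bits = parse_key_attributes(public_listing)
    problems = []
    if priv_curve != pub_curve:
        problems.append(f"curve type: private {priv_curve}, public {pub_curve}")
    if priv_bits != pub_bits:
        problems.append(f"key size: private {priv_bits} bits, public {pub_bits} bits")
    return problems


# Listings copied from the first post on this page.
BP512 = """Key Attributes
Algorithm: ECC Curve: BRAINPOOL
P (bits): 512 Q (bytes): 129"""
BP160 = """Key Attributes
Algorithm: ECC Curve: BRAINPOOL
P (bits): 160 Q (bytes): 41"""
# Constructed sample: the "PRIME" label and values are assumed, not real output.
PRIME192 = """Key Attributes
Algorithm: ECC Curve: PRIME
P (bits): 192 Q (bytes): 49"""

if __name__ == "__main__":
    for name, pub in (("BP512", BP512), ("BP160", BP160)):
        diffs = ecdh_mismatches(BP512, pub)
        print(name, "ok" if not diffs else f"expect rc/rs {RC_RS_ECC_MISMATCH}: {diffs}")
```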