/* Rexx */
/*--------------------------------------------------------------*/
/* The ICSF callable services Key Export (CSNBKEX) and Key */
/* Import (CSNBKIM) can be used to copy a CKDS key label from */
/* one CKDS to another. */
/* */
/* Key-encrypting keys (KEKs) or transport keys are used to */
/* protect keys that are sent from one system to another */
/* system. KEKs can have key types of EXPORTER or IMPORTER. */
/* The EXPORTER KEK at the originator must have the same clear */
/* key value as the IMPORTER KEK at the receiver. */
/* */
/* For more information on key types and the callable services */
/* used in this sample, see the z/OS ICSF Application */
/* Programmer's Guide. */
/*--------------------------------------------------------------*/
/* This sample assumes the following key-encrypting keys exist */
/* in the respective (sender or receiver) CKDS. The sender */
/* EXPORTER KEK must have the same clear key value as the */
/* receiver IMPORTER KEK. */
SENDER_EXPORTER_KEK = left('SENDER.EXPORTER',64)
RECEIVER_IMPORTER_KEK = left('RECEIVER.IMPORTER',64)
/* This is the key to be exported. */
key_label_to_be_exported = left('SENDER.CIPHER.KEY',64)
/*---------------*/
/* Sender system */
/*---------------*/
/* Call Key Test2 to generate a key check value (kcv) for the */
/* key to be exported. This kcv can be sent with the exported */
/* key to the receiver system to verify that the key was */
/* received correctly. */
/* Key Test2 parameters */
rule_array_count = '00000003'x
rule_array = 'DES '||'GENERATE'||'ENC-ZERO'
key_identifier_length = '00000040'x
key_identifier = key_label_to_be_exported
verification_pattern_length = '00000008'x
verification_pattern = '0000000000000000'x
CALL KYT2
sender_kcv = verification_pattern /* save kcv */
SAY 'SENDER KCV:' c2x(sender_kcv)
/* KEY EXPORT (CSNBKEX) will unwrap the source key from */
/* encryption under the DES master key to encryption under the */
/* exporter key-encrypting key. All wrapping/unwrapping of */
/* secure keys are performed inside the secure boundary of the */
/* crypto coprocessor. */
/* */
/* NOTE: If key_type TOKEN is specified, ICSF will examine the */
/* source_key to determine the key type. */
/* Key Export parameter list */
KEX_rc = 'FFFFFFFF'x
KEX_rs = 'FFFFFFFF'x
exit_data_length = '00000000'x
exit_data = ''
key_type = 'TOKEN ' /* may also specify the key type */
source_key_identifier = key_label_to_be_exported
exporter_key_identifier = SENDER_EXPORTER_KEK
target_key_identifier = copies('00'x,64)
/* call Key Export */
ADDRESS LINKPGM 'CSNBKEX' ,
'KEX_rc' ,
'KEX_rs' ,
'exit_data_length' ,
'exit_data' ,
'key_type' ,
'source_key_identifier' ,
'exporter_key_identifier' ,
'target_key_identifier' ;
if KEX_rc /= '00000000'x THEN
DO
SAY 'KEX failed: rc =' c2x(KEX_rc) 'rs =' c2x(KEX_rs)
EXIT
END
ELSE
DO
/* Send the following key and kcv to the receiver system. */
SAY 'exported key: target_key_identifier:'
SAY c2x(substr(target_key_identifier, 1,32))
SAY c2x(substr(target_key_identifier,33,32))
END
/* ----------------*/
/* Receiver system */
/* ----------------*/
/* KEY IMPORT (CSNBKIM) will unwrap the source key from */
/* encryption under the key-encrypting key to encryption under */
/* the DES master key. */
/* Key Import parameter list */
KIM_rc = 'FFFFFFFF'x
KIM_rs = 'FFFFFFFF'x
exit_data_length = '00000000'x
exit_data = ''
key_type = 'CIPHER ' /* specify key_type if known,
else specify TOKEN */
source_key_identifier = target_key_identifier /* from KEX */
importer_key_identifier = RECEIVER_IMPORTER_KEK
target_key_identifier = copies('00'x,64)
/* call Key Import */
ADDRESS LINKPGM 'CSNBKIM' ,
'KIM_rc' ,
'KIM_rs' ,
'exit_data_length' ,
'exit_data' ,
'key_type' ,
'source_key_identifier' ,
'importer_key_identifier' ,
'target_key_identifier' ;
IF KIM_rc /= '00000000'x THEN
DO
SAY 'KIM failed: rc =' c2x(KIM_rc) 'rs =' c2x(KIM_rs)
EXIT
END
ELSE
DO
SAY 'imported key: target_key_identifier:'
SAY c2x(substr(target_key_identifier, 1,32))
SAY c2x(substr(target_key_identifier,33,32))
END
/* The imported key identifier is now encrypted under the */
/* DES master key. This key may be added to the CKDS. */
/* Key Record Create2 parameter list */
KRC2_rc = 'FFFFFFFF'x
KRC2_rs = 'FFFFFFFF'x
exit_data_length = '00000000'x
exit_data = ''
rule_array_count = '00000000'x
rule_array = ''
key_label = left('RECEIVER.CIPHER.KEY',64)
key_token_length = '00000040'x
key_token = target_key_identifier /* from KIM */
/* call CKDS Key Record Create2 */
ADDRESS LINKPGM 'CSNBKRC2',
'KRC2_rc' ,
'KRC2_rs' ,
'exit_data_length' ,
'exit_data' ,
'rule_array_count' ,
'rule_array' ,
'key_label' ,
'key_token_length' ,
'key_token' ;
IF KRC2_rc /= '00000000'x THEN
DO
SAY 'KRC2 failed: rc =' c2x(KRC2_rc) 'rs =' c2x(KRC2_rs)
EXIT
END
/* Call Key Test2 to verify that the kcv of the key received */
/* matches the kcv of the key sent. */
/* Key Test2 parameters */
rule_array_count = '00000003'x
rule_array = 'DES '||'VERIFY '||'ENC-ZERO'
key_identifier_length = '00000040'x
key_identifier = left('RECEIVER.CIPHER.KEY',64)
verification_pattern_length = '00000008'x
verification_pattern = sender_kcv
CALL KYT2
IF KYT2_rc = '00000000'x THEN
SAY 'KCVs MATCH!!!'
EXIT
/*--------------------------------------------------------------*/
/* Use Key Test2 to generate or verify a key check value. */
/*--------------------------------------------------------------*/
KYT2:
/* Key Test2 parameters */
KYT2_rc = 'FFFFFFFF'x
KYT2_rs = 'FFFFFFFF'x
exit_data_length = '00000000'x
exit_data = '' ;
key_encrypting_key_identifier_length = '00000000'x
key_encrypting_key_identifier = ''
reserved_length = '00000000'x
reserved = ''
/* call Key Test2 */
ADDRESS LINKPGM 'CSNBKYT2',
'KYT2_rc' ,
'KYT2_rs' ,
'exit_data_length' ,
'exit_data' ,
'rule_array_count' ,
'rule_array' ,
'key_identifier_length' ,
'key_identifier' ,
'key_encrypting_key_identifier_length' ,
'key_encrypting_key_identifier' ,
'reserved_length' ,
'reserved' ,
'verification_pattern_length' ,
'verification_pattern' ;
IF KYT2_rc /= '00000000'x THEN
DO
SAY 'KYT2 failed: rc =' c2x(KYT2_rc) 'rs =' c2x(KYT2_rs)
EXIT
END
RETURN