/* Rexx */
/*--------------------------------------------------------------------*/
/* This sample will convert an existing RSA private key so that it */
/* can be used with the PKCS-PSS digital-signature hash formatting */
/* method. */
/* */
/* The RSA key to be converted must be an existing secure key */
/* encrypted under the RSA master key. The RSA key may be in */
/* modulus-exponent (ME) format or Chinese Remainder Theorem (CRT) */
/* format. The RSA key token formats are described in the ICSF */
/* Application Programmer's Guide (APG), Appendix "Key token formats".*/
/* */
/* See the ICSF APG for more detailed information on the callable */
/* services used in this sample. */
/* */
/* PKCS-PSS formatting method is supported on ICSF HCR77C0 and CEX5C */
/* and above. The coprocessor ECC master key must be active. If the */
/* ECC master key is not active, see the ICSF Administrator's Guide */
/* "Updating the key data sets with additional master keys". */
/*--------------------------------------------------------------------*/
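/*--------------------------------------------------------------------*/
/* PKDS labels.  left(...,64) blank-pads each label to the 64 bytes   */
/* that source_key_length / private_key_length announce to ICSF.      */
/*--------------------------------------------------------------------*/
/* existing RSA private key label to convert */
existing_RSA_key_label = left('SAMPLE.RSA.CRT.MOD2048',64) ;
/* converted RSA private key label */
converted_RSA_private_key = left('SAMPLE.RSA.CRT.MOD2048.PSS',64) ;

/*-------------------*/
/* PKA Key Translate */
/*-------------------*/
/* Return/reason codes start as non-zero so that, if the service is   */
/* never invoked or never updates them, the check below still fails.  */
PKT_rc = 'FFFFFFFF'x ;
PKT_rs = 'FFFFFFFF'x ;
exit_data_length = '00000000'x ;
exit_data = '' ;

/* Rule-array keywords are fixed 8-byte fields, left-justified and    */
/* blank-padded.  left(...,8) makes the padding explicit so a keyword */
/* cannot silently end up shorter than 8 bytes (which would make the  */
/* array shorter than rule_array_count * 8).                          */
rule_array_count = d2c(2,4) ;
rule_array = left('INTDWAKW',8)||,
             left('FR-PSS',8) ;          /* format restriction keyword */
/* Once converted, this key may only be used with the PKCS-PSS
   digital-signature hash formatting method.  Restricting the key to
   one formatting method keeps it from being used under a different
   signature scheme.  For no restriction on usage, specify FR-NONE.
   See the ICSF Application Programmer's Guide for more information.
   NOTE(review): INTDWAKW selects the internal-token conversion that
   needs the ECC master key mentioned in the header - confirm the
   exact semantics in the APG for your ICSF level.
*/

/* The source key is passed by label (64 bytes), not as a token.      */
source_key_length = d2c(64,4) ;
source_key = existing_RSA_key_label ;

/* No transport keys are supplied: both lengths are zero.             */
source_xport_key_length = d2c(0,4) ;
source_xport_key = '' ;
target_xport_key_length = d2c(0,4) ;
target_xport_key = '' ;

/* Output buffer for the converted token: 3500 zero bytes, with the   */
/* same size announced in target_key_length.                          */
target_key_length = d2c(3500,4) ;
target_key = d2c(0,3500) ;

/* CALL CSNDPKT */
ADDRESS LINKPGM 'CSNDPKT' ,
                'PKT_rc' ,
                'PKT_rs' ,
                'exit_data_length' ,
                'exit_data' ,
                'rule_array_count' ,
                'rule_array' ,
                'source_key_length' ,
                'source_key' ,
                'source_xport_key_length' ,
                'source_xport_key' ,
                'target_xport_key_length' ,
                'target_xport_key' ,
                'target_key_length' ,
                'target_key' ;

IF PKT_rc /= '00000000'x THEN
  DO ;
    SAY 'PKT failed: rc =' c2x(PKT_rc) 'rs =' c2x(PKT_rs) ;
    /* Exit non-zero so a calling job or exec can tell that the key   */
    /* was not converted; a bare EXIT would look like success.        */
    EXIT 8 ;
  END ;

/* Write converted RSA private key to PKDS */
/* NOTE(review): target_key_length is presumably updated by CSNDPKT   */
/* to the real token length; target_key itself is still the full      */
/* 3500-byte buffer.  Confirm against the APG.                        */
/* NOTE(review): creating a record under a label that already exists  */
/* presumably fails, so a second run of this sample would stop in     */
/* PKRC - confirm and delete or rename the label as needed.           */
key_label = converted_RSA_private_key ;
key_token_length = target_key_length ;
key_token = target_key ;
CALL PKRC ;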
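/*-----------------------------------------------------------------*/
/* Use the converted RSA private key to generate a signature using */
/* the PKCS-PSS digital signature formatting hash method.          */
/*-----------------------------------------------------------------*/
/* Return/reason codes start as non-zero so that a call that never */
/* updates them is still reported as a failure below.              */
DSG_rc = 'FFFFFFFF'x ;
DSG_rs = 'FFFFFFFF'x ;
exit_data_length = '00000000'x ;
exit_data = '' ;

/* Four rule-array keywords, each a fixed 8-byte field that is      */
/* left-justified and blank-padded.  left(...,8) makes the padding  */
/* explicit so the array is always rule_array_count * 8 bytes long. */
rule_array_count = '00000004'x ;
rule_array = left('RSA',8)||,
             left('PKCS-PSS',8)||,
             left('HASH',8)||,
             left('SHA-256',8) ;

/* The signing key is referenced by its 64-byte PKDS label.         */
private_key_length = d2c(64,4) ;
private_key = converted_RSA_private_key ;

/* Input is 36 bytes ('24'x): a 4-byte salt length followed by the  */
/* 32-byte hash.  The salt length of '20'x (32) equals the SHA-256  */
/* digest size.  The hash below is a fixed sample value; a real     */
/* caller supplies the SHA-256 digest of the message being signed.  */
data_length = '00000024'x ;
data = '00000020'x||, /* salt length */
       '9EFDE926830891B7F2889646D0105BD8'x||, /* hash */
       '09C64F6217EC046F5B384F625C9CCF66'x ;

/* Signature buffer sized for a 2048-bit modulus (256 bytes).       */
sig_field_length = '00000100'x ; /* 256 decimal */
sig_bit_length = '00000800'x ; /* 2048 decimal */
sig_field = copies('00'x,256) ;

/* CALL CSNDDSG */
ADDRESS LINKPGM 'CSNDDSG' ,
                'DSG_rc' ,
                'DSG_rs' ,
                'exit_data_length' ,
                'exit_data' ,
                'rule_array_count' ,
                'rule_array' ,
                'private_key_length' ,
                'private_key' ,
                'data_length' ,
                'data' ,
                'sig_field_length' ,
                'sig_bit_length' ,
                'sig_field' ;

IF DSG_rc /= '00000000'x THEN
  DO ;
    SAY 'DSG failed: rc =' c2x(DSG_rc) 'rs =' c2x(DSG_rs) ;
    /* Exit non-zero so the caller can tell no signature was made;  */
    /* a bare EXIT would look like success.                         */
    EXIT 8 ;
  END ;

/* Keep only the bytes the service reports in sig_field_length.     */
sig_field = substr(sig_field,1,c2d(sig_field_length)) ;
SAY 'signature field length:' c2x(sig_field_length) ;
SAY 'signature bit length:' c2x(sig_bit_length) ;
SAY 'signature:' c2x(sig_field) ;
EXIT ;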
/*------------------------*/
/* PKDS Key Record Create */
/*------------------------*/
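PKRC:
/* Creates a PKDS record via CSNDKRC.                                 */
/* Input  (set by the caller before CALL PKRC):                       */
/*   key_label        - label of the record to create                 */
/*   key_token_length - 4-byte binary length of the token             */
/*   key_token        - token to store in the record                  */
/* Output: returns to the caller on success; on any non-zero return   */
/*   code it reports rc/rs and ends the whole exec.                   */
/* Overwrites exit_data_length, exit_data, rule_array_count and       */
/* rule_array, which the main line sets again before its next call.   */

/* Start as non-zero so a call that never updates them still fails.   */
PKRC_rc = 'FFFFFFFF'x ;
PKRC_rs = 'FFFFFFFF'x ;
/* Hex literal: without the trailing x this was the 8-character       */
/* string of zeros rather than a 4-byte binary zero, unlike every     */
/* other call in this exec.                                           */
exit_data_length = '00000000'x ;
exit_data = '' ;
/* No rule-array keywords are passed to this service.                 */
rule_array_count = '00000000'x ;
rule_array = '' ;

/* CALL CSNDKRC */
ADDRESS LINKPGM 'CSNDKRC' ,
                'PKRC_rc' ,
                'PKRC_rs' ,
                'exit_data_length' ,
                'exit_data' ,
                'rule_array_count' ,
                'rule_array' ,
                'key_label' ,
                'key_token_length' ,
                'key_token' ;

IF PKRC_rc /= '00000000'x THEN
  DO ;
    SAY 'PKRC failed: rc =' c2x(PKRC_rc) 'rs =' c2x(PKRC_rs) ;
    /* Exit non-zero so the caller can tell the converted key was not */
    /* stored; a bare EXIT would look like success.                   */
    EXIT 8 ;
  END ;
RETURN ;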