I’ve put some code on GitHub, in C and REXX, which provides a simpler interface to ICSF. The code examples hide a lot of the complexity.
For example, to generate an AES CIPHER key, the high level C code is:

```c
// Build the skeleton for C=CIPHER (could be E for exporter or I for importer).
// It returns the skeleton and its length.
rc = skeletonAES("C", &pToken, &lToken);
if (rc != 0) return rc;
// Generate the key, passing the skeleton and returning the token:
// input the skeleton, output the token.
rc = GENAES2(pToken, &lToken);
if (rc != 0) return rc;
// Add this to the CKDS.
rc = addCKDS(pKey, pToken, lToken, pReplace);
if (rc != 0) return rc;
printf("GENAES %s successful\n", pKey);
return rc;
```
To export an AES key:

```c
// Pass in the name of the AES key (pKey) and
// the name of the encryption key (AES EXPORT or PKI) (pKek).
// Get back the blob of data.
rc = exportAES(pKey, pKek, &pData, &lData);
if (rc > 0) return rc;
// Write the blob to a file specified by dd.
rc = writeKey("dd:TOKEN", pData, lData);
```
It writes the following to //SYSPRINT:
```
Exists: CSNBKRR2 read AESDHE CKDS rc 0 rs 0 No error found
KEY:AESDHE:INTERNAL SYMMETRI EXPORTER CANAES
Exists: CSNBKRR2 read PKDS2 CKDS rc 8 rs 10012 Key not found
Exists: CSNDKRR read PKDS2 PKDS rc 0 rs 0 No error found .
KEK:PKDS2:INTERNAL PKA RSAPRIV 1024MEAO
RSA ¬AES:Rule:AES PKOAEP2 SHA-256 AES AESKW AES
ExpAESK:CSNDSYX rc 8 rs 2055 The RSA public key is too small to encrypt the DES key
```
Where…
- Exists: CSNBKRR2 read AESDHE CKDS rc 0 rs 0 No error found
  - It used the ICSF service CSNBKRR2 to check that AESDHE is in the CKDS.
- KEY:AESDHE:INTERNAL SYMMETRI EXPORTER CANAES
  - It reports some information about the key. It is a symmetric (AES) exporter key and can do AES processing.
- Exists: CSNBKRR2 read PKDS2 CKDS rc 8 rs 10012 Key not found
  - This is OK. It looks in the CKDS first, but as this is a PKI key it will not be found there.
- Exists: CSNDKRR read PKDS2 PKDS rc 0 rs 0 No error found .
  - It is found in the PKDS.
- KEK:PKDS2:INTERNAL PKA RSAPRIV 1024MEAO
  - This gives information about the Key Encryption Key. It is RSA and has a private key. The key size is 1024.
- RSA ¬AES:Rule:AES PKOAEP2 SHA-256 AES AESKW AES
  - This is the rule used.
- ExpAESK:CSNDSYX rc 8 rs 2055 The RSA public key is too small to encrypt the DES key
  - The size of the PKI key was too small.
  - As well as giving the return code and reason code, it gives the explanation for some of the reason codes.
  - When I repeated this with an RSA key with a large enough key, it worked successfully.
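The walk-through above can be automated when reviewing job output: a miss in the CKDS is expected if the same label is then found in the PKDS, while the CSNDSYX failure is a real error. The following is an added example, not part of the GitHub code, and its line patterns are assumptions inferred only from the sample output shown above.

```python
import re

# Constructed sample: lines copied from the SYSPRINT output shown in the post.
SYSPRINT = """\
Exists: CSNBKRR2 read AESDHE CKDS rc 0 rs 0 No error found
KEY:AESDHE:INTERNAL SYMMETRI EXPORTER CANAES
Exists: CSNBKRR2 read PKDS2 CKDS rc 8 rs 10012 Key not found
Exists: CSNDKRR read PKDS2 PKDS rc 0 rs 0 No error found .
KEK:PKDS2:INTERNAL PKA RSAPRIV 1024MEAO
ExpAESK:CSNDSYX rc 8 rs 2055 The RSA public key is too small to encrypt the DES key
"""

# Line shapes inferred from the sample output only (assumption).
LOOKUP = re.compile(r"^Exists: (\S+) read (\S+) (CKDS|PKDS) rc (\d+) rs (\d+)\s*(.*)$")
CALL = re.compile(r"^(\w+):(CSN\w+) rc (\d+) rs (\d+)\s*(.*)$")

def triage(text):
    """Split non-zero results into real failures and expected lookup misses."""
    lookups, failures = [], []
    for line in text.splitlines():
        m = LOOKUP.match(line)
        if m:
            svc, label, store, rc, rs, msg = m.groups()
            lookups.append({"service": svc, "label": label, "store": store,
                            "rc": int(rc), "rs": int(rs), "text": msg})
            continue
        m = CALL.match(line)
        if m and int(m.group(3)) != 0:
            step, svc, rc, rs, msg = m.groups()
            failures.append({"step": step, "service": svc,
                             "rc": int(rc), "rs": int(rs), "text": msg})
    # A miss is expected when the same label was found in the other data set.
    found = {l["label"] for l in lookups if l["rc"] == 0}
    benign = []
    for l in lookups:
        if l["rc"] != 0:
            (benign if l["label"] in found else failures).append(l)
    return failures, benign

if __name__ == "__main__":
    failures, benign = triage(SYSPRINT)
    for f in failures:
        print("FAIL  ", f["service"], f["rc"], f["rs"], f["text"])
    for b in benign:
        print("expect", b["service"], b["label"], b["store"], b["rs"])
```

A label that is missing from both data sets is reported as a failure rather than as an expected miss.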
There are also some macros such as
- isRSAPRIV… is this token (blob of data) an RSA private key?
- isEXPORTER … has this token been defined as an EXPORTER key?
I use these to check keys being used for operations to check that keys are valid for the ICSF operations.
The GitHub code is a work in progress. As I find problems I’m fixing them, but overall it should show you what you can do with it.