My guess is that the key does not exist in CKDS before starting the
operation. When a key is used securely, it is fetched into the CEX card
while encrypted under the master key. Then it is decrypted and is available
for use. But that is just based upon the phrase secure key import. Any
secure key operations happen inside the CEX card / feature.

Rob Schramm

On Wed, Nov 18, 2015, 8:52 AM John Blythe Reid <johnblyther...@gmail.com>
wrote:

> In the end I had to use ICSF callable services as the use of an assembler
> routine was vetoed. Pity about that. However I do still have some questions
> about the use of ICSF in this case.
>
> First I tried this:
>
> call  csnbktb - build a token:
> --key_type = 'CLRDES
> --rule array =  'INTERNAL','DES','KEYLN8'
> --key_value = the eight byte DES key X'0123456789ABCDEF'
> Here's the token it built:
> 000000000000000002468ACE0000000000000000000000000000000000008C15
> 100000000000000013579BDF000000000000000000000000000000000000BF36
>
> call csnbenc - encipher
> --key_identifier = the token created above
> --plaintext = eight bytes of plain text in ASCII
> --rule_array = 'CBC'
> This ended with return code 8 reason: 02F (47) A source key token is
> unusable because it contains data that is not valid or undefined.
>
> I was then told that an old module already existed which I could call to
> do this. I did, and it worked. It seems rather long winded though. It does
> this:
>
> CALL CSFKTB - build a token
> --KEY_TYPE = 'DATA    '
> --RULE ARRAY = 'INTERNAL'
> --KEY VALUE = 16 spaces
>
> CALL CSFSKI - Secure key import
> --KEY_TYPE = 'DATA    '
> --CLEAR_KEY = the eight byte DES key X'0123456789ABCDEF'
> --KEY_FORM = 'OP  '
> --key_identifier = the token generated by CSFKTB above
>
> CALL CSFENC - encipher
> --key_identifier = the token processed by CSFSKI above
> --clear_text = eight bytes of plain text in ASCII
> --rule_array = 'CUSP    '
> --cipher_text = output area for enciphered text
>
> This works, but why is it necessary to use 'CSFSKI - Secure key import'
> which according to the manual does this: "Use the secure key import
> callable service to encipher a single-length or double-length clear key
> under the system master key" ?
>
> So it seems my eight byte DES key of X'0123456789ABCDEF' is encrypted and
> then decrypted so that it can be used to encrypt the plain text. That
> doesn't seem to make sense to me.
>
> Any comments would be very welcome.
>
> Regards,
> John.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
