In ICSF there is "PKA Public Key Extract Callable Service (CSNDPKX and
CSNFPKX)". This service extracts a PKA public key token from a PKA
internal (operational) or external (importable) private key token. It
performs no cryptographic verification of the PKA private key token.
Of course this is useless unless RACF is storing keys in ICSF PKDS.
Something like RACDCERT EXPORT (LABEL('label-name')) FORMAT(PKCS7B64) will
give you the public key / cert.
R_PKIServ Export will also give it to you.
Rob Schramm
On Thu, Apr 28, 2016, 12:30 PM Kirk Wolf <k...@dovetail.com> wrote:
> I've used assembler for many years, but I've never used it in the same
> sentence with "friendly" :-)
>
> You are right - the Systems SSL gsk_* functions are C-library calls. (For
> a C programmer) these are pretty easy to use to do what you are asking.
>
> There is the R_Datalib API (which I have never used), but it can be called
> with standard calling conventions.
> I doubt that anyone would accuse this stuff of being "friendly" either :-)
> Wait till you see what "DER encoding" means.... that will be fun in
> assembler :-)
>
>
> https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichd100/datalib.htm
>
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>
> On Wed, Apr 27, 2016 at 5:20 PM, Ward, Mike S <mw...@ssfcu.org> wrote:
>
> > Does not seem to be assembler friendly, or am I missing something?
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> > Behalf Of Kirk Wolf
> > Sent: Wednesday, April 27, 2016 11:10 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: ICSF public key extraction.
> >
> > Check out the gsk_* apis in:
> >
> > z/OS Cryptographic Services System SSL Programming
> > SC14-7495-00
> >
> > Kirk Wolf
> > Dovetailed Technologies
> > http://dovetail.com
> >
> > On Wed, Apr 27, 2016 at 9:38 AM, Ward, Mike S <mw...@ssfcu.org> wrote:
> >
> > > Hello all, for all of you that are ICSF experts. I have been looking
> > > through the ICSF manuals for an API that would extract the public key
> > > from an SSL key that is in an RACF key ring.
> > >
> > > I have not been able to locate such an API in ICSF. Is there such a
> > beast?
> > >
> > > ==========================
> > > This email, and any files transmitted with it, is confidential and
> > > intended solely for the use of the individual or entity to which it is
> > > addressed. If you have received this email in error, please notify the
> > > system manager. This message contains confidential information and is
> > > intended only for the individual named. If you are not the named
> > > addressee, you should not disseminate, distribute or copy this e-mail.
> > > Please notify the sender immediately by e-mail if you have received
> > > this message by mistake and delete this e-mail from your system. If
> > > you are not the intended recipient, you are notified that disclosing,
> > > copying, distributing or taking any action in reliance on the contents
> > > of this information is strictly prohibited.
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> email
> > to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > ==========================
> > This email, and any files transmitted with it, is confidential and
> > intended solely for the use of the individual or entity to which it is
> > addressed. If you have received this email in error, please notify the
> > system manager. This message contains confidential information and is
> > intended only for the individual named. If you are not the named
> addressee,
> > you should not disseminate, distribute or copy this e-mail. Please notify
> > the sender immediately by e-mail if you have received this message by
> > mistake and delete this e-mail from your system. If you are not the
> > intended recipient, you are notified that disclosing, copying,
> distributing
> > or taking any action in reliance on the contents of this information is
> > strictly prohibited.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
--
Rob Schramm
The Art of Mainframe, Inc
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
