ibm-information-center/dist/eclipse/plugins/i5OS.ic.apis_5.4.0.1/qc3wrtkr.htm

674 lines
19 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
<!-- Begin Header Records -->
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<!-- Created for V5R4 by beth hagemeister 6/29/04 -->
<!-- Change history: -->
<!-- end header records -->
<title>Write Key Record (QC3WRTKR, Qc3WriteKeyRecord)</title>
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body>
<a name="Top_Of_Page"></a>
<!--Java sync-link-->
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
</script>
<h2><img src="delta.gif" alt="Start of change">Write Key Record (QC3WRTKR, Qc3WriteKeyRecord)</h2>
<div class="box" style="width: 80%;">
<br>
&nbsp;&nbsp;Required Parameter Group:<br>
<!-- iddvc RMBR -->
<br>
<table width="100%">
<tr>
<td align="center" valign="top" width="10%">1</td>
<td align="left" valign="top" width="60%">Qualified key store file name</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Char(20)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">2</td>
<td align="left" valign="top" width="60%">Record label</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Char(32)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">3</td>
<td align="left" valign="top" width="60%">Key string</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Char(*)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">4</td>
<td align="left" valign="top" width="60%">Length of key string</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Binary(4)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">5</td>
<td align="left" valign="top" width="60%">Key format</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Char(1)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">6</td>
<td align="left" valign="top" width="60%">Key type</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Binary(4)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">7</td>
<td align="left" valign="top" width="60%">Disallowed function</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Binary(4)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">8</td>
<td align="left" valign="top" width="60%">Key form</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Char(1)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">9</td>
<td align="left" valign="top" width="60%">Key-encrypting key context token</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Char(8)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">10</td>
<td align="left" valign="top" width="60%">Key-encrypting algorithm context
token</td>
<td align="left" valign="top" width="15%">Input</td>
<td align="left" valign="top" width="15%">Char(8)</td>
</tr>
<tr>
<td align="center" valign="top" width="10%">11</td>
<td align="left" valign="top" width="60%">Error code</td>
<td align="left" valign="top" width="15%">I/O</td>
<td align="left" valign="top" width="15%">Char(*)</td>
</tr>
</table>
<br>
&nbsp;Service Program Name: QC3KRWRT<br>
<!-- iddvc RMBR -->
<br>
&nbsp;Default Public Authority: *USE<br>
<!-- iddvc RMBR -->
<br>
&nbsp;Threadsafe: Yes<br>
<!-- iddvc RMBR -->
<br>
</div>
<p>The Write Key Record (OPM, QC3WRTKR; ILE, Qc3WriteKeyRecord)
API stores the specified key value in a key store file.
</p>
<p>For more information about cryptographic services key store, refer to
<a href="qc3KeyStore.htm">Cryptographic Services Key Store</a>.
</p>
<br>
<h3>Authorities and Locks</h3>
<dl>
<dt><strong>Required file authority</strong></dt>
<dd>*OBJOPR, *READ, *ADD<br>
<br>
</dd>
</dl>
<br>
<h3>Required Parameter Group</h3>
<dl>
<dt><strong>Qualified key store file name</strong></dt>
<dd>INPUT; CHAR(20)
<p>The key store file where the key will be stored. The first 10 characters
contain the file name. The second 10 characters contain the name of the library
where the key store file is located.</p>
</dd>
<dt><strong>Record label</strong></dt>
<dd>INPUT; CHAR(32)
<p>The label for the key record.
The label will be converted from the job CCSID, or if 65535, the job default
CCSID (DFTCCSID) job attribute to CCSID 1200 (Unicode UTF-16).
</p>
</dd>
<dt><strong>Key string</strong></dt>
<dd>INPUT; CHAR(*)
<p>A binary string or a formatted structure containing the key.
The exact format of the key string is specified in the key format parameter.
</p>
</dd>
<dt><strong>Length of key string</strong></dt>
<dd>INPUT; BINARY(4)
<p>Length of the key string specified in the key string parameter.</p>
<p>
Note this is not the same thing as key length. Key length is determined
based on the other parameters. Following are some examples:</p>
<ul>
<li>If key format is 0 (binary string) and
<ul>
<li>the key form is 0 (clear) then the key length equals the length of key string.</li>
<li>the key form is 1 (encrypted) then
the key length will be the decrypted key string length.</li>
</ul></li>
<li>If key format is 1 (BER string) then the key length will be the length
specified within the BER string.</li>
<li>If key format is 6 (PEM certificate) then the key length will be the length
specified in the certificate.</li>
</ul>
<p>Most algorithms have key length requirements. Refer to the key type
parameter for restrictions on key length.
</p><br>
</dd>
<dt><strong>Key format</strong></dt>
<dd>INPUT; CHAR(1)
<p>Format of the key string parameter.<br>
Following are the valid values.</p>
<table width="95%">
<!-- cols="5 95" -->
<tr>
<td align="left" valign="top" width="5%"><strong>0</strong></td>
<td align="left" valign="top" width="95%">Binary string. The key is specified
as a binary value. To obtain a good random key value, use the <a href=
"qc3gensk.htm">Generate Symmetric Key (OPM, QC3GENSK; ILE,
Qc3GenSymmetricKey)</a>, or <a href="qc3genprns.htm">Generate Pseudorandom
Numbers (OPM, QC3GENRN; ILE, Qc3GenPRNs)</a> API.
<br><br>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>1</strong></td>
<td align="left" valign="top" width="95%">BER string. If the key type field
specifies 50 (RSA public), the key may be specified in BER encoded X.509
Certificate or
SubjectPublicKeyInfo
format. For specifications of these formats, refer to
RFC 3280. If the key type field specifies 51 (RSA private), the key must be
specified in BER encoded PKCS #8 format. For specifications of this format,
refer to RSA Security Inc. Public-Key Cryptography Standards. To generate a
PKA key pair, use the <a href="qc3genpk.htm">Generate PKA Key Pair (OPM, QC3GENPK;
ILE, Qc3GenPKAKeyPair)</a> API.
<br><br>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>6</strong></td>
<td align="left" valign="top" width="95%">PEM certificate. The key string parameter
contains a PEM based certificate.
<br><br>
</td>
</tr>
</table>
</dd>
<dt><strong>Key type</strong></dt>
<dd>INPUT; BINARY(4)
<p>The type of key.<br>
Following are the valid values.</p>
<table width="95%">
<!-- cols="5 95" -->
<tr>
<td align="left" valign="top" width="5%"><strong>1</strong></td>
<td align="left" valign="top" width="95%">MD5<br>
The key format must be 0.
An MD5 key is used for HMAC (hash message
authentication code) operations. The minimum length for an MD5 HMAC key is 16
bytes. A key longer than 16 bytes does not significantly increase the function
strength unless the randomness of the key is considered weak. A key longer than
64 bytes will be hashed before it is used.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>2</strong></td>
<td align="left" valign="top" width="95%">SHA-1<br>
The key format must be 0.
An SHA-1 key is used for HMAC (hash message
authentication code) operations. The minimum length for an SHA-1 HMAC key is 20
bytes. A key longer than 20 bytes does not significantly increase the function
strength unless the randomness of the key is considered weak. A key longer than
64 bytes will be hashed before it is used.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>3</strong></td>
<td align="left" valign="top" width="95%">SHA-256<br>
The key format must be 0.
An SHA-256 key is used for HMAC (hash message
authentication code) operations. The minimum length for an SHA-256 HMAC key is
32 bytes. A key longer than 32 bytes does not significantly increase the
function strength unless the randomness of the key is considered weak. A key
longer than 64 bytes will be hashed before it is used.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>4</strong></td>
<td align="left" valign="top" width="95%">SHA-384<br>
The key format must be 0.
An SHA-384 key is used for HMAC (hash message
authentication code) operations. The minimum length for an SHA-384 HMAC key is
48 bytes. A key longer than 48 bytes does not significantly increase the
function strength unless the randomness of the key is considered weak. A key
longer than 128 bytes will be hashed before it is used.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>5</strong></td>
<td align="left" valign="top" width="95%">SHA-512<br>
The key format must be 0.
An SHA-512 key is used for HMAC (hash message
authentication code) operations. The minimum length for an SHA-512 HMAC key is
64 bytes. A key longer than 64 bytes does not significantly increase the
function strength unless the randomness of the key is considered weak. A key
longer than 128 bytes will be hashed before it is used.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>20</strong></td>
<td align="left" valign="top" width="95%">DES<br>
The key format must be 0.
The key must be 8 bytes in length. Only 7 bits of each
byte are used as the actual key. The rightmost bit of each byte is used to set
parity. Some cryptographic service providers require that a DES key have odd
parity in every byte. Others ignore parity.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>21</strong></td>
<td align="left" valign="top" width="95%">Triple DES<br>
The key format must be 0.
The key must be 8, 16, or 24 bytes in length. Triple DES
operates on an encryption block by doing a DES encrypt, followed by a DES
decrypt, and then another DES encrypt. Therefore, it actually uses three 8-byte
DES keys. If 24 bytes are supplied in the key string, the first 8 bytes are
used for key 1, the second 8 bytes for key 2, and the third 8 bytes for key 3.
If 16 bytes are supplied, the first 8 bytes are used for key 1 and key 3, and
the second 8 bytes for key 2. If only 8 bytes are supplied, it will be used for
all 3 keys (essentially making the operation equivalent to a single DES
operation). Only 7 bits of each byte are used as the actual key. The rightmost
bit of each byte is used to set parity. Some cryptographic service providers
require that a Triple DES key have odd parity in every byte. Others ignore
parity.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>22</strong></td>
<td align="left" valign="top" width="95%">AES<br>
The key format must be 0.
The key must be 16, 24, or 32 bytes in length.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>23</strong></td>
<td align="left" valign="top" width="95%">RC2<br>
The key format must be 0.
The key must be from 1 to 128 bytes in length.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>30</strong></td>
<td align="left" valign="top" width="95%">RC4-compatible<br>
The key format must be 0.
The key must be from 1 to 256 bytes in length. Because of
the nature of the RC4-compatible algorithm, using the same key for more than
one message will severely compromise security.</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>50</strong></td>
<td align="left" valign="top" width="95%">RSA public<br>
The key format must be 1 or 6.
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%"><strong>51</strong></td>
<td align="left" valign="top" width="95%">RSA private<br>
The key format must be 1.
</td>
</tr>
</table>
<br>
</dd>
<dt><strong>Disallowed function</strong></dt>
<dd>INPUT; BINARY(4)
<p>This parameter specifies the functions that cannot be used with this key
record. The values listed below can be added together to disallow multiple
functions. For example, to disallow everything but MACing, set the value to
11.</p>
<table width="95%">
<!-- cols="10 90" -->
<tr>
<td align="left" valign="top" width="10%"><strong>0</strong></td>
<td align="left" valign="top" width="90%">No functions are disallowed.</td>
</tr>
<tr>
<td align="left" valign="top"><strong>1</strong></td>
<td align="left" valign="top">Encryption is disallowed.</td>
</tr>
<tr>
<td align="left" valign="top"><strong>2</strong></td>
<td align="left" valign="top">Decryption is disallowed.</td>
</tr>
<tr>
<td align="left" valign="top"><strong>4</strong></td>
<td align="left" valign="top">MACing is disallowed.</td>
</tr>
<tr>
<td align="left" valign="top"><strong>8</strong></td>
<td align="left" valign="top">Signing is disallowed.</td>
</tr>
</table>
<br>
</dd>
<dt><strong>Key form</strong></dt>
<dd>INPUT; CHAR(1)
<p>An indicator specifying if the key string parameter is in encrypted form.</p>
<table width="95%">
<!-- cols="5 95" -->
<tr>
<td align="left" valign="top" width="5%"><strong>0</strong></td>
<td align="left" valign="top" width="95%">Clear.<br>
The key string is not encrypted.</td>
</tr>
<tr>
<td align="left" valign="top"><strong>1</strong></td>
<td align="left" valign="top">Encrypted.<br>
The key string is encrypted. The key-encrypting key context token and
key-encrypting algorithm context token parameters are used to decrypt the key
string when a cryptographic operation is performed. This option is only
allowed with key formats 0 (binary string) and 1 (BER string.)</td>
</tr>
</table>
<br>
</dd>
<dt><strong>Key-encrypting key context token</strong></dt>
<dd>INPUT; CHAR(8)
<p>The key context token specifying the key for decrypting the key string
parameter. If the key string parameter is not encrypted (key form parameter is
0), this parameter must be set to blanks or the pointer to this parameter set
to NULL.</p>
</dd>
<dt><strong>Key-encrypting algorithm context token</strong></dt>
<dd>INPUT; CHAR(8)
<p>The algorithm context token specifying the algorithm for decrypting the key
string parameter. If the key string parameter is not encrypted (key form
parameter is 0), this parameter must be set to blanks or the pointer to this
parameter set to NULL.</p>
</dd>
<dt><strong>Error code</strong></dt>
<dd>I/O; CHAR(*)
<p>The structure in which to return error information.
For the format of the structure, see <a href="../apiref/error.htm#hdrerrcod">Error Code
Parameter</a>.</p>
</dd>
</dl>
<br>
<h3><a name="header_9">Error Messages</a></h3>
<table width="100%">
<tr>
<th align="left" valign="top">Message ID</th>
<th align="left" valign="top">Error Message Text</th>
</tr>
<tr>
<td width="15%" valign="top">CPF24B4 E</td>
<td width="85%" valign="top">Severe error while addressing parameter list.</td>
</tr>
<tr>
<td valign="top">CPF3C1E E</td>
<td valign="top">Required parameter &amp;1 omitted.</td>
</tr>
<tr>
<td valign="top">CPF3CF1 E</td>
<td valign="top">Error code parameter not valid.</td>
</tr>
<tr>
<td align="left" valign="top">CPF3CF2 E</td>
<td align="left" valign="top">Error(s) occurred during running of &amp;1
API.</td>
</tr>
<tr>
<td valign="top">CPF9872 E</td>
<td valign="top">Program or service program &amp;1 in library &amp;2 ended. Reason code &amp;3.</td>
</tr>
<tr>
<td valign="top">CPF9D9E D</td>
<td valign="top">Record label already exists.</td>
</tr>
<tr>
<td valign="top">CPF9D9F D</td>
<td valign="top">Not authorized to key store file.</td>
</tr>
<tr>
<td valign="top">CPF9DA0 D</td>
<td valign="top">Error occured opening key store file.</td>
</tr>
<tr>
<td valign="top">CPF9DA5 D</td>
<td valign="top">Key store file not found.</td>
</tr>
<tr>
<td valign="top">CPF9DA6 D</td>
<td valign="top">The key store file is not available.</td>
</tr>
<tr>
<td valign="top">CPF9DA7 D</td>
<td valign="top">File is corrupt or not a valid key store file.</td>
</tr>
<tr>
<td valign="top">CPF9DA9 D</td>
<td valign="top">The PEM certificate contains invalid formatting.</td>
</tr>
<tr>
<td valign="top">CPF9DAC E</td>
<td valign="top">Disallowed function value not valid.</td>
</tr>
<tr>
<td valign="top">CPF9DB3 E</td>
<td valign="top">Qualified key store file name not valid.</td>
</tr>
<tr>
<td valign="top">CPF9DB6 E</td>
<td valign="top">Record label not valid.</td>
</tr>
<tr>
<td valign="top">CPF9DB7 E</td>
<td valign="top">Error occured writing to key store.</td>
</tr>
<tr>
<td valign="top">CPF9DB8 E</td>
<td valign="top">Error occured retrieving key record from key store.</td>
</tr>
<tr>
<td valign="top">CPF9DC2 E</td>
<td valign="top">Key-encrypting algorithm context not compatible with key-encrypting key context.</td>
</tr>
<tr>
<td valign="top">CPF9DC6 E</td>
<td valign="top">Algorithm not valid for encrypting or decrypting a key.</td>
</tr>
<tr>
<td valign="top">CPF9DD7 E</td>
<td valign="top">The key-encrypting key context for the specified key is not valid or was previously destroyed.</td>
</tr>
<tr>
<td valign="top">CPF9DD8 E</td>
<td valign="top">The key-encrypting algorithm context for the specified key is not valid or was previously destroyed.</td>
</tr>
<tr>
<td valign="top">CPF9DDA E</td>
<td valign="top">Unexpected return code &amp;1.</td>
</tr>
<tr>
<td valign="top">CPF9DDB E</td>
<td valign="top">The key string or Diffie-Hellman parameter string is not valid.</td>
</tr>
<tr>
<td valign="top">CPF9DDD E</td>
<td valign="top">The key string length is not valid.</td>
</tr>
<tr>
<td valign="top">CPF9DE7 E</td>
<td valign="top">Key type not valid.</td>
</tr>
<tr>
<td valign="top">CPF9DE8 E</td>
<td valign="top">Key form not valid.</td>
</tr>
<tr>
<td valign="top">CPF9DE9 E</td>
<td valign="top">Key format not valid.</td>
</tr>
<tr>
<td valign="top">CPF9DF1 E</td>
<td valign="top">The algorithm context token does not reference a valid algorithm context.</td>
</tr>
<tr>
<td valign="top">CPF9DF3 E</td>
<td valign="top">Algorithm in algorithm context not valid for requested operation.</td>
</tr>
<tr>
<td valign="top">CPF9DF4 E</td>
<td valign="top">The key context token does not reference a valid key context.</td>
</tr>
<tr>
<td valign="top">CPF9DFC E</td>
<td valign="top">The key-encrypting algorithm or key context token is not valid.</td>
</tr>
</table>
<br>
<img src="deltaend.gif" alt="End of change"><br>
<hr>
API introduced: V5R4
<hr>
<center>
<table cellpadding="2" cellspacing="2">
<tr align="center">
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> | <a href=
"catcrypt.htm">Cryptographic Services APIs</a> | <a href="aplist.htm">APIs by
category</a></td>
</tr>
</table>
</center>
</body>
</html>