ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajccertkeyc.htm

320 lines
15 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Example: ILE C program for certifying a public key token" />
<meta name="abstract" content="Change this program example to suit your needs for certifying a public key token." />
<meta name="description" content="Change this program example to suit your needs for certifying a public key token." />
<meta name="DC.Relation" scheme="URI" content="rzajcworking.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="certkeyc" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Example: ILE C program for certifying a public key token</title>
</head>
<body id="certkeyc"><a name="certkeyc"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Example: ILE C program for certifying a public key token</h1>
<div><p>Change this program example to suit your needs for certifying a
public key token. </p>
<div class="section"><div class="p"><div class="note"><span class="notetitle">Note:</span> Read the <a href="codedisclaimer.htm#codedisclaimer">Code license and disclaimer information</a> for
important legal information.</div>
</div>
</div>
<div class="example"> <pre>/*-------------------------------------------------------------------*/
/* CERTKEY */
/* */
/* Sample program to certify a CCA public key certificate to be */
/* used for master key cloning. */
/* */
/* COPYRIGHT 5769-SS1 (C) IBM CORP. 1999, 1999 */
/* */
/* This material contains programming source code for your */
/* consideration. These examples have not been thoroughly */
/* tested under all conditions. IBM, therefore, cannot */
/* guarantee or imply reliability, serviceability, or function */
/* of these program. All programs contained herein are */
/* provided to you "AS IS". THE IMPLIED WARRANTIES OF */
/* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE */
/* ARE EXPRESSLY DISCLAIMED. IBM provides no program services for */
/* these programs and files. */
/* */
/* */
/* Note: Input format is more fully described in Chapter 2 of */
/* IBM CCA Basic Services Reference and Guide */
/* (SC31-8609) publication. */
/* */
/* Parameters: FILENAME - File containing public key token */
/* RETAINED_KEY_NAME - Name of key to certify token */
/* */
/* Example: */
/* CALL PGM(CERTKEY) PARM(MYKEY.PUB CERTKEY) */
/* */
/* */
/* Note: This program assumes the card with the profile is */
/* already identified either by defaulting to the CRP01 */
/* device or by being explicitly named using the */
/* Cryptographic_Resource_Allocate verb. Also this */
/* device must be varied on and you must be authorized */
/* to use this device description. */
/* */
/* The Common Cryptographic Architecture (CCA) verbs used are */
/* Digital_Signature_Generate (CSNDDSG) and One_Way_Hash (CSNBOWH). */
/* */
/* Use these commands to compile this program on the system: */
/* ADDLIBLE LIB(QCCA) */
/* CRTCMOD MODULE(CERTKEY) SRCFILE(SAMPLE) */
/* CRTPGM PGM(CERTKEY) MODULE(CERTKEY) */
/* BNDDIR(QCCA/QC6BNDDIR) */
/* */
/* Note: Authority to the CSNDDSG and CSNBOWH service programs */
/* in the QCCA library is assumed. */
/* */
/*-------------------------------------------------------------------*/
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include "csucincl.h"
#include "decimal.h"
extern void QDCXLATE(decimal(5,0), char *, char*, char *);
#pragma linkage (QDCXLATE, OS, nowiden)
int main(int argc, char *argv[])
{
/*------------------------------------------------------------------*/
/* Declares for CCA parameters */
/*------------------------------------------------------------------*/
long return_code = 0;
long reason_code = 0;
long exit_data_length = 0;
char exit_data[4];
char rule_array[24];
long rule_array_count;
long token_len = 2500;
char token[2500];
long chaining_vector_length = 128;
long hash_length = 20;
long text_length;
unsigned char chaining_vector[128];
unsigned char hash[20];
long signature_length = 256;
long signature_bit_length;
/*------------------------------------------------------------------*/
/* Declares for working with a PKA token */
/*------------------------------------------------------------------*/
long pub_sec_len; /* Public section length */
long cert_sec_len; /* Certificate section length */
long offset; /* Offset into token */
long tempOffset; /* (Another) Offset into token */
long tempLength; /* Length variable */
char name[64]; /* Private key name */
char SAname[64]; /* Share administration or certifying */
/* key name. */
char SAnameASCII[64]; /* Share admin key name in ASCII */
long SAname_length = 64; /* Length of Share admin key name */
long count; /* Number of bytes read from file */
decimal(5,0) xlate_length = 64; /* Packed decimal variable */
/* needed for call to QDCXLATE. */
FILE *fp; /* File pointer */
if (argc &lt; 3) /* Check the number of parameters passed */
{
printf("Need to enter a public key name and SA key\n");
return 1;
}
name[0] = 0; /* Make copy of name parameters */
strcpy(name,argv[1]);
memset(SAname, ' ', 64); /* Make copy of Share Admin key name */
memcpy(SAname,argv[2],strlen(argv[2]));
fp = fopen(name,"rb"); /* Open the file containing the token */
if (!fp)
{
printf("File %s not found.\n",argv[1]);
return 1;
}
memset(token,0,2500); /* Read the token from the file */
count = fread(token,1,2500,fp);
fclose(fp);
/* Determine length of token from length */
/* bytes at offset 2 and 3. */
token_len = ((256 * token[2]) + token[3]);
if (count &lt; token_len) /* Check if whole token was read in */
{
printf("Incomplete token in file\n");
return 1;
}
/************************************************************/
/* Find the certificate offset in the token */
/* */
/* The layout of the token is */
/* */
/* - Token header - 8 bytes - including 2 length bytes */
/* - Public key section - length bytes at offset 10 overall */
/* - Private key name - 68 bytes */
/* - Certificate section */
/* */
/************************************************************/
pub_sec_len = ((256 * token[10]) + token[11]);
offset = pub_sec_len + 68 + 8; /* Set offset to certiicate section */
/* Determine certificate section */
/* length from the length bytes at */
/* offset 2 of the section. */
cert_sec_len = ((256 * token[offset + 2]) + token[offset + 3]);
tempOffset = offset + 4; /* Set offset to first subsection */
/*-----------------------------------------------------*/
/* Parse each subsection of the certificate until the */
/* signature subsection is found or the end is reached.*/
/* (Identifier for signature subsection is Hex 45.) */
/*-----------------------------------------------------*/
while(token[tempOffset] != 0x45 &amp;&amp;
tempOffset &lt; offset + cert_sec_len)
{
tempOffset += 256 * token[tempOffset + 2] + token[tempOffset+3];
}
/*----------------------------------------------------*/
/* Check if no signature was found before the end of */
/* the certificate section. */
/*----------------------------------------------------*/
if (token[tempOffset] != 0x45)
{
printf("Invalid certificate\n");
return 1;
}
/*******************************************************/
/* Replace Private key name in certificate with the */
/* Share admin key name (expressed in ASCII). */
/*******************************************************/
text_length = tempOffset - offset + 70;
memcpy(SAnameASCII,SAname,64);
/*----------------------------------------------------*/
/* Convert the Share Admin key name to ASCII */
/*----------------------------------------------------*/
QDCXLATE(xlate_length, SAnameASCII, "QASCII ", "QSYS ");
memcpy(&amp;token[tempOffset + 6], SAnameASCII, 64);
/**************************************************************/
/* Hash the certificate */
/**************************************************************/
memcpy((void*)rule_array,"SHA-1 ",8);
rule_array_count = 1;
chaining_vector_length = 128;
hash_length = 20;
CSNBOWH( &amp;return_code, &amp;reason_code, &amp;exit_data_length,
exit_data,
&amp;rule_array_count,
(unsigned char*)rule_array,
&amp;text_length,
&amp;token[offset],
&amp;chaining_vector_length,
chaining_vector,
&amp;hash_length,
hash);
if (return_code != 0)
{
printf("One_Way_Hash Failed : return reason %d/%d\n",
return_code, reason_code);
return 1;
}
/**************************************************************/
/* Create a signature */
/**************************************************************/
memcpy((void*)rule_array,"ISO-9796",8);
rule_array_count = 1;
CSNDDSG( &amp;return_code, &amp;reason_code, &amp;exit_data_length,
exit_data,
&amp;rule_array_count,
(unsigned char*)rule_array,
&amp;SAname_length,
SAname,
&amp;hash_length,
hash,
&amp;signature_length,
&amp;signature_bit_length,
&amp;token[tempOffset+70]);
if (return_code != 0)
{
printf("Digital Signature Generate Failed : return reason %d/%d\n",
return_code, reason_code);
return 1;
}
/*-----------------------------------------------*/
/* Check if the new signature is longer than the */
/* original signature */
/*-----------------------------------------------*/
if((token[tempOffset + 2] * 256 + token[tempOffset + 3]) - 70 !=
signature_length)
{
printf("Signature Length change from %d to %d.\n",
token[tempOffset + 2] * 256 + token[tempOffset + 3] - 70,
signature_length);
/* Adjust length in signature subsection */
token[tempOffset + 2] = signature_length &gt;&gt; 8;
token[tempOffset + 3] = signature_length;
/* Adjust length in certificate section */
token[offset + 2] = (text_length + signature_length) &gt;&gt; 8;
token[offset + 3] = text_length + signature_length;
/* Adjust length in token header section */
tempLength = 8 + pub_sec_len + 68 + text_length +
signature_length;
token[2] = tempLength &gt;&gt; 8;
token[3] = tempLength;
}
else tempLength = token[2] * 256 + token[3];
/********************************************/
/* Write certified public key out to a file */
/********************************************/
strcat(name,".CRT"); /* Append .CRP to filename */
fp = fopen(name,"wb"); /* Open the certificate file */
if (!fp)
{
printf("File open failed for output\n");
}
else
{
fwrite(token, 1, tempLength, fp);
fclose(fp);
printf("Public token written to file %s.\n",name);
}
}</pre>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcworking.htm" title="After you set up your Cryptographic Coprocessor, you can begin writing programs to make use of your Cryptographic Coprocessor's cryptographic functions.">Manage the Cryptographic Coprocessor</a></div>
</div>
</div>
</body>
</html>