373 lines
14 KiB
HTML
373 lines
14 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="reference" />
|
||
|
<meta name="DC.Title" content="Example: EXPORTing keys" />
|
||
|
<meta name="abstract" content="Change this program example to suit your needs for migrating the key store files." />
|
||
|
<meta name="description" content="Change this program example to suit your needs for migrating the key store files." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzajcmigrateprpq.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="exporttsstxt" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Example: EXPORTing keys</title>
|
||
|
</head>
|
||
|
<body id="exporttsstxt"><a name="exporttsstxt"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Example: EXPORTing keys</h1>
|
||
|
<div><p>Change this program example to suit your needs for migrating the
|
||
|
key store files. </p>
|
||
|
<div class="section"><p>This is step one. Once you run this program, use <a href="rzajcimporttsstxt.htm#importtsstxt">Example: IMPORTing keys</a> to
|
||
|
complete the migration process.</p>
|
||
|
<div class="note"><span class="notetitle">Note:</span> Read the <a href="codedisclaimer.htm#codedisclaimer">Code license and disclaimer information</a> for
|
||
|
important legal information.<p>If you choose to use this program example,
|
||
|
change it to suit your specific needs. For security reasons, IBM<sup>®</sup> recommends
|
||
|
that you individualize these program examples rather than using the default
|
||
|
values provided.</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="example"> <pre>/*---------------------------------------------------------------*/
|
||
|
/* Description: One of two programs used to migrate DES keys */
|
||
|
/* from a key store file used with the 2620 to a */
|
||
|
/* key store file for use with the card. */
|
||
|
/* */
|
||
|
/* Note: This program is intended to be used in conjunction with */
|
||
|
/* IMPORT_TSS to migrate DES keys from 2620 to card. */
|
||
|
/* EXPORT_TSS should be run first to generate a file */
|
||
|
/* containing the needed key information in a secure, */
|
||
|
/* exportable form. The file should then be transferred */
|
||
|
/* to the target system. IMPORT_TSS can then be run using */
|
||
|
/* the file to import the keys into a previously created */
|
||
|
/* key storage file. */
|
||
|
/* */
|
||
|
/* */
|
||
|
/* COPYRIGHT 5769-SS1 (c) IBM Corp 1999 */
|
||
|
/* */
|
||
|
/* This material contains programming source code for your */
|
||
|
/* consideration. These examples have not been thoroughly */
|
||
|
/* tested under all conditions. IBM, therefore, cannot */
|
||
|
/* guarantee or imply reliability, serviceability, or function */
|
||
|
/* of these programs. All programs contained herein are */
|
||
|
/* provided to you "AS IS". THE IMPLIED WARRANTIES OF */
|
||
|
/* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE */
|
||
|
/* EXPRESSLY DISCLAIMED. IBM provides no program services for */
|
||
|
/* these programs and files. */
|
||
|
/* */
|
||
|
/* Parameters: File to contain exported key information */
|
||
|
/* */
|
||
|
/* Examples: */
|
||
|
/* CALL PGM(EXPORT_TSS) PARM('File_for_Exported_Keys') */
|
||
|
/* */
|
||
|
/* */
|
||
|
/* Use the following commands to compile this program: */
|
||
|
/* ADDLIBLE LIB(QTSS) */
|
||
|
/* CRTCMOD MODULE(EXPORT_TSS) SRCFILE(SAMPLE) */
|
||
|
/* CRTPGM PGM(EXPORT_TSS) MODULE(EXPORT_TSS) */
|
||
|
/* */
|
||
|
/* Note: authority to the functions CSNBKEX, CSNBKPI, CSNBKRL, */
|
||
|
/* and CSNBKTB is assumed */
|
||
|
/* */
|
||
|
/* Common Cryptographic Architecture (CCA) verbs used: */
|
||
|
/* Key_Export CSNBKEX */
|
||
|
/* Key_Part_Import CSNBKPI */
|
||
|
/* Key_Record_List CSNBKRL */
|
||
|
/* Key_Token_Build CSNBKTB */
|
||
|
/*---------------------------------------------------------------*/
|
||
|
|
||
|
#include <stdlib.h>
|
||
|
#include <stdio.h>
|
||
|
#include <string.h>
|
||
|
#include "MIPTRNAM.H" /* needed to resolve function ptrs */
|
||
|
#include "csucincl.h" /* header file for CCA Cryptographic
|
||
|
Service Provider */
|
||
|
|
||
|
|
||
|
int main(int argc, char *argv[])
|
||
|
{
|
||
|
|
||
|
/*--------------------------------------------------*/
|
||
|
/* standard return codes */
|
||
|
/*--------------------------------------------------*/
|
||
|
#define ERROR -1
|
||
|
#define OK 0
|
||
|
|
||
|
/*--------------------------------------------------*/
|
||
|
/* Declare function pointers (see csucincl.h) */
|
||
|
/*--------------------------------------------------*/
|
||
|
T_CSNBKEX *CSNBKEX;
|
||
|
T_CSNBKRL *CSNBKRL;
|
||
|
T_CSNBKPI *CSNBKPI;
|
||
|
T_CSNBKTB *CSNBKTB;
|
||
|
|
||
|
|
||
|
/*--------------------------------------------------*/
|
||
|
/* standard CCA parameters */
|
||
|
/*--------------------------------------------------*/
|
||
|
|
||
|
long return_code;
|
||
|
long reason_code;
|
||
|
long exit_data_length = 0;
|
||
|
char exit_data[2];
|
||
|
long rule_array_count = 0;
|
||
|
char rule_array[2][8];
|
||
|
|
||
|
/*--------------------------------------------------*/
|
||
|
/* additional parameters needed for CSNBKRL */
|
||
|
/*--------------------------------------------------*/
|
||
|
char key_label[64];
|
||
|
long data_set_name_length = 0;
|
||
|
char data_set_name[65];
|
||
|
char security_server_name[9] = " ";
|
||
|
|
||
|
/*--------------------------------------------------*/
|
||
|
/* additional parameters needed for CSNBKEX */
|
||
|
/*--------------------------------------------------*/
|
||
|
char key_type[8];
|
||
|
char source_key_identifier[64];
|
||
|
char exporter_key_identifier[64];
|
||
|
char target_key_token[64];
|
||
|
|
||
|
/*--------------------------------------------------*/
|
||
|
/* additional parameters needed for CSNBKTB */
|
||
|
/*--------------------------------------------------*/
|
||
|
char key_token[64];
|
||
|
char key_value[64];
|
||
|
long master_key_verification_pattern = 0;
|
||
|
long reserved_int;
|
||
|
char reserved_str[8];
|
||
|
char control_vector[16];
|
||
|
|
||
|
/*--------------------------------------------------*/
|
||
|
/* additional parameters needed for CSNBKPI */
|
||
|
/*--------------------------------------------------*/
|
||
|
char key_part[16];
|
||
|
char key_identifier[64];
|
||
|
|
||
|
/*--------------------------------------------------*/
|
||
|
/* Other variables */
|
||
|
/*--------------------------------------------------*/
|
||
|
char header1[77];
|
||
|
long num_rec, i;
|
||
|
long num_successful = 0;
|
||
|
long rec_length, offset_rec1;
|
||
|
|
||
|
char key_record[154];
|
||
|
|
||
|
FILE *krl, *export_file;
|
||
|
|
||
|
|
||
|
/* Check input parm */
|
||
|
if (argc < 2)
|
||
|
{
|
||
|
printf("File for storing the exported key data not specified.\n");
|
||
|
return ERROR;
|
||
|
}
|
||
|
|
||
|
/*---------------------------------------------------*/
|
||
|
/* Resolve function pointers */
|
||
|
/*---------------------------------------------------*/
|
||
|
_lib_qualify(CSNBKEX,QTSS)
|
||
|
_lib_qualify(CSNBKRL,QTSS)
|
||
|
_lib_qualify(CSNBKPI,QTSS)
|
||
|
_lib_qualify(CSNBKTB,QTSS)
|
||
|
|
||
|
memset(key_label,' ',64);
|
||
|
memcpy(key_label,"*.*.*.*.*",9);
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
/*-----------------------------------------------------------*/
|
||
|
/* Invoke the verb to create a DES Key Record List */
|
||
|
/*-----------------------------------------------------------*/
|
||
|
CSNBKRL( &return_code,
|
||
|
&reason_code,
|
||
|
&exit_data_length,
|
||
|
exit_data,
|
||
|
key_label,
|
||
|
&data_set_name_length,
|
||
|
data_set_name,
|
||
|
security_server_name);
|
||
|
|
||
|
if ((return_code != 0) || (reason_code != 0))
|
||
|
{
|
||
|
printf("Key Record List generation was unsuccessful. ");
|
||
|
printf("Return/reason code = %d/%d\n",return_code, reason_code);
|
||
|
return ERROR;
|
||
|
}
|
||
|
|
||
|
|
||
|
printf("Key Record List generation was successful. ");
|
||
|
printf("Return/reason codes = %d/%d\n",return_code, reason_code);
|
||
|
data_set_name[data_set_name_length] = '\0';
|
||
|
printf("data_set_name = %s\n\n",data_set_name);
|
||
|
|
||
|
|
||
|
/* Generate a clear key for export use. */
|
||
|
/* The same key will be used for import. */
|
||
|
memcpy(key_type,"EXPORTER",8);
|
||
|
rule_array_count = 2;
|
||
|
memcpy(rule_array[0],"INTERNAL",8);
|
||
|
memcpy(rule_array[1],"KEY-PART",8);
|
||
|
|
||
|
CSNBKTB( &return_code,
|
||
|
&reason_code,
|
||
|
&exit_data_length,
|
||
|
exit_data,
|
||
|
key_token,
|
||
|
key_type,
|
||
|
&rule_array_count,
|
||
|
(char *) rule_array,
|
||
|
key_value,
|
||
|
&master_key_verification_pattern,
|
||
|
&reserved_int,
|
||
|
reserved_str,
|
||
|
control_vector,
|
||
|
reserved_str,
|
||
|
&reserved_int,
|
||
|
reserved_str,
|
||
|
reserved_str);
|
||
|
|
||
|
if (return_code != 0) {
|
||
|
printf("Building of the export key failed.\n");
|
||
|
printf("Key Token Build failed.");
|
||
|
printf("Return/reason codes = %d/%d\n",return_code, reason_code);
|
||
|
return ERROR;
|
||
|
}
|
||
|
|
||
|
/* Import the key parts to be used. */
|
||
|
rule_array_count = 1;
|
||
|
memcpy(rule_array[0],"FIRST ",8);
|
||
|
memset(key_part,'\x01',16);
|
||
|
|
||
|
for(i=1;i<=2;i++) {
|
||
|
CSNBKPI( &return_code,
|
||
|
&reason_code,
|
||
|
&exit_data_length,
|
||
|
(char *) exit_data,
|
||
|
&rule_array_count,
|
||
|
(char *) rule_array,
|
||
|
key_part,
|
||
|
key_token);
|
||
|
|
||
|
if (return_code != 0) {
|
||
|
printf("Building of the export key failed.\n");
|
||
|
printf("Key Part Import failed.");
|
||
|
printf("Return/reason codes = %d/%d\n",return_code, reason_code);
|
||
|
return ERROR;
|
||
|
}
|
||
|
|
||
|
memcpy(rule_array[0],"LAST ",8);
|
||
|
/* Set key part to the clear key to be used. */
|
||
|
/* Note: It may not be desirable to hard-code this. */
|
||
|
memcpy(key_part,"ClEar.KEY.hErE!!",16);
|
||
|
|
||
|
}
|
||
|
|
||
|
/* Export key built successfully. */
|
||
|
/* Open the Key Record List file. */
|
||
|
krl = fopen(data_set_name, "rb");
|
||
|
|
||
|
if (krl == NULL)
|
||
|
{ /* Open failed. */
|
||
|
printf("The open of the Key Record List file failed.\n");
|
||
|
return ERROR;
|
||
|
}
|
||
|
|
||
|
|
||
|
|
||
|
/* Key record list open was successful. */
|
||
|
/* Open the file to save key info. */
|
||
|
export_file = fopen(argv[1], "wb");
|
||
|
if (export_file == NULL)
|
||
|
{
|
||
|
printf("Opening of key export file failed.\n");
|
||
|
fclose(krl);
|
||
|
return ERROR;
|
||
|
}
|
||
|
|
||
|
/* Write num_successful to the export file to hold a place for it. */
|
||
|
fwrite(&num_successful,sizeof(long),1,export_file);
|
||
|
|
||
|
/* Read the first part of the KRL header. */
|
||
|
fread(header1,1,77,krl);
|
||
|
|
||
|
/* Get the number of key records in the file. */
|
||
|
num_rec = atoi(&header1[50]);
|
||
|
printf("Number of key records = %d\n",num_rec);
|
||
|
|
||
|
/* Get the length for the key records. */
|
||
|
rec_length = atol(&header1[58]);
|
||
|
|
||
|
/* Get the offset for the first key record. */
|
||
|
offset_rec1 = atol(&header1[62]);
|
||
|
|
||
|
/* Set the file pointer to the first key record. */
|
||
|
fseek(krl, offset_rec1, SEEK_SET);
|
||
|
|
||
|
/* Set the key type to TOKEN. */
|
||
|
memcpy(key_type,"TOKEN ",8);
|
||
|
|
||
|
/* Loop through the entries in the KRL and EXPORT. */
|
||
|
for (i = 1; i <= num_rec; i++)
|
||
|
{
|
||
|
fread(key_record, 1, rec_length, krl);
|
||
|
memcpy(source_key_identifier, &key_record[3], 64);
|
||
|
|
||
|
CSNBKEX(&return_code,
|
||
|
&reason_code,
|
||
|
&exit_data_length,
|
||
|
exit_data,
|
||
|
key_type,
|
||
|
source_key_identifier,
|
||
|
key_token,
|
||
|
/* exporter_key_identifier, */
|
||
|
target_key_token);
|
||
|
|
||
|
printf("Exporting of key = %.64s",source_key_identifier);
|
||
|
printf("completed with return/reason codes of ");
|
||
|
printf("%d/%d\n",return_code,reason_code);
|
||
|
|
||
|
if (return_code == 0)
|
||
|
{
|
||
|
++num_successful;
|
||
|
fwrite(source_key_identifier, 1, 64, export_file);
|
||
|
fwrite(target_key_token, 1, 64, export_file);
|
||
|
}
|
||
|
|
||
|
} /* end of for loop */
|
||
|
|
||
|
printf("Key store file exported successfully.\n");
|
||
|
printf("%d key(s) successfully exported.\n\n",num_successful);
|
||
|
|
||
|
/* Write out the number of exported keys and close the file. */
|
||
|
fseek(export_file,0,SEEK_SET);
|
||
|
fwrite(&num_successful,sizeof(long),1,export_file);
|
||
|
|
||
|
/* Close the files and return. */
|
||
|
fclose(krl);
|
||
|
fclose(export_file);
|
||
|
return OK;
|
||
|
}</pre>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcmigrateprpq.htm" title="If you currently use the Common Cryptographic Architecture (CCA) Services for OS/400 (5799-FRF), you can migrate the keys in the key store file so that your Cryptographic Coprocessor can use them. The Coprocessor uses the migrated keys with the CCA Cryptographic Service Provider (CCA CSP, which is packaged as i5/OS Option 35).">Migrate key store files from the IBM CCA Services for OS/400 PRPQ</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|