Generating quantum-safe keys
The examples in this appendix are REXX executables that can be used to generate quantum-safe keys that use CCA and PKCS#11.
This appendix includes the following topics:
B.1 CCA AES 256-bit key generation REXX sample
A CCA AES 256-bit key generation REXX sample is shown in Example B-1.
Example B-1 CCA AES 256-bit key generation REXX sample
/* rexx */
/*-------------------------------------------------------------------*/
/* Generate a secure CCA 256-bit AES CIPHER key */
/*-------------------------------------------------------------------*/
/* expected results */
ExpRC = '00000000'x ;
ExpRS = '00000000'x ;
/*-------------------------------------------------------------------*/
/* Build skeleton token with key usage and key management */
/*-------------------------------------------------------------------*/
KTB2_rule_array = 'INTERNAL' ||,
'AES ' ||,
'NO-KEY ' ||,
'CIPHER ' ||,
'ENCRYPT ' ||,
'DECRYPT ' ||,
'C-XLATE ' ||,
'ANY-MODE' ||,
'NOEX-SYM' ||,
'NOEX-RAW' ||,
'NOEXUASY' ||,
'NOEXAASY' ||,
'NOEX-DES' ||,
'NOEX-AES' ||,
'NOEX-RSA' ||,
'XPRTCPAC'
call CSNBKTB2
/*-------------------------------------------------------------------*/
/* Generate the AES key using the skeleton token from KTB2 */
/*-------------------------------------------------------------------*/
KGN2_Rule_Array = 'AES ' ||,
'OP '
KGN2_clear_key_Bit_Len = '00000100'x /* 256-bit */
KGN2_key_Type_1 = 'TOKEN '
KGN2_key_Type_2 = ''
KGN2_gen_key_1_Len = '000002D5'x
KGN2_gen_key_1 = left(KTB2_target_key_token,c2d(KGN2_gen_key_1_Len))
call CSNBKGN2
exit
/* --------------------------------------------------------------- */
/* CSNBKTB2 - Key Token Build2 */
/* */
/* Builds a variable-length AES skeleton token. */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNBKTB2:
KTB2_rc = 'ffffffff'x ;
KTB2_rs = 'ffffffff'x ;
KTB2_exit_Length = '00000000'x ;
KTB2_exit_Data = '' ;
KTB2_key_name_len = '00000000'x ;
KTB2_key_name = '';
KTB2_user_data_Len = '00000000'x ;
KTB2_user_data = '';
KTB2_token_data_Len = '00000000'x ;
KTB2_token_data = '';
KTB2_clear_key = '';
KTB2_service_data = '';
KTB2_service_data_Len = D2C(length(KTB2_service_data),4) ;
KTB2_target_key_token_Len = d2c(725,4) ;
KTB2_target_key_token = copies('00'x,c2d(KTB2_target_key_token_Len)) ;
KTB2_clear_key_bit_Len = '00000000'x;
KTB2_Rule_count = D2C(length(KTB2_rule_array)/8,4) ;
address linkpgm 'CSNBKTB2' ,
'KTB2_rc' 'KTB2_rs' ,
'KTB2_exit_Length' 'KTB2_exit_Data' ,
'KTB2_rule_count' 'KTB2_rule_array' ,
'KTB2_clear_key_bit_Len' ,
'KTB2_clear_key' ,
'KTB2_key_name_Len' 'KTB2_key_name' ,
'KTB2_user_data_Len' 'KTB2_user_data' ,
'KTB2_token_data_Len' 'KTB2_token_data' ,
'KTB2_service_data_Len' 'KTB2_service_data' ,
'KTB2_target_key_token_Len' 'KTB2_target_key_token' ;
KTB2_target_key_token = ,
substr(KTB2_target_key_token,1,c2d(KTB2_target_key_token_len))
If (KTB2_RC <> ExpRC) | (KTB2_RS <> ExpRS) then
do;
say 'KTB2 failed : rc =' c2x(KTB2_RC) 'rs =' c2x(KTB2_RS)
end;
else
say 'KTB2 successful : rc =' c2x(KTB2_RC) 'rs =' c2x(KTB2_RS)
return
/* --------------------------------------------------------------- */
/* CSNBKGN - Key Generate */
/* */
/* Generates either one or two DES or AES keys encrypted under a */
/* master key (internal form) or KEK (external form). */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNBKGN2:
KGN2_rc = 'ffffffff'x ;
KGN2_rs = 'ffffffff'x ;
KGN2_Exit_Length = '00000000'x ;
KGN2_Exit_Data = '' ;
KGN2_Rule_count = D2C(length(KGN2_rule_array)/8,4)
KGN2_key_Name_1_Len = '00000000'x ;
KGN2_key_Name_1 = '';
KGN2_key_Name_2_Len = '00000000'x ;
KGN2_key_Name_2 = '';
KGN2_user_data_1_Len = '00000000'x ;
KGN2_user_data_1 = '';
KGN2_user_data_2_Len = '00000000'x ;
KGN2_user_data_2 = '';
KGN2_KEK_1_Len = '00000000'x ;
KGN2_KEK_1 = '';
KGN2_KEK_2_Len = '00000000'x;
KGN2_KEK_2 = '';
KGN2_gen_key_2_Len = '00000000'x;
KGN2_gen_key_2 = '';
address linkpgm 'CSNBKGN2' ,
'KGN2_rc' 'KGN2_rs' ,
'KGN2_Exit_Length' 'KGN2_Exit_Data' ,
'KGN2_Rule_Count' 'KGN2_Rule_Array' ,
'KGN2_clear_key_Bit_Len' ,
'KGN2_key_Type_1' 'KGN2_key_Type_2' ,
'KGN2_key_Name_1_Len' 'KGN2_key_Name_1' ,
'KGN2_key_Name_2_Len' 'KGN2_key_Name_2' ,
'KGN2_user_data_1_Len' 'KGN2_user_data_1' ,
'KGN2_user_data_2_Len' 'KGN2_user_data_2' ,
'KGN2_KEK_1_Len' 'KGN2_KEK_1' ,
'KGN2_KEK_2_Len' 'KGN2_KEK_2' ,
'KGN2_gen_key_1_Len' 'KGN2_gen_key_1' ,
'KGN2_gen_key_2_Len' 'KGN2_gen_key_2' ;
If (KGN2_RC <> ExpRC) | (KGN2_RS <> ExpRS) then
do;
say 'KGN2 failed: rc =' c2x(KGN2_RC) 'rs =' c2x(KGN2_RS)
end;
else
say 'KGN2 successful: rc =' c2x(KGN2_RC) 'rs =' c2x(KGN2_RS)
KGN2_gen_key_1 = substr(KGN2_gen_key_1,1,c2d(KGN2_gen_key_1_len))
KGN2_gen_key_2 = substr(KGN2_gen_key_2,1,c2d(KGN2_gen_key_2_len))
Return
B.2 PKCS #11 AES 256-bit key generation REXX sample
A PKCS #11 AES 256-bit key generation REXX sample is shown in Example B-2.
Example B-2 PKCS #11 AES 256-bit key generation REXX sample
/*rexx*/
/*-------------------------------------------------------------------*/
/* Generate a secure 256-bit PKCS #11 AES key */
/*-------------------------------------------------------------------*/
Call TCSetup
/* expected results */
ExpRC = '00000000'x ;
ExpRS = '00000000'x ;
/*-------------------------------------------------------------------*/
/* Generate the AES key using the attribute list */
/*-------------------------------------------------------------------*/
GSK_Handle = Left('QSAFE.TEST.TOKEN',44) ;
GSK_AttrList = '0007'x ||, /* number attributes */
CKA_CLASS ||'0004'x || CKO_SECRET_KEY ||,
CKA_KEY_TYPE ||'0004'x || CKK_AES ||,
CKA_VALUE_LEN ||'0004'x || '00000020'x ||, /* AES 256-bit */
CKA_TOKEN ||'0001'x || CK_TRUE ||,
CKA_IBM_SECURE ||'0001'x || CK_TRUE ||,
CKA_ENCRYPT ||'0001'x || CK_TRUE ||,
CKA_DECRYPT ||'0001'x || CK_TRUE
Call CSFPGSK;
exit
/* --------------------------------------------------------------- */
/* PKCS #11 Generate Secret Key */
/* Use the generate secret key callable service to generate a */
/* secret key or set of domain parameters. */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSFPGSK:
GSK_RC = 'FFFFFFFF'x ;
GSK_RS = 'FFFFFFFF'x ;
GSK_Exit_Length = '00000000'x ;
GSK_Exit_Data = '' ;
GSK_Rule_Count = '00000001'x;
GSK_Rule_Array = 'KEY ';
GSK_Parms_List = ''
GSK_Parms_List_Length = '00000000'x
GSK_AttrListLength = D2C( Length( GSK_AttrList ),4);
/* call GSK */
address linkpgm 'CSFPGSK' ,
'GSK_RC' 'GSK_RS' ,
'GSK_Exit_Length' 'GSK_Exit_Data' ,
'GSK_Handle' ,
'GSK_Rule_Count' 'GSK_Rule_Array' ,
'GSK_AttrListLength' 'GSK_AttrList' ,
'GSK_Parms_List_Length' 'GSK_Parms_List' ;
If (GSK_RC <> ExpRC) | (GSK_RS <> ExpRS) then
say 'GSK failed: rc =' c2x(GSK_rc) 'rs =' c2x(GSK_rs) ;
else
say 'GSK successful : rc =' c2x(GSK_rc) 'rs =' c2x(GSK_rs) ;
return
/* --------------------------------------------------------------- */
/* */
/* --------------------------------------------------------------- */
TCSetup:
CKK_AES = '0000001F'X
CKO_SECRET_KEY = '00000004'X
CKA_CLASS = '00000000'X
CKA_TOKEN = '00000001'X
CKA_IBM_SECURE = '80000006'X
CKA_KEY_TYPE = '00000100'X
CKA_ENCRYPT = '00000104'X;
CKA_DECRYPT = '00000105'X;
CKA_VALUE_LEN = '00000161'X
CK_TRUE = '01'x
CK_FALSE = '00'x
Return
EXIT;
B.3 CCA CRYSTALS-Dilithium key pair generation REXX sample
A CCA CRYSTALS-Dilithium key pair generation REXX sample is shown in Example B-3.
Example B-3 CCA CRYSTALS-Dilithium key pair generation REXX sample
/* Rexx */
/*-------------------------------------------------------------------*/
/* Generate a secure CRYSTALS-Dilithium CCA key pair */
/*-------------------------------------------------------------------*/
/* expected results */
ExpRc = '00000000'x
ExpRs = '00000000'x
/*-------------------------------------------------------------------*/
/* Build skeleton token with key usage */
/*-------------------------------------------------------------------*/
PKB_Rule_Count = '00000002'x ;
PKB_Rule_Array = 'QSA-PAIR' ||,
'U-DIGSIG'
/* CRYSTALS-Dilithium 87 Round 3 KVS */
PKB_KVS = '03'x ||, /* Alg Id */
'00'x ||, /* clear key format */
'0807'x ||, /* Alg param */
'0000'x ||, /* clear key len */
'0000'x /* Reserved */
/* CRYSTALS-Dilithium 65 Round 3 KVS */
/*
PKB_KVS = '03'x ||, /* Alg Id */
'00'x ||, /* clear key format */
'0605'x ||, /* Alg param */
'0000'x ||, /* clear key len */
'0000'x /* Reserved */
*/
call CSNDPKB
/*-------------------------------------------------------------------*/
/* Generate the Dilithium key pair using the skeleton token from PKB */
/*-------------------------------------------------------------------*/
PKG_Rule_Array = 'MASTER '
PKG_Skeleton_Key = PKB_Token;
PKG_Skeleton_Key_length = PKB_Token_length;
call CSNDPKG
Exit
/*------------------------------------------------------------------*/
/* PKA Key Token Build - used to create PKA key tokens. */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/*------------------------------------------------------------------*/
CSNDPKB:
/* initialize parameter list */
PKB_Rc = 'FFFFFFFF'x ;
PKB_Rs = 'FFFFFFFF'x ;
Exit_Length = '00000000'x ;
Exit_Data = '' ;
PKB_KVS_Length = d2c(length(PKB_KVS),4) ;
PKB_UAD_Length = '00000000'x ;
PKB_UAD = ''
PKB_PrivName_Len = '00000000'x ;
PKB_PrivName = ''
Reserved2_Length = '00000000'x ; Reserved2 = '' ;
Reserved3_Length = '00000000'x ; Reserved3 = '' ;
Reserved4_Length = '00000000'x ; Reserved4 = '' ;
Reserved5_Length = '00000000'x ; Reserved5 = '' ;
PKB_Token_Length = d2c(8000,4) ;
PKB_Token = copies('00'x,8000) ;
/* call CSNDPKB */
address linkpgm 'CSNDPKB' ,
'PKB_Rc' 'PKB_Rs' ,
'Exit_Length' 'Exit_Data' ,
'PKB_Rule_Count' 'PKB_Rule_Array' ,
'PKB_KVS_Length' 'PKB_KVS' ,
'PKB_PrivName_Len' 'PKB_PrivName' ,
'PKB_UAD_Length' 'PKB_UAD' ,
'Reserved2_Length' 'Reserved2' ,
'Reserved3_Length' 'Reserved3' ,
'Reserved4_Length' 'Reserved4' ,
'Reserved5_Length' 'Reserved5' ,
'PKB_Token_Length' 'PKB_Token' ;
if (PKB_Rc = ExpRc | PKB_Rs = ExpRs) then
say 'PKB failed: rc =' c2x(PKB_Rc) 'rs =' c2x(PKB_Rs) ;
else
do ;
say 'PKB sucessful: rc =' c2x(PKB_Rc) 'rs =' c2x(PKB_Rs) ;
PKB_Token = substr(PKB_Token,1,c2d(PKB_Token_Length)) ;
end
return
/* --------------------------------------------------------------- */
/* PKA Key Generate - Used to generate PKA key pairs */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNDPKG:
PKG_rc = 'FFFFFFFF'x ;
PKG_rs = 'FFFFFFFF'x ;
PKG_Exit_length = '00000000'x ;
PKG_Exit_Data = '' ;
PKG_Rule_count = d2c( length(PKG_Rule_Array)/8,4 )
PKG_Token_length = '00001F40'x ;
PKG_Token = copies('00'x,c2d(PKG_token_length)) ;
PKG_Regen_data = ''
PKG_Regen_Data_length = d2c( length(PKG_Regen_data),4 )
PKG_Transport_Key_Id = ''
address linkpgm 'CSNDPKG' ,
'PKG_rc' 'PKG_rs' ,
'PKG_Exit_length' 'PKG_Exit_Data' ,
'PKG_Rule_Count' 'PKG_Rule_Array' ,
'PKG_Regen_Data_length' 'PKG_Regen_Data' ,
'PKG_Skeleton_Key_length' 'PKG_Skeleton_Key' ,
'PKG_Transport_Key_Id' ,
'PKG_Token_length' 'PKG_Token' ;
if (PKG_rc = ExpRc | PKG_rs = ExpRs) then
say 'PKG failed: rc =' c2x(PKG_rc) 'rs =' c2x(PKG_rs)
else
Do;
say 'PKG successful : rc =' c2x(PKG_rc) 'rs =' c2x(PKG_rs) ;
PKG_Token = substr(PKG_Token,1,c2d(PKG_Token_length)) ;
End;
Return
B.4 PKCS #11 CRYSTALS-Dilithium key pair generation REXX sample
A PKCS #11 CRYSTALS-Dilithium key pair generation REXX sample is shown in Example B-4.
Example B-4 PKCS #11 CRYSTALS-Dilithium key pair generation REXX sample
/* Rexx */
/*-------------------------------------------------------------------*/
/* Generate a secure PKCS #11 Dilithium key pair */
/*-------------------------------------------------------------------*/
/* expected results */
ExpRC = '00000000'x ;
ExpRS = '00000000'x ;
Call TCSetup
GKP_Handle = Left('QSAFE.TEST.TOKEN',44)
GKP_PrivKey_Attr_List = '0005'x||,
CKA_CLASS ||'0004'x|| CKO_PRIVATE_KEY ||,
CKA_KEY_TYPE ||'0004'x|| CKK_IBM_DILITHIUM ||,
CKA_TOKEN ||'0001'x|| CK_TRUE ||,
CKA_SIGN ||'0001'x|| CK_TRUE ||,
CKA_IBM_SECURE ||'0001'x|| CK_TRUE
GKP_PubKey_Attr_List = '0005'x||,
CKA_CLASS ||'0004'x|| CKO_PUBLIC_KEY ||,
CKA_KEY_TYPE ||'0004'x|| CKK_IBM_DILITHIUM ||,
CKA_IBM_DILITHIUM_MODE ||'000D'x|| DER_OID_8_7_R3 ||,
CKA_TOKEN ||'0001'x|| CK_TRUE ||,
CKA_VERIFY ||'0001'x|| CK_TRUE
Call CSFPGKP;
Exit
/* --------------------------------------------------------------- */
/* PKCS #11 Generate Key Pair */
/* Use the PKCS #11 Generate Key Pair callable service to generate */
/* an RSA, DSA, Elliptic Curve, Diffie-Hellman, Dilithium (LI2) or */
/* Kyber key pair. */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSFPGKP:
GKP_RC = 'FFFFFFFF'x
GKP_RS = 'FFFFFFFF'x
GKP_Exit_Length = '00000000'x
GKP_Exit_Data = ''
GKP_Rule_Count = '00000000'x
GKP_Rule_Array = ''
GKP_PubKey_Handle = copies(' ',44)
GKP_PrivKey_Handle = copies(' ',44)
GKP_PubKey_Attr_List_Length = D2C(Length(GKP_PubKey_Attr_List),4)
GKP_PrivKey_Attr_List_Length = D2C(Length(GKP_PrivKey_Attr_List),4)
address linkpgm 'CSFPGKP',
'GKP_RC' 'GKP_RS',
'GKP_Exit_Length' 'GKP_Exit_Data',
'GKP_Handle',
'GKP_Rule_Count' 'GKP_Rule_Array',
'GKP_PubKey_Attr_List_Length',
'GKP_PubKey_Attr_List',
'GKP_PubKey_Handle',
'GKP_PrivKey_Attr_List_Length',
'GKP_PrivKey_Attr_List',
'GKP_PrivKey_Handle'
if (GKP_RC = ExpRC | GKP_RS = ExpRS) Then
say 'GKP failed: rc =' c2x(GKP_rc) 'rs =' c2x(GKP_rs) ;
else
say 'GKP successful : rc =' c2x(GKP_rc) 'rs =' c2x(GKP_rs) ;
return;
/* --------------------------------------------------------------- */
/* */
/* --------------------------------------------------------------- */
TCSetup:
DER_OID_8_7_R3 = '060B2B0601040102820B070807'X
CKK_IBM_DILITHIUM = '80010023'X
CKO_PUBLIC_KEY = '00000002'X
CKO_PRIVATE_KEY = '00000003'X
CKA_IBM_SECURE = '80000006'X
CKA_KEY_TYPE = '00000100'X
CKA_CLASS = '00000000'X
CKA_TOKEN = '00000001'X
CKA_IBM_DILITHIUM_MODE = '80000010'X
CKA_SIGN = '00000108'X;
CKA_VERIFY = '0000010A'X;
CK_TRUE = '01'x
CK_FALSE = '00'x
Return
EXIT;
B.5 CCA CRYSTALS-Kyber key pair generation REXX sample
A CCA CRYSTALS-Kyber key pair generation REXX sample is shown in Example B-5.
Example B-5 CCA CRYSTALS-Kyber key pair generation REXX sample
/* Rexx */
/*-------------------------------------------------------------------*/
/* Generate a secure CRYSTALS-Kyber CCA key pair */
/*-------------------------------------------------------------------*/
/* expected results */
ExpRc = '00000000'x
ExpRs = '00000000'x
/*-------------------------------------------------------------------*/
/* Build skeleton token with key usage */
/*-------------------------------------------------------------------*/
PKB_Rule_Count = '00000003'x ;
PKB_Rule_Array = 'QSA-PAIR' ||,
'U-KEYENC' ||,
'U-DATENC'
/* CRYSTALS-Kyber 1024 Round 2 KVS */
PKB_KVS = '02'x ||, /* Alg Id */
'00'x ||, /* clear key format */
'1024'x ||, /* Alg param */
'0000'x ||, /* clear key len */
'0000'x /* Reserved */
call CSNDPKB
/*-------------------------------------------------------------------*/
/* Generate the Kyber key pair using the skeleton token from PKB */
/*-------------------------------------------------------------------*/
PKG_Rule_Array = 'MASTER '
PKG_Skeleton_Key = PKB_Token;
PKG_Skeleton_Key_length = PKB_Token_length;
call CSNDPKG
Exit
/*------------------------------------------------------------------*/
/* PKA Key Token Build - used to create PKA key tokens. */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/*------------------------------------------------------------------*/
CSNDPKB:
/* initialize parameter list */
PKB_Rc = 'FFFFFFFF'x ;
PKB_Rs = 'FFFFFFFF'x ;
Exit_Length = '00000000'x ;
Exit_Data = '' ;
PKB_KVS_Length = d2c(length(PKB_KVS),4) ;
PKB_UAD_Length = '00000000'x ;
PKB_UAD = ''
PKB_PrivName_Len = '00000000'x ;
PKB_PrivName = ''
Reserved2_Length = '00000000'x ; Reserved2 = '' ;
Reserved3_Length = '00000000'x ; Reserved3 = '' ;
Reserved4_Length = '00000000'x ; Reserved4 = '' ;
Reserved5_Length = '00000000'x ; Reserved5 = '' ;
PKB_Token_Length = d2c(8000,4) ;
PKB_Token = copies('00'x,8000) ;
/* call CSNDPKB */
address linkpgm 'CSNDPKB' ,
'PKB_Rc' 'PKB_Rs' ,
'Exit_Length' 'Exit_Data' ,
'PKB_Rule_Count' 'PKB_Rule_Array' ,
'PKB_KVS_Length' 'PKB_KVS' ,
'PKB_PrivName_Len' 'PKB_PrivName' ,
'PKB_UAD_Length' 'PKB_UAD' ,
'Reserved2_Length' 'Reserved2' ,
'Reserved3_Length' 'Reserved3' ,
'Reserved4_Length' 'Reserved4' ,
'Reserved5_Length' 'Reserved5' ,
'PKB_Token_Length' 'PKB_Token' ;
if (PKB_Rc = ExpRc | PKB_Rs = ExpRs) then
say 'PKB failed: rc =' c2x(PKB_Rc) 'rs =' c2x(PKB_Rs) ;
else
do ;
say 'PKB sucessful: rc =' c2x(PKB_Rc) 'rs =' c2x(PKB_Rs) ;
PKB_Token = substr(PKB_Token,1,c2d(PKB_Token_Length)) ;
end
return
/* --------------------------------------------------------------- */
/* PKA Key Generate - Used to generate PKA key pairs */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSNDPKG:
PKG_rc = 'FFFFFFFF'x ;
PKG_rs = 'FFFFFFFF'x ;
PKG_Exit_length = '00000000'x ;
PKG_Exit_Data = '' ;
PKG_Rule_count = d2c( length(PKG_Rule_Array)/8,4 )
PKG_Token_length = '00001F40'x ;
PKG_Token = copies('00'x,c2d(PKG_token_length)) ;
PKG_Regen_data = ''
PKG_Regen_Data_length = d2c( length(PKG_Regen_data),4 )
PKG_Transport_Key_Id = ''
address linkpgm 'CSNDPKG' ,
'PKG_rc' 'PKG_rs' ,
'PKG_Exit_length' 'PKG_Exit_Data' ,
'PKG_Rule_Count' 'PKG_Rule_Array' ,
'PKG_Regen_Data_length' 'PKG_Regen_Data' ,
'PKG_Skeleton_Key_length' 'PKG_Skeleton_Key' ,
'PKG_Transport_Key_Id' ,
'PKG_Token_length' 'PKG_Token' ;
if (PKG_rc = ExpRc | PKG_rs = ExpRs) then
say 'PKG failed: rc =' c2x(PKG_rc) 'rs =' c2x(PKG_rs)
else
Do;
say 'PKG successful : rc =' c2x(PKG_rc) 'rs =' c2x(PKG_rs) ;
PKG_Token = substr(PKG_Token,1,c2d(PKG_Token_length)) ;
End;
Return
B.6 PKCS #11 CRYSTALS-Kyber key pair generation REXX sample
A PKCS #11 CRYSTALS-Kyber key pair generation REXX sample is shown in Example B-6.
Example B-6 PKCS #11 CRYSTALS-Kyber key pair generation REXX sample
/* Rexx */
Call TCSetup
/*-------------------------------------------------------------------*/
/* Generate a secure PKCS #11 Kyber key pair */
/*-------------------------------------------------------------------*/
/* expected results */
ExpRC = '00000000'x ;
ExpRS = '00000000'x ;
Call TCSETUP
GKP_Handle = Left('QSAFE.TEST.TOKEN',44)
GKP_PrivKey_Attr_List = '0007'x||,
CKA_CLASS ||'0004'x|| CKO_PRIVATE_KEY ||,
CKA_KEY_TYPE ||'0004'x|| CKK_IBM_KYBER ||,
CKA_TOKEN ||'0001'x|| CK_TRUE ||,
CKA_DERIVE ||'0001'x|| CK_TRUE ||,
CKA_DECRYPT ||'0001'x|| CK_TRUE ||,
CKA_UNWRAP ||'0001'x|| CK_TRUE ||,
CKA_IBM_SECURE ||'0001'x|| CK_TRUE
GKP_PubKey_Attr_List = '0007'x||,
CKA_CLASS ||'0004'x|| CKO_PUBLIC_KEY ||,
CKA_KEY_TYPE ||'0004'x|| CKK_IBM_KYBER ||,
CKA_IBM_KYBER_MODE ||'000D'x|| DER_OID_KYBER_1024_R2 ||,
CKA_TOKEN ||'0001'x|| CK_TRUE ||,
CKA_WRAP ||'0001'x|| CK_TRUE ||,
CKA_DERIVE ||'0001'x|| CK_TRUE ||,
CKA_ENCRYPT ||'0001'x|| CK_TRUE
Call CSFPGKP;
Exit
/* --------------------------------------------------------------- */
/* PKCS #11 Generate Key Pair */
/* Use the PKCS #11 Generate Key Pair callable service to generate */
/* an RSA, DSA, Elliptic Curve, Diffie-Hellman, Dilithium (LI2) or */
/* Kyber key pair. */
/* */
/* See the ICSF Application Programmer's Guide for more details. */
/* --------------------------------------------------------------- */
CSFPGKP:
GKP_RC = 'FFFFFFFF'x
GKP_RS = 'FFFFFFFF'x
GKP_Exit_Length = '00000000'x
GKP_Exit_Data = ''
GKP_Rule_Count = '00000000'x
GKP_Rule_Array = ''
GKP_PubKey_Handle = copies(' ',44)
GKP_PrivKey_Handle = copies(' ',44)
GKP_PubKey_Attr_List_Length = D2C(Length(GKP_PubKey_Attr_List),4)
GKP_PrivKey_Attr_List_Length = D2C(Length(GKP_PrivKey_Attr_List),4)
address linkpgm 'CSFPGKP',
'GKP_RC' 'GKP_RS',
'GKP_Exit_Length' 'GKP_Exit_Data',
'GKP_Handle',
'GKP_Rule_Count' 'GKP_Rule_Array',
'GKP_PubKey_Attr_List_Length',
'GKP_PubKey_Attr_List',
'GKP_PubKey_Handle',
'GKP_PrivKey_Attr_List_Length',
'GKP_PrivKey_Attr_List',
'GKP_PrivKey_Handle'
if (GKP_RC = ExpRC | GKP_RS = ExpRS) Then
say 'GKP failed: rc =' c2x(GKP_rc) 'rs =' c2x(GKP_rs) ;
else
say 'GKP successful : rc =' c2x(GKP_rc) 'rs =' c2x(GKP_rs) ;
return;
/* --------------------------------------------------------------- */
/* */
/* --------------------------------------------------------------- */
TCSetup:
DER_OID_KYBER_1024_R2 = '060B2B0601040102820B050404'X;
CKK_IBM_KYBER = '80010024'X;
CKO_PUBLIC_KEY = '00000002'X
CKO_PRIVATE_KEY = '00000003'X
CKA_IBM_SECURE = '80000006'X
CKA_KEY_TYPE = '00000100'X
CKA_CLASS = '00000000'X
CKA_TOKEN = '00000001'X
CKA_IBM_KYBER_MODE = '8000000E'X;
CKA_ENCRYPT = '00000104'X;
CKA_DECRYPT = '00000105'X;
CKA_WRAP = '00000106'X;
CKA_UNWRAP = '00000107'X;
CKA_DERIVE = '0000010C'X;
CK_TRUE = '01'x
CK_FALSE = '00'x
Return
EXIT;
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.