z/OS Security Server RACF Callable Services


Usage notes for program signing

SA23-2293-00

  1. This service tracks the resources used for signing with a task-related name/token pair. The 16-byte token name has the following format:
    IRRPSIGNprogram-name
    Where program-name is the 8-byte program name parameter supplied by the caller. Consequently, for any given series of SIGINIT, SIGUPDAT, SIGFINAL, and SIGCLEAN calls used to sign a single program object, the program name value must be the same on every call.
  2. Calls to this service using different program name values are considered independent operations.
  3. For a given program name, SIGINIT must be called before calling any of SIGUPDAT, SIGFINAL, or SIGCLEAN.
  4. For a given program name, SIGINIT cannot be called a second time without terminating the first SIGINIT with a call to SIGFINAL or SIGCLEAN.
  5. For a given program name, it is the caller's responsibility to call the SIGCLEAN function if signature generation is not completed by calling SIGFINAL. All R_PgmSignVer functions perform this cleanup themselves when they return an error to the caller, so no SIGCLEAN is needed after a failed call. The caller must still call SIGCLEAN if it abandons signing for a reason of its own (for example, because it is terminating).
  6. The signature area allocated and returned to the caller in the PGSN_SF_SIG_AREA@ parameter by SIGFINAL has the following format:
    Table 1. PGSN_SF_SIG_AREA@ signature area format
    Offset  Length  Description
    0       4       Eyecatcher, "PSSD".
    4       4       Length of the entire area, in bytes, including the eyecatcher.
    8       1       Subpool used to obtain the area storage.
    9       3       Reserved.
    12      4       Length of the z/OS® signature information area (the ZOSSignatureInfo structure that follows).
    16      *       ZOSSignatureInfo structure to be included in the signed program object. See the next usage note for the format.
  7. The ZOSSignatureInfo structure returned in the signature area is the signature data that is to be placed in the signed program object. It is DER encoded according to the following ASN.1 definition:
    ZOSSignatureInfo ::= SEQUENCE {
       signDetails     SignatureDetails,
       certs           SET OF Certificate, -- In reverse hierarchy order, EE to root
       signature       BIT STRING          -- PKCS #1 format: RSA private-key operation on the DigestInfo
    }

    SignatureDetails ::= SEQUENCE {         -- DER encoding is included in the data signed
       version         INTEGER(0),
       signatureAlg    AlgorithmIdentifier, -- From PKCS #1
       signatureTime   OCTET STRING(12)     -- TIME DEC,ZONE=UTC,DATETYPE=YYYYMMDD
                                            -- format (EBCDIC)
    }
  8. The only supported algorithm for the signatureAlg field is sha256WithRSAEncryption with NULL parameters.
  9. It is the caller’s responsibility to free the signature area when it is no longer needed.
  10. The only supported message digest algorithm is SHA256.
  11. The only supported certificate key type is RSA. The maximum RSA key size is 4096 bits.
  12. The supported certificate signature algorithms are:
    • sha256WithRSAEncryption
    • sha1WithRSAEncryption
    SHA-1 is no longer considered collision resistant, so new code-signing certificates and their issuing CA certificates should be signed with sha256WithRSAEncryption; sha1WithRSAEncryption is accepted so that existing certificate chains continue to validate.
  13. All numeric parameters are treated as unsigned.
  14. All length parameters must be non-zero unless otherwise indicated.
  15. On SIGINIT, if the key ring to use is not specified, the security manager selects the key ring based on security settings. See the z/OS Security Server RACF Security Administrator's Guide for information on these security settings and on how to populate the key ring. There can be no more than 10 certificates within the trust chain, starting with the code signer and ending with the self-signed certificate authority certificate.
  16. If no program data is ever passed in by the caller, a digital signature is generated solely for the SignatureDetails structure documented above.
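The following Python program is an added example written for this page; it is not IBM's code and does not call R_PgmSignVer. It shows, end to end, what usage notes 1 to 7 and 16 describe: a small state machine that enforces the per-program-name SIGINIT/SIGUPDAT/SIGFINAL/SIGCLEAN sequencing, a builder and parser for the PSSD signature area of Table 1, the DER encoding of SignatureDetails and ZOSSignatureInfo, and a verifier that recomputes the SHA-256 digest and checks the PKCS #1 v1.5 signature. Everything outside the page is an assumption of the example: the digest is taken over the SignatureDetails DER followed by the program data (the page says only that the DER is "included in the data signed"), the subpool number 229, the 12-byte time value and the empty certificate SET are constructed placeholders, and a toy in-process RSA key stands in for the key-ring certificate that RACF would use.

```python
import hashlib, math, random, struct

_rng = random.SystemRandom()
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
OID_SHA256 = bytes.fromhex("608648016503040201")            # 2.16.840.1.101.3.4.2.1
SUBPOOL = 229   # hypothetical subpool number, chosen for this example only

def der(tag, body):
    """Encode one DER TLV (definite length, bodies up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + struct.pack(">H", n))
    return bytes([tag]) + length + body

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first & 0x80:                       # long-form length
        n = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + n], pos + n

def signature_details(time12):
    """DER SignatureDetails: version 0, sha256WithRSAEncryption with NULL
    parameters, 12-byte EBCDIC UTC time (note 7)."""
    assert len(time12) == 12
    alg = der(0x30, der(0x06, OID_SHA256_WITH_RSA) + der(0x05, b""))
    return der(0x30, der(0x02, b"\x00") + alg + der(0x04, time12))

def emsa_pkcs1_v15(digest, k):
    """EMSA-PKCS1-v1_5 (RFC 8017) around a SHA-256 DigestInfo, k bytes long."""
    info = der(0x30, der(0x30, der(0x06, OID_SHA256) + der(0x05, b"")) + der(0x04, digest))
    assert k >= len(info) + 11, "modulus too small for a SHA-256 DigestInfo"
    return b"\x00\x01" + b"\xff" * (k - len(info) - 3) + b"\x00" + info

def build_sig_area(details, certs, sig):
    """Lay out PGSN_SF_SIG_AREA@ as in Table 1; the BIT STRING has 0 unused bits."""
    info = der(0x30, details + certs + der(0x03, b"\x00" + sig))
    return (b"PSSD" + struct.pack(">I", 16 + len(info)) + bytes([SUBPOOL, 0, 0, 0])
            + struct.pack(">I", len(info)) + info)

def parse_sig_area(area):
    """Check the area header and split ZOSSignatureInfo into its three fields."""
    if area[:4] != b"PSSD":
        raise ValueError("bad eyecatcher")
    total, subpool, info_len = struct.unpack(">IB3xI", area[4:16])
    if total != len(area) or info_len != total - 16:
        raise ValueError("length fields inconsistent with the buffer")
    tag, body, _ = der_read(area[16:16 + info_len])
    t1, _, p1 = der_read(body)              # signDetails: keep its raw DER, it is signed
    t2, certs, p2 = der_read(body, p1)      # certs: SET OF Certificate, EE first
    t3, bits, p3 = der_read(body, p2)       # signature: BIT STRING
    if (tag, t1, t2, t3) != (0x30, 0x30, 0x31, 0x03) or bits[:1] != b"\x00" or p3 != len(body):
        raise ValueError("unexpected ZOSSignatureInfo layout")
    return subpool, body[:p1], certs, bits[1:]

class ProgramSigner:
    """Emulates the per-program-name sequencing rules of notes 1-5; the class
    dict stands in for the task-level IRRPSIGN<program-name> name/token pair."""
    _active = {}

    @classmethod
    def siginit(cls, name, time12):
        if name in cls._active:             # note 4: no second SIGINIT without FINAL/CLEAN
            raise RuntimeError("SIGINIT already active for " + name)
        details = signature_details(time12)
        cls._active[name] = (details, hashlib.sha256(details))   # details hashed first (assumption)

    @classmethod
    def sigupdat(cls, name, chunk):
        cls._active[name][1].update(chunk)  # note 3: KeyError if SIGINIT was skipped

    @classmethod
    def sigfinal(cls, name, n, d):
        details, h = cls._active.pop(name)
        k = (n.bit_length() + 7) // 8
        sig = pow(int.from_bytes(emsa_pkcs1_v15(h.digest(), k), "big"), d, n).to_bytes(k, "big")
        return build_sig_area(details, der(0x31, b""), sig)   # empty SET: placeholder for the chain

    @classmethod
    def sigclean(cls, name):
        cls._active.pop(name, None)

def verify_program(area, program_data, n, e):
    """Recompute SHA-256 over signDetails || program data and check the PKCS #1
    v1.5 signature against the signer's public key (n, e)."""
    _, details, _, sig = parse_sig_area(area)
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(hashlib.sha256(details + program_data).digest(), k)

def _probable_prime(n, rounds=24):
    """Miller-Rabin, enough for a toy key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23)):
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keypair(bits=1024, e=65537):
    """Toy in-process RSA key; a real signer's key comes from the RACF key ring."""
    while True:
        p, q = (_rng.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1 for _ in range(2))
        if p != q and _probable_prime(p) and _probable_prime(q) and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign_program(name, program_data, n, d, time_utc="201407011200"):
    """Full call sequence for one program name; time_utc is a constructed value."""
    ProgramSigner.siginit(name, time_utc.encode("cp037"))   # EBCDIC, as note 7 requires
    try:
        for off in range(0, len(program_data), 4096):        # repeated SIGUPDAT calls
            ProgramSigner.sigupdat(name, program_data[off:off + 4096])
        return ProgramSigner.sigfinal(name, n, d)
    except Exception:
        ProgramSigner.sigclean(name)                          # note 5: caller cleans up
        raise
```

With no program data at all, sign_program hashes only the SignatureDetails DER, which is the behaviour note 16 describes, and verify_program still succeeds for an empty buffer. Because the raw signDetails bytes are taken from the parsed area rather than re-encoded, any change to the version, algorithm or time fields after signing also invalidates the signature.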





Copyright IBM Corporation 1990, 2014