Calculate Signature (QC3CALSG, Qc3CalculateSignature) API

Required Parameter Group:

1	Input data	Input	Char(*)
2	Length of input data	Input	Binary(4)
3	Input data format name	Input	Char(8)
4	Algorithm description	Input	Char(*)
5	Algorithm description format name	Input	Char(8)
6	Key description	Input	Char(*)
7	Key description format name	Input	Char(8)
8	Cryptographic service provider	Input	Char(1)
9	Cryptographic device name	Input	Char(10)
10	Signature	Output	Char(*)
11	Length of area provided for signature	Input	Binary(4)
12	Length of signature returned	Output	Binary(4)
13	Error code	I/O	Char(*)

  Service Program Name: QC3SIGCL

  Default Public Authority: *USE

  Threadsafe: Yes

The Calculate Signature (OPM, QC3CALSG; ILE, Qc3CalculateSignature) API produces a digital signature by hashing the input data and encrypting the hash value using a public key algorithm (PKA). To verify the signature, use the Verify Signature (OPM, QC3VFYSG; ILE, Qc3VerifySig) API.

Information on cryptographic standards can be found in Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext) API.

Authorities and Locks

Required device description authority: *USE
Required file authority: *OBJOPR, *READ

Required Parameter Group

Input data

INPUT; CHAR(*)

The data to sign.
The format of the input data is specified in the input data format name parameter

Length of input data

INPUT; BINARY(4)

For input data format DATA0100, this is the length of the data to sign.
For input data format DATA0200, this is the number of entries in the array.

Input data format name

INPUT; CHAR(8)

The format of the input data parameter.
The possible format names follow.

DATA0100: The input data parameter contains the data to sign.
DATA0200: The input data parameter contains an array of pointers and lengths to the data to sign.
See Input Data Formats for a description of this format.

Algorithm description

INPUT; CHAR(*)

The algorithm and associated parameters for signing the data.
The format of the algorithm description is specified in the algorithm description format name parameter.

Algorithm description format name

INPUT; CHAR(8)

The format of the algorithm description.
The possible format names follow.

ALGD0100: The token for an algorithm context. This format must be used when performing the sign operation over multiple calls. After the last call (when the final operation flag is on), the context will reset to its initial state and can be used in another API.
ALGD0400: Parameters for a sign operation.

See Algorithm Description Formats for a description of these formats.

Key description

INPUT; CHAR(*)

The key and associated parameters for signing the data.
The format of the key description is specified in the key description format name parameter.
If the sign operation extends over multiple calls (see ALGD0100 description above), only the key description from the first call will be used. Therefore, on subsequent calls, you may set the pointer to this parameter to NULL.

Key description format name

INPUT; CHAR(8)

The format of the key description.
If the pointer to the key description parameter is NULL, this parameter will be ignored.
The possible format names follow.

KEYD0100: The token for a key context. This format identifies a key context. A key context is used to store a key value so it need not be recreated or retrieved every time it is used. To create a key context, use the Create Key Context (OPM, QC3CRTKX; ILE, Qc3CreateKeyContext) API.
KEYD0200: Key parameters.
KEYD0400: Keystore label. This format identifies a key from keystore. For more information about cryptographic services keystore, see Cryptographic Services Keystore.
KEYD0900: Application identifier. This format uses the private PKA key identified by an application identifier. The application identifier must be assigned to a valid certificate label in object signing certificate keystore (*OBJECTSIGNING).

See Key Description Formats for a description of these formats.

Cryptographic service provider

INPUT; CHAR(1)

The cryptographic service provider (CSP) that will perform the sign operation.

0	Any CSP. The system will choose an appropriate CSP to perform the sign operation.
1	Software CSP. The system will perform the sign operation using software. If the requested algorithm is not available in software, an error is returned.
2	Hardware CSP. The system will perform the sign operation using cryptographic hardware. If the requested algorithm is not available in hardware, an error is returned. A specific cryptographic device can be specified using the cryptographic device name parameter. If the cryptographic device is not specified, the system will choose an appropriate one.

Cryptographic device name

INPUT; CHAR(10)

The name of a cryptographic device description.
This parameter is valid when the cryptographic service provider parameter specifies 2 (hardware CSP). Otherwise, this parameter must be blanks or the pointer to this parameter set to NULL.

Signature

OUTPUT; CHAR(*)

The area to store the signature.

Length of area provided for signature

INPUT; BINARY(4)

The length of the signature parameter in bytes. The length of the signature will equal the key size. (See Generate PKA Key Pair (OPM, QC3GENPK; ILE, Qc3GenPKAKeyPair) API.) Because key size is normally specified in bits, divide that value by 8 and round up to obtain the length of area needed for the signature.

Length of signature returned

OUTPUT; BINARY(4)

The length of the signature returned in the signature parameter.
If the length of area provided for the signature is too small, an error will be generated and no data will be returned in the signature parameter.

Error code

I/O; CHAR(*)

The structure in which to return error information.
For the format of the structure, see Error code parameter.

Input Data Formats

For detailed descriptions of the table fields, see Input Data Formats Field Descriptions.

DATA0200 Format

Offset		Type	Field
Dec	Hex	Type	Field
These fields repeat.		PTR(SPP)	Input data pointer
		BINARY(4)	Input data length
		CHAR(12)	Reserved

Input Data Formats Field Descriptions

Input data length: The length of data to sign.

Input data pointer: A space pointer to the data to sign.

Reserved: Must be null (binary 0s).

Algorithm Description Formats

For detailed descriptions of the table fields, see Algorithm Description Formats Field Descriptions.

ALGD0100 Format

Offset		Type	Field
Dec	Hex	Type	Field
0	0	CHAR(8)	Algorithm context token
8	8	CHAR(1)	Final operation flag

ALGD0400 Format

Offset		Type	Field
Dec	Hex	Type	Field
0	0	BINARY(4)	Public key cipher algorithm
4	4	CHAR(1)	PKA block format
5	5	CHAR(3)	Reserved
8	8	BINARY(4)	Signing hash algorithm

Algorithm Description Formats Field Descriptions

Algorithm context token

A token for an algorithm context. The algorithm context is created by using the Create Algorithm Context (OPM, QC3CRTAX; ILE, Qc3CreateAlgorithmContext) API.

Final operation flag

The final processing indicator.

Continue.
The system will not perform final processing and the algorithm context will maintain the state of the operation. The algorithm context can be used on future calls to this API to continue the sign operation. The signature will not be returned until the final operation flag is set on. The pointer to the signature parameter may be set to NULL because the signature will not be returned until the final operation flag is set on.

Final.
The system will perform final processing. The signature will be returned and the algorithm context will reset to its initial state. The algorithm context can then be used to begin a new cryptographic operation. When performing a final operation, the pointer to the input data parameter may be set to NULL.

PKA block format

The public key algorithm block format. Following are the valid values.

0	PKCS #1 block type 00
1	PKCS #1 block type 01
3	ISO 9796-1 Because of security weaknesses, this format should be used for compatibility purposes only.
5	ANSI X9.31 This format is only valid with signing hash algorithm 2 (SHA-1).

Public key cipher algorithm

The encryption algorithm. Following are the valid public key cipher algorithms.

RSA

Reserved

Must be null (binary 0s).

Signing hash algorithm

The hash algorithm. Following are the valid values for the signing hash algorithm.

1	MD5
2	SHA-1

Key Description Formats

For detailed descriptions of the table fields, see Key Description Formats Field Descriptions.

KEYD0100 Format

Offset		Type	Field
Dec	Hex	Type	Field
0	0	CHAR(8)	Key context token

KEYD0200 Format

Offset		Type	Field
Dec	Hex	Type	Field
0	0	BINARY(4)	Key type
4	4	BINARY(4)	Key string length
8	8	CHAR(1)	Key format
9	9	CHAR(3)	Reserved
12	C	CHAR(*)	Key string

KEYD0400 Format

Offset		Type	Field
Dec	Hex	Type	Field
0	0	CHAR(20)	Qualified keystore file name
20	14	CHAR(32)	Record label
52	34	CHAR(4)	Reserved

KEYD0900 Format

Offset		Type	Field
Dec	Hex	Type	Field
0	0	BINARY(4)	Application identifier length
4	4	CHAR(4)	Reserved
8	8	CHAR(*)	Application identifier

Key Description Formats Field Descriptions

Application identifer

The application ID assigned to a certificate with a private key in object signing certificate keystore (*OBJECTSIGNING).

Application identifier length

The length of the application ID. The length can not be greater than 32.

File name

The name of a keystore file. Keystore files are created by using the Create Keystore (OPM, QC3CRTKS; ILE, Qc3CreateKeyStore) API.

Key context token

A token for a key context. The key context is created by using the Create Key Context (OPM, QC3CRTKX; ILE, Qc3CreateKeyContext) API.

Key format

The format of the key string field. Following are the valid values.

1	BER string The key is specified in BER encoded PKCS #8 format. For specifications of this format, refer to RSA Security Inc. Public-Key Cryptography Standards. To generate a PKA key pair in this format, use the Generate PKA Key Pair (OPM, QC3GENPK; ILE, Qc3GenPKAKeyPair) API.

Key string

The key to use in the sign operation.

Key string length

Length of the key string specified in the key string field.

Key type

The type of key. Following are the valid values.

51	RSA private

Qualified keystore file name

The keystore file where the key is stored. Keystore files are created by using the Create Keystore (OPM, QC3CRTKS; ILE, Qc3CreateKeyStore) API. The first 10 characters contain the file name. The second 10 characters contain the name of the library where the keystore file is located. You can use the following special values for the library name.

*CURLIB	The job's current library is used to locate the keystore file. If no library is specified as the current library for the job, the QGPL library is used.
*LIBL	The job's library list is searched for the first occurence of the specified file name.

Record label

The label of a key record in a keystore file. The label will be converted from the job CCSID, or if 65535, the job default CCSID (DFTCCSID) job attribute to CCSID 1200 (Unicode UTF-16). Key records are created by using the Write Key Record (OPM, QC3WRTKR; ILE, Qc3WriteKeyRecord) API or the Generate Key Record (OPM, QC3GENKR; ILE, Qc3GenKeyRecord) API.

Reserved

Must be null (binary 0s).

Error Messages

Message ID	Error Message Text
CPF24B4 E	Severe error while addressing parameter list.
CPF3C1E E	Required parameter &1 omitted.
CPF3CF1 E	Error code parameter not valid.
CPF9872 E	Program or service program &1 in library &2 ended. Reason code &3.
CPF9D94 E	A pending value exists for a master key.
CPF9D99 E	Error openning certificate store.
CPF9D9C E	Function is disallowed with specified key context.
CPF9D9F E	Not authorized to keystore file.
CPF9DA0 E	Error occured opening keystore file.
CPF9DA1 E	Key record not found.
CPF9DA2 E	Option 34 is not installed.
CPF9DA3 E	Not authorized to use APPIDs.
CPF9DA4 E	RSA key identifier was not found in system certificate store.
CPF9DA5 E	Keystore file not found.
CPF9DA6 E	The keystore file is not available.
CPF9DA7 E	File is corrupt or not a valid keystore file.
CPF9DA8 D	The application identifier length is not valid.
CPF9DAA D	A key requires translation.
CPF9DAB E	A key can not be decrypted.
CPF9DB3 E	Qualified keystore file name not valid.
CPF9DB6 E	Record label not valid.
CPF9DB8 E	Error occured retrieving key record from keystore.
CPF9DC2 E	Key-encrypting algorithm context not compatible with key-encrypting key context.
CPF9DC3 E	Unable to decrypt data or key.
CPF9DC6 E	Algorithm not valid for encrypting or decrypting a key.
CPF9DC7 E	The output data parameter specifies a NULL pointer.
CPF9DC8 E	The input data parameter specifies a NULL pointer.
CPF9DC9 E	The total length of data in the input data array is not valid.
CPF9DCC E	The length of area provided for signature is not valid.
CPF9DCE E	A data length is not valid.
CPF9DCF E	A data pointer is null.
CPF9DD0 E	Clear data format name not valid.
CPF9DD2 E	Algorithm description format name not valid.
CPF9DD3 E	Key description format name not valid.
CPF9DD5 E	Length of input data not valid.
CPF9DD6 E	Length of area provided for output data is too small.
CPF9DD7 E	The key-encrypting key context for the specified key is not valid or was previously destroyed.
CPF9DD8 E	The key-encrypting algorithm context for the specified key is not valid or was previously destroyed.
CPF9DDA E	Unexpected return code &1.
CPF9DDB E	The key string or Diffie-Hellman parameter string is not valid.
CPF9DDD E	The key string length is not valid.
CPF9DE0 E	Hash algorithm not valid.
CPF9DE3 E	Mode not valid.
CPF9DE5 E	PKA (public key algorithm) block format not valid.
CPF9DE6 E	Public key algorithm not valid.
CPF9DE7 E	Key type not valid.
CPF9DE9 E	Key format not valid.
CPF9DEC E	Cryptographic service provider not valid.
CPF9DED E	Final operation flag not valid.
CPF9DEE E	Reserved field not null.
CPF9DF0 E	Operation, algorithm, or mode not available on the requested CSP (cryptographic service provider).
CPF9DF1 E	The algorithm context token does not reference a valid algorithm context.
CPF9DF2 E	The algorithm context is not found or was previously destroyed.
CPF9DF3 E	Algorithm in algorithm context not valid for requested operation.
CPF9DF4 E	The key context token does not reference a valid key context.
CPF9DF5 E	The key context is not found or was previously destroyed.
CPF9DF7 E	Algorithm context not compatible with key context.
CPF9DF8 E	Cryptographic device name not valid.
CPF9DF9 E	Cryptographic device not found.
CPF9DFB E	Cryptographic service provider conflicts with the key context CSP.
CPF9DFD E	Not authorized to device.
CPF9DFE E	Cryptographic device not available.

API introduced: V5R3

[ Back to top | Cryptographic Services APIs | APIs by category ]