z/OS Cryptographic Services System SSL Programming
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


gsk_sign_data()

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

Signs a data stream.

Format

#include <gskcms.h>

gsk_status gsk_sign_data (
                          x509_algorithm_type               sign_algorithm,
                          pkcs_private_key_info *           private_key,
                          gsk_boolean                       is_digest, 
                          gsk_buffer *                      data,
                          gsk_buffer *                      signature)

Parameters

sign_algorithm
Specifies the signature algorithm.
private_key
Specifies the private key.
is_digest
Specify TRUE if the data stream digest has been computed or FALSE if the data stream digest needs to be computed.
data
Specifies either the data stream digest (is_digest is TRUE) or the data stream (is_digest is FALSE).
signature
Returns the generated signature. The caller should release the signature buffer when it is no longer needed by calling the gsk_free_buffer() routine.

Results

The return status will be zero if the signature is successfully generated. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:

[CMSERR_ALG_NOT_SUPPORTED]
The signature algorithm is not supported.
[CMSERR_BAD_DIGEST_SIZE]
The digest size is not correct.
[CMSERR_BAD_EC_PARAMS]
Elliptic Curve parameters are not valid.
[CMSERR_BAD_KEY_SIZE]
The key size is not valid.
[CMSERR_BAD_RNG_OUTPUT]
In FIPS mode, random bytes generation produced duplicate output.
[CMSERR_ECURVE_NOT_FIPS_APPROVED]
Elliptic Curve not supported in FIPS mode.
[CMSERR_ECURVE_NOT_SUPPORTED]
Elliptic Curve is not supported.
[CMSERR_ICSF_FIPS_DISABLED]
ICSF PKCS #11 services are disabled.
[CMSERR_ICSF_NOT_AVAILABLE]
ICSF services are not available.
[CMSERR_ICSF_NOT_FIPS]
ICSF PKCS #11 not operating in FIPS mode.
[CMSERR_ICSF_SERVICE_FAILURE]
ICSF callable service returned an error.
[CMSERR_INVALID_KEY_ATTRIBUTE]
Key does not have required PKCS #11 attributes to perform signing.
[CMSERR_KEY_MISMATCH]
The supplied key does not match the signature algorithm.
[CMSERR_NO_MEMORY]
Insufficient storage is available.
[CMSERR_NO_PKCS11_KEY_LABEL]
A TKDS secure key label is either invalid or missing.
[CMSERR_NO_PRIVATE_KEY]
Private key does not exist, is not accessible, or the PKCS #11 TKDS secure key is not a supported algorithm type.

Usage

The gsk_sign_data() routine will generate the signature for a data stream using the supplied private key. The private key can be an RSA key, a DSA key, or an ECDSA key. If executing in FIPS mode, the minimum key size for RSA and DSA keys is 1024 bits, and the minimum size for ECDSA keys is 160 bits. The private key can be an ASN.1-encoded value contained in the privateKey field or an ICSF key label contained in the keyToken field. In either case, the key type must be specified by the privateKeyAlgorithm field.

The application can either provide the message digest or have the gsk_sign_data() routine compute the message digest.

When the application provides the message digest, the digest length must be correct for the specified signature algorithm. Digest lengths: MD2 and MD5 are 16 bytes; SHA-1 is 20 bytes; SHA-224 is 28 bytes; SHA-256 is 32 bytes; SHA-384 is 48 bytes and SHA-512 is 64 bytes. The supplied digest will be used as-is without any further processing (specifically, for an RSA encryption key, the digest will not be encoded as an ASN.1 DigestInfo sequence before generating the signature).

The following signature algorithms are supported:
x509_alg_md2WithRsaEncryption
RSA encryption with MD2 digest - {1.2.840.113549.1.1.2}
x509_alg_md5WithRsaEncryption
RSA encryption with MD5 digest - {1.2.840.113549.1.1.4}
x509_alg_sha1WithRsaEncryption
RSA encryption with SHA-1 digest - {1.2.840.113549.1.1.5}
x509_alg_sha224WithRsaEncryption
RSA encryption with SHA-224 digest - {1.2.840.113549.1.1.14}
x509_alg_sha256WithRsaEncryption
RSA encryption with SHA-256 digest - {1.2.840.113549.1.1.11}
x509_alg_sha384WithRsaEncryption
RSA encryption with SHA-384 digest - {1.2.840.113549.1.1.12}
x509_alg_sha512WithRsaEncryption
RSA encryption with SHA-512 digest - {1.2.840.113549.1.1.13}
x509_alg_dsaWithSha1
Digital Signature Standard with SHA-1 digest - {1.2.840.10040.4.3}
x509_alg_dsaWithSha224
Digital Signature Standard with SHA-224 digest – {2.16.840.1.101.3.4.3.1}
x509_alg_dsaWithSha256
Digital Signature Standard with SHA-256 digest – {2.16.840.1.101.3.4.3.2}
x509_alg_ecdsaWithSha1
Elliptic Curve Digital Signature Algorithm with SHA-1 digest – {1.2.840.10045.4.1}
x509_alg_ecdsaWithSha224
Elliptic Curve Digital Signature Algorithm with SHA-224 digest – {1.2.840.10045.4.3.1}
x509_alg_ecdsaWithSha256
Elliptic Curve Digital Signature Algorithm with SHA-256 digest – {1.2.840.10045.4.3.2}
x509_alg_ecdsaWithSha384
Elliptic Curve Digital Signature Algorithm with SHA-384 digest – {1.2.840.10045.4.3.3}
x509_alg_ecdsaWithSha512
Elliptic Curve Digital Signature Algorithm with SHA-512 digest – {1.2.840.10045.4.3.4}
x509_alg_md5Sha1WithRsaEncryption
RSA encryption with combined MD5 and SHA-1 digests

When executing in FIPS mode, signature algorithms x509_alg_md2WithRSAEncryption and x509_alg_md5WithRsaEncryption are not supported.

Parent topic: Certificate Management Services (CMS) API reference

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014