z/OS IBM Tivoli Directory Server Plug-in Reference for z/OS


Object management ASN.1 syntaxes

SA76-0169-00

ICSF provides a series of callable services that allow users to create or delete PKCS #11 tokens or objects, retrieve information about PKCS #11 tokens or objects, and save or retrieve attribute values of a PKCS #11 object. The RemoteCryptoPKCS#11 extended operation makes the CSFPTRC, CSFPTRD, CSFPTRL, CSFPGAV, and CSFPSAV ICSF callable services available for remote invocation.

Get attribute value (CSFPGAV) ASN.1 syntaxes

GAVInput ::= attrListLen
attrListLen ::= INTEGER (0 .. MaxCSFPInteger)

Where,

attrListLen: An integer that specifies the length of the buffer (in bytes) allocated to hold the attributes that are returned from ICSF in the CSFPGAV callable service.

GAVOutput ::= SEQUENCE {
   attrListLen         INTEGER (0 .. MaxCSFPInteger),
   attrList            Attributes
}

Where,

attrListLen: An integer that specifies the length (in bytes) of the attrList returned from ICSF in the CSFPGAV callable service. If the attrListLen specified on input is sufficient to hold all attributes, this is the same as attrListLen on input; otherwise, this is the minimum length needed.

attrList: A list of object attributes that are returned from ICSF in the CSFPGAV callable service.

Set attribute value (CSFPSAV) ASN.1 syntaxes

SAVInput ::= attrList
attrList ::= Attributes

Where,

attrList: A list of attributes to be updated in the object in the CSFPSAV callable service.

SAVOutput ::= NULL

Token record create (CSFPTRC) ASN.1 syntaxes

TRCInput ::= SEQUENCE {
   trcAttrs CHOICE {
       tokenAttrString     [0]   OCTET STRING,
       objectAttrList      [1]   Attributes
   }
}

Where,

trcAttrs: The token attributes string for the token that is being created or re-created, or the list of object attributes for the object that is being created.

tokenAttrString: When creating or re-creating a token ("TOKEN␢␢␢" specified in rule_array), this is a 68-byte string of the token attributes for the token that is being created or re-created.

objectAttrList: When creating or copying an object ("OBJECT␢␢" specified in rule_array), this is a list of object attributes for the object that is being created or copied. Note that for object copy ("COPY␢␢␢␢" specified in rule_array), this attribute list contains no attributes.

Note: ␢ represents a blank character.

TRCOutput ::= NULL

Token record delete (CSFPTRD) ASN.1 syntaxes

TRDInput ::= NULL
TRDOutput ::= NULL

Token record list (CSFPTRL) ASN.1 syntaxes

TRLInput ::= SEQUENCE {
   inListLen                   INTEGER (0 .. MaxCSFPInteger),
   maxHandleCount              INTEGER (0 .. MaxCSFPInteger),
   searchTemplate          [0] Attributes OPTIONAL
}

Where,

inListLen: An integer that specifies the length, in bytes, of the buffer that is to hold the contents of the output list that is returned from ICSF in the CSFPTRL callable service.

maxHandleCount: An integer that specifies the maximum number of tokens or object handles that are to be returned in the output list from ICSF in the CSFPTRL callable service.

searchTemplate: A list of criteria (attribute values) that an object must meet to be added to the output list returned from ICSF in the CSFPTRL callable service. For requesting tokens ("TOKEN␢␢␢" specified in rule_array), do not complete this field; for requesting session objects ("OBJECT␢␢" specified in rule_array), this field is optional.

Note: ␢ represents a blank character.

TRLOutput ::= SEQUENCE {
   outListLen             INTEGER (0 .. MaxCSFPInteger),
   outList                CHOICE {
      tokenList      [0]  OCTET STRING,
      handleList     [1]  OCTET STRING
   }
}

Where,

outListLen: Number of bytes used for the outList parameter. If the inListLen specified on input is insufficient to hold one record, it is set to the minimum length needed for one record.

tokenList: A string containing the list of z/OS® PKCS #11 tokens that the user has SAF authorization to. Each token record is 116 bytes long.

handleList: A string containing a list of token handles or a list of session object handles for a specific token that the user has SAF authorization to. Only the objects that meet the search criteria are returned. Each object handle is 44 bytes long.
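
The following added example (not part of the IBM reference) decodes a TRLOutput value, cross-checks outListLen against the received outList, and splits the list into the fixed-size records described above. It assumes BER definite-length encoding and accepts either implicit (0x80/0x81) or explicit (0xA0/0xA1) context tags because the page does not state the tagging mode; treating an empty outList with a non-zero outListLen as the buffer-too-small case is also an assumption, and all function names are illustrative.

```python
TOKEN_RECORD_LEN = 116  # bytes per token record (from the page)
HANDLE_LEN = 44         # bytes per object handle (from the page)
# Assumption: [0]/[1] arrive as 0x80/0x81 (implicit) or 0xA0/0xA1 (explicit).
KINDS = {0x80: ("token", TOKEN_RECORD_LEN), 0x81: ("handle", HANDLE_LEN)}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_trl_output(data):
    """Decode TRLOutput; return (kind, records, needed_len)."""
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    tag, raw, pos = read_tlv(body, 0)
    if tag != 0x02 or not raw or raw[0] & 0x80:
        raise ValueError("outListLen must be a non-negative INTEGER")
    out_list_len = int.from_bytes(raw, "big")
    tag, out_list, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing data after outList")
    if tag in (0xA0, 0xA1):                # explicit tag: unwrap the OCTET STRING
        inner, value, inner_end = read_tlv(out_list, 0)
        if inner != 0x04 or inner_end != len(out_list):
            raise ValueError("malformed explicit wrapper")
        tag, out_list = tag - 0x20, value
    if tag not in KINDS:
        raise ValueError("unknown outList alternative")
    kind, size = KINDS[tag]
    if not out_list and out_list_len:      # assumed signal: buffer too small,
        return kind, [], out_list_len      # outListLen = minimum length needed
    if out_list_len != len(out_list) or len(out_list) % size:
        raise ValueError("outListLen disagrees with outList or record size")
    return kind, [out_list[i:i + size] for i in range(0, len(out_list), size)], 0

# Constructed sample: two 44-byte handles under an implicit [1] tag.
SAMPLE = bytes.fromhex("305d0201588158") + b"H" * 88
```

Rejecting a response whose outListLen disagrees with the bytes actually received keeps a client from indexing past the list or accepting a partial trailing record.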


Copyright IBM Corporation 1990, 2014