Digital Signature Generate (CSNDDSG and CSNFDSG)

Use the Digital Signature Generate callable service to generate a digital signature using a PKA private key or for some limited functions, a secure PKCS #11 private key. Private keys must be valid for signature usage.

This service supports these hash formatting methods for the RSA algorithm:
  • ANSI X9.31
  • ISO 9796-1
  • RSA DSI PKCS #1 v1.5 and v2.1
  • Padding on the left with zeros

This service supports the ANSI X9.62 ECDSA algorithm.

This service accepts either the input message or a hash of the input message.

For CCA keys, when the private_key_identifier parameter specifies:
An RSA private key
Select the method of formatting the text by using the digital signature formatting method rule array keyword.
An ECC private key
Select the ECDSA signature algorithm rule array keyword.
For secure PKCS #11 keys, when the private_key_identifier parameter specifies:
An RSA private key
Select the PKCS-1.1 formatting method keyword.
An ECC private key
Select the ECDSA algorithm keyword.

If keyword ECDSA is specified in the rule array, the Elliptic Curve Digital Signature Algorithm is used as the digital-signature hash formatting method. Otherwise, specify the optional digital-signature hash formatting method keyword in the rule array for the method used to generate the RSA digital signature being verified.

The callable service name for AMODE(64) invocation is CSNFDSG.

Format

CALL CSNDDSG(
             return_code,
             reason_code,
             exit_data_length,
             exit_data,
             rule_array_count,
             rule_array,
             private_key_identifier_length,
             private_key_identifier,
             data_length,
             data,
             signature_field_length,
             signature_bit_length,
             signature_field)

Parameters

return_code
Direction Type
Output Integer

The return code specifies the general result of the callable service. ICSF and cryptographic coprocessor return and reason codes lists the return codes.

reason_code
Direction Type
Output Integer

The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes assigned to it that indicate specific processing problems. ICSF and cryptographic coprocessor return and reason codes lists the reason codes.

exit_data_length
Direction Type
Input/Output Integer

The length of the data that is passed to the installation exit. The data is identified in the exit_data parameter.

exit_data
Direction Type
Input/Output String

The data that is passed to the installation exit.

rule_array_count
Direction Type
Input Integer

The number of keywords you are supplying in the rule_array parameter. The value may be 0 1, 2, 3, or 4.

rule_array
Direction Type
Input String

The rule_array contains keywords that provide control information to the callable service. The keywords must be in contiguous storage with each of the keywords left-justified in its own 8-byte location and padded on the right with blanks.

Table 1. Keywords for Digital Signature Generate Control Information
Keyword Meaning
Signature algorithm (One, optional)
RSA Specifies to generate an RSA digital signature. This is the default.
ECDSA Specifies to generate an EC digital signature.
Digital Signature Formatting Method (optional, valid for RSA digital signature generation only)
ISO-9796 Specifies to format the hash according to the ISO/IEC 9796-1 standard and generate the digital signature. Any hash method is allowed. This is the default.
PKCS-1.0 Specifies to format the digital signature on the string supplied in the hash variable as defined in the RSA PKCS #1 standard for block-type 00. The PKCS #1 v2.0 standard no longer defines this signature scheme.
PKCS-1.1 Specifies to format the digital signature on the string supplied in the hash variable as defined in the RSA PKCS #1 v2.0 standard for the RSASSA-PKCS1-v1_5 signature scheme. This was formerly known as block-type 01.
PKCS-PSS Specifies to format the hash as defined in the RSA PKCS #1 v2.2 standard for the RSASSA-PSS signature scheme. Only valid for RSA-AESM and RSA-AESC key tokens.
X9.31 Specifies to format the hash according to the ANSI X9.31 standard. The modulus length of a key used must be one of 1024, 1280, 1536, 1792, 2048, or 4096 bits.
ZERO-PAD Specifies to format the hash by padding it on the left with binary zeros to the length of the RSA key modulus. Any supported hash function is allowed.
Data Input Type (One, optional)
HASH Specifies that the data parameter contains the hash that is to be signed. This is the default.
MESSAGE Specifies that the data parameter contains the message that is to be hashed and signed.
Hash Method Specification (One required when the MESSAGE keyword is specified or one required when the HASH keyword is specified and the hash formatting method is PKCS-PSS or X9.31)
MD5 Process the text supplied in the data parameter using the MD5 hash method. Not valid with PKCS-PSS or X9.31.
RPMD-160 Process the text supplied in the data parameter using the RIPEMD-160 hash method. Not valid with PKCS-PSS.
SHA-1 Process the text supplied in the data parameter using the SHA-1 hash method.
SHA-224 Process the text supplied in the data parameter using the SHA-224 hash method. Not valid with X9.31.
SHA-256 Process the text supplied in the data parameter using the SHA-256 hash method.
SHA-384 Process the text supplied in the data parameter using the SHA-384 hash method.
SHA-512 Process the text supplied in the data parameter using the SHA-512 hash method.
private_key_identifier_length
Direction Type
Input Integer

Specifies the length in bytes of the private_key_identifier parameter. If the private_key_identifier contains a label, the value must be 64. Otherwise, the value must be between the actual length of the token and 3500.

For secure PKCS #11 keys, the length must be 64.

private_key_identifier
Direction Type
Input String

The identifier of the private key to generate the signature. The key identifier is an operational secure token or the label of such a token in key storage.

For CCA, this is an RSA or EC private key or a retained RSA key. The token key usage flag must permit the generation of signatures. The format restriction field of the RSA private key token will restrict the format allowed to be used with the key.

If formatting method PKCS-PSS is specified, the RSA key token must have an AES object protection key (private key section identifiers X'30' and X'31'), which can be created with key type RSA-AESM and RSA-AESC in PKA Key Token Build (CSNDPKB and CSNFPKB).

For secure PKCS #11 keys, this is the 44-byte handle of the private key, prefixed with an EBCDIC equal sign character (‘=’ or X’7E’), and padded on the right with spaces for a total length of 64 bytes.

data_length
Direction Type
Input Integer

The length of the data parameter in bytes. See Usage Notes for details of the formatting methods and the length requirements.

When the data input type keyword is MESSAGE, the value is the length of the message to be hashed. The maximum value is 2147483647 bytes. A hash method rule array keyword must be specified.

When the data input type keyword is HASH, the value must be the exact length of the hash to be signed. The maximum value is 516 bytes. The length of the hash for the supported hashing method is 16 for MD5, 20 for SHA-1 and RPMD-160, 28 for SHA-224, 32 for SHA-256, 48 for SHA-384, and 64 for SHA-512. You can use either the One-Way Hash Generate callable service or the MDC Generate callable service to generate the hash.

For the PKCS-PSS formatting rule, the first four bytes must be the salt length. The remaining bytes of the parameter must contain the hash or message. The value will be 4 + length of the hash or message.

For the ZERO-PAD format rule, the length is restricted to 36 for RSA keys that permit key management in the key usage field. For RSA keys that permit signature only in the key usage field, the maximum value is 512. This hash length limit is controlled by an access control point. Only RSA keys that permit key management are affected by this access control point. See the restrictions section of this service for details.

data
Direction Type
Input String

The application-supplied data to be signed. The data can be the message to be hashed and signed or the hash of the message. See Usage Notes for details of the formatting methods and the data requirements.

The data must be in the caller's primary address space.

For the PKCS-PSS formatting rule, the first four bytes must be the salt length. The remaining bytes of the parameter must contain the hash or message.

signature_field_length
Direction Type
Input/Output Integer

The length in bytes of the signature_field to contain the generated digital signature. Upon return, this field contains the actual length of the generated signature. The maximum size for RSA is 512 bytes. The maximum size of ECC is 132.

For RSA, this must be at least the byte length of the modulus rounded up to a multiple of 32 bytes for the X9.31 signature format or one byte for all other signature formats.

For ECDSA NIST prime curves, the maximum is 2 * 521 bits. For brain pool curves, the maximum size is 2 * 512 bits.

signature_bit_length
Direction Type
Input/Output Integer

The bit length of the digital signature generated. For ISO-9796, this is 1 less than the modulus length. For other RSA processing methods, this is the modulus length.

signature_field
Direction Type
Input/Output String

The digital signature generated is returned in this field. The digital signature is in the low-order bits (right-justified) of a string whose length is the minimum number of bytes that can contain the digital signature. This string is left-justified within the signature_field. Any unused bytes to the right are undefined.

Restrictions

Although ISO-9796 does not require the input hash to be an integral number of bytes in length, this service requires you to specify the hash_length in bytes.

For CCA RSA keys, the hash length limit is controlled by the DSG ZERO-PAD unrestricted hash length access control point. If enabled, the maximum hash length limit for ZERO-PAD is the modulus length of the PKA private key. If disabled, the maximum hash length limit for ZERO-PAD is 36 bytes. Only RSA key management keys are affected by this access control point. The limit for RSA signature use only keys is 512 bytes. This access control point is disabled in the domain role. You must have a TKE workstation to enable it.

Authorization

To use this service with a secure PKCS #11 private key that is a public object, the caller must have SO (READ) authority or USER (READ) authority (any access) to the containing PKCS #11 token.

To use this service with a secure PKCS #11 private key that is a private object, the caller must have USER (READ) authority (user access) to the containing PKCS #11 token.

See z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for more information on the SO and User PKCS #11 roles.

Usage notes

SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS, PKDS, or TKDS.

Notes on formatting the message:
ISO-9796
The length of the hash must be less than or equal to one-half of the number of bytes required to contain the modulus of the RSA key.
PKCS-1.0 and PKCS-1.1
The length of the hash must be 11 bytes shorter than the number of bytes required to contain the modulus of the RSA key.

When the HASH keyword is specified, the hash must be BER encoded. See Formatting hashes and keys in public-key cryptography for a description of the formatting methods.

PKCS-PSS
The first four bytes of the data parameter will contain the salt length. The remaining bytes of the parameter contains the hash or message.

It is recommended that the salt length be either 0 or the byte length of the hash algorithm selected. The salt length should not be less than the byte length of the hash algorithm, but it can be greater. When the Digital Signature Generate – PKCS-PSS allow small salt access control is enabled in the domain role, the salt length may be less than the length of the hash.

The size of the data to be signed is governed by the size of the RSA modulus. The modulus size and hash length affect the maximum salt length for a given key modulus size and specified hash. The maximum salt length equals modulus size/8 - hash length - 2. For example, with a 4096 bit modulus key and SHA-1, the maximum salt length becomes – (4096/8) – 20 -2 => 512-20-2 = 490.

X9.31
There are no restrictions for the hash length or message.
ZERO-PAD
The length of the hash must be less than or equal to the number of bytes required to contain the modulus of the RSA key.
ECDSA
There are no restrictions for the hash length or message.

The Digital Signature Generate callable service can take advantage of a PKCS#11 private key object stored in the TKDS, but you should check if using PKCS #11 Private Key Sign (CSFPPKS and CSFPPKS6) aligns better with the overall design of your application.

Before specifying PKCS-PSS, see section A.2.3 of RFC 8017: PKCS #1: RSA Cryptography Specifications Version 2.2 (RFC 8017). Section A.2.3 defines a parameter field for RSASSA-PSS that has the following four parameters:
hashAlgorithm
This parameter identifies the hash function. A hashing-method specification keyword of SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512 is required. There is no default.
maskGenAlgorithm
This parameter identifies the mask generation function. MGF1 is a mask generation function based on a hash function and is the only function currently defined by the standard. For CCA, the hash function on which MGF1 is based is always the same as hashAlgorithm. Although this is not required, CCA enforces the recommendation by the standard that the underlying hash function be the same as the one identified by hashAlgorithm.
saltLength
This is the length of the salt, which is a randomly generated value. Use the data variable of the verb to prepend a 4-byte saltLength field in big endian format to the hash digest to be signed or the message to be hashed and signed.
trailerField
This is the trailer field number. This is not an input to the verb because it is always set to the value X'BC'. Other trailer field numbers are not supported by the standard.

Access control points

For PKA private keys, the Digital Signature Generate access control point controls the function of this service.

The length of the hash for ZERO-PAD is restricted to 36 bytes. If the DSG ZERO-PAD unrestricted hash length access control point is enabled in the domain role, the length of the hash is not restricted. This access control is disabled by default.

For the PKCS-PSS formatting method, ICSF requires the salt length specified in the data parameter to be zero or the length of the hash specified. When the Digital Signature Generate – PKCS-PSS allow small salt access control is enabled in the domain role, the salt length may be less than the length of the hash.

For secure PKCS #11 private keys, the Sign with private keys access control point controls the function of this service. For more information on the access control points of the Enterprise PKCS #11 coprocessor, see 'PKCS #11 Access Control Points' in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

Required hardware

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 2. Digital Signature Generate required hardware
Server Required cryptographic hardware Restrictions
IBM System z9 EC
IBM System z9 BC
 Crypto Express2 Coprocessor ECC not supported.

RSA key support with moduli within the range 2048-bit to 4096-bit requires the Nov. 2007 or later licensed internal code (LIC).

Keywords PKCS-PSS, SHA-384, and SHA-512 are not supported.
IBM System z10 EC
IBM System z10 BC
 Crypto Express2 Coprocessor ECC not supported.

RSA key support with moduli within the range 2048-bit to 4096-bit requires the Nov. 2007 or later licensed internal code (LIC).

Keyword PKCS-PSS is not supported. The combination of the X9.31 keyword and either SHA-384 or SHA-512 is not supported.
Crypto Express3 Coprocessor ECC support requires the Sep. 2010 licensed internal code (LIC).

Keyword PKCS-PSS is not supported. The combination of the X9.31 keyword and either SHA-384 or SHA-512 is not supported.
IBM zEnterprise 196
IBM zEnterprise 114
 Crypto Express3 Coprocessor Keyword PKCS-PSS is not supported.
IBM zEnterprise EC12
IBM zEnterprise BC12
 Crypto Express3 Coprocessor

Crypto Express4 CCA Coprocessor

 Keyword PKCS-PSS isn’t supported.
Crypto Express4 Enterprise PKCS #11 coprocessor Required to use a secure PKCS #11 private key.
IBM z13
IBM z13s
 Crypto Express5 CCA Coprocessor PKCS-PSS support requires the October 2016 or later licensed internal code (LIC).
Crypto Express5 Enterprise PKCS #11 coprocessor Required to use a secure PKCS #11 private key.