CCA Release 2.54
The verb first processes the source and target tokens as with the
SINGLE keyword. Then the source token is processed using the
single-length enciphered key and the source token right-half control
vector to obtain the actual key value. The key value is then
enciphered using the KEK and the control vector in the target token
for the right-half of the key.
This approach is frequently useful when you must obtain a
double-length CCA key from a system that only supports a
single-length key, for example when processing PIN keys or
key-encrypting keys received from non-CCA systems.
To prevent the verb from ensuring that each key byte has odd parity, you can
specify the NOADJUST keyword. If you do not specify the NOADJUST keyword,
or if you specify the ADJUST keyword, the verb ensures that each byte of the
target key has odd parity.
When the Target Key-Token CV Is Null
When you use any of the LEFT, BOTH, or RIGHT keywords, and when the control
vector in the target key token is null (all B'0'), then bit 0 in byte 59 of the target
version X'01' key token will be set to B'1' to indicate that this is a double-length
DATA key.
Control_Vector_Translate Example
As an example, consider the case of receiving a single-length PIN-block encrypting
key from a non-CCA system. Often such a key will be encrypted by an unmodified
transport key (no control vector or variant is used). In a CCA system, an inbound
PIN encrypting key is double-length.
First use the Key_Token_Build verb to insert the single-length key value into the
left-half key-space in a key token. Specify USE-CV as a key type and a control
vector value set to 16 bytes of X'00'. Also specify EXTERNAL, KEY, and CV
keywords in the rule array. This key token will be the source key key-token.
Second, the target key token can also be created using the Key_Token_Build verb.
Specify a key type of IPINENC and the NO-EXPORT rule array keyword.
Then call the Control_Vector_Translate verb and specify a rule-array keyword of
LEFT. The mask arrays can be constructed as follows:
- A1 is set to the value of the KEK's control vector, most likely the value of an
  IMPORTER key, perhaps with the NO-EXPORT bit set. B1 is set to eight bytes
  of X'FF' so that all bits of the KEK's control vector will be tested.
- A2 is set to eight bytes of X'00', the (null) value of the source key control
  vector. B2 is set to eight bytes of X'FF' so that all bits of the source-key
  “control vector” will be tested.
- A3 is set to the value of the target key's left-half control vector. B3 is set to
  X'FFFF FFFF FF9F FFFF'. This will cause all bits of the control vector to be
  tested except for the two (“fff”) bits used to distinguish between the left-half and
  right-half target-key control vector.
- B4 is set to eight bytes of X'00' so that no comparison is made between the
  source and target control vectors.
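The mask tests described above can be modelled in a few lines of Python. This is an added illustration, not IBM code: it assumes that a B'1' bit in a B mask means the corresponding control-vector bit must equal the same bit of the paired A mask (and, for B4, that source and target control vectors must agree in that bit). The control-vector values and the function names are constructed for the example.

```python
# Added illustration, not IBM code. Assumed semantics: a bit set in a B mask
# means "this control-vector bit must equal the same bit of the paired A mask".
FF = bytes.fromhex("FFFFFFFFFFFFFFFF")
NULL = bytes(8)

def masked_equal(cv: bytes, a: bytes, b: bytes) -> bool:
    """True when cv equals a in every bit position that is 1 in b."""
    if not len(cv) == len(a) == len(b) == 8:
        raise ValueError("control-vector halves and masks are 8 bytes each")
    return all(((c ^ x) & m) == 0 for c, x, m in zip(cv, a, b))

def failed_tests(kek_cv, src_cv, tgt_cv, masks):
    """Return the names of the mask tests that fail (empty list = all pass)."""
    checks = {
        "A1/B1 KEK CV": masked_equal(kek_cv, masks["A1"], masks["B1"]),
        "A2/B2 source CV": masked_equal(src_cv, masks["A2"], masks["B2"]),
        "A3/B3 target CV": masked_equal(tgt_cv, masks["A3"], masks["B3"]),
        # B4 selects the bits that must agree between source and target CVs.
        "B4 source vs target": masked_equal(src_cv, tgt_cv, masks["B4"]),
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample control vectors (placeholders for this example only).
KEK_CV = bytes.fromhex("0042050003410000")
TGT_LEFT = bytes.fromhex("00215F0003410000")
# Differs from TGT_LEFT only in byte 5, in the two bits that B3 = ...9F... skips.
TGT_RIGHT = bytes.fromhex("00215F0003210000")

# Mask arrays built as in the example above.
MASKS = {
    "A1": KEK_CV, "B1": FF,      # test every bit of the KEK's CV
    "A2": NULL, "B2": FF,        # source CV must be null
    "A3": TGT_LEFT, "B3": bytes.fromhex("FFFFFFFFFF9FFFFF"),
    "B4": NULL,                  # no source/target comparison
}

if __name__ == "__main__":
    for label, tgt, masks in [
        ("left half, B3 as above", TGT_LEFT, MASKS),
        ("right half, B3 as above", TGT_RIGHT, MASKS),
        ("right half, B3 all X'FF'", TGT_RIGHT, dict(MASKS, B3=FF)),
    ]:
        print(label, "->", failed_tests(KEK_CV, NULL, tgt, masks) or "all pass")
```

With B3 set to all X'FF', the right-half control vector no longer matches A3, which is why the example leaves those two bits untested.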
C-24 IBM 4758 CCA Basic Services, Release 2.54, February 2005