Hello!!

We are still doing tests with our ICSF.

Our scenario:

We have the following Link:
https://www.freeformatter.com/hmac-generator.html#ad-output

For example we enter

in "Copy-paste the string here": Hola Mundo
in "Secret key": ABCabcAB12345678
in "Select a message digest algorithm": We select SHA-256

Then we click on  COMPUTE HMAC, and the following appears :
7483f0f47d20c89256805b69936ebdc31e62d99a40f6640b334c6b5a8d83df5e

In Mainframe we use the CSNBSKI2 callable service first (to import the
key) and then the CSNBHMG Callable Service (that calculates the HMAC with
SHA-256 using the output of the first verb).

Our issue is that we have different results using the link above and the
mainframe and we are almost sure we need another conversion in the middle.

I appreciate any help. Thanks in advance.

Regards, Andrea!



On Fri, Aug 13, 2021 at 5:28 PM Eric D Rossman <[email protected]> wrote:

> I've got questions. :)
>
> > Our scenario:
> > We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0
>
> This is a little out of service but I think we can make this work.
>
> > We want to calculate a hash using sha-256 with a certain secret key (or
> > seed) that is provided by someone external (and given to us). We are not
> > sure how to store that key in the CKDS Dataset. The length of the key is 32
> > bits and has the form of n(1)n(2)....n(32) where each n(i) is a
> > hexadecimal character (I don't know why...)
>
> I assume you mean 32 nibbles long (128 bits) because ICSF won't allow an
> HMAC key of less than 80 bits.
>
> Since you are on HCR77B0, you would convert it to binary and then use
> CSNBSKI2 to import clear key material as a secure key token. Doing this
> will require enabling SSM (special secure mode) in ICSF options dataset.
>
> Then, you can use CSNBKRC2 to put the token into the CKDS.
>
> > We already created and stored an AES master key in the cryptographic
> > hardware and we also changed the format of our CKDS in order to use HMAC.
>
> Perfect.
>
> > We tried different ways of putting this key in the CKDS using different
> > verbs, like using a REXX example from the web (HMAC Generation from a
> > Clear Key)
>
> Do you have a link to that example? CSNBHMG doesn't allow clear key tokens
> until "Cryptographic Support for z/OS V2R2 - z/OS V2R4 (HCR77D1)" (five
> releases after the release you have).
>
> > In our mainframe we want to use the callable service (verb) CSNBHMG in a
> > Cobol program to calculate the hash using the key stored in the CKDS. This
> > output should be the same as the output using
> > (with the same key).
>
> To be clear, that page is treating the data as ASCII, so you will need to
> account for that in your COBOL (ensure that the data is kept as binary
> until it is HMACed).
>
> > Our biggest issue is how to put this secret key (or seed) in the CKDS
> > dataset.
>
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
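
Added example (not part of either message, and not the poster's or IBM's code): a Python cross-check, run off the mainframe, that computes HMAC-SHA256 for the test values in the post under each way the typed key and text can become bytes (ASCII, EBCDIC, or the key read as hex nibbles) and marks any result equal to the value the web page returned. Code page cp037 is an assumption; the letters, digits and space used here have the same byte values in cp1047.

```python
import hashlib
import hmac

MESSAGE = "Hola Mundo"          # test string from the post
KEY_TEXT = "ABCabcAB12345678"   # secret key as typed into the web page
# HMAC-SHA256 value the post reports from the web page
REFERENCE = "7483f0f47d20c89256805b69936ebdc31e62d99a40f6640b334c6b5a8d83df5e"


def message_candidates(message):
    """Byte strings the same text becomes on an ASCII and an EBCDIC system."""
    return {
        "message ASCII": message.encode("ascii"),
        "message EBCDIC cp037": message.encode("cp037"),  # assumed code page
    }


def key_candidates(key_text):
    """Byte strings the same typed key can become before it is imported."""
    candidates = {
        "key ASCII": key_text.encode("ascii"),
        "key EBCDIC cp037": key_text.encode("cp037"),  # assumed code page
    }
    try:
        # Reading the characters as hex nibbles halves the key length.
        candidates["key hex-decoded"] = bytes.fromhex(key_text)
    except ValueError:
        pass  # not a hex string, so this interpretation does not apply
    return candidates


def hmac_table(message, key_text):
    """HMAC-SHA256 hex digest for every key/message interpretation pair."""
    return {
        (k_label, m_label): hmac.new(k, m, hashlib.sha256).hexdigest()
        for k_label, k in key_candidates(key_text).items()
        for m_label, m in message_candidates(message).items()
    }


def matching(table, reference):
    """Interpretation pairs whose digest equals the reference value."""
    return [pair for pair, digest in table.items()
            if hmac.compare_digest(digest, reference.lower())]


if __name__ == "__main__":
    table = hmac_table(MESSAGE, KEY_TEXT)
    hits = matching(table, REFERENCE)
    for pair, digest in table.items():
        print(f"{pair[0]:18} {pair[1]:22} {digest}{'  <-- web page' if pair in hits else ''}")
```

The bytes of the marked row are what the key import and the HMAC call on the mainframe have to receive for the two results to agree.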
