RPG APIs

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 
 /FREE
  // Encrypt value in CreditCardValue and insert into external file

  If HTTP_InsEncFld(‘CCFIELD’
                   :CreditCardValue
                   :LogCmt
                   :ExtIndex
                   :MsgId
                   :MsgText);

     // Success-> Store the ExtIndex (index number) in existing DB field
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …

  Endif;

 /END-FREE

HTTP_UpdEncFld – Update Encrypted Field Value in External File

The HTTP_UpdEncFld procedure will encrypt a field value and then update the record in the external file with this encrypted value. The name of the external file is specified in the Field Encryption Registry.

This procedure should only be used if all of the following conditions are met:

• The field is registered and *ACTIVE in the Encryption Registry
• Triggers are not used to automatically encrypt the field values
• The encrypted values are stored in an external file

Procedure name:HTTP_UpdEncFld
Bind to Service Program: CRSP511
Prototype source member:@CRSP511 in CRYPTO/QCPYLESRC source file

Parameters for HTTP_UpdEncFld procedure:

Return value: *ON if successful, *OFF if errors

Example in /Free form RPG:

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 
 /FREE
  // Convert the index number (stored in ccno) from alphanumeric to decimal

  ExtIndex = %dec(ccno:16:0);
  // Using the index specified in ExtIndex, encrypt value in 
  // CreditCardValue and update record in external file 
  If HTTP_UpdEncFld(‘CCFIELD’
                   :ExtIndex
                   :CreditCardValue
                   :LogCmt
                   :MsgId
                   :MsgText);

     // Success-> Encrypted value was stored
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …

  Endif;

 /END-FREE

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 
 /FREE
  // Convert the index number (stored in ccno) from alphanumeric to decimal

  ExtIndex = %dec(ccno:16:0);
  // Using the index specified in ExtIndex, remove the encrypted value

  // from the external file

  If HTTP_DltEncFld (‘CCFIELD’
                :ExtIndex
                 :MsgId
                    :MsgText);

     // Success-> Encrypted value was removed
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …

  Endif;

 /END-FREE

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 
 /FREE
  // Convert the index number (stored in ccno) from alphanumeric to decimal

  ExtIndex = %dec(ccno:16:0);
  // Using the index specified in ExtIndex, retrieve the value from
  // external file, decrypt and return it.

  If HTTP_GetEncFld(‘CCFIELD’
                   :ExtIndex
                   :LogCmt
                   :CreditCardValue
                   :MsgId
                   :MsgText);

     // Success-> The decrypted value is in CreditCardValue variable
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …

  Endif;

 /END-FREE

HTTP_GetEncFldMask – Get Decrypted Field Value from External File (Masked value)

The HTTP_GetEncFldMask procedure will retrieve an encrypted field value from an external file, then decrypt it and apply a mask, based on the settings specified in the Field Encryption Registry. For instance, if a mask of ‘************9999’ is specified in the Registry for a credit card number, then a sample of a returned credit card number would be ‘************1234’.

This procedure should only be used if all of the following conditions are met:

• The field is registered and *ACTIVE in the Encryption Registry
• The field has a mask value specified in the Encryption Registry
• The encrypted values are stored in an external file

Procedure name:HTTP_GetEncFldMask
Bind to Service Program: CRSP511
Prototype source member:@CRSP511 in CRYPTO/QCPYLESRC source file

Parameters for HTTP_GetEncFldMask procedure:

Return value: *ON if successful, *OFF if errors

Example in /Free form RPG:

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511 

 /FREE
  // Convert the index number (stored in ccno) from alphanumeric to decimal
  ExtIndex = %dec(ccno:16:0);
  // Using the index specified in ExtIndex, retrieve the value from
  // external file, decrypt, mask and return it.
  If HTTP_GetEncFldMask(‘CCFIELD’
                       :ExtIndex
                       :LogCmt
                       :MaskedValue
                       :MsgId
                       :MsgText);
     // Success-> The decrypted masked value is in the MaskedValue variable
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …
  Endif;
 /END-FREE

HTTP_GetEncFldAuth – Get Decrypted Field Value from External File (Authorized value)

The HTTP_GetEncFldAuth procedure can be used if the encrypted field values are stored in an external file . Based on the user’s authority to the field, the HTTP_GetEncFldAuth procedure will return either 1) the fully decrypted value for the field or 2) the masked value for the field or 3) a blank value.

The user’s authority to the field is determined by checking the Authority Lists indicated on the field’s AUTLDEC and AUTLMASK settings that are specified in the Field Encryption Registry.

If a masked value is returned, the mask will be based on the field’s FLDMASK setting that is specified in the Field Encryption Registry.

This procedure should only be used if all of the following conditions are met:

• The field is registered and *ACTIVE in the Encryption Registry
• The encrypted values are stored in an external file

Procedure name:HTTP_GetEncFldAuth
Bind to Service Program: CRSP511
Prototype source member:@CRSP511 in CRYPTO/QCPYLESRC source file

Parameters for HTTP_GetEncFldAuth procedure:

Return value: *ON if successful, *OFF if errors

HTTP_GetEncFldAuth example in /Free form RPG:

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 /FREE
  // Convert the index number (stored in ccno) from alphanumeric to decimal
  ExtIndex = %dec(ccno:16:0);
  // Using the index specified in ExtIndex, retrieve the encrypted value 
  // from the external file. Based on the user’s authorities, it returns
  // either the fully decrypted value, the masked value or a blank value.
  If HTTP_GetEncFldAuth(‘CCFIELD’
			:ExtIndex
			:LogCmt
			:OutputValue
			:MsgId
			:MsgText);
  // Success-> The returned value is in the OutputValue variable
  … logic …
 Else;
  // Errors-> Display MsgId and MsgText values
  … logic …
  Endif;
/END-FREE		

HTTP_GetFldTkn – Get Field Token Value from External File

The HTTP_GetFldTkn procedure will return the token that matches an unencrypted value entered from the Field Encryption Registry.

This procedure should only be used if all of the following conditions are met:

• The field is registered and *ACTIVE in the Encryption Registry
• Triggers are not used to automatically encrypt the field values
• The encrypted values are stored in an external file

Procedure name:HTTP_GetFldTkn
Bind to Service Program: CRSP511
Prototype source member:@CRSP511 in CRYPTO/QCPYLESRC source file

Parameters for HTTP_GetFldTkn procedure:

Return value: *ON if successful, *OFF if errors

Example in /Free form RPG:

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 
 /FREE
  // Rerurn the Token for an unencrypted CreditCard Value 

  If HTTP_GetFldTkn(‘CCFIELD’
                   :CreditCardValue
                   :ExtIndex
                   :MsgId
                   :MsgText);

     // Success-> Returns the ExtIndex (index number) 
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …

  Endif;

 /END-FREE

HTTP_Encrypt – Encrypt text with Advanced options using Key Label

The HTTP_Encrypt procedure will encrypt text using advanced options. This procedure requires a Key Label.

Procedure name:HTTP_Encrypt
Bind to Service Program: CRSP511
Prototype source member:@CRSP511 in CRYPTO/QCPYLESRC source file

Parameters for HTTP_Encrypt procedure:

Return value: *ON if successful, *OFF if errors

Parameter Notes:

1. Specify the special value of *DEFAULT for the Key Store Name in order to use the default key store name indicated at the Key Policy level.
2. Specify *LIBL for the Key Store Library to locate the Key Store in the library list.
3. Algorithms supported are *TDES (for Triple DES), *AES128, *AES192 and *AES256. Must match algorithm stored in specified key.
4. Modes supported are ‘0’ for ECB, ‘1’ for CBC and ‘6’ for CUSP
5. Block length:

• For *AES128, *AES192 and *AES256 algorithms: either specify a 0 to automatically calculate the block length or specify a block length of 16, 24 or 32.
• For *TDES algorithm: specify a 0 to automatically calculate the block length or specify a block length of 8.

6. Valid values for the PadOption are:

• ‘0’ or blanks = No Padding
• ‘1’ = Pad using pad character (only valid with the *TDES algorithm)
• ‘2’ = Pad using pad number

  Specifying a PadOption will pad the data in the PlainText out to the next block length multiple. For example, the block length would be 8 for *TDES algorithm. This is true even if the block length is an even multiple of 8. Therefore, a value’s length of 20 is padded to 24, 32 is padded to 40, and so forth. The last byte of data will contain a 1-byte binary counter containing the number of pad characters used (a value from 1 to 8). If PadOption is a ‘1’, the PadChar value is used for the rest of the pad characters. If PadOption is ‘2’, the binary counter is used for the rest of the pad characters.

7. OutputType valid values are *EBCDIC and *ASCII. If none is specified, then the default value of *EBCDIC will be used.
8. OutputFmt valid values are *CHAR, *HEX and *BASE64. If none is specified, then the default value of *CHAR will be used.
9. Initialization vector (IV): Specify an IV value to manipulate the encryption operation. In other words, the same Plain Text which is encrypted with different IVs will produce different Cipher text values. For *AES algorithms, the IV length should not exceed the block length. For *TDES, the IV length should not exceed 8. The IV need not be secret, but it should be unique. Upon completion of the operation, an output chaining value will be returned in the IV field. This value can be used as the IV for the next operation when encrypting or decrypting text in multiple blocks. Refer to ANSI X9.52 for an explanation of its use. Allowed for algorithm modes of ‘1’ (CBC) and ‘6’ (CUSP).

Example in /Free form RPG:

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 
 /FREE
  // Encrypt value in CreditCard variable using AES256 algorithm

  If HTTP_Encrypt(CreditCard
       :CreditCardLength

                 :‘OE_KEYS’
                 :‘*LIBL’             

                 :‘CREDIT_CARD_KEY’
                 :‘Audit Log comment…’
                 :‘*AES256’
                 :‘0’
                 :16
                 :PadOption

                 :PadChar
                 :‘*EBCDIC’
                 :‘*CHAR’

                 :InitVector             

                 :CipherText
                 :CipherTextLen
                 :MsgId
                 :MsgText);

     // Success-> The encrypted value is in CipherText variable
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …

  Endif;
 /END-FREE

Additional notes for HTTP_Encrypt:

• When using *AES128, *AES192 and *AES256 algorithms with ECB or CBC modes, the returned Cipher Text length will be a minimum of 16 bytes long. This returned Cipher text length will be divisible by 16 or 24. For instance:

• When using *AES128, *AES192 and *AES256 algorithms with CUSP mode, the returned Cipher Text length will be the same as the Plain Text length.
• For *TDES algorithm, the returned Cipher Text length will be a minimum of 8 bytes long. This returned Cipher text length will be divisible by 8. For instance:

HTTP_Decrypt – Decrypt text with Advanced options using Key Label

The HTTP_Decrypt procedure will decrypt text using advanced options. This procedure requires a Key Label.

Procedure name:HTTP_Decrypt
Bind to Service Program: CRSP511
Prototype source member:@CRSP511 in CRYPTO/QCPYLESRC source file

Parameters for HTTP_Decrypt procedure:

Return value: *ON if successful, *OFF if errors

Parameter Notes:

1. InputType valid values are *EBCDIC and *ASCII. If none is specified, then the default value of *EBCDIC will be used.
2. InputFmt valid values are *CHAR, *HEX and *BASE64. If none is specified, then the default value of *CHAR will be used.
3. Specify the special value of *DEFAULT for the Key Store Name in order to use the default key store name indicated at the Key Policy level.
4. Specify *LIBL for the Key Store Library to locate the Key Store in the library list.
5. Algorithms supported are *TDES (for Triple DES), *AES128, *AES192 and *AES256
6. Modes supported are ‘0’ for ECB, ‘1’ for CBC and ‘6’ for CUSP
7. Block length:
   • For *AES128, *AES192 and *AES256 algorithms: either specify a 0 to automatically calculate the block length or specify a block length of 16, 24 or 32.
   • For *TDES algorithm: specify a 0 to automatically calculate the block length or specify a block length of 8.
8. Valid values for the PadOption are:
   • ‘0’ or blanks = Value is not padded
   • ‘1’ = Value is padded with a pad character (only valid with the *TDES algorithm)
   • ‘2’ = Value is padded with a pad number

     Specifying a PadOption will strip the pad bytes off the end of the value before returning it in the PlainText.

9. Initialization vector (IV): Specify an IV value to manipulate the decryption operation. In other words, the same Cipher which is decrypted with different IVs will produce different Plain text values. For *AES algorithms, the IV length should not exceed the block length. For *TDES, the IV length should not exceed 8. The IV need not be secret, but it should be unique. Upon completion of the operation, an output chaining value will be returned in the IV field. This value can be used as the IV for the next operation when encrypting or decrypting text in multiple blocks. Refer to ANSI X9.52 for an explanation of its use. Allowed for algorithm modes of ‘1’ (CBC) and ‘6’ (CUSP).

Example in /Free form RPG:

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 
 /FREE
  // Decrypt value in CipherText variable using AES256 algorithm

  If HTTP_Decrypt(CipherText
                 :CipherTextLen
                 :‘*EBCDIC’
                 :‘*CHAR’

                 :‘OE_KEYS’
                 :‘*LIBL’             

                 :‘CREDIT_CARD_KEY’
                 :‘Audit Log comment…’
                 :‘*AES256’
                 :‘0’
                 :16
                 :PadOption

                 :PadChar

                 :InitVector

                 :CreditCard
                 :CreditCardLength
                 :MsgId
                 :MsgText);

     // Success-> The decrypted value is in CreditCard variable
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …

  Endif; 
 /END-FREE

HTTP_ExpSymKey – Export a Symmetric key

The HTTP_ExpSymKey procedure will export a symmetric key.

Procedure name:HTTP_ExpSymKey
Bind to Service Program: CRSP511
Prototype source member:@CRSP511 in CRYPTO/QCPYLESRC source file

Parameters for HTTP_ExpSymKey procedure:

Return value: *ON if successful, *OFF if errors

Parameter Notes:

1. Specify the special value of *DEFAULT for the Key Store Name in order to use the default key store name indicated at the Key Policy level.
2. Specify *LIBL for the Key Store Library to locate the Key Store in the library list. When specifying *LIBL, if the Key Store is not found in the servers library list, then an error will be returned.
3. Specify the special value of *DEFAULT for the Key Encryption Key Store Name in order to use the default key store name indicated at the Key Policy level.
4. Specify *LIBL for the Key Store Library to locate the Key Encryption Key Store in the library list.
5. KeyFmt valid values are *CHAR, *HEX and *BASE64. If none is specified, then the default value of *CHAR will be used.

Example in /Free form RPG:

H BNDDIR('CRYPTO/CRYPTO') DFTACTGRP(*NO)
D/COPY CRYPTO/QCPYLESRC,@CRSP511
 
 /FREE
  // Get an encryption key using the export symmetric key API.

  If HTTP_ExpSymKey(‘OE_KEYS’
                   :‘*LIBL’             

                   :‘CREDIT_CARD_KEY’
               :‘OE_KEYS’ 
                   :‘*LIBL’             

                   :‘KEY_ENCRYPTION_KEY’
                   :KeyFormat
                   :KeyValue 
                   :MsgId
                   :MsgText);

     // Success-> The key value is in the KeyValue field 
     … logic …
  Else;
     // Errors-> Display MsgId and MsgText values
     … logic …

  Endif; 
 /END-FREE