In the last issue, I reported on a few of the new OS/400 encryption APIs: Qc3CalculateHash, Qc3EncryptData, and Qc3DecryptData.
Calling one of these APIs requires careful interpretation of the API's parameter list. The parameter lists consist of various data structures and formatting codes that can be somewhat vexing to say the least. Unless it's for performance reasons, I can't understand why IBM continues to publish APIs that require such complex parameters. Even I find them confusing, and I've been working with OS/400 APIs since before the first ones were even announced.
To help simplify matters, I've written two subprocedures that accept data as input (along with the encryption key/password) and return the data encrypted or decrypted, depending on which subprocedure you call.
RC4 Encryption
The first subprocedure uses RC4 encryption. This program accepts a character string as input and encrypts that string.
The variable named szData is encrypted using RC4 encryption. The encrypted data is returned in the encData field and is subsequently passed to Qc3DecryptData to be decrypted. Using the ILE debugger, you can set a breakpoint just before the call to Qc3DecryptData to view the encrypted data. You can then set another breakpoint immediately following the call to Qc3DecryptData to view the decrypted data.
To compile the RC4 example, you need to download the APIPROTOS source member. This source member includes the prototypes for several OS/400 APIs, including the recently added Qc3 APIs. I maintain this source member on my own system, and it is available for free download at rpgiv.com/downloads.
Here's how to do RC4 encryption using Qc3EncryptData and Qc3DecryptData:
H DFTACTGRP(*NO)
H OPTION(*NODEBUGIO:*SRCSTMT)
*** Download APIPROTOS from: www.rpgiv.com/downloads
/INCLUDE RPGLAB/QCPYSRC,apiprotos
** API Error Data structure
D QUSEC_EX DS Qualified
D Based(TEMPLATE_T)
D charKey 10I 0
D nErrorDSLen 10I 0
D nRtnLen 10I 0
D msgid 7A
D Reserved 1A
D CCSID 10I 0
D OffsetExcp 10I 0
D excpLen 10I 0
D excpData 128A
D ALGO_DES C Const(20)
D ALGO_TDES C Const(21)
D ALGO_AES C Const(22)
D ALGO_RC4 C Const(30)
D ALGO_RSA_PUB C Const(50)
D ALGO_RSA_PRIV C Const(51)
D ANY_CRYPTO_SRV C Const('0')
D SWF_CRYPTO_SRV C Const('1')
D HWD_CRYPTO_SRV C Const('2')
D CRYPTO_SRV S 10A Inz(*BLANKS)
** Cipher API data structures.
D myAlgo DS LikeDS(ALGD0300_T)
D myKey DS LikeDS(KEYD0200_T)
D apiError DS LikeDS(qusec_ex)
** The clear text (data to be encrypted)
D szData S 500A Inz('Robert Cozzi, Jr.')
** The encrypted data variable
D encData S Like(szData)
** The length of the data returned by the APIs
D nRtnLen S 10I 0
** The password (cipher key) used to encrypt the data.
D keyValue S 256A INZ('ROSEBUD')
/free
myAlgo.Algorithm = ALGO_RC4;
myKey.type = ALGO_RC4;
myKey.length = %Len(%TrimR(keyValue));
myKey.Format = '0';
myKey.value = %TrimR(keyValue);
apiError = *ALLX'00';
apiError.nErrorDSLen=%size(apiError);
Qc3EncryptData(szData:%len(%TrimR(szData)):'DATA0100':
myAlgo : 'ALGD0300' :
myKey : 'KEYD0200' :
ANY_CRYPTO_SRV : CRYPTO_SRV :
encData : %size(encData) : nRtnLen :
apiError );
apiError = *ALLX'00';
apiError.nErrorDSLen=%size(apiError);
Qc3DecryptData(encData : nRtnLen :
myAlgo : 'ALGD0300' :
myKey : 'KEYD0200' :
ANY_CRYPTO_SRV : CRYPTO_SRV :
szData : %size(szData) : nRtnLen :
apiError );
/end-free
C eval *INLR = *ON
AES Encryption
Encrypting with AES is a little different than with RC4. With AES, you're restricted to 16-, 24-, or 32-byte results or a multiple of those lengths. In other words, you can encrypt a 10-position field, but you end up with a 16-byte encrypted result, whereas a 40-position value when encrypted produces either a 48- or 64-byte encrypted value.
In the following example, the key length is set to a multiple of 16, 24, or 32 bytes as required by the algorithm. The rest of the routine is effectively the same as the RC4 routine but with different data structures and format codes.
H DFTACTGRP(*NO)
H OPTION(*NODEBUGIO:*SRCSTMT)
*** Download APIPROTOS from www.rpgiv.com/downloads
/INCLUDE RPGLAB/QCPYSRC,apiprotos
** API Error Data structure
D QUSEC_EX DS Qualified Inz
D ccharKey 10I 0
D nErrorDSLen 10I 0
D nRtnLen 10I 0
D msgid 7A
D Reserved 1A
D CCSID 10I 0
D OffsetExcp 10I 0
D excpLen 10I 0
D excpData 128A
// Move the following named consts to a /COPY
D ALGO_DES C Const(20)
D ALGO_TDES C Const(21)
D ALGO_AES C Const(22)
D ALGO_RC4 C Const(30)
D ALGO_RSA_PUB C Const(50)
D ALGO_RSA_PRIV C Const(51)
D mode_ECB C Const('0')
D mode_CBC C Const('1')
D mode_OFB C Const('2')
D mode_CFB1Bit C Const('3')
D mode_CFB8Bit C Const('4')
D mode_CFB64Bit C Const('5')
D pad_NoPad C Const('0')
D pad_PadChar C Const('1')
D pad_PadCounter C Const('2')
D key_BIN C Const('0')
D key_BER C Const('1')
D ANY_CRYPTO_SRV C Const('0')
D SWF_CRYPTO_SRV C Const('1')
D HWD_CRYPTO_SRV C Const('2')
// Move the above named consts to a /COPY
D CRYPTO_SRV S 10A Inz(*BLANKS)
** Qc3 API Data Structures used for AES encryption
D myAlgo DS LikeDS(ALGD0200_T)
D myKey DS LikeDS(KEYD0200_T)
D apiError DS LikeDS(qusec_ex)
** The clear text (data to be encrypted)
D szData S 500A Inz('Robert Cozzi, Jr.')
** The encrypted data
D encData S Like(szData)
D nRtnLen S 10I 0
D nDataLen S 10I 0
** The password (cipher key) used to encrypt the data
D keyValue S 256A INZ('ROSEBUD')
** With AES encryption, we use a key-length multiplier
D nKeyLength S 10I 0
/FREE
// Set up the AES encryption DS
myAlgo.Algorithm = ALGO_AES;
myAlgo.blocklength = 16;
myAlgo.mode = mode_ECB;
myAlgo.PadChar = X'00';
myAlgo.PadOption = pad_PadChar;
myAlgo.reserved1 = X'00';
myAlgo.macLength = 0;
myAlgo.keySize = 0;
myalgo.inzVector = *ALLX'00';
// Set up the Key DS
myKey.type = ALGO_AES;
nKeyLength = %Len(%TrimR(keyValue));
// Key length must be 16, 24 or 32-bytes
// Set the length based on the true key length.
if (nKeyLength <= 16);
myKey.length = 16;
elseif (nKeyLength <= 24);
myKey.length = 24;
elseif (nKeyLength <=32);
myKey.length = 32;
else; // Key length invalid
return;
endif;
myKey.Format = key_BIN;
myKey.value = %TrimR(keyValue);
// Clear the error/DS
apiError = *ALLX'00';
apiError.nErrorDSLen=%size(apiError);
// Set the length of the data to be encrypted
// by removing the trailing blanks.
nDataLen = %len(%TrimR(szData));
// Encrypt using AES encryption.
Qc3EncryptData(szData: nDataLen :'DATA0100':
myAlgo : 'ALGD0200' :
myKey : 'KEYD0200' :
ANY_CRYPTO_SRV : CRYPTO_SRV :
encData : %size(encData) :
nRtnLen :
apiError );
apiError = *ALLX'00';
apiError.nErrorDSLen=%size(apiError);
// Clear out the original data to prove decrypt works.
szData = *BLANKS;
// Decrypt using AES algorithm
Qc3DecryptData(encData : nRtnLen :
myAlgo : 'ALGD0200' :
myKey : 'KEYD0200' :
ANY_CRYPTO_SRV : CRYPTO_SRV :
szData : %size(szData) :
nRtnLen :
apiError );
/end-free
C eval *INLR = *ON
The _CIPHER MI instruction was the first—and for a long time, the only—method of encrypting data on the system. Today, with the Qc3 APIs, there are two productive methods for encrypting text. In addition, with the advent of an efficient C compiler for the ILE environment, using the APIs may mean quicker access to new encryption algorithms in the future.
Bob Cozzi is a programmer/consultant, writer/author, and software developer of the RPG xTools, a popular add-on subprocedure library for RPG IV. His book The Modern RPG Language has been the most widely used RPG programming book for nearly two decades. He, along with others, speaks at and runs the highly-popular RPG World conference for RPG programmers.
Bob Cozzi is a programmer/consultant, writer/author, and software developer. His popular RPG xTools add-on subprocedure library for RPG IV is fast becoming a standard with RPG developers. His book The Modern RPG Language has been the most widely used RPG programming book for more than a decade. He, along with others, speaks at and produces the highly popular RPG World conference for RPG programmers.
MC Press books written by Robert Cozzi available now on the MC Press Bookstore.
 |
||
 |
|
RPG TnT Get this jam-packed resource of quick, easy-to-implement RPG tips! List Price $65.00 Now On Sale
|
|
||
 |
|
The Modern RPG IV Language Cozzi on everything RPG! What more could you want? List Price $99.95
Now On Sale
|
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online