In the last issue, I reported on a few of the new OS/400 encryption APIs: Qc3CalculateHash, Qc3EncryptData, and Qc3DecryptData.
Calling one of these APIs requires careful interpretation of the API's parameter list. The parameter lists consist of various data structures and formatting codes that can be somewhat vexing to say the least. Unless it's for performance reasons, I can't understand why IBM continues to publish APIs that require such complex parameters. Even I find them confusing, and I've been working with OS/400 APIs since before the first ones were even announced.
To help simplify matters, I've written two subprocedures that accept data as input (along with the encryption key/password) and return the data encrypted or decrypted, depending on which subprocedure you call.
RC4 Encryption
The first subprocedure uses RC4 encryption. This program accepts a character string as input and encrypts that string.
The variable named szData is encrypted using RC4 encryption. The encrypted data is returned in the encData field and is subsequently passed to Qc3DecryptData to be decrypted. Using the ILE debugger, you can set a breakpoint just before the call to Qc3DecryptData to view the encrypted data. You can then set another breakpoint immediately following the call to Qc3DecryptData to view the decrypted data.
To compile the RC4 example, you need to download the APIPROTOS source member. This source member includes the prototypes for several OS/400 APIs, including the recently added Qc3 APIs. I maintain this source member on my own system, and it is available for free download at rpgiv.com/downloads.
Here's how to do RC4 encryption using Qc3EncryptData and Qc3DecryptData:
H DFTACTGRP(*NO)
H OPTION(*NODEBUGIO:*SRCSTMT)
*** Download APIPROTOS from: www.rpgiv.com/downloads
/INCLUDE RPGLAB/QCPYSRC,apiprotos
** API Error Data structure
D QUSEC_EX DS Qualified
D Based(TEMPLATE_T)
D charKey 10I 0
D nErrorDSLen 10I 0
D nRtnLen 10I 0
D msgid 7A
D Reserved 1A
D CCSID 10I 0
D OffsetExcp 10I 0
D excpLen 10I 0
D excpData 128A
D ALGO_DES C Const(20)
D ALGO_TDES C Const(21)
D ALGO_AES C Const(22)
D ALGO_RC4 C Const(30)
D ALGO_RSA_PUB C Const(50)
D ALGO_RSA_PRIV C Const(51)
D ANY_CRYPTO_SRV C Const('0')
D SWF_CRYPTO_SRV C Const('1')
D HWD_CRYPTO_SRV C Const('2')
D CRYPTO_SRV S 10A Inz(*BLANKS)
** Cipher API data structures.
D myAlgo DS LikeDS(ALGD0300_T)
D myKey DS LikeDS(KEYD0200_T)
D apiError DS LikeDS(qusec_ex)
** The clear text (data to be encrypted)
D szData S 500A Inz('Robert Cozzi, Jr.')
** The encrypted data variable
D encData S Like(szData)
** The length of the data returned by the APIs
D nRtnLen S 10I 0
** The password (cipher key) used to encrypt the data.
D keyValue S 256A INZ('ROSEBUD')
/free
myAlgo.Algorithm = ALGO_RC4;
myKey.type = ALGO_RC4;
myKey.length = %Len(%TrimR(keyValue));
myKey.Format = '0';
myKey.value = %TrimR(keyValue);
apiError = *ALLX'00';
apiError.nErrorDSLen=%size(apiError);
Qc3EncryptData(szData:%len(%TrimR(szData)):'DATA0100':
myAlgo : 'ALGD0300' :
myKey : 'KEYD0200' :
ANY_CRYPTO_SRV : CRYPTO_SRV :
encData : %size(encData) : nRtnLen :
apiError );
apiError = *ALLX'00';
apiError.nErrorDSLen=%size(apiError);
Qc3DecryptData(encData : nRtnLen :
myAlgo : 'ALGD0300' :
myKey : 'KEYD0200' :
ANY_CRYPTO_SRV : CRYPTO_SRV :
szData : %size(szData) : nRtnLen :
apiError );
/end-free
C eval *INLR = *ON
AES Encryption
Encrypting with AES is a little different than with RC4. With AES, you're restricted to 16-, 24-, or 32-byte results or a multiple of those lengths. In other words, you can encrypt a 10-position field, but you end up with a 16-byte encrypted result, whereas a 40-position value when encrypted produces either a 48- or 64-byte encrypted value.
In the following example, the key length is set to a multiple of 16, 24, or 32 bytes as required by the algorithm. The rest of the routine is effectively the same as the RC4 routine but with different data structures and format codes.
H DFTACTGRP(*NO)
H OPTION(*NODEBUGIO:*SRCSTMT)
*** Download APIPROTOS from www.rpgiv.com/downloads
/INCLUDE RPGLAB/QCPYSRC,apiprotos
** API Error Data structure
D QUSEC_EX DS Qualified Inz
D ccharKey 10I 0
D nErrorDSLen 10I 0
D nRtnLen 10I 0
D msgid 7A
D Reserved 1A
D CCSID 10I 0
D OffsetExcp 10I 0
D excpLen 10I 0
D excpData 128A
// Move the following named consts to a /COPY
D ALGO_DES C Const(20)
D ALGO_TDES C Const(21)
D ALGO_AES C Const(22)
D ALGO_RC4 C Const(30)
D ALGO_RSA_PUB C Const(50)
D ALGO_RSA_PRIV C Const(51)
D mode_ECB C Const('0')
D mode_CBC C Const('1')
D mode_OFB C Const('2')
D mode_CFB1Bit C Const('3')
D mode_CFB8Bit C Const('4')
D mode_CFB64Bit C Const('5')
D pad_NoPad C Const('0')
D pad_PadChar C Const('1')
D pad_PadCounter C Const('2')
D key_BIN C Const('0')
D key_BER C Const('1')
D ANY_CRYPTO_SRV C Const('0')
D SWF_CRYPTO_SRV C Const('1')
D HWD_CRYPTO_SRV C Const('2')
// Move the above named consts to a /COPY
D CRYPTO_SRV S 10A Inz(*BLANKS)
** Qc3 API Data Structures used for AES encryption
D myAlgo DS LikeDS(ALGD0200_T)
D myKey DS LikeDS(KEYD0200_T)
D apiError DS LikeDS(qusec_ex)
** The clear text (data to be encrypted)
D szData S 500A Inz('Robert Cozzi, Jr.')
** The encrypted data
D encData S Like(szData)
D nRtnLen S 10I 0
D nDataLen S 10I 0
** The password (cipher key) used to encrypt the data
D keyValue S 256A INZ('ROSEBUD')
** With AES encryption, we use a key-length multiplier
D nKeyLength S 10I 0
/FREE
// Set up the AES encryption DS
myAlgo.Algorithm = ALGO_AES;
myAlgo.blocklength = 16;
myAlgo.mode = mode_ECB;
myAlgo.PadChar = X'00';
myAlgo.PadOption = pad_PadChar;
myAlgo.reserved1 = X'00';
myAlgo.macLength = 0;
myAlgo.keySize = 0;
myalgo.inzVector = *ALLX'00';
// Set up the Key DS
myKey.type = ALGO_AES;
nKeyLength = %Len(%TrimR(keyValue));
// Key length must be 16, 24 or 32-bytes
// Set the length based on the true key length.
if (nKeyLength <= 16);
myKey.length = 16;
elseif (nKeyLength <= 24);
myKey.length = 24;
elseif (nKeyLength <=32);
myKey.length = 32;
else; // Key length invalid
return;
endif;
myKey.Format = key_BIN;
myKey.value = %TrimR(keyValue);
// Clear the error/DS
apiError = *ALLX'00';
apiError.nErrorDSLen=%size(apiError);
// Set the length of the data to be encrypted
// by removing the trailing blanks.
nDataLen = %len(%TrimR(szData));
// Encrypt using AES encryption.
Qc3EncryptData(szData: nDataLen :'DATA0100':
myAlgo : 'ALGD0200' :
myKey : 'KEYD0200' :
ANY_CRYPTO_SRV : CRYPTO_SRV :
encData : %size(encData) :
nRtnLen :
apiError );
apiError = *ALLX'00';
apiError.nErrorDSLen=%size(apiError);
// Clear out the original data to prove decrypt works.
szData = *BLANKS;
// Decrypt using AES algorithm
Qc3DecryptData(encData : nRtnLen :
myAlgo : 'ALGD0200' :
myKey : 'KEYD0200' :
ANY_CRYPTO_SRV : CRYPTO_SRV :
szData : %size(szData) :
nRtnLen :
apiError );
/end-free
C eval *INLR = *ON
The _CIPHER MI instruction was the first—and for a long time, the only—method of encrypting data on the system. Today, with the Qc3 APIs, there are two productive methods for encrypting text. In addition, with the advent of an efficient C compiler for the ILE environment, using the APIs may mean quicker access to new encryption algorithms in the future.
Bob Cozzi is a programmer/consultant, writer/author, and software developer of the RPG xTools, a popular add-on subprocedure library for RPG IV. His book The Modern RPG Language has been the most widely used RPG programming book for nearly two decades. He, along with others, speaks at and runs the highly-popular RPG World conference for RPG programmers.
LATEST COMMENTS
MC Press Online