Format of the object-specific sections of the token object records

The following classes of objects can be associated with a z/OS PKCS #11 token:

The token object record for each begins with the common section described in Common section of the token and object records, followed by a section specific to the class of object. Each object-specific section begins with a 12-byte header record, followed by a variable-length section. Each 12-byte header contains a 4-byte flag field that has the same mapping for all classes of objects.

This 4-byte flag field occurs in the object header section of each token object record.

Table 1. Format of the token object flags
Offset (decimal) Field name Description
Flag byte 1
Bit 0 OBJ_IS_TOKOBJ When on, the object is a token object. When off, the object is a session object.
Bit 1 OBJ_IS_PRVOBJ When on, the object is a private object. When off, the object is a public object.
Bit 2 OBJ_IS_MODOBJ When on, the object is modifiable.
Bit 3 KEY_DERIVE When on, the key supports key derivation.
Bit 4 KEY_LOCAL When on, the key was generated locally.
Bit 5 KEY_ENCRYPT When on, the key supports encryption.
Bit 6 KEY_DECRYPT When on, the key supports decryption.
Bit 7 KEY_VERIFYA When on, the key supports verification where the signature is an appendix to the data.
Flag byte 2
Bit 0 KEY_VERIFYR When on, the key supports verification where the data is recovered from the signature.
Bit 1 KEY_SIGA When on, the key supports signatures where the signature is an appendix to the data.
Bit 2 KEY_SIGR When on, the key supports signatures where the data is recovered from the signature.
Bit 3 KEY_WRAP When on, the key supports wrapping.
Bit 4 KEY_UNWRAP When on, the key supports unwrapping.
Bit 5 KEY_EXTRACT When on, the key is extractable.
Bit 6 KEY_IS_SENSITIVE When on, the key is sensitive.
Bit 7 KEY_IS_ALWAYS_SENSITIVE When on, the SENSITIVE attribute (KEY_IS_SENSITIVE) is always true.
Flag byte 3
Bit 0 KEY_NEVER_EXTRACT When on, the EXTRACTABLE attribute (KEY_EXTRACT) is never true. When off, the EXTRACTABLE attribute (KEY_EXTRACT) can be true.
Bit 1 OBJ_IS_TRUSTED When on, the certificate can be trusted for the application for which it was created.
Bit 2 CERT_IS_DEFAULT When on, this is the default certificate.
Bit 3 FIPS140 When on, key is only to be used in a FIPS-compliant manner.
Bit 4 KEY_IS_SECURE When on, key is a secure PKCS #11 key.
Bit 5 KEY_ATTRBOUND When on, key is attribute bound.
Bit 6 WRAP_WITH_TRUSTED When on, key may only be wrapped with another key marked OBJ_IS_TRUSTED.
Bit 7 KEY_IS_ALWAYS_SECURE When on, KEY_IS_SECURE is always true.
Flag byte 4
Bits 0-7   Reserved for IBM's use
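
The following is an added example, not IBM code: it decodes the 12-byte object header and the Table 1 flag field, then reports flag combinations that contradict the Table 1 definitions. It assumes big-endian integers, IBM bit numbering (bit 0 is the most significant bit), an EBCDIC code page 037 eye catcher, and that `obj` is the object-specific section with the common section already removed; the function names and the sample record are constructed for illustration.

```python
import struct

# Table 1 names in order: flag byte 1 bits 0-7, then byte 2, then byte 3.
FLAG_NAMES = [
    "OBJ_IS_TOKOBJ", "OBJ_IS_PRVOBJ", "OBJ_IS_MODOBJ", "KEY_DERIVE",
    "KEY_LOCAL", "KEY_ENCRYPT", "KEY_DECRYPT", "KEY_VERIFYA",
    "KEY_VERIFYR", "KEY_SIGA", "KEY_SIGR", "KEY_WRAP",
    "KEY_UNWRAP", "KEY_EXTRACT", "KEY_IS_SENSITIVE", "KEY_IS_ALWAYS_SENSITIVE",
    "KEY_NEVER_EXTRACT", "OBJ_IS_TRUSTED", "CERT_IS_DEFAULT", "FIPS140",
    "KEY_IS_SECURE", "KEY_ATTRBOUND", "WRAP_WITH_TRUSTED", "KEY_IS_ALWAYS_SECURE",
]
# Eye catchers listed in Tables 2-16.
CLASSES = {"CERT", "PUBK", "PRIV", "SECK", "DOMP", "DATA"}


def decode_flags(flags: bytes) -> set:
    """Return the names of the Table 1 flags that are on."""
    if len(flags) != 4:
        raise ValueError("flag field must be 4 bytes")
    # Assumption: bit 0 of each flag byte is the most significant bit (0x80).
    return {name for i, name in enumerate(FLAG_NAMES)
            if flags[i // 8] & (0x80 >> (i % 8))}


def parse_header(obj: bytes) -> dict:
    """Parse the 12-byte object header that follows the common section."""
    if len(obj) < 12:
        raise ValueError("truncated object header")
    eye, version, length, flags = struct.unpack(">4s2sH4s", obj[:12])
    # Assumption: the eye catcher is EBCDIC (cp037), like the version field.
    eye, version = eye.decode("cp037"), version.decode("cp037")
    if eye not in CLASSES:
        raise ValueError(f"unknown eye catcher {eye!r}")
    if not version.isdigit():
        raise ValueError(f"version is not EBCDIC digits: {version!r}")
    if not 12 <= length <= len(obj):
        raise ValueError("object length field outside the supplied buffer")
    return {"class": eye, "version": version, "length": length,
            "flags": decode_flags(flags)}


def audit(hdr: dict) -> list:
    """Return findings for one parsed header."""
    f, out = hdr["flags"], []
    # Contradictions with the Table 1 definitions.
    if {"KEY_NEVER_EXTRACT", "KEY_EXTRACT"} <= f:
        out.append("KEY_EXTRACT is on although KEY_NEVER_EXTRACT is on")
    if "KEY_IS_ALWAYS_SENSITIVE" in f and "KEY_IS_SENSITIVE" not in f:
        out.append("KEY_IS_ALWAYS_SENSITIVE is on although KEY_IS_SENSITIVE is off")
    if "KEY_IS_ALWAYS_SECURE" in f and "KEY_IS_SECURE" not in f:
        out.append("KEY_IS_ALWAYS_SECURE is on although KEY_IS_SECURE is off")
    # Policy choice of this example, not a rule from the page.
    if hdr["class"] in ("PRIV", "SECK") and "KEY_EXTRACT" in f \
            and "KEY_IS_SENSITIVE" not in f:
        out.append("extractable key is not marked sensitive")
    return out


def sample_priv() -> bytes:
    """Constructed PRIV object: header plus zero padding, not real token data."""
    flags = bytes([0xC2, 0x44, 0x80, 0x00])
    hdr = ("PRIV".encode("cp037") + "00".encode("cp037")
           + struct.pack(">H", 3032) + flags)
    return hdr + bytes(3032 - 12)


if __name__ == "__main__":
    header = parse_header(sample_priv())
    print(header["class"], header["version"], sorted(header["flags"]))
    for finding in audit(header):
        print("finding:", finding)
```
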
Table 2. Format of the token certificate object

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for certificate object: "CERT"
4 2 Version: EBCDIC '00'
6 2 Length of the object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 TYPE attribute: X'00000000': CKC_X_509
16 4 Certificate category: 0 = Undefined, 1 = Token user, 2 = Certificate authority, 3 = Other entity
20 8 Reserved for IBM's use
28 32 Reserved for IBM's use
60 2 Length of SUBJECT attribute in bytes (aa)
62 2 Length of ID attribute in bytes (bb)
64 2 Length of ISSUER attribute in bytes (cc)
66 2 Length of SERIAL_NUMBER attribute in bytes (dd)
68 2 Length of VALUE attribute in bytes (ee)
70 2 Length of LABEL attribute in bytes (ff)
72 2 Length of APPLICATION attribute in bytes (gg)
74 22 Reserved for IBM's use
96 4 Offset of SUBJECT attribute in bytes
100 4 Offset of ID attribute in bytes
104 4 Offset of ISSUER attribute in bytes
108 4 Offset of SERIAL_NUMBER attribute in bytes
112 4 Offset of VALUE attribute in bytes
116 4 Offset of LABEL attribute in bytes
120 4 Offset of APPLICATION attribute in bytes
124 44 Reserved for IBM's use
168 aa + bb + cc + dd + ee + ff + gg Certificate attributes (variable length)
168 + aa + bb + cc + dd + ee + ff + gg End of certificate object
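
The following is an added example, not IBM code: it reads the length and offset fields of the certificate object in Table 2 and rejects records whose attribute lengths do not add up to the object length or whose attributes fall outside the variable-length area. It assumes big-endian integers and that attribute offsets are counted from the start of the object header (the same base as the table offsets); the function names and the sample record are constructed for illustration.

```python
import struct

CERT_ATTRS = ["SUBJECT", "ID", "ISSUER", "SERIAL_NUMBER",
              "VALUE", "LABEL", "APPLICATION"]
LEN_BASE = 60      # seven 2-byte length fields (Table 2, offsets 60-72)
OFF_BASE = 96      # seven 4-byte offset fields (Table 2, offsets 96-120)
ATTR_START = 168   # start of the variable-length attribute area


def cert_attributes(obj: bytes) -> dict:
    """Return the raw attribute bytes of a CERT object after bounds checks."""
    if len(obj) < ATTR_START:
        raise ValueError("truncated certificate object")
    if obj[:4] != "CERT".encode("cp037"):  # assumption: EBCDIC eye catcher
        raise ValueError("not a certificate object")
    (obj_len,) = struct.unpack_from(">H", obj, 6)
    lengths = struct.unpack_from(">7H", obj, LEN_BASE)
    offsets = struct.unpack_from(">7I", obj, OFF_BASE)
    if obj_len > len(obj):
        raise ValueError("object length exceeds the supplied buffer")
    # Table 2: the object ends at 168 + aa + bb + cc + dd + ee + ff + gg.
    if ATTR_START + sum(lengths) != obj_len:
        raise ValueError("attribute lengths do not match the object length")
    attrs, spans = {}, []
    for name, off, length in zip(CERT_ATTRS, offsets, lengths):
        if length == 0:
            attrs[name] = b""
            continue
        # Assumption: offsets are relative to the start of the object header.
        if off < ATTR_START or off + length > obj_len:
            raise ValueError(f"{name} lies outside the attribute area")
        spans.append((off, off + length, name))
        attrs[name] = obj[off:off + length]
    spans.sort()
    for (_, end, first), (start, _, second) in zip(spans, spans[1:]):
        if start < end:
            raise ValueError(f"{first} and {second} overlap")
    return attrs


def build_sample(values: dict) -> bytes:
    """Build a constructed CERT object for testing (not real token data)."""
    fixed = bytearray(ATTR_START)
    fixed[0:4] = "CERT".encode("cp037")
    fixed[4:6] = "00".encode("cp037")
    body, pos = b"", ATTR_START
    for i, name in enumerate(CERT_ATTRS):
        value = values.get(name, b"")
        struct.pack_into(">H", fixed, LEN_BASE + 2 * i, len(value))
        struct.pack_into(">I", fixed, OFF_BASE + 4 * i, pos if value else 0)
        body += value
        pos += len(value)
    struct.pack_into(">H", fixed, 6, pos)
    return bytes(fixed) + body


if __name__ == "__main__":
    record = build_sample({"SUBJECT": b"CN=a", "LABEL": b"web",
                           "VALUE": b"\x30\x03\x02\x01\x01"})
    print(cert_attributes(record))
    tampered = bytearray(record)
    struct.pack_into(">I", tampered, OFF_BASE + 4 * 5, 12)  # LABEL -> header
    try:
        cert_attributes(bytes(tampered))
    except ValueError as err:
        print("rejected:", err)
```
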
Table 3. Format of the token public key object (Version 0)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for public key object: "PUBK"
4 2 Version: EBCDIC '00'
6 2 Length of the object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 TYPE attribute: CKK_RSA
16 8 Start date for the key, in the format yyyymmdd
24 8 End date for the key, in the format yyyymmdd
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 36 Reserved
72 4 Length in bits of modulus n
76 256 Modulus n
332 256 Reserved
588 256 Public exponent e
844 256 Reserved
1100 2 Length of SUBJECT attribute in bytes (aa)
1102 2 Length of ID attribute in bytes (bb)
1104 2 Length of LABEL attribute in bytes (cc)
1106 2 Length of APPLICATION attribute in bytes (dd)
1108 20 Reserved
1128 4 Offset of SUBJECT attribute in bytes
1132 4 Offset of ID attribute in bytes
1136 4 Offset of LABEL attribute in bytes
1140 4 Offset of APPLICATION attribute in bytes
1144 40 Reserved
1184 aa+bb+cc+dd Public key attributes (variable length)
1184+aa+bb+cc+dd End of public key object
Table 4. Format of the token public key object (Version 1)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for public key object: "PUBK"
4 2 Version: EBCDIC '01'
6 2 Length of the object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 TYPE attribute: CKK_RSA, CKK_DSA, CKK_EC, or CKK_DH
16 8 Start date for the key, in the format yyyymmdd
24 8 End date for the key, in the format yyyymmdd
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 36 Reserved
Algorithm-specific section (RSA)
72 4 Length in bits of modulus n
76 512 Modulus n
588 512 Public exponent e
Algorithm-specific section (DSA)
72 4 Length in bits of prime p
76 128 Reserved
204 128 Prime p
332 128 Reserved
460 128 Base g
588 128 Reserved
716 128 Value y
844 20 Reserved
864 20 Subprime q
884 216 Reserved
Algorithm-specific section (DH)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 256 Value y
844 256 Reserved
Algorithm-specific section (EC)
72 4 EC params curve constant –

x'00000001' secp192r1
     - { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
     - { 1 3 132 0 33 }
x'00000003' secp256r1
     - { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
     - { 1 3 132 0 34 }
x'00000005' secp521r1
     - { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
     - { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
     - { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
     - { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
     - { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
     - { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
     - { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
     - { 1 3 36 3 3 2 8 1 1 13 }

76 128 Reserved
204 136 EC point Q (DER encoded)
340 760 Reserved
Variable length attribute section
1100 2 Length of SUBJECT attribute in bytes (aa)
1102 2 Length of ID attribute in bytes (bb)
1104 2 Length of LABEL attribute in bytes (cc)
1106 2 Length of APPLICATION attribute in bytes (dd)
1108 20 Reserved
1128 4 Offset of SUBJECT attribute in bytes
1132 4 Offset of ID attribute in bytes
1136 4 Offset of LABEL attribute in bytes
1140 4 Offset of APPLICATION attribute in bytes
1144 40 Reserved
1184 aa+bb+cc+dd Public key attributes (variable length)
1184+aa+bb+cc+dd End of public key object
Table 5. Format of the token public key object (Version 2)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for public key object: "PUBK"
4 2 Version: EBCDIC '02'
6 2 Length of the object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 TYPE attribute: CKK_RSA, CKK_DSA, CKK_EC, or CKK_DH
16 8 Start date for the key, in the format yyyymmdd
24 8 End date for the key, in the format yyyymmdd
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 36 Reserved
Algorithm-specific section (RSA)
72 4 Length in bits of modulus n
76 512 Modulus n
588 512 Public exponent e
Algorithm-specific section (DSA)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 256 Value y
844 8 Reserved
852 32 Subprime q
884 216 Reserved
Algorithm-specific section (DH)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 256 Value y
844 256 Reserved
Algorithm-specific section (EC)
72 4 EC params curve constant –

x'00000001' secp192r1
     - { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
     - { 1 3 132 0 33 }
x'00000003' secp256r1
     - { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
     - { 1 3 132 0 34 }
x'00000005' secp521r1
     - { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
     - { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
     - { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
     - { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
     - { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
     - { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
     - { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
     - { 1 3 36 3 3 2 8 1 1 13 }

76 128 Reserved
204 136 EC point Q (DER encoded)
340 760 Reserved
Variable length attribute section
1100 2 Length of SUBJECT attribute in bytes (aa)
1102 2 Length of ID attribute in bytes (bb)
1104 2 Length of LABEL attribute in bytes (cc)
1106 2 Length of APPLICATION attribute in bytes (dd)
1108 20 Reserved
1128 4 Offset of SUBJECT attribute in bytes
1132 4 Offset of ID attribute in bytes
1136 4 Offset of LABEL attribute in bytes
1140 4 Offset of APPLICATION attribute in bytes
1144 40 Reserved
1184 aa+bb+cc+dd Public key attributes (variable length)
1184+aa+bb+cc+dd End of public key object
Table 6. Format of the token public key object (Version 3)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for public key object: "PUBK"
4 2 Version: EBCDIC '03'
6 2 Length of the object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 TYPE attribute: CKK_RSA, CKK_DSA, CKK_EC, or CKK_DH
16 8 Start date for the key, in the format yyyymmdd
24 8 End date for the key, in the format yyyymmdd
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 2 Reserved
38 2 Length of secure key material in bytes (ee)
40 4 Offset to secure key material in bytes
44 28 Reserved
Algorithm-specific section (RSA)
72 4 Length in bits of modulus n
76 512 Modulus n
588 512 Public exponent e
Algorithm-specific section (DSA)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 256 Value y
844 8 Reserved
852 32 Subprime q
884 216 Reserved
Algorithm-specific section (DH)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 256 Value y
844 256 Reserved
Algorithm-specific section (EC)
72 4 EC params curve constant –

x'00000001' secp192r1
     - { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
     - { 1 3 132 0 33 }
x'00000003' secp256r1
     - { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
     - { 1 3 132 0 34 }
x'00000005' secp521r1
     - { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
     - { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
     - { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
     - { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
     - { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
     - { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
     - { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
     - { 1 3 36 3 3 2 8 1 1 13 }

76 128 Reserved
204 136 EC point Q (DER encoded)
340 760 Reserved
Variable length attribute section
1100 2 Length of SUBJECT attribute in bytes (aa)
1102 2 Length of ID attribute in bytes (bb)
1104 2 Length of LABEL attribute in bytes (cc)
1106 2 Length of APPLICATION attribute in bytes (dd)
1108 20 Reserved
1128 4 Offset of SUBJECT attribute in bytes
1132 4 Offset of ID attribute in bytes
1136 4 Offset of LABEL attribute in bytes
1140 4 Offset of APPLICATION attribute in bytes
1144 40 Reserved
1184 aa+bb+cc+dd+ee Public key attributes (variable length)
1184+aa+bb+cc+dd+ee End of public key object
Table 7. Format of the token private key object (Version 0)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for private key object: "PRIV"
4 2 Version: EBCDIC '00'
6 2 Length of object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 Type attribute: CKK_RSA
16 8 Start date for the key (in the format yyyymmdd)
24 8 End date for the key (in the format yyyymmdd)
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 36 Reserved
72 4 Length in bits of modulus n
76 256 Modulus: modulus n
332 256 Reserved
588 256 Public exponent e
844 256 Reserved
1100 32 Reserved
1132 256 Private exponent d
1388 256 Reserved
1644 136 Prime p
1780 128 Reserved
1908 128 Prime q
2036 128 Reserved
2172 136 Private exponent d modulo p-1
2300 128 Reserved
2428 128 Private exponent d modulo q-1
2556 128 Reserved
2684 136 CRT coefficient q^-1 mod p
2820 128 Reserved
2948 2 Length of SUBJECT attribute in bytes (xx)
2950 2 Length of ID attribute in bytes (yy)
2952 2 Length of LABEL attribute in bytes (zz)
2954 2 Length of APPLICATION attribute in bytes (ww)
2956 20 Reserved
2976 4 Offset of SUBJECT attribute in bytes
2980 4 Offset of ID attribute in bytes
2984 4 Offset of LABEL attribute in bytes
2988 4 Offset of APPLICATION attribute in bytes
2992 40 Reserved
3032 xx+yy+zz+ww Private key attributes (variable length)
3032+xx+yy+zz+ww End of private key object
Table 8. Format of the token private key object (Version 1)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for private key object: "PRIV"
4 2 Version: EBCDIC '01'
6 2 Length of object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 Type attribute: CKK_RSA, CKK_DSA, CKK_EC, or CKK_DH
16 8 Start date for the key (in the format yyyymmdd)
24 8 End date for the key (in the format yyyymmdd)
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 36 Reserved
Algorithm-specific section (RSA)
72 4 Length in bits of modulus n
76 512 Modulus: modulus n
588 512 Public exponent e
1100 32 Reserved
1132 512 Private exponent d
1644 264 Prime p
1908 256 Prime q
2164 264 Private exponent d modulo p-1
2428 256 Private exponent d modulo q-1
2684 264 CRT coefficient q^-1 mod p
Algorithm-specific section (DSA)
72 4 Length in bits of prime p
76 128 Reserved
204 128 Prime p
332 128 Reserved
460 128 Base g
588 236 Reserved
824 20 Value x
844 20 Reserved
864 20 Subprime q
884 2064 Reserved
Algorithm-specific section (DH)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 236 Reserved
824 20 Value x
844 2104 Reserved
Algorithm-specific section (EC)
72 4 EC params curve constant –

x'00000001' secp192r1
     - { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
     - { 1 3 132 0 33 }
x'00000003' secp256r1
     - { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
     - { 1 3 132 0 34 }
x'00000005' secp521r1
     - { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
     - { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
     - { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
     - { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
     - { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
     - { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
     - { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
     - { 1 3 36 3 3 2 8 1 1 13 }

76 64 Reserved
140 66 Value d
206 2742 Reserved
Variable length attribute section
2948 2 Length of SUBJECT attribute in bytes (xx)
2950 2 Length of ID attribute in bytes (yy)
2952 2 Length of LABEL attribute in bytes (zz)
2954 2 Length of APPLICATION attribute in bytes (ww)
2956 20 Reserved
2976 4 Offset of SUBJECT attribute in bytes
2980 4 Offset of ID attribute in bytes
2984 4 Offset of LABEL attribute in bytes
2988 4 Offset of APPLICATION attribute in bytes
2992 40 Reserved
3032 xx+yy+zz+ww Private key attributes (variable length)
3032+xx+yy+zz+ww End of private key object
Table 9. Format of the token private key object (Version 2)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for private key object: "PRIV"
4 2 Version: EBCDIC '02'
6 2 Length of object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 Type attribute: CKK_RSA, CKK_DSA, CKK_EC, or CKK_DH
16 8 Start date for the key (in the format yyyymmdd)
24 8 End date for the key (in the format yyyymmdd)
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 36 Reserved
Algorithm-specific section (RSA)
72 4 Length in bits of modulus n
76 512 Modulus: modulus n
588 512 Public exponent e
1100 32 Reserved
1132 512 Private exponent d
1644 264 Prime p
1908 256 Prime q
2164 264 Private exponent d modulo p-1
2428 256 Private exponent d modulo q-1
2684 264 CRT coefficient q^-1 mod p
Algorithm-specific section (DSA)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 224 Reserved
812 32 Value x
844 8 Reserved
852 32 Subprime q
884 2064 Reserved
Algorithm-specific section (DH)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 256 Value x
844 4 Length in bits of value x
848 2100 Reserved
Algorithm-specific section (EC)
72 4 EC params curve constant –

x'00000001' secp192r1
     - { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
     - { 1 3 132 0 33 }
x'00000003' secp256r1
     - { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
     - { 1 3 132 0 34 }
x'00000005' secp521r1
     - { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
     - { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
     - { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
     - { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
     - { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
     - { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
     - { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
     - { 1 3 36 3 3 2 8 1 1 13 }

76 64 Reserved
140 66 Value d
206 2742 Reserved
Variable length attribute section
2948 2 Length of SUBJECT attribute in bytes (xx)
2950 2 Length of ID attribute in bytes (yy)
2952 2 Length of LABEL attribute in bytes (zz)
2954 2 Length of APPLICATION attribute in bytes (ww)
2956 20 Reserved
2976 4 Offset of SUBJECT attribute in bytes
2980 4 Offset of ID attribute in bytes
2984 4 Offset of LABEL attribute in bytes
2988 4 Offset of APPLICATION attribute in bytes
2992 40 Reserved
3032 xx+yy+zz+ww Private key attributes (variable length)
3032+xx+yy+zz+ww+ee End of private key object
Table 10. Format of the token private key object (Version 3)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for private key object: "PRIV"
4 2 Version: EBCDIC '03'
6 2 Length of object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 Type attribute: CKK_RSA, CKK_DSA, CKK_EC, or CKK_DH
16 8 Start date for the key (in the format yyyymmdd)
24 8 End date for the key (in the format yyyymmdd)
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 2 Reserved
38 2 Length of secure key material (ee)
40 4 Offset to secure key material in bytes
44 28 Reserved
Algorithm-specific section (RSA)
72 4 Length in bits of modulus n
76 512 Modulus: modulus n
588 512 Public exponent e
1100 32 Reserved
1132 512 Private exponent d
1644 264 Prime p
1908 256 Prime q
2164 264 Private exponent d modulo p-1
2428 256 Private exponent d modulo q-1
2684 264 CRT coefficient q^-1 mod p
Algorithm-specific section (DSA)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 224 Reserved
812 32 Value x
844 8 Reserved
852 32 Subprime q
884 2064 Reserved
Algorithm-specific section (DH)
72 4 Length in bits of prime p
76 256 Prime p
332 256 Base g
588 256 Value x
844 4 Length in bits of value x
848 2100 Reserved
Algorithm-specific section (EC)
72 4 EC params curve constant –

x'00000001' secp192r1
     - { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
     - { 1 3 132 0 33 }
x'00000003' secp256r1
     - { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
     - { 1 3 132 0 34 }
x'00000005' secp521r1
     - { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
     - { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
     - { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
     - { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
     - { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
     - { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
     - { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
     - { 1 3 36 3 3 2 8 1 1 13 }

76 64 Reserved
140 66 Value d
206 2742 Reserved
Variable length attribute section
2948 2 Length of SUBJECT attribute in bytes (xx)
2950 2 Length of ID attribute in bytes (yy)
2952 2 Length of LABEL attribute in bytes (zz)
2954 2 Length of APPLICATION attribute in bytes (ww)
2956 20 Reserved
2976 4 Offset of SUBJECT attribute in bytes
2980 4 Offset of ID attribute in bytes
2984 4 Offset of LABEL attribute in bytes
2988 4 Offset of APPLICATION attribute in bytes
2992 40 Reserved
3032 xx+yy+zz+ww+ee Private key attributes (variable length)
3032+xx+yy+zz+ww+ee End of private key object
Table 11. Format of the token secret key object (Version 0)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for secret key object: "SECK"
4 2 Version: EBCDIC '00'
6 2 Length of the object in bytes
8 4 Flags (see Table 1)
Object type-specific section
12 4 Type of key: CKK_DES, CKK_DES2, CKK_DES3, CKK_AES
16 8 Start date for the key (in the format yyyymmdd)
24 8 End date for the key (in the format yyyymmdd)
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 2 Length of the key in bytes
38 32 Reserved
70 64 VALUE: value of the key
134 538 Reserved
672 4 Usage counter field
676 2 Reserved
678 2 Length of LABEL attribute in bytes (xx)
680 2 Length of APPLICATION attribute in bytes (yy)
682 2 Length of the ID attribute in bytes (zz)
684 20 Reserved
704 4 Offset of LABEL attribute in bytes
708 4 Offset of APPLICATION attribute in bytes
712 4 Offset of the ID attribute in bytes
716 40 Reserved
756 xx+yy+zz Secret key attributes (variable length)
756+xx+yy+zz End of secret key object
Table 12. Format of the token secret key object (Version 1)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for secret key object: "SECK"
4 2 Version: EBCDIC '01'
6 2 Length of the object in bytes
8 4 Flags (see Table 1)
Object type-specific section
12 4 Type of key: CKK_DES, CKK_DES2, CKK_DES3, CKK_BLOWFISH, CKK_RC4, CKK_GENERIC_SECRET, and CKK_AES.
16 8 Start date for the key (in the format yyyymmdd)
24 8 End date for the key (in the format yyyymmdd)
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 2 Length of the key in bytes
38 32 Reserved
70 256 VALUE: value of the key
326 346 Reserved
672 4 Usage counter field
676 2 Reserved
678 2 Length of LABEL attribute in bytes (xx)
680 2 Length of APPLICATION attribute in bytes (yy)
682 2 Length of the ID attribute in bytes (zz)
684 20 Reserved
704 4 Offset of LABEL attribute in bytes
708 4 Offset of APPLICATION attribute in bytes
712 4 Offset of the ID attribute in bytes
716 40 Reserved
756 xx+yy+zz Secret key attributes (variable length)
756+xx+yy+zz End of secret key object
Table 13. Format of the token secret key object (Version 3)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for secret key object: "SECK"
4 2 Version: EBCDIC '03'
6 2 Length of the object in bytes
8 4 Flags (see Table 1)
Object type-specific section
12 4 Type of key: CKK_DES, CKK_DES2, CKK_DES3, CKK_BLOWFISH, CKK_RC4, CKK_GENERIC_SECRET, and CKK_AES.
16 8 Start date for the key (in the format yyyymmdd)
24 8 End date for the key (in the format yyyymmdd)
32 4 Key generate mechanism: CK_UNAVAILABLE_INFORMATION
36 2 Length of the key in bytes
38 2 Length of secure key material (ee)
40 4 Offset to secure key material in bytes
44 26 Reserved
70 256 VALUE: value of the key
326 346 Reserved
672 4 Usage counter field
676 2 Reserved
678 2 Length of LABEL attribute in bytes (xx)
680 2 Length of APPLICATION attribute in bytes (yy)
682 2 Length of the ID attribute in bytes (zz)
684 20 Reserved
704 4 Offset of LABEL attribute in bytes
708 4 Offset of APPLICATION attribute in bytes
712 4 Offset of the ID attribute in bytes
716 40 Reserved
756 xx+yy+zz+ee Secret key attributes (variable length)
756+xx+yy+zz+ee End of secret key object
Table 14. Format of the token domain parameters object (Version 1)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for token domain object: "DOMP"
4 2 Version: EBCDIC '01'
6 2 Length of the object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 TYPE attribute: CKK_DSA or CKK_DH
16 28 Reserved
Algorithm-specific section (DSA)
44 4 Length in bits of prime p
48 128 Reserved
176 128 Prime p
304 128 Reserved
432 128 Base g
560 20 Reserved
580 20 Subprime q
600 636 Reserved
Algorithm-specific section (DH)
44 4 Length in bits of prime p
48 4 Reserved
52 256 Prime p
308 256 Reserved
564 256 Base g
820 416 Reserved
Variable length attribute section
1236 2 Length of LABEL attribute in bytes (aa)
1238 2 Length of APPLICATION attribute in bytes (bb)
1240 20 Reserved
1260 4 Offset of LABEL attribute in bytes
1264 4 Offset of APPLICATION attribute in bytes
1268 40 Reserved
1308 aa+bb Domain parameters attributes (variable length)
1308+aa+bb End of domain parameters object
Table 15. Format of the token domain parameters object (Version 2)

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for token domain object: "DOMP"
4 2 Version: EBCDIC '02'
6 2 Length of the object (in bytes)
8 4 Flags (see Table 1)
Object type-specific section
12 4 TYPE attribute: CKK_DSA or CKK_DH
16 28 Reserved
Algorithm-specific section (DSA)
44 4 Length in bits of prime p
48 256 Prime p
304 256 Base g
560 8 Reserved
568 32 Subprime q
600 636 Reserved
Algorithm-specific section (DH)
44 4 Length in bits of prime p
48 4 Reserved
52 256 Prime p
308 256 Reserved
564 256 Base g
820 416 Reserved
Variable length attribute section
1236 2 Length of LABEL attribute in bytes (aa)
1238 2 Length of APPLICATION attribute in bytes (bb)
1240 20 Reserved
1260 4 Offset of LABEL attribute in bytes
1264 4 Offset of APPLICATION attribute in bytes
1268 40 Reserved
1308 aa+bb Domain parameters attributes (variable length)
1308+aa+bb End of domain parameters object
Table 16. Format of the token data object

Offset (decimal, 188 +) Length of field (bytes) Description
Object header
0 4 Eye catcher for data object: "DATA"
4 2 Version: EBCDIC '00'
6 2 Length of object, in bytes
8 4 Flags (see Table 1)
Object type-specific section
12 4 Reserved for IBM's use
16 28 Reserved for IBM's use
44 2 Length of VALUE attribute in bytes (aa)
46 2 Length of OBJECT_ID attribute in bytes (bb)
48 2 Length of LABEL attribute in bytes (cc)
50 2 Length of APPLICATION attribute in bytes (dd)
52 2 Length of ID attribute in bytes (ee)
54 22 Reserved for IBM's use
76 4 Offset of VALUE attribute in bytes
80 4 Offset of OBJECT_ID attribute in bytes
84 4 Offset of LABEL attribute in bytes
88 4 Offset of APPLICATION attribute in bytes
92 4 Offset of ID attribute in bytes
96 44 Reserved for IBM's use
140 aa + bb + cc + dd + ee Data attributes (variable length)
140 + aa + bb + cc + dd + ee End of data object