Trusted block organization
A trusted block is a concatenation of a header followed by an unordered set of sections.
| Section | Reference | Usage |
|---|---|---|
| Header | Table 1 | Trusted block token header |
| X'11' | Table 1 | Trusted block public key |
| X'12' | Table 1 | Trusted block rule |
| X'13' | Table 1 | Trusted block name (key label) |
| X'14' | Table 1 | Trusted block information |
| X'15' | Table 1 | Trusted block application-defined data |
The header is one of the following:
- An external header (first byte X'1E'), created by the Trusted Block Create verb
- An internal header (first byte X'1F'), created when the PKA Key Import verb imports an active external trusted block
- An optional public-key section (trusted block section identifier X'11')
The public-key section holds the trusted RSA public key itself together with a key-usage flag. At most one public-key section is allowed.
- An optional rule section (trusted block section identifier X'12')
A trusted block can have zero or more rule sections.
- A trusted block with no rule sections can be used by the PKA Key Token Change and PKA Key Import verbs. A trusted block with no rule sections can also be used by the Digital Signature Verify verb, provided there is an RSA public key section that has its key-usage flag bits set to allow digital signature operations.
- At least one rule section is required when the Remote Key Export verb is used to:
- Generate an RKX key-token
- Export an RKX key-token
- Export a CCA DES key-token
- Encrypt the clear generated or exported key using the provided vendor certificate
- If a trusted block has multiple rule sections, each rule section must have a unique 8-character Rule ID.
- An optional name (key label) section (trusted block section identifier X'13')
The trusted block name section provides a 64-byte name (key label) that identifies the trusted block, just as key labels identify other CCA keys. A host access-control system such as RACF® can use this name to verify that the application has authority to use the trusted block. At most one name section is allowed.
- A required information section (trusted block section identifier X'14')
The trusted block information section contains control and security information related to the trusted block. It is the only required section; all others are optional. This section carries the cryptographic information that guarantees the trusted block's integrity and binds it to the local system. At most one information section is allowed.
- An optional application-defined data section (trusted block section identifier X'15')
The trusted block application-defined data section can be used to include application-defined data in the trusted block. The meaning of the data in this section is defined by the application; CCA does not examine or use it in any way. At most one application-defined data section is allowed.
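The structural rules above (one header byte of X'1E' or X'1F', exactly one X'14' section, at most one X'11', X'13' and X'15' section, any number of X'12' sections each with a distinct 8-character Rule ID, and at least one rule section before Remote Key Export will accept the block) are easy to get wrong when assembling or inspecting a token. The following validator is an added example, not IBM CCA code. The page does not give the byte-level layout, so the example assumes one for illustration: every section, including the header, starts with a 4-byte prefix of identifier, version and big-endian total length, the header's length field covers the whole token, and a rule section's Rule ID occupies the first 8 bytes of its body. The sample tokens are constructed placeholders, not real key material.

```python
import struct

# Header first bytes and section identifiers as given on this page.
EXTERNAL_HEADER, INTERNAL_HEADER = 0x1E, 0x1F
SEC_PUBLIC_KEY, SEC_RULE, SEC_NAME, SEC_INFO, SEC_APPDATA = 0x11, 0x12, 0x13, 0x14, 0x15
KNOWN_SECTIONS = {SEC_PUBLIC_KEY, SEC_RULE, SEC_NAME, SEC_INFO, SEC_APPDATA}
SINGLETON_SECTIONS = KNOWN_SECTIONS - {SEC_RULE}   # every type except rules: at most one
RULE_ID_LEN = 8

# ASSUMPTION (not stated on this page): each section and the header begin with a
# 4-byte prefix (identifier, version, big-endian total length); the header's length
# covers the whole token; a rule section's Rule ID is the first 8 bytes of its body.

def build_section(sid, body, version=0):
    return struct.pack(">BBH", sid, version, 4 + len(body)) + body

def build_token(header_id, sections, version=0):
    body = b"".join(sections)
    return struct.pack(">BBH", header_id, version, 4 + len(body)) + body

def parse_token(token):
    """Split a token into (header_id, [(section_id, body), ...]); raise ValueError if malformed."""
    if len(token) < 4:
        raise ValueError("token too short for a header")
    hdr_id, _ver, hdr_len = struct.unpack(">BBH", token[:4])
    if hdr_id not in (EXTERNAL_HEADER, INTERNAL_HEADER):
        raise ValueError(f"not a trusted block header: {hdr_id:#04x}")
    if hdr_len != len(token):
        raise ValueError("header length does not match token length")
    sections, off = [], 4
    while off < len(token):
        if off + 4 > len(token):
            raise ValueError("truncated section prefix")
        sid, _ver, slen = struct.unpack(">BBH", token[off:off + 4])
        if slen < 4 or off + slen > len(token):
            raise ValueError(f"bad length {slen} for section {sid:#04x}")
        sections.append((sid, token[off + 4:off + slen]))
        off += slen
    return hdr_id, sections

def check_structure(token):
    """Return a list of rule violations; an empty list means the layout is acceptable."""
    try:
        _, sections = parse_token(token)
    except ValueError as exc:
        return [str(exc)]
    problems, counts, rule_ids = [], {}, []
    for sid, body in sections:
        if sid not in KNOWN_SECTIONS:
            problems.append(f"unknown section identifier {sid:#04x}")
            continue
        counts[sid] = counts.get(sid, 0) + 1
        if sid == SEC_RULE:
            if len(body) < RULE_ID_LEN:
                problems.append("rule section too short to hold an 8-character Rule ID")
            else:
                rule_ids.append(body[:RULE_ID_LEN])
    for sid in sorted(SINGLETON_SECTIONS):
        if counts.get(sid, 0) > 1:
            problems.append(f"section {sid:#04x} appears {counts[sid]} times; at most one allowed")
    if SEC_INFO not in counts:
        problems.append("required information section X'14' is missing")
    for rid in sorted({r for r in rule_ids if rule_ids.count(r) > 1}):
        problems.append(f"duplicate Rule ID {rid!r}")
    return problems

def usable_for_remote_key_export(token):
    """Remote Key Export needs a well-formed block with at least one rule section."""
    if check_structure(token):
        return False
    return any(sid == SEC_RULE for sid, _ in parse_token(token)[1])

def header_kind(token):
    return {EXTERNAL_HEADER: "external", INTERNAL_HEADER: "internal"}.get(token[0], "unknown")

# Constructed sample tokens (placeholder bodies, not real CCA key material).
INFO = build_section(SEC_INFO, b"\x00" * 16)
NAME = build_section(SEC_NAME, b"TB.SAMPLE".ljust(64))
RULE_A = build_section(SEC_RULE, b"RULE0001" + b"\x00" * 8)
RULE_B = build_section(SEC_RULE, b"RULE0002" + b"\x00" * 8)
GOOD = build_token(EXTERNAL_HEADER, [INFO, NAME, RULE_A, RULE_B])
NO_RULES = build_token(EXTERNAL_HEADER, [INFO, NAME])
DUP_RULE = build_token(EXTERNAL_HEADER, [INFO, RULE_A, RULE_A])
NO_INFO = build_token(INTERNAL_HEADER, [NAME, RULE_A])
TWO_NAMES = build_token(INTERNAL_HEADER, [INFO, NAME, NAME])

if __name__ == "__main__":
    for label, tok in [("GOOD", GOOD), ("NO_RULES", NO_RULES), ("DUP_RULE", DUP_RULE),
                       ("NO_INFO", NO_INFO), ("TWO_NAMES", TWO_NAMES)]:
        print(label, header_kind(tok), check_structure(tok) or "ok",
              "RKX-usable" if usable_for_remote_key_export(tok) else "not RKX-usable")
```

The check deliberately stops at structure: it does not verify the information section's integrity values or the public key's usage flag, because the page does not describe their encoding, and a block that passes here still has to be accepted by the CCA verb that consumes it.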