Trusted block section X'12'
Trusted block section X'12' contains information that defines a rule.
A trusted block can have zero or more rule sections.
- A trusted block with no rule sections can be used by the PKA Key Token Change and PKA Key Import verbs. It can also be used by the Digital Signature Verify verb, provided the block contains an RSA public key section whose key-usage flag is set to allow digital signature operations.
- At least one rule section is required when the Remote Key Export verb is used to:
  - Generate an RKX key-token
  - Export an RKX key-token
  - Export a CCA DES key-token
  - Generate or export a key encrypted by a public key. The public key is contained in a vendor certificate and is the root certification key for the ATM vendor. It is used to verify the digital signature on public-key certificates for specific individual ATMs.
- If a trusted block has multiple rule sections, each rule section must have a unique 8-character Rule ID.
Five subsections (TLV objects) are defined.
| Offset (bytes) | Length (bytes) | Description |
|---|---|---|
| 000 | 001 | Section identifier: X'12'. |
| 001 | 001 | Section version number (X'00'). |
| 002 | 002 | Section length in bytes (20 + yyy). |
| 004 | 008 | Rule ID (in ASCII). An 8-byte character string that uniquely identifies the rule within the trusted block. Valid ASCII characters are: A - Z, a - z, 0 - 9, - (hyphen), and _ (underscore), left-aligned and padded on the right with space characters. |
| 012 | 004 | Flags (undefined flag bits are reserved and must be zero). |
| 016 | 001 | Generated key length. Length in bytes of the key to be generated when the flags value (offset 012) is set to generate a new key; otherwise this value is ignored. Valid values are 8, 16, or 24; return an error if not valid. |
| 017 | 001 | Key-check algorithm identifier (all other values are reserved and must not be used). |
| 018 | 001 | Symmetric encrypted output key format flag (all other values are reserved and must not be used). Return the indicated symmetric key-token using the sym_encrypted_key_identifier parameter. |
| 019 | 001 | Asymmetric encrypted output key format flag (all other values are reserved and must not be used). Return the indicated asymmetric key-token in the asym_encrypted_key variable. |
| 020 | yyy | Rule section subsections (tag-length-value objects). A series of zero to five objects in TLV format. |
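The layout above is easiest to check by writing it down as a parser. The following Python is an added example, not IBM's CCA code: it decodes the fixed 20-byte rule section header, enforces the constraints the table states (identifier X'12', version X'00', length field equal to 20 + yyy, Rule ID character set and right-padding, generated key length in {8, 16, 24}), splits the trailing bytes into at most five TLV objects, and checks Rule ID uniqueness across several sections. Two things are assumptions because the page does not state them: multi-byte fields are treated as big-endian, and each subsection is assumed to carry a 1-byte tag, 1-byte version and 2-byte total length in the same shape as the section header (the five real subsection layouts are not described here). The `generate_flag_mask` parameter and the `build_rule_section` encoder are hypothetical helpers used only to construct test input.

```python
"""Parse and validate a CCA trusted block rule section (section X'12').

Added illustration, not IBM code. Assumptions (not on the page):
  * multi-byte integers are big-endian;
  * each TLV subsection is laid out as tag(1) version(1) length(2, total) value,
    mirroring the section header.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RULE_SECTION_ID = 0x12          # section identifier from the table
RULE_SECTION_VERSION = 0x00     # section version number
RULE_HEADER_LEN = 20            # fixed part; section length = 20 + yyy
VALID_KEY_LENGTHS = {8, 16, 24}
MAX_SUBSECTIONS = 5             # "zero to five objects in TLV format"
RULE_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")

Subsection = Tuple[int, int, bytes]  # (tag, version, value) - assumed layout


@dataclass
class RuleSection:
    rule_id: str
    flags: int
    generated_key_length: int
    key_check_algorithm: int
    sym_output_format: int
    asym_output_format: int
    subsections: List[Subsection] = field(default_factory=list)


def parse_rule_id(raw: bytes) -> str:
    """Decode the 8-byte Rule ID: allowed charset, left-aligned, space-padded on the right."""
    if len(raw) != 8:
        raise ValueError("Rule ID field must be exactly 8 bytes")
    text = raw.decode("ascii")          # non-ASCII bytes raise UnicodeDecodeError
    ident = text.rstrip(" ")
    # After stripping trailing pad, any remaining space (or other char) is illegal.
    if not ident or not RULE_ID_RE.match(ident):
        raise ValueError(f"invalid Rule ID {text!r}")
    return ident


def split_subsections(buf: bytes) -> List[Subsection]:
    """Split the yyy trailing bytes into TLV objects (assumed tag/version/len16 layout)."""
    out: List[Subsection] = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated subsection header")
        tag, ver = buf[pos], buf[pos + 1]
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if length < 4 or pos + length > len(buf):
            raise ValueError(f"bad subsection length {length} at offset {pos}")
        out.append((tag, ver, bytes(buf[pos + 4:pos + length])))
        pos += length
    if len(out) > MAX_SUBSECTIONS:
        raise ValueError(f"{len(out)} subsections exceeds the maximum of {MAX_SUBSECTIONS}")
    return out


def parse_rule_section(data: bytes, generate_flag_mask: Optional[int] = None) -> RuleSection:
    """Validate and decode one section X'12'. `generate_flag_mask` is hypothetical:
    the page does not define flag bits, so when no mask is given the generated
    key length is validated unconditionally (the stricter choice)."""
    if len(data) < RULE_HEADER_LEN:
        raise ValueError("section shorter than the 20-byte header")
    if data[0] != RULE_SECTION_ID:
        raise ValueError(f"section identifier X'{data[0]:02X}' is not X'12'")
    if data[1] != RULE_SECTION_VERSION:
        raise ValueError(f"unsupported section version X'{data[1]:02X}'")
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"section length field {length} != {len(data)} bytes supplied")
    rule_id = parse_rule_id(data[4:12])
    flags = int.from_bytes(data[12:16], "big")
    gen_len = data[16]
    generating = True if generate_flag_mask is None else bool(flags & generate_flag_mask)
    if generating and gen_len not in VALID_KEY_LENGTHS:
        raise ValueError(f"generated key length {gen_len} not in {sorted(VALID_KEY_LENGTHS)}")
    return RuleSection(rule_id, flags, gen_len, data[17], data[18], data[19],
                       split_subsections(data[RULE_HEADER_LEN:]))


def check_unique_rule_ids(sections: List[RuleSection]) -> List[str]:
    """Every rule section in one trusted block must carry a distinct Rule ID."""
    seen = set()
    for s in sections:
        if s.rule_id in seen:
            raise ValueError(f"duplicate Rule ID {s.rule_id!r}")
        seen.add(s.rule_id)
    return sorted(seen)


def build_rule_section(rule_id: str, flags: int, gen_len: int, kca: int, sym: int, asym: int,
                       subsections: List[Subsection] = ()) -> bytes:
    """Hypothetical encoder used to construct sample input for the parser."""
    if len(rule_id) > 8:
        raise ValueError("Rule ID longer than 8 characters")
    body = b"".join(bytes([tag, ver]) + (4 + len(val)).to_bytes(2, "big") + val
                    for tag, ver, val in subsections)
    header = (bytes([RULE_SECTION_ID, RULE_SECTION_VERSION])
              + (RULE_HEADER_LEN + len(body)).to_bytes(2, "big")
              + rule_id.encode("ascii").ljust(8, b" ")
              + flags.to_bytes(4, "big")
              + bytes([gen_len, kca, sym, asym]))
    return header + body


if __name__ == "__main__":
    # Constructed sample: one rule with a single opaque subsection.
    sample = build_rule_section("EXPORT-1", 0, 16, 0, 0, 0, [(0x10, 0x00, b"\x01\x02")])
    print(parse_rule_section(sample))
```

The parser raises on the length mismatch case first because a wrong length field is the usual sign of a truncated or tampered token; only after the fixed header is consistent does it touch the variable part.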