RSA private internal key token

This section describes the basic structure of RSA private internal key tokens.

An RSA private internal key token contains the following sections:

  • A required PKA token header, starting with the token identifier X'1F'
  • A required RSA private key section and secured subsection
  • A required RSA public key section
  • An optional private key name section
  • A required internal information section

All length fields are in binary. All binary fields (exponents, lengths, and so on) are stored with the high-order byte first (left, low-address, big-endian format). All binary fields (exponents, modulus, and so on) in the private sections of tokens are right-aligned and padded with zeros to the left.

Table 1 shows the format.
Table 1. RSA private internal key token basic record format

Offset (decimal)  Length (bytes)  Description

Token Header (Required)
000  001  Token identifier. X'1F' indicates an internal token. The private key is enciphered with a PKA master key.
001  001  Version, X'00'.
002  002  Length of the key token structure, excluding the internal information section.
004  004  Ignored; should be zero.

RSA Private Key Section and Secured Subsection (Required)
See the following sections:

RSA Public Key Section (Required)
000  001  X'04', section identifier, RSA public key.
001  001  X'00', version.
002  002  Section length, 12 + xxx.
004  002  Reserved field.
006  002  RSA public key exponent field length in bytes, xxx.
008  002  Public key modulus length in bits.
010  002  RSA public key modulus field length in bytes, which is zero for a private token.
012  xxx  Public key exponent, e (generally a 1-, 3-, or 64- to 256-byte quantity). e must be odd and 1 < e < n. (Frequently, e = 2^16 + 1 = 65,537.)
          Note: You can import an RSA public key whose exponent is two (2). Such a public key can correctly validate an ISO 9796-1 digital signature. However, the current product implementation does not generate an RSA key with a public exponent of two (a Rabin key).

Private Key Name (Optional)
000  001  X'10', section identifier, private key name.
001  001  X'00', version.
002  002  Section length, X'0044' (68 decimal).
004  064  Private key name (in ASCII), left-aligned, padded with space characters (X'20'). An access control system can use the private key name to verify that the calling application is entitled to use the key.

Internal Information Section (Required)
000  004  Eye catcher 'PKTN'.
004  004  PKA token type.
          Bit  Meaning when set on
          0    RSA key.
          2    Private key.
          3    Public key.
          4    Private key name section exists.
          5    Private key unenciphered.
          6    Blinding information present.
          7    Retained private key.
008  004  Address of token header.
012  002  Total length of the entire structure, including this information section.
014  002  Count of the number of sections.
016  016  PKA master key hash pattern.
032  001  Domain of retained key.
033  008  Serial number of processor holding retained key.
041  007  Reserved.
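The following parser walks a token laid out as in Table 1 and checks the framing rules the table states: the X'1F' identifier, the header length that excludes the 48-byte internal information section, the 12 + xxx public key section length, the zero modulus field length in a private token, the odd exponent greater than 1, the X'0044' name section, the 'PKTN' eye catcher, and the agreement between the "name section exists" flag and the sections actually present. This is an added example, not IBM CCA code. Two things are assumptions: the private key section (whose layout is defined in other sections and is not reproduced above) is taken to begin with the same identifier/version/length prefix as the two sections shown, and is treated as opaque bytes; and bit 0 of the PKA token type is taken to be the most-significant bit of the big-endian 4-byte field (IBM bit numbering). The sample token is constructed for the demonstration and omits the private key section.

```python
"""Parse an RSA private internal key token (Table 1 layout) and validate its framing.
Added example, not IBM CCA code; assumptions are marked in comments."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

TOKEN_ID_INTERNAL = 0x1F          # token identifier of an internal PKA token
SECTION_RSA_PUBLIC = 0x04         # RSA public key section identifier
SECTION_PRIVATE_KEY_NAME = 0x10   # private key name section identifier
HEADER_LEN = 8                    # PKA token header, offsets 000-007
INTERNAL_INFO_LEN = 48            # 'PKTN' section, offsets 000-047

# Assumption: IBM bit numbering, bit 0 = most-significant bit of the big-endian field.
TOKEN_TYPE_BITS = {0: "RSA key", 2: "Private key", 3: "Public key",
                   4: "Private key name section exists", 5: "Private key unenciphered",
                   6: "Blinding information present", 7: "Retained private key"}


def bit_set(flags: int, bit: int) -> bool:
    return bool(flags & (1 << (31 - bit)))


@dataclass
class ParsedToken:
    public_exponent: int
    modulus_bits: int
    private_key_name: Optional[str]
    token_type: Set[str]
    master_key_hash: bytes
    retained_domain: int
    retained_serial: bytes
    opaque_sections: List[Tuple[int, bytes]]   # sections whose layout is not on this page


def parse_rsa_private_internal_token(tok: bytes) -> ParsedToken:
    if len(tok) < HEADER_LEN + INTERNAL_INFO_LEN:
        raise ValueError("token too short for header plus internal information section")
    ident, version, hdr_len = struct.unpack(">BBH", tok[:4])
    if ident != TOKEN_ID_INTERNAL:
        raise ValueError(f"identifier X'{ident:02X}' is not an internal token (X'1F')")
    if version != 0:
        raise ValueError(f"unsupported token header version {version}")
    # Header length excludes the internal information section that follows the sections.
    if hdr_len + INTERNAL_INFO_LEN != len(tok):
        raise ValueError("header length + 48-byte internal information section != token length")

    exponent = modulus_bits = None
    name = None
    opaque: List[Tuple[int, bytes]] = []
    off = HEADER_LEN
    while off < hdr_len:
        # Assumption: every section, including the private key section, starts with
        # identifier, version and a big-endian length, as the two sections in Table 1 do.
        if hdr_len - off < 4:
            raise ValueError("truncated section header")
        sid, _sver, slen = struct.unpack(">BBH", tok[off:off + 4])
        if slen < 4 or off + slen > hdr_len:
            raise ValueError(f"section X'{sid:02X}' length {slen} overruns the token")
        sec = tok[off:off + slen]
        if sid == SECTION_RSA_PUBLIC:
            _reserved, elen, modulus_bits, nlen = struct.unpack(">HHHH", sec[4:12])
            if slen != 12 + elen:
                raise ValueError("public key section length != 12 + exponent length")
            if nlen != 0:
                raise ValueError("modulus field length must be zero in a private token")
            exponent = int.from_bytes(sec[12:12 + elen], "big")
            # e < n cannot be checked here: the private token carries no modulus field.
            if exponent <= 1 or exponent % 2 == 0:
                raise ValueError(f"public exponent {exponent} must be odd and > 1")
        elif sid == SECTION_PRIVATE_KEY_NAME:
            if slen != 0x44:
                raise ValueError("private key name section length must be X'0044'")
            name = sec[4:68].decode("ascii").rstrip(" ")
        else:
            opaque.append((sid, sec))          # e.g. the private key section
        off += slen
    if exponent is None:
        raise ValueError("required RSA public key section missing")

    info = tok[hdr_len:]
    if info[:4] != b"PKTN":
        raise ValueError("internal information section lacks the 'PKTN' eye catcher")
    flags, _addr, total_len, _count = struct.unpack(">IIHH", info[4:16])
    if total_len != len(tok):
        raise ValueError("internal information total length disagrees with token length")
    token_type = {n for b, n in TOKEN_TYPE_BITS.items() if bit_set(flags, b)}
    if not (bit_set(flags, 0) and bit_set(flags, 2)):
        raise ValueError("token type does not mark an RSA private key")
    if bit_set(flags, 4) != (name is not None):
        raise ValueError("name-section flag disagrees with the sections present")
    return ParsedToken(exponent, modulus_bits, name, token_type, info[16:32],
                       info[32], info[33:41], opaque)


def build_sample_token(name: str = "TEST.RSA.KEY") -> bytes:
    """Constructed sample, not a real token; the private key section is omitted
    because its layout is defined elsewhere, so no opaque section appears."""
    exponent = (65537).to_bytes(3, "big")                      # e = 2^16 + 1
    pub = struct.pack(">BBHHHHH", SECTION_RSA_PUBLIC, 0, 12 + len(exponent),
                      0, len(exponent), 2048, 0) + exponent     # modulus field length 0
    name_sec = struct.pack(">BBH", SECTION_PRIVATE_KEY_NAME, 0, 0x44) \
        + name.encode("ascii").ljust(64, b" ")
    hdr_len = HEADER_LEN + len(pub) + len(name_sec)
    header = struct.pack(">BBHI", TOKEN_ID_INTERNAL, 0, hdr_len, 0)
    flags = sum(1 << (31 - b) for b in (0, 2, 4))              # RSA, private, name present
    info = (b"PKTN" + struct.pack(">IIHH", flags, 0, hdr_len + INTERNAL_INFO_LEN, 2)
            + bytes(range(16))                                  # made-up master key hash pattern
            + bytes([0]) + bytes(8) + bytes(7))                 # domain, serial, reserved
    return header + pub + name_sec + info


if __name__ == "__main__":
    print(parse_rsa_private_internal_token(build_sample_token()))
```

The parser rejects on the first framing violation rather than skipping it, which is the behaviour you want in anything that accepts key tokens from a less trusted caller: a section length that overruns the header length, or an exponent length that disagrees with the section length, is exactly the kind of inconsistency that turns into an out-of-bounds read in a native implementation.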