PKA Key Import (CSNDPKI)

Use this service to import an RSA, ECC, CRYSTALS-Dilithium, CRYSTALS-Kyber, ML-KEM, or pure or pre-hash ML-DSA public-private key pair. A private key must be accompanied by the associated public key. The source PKA private key can be either in the clear or enciphered.

To import a PKA public-private key pair:

  • Identify the external RSA, ECC, or QSA key token to be imported using the source_key_identifier parameter. Use the PKA Key Generate service to obtain the token or, if the key originates in a non-CCA system, use the PKA Key Token Build service.
  • Use the transport_key_identifier parameter to identify the key used to encipher the source key token:
    • For a CKM_RSA_AES_KEY_WRAP formatted ECC or RSA key, provide the RSA key that was used to wrap the PKA key.
    • For an enciphered ECC key token, provide an AES key-encrypting key in a variable-length symmetric key-token.
    • For an enciphered RSA key token, provide a key-encrypting key that can be used for import, either in a fixed-length DES key-token or a variable-length AES key token. The transport key must have its key usage set to allow IMPORT. A variable-length key must also allow wrapping of an RSA key.
    • For a clear key token, provide a null transport key token.

If an RSA source key token without an AES-enciphered Object Protection Key (OPK) contains an enciphered private key or OPK data, the target key is protected by the RSA master key. When an RSA private-key token contains a private-key section with a section identifier of X'30' or X'31', its AES OPK is used to encipher the private key and the APKA master key is used, in turn, to AES-encipher the OPK and its data. Likewise, if an ECC key token contains an enciphered private key, its AES OPK is used to encipher the private key and the APKA master key is used to encipher the OPK and its data.

The result is returned in an internal PKA key-token identified by the target_key_identifier parameter. The verb also updates the target_key_identifier_length variable to the length of data returned in the target_key_identifier variable.

This service can also be used to import an active external trusted block. A trusted block does not contain a private key. Instead, it contains an encrypted confounder and triple-length MAC key. The MAC key is used to calculate an ISO 16609 CBC-mode Triple-DES MAC of the trusted block contents. In an external trusted block, the MAC key is encrypted under a DES IMP-PKA key.

To import an external trusted block so that it can be used as input by the PKA Key Import verb:

  • Identify the active external trusted block to be imported using the source_key_identifier parameter. Use the Trusted Block Create service with the ACTIVATE rule-array keyword to obtain the token.
  • Use the transport_key_identifier parameter to identify the operational DES IMP-PKA key used to encipher the confounder and triple-length MAC key contained within the trusted block. This is an IMPORTER key-encrypting key with only its IMPORT key-usage bit on (CV bit 21 = B'1').

The confounder and MAC key are enciphered under the RSA master key and returned along with the updated MAC value in an internal trusted block identified by the target_key_identifier parameter. The service also updates the target_key_identifier_length variable to the length of the returned token or key label.
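Two of the rules above can be checked on the tokens before the verb is called: the private-key section identifier (X'30' or X'31') that decides whether the imported RSA key ends up under the APKA master key, and CV bit 21 (IMPORT) that an IMP-PKA transport key must have on. The following is an added example, not IBM code; it assumes the 8-byte PKA token header so that the first section identifier is at offset 8, CCA's bit numbering (bit 0 is the most significant bit of the first CV byte), and constructed sample tokens.

```python
"""Pre-call checks for CSNDPKI inputs (added example, not IBM CCA code)."""

# Assumption: the PKA token header is 8 bytes, so the first section's
# identifier byte sits at offset 8.
PKA_TOKEN_HEADER_LEN = 8
# From the page: an IMP-PKA transport key needs its IMPORT bit on (CV bit 21).
IMPORT_CV_BIT = 21
# Section identifiers named on the page whose OPK goes under the APKA master key.
APKA_PROTECTED_SECTION_IDS = (0x30, 0x31)


def cv_bit(cv: bytes, bit: int) -> bool:
    """Return control-vector bit `bit`, numbered from 0 at the MSB of cv[0]."""
    if not 0 <= bit < len(cv) * 8:
        raise ValueError("CV bit %d out of range for %d-byte CV" % (bit, len(cv)))
    return bool(cv[bit // 8] & (0x80 >> (bit % 8)))


def rsa_target_master_key(source_token: bytes) -> str:
    """Which master key will protect the imported RSA private key.

    Section identifier X'30' or X'31' -> AES OPK enciphered under the APKA
    master key; any other RSA private-key section -> RSA master key.
    """
    if len(source_token) <= PKA_TOKEN_HEADER_LEN:
        raise ValueError("token too short to hold a private-key section")
    section_id = source_token[PKA_TOKEN_HEADER_LEN]
    return "APKA" if section_id in APKA_PROTECTED_SECTION_IDS else "RSA"


def is_imp_pka_cv(cv: bytes) -> bool:
    """True when an 8-byte DES CV has IMPORT (bit 21) on.

    The page also requires the other key-usage bits to be off; which bits
    those are is not on the page, so that part is not checked here.
    """
    return len(cv) == 8 and cv_bit(cv, IMPORT_CV_BIT)


# Constructed samples: an external RSA token (X'1F') whose first section is
# X'30', one whose first section is X'08', and a CV with only bit 21 set.
SAMPLE_TOKEN_X30 = bytes([0x1F, 0x00, 0x00, 0x10, 0, 0, 0, 0, 0x30]) + bytes(7)
SAMPLE_TOKEN_X08 = bytes([0x1F, 0x00, 0x00, 0x10, 0, 0, 0, 0, 0x08]) + bytes(7)
SAMPLE_IMPORT_CV = bytes.fromhex("0000040000000000")

if __name__ == "__main__":
    print(rsa_target_master_key(SAMPLE_TOKEN_X30))   # APKA
    print(rsa_target_master_key(SAMPLE_TOKEN_X08))   # RSA
    print(is_imp_pka_cv(SAMPLE_IMPORT_CV))           # True
```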