RSA private external key token

An RSA private external key token contains the following sections:

Table 1 presents the basic record format of an RSA private external key token. All length fields are in binary. All binary fields (exponents, lengths, and so on) are stored with the high-order byte first. All binary fields (exponents, modulus, and so on) in the private sections of tokens are right-justified and padded with zeros to the left.

Table 1. RSA Private External Key Token Basic Record Format
Offset (Dec) Number of Bytes Description
    Token Header (required)
000 001 Token identifier. X'1E' indicates an external token. The private key is either in cleartext or enciphered with a transport key-encrypting key.
001 001 Version, X'00'.
002 002 Length of the key token structure.
004 004 Ignored. Should be zero.
    RSA Private Key Section (required)
    RSA Public Key Section (required)
000 001 X'04', section identifier, RSA public key.
001 001 X'00', version.
002 002 Section length, 12+xxx.
004 002 Reserved field.
006 002 RSA public key exponent field length in bytes, "xxx".
008 002 Public key modulus length in bits.
010 002 RSA public key modulus field length in bytes, which is zero for a private token.
Note: In an RSA private key token, this field should be zero. The RSA private key section contains the modulus.
012 xxx Public key exponent, e (this is generally a 1-, 3-, or 64- to 512-byte quantity). e must be odd and 1<e<n. (Frequently, the value of e is 2**16+1 (=65,537).)
    Private Key Name (optional)
000 001 X'10', section identifier, private key name.
001 001 X'00', version.
002 002 Section length, X'0044' (68 decimal).
004 064 Private key name (in ASCII), left-justified, padded with space characters (X'20'). An access control system can use the private key name to verify that the calling application is entitled to use the key.

RSA private key token, 1024-bit modulus-exponent external format

Table 2. RSA Private Key Token, 1024-bit Modulus-Exponent external format
Offset (Dec) Number of Bytes Description
000 001 X'02', section identifier, RSA private key, modulus-exponent format (RSA-PRIV)
001 001 X'00', version.
002 002 Length of the RSA private key section X'016C' (364 decimal).
004 020 SHA-1 hash value of the private key subsection cleartext, offset 28 to the section end. This hash value is checked after an enciphered private key is deciphered for use.
024 004 Reserved; set to binary zero.
028 001 Key format and security:
        X'00': Unencrypted RSA private key subsection identifier.
        X'82': Encrypted RSA private key subsection identifier.
029 001 Reserved, binary zero.
030 020 SHA-1 hash of the optional key-name section. If there is no key-name section, then 20 bytes of X'00'.
050 004 Key use flag bits (meaning when set on):
        Bit 0: Key management usage permitted.
        Bit 1: Signature usage not permitted.
        Bit 6: The key is translatable.
        All other bits reserved, set to binary zero.
054 006 Reserved; set to binary zero.
060 024 Reserved; set to binary zero.
    Start of the optionally-encrypted secure subsection.
084 024 Random number, confounder.
108 128 Private-key exponent, d. d=(e**-1) mod((p-1)(q-1)), and 1<d<n where e is the public exponent.
    End of the optionally-encrypted subsection; the confounder field and the private-key exponent field are enciphered for key confidentiality when the key format and security flags (offset 28) indicate that the private key is enciphered. They are enciphered under a double-length transport key using the ede2 algorithm.
236 128 Modulus, n. n=pq where p and q are prime and 1<n<2**1024.

RSA private key token, 4096-bit modulus-exponent external format

This RSA private key token and the external X'09' token are supported on a CCA Crypto Express coprocessor.

Table 3. RSA Private Key Token, 4096-bit Modulus-Exponent external format
Offset (Dec) Number of Bytes Description
000 001 X'09', section identifier, RSA private key, modulus-exponent format (RSAMEVAR).
001 001 X'00', version.
002 002 Length of the RSA private key section 132+ddd+nnn+xxx.
004 020 SHA-1 hash value of the private key subsection cleartext, offset 28 to the section end. This hash value is checked after an enciphered private key is deciphered for use.
024 002 Length of the encrypted private key section 8+ddd+xxx.
026 002 Reserved; set to binary zero.
028 001 Key format and security:
        X'00': Unencrypted RSA private key subsection identifier.
        X'82': Encrypted RSA private key subsection identifier.
029 001 Reserved, set to binary zero.
030 020 SHA-1 hash of the optional key-name section. If there is no key-name section, then 20 bytes of X'00'.
050 001 Key use flag bits (meaning when set on):
        Bit 0: Key management usage permitted.
        Bit 1: Signature usage not permitted.
        Bit 6: The key is translatable.
        All other bits reserved, set to binary zero.
051 001 Reserved; set to binary zero.
052 048 Reserved; set to binary zero.
100 016 Reserved; set to binary zero.
116 002 Length of private exponent, d, in bytes: ddd.
118 002 Length of modulus, n, in bytes: nnn.
120 002 Length of padding field, in bytes: xxx.
122 002 Reserved; set to binary zero.
    Start of the optionally-encrypted secure subsection.
124 008 Random number, confounder.
132 ddd Private-key exponent, d. d=(e**-1) mod((p-1)(q-1)), and 1<d<n where e is the public exponent.
132+ddd xxx X'00' padding of length xxx bytes such that the length from the start of the random number above to the end of the padding field is a multiple of eight bytes.
    End of the optionally-encrypted subsection; the confounder field and the private-key exponent field are enciphered for key confidentiality when the key format and security flags (offset 28) indicate that the private key is enciphered. They are enciphered under a double-length transport key using the ede2 algorithm.
132+ddd+xxx nnn Modulus, n. n=pq where p and q are prime and 1<n<2**4096.
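
The length and hash rules of Table 3 can be checked mechanically before a token is handed to a coprocessor. The following is an added example, not code from the original documentation: `build_clear_me_section` and `check_me_section` are hypothetical names, the sample values are constructed, and the bit numbering (bit 0 is the high-order bit) is an assumption noted in the code.

```python
import hashlib
import struct

def build_clear_me_section(d: bytes, n: bytes, key_use: int = 0x80) -> bytes:
    """Constructed sample: a clear (X'00') X'09' section laid out per Table 3."""
    pad = -(8 + len(d)) % 8              # confounder + d + pad: multiple of eight
    body = bytes([0x00, 0x00]) + bytes(20) + bytes([key_use, 0x00]) + bytes(48 + 16)
    body += struct.pack(">HHHH", len(d), len(n), pad, 0)        # offsets 116-123
    body += b"\xa5" * 8 + d + bytes(pad) + n     # fixed confounder, sample only
    head = struct.pack(">BBH", 0x09, 0x00, 28 + len(body))
    head += hashlib.sha1(body).digest() + struct.pack(">HH", 8 + len(d) + pad, 0)
    return head + body

def check_me_section(sec: bytes) -> list:
    """Return findings for an X'09' section; an empty list means it is consistent."""
    if len(sec) < 132 or sec[0] != 0x09:
        return ["not an X'09' section"]
    total, = struct.unpack_from(">H", sec, 2)
    enc_len, = struct.unpack_from(">H", sec, 24)
    ddd, nnn, xxx = struct.unpack_from(">HHH", sec, 116)
    findings = []
    if total != len(sec) or total != 132 + ddd + nnn + xxx:
        findings.append("section length != 132+ddd+nnn+xxx")
    if enc_len != 8 + ddd + xxx or enc_len % 8:
        findings.append("secure subsection length is not 8+ddd+xxx or not a multiple of 8")
    if sec[28] == 0x00:                  # clear key: hash and padding are checkable
        if hashlib.sha1(sec[28:total]).digest() != sec[4:24]:
            findings.append("SHA-1 at offset 4 does not match offset 28 to section end")
        if any(sec[132 + ddd:132 + ddd + xxx]):
            findings.append("padding is not X'00'")
    elif sec[28] != 0x82:                # X'82': hash is checkable only after decipher
        findings.append("unknown key format and security value")
    # Assumption: bits are numbered from the high-order end, so bit 0 = 0x80,
    # bit 1 = 0x40 and bit 6 = 0x02 (consistent with B'xxxx xx1x' in Table 5).
    if sec[50] & ~0xC2:
        findings.append("reserved key-use flag bits are set")
    return findings

# Constructed values, far too short for a real key; they only exercise the layout.
SAMPLE = build_clear_me_section(bytes.fromhex("0123456789abcdef0123"), bytes(range(1, 17)))
```
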

RSA private key token, 4096-bit Chinese Remainder Theorem external format

This RSA private key token with up to 2048-bit modulus is supported on all coprocessors. The modulus size is increased to 4096-bit on the z9 EC, z9 BC, z10 EC, z10 BC, or later machines with the Nov. 2007 or later version of the licensed internal code installed on the CCA Crypto Express coprocessor.

Table 4. RSA Private Key Token, 4096-bit Chinese Remainder Theorem external format
Offset (Dec) Number of Bytes Description
000 001 X'08', section identifier, RSA private key, CRT format (RSA-CRT)
001 001 X'00', version.
002 002 Length of the RSA private-key section, 132 + ppp + qqq + rrr + sss + uuu + xxx + nnn.
004 020 SHA-1 hash value of the private key subsection cleartext, offset 28 to the end of the modulus.
024 004 Reserved; set to binary zero.
028 001 Key format and security:
        X'40': Unencrypted RSA private-key subsection identifier, Chinese Remainder form.
        X'42': Encrypted RSA private-key subsection identifier, Chinese Remainder form.
029 001 Reserved; set to binary zero.
030 020 SHA-1 hash of the optional key-name section and any following optional sections. If there are no optional sections, then 20 bytes of X'00'.
050 004 Key use flag bits (meaning when set on):
        Bit 0: Key management usage permitted.
        Bit 1: Signature usage not permitted.
        Bit 6: The key is translatable.
        All other bits reserved, set to binary zero.
054 002 Length of prime number, p, in bytes: ppp.
056 002 Length of prime number, q, in bytes: qqq.
058 002 Length of dp, in bytes: rrr.
060 002 Length of dq, in bytes: sss.
062 002 Length of U, in bytes: uuu.
064 002 Length of modulus, n, in bytes: nnn.
066 004 Reserved; set to binary zero.
070 002 Length of padding field, in bytes: xxx.
072 004 Reserved, set to binary zero.
076 016 Reserved, set to binary zero.
092 032 Reserved; set to binary zero.
    Start of the optionally-encrypted secure subsection.
124 008 Random number, confounder.
132 ppp Prime number, p.
132 + ppp qqq Prime number, q
132 + ppp + qqq rrr dp = d mod(p - 1)
132 + ppp + qqq + rrr sss dq = d mod(q - 1)
132 + ppp + qqq + rrr + sss uuu U = q**-1 mod(p).
132 + ppp + qqq + rrr + sss + uuu xxx X'00' padding of length xxx bytes such that the length from the start of the random number above to the end of the padding field is a multiple of eight bytes.
    End of the optionally-encrypted secure subsection; all of the fields starting with the confounder field and ending with the variable length pad field are enciphered for key confidentiality when the key format-and-security flags (offset 28) indicate that the private key is enciphered. They are enciphered under a double-length transport key using the TDES (CBC outer chaining) algorithm.
132 + ppp + qqq + rrr + sss + uuu + xxx nnn Modulus, n. n = pq where p and q are prime and 1<n<2**2048.
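
For a clear (X'40') token, the relationships stated in Table 4 (n = pq, dp = d mod(p - 1), dq = d mod(q - 1), U = q**-1 mod(p)) can be verified arithmetically once the variable-length fields are located. The following is an added example, not code from the original documentation: the function names are hypothetical, the primes are constructed and far too small for real use, the public exponent e is assumed to have been read from the public key section, and the SHA-1 field is left zero because this example covers only the CRT arithmetic.

```python
import struct

def build_clear_crt_section(p: int, q: int, e: int) -> bytes:
    """Constructed sample: clear (X'40') X'08' section per Table 4, SHA-1 left zero."""
    d = pow(e, -1, (p - 1) * (q - 1))
    vals = [p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]     # p, q, dp, dq, U
    blobs = [v.to_bytes((v.bit_length() + 7) // 8, "big") for v in vals]
    n = (p * q).to_bytes(((p * q).bit_length() + 7) // 8, "big")
    lens = [len(b) for b in blobs]
    pad = -(8 + sum(lens)) % 8           # confounder through pad: multiple of eight
    hdr = bytes([0x08, 0]) + struct.pack(">H", 132 + sum(lens) + pad + len(n))
    hdr += bytes(24) + bytes([0x40, 0]) + bytes(20) + bytes([0x80, 0, 0, 0])
    hdr += struct.pack(">6H4xH", *lens, len(n), pad) + bytes(52)   # offsets 54-123
    return hdr + bytes(8) + b"".join(blobs) + bytes(pad) + n

def check_crt_section(sec: bytes, e: int) -> list:
    """Return findings for a clear X'08' section; e comes from the public key section."""
    if len(sec) < 132 or sec[0] != 0x08 or sec[28] != 0x40:
        return ["not a clear X'08' CRT section"]
    ppp, qqq, rrr, sss, uuu, nnn, xxx = struct.unpack_from(">6H4xH", sec, 54)
    off, out = 132, []
    for size in (ppp, qqq, rrr, sss, uuu, xxx, nnn):   # field order from offset 132
        out.append(int.from_bytes(sec[off:off + size], "big"))
        off += size
    p, q, dp, dq, u, pad, n = out
    findings = []
    if off != len(sec) or off != struct.unpack_from(">H", sec, 2)[0]:
        findings.append("section length mismatch")
    if pad or (8 + ppp + qqq + rrr + sss + uuu + xxx) % 8:
        findings.append("bad padding")
    if n != p * q:
        findings.append("n != p*q")
    if p < 2 or (u * q) % p != 1:
        findings.append("U != q**-1 mod p")
    # d = e**-1 mod (p-1)(q-1) implies e*dp = 1 mod (p-1) and e*dq = 1 mod (q-1).
    if p < 3 or q < 3 or (e * dp) % (p - 1) != 1 or (e * dq) % (q - 1) != 1:
        findings.append("dp/dq inconsistent with e")
    return findings

# Constructed parameters: two Mersenne primes, chosen only to exercise the layout.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
SAMPLE_CRT = build_clear_crt_section(P, Q, E)
```
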

RSA private key, 4096-bit modulus-exponent format with AES encrypted OPK section (X'30') external form

This RSA private key token is supported on the Crypto Express3 Coprocessor and Crypto Express4 Coprocessor.

Table 5. RSA private key, 4096-bit Modulus-Exponent format with AES encrypted OPK section (X'30') external form
Offset (bytes) Length (bytes) Description
000 001 Section identifier:
        X'30': RSA private key, ME format with AES encrypted OPK.
001 001 Section version number (X'00').
002 002 Section length: 122 + nnn + ppp
004 002 Length of “Associated Data” section
006 002 Length of payload data: ppp
008 002 Reserved, binary zero.
    Start of Associated Data
010 001 Associated Data Version:
        X'02': Version 2
011 001 Key format and security flag:
        X'00': Unencrypted ME RSA private-key subsection identifier
        X'82': Encrypted ME RSA private-key subsection identifier
012 001 Key source flag: Reserved, binary zero.
013 001 Reserved, binary zeroes.
014 001 Hash type:
        X'00': Clear key
        X'02': SHA-256
015 032 SHA-256 hash of all optional sections that follow the public key section, if any; else 32 bytes of X'00'.
047 003 Reserved, binary zero.
050 001 Key-usage flag:
        B'11xx xxxx': Only key unwrapping (KM-ONLY)
        B'10xx xxxx': Both signature generation and key unwrapping (KEY-MGMT)
        B'01xx xxxx': Undefined
        B'00xx xxxx': Only signature generation (SIG-ONLY)
        Translation control:
        B'xxxx xx1x': Private key translation is allowed (XLATE-OK)
        B'xxxx xx0x': Private key translation is not allowed (NO-XLATE)
051 001 Reserved, binary zero.
052 002 Length of modulus: nnn bytes
054 002 Length of private exponent: ddd bytes
    End of Associated Data
056 048 16-byte confounder + 32-byte Object Protection Key. OPK used as an AES key. Encrypted with an AES KEK.

104 016 Key verification pattern
  • For an encrypted private key, KEK verification pattern (KVP)
  • For a clear private key, binary zeros
  • For a skeleton, binary zeros
120 002 Reserved, binary zeros.
122 nnn Modulus
122+nnn ppp Payload starts here and includes:
When this section is unencrypted:
  • Clear private exponent d.
  • Length ppp bytes : ddd + 0
When this section is encrypted:
  • Private exponent d within the AESKW-wrapped payload.
  • Length ppp bytes : ddd + AESKW format overhead

RSA private key, 4096-bit Chinese Remainder Theorem format with AES encrypted OPK section (X'31') external form

This RSA private key token is supported on the Crypto Express3 Coprocessor and Crypto Express4 Coprocessor.

Table 6. RSA private key, 4096-bit Chinese Remainder Theorem format with AES encrypted OPK section (X'31') external form
Offset (bytes) Length (bytes) Description
000 001 Section identifier:
        X'31': RSA private key, CRT format with AES encrypted OPK
001 001 Section version number (X'00').
002 002 Section length: 134 + nnn + xxx
004 002 Length of “Associated Data” section
006 002 Length of payload data: xxx
008 002 Reserved, binary zero.
    Start of Associated Data
010 001 Associated Data Version:
        X'03': Version 3
011 001 Key format and security flag:
        X'40': Unencrypted RSA private-key subsection identifier
        X'42': Encrypted RSA private-key subsection identifier
012 001 Key source flag: Reserved, binary zero.
013 001 Reserved, binary zeroes.
014 001 Hash type:
        X'00': Clear key
        X'01': SHA-256
015 032 SHA-256 hash of all optional sections that follow the public key section, if any; else 32 bytes of X'00'.
047 003 Reserved, binary zero.
050 001 Key-usage flag:
        B'11xx xxxx': Only key unwrapping (KM-ONLY)
        B'10xx xxxx': Both signature generation and key unwrapping (KEY-MGMT)
        B'01xx xxxx': Undefined
        B'00xx xxxx': Only signature generation (SIG-ONLY)
        Translation control:
        B'xxxx xx1x': Private key translation is allowed (XLATE-OK)
        B'xxxx xx0x': Private key translation is not allowed (NO-XLATE)
051 001 Reserved, binary zero.
052 002 Length of the prime number, p, in bytes: ppp.
054 002 Length of the prime number, q, in bytes: qqq
056 002 Length of dp : rrr.
058 002 Length of dq : sss.
060 002 Length of U: uuu.
062 002 Length of modulus, nnn.
064 002 Reserved, binary zero.
066 002 Reserved, binary zero.
    End of Associated Data
068 048 16-byte confounder + 32-byte Object Protection Key. OPK used as an AES key. External tokens: encrypted with an AES KEK. Internal tokens: encrypted with the ECC master key.

116 016 Key verification pattern
  • For an encrypted private key, KEK verification pattern (KVP)
  • For a clear private key, binary zeros
  • For a skeleton, binary zeros
132 002 Reserved, binary zeros
134 nnn Modulus, n, n=pq, where p and q are prime.
134+nnn xxx Payload starts here and includes:
When this section is unencrypted:
  • Clear prime number p
  • Clear prime number q
  • Clear dp
  • Clear dq
  • Clear U
  • Length xxx bytes: ppp + qqq + rrr + sss + uuu + 0
When this section is encrypted:
  • Prime number p, prime number q, dp, dq and U within the AESKW-wrapped payload.
  • Length xxx bytes: ppp + qqq + rrr + sss + uuu + AESKW format overhead