RSA private external key token
This topic describes the basic structure of RSA private external key tokens.
An RSA private external key token contains the following sections:
- a required PKA token header starting with the token identifier X'1E'
- a required RSA private key section, one of those shown in Table 1, each starting with its own section identifier
- a required RSA public key section, starting with the section identifier X'04'
- an optional private key name section, starting with the section identifier X'10'.
Table 1 presents the basic record format of an RSA private
external key token. All length fields are in binary. All binary fields (exponents, lengths, and so
on) are stored with the high-order byte first (big-endian format). All binary fields (exponents,
modulus, and so on) in the private sections of tokens are right-aligned and padded with zeros to the
left.
| Offset (decimal) | Length (bytes) | Description |
|---|---|---|
| Token Header (Required) | ||
| 000 | 001 | Token identifier. X'1E' indicates an external token. The private key is either in cleartext or enciphered with a transport key-encrypting key. |
| 001 | 001 | Version, X'00'. |
| 002 | 002 | Length of the key token structure. |
| 004 | 004 | Ignored. Should be zero. |
| RSA Private Key Section (Required); see the following sections. | ||
| RSA Public Key Section (Required) | ||
| 000 | 001 | X'04', section identifier, RSA public key. |
| 001 | 001 | X'00', version. |
| 002 | 002 | Section length, 12 + xxx. |
| 004 | 002 | Reserved field. |
| 006 | 002 | RSA public key exponent field length in bytes, xxx. |
| 008 | 002 | Public key modulus length in bits. |
| 010 | 002 | RSA public key modulus field length in bytes, which is zero for a private token. Note: In an RSA private key token, this field should be zero; the RSA private key section contains the modulus. |
| 012 | xxx | Public key exponent, e (this is generally a 1-, 3-, or 64- to 256-byte quantity). e must be odd and 1 < e < n. Frequently, the value of e is 2^16 + 1 (= 65,537). Note: You can import an RSA public key having an exponent valued to two (2). Such a public key can correctly validate an ISO 9796-1 digital signature. However, the current product implementation does not generate an RSA key with a public exponent valued to two (a Rabin key). |
| Private Key Name (Optional) | ||
| 000 | 001 | X'10', section identifier, private key name. |
| 001 | 001 | X'00', version. |
| 002 | 002 | Section length, X'0044' (68 decimal). |
| 004 | 064 | Private key name (in ASCII), left-aligned, padded with space characters (X'20'). An access control system can use the private key name to verify the calling application is entitled to use the key. When generating an RSA retained private key, the name supplied in this part of the skeleton key-token is subsequently used in the coprocessor to locate the retained key. |
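The section walk described in Table 1 (token header, RSA public key section, private key name section), as an added Python example that is not part of this documentation or of the product: it parses a constructed token and applies the table's length and exponent checks. The private key section layout is not given on this page, so the parser only records that section's identifier; in the sample, the private section identifier 0x08, the key name SIGNING.KEY.01 and the 2048-bit modulus size are constructed placeholder values.

```python
import struct

TOKEN_ID_EXTERNAL = 0x1E      # X'1E': external RSA private key token
SECT_RSA_PUBLIC = 0x04        # X'04': RSA public key section
SECT_PRIVATE_KEY_NAME = 0x10  # X'10': private key name section

def parse_rsa_private_external_token(token: bytes) -> dict:
    """Walk the token's sections, checking the header, public key and key name
    sections against the table; the private key section is kept opaque."""
    tid, ver, tok_len = struct.unpack(">BBH", token[:4])
    if tid != TOKEN_ID_EXTERNAL or ver != 0x00 or tok_len != len(token):
        raise ValueError("bad token header or token length field")
    out = {"private_section_id": None, "public": None, "key_name": None}
    off = 8   # 8-byte token header; each section: id(1), version(1), length(2, big-endian)
    while off < tok_len:
        sid, slen = token[off], int.from_bytes(token[off + 2:off + 4], "big")
        sect = token[off:off + slen]
        if slen < 4 or len(sect) != slen:     # length must stay inside the token
            raise ValueError("section at offset %d is truncated or overruns" % off)
        if sid == SECT_RSA_PUBLIC:
            if slen < 12:
                raise ValueError("public section shorter than its 12-byte fixed part")
            e_len, mod_bits, n_len = struct.unpack(">HHH", sect[6:12])
            if n_len != 0 or slen != 12 + e_len:   # modulus lives in the private section
                raise ValueError("public section: modulus field must be empty, length 12 + e_len")
            e = int.from_bytes(sect[12:12 + e_len], "big")
            if e < 2 or (e != 2 and e % 2 == 0):   # odd and > 1; e = 2 (Rabin) may be imported
                raise ValueError("invalid public exponent")
            out["public"] = {"e": e, "modulus_bits": mod_bits}
        elif sid == SECT_PRIVATE_KEY_NAME:
            if slen != 0x0044:
                raise ValueError("key name section must be 68 bytes")
            out["key_name"] = sect[4:68].decode("ascii").rstrip(" ")
        else:
            out["private_section_id"] = sid   # private key section: layout not decoded here
        off += slen
    if out["private_section_id"] is None or out["public"] is None:
        raise ValueError("private key section and public key section are required")
    return out

def build_sample_token() -> bytes:
    """Constructed sample, not a real key; private section id 0x08 is only a placeholder."""
    private_sect = struct.pack(">BBH", 0x08, 0x00, 16) + b"\x00" * 12
    e_bytes = (65537).to_bytes(3, "big")       # e = 2^16 + 1 for a 2048-bit modulus
    public_sect = struct.pack(">BBHHHHH", SECT_RSA_PUBLIC, 0, 12 + len(e_bytes),
                              0, len(e_bytes), 2048, 0) + e_bytes
    name_sect = (struct.pack(">BBH", SECT_PRIVATE_KEY_NAME, 0, 0x0044)
                 + "SIGNING.KEY.01".ljust(64).encode("ascii"))
    body = private_sect + public_sect + name_sect
    return struct.pack(">BBHI", TOKEN_ID_EXTERNAL, 0x00, 8 + len(body), 0) + body
```

A token whose length fields disagree with the buffer (for example a key name section cut short) is rejected with ValueError rather than silently read past its end.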