Trusted block sections

A trusted block is a concatenation of a header followed by an unordered set of sections. The data structures of these sections are summarized in the following table:

Table 1. Trusted block sections

Section   Reference   Usage
Header    Table 1     Trusted block token header
X'11'     Table 2     Trusted block public key
X'12'     Table 3     Trusted block rule
X'13'     Table 10    Trusted block name (key label)
X'14'     Table 11    Trusted block information
X'15'     Table 15    Trusted block application-defined data
Every trusted block starts with a token header. The first byte of the token header determines the key form:
  • An external header (first byte X'1E'), created by the Trusted Block Create verb
  • An internal header (first byte X'1F'), imported from an active external trusted block by the PKA Key Import verb

The sections that follow the token header may appear in any order. Each section type is described below, with its trusted block section identifier and the restrictions on how many times it may appear:

  • An optional public-key section (trusted block section identifier X'11')

    The trusted block RSA public-key section carries the trusted public key itself together with a key-usage flag that states which operations the key may be used for. Only one public-key section is allowed.

  • An optional rule section (trusted block section identifier X'12')

    A trusted block may have zero or more rule sections.

    1. A trusted block with no rule sections can be used by the PKA Key Token Change and PKA Key Import callable services. A trusted block with no rule sections can also be used by the Digital Signature Verify verb, provided there is an RSA public-key section that has its key-usage flag bits set to allow digital signature operations.
    2. At least one rule section is required when the Remote Key Export verb is used to:
      • Generate an RKX key-token
      • Export an RKX key-token
      • Export a CCA DES key-token
      • Encrypt the clear generated or exported key using the provided vendor certificate
    3. If a trusted block has multiple rule sections, each rule section must have a unique 8-character Rule ID.
  • An optional name (key label) section (trusted block section identifier X'13')

    The trusted block name section provides a 64-byte name that identifies the trusted block, just as key labels identify other CCA keys. A host access-control system such as RACF can use this name to verify that the application is authorized to use the trusted block. Only one name section is allowed.

  • A required information section (trusted block section identifier X'14')

    The trusted block information section contains control and security information for the trusted block. It is the only section that is required; all others are optional. This section carries the cryptographic information that guarantees the integrity of the trusted block and binds the block to the local system. Only one information section is allowed.

  • An optional application-defined data section (trusted block section identifier X'15')

    The trusted block application-defined data section can be used to carry application-defined data in the trusted block. The meaning of this data is defined by the application; CCA does not examine or use it in any way. Only one application-defined data section is allowed.
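The structural rules above (external or internal first byte, exactly one information section, at most one public-key, name and application-defined data section, any number of rule sections with unique 8-character Rule IDs) can be checked before a token is handed to a verb. The following validator is an added example written for this page; it is not CCA code and not part of the original text. It assumes the generic CCA PKA token framing (a header of token identifier, version, 2-byte big-endian token length and 4 reserved bytes; each section prefixed by identifier, version and a 2-byte big-endian section length), and it assumes the Rule ID occupies the first 8 bytes of the rule section body. Neither layout is stated on this page, and the section bodies in the sample are constructed placeholders rather than the fields of Tables 2 to 15.

```python
"""Structural validator for a CCA trusted block token (added example, not CCA code).

Rules checked come from the section descriptions on this page. The byte layout
below is an ASSUMPTION (generic CCA PKA token framing), not taken from the page:
  header : byte 0 token id, byte 1 version, bytes 2-3 BE token length, bytes 4-7 reserved
  section: byte 0 section id, byte 1 version, bytes 2-3 BE length (incl. 4-byte prefix)
  rule   : Rule ID assumed to be the first 8 bytes of the X'12' section body
"""
import struct

EXTERNAL, INTERNAL = 0x1E, 0x1F
SEC_PUBKEY, SEC_RULE, SEC_NAME, SEC_INFO, SEC_APPDATA = 0x11, 0x12, 0x13, 0x14, 0x15
SINGLETON_SECTIONS = {SEC_PUBKEY, SEC_NAME, SEC_INFO, SEC_APPDATA}  # at most one each
KNOWN_SECTIONS = SINGLETON_SECTIONS | {SEC_RULE}                      # X'12' may repeat


class TrustedBlockError(ValueError):
    pass


def parse_sections(token: bytes):
    """Split a token into (section_id, body) pairs, checking the framing."""
    if len(token) < 8:
        raise TrustedBlockError("token shorter than the 8-byte header")
    token_id, _ver, token_len = struct.unpack(">BBH", token[:4])
    if token_id not in (EXTERNAL, INTERNAL):
        raise TrustedBlockError(f"not a trusted block: first byte X'{token_id:02X}'")
    if token_len != len(token):
        raise TrustedBlockError(f"header length {token_len} != actual length {len(token)}")
    sections, off = [], 8
    while off < len(token):
        if len(token) - off < 4:
            raise TrustedBlockError(f"truncated section header at offset {off}")
        sec_id, _sver, sec_len = struct.unpack(">BBH", token[off:off + 4])
        if sec_len < 4 or off + sec_len > len(token):
            raise TrustedBlockError(f"bad section length {sec_len} at offset {off}")
        sections.append((sec_id, token[off + 4:off + sec_len]))
        off += sec_len
    return token_id, sections


def validate(token: bytes) -> dict:
    """Apply the section-count and Rule ID rules; raise on any violation."""
    token_id, sections = parse_sections(token)
    counts, rule_ids = {}, []
    for sec_id, body in sections:
        if sec_id not in KNOWN_SECTIONS:
            raise TrustedBlockError(f"unknown section identifier X'{sec_id:02X}'")
        counts[sec_id] = counts.get(sec_id, 0) + 1
        if sec_id in SINGLETON_SECTIONS and counts[sec_id] > 1:
            raise TrustedBlockError(f"multiple X'{sec_id:02X}' sections are not allowed")
        if sec_id == SEC_RULE:
            if len(body) < 8:
                raise TrustedBlockError("rule section too short to hold an 8-character Rule ID")
            rid = body[:8].decode("ascii", errors="replace")
            if rid in rule_ids:
                raise TrustedBlockError(f"duplicate Rule ID {rid!r}")
            rule_ids.append(rid)
    if counts.get(SEC_INFO, 0) != 1:
        raise TrustedBlockError("information section X'14' is required")
    return {
        "form": "external" if token_id == EXTERNAL else "internal",
        "has_public_key": SEC_PUBKEY in counts,
        "rule_ids": rule_ids,
        "rke_capable": bool(rule_ids),  # Remote Key Export needs at least one rule section
    }


def rejection_reason(token: bytes):
    """Return the error message for an invalid token, or None if it validates."""
    try:
        validate(token)
        return None
    except TrustedBlockError as exc:
        return str(exc)


def build_token(token_id: int, sections) -> bytes:
    """Assemble a token from (section_id, body) pairs under the assumed framing."""
    body = b"".join(struct.pack(">BBH", sid, 0, len(b) + 4) + b for sid, b in sections)
    return struct.pack(">BBH", token_id, 0, len(body) + 8) + b"\x00" * 4 + body


# Constructed samples; section bodies are placeholders, not real Table 2-15 fields.
SAMPLE_OK = build_token(EXTERNAL, [(SEC_RULE, b"RULE0001" + b"\x00" * 8),
                                   (SEC_INFO, b"\x00" * 16)])
SAMPLE_DUP_RULE = build_token(EXTERNAL, [(SEC_RULE, b"RULE0001" + b"\x00" * 8),
                                         (SEC_RULE, b"RULE0001" + b"\x00" * 8),
                                         (SEC_INFO, b"\x00" * 16)])
SAMPLE_NO_INFO = build_token(INTERNAL, [(SEC_RULE, b"RULE0002" + b"\x00" * 8)])

if __name__ == "__main__":
    print(validate(SAMPLE_OK))
    for bad in (SAMPLE_DUP_RULE, SAMPLE_NO_INFO):
        print("rejected:", rejection_reason(bad))
```

The validator only enforces what the page states about section structure; it does not verify the integrity value in the information section, which only the coprocessor can check against the key that binds the block to the local system.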