|
Each z/OS PKCS #11 token record and token object record begins with the
same 188 bytes of data. The remainder of the record is specific to
the token or object.
Common section of the token and object records
Every record in the token data set, with the exception of the header
record, begins with these 188 bytes of data.
Table 32. Format of the common section of the token and object records| Offset (decimal) | Length of field (bytes) | Description |
|---|
| 0 | 72 | Handle of token or object
- Bytes 0-31:
- Token name
- Bytes 32-39:
- Sequence number
- Byte 40:
- Character "T" for token object
- Bytes 41-43
- Blank characters
- Bytes 44-71:
- Binary zeros
| | 72 | 8 | Reserved for IBM's use | | 80 | 8 | The date that this record was created, in the
format yyyymmdd | | 88 | 8 | The time that this record was created, in the
format hhmmssth | | 96 | 8 | The most recent date that this record was updated,
in the format yyyymmdd | | 104 | 8 | The most recent time that this record was updated,
in the format hhmmssth | | 112 | 4 | Length of the entire TKDS record entry | | 116 | 20 | Reserved for IBM's use | | 136 | 52 | User data | | 188 | variable | The TKDS token or object (see mappings) | Format of the token-specific section of the token record
Each z/OS PKCS #11 token record begins with the 188 bytes. The remainder
of the record contains the contents of the token. The mapping of
the record shows the data beginning at offset 0, which is its offset
into the token-specific portion of the record; however, that
portion of the record is at an offset of 188 into the entire record.
Table 33. Format of the unique section of the token record|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| 0 | 4 | Eye catcher for token: "TOKN" | | 4 | 2 | Version number of structure: EBCDIC '00' | | 6 | 2 | Length of structure in bytes | | 8 | 4 | Reserved for IBM's use. Must be zeros. | | 12 | 8 | Last assigned sequence number | | 20 | 32 | Manufacturer identification | | 52 | 16 | Model | | 68 | 16 | Serial number | | 84 | 8 | Date of the most recent update to this token,
expressed as Coordinated Universal Time (UTC) in the format yyyymmdd.
This includes any update to token information or to a token object. | | 92 | 8 | Time of the most recent update to this token,
expressed as Coordinated Universal Time (UTC) in the format hhmmssth.
This includes any update to token information or to a token object. | | 100 | 44 | Reserved for IBM's use | | 144 | | End of token | Format of the object-specific sections of the token
object records
The following classes of objects can be associated with a z/OS PKCS #11 token:
- Certificate
- Public key
- Private key
- Secret key
- Data objects
- Domain parameters
The token object record for each begins with the common section
described Common section of the token and object records, followed by a section specific
to the class of object. Each of the object-specific sections
begins with a 12-byte header record, followed by a variable-length
section. Each 12-byte header contains a 4-byte flag
field that has the same mapping for all classes of objects.
Table 34. Format of the token object flags This 4-byte flag field occurs
in the object header section of each token object record.| Offset (decimal) | Field name | Description |
|---|
| Flag byte 1 | | Bit 0 | OBJ_IS_TOKOBJ | When on, the object is a token object. When
off, the object is a session object. | | Bit 1 | OBJ_IS_PRVOBJ | When on, the object is a private object. When
off, the object is a public object. | | Bit 2 | OBJ_IS_MODOBJ | When on, the object is modifiable. | | Bit 3 | KEY_DERIVE | When on, the key supports key derivation. | | Bit 4 | KEY_LOCAL | When on, the key was generated locally. | | Bit 5 | KEY_ENCRYPT | When on, the key supports encryption. | | Bit 6 | KEY_DECRYPT | When on, the key supports decryption. | | Bit 7 | KEY_VERIFYA | When on, the key supports verification where
the signature is an appendix to the data. | | Flag byte 2 | | Bit 0 | KEY_VERIFYR | When on, the key supports verification where
the data is recovered from the signature | | Bit 1 | KEY_SIGA | When on, the key supports signatures where the
signature is an appendix to the data. | | Bit 2 | KEY_SIGR | When on, the key supports signatures where the
data is recovered from the signature. | | Bit 3 | KEY_WRAP | When on, the key supports wrapping. | | Bit 4 | KEY_UNWRAP | When on, the key supports unwrapping. | | Bit 5 | KEY_EXTRACT | When on, the key is extractable. | | Bit 6 | KEY_IS_SENSITIVE | When on, the key is sensitive. | | Bit 7 | KEY_IS_ALWAYS_SENSITIVE | When on, the SENSITIVE attribute (KEY_IS_SENSITIVE)
is always true. | | Flag byte 3 | | Bit 0 | KEY_NEVER_EXTRACT | When on, the EXTRACTABLE attribute (KEY_EXTRACT)
is never true. When off, the EXTRACTABLE attribute (KEY_EXTRACT) can
be true. | | Bit 1 | OBJ_IS_TRUSTED | When on, the certificate can be trusted for
the application for which it was created. | | Bit 2 | CERT_IS_DEFAULT | When on, this is the default certificate. | | Bit 3 | FIPS140 | When on, key is only to be used in a FIPS-compliant
manner. | | Bits 4-7 | | Reserved for IBM's use | | Flag byte 4 | | Bits 0-7 | | Reserved for IBM's use |
Table 35. Format of the token certificate object|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for certificate object: "CERT" | | 4 | 2 | Version: EBCDIC '00' | | 6 | 2 | Length of the object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 |
TYPE attribute:
X'00000000': CKC_X_509
| | 16 | 4 | Certificate category
- 0
- Undefined
- 1
- Token user
- 2
- Certificate authority
- 3
- Other entity
| | 20 | 8 | Reserved for IBM's use | | 28 | 32 | Reserved for IBM's use | | 60 | 2 | Length of SUBJECT attribute in bytes (aa) | | 62 | 2 | Length of ID attribute in bytes (bb) | | 64 | 2 | Length of ISSUER attribute in bytes (cc) | | 66 | 2 | Length of SERIAL_NUMBER attribute in bytes (dd) | | 68 | 2 | Length of VALUE attribute in bytes (ee) | | 70 | 2 | Length of LABEL attribute in bytes (ff) | | 72 | 2 | Length of APPLICATION attribute in bytes (gg) | | 74 | 22 | Reserved for IBM's use | | 96 | 4 | Offset of SUBJECT attribute in bytes | | 100 | 4 | Offset of ID attribute in bytes | | 104 | 4 | Offset of ISSUER attribute in bytes | | 108 | 4 | Offset of SERIAL_NUMBER attribute in bytes | | 112 | 4 | Offset of VALUE attribute in bytes | | 116 | 4 | Offset of LABEL attribute in bytes | | 120 | 4 | Offset of APPLICATION attribute in bytes | | 124 | 44 | Reserved for IBM's use | | 168 | aa + bb + cc + dd + ee + ff + gg | Certificate attributes (variable length) | | 168 + aa + bb + cc + dd + ee + ff + gg | | End of certificate object |
Table 36. Format of the token public key object (Version 0)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for public key object: "PUBK" | | 4 | 2 | Version: EBCDIC '00' | | 6 | 2 | Length of the object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 |
TYPE attribute:
CKK_RSA
| | 16 | 8 | Start date for the key, in the format yyyymmdd | | 24 | 8 | End date for the key, in the format yyyymmdd | | 32 | 4 |
Key generate mechanism:
CK_UNAVAILABLE_INFORMATION
| | 36 | 36 | Reserved | | 72 | 4 | Length in bits of modulus n | | 76 | 256 | Modulus n | | 332 | 256 | Reserved | | 588 | 256 | Public exponent e | | 844 | 256 | Reserved | | 1100 | 2 | Length of SUBJECT attribute in bytes (aa) | | 1102 | 2 | Length of ID attribute in bytes (bb) | | 1104 | 2 | Length of LABEL attribute in bytes (cc) | | 1106 | 2 | Length of APPLICATION attribute in bytes (dd) | | 1108 | 20 | Reserved | | 1128 | 4 | Offset of SUBJECT attribute in bytes | | 1132 | 4 | Offset of ID attribute in bytes | | 1136 | 4 | Offset of LABEL attribute in bytes | | 1140 | 4 | Offset of APPLICATION attribute in bytes | | 1144 | 40 | Reserved | | 1184 | aa+bb+cc+dd | Public key attributes (variable length) | | 1184+aa+bb+cc+dd | | End of public key object |
Table 37. Format of the token public key object (Version 1)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for public key object: "PUBK" | | 4 | 2 | Version: EBCDIC '01' | | 6 | 2 | Length of the object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 |
TYPE attribute:
CKK_RSA, CKK_DSA, CKK_EC, or CKK_DH
| | 16 | 8 | Start date for the key, in the format yyyymmdd | | 24 | 8 | End date for the key, in the format yyyymmdd | | 32 | 4 |
Key generate mechanism:
CK_UNAVAILABLE_INFORMATION
| | 36 | 36 | Reserved | | Algorithm-specific
section (RSA) | | 72 | 4 | Length in bits of modulus n | | 76 | 512 | Modulus n | | 588 | 512 | Public exponent e | | Algorithm-specific
section (DSA) | | 72 | 4 | Length in bits of prime p | | 76 | 128 | Reserved | | 204 | 128 | Prime p | | 332 | 128 | Reserved | | 460 | 128 | Base g | | 588 | 128 | Reserved | | 716 | 128 | Value y | | 844 | 20 | Reserved | | 864 | 20 | Subprime q | | 884 | 216 | Reserved | | Algorithm-specific
section (DH) | | 72 | 4 | Length in bits of prime p | | 76 | 256 | Prime p | | 332 | 256 | Base g | | 588 | 256 | Value y | | 844 | 256 | Reserved | | Algorithm-specific
section (EC) | | 72 | 4 | EC params curve constant -
x'00000001' secp192r1
- { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
- { 1 3 132 0 33 }
x'00000003' secp256r1
- { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
- { 1 3 132 0 34 }
x'00000005' secp521r1
- { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
- { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
- { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
- { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
- { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
- { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
- { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
- { 1 3 36 3 3 2 8 1 1 13 }
| | 76 | 128 | Reserved | | 204 | 136 | EC point Q (DER encoded) | | 340 | 760 | Reserved | | Variable length
attribute section | | 1100 | 2 | Length of SUBJECT attribute in bytes (aa) | | 1102 | 2 | Length of ID attribute in bytes (bb) | | 1104 | 2 | Length of LABEL attribute in bytes (cc) | | 1106 | 2 | Length of APPLICATION attribute in bytes (dd) | | 1108 | 20 | Reserved | | 1128 | 4 | Offset of SUBJECT attribute in bytes | | 1132 | 4 | Offset of ID attribute in bytes | | 1136 | 4 | Offset of LABEL attribute in bytes | | 1140 | 4 | Offset of APPLICATION attribute in bytes | | 1144 | 40 | Reserved | | 1184 | aa+bb+cc+dd | Public key attributes (variable length) | | 1184+aa+bb+cc+dd | | End of public key object |
Table 38. Format of the token public key object (Version 2)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for public key object: "PUBK" | | 4 | 2 | Version: EBCDIC '02' | | 6 | 2 | Length of the object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 |
TYPE attribute:
CKK_RSA, CKK_DSA, CKK_EC, or CKK_DH
| | 16 | 8 | Start date for the key, in the format yyyymmdd | | 24 | 8 | End date for the key, in the format yyyymmdd | | 32 | 4 |
Key generate mechanism:
CK_UNAVAILABLE_INFORMATION
| | 36 | 36 | Reserved | | Algorithm-specific
section (RSA) | | 72 | 4 | Length in bits of modulus n | | 76 | 512 | Modulus n | | 588 | 512 | Public exponent e | | Algorithm-specific
section (DSA) | | 72 | 4 | Length in bits of prime p | | 76 | 256 | Prime p | | 332 | 256 | Base g | | 588 | 256 | Value y | | 844 | 8 | Reserved | | 852 | 32 | Subprime q | | 884 | 216 | Reserved | | Algorithm-specific
section (DH) | | 72 | 4 | Length in bits of prime p | | 76 | 256 | Prime p | | 332 | 256 | Base g | | 588 | 256 | Value y | | 844 | 256 | Reserved | | Algorithm-specific
section (EC) | | 72 | 4 | EC params curve constant -
x'00000001' secp192r1
- { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
- { 1 3 132 0 33 }
x'00000003' secp256r1
- { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
- { 1 3 132 0 34 }
x'00000005' secp521r1
- { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
- { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
- { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
- { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
- { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
- { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
- { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
- { 1 3 36 3 3 2 8 1 1 13 }
| | 76 | 128 | Reserved | | 204 | 136 | EC point Q (DER encoded) | | 340 | 760 | Reserved | | Variable length
attribute section | | 1100 | 2 | Length of SUBJECT attribute in bytes (aa) | | 1102 | 2 | Length of ID attribute in bytes (bb) | | 1104 | 2 | Length of LABEL attribute in bytes (cc) | | 1106 | 2 | Length of APPLICATION attribute in bytes (dd) | | 1108 | 20 | Reserved | | 1128 | 4 | Offset of SUBJECT attribute in bytes | | 1132 | 4 | Offset of ID attribute in bytes | | 1136 | 4 | Offset of LABEL attribute in bytes | | 1140 | 4 | Offset of APPLICATION attribute in bytes | | 1144 | 40 | Reserved | | 1184 | aa+bb+cc+dd | Public key attributes (variable length) | | 1184+aa+bb+cc+dd | | End of public key object |
Table 39. Format of the token private key object (Version 0)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for private key object: "PRIV" | | 4 | 2 | Version: EBCDIC '00' | | 6 | 2 | Length of object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 |
Type attribute: CKK_RSA
| | 16 | 8 | Start date for the key (in the format yyyymmdd) | | 24 | 8 | End date for the key (in the format yyyymmdd) | | 32 | 4 |
Key generate mechanism:
CK_UNAVAILABLE_INFORMATION
| | 36 | 36 | Reserved | | 72 | 4 | Length in bits of modulus n | | 76 | 256 | Modulus: modulus n | | 332 | 256 | Reserved | | 588 | 256 | Public exponent e | | 844 | 256 | Reserved | | 1100 | 32 | Reserved | | 1132 | 256 | Private exponent d | | 1388 | 256 | Reserved | | 1644 | 136 | Prime p | | 1780 | 128 | Reserved | | 1908 | 128 | Prime q | | 2036 | 128 | Reserved | | 2172 | 136 | Private exponent d modulo p-1 | | 2300 | 128 | Reserved | | 2428 | 128 | Private exponent d modulo q-1 | | 2556 | 128 | Reserved | | 2684 | 136 | CRT coefficient q-1 mod p | | 2820 | 128 | Reserved | | 2948 | 2 | Length of SUBJECT attribute in bytes (xx) | | 2950 | 2 | Length of ID attribute in bytes (yy) | | 2952 | 2 | Length of LABEL attribute in bytes (zz) | | 2954 | 2 | Length of APPLICATION attribute in bytes (ww) | | 2956 | 20 | Reserved | | 2976 | 4 | Offset of SUBJECT attribute in bytes | | 2980 | 4 | Offset of ID attribute in bytes | | 2984 | 4 | Offset of LABEL attribute in bytes | | 2988 | 4 | Offset of APPLICATION attribute in bytes | | 2992 | 40 | Reserved | | 3032 | xx+yy+zz+ww | Private key attributes (variable length) | | 3032+xx+yy+zz+ww | | End of private key object |
Table 40. Format of the token private key object (Version 1)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for private key object: "PRIV" | | 4 | 2 | Version: EBCDIC '01' | | 6 | 2 | Length of object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 |
Type attribute: CKK_RSA, CKK_DSA,
CKK_EC, or CKK_DH
| | 16 | 8 | Start date for the key (in the format yyyymmdd) | | 24 | 8 | End date for the key (in the format yyyymmdd) | | 32 | 4 |
Key generate mechanism:
CK_UNAVAILABLE_INFORMATION
| | 36 | 36 | Reserved | | Algorithm-specific
section (RSA) | | 72 | 4 | Length in bits of modulus n | | 76 | 512 | Modulus: modulus n | | 588 | 512 | Public exponent e | | 1100 | 32 | Reserved | | 1132 | 512 | Private exponent d | | 1644 | 264 | Prime p | | 1908 | 256 | Prime q | | 2164 | 264 | Private exponent d modulo p-1 | | 2428 | 256 | Private exponent d modulo q-1 | | 2684 | 264 | CRT coefficient q-1 mod p | | Algorithm-specific
section (DSA) | | 72 | 4 | Length in bits of prime p | | 76 | 128 | Reserved | | 204 | 128 | Prime p | | 332 | 128 | Reserved | | 460 | 128 | Base g | | 588 | 236 | Reserved | | 824 | 20 | Value x | | 844 | 20 | Reserved | | 864 | 20 | Subprime q | | 884 | 2064 | Reserved | | Algorithm-specific
section (DH) | | 72 | 4 | Length in bits of prime p | | 76 | 256 | Prime p | | 332 | 256 | Base g | | 588 | 236 | Reserved | | 824 | 20 | Value x | | 844 | 2104 | Reserved | | Algorithm-specific
section (EC) | | 72 | 4 | EC params curve constant -
x'00000001' secp192r1
- { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
- { 1 3 132 0 33 }
x'00000003' secp256r1
- { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
- { 1 3 132 0 34 }
x'00000005' secp521r1
- { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
- { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
- { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
- { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
- { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
- { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
- { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
- { 1 3 36 3 3 2 8 1 1 13 }
| | 76 | 64 | Reserved | | 140 | 66 | Value d | | 206 | 2742 | Reserved | | Variable length
attribute section | | 2948 | 2 | Length of SUBJECT attribute in bytes (xx) | | 2950 | 2 | Length of ID attribute in bytes (yy) | | 2952 | 2 | Length of LABEL attribute in bytes (zz) | | 2954 | 2 | Length of APPLICATION attribute in bytes (ww) | | 2956 | 20 | Reserved | | 2976 | 4 | Offset of SUBJECT attribute in bytes | | 2980 | 4 | Offset of ID attribute in bytes | | 2984 | 4 | Offset of LABEL attribute in bytes | | 2988 | 4 | Offset of APPLICATION attribute in bytes | | 2992 | 40 | Reserved | | 3032 | xx+yy+zz+ww | Private key attributes (variable length) | | 3032+xx+yy+zz+ww | | End of private key object |
Table 41. Format of the token private key object (Version 2)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for private key object: "PRIV" | | 4 | 2 | Version: EBCDIC '02' | | 6 | 2 | Length of object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 |
Type attribute: CKK_RSA, CKK_DSA,
CKK_EC, or CKK_DH
| | 16 | 8 | Start date for the key (in the format yyyymmdd) | | 24 | 8 | End date for the key (in the format yyyymmdd) | | 32 | 4 |
Key generate mechanism:
CK_UNAVAILABLE_INFORMATION
| | 36 | 36 | Reserved | | Algorithm-specific
section (RSA) | | 72 | 4 | Length in bits of modulus n | | 76 | 512 | Modulus: modulus n | | 588 | 512 | Public exponent e | | 1100 | 32 | Reserved | | 1132 | 512 | Private exponent d | | 1644 | 264 | Prime p | | 1908 | 256 | Prime q | | 2164 | 264 | Private exponent d modulo p-1 | | 2428 | 256 | Private exponent d modulo q-1 | | 2684 | 264 | CRT coefficient q-1 mod p | | Algorithm-specific
section (DSA) | | 72 | 4 | Length in bits of prime p | | 76 | 256 | Prime p | | 332 | 256 | Base g | | 588 | 224 | Reserved | | 812 | 32 | Value x | | 844 | 8 | Reserved | | 852 | 32 | Subprime q | | 884 | 2064 | Reserved | | Algorithm-specific
section (DH) | | 72 | 4 | Length in bits of prime p | | 76 | 256 | Prime p | | 332 | 256 | Base g | | 588 | 256 | Value x | | 844 | 4 | Length in bits of value x | | 848 | 2100 | Reserved | | Algorithm-specific
section (EC) | | 72 | 4 | EC params curve constant -
x'00000001' secp192r1
- { 1 2 840 10045 3 1 1 }
x'00000002' secp224r1
- { 1 3 132 0 33 }
x'00000003' secp256r1
- { 1 2 840 10045 3 1 7 }
x'00000004' secp384r1
- { 1 3 132 0 34 }
x'00000005' secp521r1
- { 1 3 132 0 35 }
x'00000006' brainpoolP160r1
- { 1 3 36 3 3 2 8 1 1 1 }
x'00000007' brainpoolP192r1
- { 1 3 36 3 3 2 8 1 1 3 }
x'00000008' brainpoolP224r1
- { 1 3 36 3 3 2 8 1 1 5 }
x'00000009' brainpoolP256r1
- { 1 3 36 3 3 2 8 1 1 7 }
x'0000000A' brainpoolP320r1
- { 1 3 36 3 3 2 8 1 1 9 }
x'0000000B' brainpoolP384r1
- { 1 3 36 3 3 2 8 1 1 11 }
x'0000000C' brainpoolP512r1
- { 1 3 36 3 3 2 8 1 1 13 }
| | 76 | 64 | Reserved | | 140 | 66 | Value d | | 206 | 2742 | Reserved | | Variable length
attribute section | | 2948 | 2 | Length of SUBJECT attribute in bytes (xx) | | 2950 | 2 | Length of ID attribute in bytes (yy) | | 2952 | 2 | Length of LABEL attribute in bytes (zz) | | 2954 | 2 | Length of APPLICATION attribute in bytes (ww) | | 2956 | 20 | Reserved | | 2976 | 4 | Offset of SUBJECT attribute in bytes | | 2980 | 4 | Offset of ID attribute in bytes | | 2984 | 4 | Offset of LABEL attribute in bytes | | 2988 | 4 | Offset of APPLICATION attribute in bytes | | 2992 | 40 | Reserved | | 3032 | xx+yy+zz+ww | Private key attributes (variable length) | | 3032+xx+yy+zz+ww | | End of private key object |
Table 42. Format of the token secret key object (Version 0)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for secret key object: "SECK" | | 4 | 2 | Version: EBCDIC '00' | | 6 | 2 | Length of the object in bytes | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 | Type of key: CKK_DES, CKK_DES2, CKK_DES3, CKK_AES | | 16 | 8 | Start date for the key (in the format yyyymmdd) | | 24 | 8 | End date for the key (in the format yyyymmdd) | | 32 | 4 |
Key generate mechanism
CK_UNAVAILABLE_INFORMATION
| | 36 | 2 | Length of the key in bytes | | 38 | 32 | Reserved | | 70 | 64 | VALUE: value of the key | | 134 | 538 | Reserved | | 672 | 4 | Usage counter field | | 676 | 2 | Reserved | | 678 | 2 | Length of LABEL attribute in bytes (xx) | | 680 | 2 | Length of APPLICATION attribute in bytes (yy) | | 682 | 2 | Length of the ID attribute in bytes (zz) | | 684 | 20 | Reserved | | 704 | 4 | Offset of LABEL attribute in bytes | | 708 | 4 | Offset of APPLICATION attribute in bytes | | 712 | 4 | Offset of the ID attribute in bytes | | 716 | 40 | Reserved | | 756 | xx+yy+zz | Secret key attributes (variable length) | | 756+xx+yy+zz | | End of secret key object |
Table 43. Format of the token secret key object (Version 1)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for secret key object: "SECK" | | 4 | 2 | Version: EBCDIC '01' | | 6 | 2 | Length of the object in bytes | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 | Type of key:
CKK_DES, CKK_DES2, CKK_DES3,
CKK_BLOWFISH, CKK_RC4, CKK_GENERIC_SECRET, and CKK_AES. | | 16 | 8 | Start date for the key (in the format yyyymmdd) | | 24 | 8 | End date for the key (in the format yyyymmdd) | | 32 | 4 |
Key generate mechanism
CK_UNAVAILABLE_INFORMATION
| | 36 | 2 | Length of the key in bytes | | 38 | 32 | Reserved | | 70 | 256 | VALUE: value of the key | | 326 | 346 | Reserved | | 672 | 4 | Usage counter field | | 676 | 2 | Reserved | | 678 | 2 | Length of LABEL attribute in bytes (xx) | | 680 | 2 | Length of APPLICATION attribute in bytes (yy) | | 682 | 2 | Length of the ID attribute in bytes (zz) | | 684 | 20 | Reserved | | 704 | 4 | Offset of LABEL attribute in bytes | | 708 | 4 | Offset of APPLICATION attribute in bytes | | 712 | 4 | Offset of the ID attribute in bytes | | 716 | 40 | Reserved | | 756 | xx+yy+zz | Secret key attributes (variable length) | | 756+xx+yy+zz | | End of secret key object |
Table 44. Format of the token domain parameters object (Version 1)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for token domain object: "DOMP" | | 4 | 2 | Version: EBCDIC '01' | | 6 | 2 | Length of the object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 | TYPE attribute: CKK_DSA or CKK_DH | | 16 | 28 | Reserved | | Algorithm-specific
section (DSA) | | 44 | 4 | Length in bits of prime p | | 48 | 128 | Reserved | | 176 | 128 | Prime p | | 304 | 128 | Reserved | | 432 | 128 | Base g | | 560 | 20 | Reserved | | 580 | 20 | Subprime q | | 600 | 636 | Reserved | | Algorithm-specific
section (DH) | | 44 | 4 | Length in bits of prime p | | 48 | 4 | Reserved | | 52 | 256 | Prime p | | 308 | 256 | Reserved | | 564 | 256 | Base g | | 820 | 416 | Reserved | | Variable length attribute section | | 1236 | 2 | Length of LABEL attribute in bytes (aa) | | 1238 | 2 | Length of APPLICATION attribute in bytes (bb) | | 1240 | 20 | Reserved | | 1260 | 4 | Offset of LABEL attribute in bytes | | 1264 | 4 | Offset of APPLICATION attribute in bytes | | 1268 | 40 | Reserved | | 1308 | aa+bb | Domain parameters attributes (variable length) | | 1308+aa+bb | | End of domain parameters object |
Table 45. Format of the token domain parameters object (Version 2)|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for token domain object: "DOMP" | | 4 | 2 | Version: EBCDIC '02' | | 6 | 2 | Length of the object (in bytes) | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 | TYPE attribute: CKK_DSA or CKK_DH | | 16 | 28 | Reserved | | Algorithm-specific
section (DSA) | | 44 | 4 | Length in bits of prime p | | 48 | 256 | Prime p | | 304 | 256 | Base g | | 560 | 8 | Reserved | | 568 | 32 | Subprime q | | 600 | 636 | Reserved | | Algorithm-specific
section (DH) | | 44 | 4 | Length in bits of prime p | | 48 | 4 | Reserved | | 52 | 256 | Prime p | | 308 | 256 | Reserved | | 564 | 256 | Base g | | 820 | 416 | Reserved | | Variable length attribute section | | 1236 | 2 | Length of LABEL attribute in bytes (aa) | | 1238 | 2 | Length of APPLICATION attribute in bytes (bb) | | 1240 | 20 | Reserved | | 1260 | 4 | Offset of LABEL attribute in bytes | | 1264 | 4 | Offset of APPLICATION attribute in bytes | | 1268 | 40 | Reserved | | 1308 | aa+bb | Domain parameters attributes (variable length) | | 1308+aa+bb | | End of domain parameters object |
Table 46. Format of the token data object|
Offset (decimal)
188 +
| Length of field (bytes) | Description |
|---|
| Object header | | 0 | 4 | Eye catcher for data object: "DATA" | | 4 | 2 | Version: EBCDIC '00' | | 6 | 2 | Length of object, in bytes | | 8 | 4 | Flags (see Table 34) | | Object type-specific
section | | 12 | 4 | Reserved for IBM's use | | 16 | 28 | Reserved for IBM's use | | 44 | 2 | Length of VALUE attribute in bytes (aa) | | 46 | 2 | Length of OBJECT_ID attribute in bytes (bb) | | 48 | 2 | Length of LABEL attribute in bytes (cc) | | 50 | 2 | Length of APPLICATION attribute in bytes (dd) | | 52 | 2 | Length of ID attribute in bytes (ee) | | 54 | 22 | Reserved for IBM's use | | 76 | 4 | Offset of VALUE attribute in bytes | | 80 | 4 | Offset of OBJECT_ID attribute in bytes | | 84 | 4 | Offset of LABEL attribute in bytes | | 88 | 4 | Offset of APPLICATION attribute in bytes | | 92 | 4 | Offset of ID attribute in bytes | | 96 | 44 | Reserved for IBM's use | | 140 | aa + bb + cc + dd + ee | Data attributes (variable length) | | 140 + aa + bb + cc + dd + ee | | End of data object |
|
z/OS Cryptographic Services ICSF System Programmer's Guide
Copyright IBM Corporation 1990, 2014