RSA Public Key Token
An RSA public key token contains the following sections:
- A required token header, starting with the token identifier X'1E'
- A required RSA public key section, starting with the section identifier X'04'
Table 58 presents the format of an RSA public key
token. All length fields are in binary. All binary fields (exponents,
lengths, and so on) are stored with the high-order byte first (left,
low-address, S/390 format).
Table 58. RSA Public Key Token| Offset (Dec) | Number of Bytes | Description |
|---|
| Token Header (required) | | 000 | 001 | Token identifier. X'1E' indicates
an external token. | | 001 | 001 | Version, X'00'. | | 002 | 002 | Length of the key token structure. | | 004 | 004 | Ignored. Should be zero. | | RSA Public Key Section (required) | | 000 | 001 | X'04', section identifier,
RSA public key. | | 001 | 001 | X'00', version. | | 002 | 002 | Section length, 12+xxx+yyy. | | 004 | 002 | Reserved field. | | 006 | 002 | RSA public key exponent field length
in bytes, "xxx". | | 008 | 002 | Public key modulus length in bits. | | 010 | 002 | RSA public key modulus field length
in bytes, "yyy". | | 012 | xxx | Public key exponent (this is generally
a 1-, 3-, or 64- to 512-byte quantity), e. e must be odd
and 1<e<n. (Frequently, the value of e is 16+1) | | 12+xxx | yyy | Modulus, n. | RSA Private External Key Token
An RSA private external key token contains the following sections:
- A required PKA token header starting with the token identifier X'1E'
- A required RSA private key section starting with one of the following
section identifiers:
- X'02' which indicates a modulus-exponent form RSA private
key section (not optimized) with modulus length of up to 1024 bits
for use with the Cryptographic Coprocessor Feature or the PCI Cryptographic Coprocessor.
- X'08' which indicates an optimized Chinese Remainder Theorem
form private key section with modulus bit length of up to 4096 bits
for use with the PCICC, PCIXCC, CEX2C, or CEX3C.
- X'09' which indicates a modulus-exponent form RSA private
key section (not optimized) with modulus length of up to 4096 bits
for use with the CEX2C or CEX3C.
- A required RSA public key section, starting with the section identifier X'04'
- An optional private key name section, starting with the section
identifier X'10'
Table 59 presents the basic record format of an RSA
private external key token. All length fields are in binary. All binary
fields (exponents, lengths, and so on) are stored with the high-order
byte first (left, low-address, S/390 format). All binary fields (exponents,
modulus, and so on) in the private sections of tokens are right-justified
and padded with zeros to the left.
Table 59. RSA Private External Key Token Basic Record Format| Offset (Dec) | Number of Bytes | Description |
|---|
| Token Header (required) | | 000 | 001 | Token identifier. X'1E' indicates
an external token. The private key is either in cleartext or enciphered
with a transport key-encrypting key. | | 001 | 001 | Version, X'00'. | | 002 | 002 | Length of the key token structure. | | 004 | 004 | Ignored. Should be zero. | | RSA Private Key Section (required)
| | RSA Public Key Section (required) | | 000 | 001 | X'04', section identifier,
RSA public key. | | 001 | 001 | X'00', version. | | 002 | 002 | Section length, 12+xxx. | | 004 | 002 | Reserved field. | | 006 | 002 | RSA public key exponent field length
in bytes, "xxx". | | 008 | 002 | Public key modulus length in bits. | | 010 | 002 | RSA public key modulus field length
in bytes, which is zero for a private token.
Note:
In an
RSA private key token, this field should be zero. The RSA private
key section contains the modulus. | | 012 | xxx | Public key exponent, e (this is generally
a 1-, 3-, or 64- to 512-byte quantity). e must be odd and
1<e<n. (Frequently, the value of e is 16+1 (=65,537). | | Private Key Name (optional) | | 000 | 001 | X'10', section identifier,
private key name. | | 001 | 001 | X'00', version. | | 002 | 002 | Section length, X'0044' (68
decimal). | | 004 | 064 | Private key name (in ASCII), left-justified,
padded with space characters (X'20'). An access control system
can use the private key name to verify that the calling application
is entitled to use the key. | RSA Private Key Token, 1024-bit Modulus-Exponent External Form
This RSA private key token and the external X'02' token
is supported on the Cryptographic Coprocessor Feature and PCI Cryptographic Coprocessor.
Table 60. RSA Private Key Token, 1024-bit Modulus-Exponent External Format| Offset (Dec) | Number of Bytes | Description |
|---|
| 000 | 001 | X'02', section identifier,
RSA private key, modulus-exponent format (RSA-PRIV) | | 001 | 001 | X'00', version. | | 002 | 002 | Length of the RSA private key section X'016C' (364
decimal). | | 004 | 020 | SHA-1 hash value of the private key
subsection cleartext, offset 28 to the section end. This hash value
is checked after an enciphered private key is deciphered for use. | | 024 | 004 | Reserved; set to binary zero. | | 028 | 001 | Key format and security:
- X'00'
- Unencrypted RSA private key subsection identifier.
- X'82'
- Encrypted RSA private key subsection identifier.
| | 029 | 001 | Reserved, binary zero. | | 030 | 020 | SHA-1 hash of the optional key-name
section. If there is no key-name section, then 20 bytes of X'00'. | | 050 | 004 | Key use flag bits.
- Bit
- Meaning When Set On
- 0
- Key management usage permitted.
- 1
- Signature usage not permitted.
- 6
- The key is translatable.
All other bits reserved, set to binary zero. | | 054 | 006 | Reserved; set to binary zero. | | 060 | 024 | Reserved; set to binary zero. | | 084 | Start
of the optionally-encrypted secure subsection. | | 084 | 024 | Random number, confounder. | | 108 | 128 | Private-key exponent, d. -1 mod((p-1)(q-1)), and 1<d<n
where e is the public exponent. | | End
of the optionally-encrypted subsection; the confounder field and the
private-key exponent field are enciphered for key confidentiality
when the key format and security flags (offset 28) indicate that the
private key is enciphered. They are enciphered under a double-length
transport key using the ede2 algorithm. | | 236 | 128 | Modulus, n. n=pq where p and q are
prime and 1024. | RSA Private Key Token, 4096-bit Modulus-Exponent External Form
This RSA private key token and the external X'09' token
is supported on the Crypto Express2 Coprocessor and Crypto Express3
Coprocessor.
Table 61. RSA Private Key Token, 4096-bit Modulus-Exponent External Format| Offset (Dec) | Number of Bytes | Description |
|---|
| 000 | 001 | X'09', section identifier,
RSA private key, modulus-exponent format (RSAMEVAR). | | 001 | 001 | X'00', version. | | 002 | 002 | Length of the RSA private key section
132+ddd+nnn+xxx. | | 004 | 020 | SHA-1 hash value of the private key
subsection cleartext, offset 28 to the section end. This hash value
is checked after an enciphered private key is deciphered for use. | | 024 | 002 | Length of the encrypted private key
section 8+ddd+xxx. | | 026 | 002 | Reserved; set to binary zero. | | 028 | 001 | Key format and security:
- X'00'
- Unencrypted RSA private key subsection identifier.
- X'82'
- Encrypted RSA private key subsection identifier.
| | 029 | 001 | Reserved, set to binary zero. | | 030 | 020 | SHA-1 hash of the optional key-name
section. If there is no key-name section, then 20 bytes of X'00'. | | 050 | 001 | Key use flag bits.
- Bit
- Meaning When Set On
- 0
- Key management usage permitted.
- 1
- Signature usage not permitted.
- 6
- The key is translatable
All other bits reserved, set to binary zero. | | 051 | 001 | Reserved; set to binary zero. | | 052 | 048 | Reserved; set to binary zero. | | 100 | 016 | Reserved; set to binary zero. | | 116 | 002 | Length of private exponent, d, in
bytes: ddd. | | 118 | 002 | Length of modulus, n, in bytes: nnn. | | 120 | 002 | Length of padding field, in bytes:
xxx. | | 122 | 002 | Reserved; set to binary zero. | | 124 | Start
of the optionally-encrypted secure subsection. | | 124 | 008 | Random number, confounder. | | 132 | ddd | Private-key exponent, d. -1 mod((p-1)(q-1)), and 1<d<n
where e is the public exponent. | | 132+ddd | xxx | X'00' padding of length xxx
bytes such that the length from the start of the random number above
to the end of the padding field is a multiple of eight bytes. | | End
of the optionally-encrypted subsection; the confounder field and the
private-key exponent field are enciphered for key confidentiality
when the key format and security flags (offset 28) indicate that the
private key is enciphered. They are enciphered under a double-length
transport key using the ede2 algorithm. | | 132+ddd+xxx | nnn | Modulus, n. n=pq where p and q are
prime and 4096. | RSA Private Key Token, 4096-bit Chinese Remainder Theorem External
Form
This RSA private key token (up to 2048-bit modulus) is supported
on the PCICC, PCIXCC, CEX2C, or CEX3C. The 4096-bit modulus
private key token is supported on the z9 EC, z9 BC, z10 EC and z10
BC with the Nov. 2007 or later version of the licensed internal
code installed on the CEX2C or CEX3C.
Table 62. RSA Private Key Token, 4096-bit Chinese Remainder Theorem External Format| Offset (Dec) | Number of Bytes | Description |
|---|
| 000 | 001 | X'08', section identifier,
RSA private key, CRT format (RSA-CRT) | | 001 | 001 | X'00', version. | | 002 | 002 | Length of the RSA private-key section,
132 + ppp + qqq + rrr + sss + uuu + xxx + nnn. | | 004 | 020 | SHA-1 hash value of the private key
subsection cleartext, offset 28 to the end of the modulus. | | 024 | 004 | Reserved; set to binary zero. | | 028 | 001 | Key format and security:
- X'40'
- Unencrypted RSA private-key subsection identifier, Chinese Remainder
form.
- X'42'
- Encrypted RSA private-key subsection identifier, Chinese Remainder
form.
| | 029 | 001 | Reserved; set to binary zero. | | 030 | 020 | SHA-1 hash of the optional key-name
section and any following optional sections. If there are no optional
sections, then 20 bytes of X'00'. | | 050 | 004 | Key use flag bits.
- Bit
- Meaning When Set On
- 0
- Key management usage permitted.
- 1
- Signature usage not permitted.
- 6
- The key is translatable.
All other bits reserved, set to binary zero. | | 054 | 002 | Length of prime number, p, in bytes:
ppp. | | 056 | 002 | Length of prime number, q, in bytes:
qqq. | | 058 | 002 | Length of dp,
in bytes: rrr. | | 060 | 002 | Length of dq,
in bytes: sss. | | 062 | 002 | Length of U, in bytes: uuu. | | 064 | 002 | Length of modulus, n, in bytes: nnn. | | 066 | 004 | Reserved; set to binary zero. | | 070 | 002 | Length of padding field, in bytes:
xxx. | | 072 | 004 | Reserved, set to binary zero. | | 076 | 016 | Reserved, set to binary zero. | | 092 | 032 | Reserved; set to binary zero. | | 124 | Start
of the optionally-encrypted secure subsection. | | 124 | 008 | Random number, confounder. | | 132 | ppp | Prime number, p. | | 132 + ppp | qqq | Prime number, q | | 132 + ppp + qqq | rrr | dp = d
mod(p - 1) | | 132 + ppp + qqq + rrr | sss | dq = d
mod(q - 1) | | 132 + ppp + qqq + rrr + sss | uuu | U = q –1mod(p). | | 132 + ppp + qqq + rrr + sss + uuu | xxx | X'00' padding of length xxx
bytes such that the length from the start of the random number above
to the end of the padding field is a multiple of eight bytes. | | End
of the optionally-encrypted secure subsection; all of the fields starting
with the confounder field and ending with the variable length pad
field are enciphered for key confidentiality when the key format-and-security
flags (offset 28) indicate that the private key is enciphered. They
are enciphered under a double-length transport key using the TDES
(CBC outer chaining) algorithm. | | 132 + ppp + qqq + rrr + sss + uuu
+ xxx | nnn | Modulus, n. n = pq where p and q
are prime and | RSA Private Internal Key Token
An RSA private internal key token contains the following sections:
- A required PKA token header, starting with the token identifier X'1F'
- basic record format of an RSA private internal key token. All
length fields are in binary. All binary fields (exponents, lengths,
and so on) are stored with the high-order byte first (left, low-address, S/390
format). All binary fields (exponents, modulus, and so on) in the
private sections of tokens are right-justified and padded with zeros
to the left.
Table 63. RSA Private Internal Key Token Basic Record Format| Offset (Dec) | Number of Bytes | Description |
|---|
| Token Header (required) | | 000 | 001 | Token identifier. X'1F' indicates
an internal token. The private key is enciphered with a PKA master
key. | | 001 | 001 | Version, X'00'. | | 002 | 002 | Length of the key token structure
excluding the internal information section. | | 004 | 004 | Ignored; should be zero. | | RSA Private Key Section and Secured Subsection
(required)
| | RSA Public Key Section (required) | | 000 | 001 | X'04', section identifier,
RSA public key. | | 001 | 001 | X'00', version. | | 002 | 002 | Section length, 12+xxx. | | 004 | 002 | Reserved field. | | 006 | 002 | RSA public key exponent field length
in bytes, "xxx". | | 008 | 002 | Public key modulus length in bits. | | 010 | 002 | RSA public key modulus field length
in bytes, which is zero for a private token. | | 012 | xxx | Public key exponent (this is generally
a 1, 3, or 64 to 512 byte quantity), e. e must be odd and
1<e<n. (Frequently, the value of e is 16+1 (=65,537). | | Private Key Name (optional) | | 000 | 001 | X'10', section identifier,
private key name. | | 001 | 001 | X'00', version. | | 002 | 002 | Section length, X'0044' (68
decimal). | | 004 | 064 | Private key name (in ASCII), left-justified,
padded with space characters (X'20'). An access control system
can use the private key name to verify that the calling application
is entitled to use the key. | | Internal Information Section (required) | | 000 | 004 | Eye catcher 'PKTN'. | | 004 | 004 | PKA token type.
- Bit
- Meaning When Set On
- 0
- RSA key.
- 1
- DSS key.
- 2
- Private key.
- 3
- Public key.
- 4
- Private key name section exists.
- 5
- Private key unenciphered.
- 6
- Blinding information present.
- 7
- Retained private key.
| | 008 | 004 | Address of token header. | | 012 | 002 | Total length of total structure including
this information section. | | 014 | 002 | Count of number of sections. | | 016 | 016 | PKA master key hash pattern. | | 032 | 001 | Domain of retained key. | | 033 | 008 | Serial number of processor holding
retained key. | | 041 | 007 | Reserved. | RSA Private Key Token, 1024-bit Modulus-Exponent Internal Form
for Cryptographic Coprocessor Feature
Table 64. RSA Private Internal Key Token, 1024-bit ME Form for Cryptographic Coprocessor Feature| Offset (Dec) | Number of Bytes | Description |
|---|
| 000 | 001 | X'02', section identifier,
RSA private key. | | 001 | 001 | X'00', version. | | 002 | 002 | Length of the RSA private key section X'016C' (364
decimal). | | 004 | 020 | SHA-1 hash value of the private key
subsection cleartext, offset 28 to the section end. This hash value
is checked after an enciphered private key is deciphered for use. | | 024 | 004 | Reserved; set to binary zero. | | 028 | 001 | Key format and security:
- X'02'
- RSA private key.
| | 029 | 001 | Format of external key from which
this token was derived:
- X'21'
- External private key was specified in the clear.
- X'22'
- External private key was encrypted.
| | 030 | 020 | SHA-1 hash of the key token structure
contents that follow the public key section. If no sections follow,
this field is set to binary zeros. | | 050 | 001 | Key use flag bits.
- Bit
- Meaning When Set On
- 0
- Key management usage permitted.
- 1
- Signature usage not permitted.
All other bits reserved, set to binary zero. | | 051 | 009 | Reserved; set to binary zero. | | 060 | 048 | Object Protection Key (OPK) encrypted
under a PKA master key—can be under the Signature Master Key
(SMK) or Key Management Master Key (KMMK) depending on key use. | | 108 | 128 | Secret key exponent d, encrypted
under the OPK. -1 mod((p-1)(q-1)) | | 236 | 128 | Modulus, n. n=pq where p and q are
prime and 1024. | RSA Private Key Token, 1024-bit Modulus-Exponent Internal Form
for PCICC, PCIXCC, CEX2C, or CEX3C
Table 65. RSA Private Internal Key Token, 1024-bit ME Form for PCICC, PCIXCC, CEX2C, or CEX3C| Offset (Dec) | Number of Bytes | Description |
|---|
| 000 | 001 | X'06', section identifier,
RSA private key modulus-exponent format (RSA-PRIV). | | 001 | 001 | X'00', version. | | 002 | 002 | Length of the RSA private key section X'0198' (408
decimal) + rrr + iii + xxx. | | 004 | 020 | SHA-1 hash value of the private key
subsection cleartext, offset 28 to and including the modulus at offset
236. | | 024 | 004 | Reserved; set to binary zero. | | 028 | 001 | Key format and security:
- X'02'
- RSA private key.
| | 029 | 001 | Format of external key from which
this token was derived:
- X'21'
- External private key was specified in the clear.
- X'22'
- External private key was encrypted.
- X'23'
- Private key was generated using regeneration data.
- X'24'
- Private key was randomly generated.
| | 030 | 020 | SHA-1 hash of the optional key-name
section and any following optional sections. If there are no optional
sections, this field is set to binary zeros. | | 050 | 004 | Key use flag bits.
- Bit
- Meaning When Set On
- 0
- Key management usage permitted.
- 1
- Signature usage not permitted.
All other bits reserved, set to binary zeros. | | 054 | 006 | Reserved; set to binary zero. | | 060 | 048 | Object Protection Key (OPK) encrypted
under the Asymmetric Keys Master Key using the ede3 algorithm. | | 108 | 128 | Private key exponent d, encrypted
under the OPK using the ede5 algorithm. and 1<d<n
where e is the public exponent. | | 236 | 128 | Modulus, n. n=pq where p and q are
prime and . | | 364 | 016 | Asymmetric-Keys Master Key hash pattern. | | 380 | 020 | SHA-1 hash value of the blinding
information subsection cleartext, offset 400 to the end of the section. | | 400 | 002 | Length of the random number r, in
bytes: rrr. | | 402 | 002 | Length of the random number in bytes: iii. | | 404 | 002 | Length of the padding field, in bytes:
xxx. | | 406 | 002 | Reserved; set to binary zeros. | | 408 | Start
of the encrypted blinding subsection | | 408 | rrr | Random number r (used in blinding). | | 408 + rrr | iii | Random number (used
in blinding). | | 408 + rrr + iii | xxx | X'00' padding of length xxx
bytes such that the length from the start of the encrypted blinding
subsection to the end of the padding field is a multiple of eight
bytes. | | End
of the encrypted blinding subsection; all of the fields starting with
the random number r and ending with the variable length pad field
are encrypted under the OPK using TDES (CBC outer chaining) algorithm. | RSA Private Key Token, 4096-bit Chinese Remainder Theorem Internal
Form
This RSA private key token (up to 2048-bit modulus) is supported
on the PCICC, PCIXCC, CEX2C, or CEX3C. The 4096-bit modulus
private key token is supported on the z9 EC, z9 BC, z10 EC, z10
BC, or z196 with the Nov. 2007 or later
version of the licensed internal code installed on the CEX2C or
CEX3C.
Table 66. RSA Private Internal Key Token, 4096-bit Chinese Remainder Theorem Internal Format| Offset (Dec) | Number of Bytes | Description |
|---|
| 000 | 001 | X'08', section identifier,
RSA private key, CRT format (RSA-CRT) | | 001 | 001 | X'00', version. | | 002 | 002 | Length of the RSA private-key section,
132 + ppp + qqq + rrr + sss + uuu + ttt + iii + xxx + nnn. | | 004 | 020 | SHA-1 hash value of the private-key
subsection cleartext, offset 28 to the end of the modulus. | | 024 | 004 | Reserved; set to binary zero. | | 028 | 001 | Key format and security:
- X'08'
- Encrypted RSA private-key subsection identifier, Chinese Remainder
form.
| | 029 | 001 | Key derivation method:
- X'21'
- External private key was specified in the clear.
- X'22'
- External private key was encrypted.
- X'23'
- Private key was generated using regeneration data.
- X'24'
- Private key was randomly generated.
| | 030 | 020 | SHA-1 hash of the optional key-name
section and any following sections. If there are no optional sections,
then 20 bytes of X'00'. | | 050 | 004 | Key use flag bits:
- Bit
- Meaning When Set On
- 0
- Key management usage permitted.
- 1
- Signature usage not permitted.
All other bits reserved, set to binary zero. | | 054 | 002 | Length of prime number, p, in bytes:
ppp. | | 056 | 002 | Length of prime number, q, in bytes:
qqq. | | 058 | 002 | Length of dp,
in bytes: rrr. | | 060 | 002 | Length of dq,
in bytes: sss. | | 062 | 002 | Length of U, in bytes: uuu. | | 064 | 002 | Length of modulus, n, in bytes: nnn. | | 066 | 002 | Length of the random number r, in
bytes: ttt. | | 068 | 002 | Length of the random number in bytes: iii. | | 070 | 002 | Length of padding field, in bytes:
xxx. | | 072 | 004 | Reserved, set to binary zero. | | 076 | 016 | Asymmetric-Keys Master Key hash pattern. | | 092 | 032 | Object Protection Key (OPK) encrypted
under the Asymmetric-Keys Master Key using the TDES (CBC outer chaining)
algorithm. | | 124 | Start
of the encrypted secure subsection, encrypted under the OPK using
TDES (CBC outer chaining). | | 124 | 008 | Random number, confounder. | | 132 | ppp | Prime number, p. | | 132 + ppp | qqq | Prime number, q | | 132 + ppp + qqq | rrr | dp = d
mod(p - 1) | | 132 + ppp + qqq + rrr | sss | dq = d
mod(q - 1) | | 132 + ppp + qqq + rrr + sss | uuu | U = –1mod(p). | | 132 + ppp + qqq + rrr + sss + uuu | ttt | Random number r (used in blinding). | | 132 + ppp + qqq + rrr + sss + uuu
+ ttt | iii | Random number –1 (used
in blinding). | | 132 + ppp + qqq + rrr + sss + uuu
+ ttt + iii | xxx | X'00' padding of length xxx
bytes such that the length from the start of the confounder at offset
124 to the end of the padding field is a multiple of eight bytes. | | End
of the encrypted secure subsection; all of the fields starting with
the confounder field and ending with the variable length pad field
are encrypted under the OPK using TDES (CBC outer chaining) for key
confidentiality. | | 132 + ppp + qqq + rrr + sss + uuu
+ ttt + iii + xxx | nnn | Modulus, n. n = pq where p and q
are prime and |
|
z/OS Cryptographic Services ICSF System Programmer's Guide
Copyright IBM Corporation 1990, 2014