PKA_Key_Generate CCA Release 2.54
Note: When using the RETAINED key option, the key label supplied in the
skeleton key-token references the key storage within the Coprocessor, and in this
case must not reference a record in the host-system key-storage.
The rule-array keyword CLONE flags a generated and retained RSA private key as
usable in an engine “cloning” process. Cloning is a technique for copying sensitive
Coprocessor information from one Coprocessor to another. (See “Understanding
and Managing Master Keys” on page 2-12.)
If you include a public-key certificate section within the skeleton key token, you
cause the cryptographic engine to sign a certificate with the key that is designated
in the public-key certificate signature subsection. Using this technique, you can
cause the cryptographic engine to sign the newly generated public key using
another key that has been retained within the engine, including the newly generated
key (producing a “self-signature”). You can obtain more than one signature on the
public key when you include multiple signature subsections in the skeleton key
token. See “RSA Public-Key Certificate Section” on page B-17.
Note: The verb will return a “section X'06'” private-key token format when you
request a modulus-exponent internal key even though you have specified a type
X'02' skeleton token.
Restrictions
1. Not all IBM implementations of CCA may support a CRT form of the RSA
private key; check the product-specific literature. The IBM 4758 product family
implementation supports an optimized RSA private key (a key in “Chinese
Remainder” form). The formats vary between versions.
2. See “RSA PKA Key-Tokens” on page B-6 for the formats used when
generating the various forms of key token.
3. When generating a key for use with ANSI X9.31 digital signatures, the
modulus-length (key-length) must be one of 1024, 1280, 1536, 1792, or 2048
bits.
4. The key label used for a Retained key must not exist in the external key
storage held on DASD.
Format
CSNDPKG
return_code                       Output     Integer
reason_code                       Output     Integer
exit_data_length                  In/Output  Integer
exit_data                         In/Output  String        exit_data_length bytes
rule_array_count                  Input      Integer       one or two
rule_array                        Input      String array  rule_array_count * 8 bytes
regeneration_data_length          Input      Integer
regeneration_data                 Input      String        regeneration_data_length bytes
skeleton_key_token_length         Input      Integer
skeleton_key_token                Input      String        skeleton_key_token_length bytes
transport_key_identifier          Input      String        64 bytes
generated_key_identifier_length   In/Output  Integer
generated_key_identifier          In/Output  String        generated_key_identifier_length bytes
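The following is an added example, not code from the IBM manual or the CCA library. It shows how a caller prepares the parameter list above: packing rule-array keywords into 8-byte space-padded entries (one or two of them), checking the X9.31 modulus-length restriction before the call, and driving the verb through its parameter list. It assumes the C binding passes integers as `long *` and strings as `unsigned char *`; the entry point is taken as a function pointer so the file builds without the CCA library, and `fake_csndpkg` is a constructed stand-in that only mimics the parameter checks. The keyword RETAIN is assumed to be the spelling of the retained-key option mentioned in the text; CLONE is from the page.

```c
/* Added example (not IBM's code): preparing a CSNDPKG call. */
#include <stdio.h>
#include <string.h>

/* Assumed C binding of the parameter list shown under "Format". */
typedef void (*csndpkg_fn)(long *return_code, long *reason_code,
                           long *exit_data_length, unsigned char *exit_data,
                           long *rule_array_count, unsigned char *rule_array,
                           long *regeneration_data_length, unsigned char *regeneration_data,
                           long *skeleton_key_token_length, unsigned char *skeleton_key_token,
                           unsigned char *transport_key_identifier,
                           long *generated_key_identifier_length,
                           unsigned char *generated_key_identifier);

#define RULE_KW_LEN 8   /* each rule_array entry is 8 bytes */
#define RULE_MAX    2   /* rule_array_count is "one or two" */

/* Pack keywords into the rule array: 8 bytes each, left-justified, space-padded.
 * Returns the keyword count, or -1 if the count or a keyword length is invalid. */
int build_rule_array(const char *const *keywords, int n,
                     unsigned char out[RULE_MAX * RULE_KW_LEN])
{
    if (n < 1 || n > RULE_MAX) return -1;
    memset(out, ' ', RULE_MAX * RULE_KW_LEN);
    for (int i = 0; i < n; i++) {
        size_t len = strlen(keywords[i]);
        if (len == 0 || len > RULE_KW_LEN) return -1;
        memcpy(out + i * RULE_KW_LEN, keywords[i], len);
    }
    return n;
}

/* Restriction 3: modulus lengths permitted for ANSI X9.31 signature keys. */
int x931_modulus_length_ok(long bits)
{
    static const long allowed[] = {1024, 1280, 1536, 1792, 2048};
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (allowed[i] == bits) return 1;
    return 0;
}

/* Issue one PKA_Key_Generate call through the supplied entry point.
 * Returns return_code; *reason receives reason_code and *out_len the token length.
 * transport_key may be NULL (e.g. retained key); a zeroed 64-byte field is passed then.
 * No regeneration data is supplied (length 0). */
long pka_key_generate(csndpkg_fn fn, unsigned char *rule_array, long rule_count,
                      unsigned char *skeleton, long skeleton_len,
                      const unsigned char *transport_key,
                      unsigned char *out_token, long *out_len, long *reason)
{
    long rc = 0, rs = 0, exit_len = 0, regen_len = 0;
    unsigned char exit_data[4] = {0}, regen_data[1] = {0}, tk[64] = {0};
    if (transport_key) memcpy(tk, transport_key, sizeof tk);
    fn(&rc, &rs, &exit_len, exit_data, &rule_count, rule_array, &regen_len, regen_data,
       &skeleton_len, skeleton, tk, out_len, out_token);
    if (reason) *reason = rs;
    return rc;
}

/* Constructed test double standing in for the library's CSNDPKG: it checks only
 * the counts and lengths visible in "Format" and returns a fake 16-byte token
 * whose first 8 bytes echo the first rule-array keyword. */
static void fake_csndpkg(long *rc, long *rs, long *exit_len, unsigned char *exit_data,
                         long *rule_count, unsigned char *rule_array, long *regen_len,
                         unsigned char *regen, long *skel_len, unsigned char *skel,
                         unsigned char *tk, long *out_len, unsigned char *out)
{
    (void)exit_len; (void)exit_data; (void)regen_len; (void)regen; (void)tk; (void)skel;
    if (*rule_count < 1 || *rule_count > RULE_MAX || *skel_len < 1 || *out_len < 16) {
        *rc = 8; *rs = 1;                 /* constructed failure codes, not CCA's */
        return;
    }
    memset(out, 0xA5, 16);                /* placeholder token bytes */
    memcpy(out, rule_array, RULE_KW_LEN);
    *out_len = 16; *rc = 0; *rs = 0;
}

int main(void)
{
    const char *const kw[] = {"RETAIN", "CLONE"};   /* RETAIN assumed, CLONE from the page */
    unsigned char rule[RULE_MAX * RULE_KW_LEN], skel[8] = {0x1e, 0, 0, 8, 0, 0, 0, 0};
    unsigned char token[64]; long token_len = sizeof token, reason = 0;
    long count = build_rule_array(kw, 2, rule);
    if (count < 0 || !x931_modulus_length_ok(2048)) return 1;
    long rc = pka_key_generate(fake_csndpkg, rule, count, skel, sizeof skel,
                               NULL, token, &token_len, &reason);
    printf("rc=%ld reason=%ld token_len=%ld\n", rc, reason, token_len);
    return rc != 0;
}
```

The skeleton bytes in `main` are constructed filler; a real call needs a skeleton key token in one of the formats described in "RSA PKA Key-Tokens", and the generated token is returned in place through `generated_key_identifier` with its length updated, which is why the wrapper passes `out_len` as an In/Output pointer.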
3-8 IBM 4758 CCA Basic Services, Release 2.54, February 2005