IBM Crypto Education Community

Expand all | Collapse all

using just the RSA keys without certificate wrappers

  • 1.  using just the RSA keys without certificate wrappers

    Posted Thu February 15, 2024 10:39 AM

    I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

    One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

    Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

    Mulitiple Clear Key Import does not work on RSA keys.

    Guidance on how to make this happen would very much be appreciated.

    Thanks,



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 2.  RE: using just the RSA keys without certificate wrappers

    Posted Thu February 15, 2024 10:53 AM

    CSNDSYX will accept 

    • an RSA public key token or key label
    • an RSA private key token or key label
    • an X.509 certificate containing the RSA public key


    ------------------------------
    Eleanor Chan
    ------------------------------



  • 3.  RE: using just the RSA keys without certificate wrappers

    Posted Thu February 15, 2024 11:03 PM

    Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

    Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

    Thanks,

    Mark



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 4.  RE: using just the RSA keys without certificate wrappers

    Posted Thu February 15, 2024 11:08 PM

    I believe that PKA Key Token Build (CSNDPKB and CSNFPKB) with the RSA-PUBL rule will do exactly what you need. I'm not at my PC right now but can find an example if that would help



    ------------------------------
    Eric Rossman
    ------------------------------



  • 5.  RE: using just the RSA keys without certificate wrappers

    Posted Fri February 16, 2024 07:22 AM

    Yes, you can use CSNDPKB.  Here is some sample rexx.

    RSA_Mod2048_public_exponent = '00010001'x                               
    RSA_Mod2048_modulus = ,                                                 
    'C22B24A1DA33FBB74F9B152A32DF35F4DD501F35684E4A4DE2B1344E93C00B27'x||,  
    '1A3DC0321B1D71A96ED3BB14D46FC4B8814964B20879BB64CD293336543878F2'x||,  
    'B35BE326A4F18BA3A1322D31AB5358C4BA91E90B67FCAB5D084E14D5B70BF738'x||,  
    '2753480B7318AFB98409FF9CBE38421B7BCCBCF1978FEF5F63D79CFFA8251838'x||,  
    '2AA8D48C7E71BBE26B68970F7AA06FBC5E684362DCBC9FB269C357C2F8505778'x||,  
    'CAD327B0F893C532636C50E15A593B42EB74EE178530B2B9462E9C2620CCFE93'x||,  
    '8C145E40EEEB50218EBE04E7951FDB8F47675F0E61ACF363B36AFF3D87E76924'x||,  
    '29339BEBAF8D7956E151706F978EDFA0CD91B3CC38D460491149A6F9ACEA8403'x     
                                                                            
    /*********************************************************************/ 
    /* Build the RSA public key                                          */ 
    /*********************************************************************/ 
    PKB_rule_array_count    = '00000001'x                                   
    PKB_rule_array          = 'RSA-PUBL' ;                                  
    PKB_kvs                 = '0800'x ||, /* modulus bit length    */       
                              '0100'x ||, /* modulus field length  */       
                              '0004'x ||, /* pub exp field length  */       
                              '0000'x ||, /* priv exp field length */       
                              RSA_Mod2048_modulus ||,                       
                              RSA_Mod2048_public_exponent                   
    PKB_kvs_length          = d2c(length(PKB_kvs),4)                        



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 6.  RE: using just the RSA keys without certificate wrappers

    Posted Fri February 16, 2024 03:27 PM

    Ms Chan,

    Thanks very much for the big help.  I had no idea that creating a new RSA token could also create an instantly workable token.  For some reason I was under the impression a create or import function was required to make the new token usable.

    I'll test this out today.

    Sincerely,

    Mark



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 7.  RE: using just the RSA keys without certificate wrappers

    Posted Fri February 16, 2024 06:03 PM

    I've had some partial success.  I was able to create the token with a public key.  Like the example shared above, it only used one rule RSA-PUBL.   I got back a 276 byte token.

    I've then used that token to export with SYX, an existing CKDS labled DES token.   It's a 128bit, EXPORTER key with XPORT-OK and it is active.

    I get back ret 8 reason 39 (decimal) indicating a vector problem.   I'm not sure which key has the problem.  

    Would it be possible to get a hint on where I should look next to solve this problem?  I do not know that there is anything wrong with either key that would create this error.

    Helpful hints would be greatly appreciated.

    Sincerely,

    Mark



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 8.  RE: using just the RSA keys without certificate wrappers

    Posted Fri February 16, 2024 06:22 PM

    Mark -

    The CV violation is referring to the EXPORTER passed in the source_key_identifier field.  The callable service is expecting a DES DATA key in this field. 



    ------------------------------
    Eleanor Chan
    ------------------------------



  • 9.  RE: using just the RSA keys without certificate wrappers

    Posted Mon February 26, 2024 04:48 PM

    Ms Chan,

    I'm curious to know why we can't export anything but DATA keys.   Can you help me understand?



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 10.  RE: using just the RSA keys without certificate wrappers

    Posted Tue February 27, 2024 01:40 PM

    Hi Mark,

    The reason that CSNSSYX can only export DATA keys has security backgrounds.

    A DATA key is a relative harmeless type of key, where an EXPORTER or PIN key, can do much more harm.

    The CSNDSYX verb cannot control the quality of your Public key.

    Nobody can prevent a malicious user to generate his own PR/PU key pair in the clear and then use that compromised
    Public key in the CSNDSYX  verb and nobody can prevent you to introduce a self built DATA key in that system .

    There is a way to export eg. an EXPORTER key, but then you should then the CSNDSYG verb that has a lot of more options 
    in the key types that it can export.

    But... the key to be exported will then be generated whitin the CSNDSYG verb. So CSNDSYG can give you 2 instances of the same key.

    First instance of the key, Exported (wrapped by) the PU key and another copy wrapped by your own Local Symmetric Master key (for your own usage) 

    It is similar to CSNBKGN, where you generate a key pair in OPEX form.

    Hope this helps



    ------------------------------
    Andries Mulder
    ------------------------------



  • 11.  RE: using just the RSA keys without certificate wrappers

    Posted Tue February 27, 2024 04:45 PM

    Andries,

    Yes, this helps.   I'm not thrilled, but I certainly understand.  I had not seen the CSNDSYG API call before you brought it to my attention.  My first speed read of the API suggests this is a better fit for my needs.  I will look into this.

    Thanks very much.

    And thanks to all those who responded to my question.  I am most grateful for all the help.

    Sincerely,



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------