IBM Crypto Education Community

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

Thanks,

Mark

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

Thanks,

Mark

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

Yes, you can use CSNDPKB.  Here is some sample rexx.

RSA_Mod2048_public_exponent = '00010001'x                               
RSA_Mod2048_modulus = ,                                                 
'C22B24A1DA33FBB74F9B152A32DF35F4DD501F35684E4A4DE2B1344E93C00B27'x||,  
'1A3DC0321B1D71A96ED3BB14D46FC4B8814964B20879BB64CD293336543878F2'x||,  
'B35BE326A4F18BA3A1322D31AB5358C4BA91E90B67FCAB5D084E14D5B70BF738'x||,  
'2753480B7318AFB98409FF9CBE38421B7BCCBCF1978FEF5F63D79CFFA8251838'x||,  
'2AA8D48C7E71BBE26B68970F7AA06FBC5E684362DCBC9FB269C357C2F8505778'x||,  
'CAD327B0F893C532636C50E15A593B42EB74EE178530B2B9462E9C2620CCFE93'x||,  
'8C145E40EEEB50218EBE04E7951FDB8F47675F0E61ACF363B36AFF3D87E76924'x||,  
'29339BEBAF8D7956E151706F978EDFA0CD91B3CC38D460491149A6F9ACEA8403'x     
                                                                        
/*********************************************************************/ 
/* Build the RSA public key                                          */ 
/*********************************************************************/ 
PKB_rule_array_count    = '00000001'x                                   
PKB_rule_array          = 'RSA-PUBL' ;                                  
PKB_kvs                 = '0800'x ||, /* modulus bit length    */       
                          '0100'x ||, /* modulus field length  */       
                          '0004'x ||, /* pub exp field length  */       
                          '0000'x ||, /* priv exp field length */       
                          RSA_Mod2048_modulus ||,                       
                          RSA_Mod2048_public_exponent                   
PKB_kvs_length          = d2c(length(PKB_kvs),4)                        

Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

Thanks,

Mark

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

Ms Chan,

Thanks very much for the big help.  I had no idea that creating a new RSA token could also create an instantly workable token.  For some reason I was under the impression a create or import function was required to make the new token usable.

I'll test this out today.

Sincerely,

Mark

Yes, you can use CSNDPKB.  Here is some sample rexx.

RSA_Mod2048_public_exponent = '00010001'x                               
RSA_Mod2048_modulus = ,                                                 
'C22B24A1DA33FBB74F9B152A32DF35F4DD501F35684E4A4DE2B1344E93C00B27'x||,  
'1A3DC0321B1D71A96ED3BB14D46FC4B8814964B20879BB64CD293336543878F2'x||,  
'B35BE326A4F18BA3A1322D31AB5358C4BA91E90B67FCAB5D084E14D5B70BF738'x||,  
'2753480B7318AFB98409FF9CBE38421B7BCCBCF1978FEF5F63D79CFFA8251838'x||,  
'2AA8D48C7E71BBE26B68970F7AA06FBC5E684362DCBC9FB269C357C2F8505778'x||,  
'CAD327B0F893C532636C50E15A593B42EB74EE178530B2B9462E9C2620CCFE93'x||,  
'8C145E40EEEB50218EBE04E7951FDB8F47675F0E61ACF363B36AFF3D87E76924'x||,  
'29339BEBAF8D7956E151706F978EDFA0CD91B3CC38D460491149A6F9ACEA8403'x     
                                                                        
/*********************************************************************/ 
/* Build the RSA public key                                          */ 
/*********************************************************************/ 
PKB_rule_array_count    = '00000001'x                                   
PKB_rule_array          = 'RSA-PUBL' ;                                  
PKB_kvs                 = '0800'x ||, /* modulus bit length    */       
                          '0100'x ||, /* modulus field length  */       
                          '0004'x ||, /* pub exp field length  */       
                          '0000'x ||, /* priv exp field length */       
                          RSA_Mod2048_modulus ||,                       
                          RSA_Mod2048_public_exponent                   
PKB_kvs_length          = d2c(length(PKB_kvs),4)                        

Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

Thanks,

Mark

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

I've had some partial success.  I was able to create the token with a public key.  Like the example shared above, it only used one rule RSA-PUBL.   I got back a 276 byte token.

I've then used that token to export with SYX, an existing CKDS labled DES token.   It's a 128bit, EXPORTER key with XPORT-OK and it is active.

I get back ret 8 reason 39 (decimal) indicating a vector problem.   I'm not sure which key has the problem.  

Would it be possible to get a hint on where I should look next to solve this problem?  I do not know that there is anything wrong with either key that would create this error.

Helpful hints would be greatly appreciated.

Sincerely,

Mark

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC

Original Message:
Sent: Fri February 16, 2024 12:23 PM
From: Mark Vollmer
Subject: using just the RSA keys without certificate wrappers

Ms Chan,

Thanks very much for the big help.  I had no idea that creating a new RSA token could also create an instantly workable token.  For some reason I was under the impression a create or import function was required to make the new token usable.

I'll test this out today.

Sincerely,

Mark

Yes, you can use CSNDPKB.  Here is some sample rexx.

RSA_Mod2048_public_exponent = '00010001'x                               
RSA_Mod2048_modulus = ,                                                 
'C22B24A1DA33FBB74F9B152A32DF35F4DD501F35684E4A4DE2B1344E93C00B27'x||,  
'1A3DC0321B1D71A96ED3BB14D46FC4B8814964B20879BB64CD293336543878F2'x||,  
'B35BE326A4F18BA3A1322D31AB5358C4BA91E90B67FCAB5D084E14D5B70BF738'x||,  
'2753480B7318AFB98409FF9CBE38421B7BCCBCF1978FEF5F63D79CFFA8251838'x||,  
'2AA8D48C7E71BBE26B68970F7AA06FBC5E684362DCBC9FB269C357C2F8505778'x||,  
'CAD327B0F893C532636C50E15A593B42EB74EE178530B2B9462E9C2620CCFE93'x||,  
'8C145E40EEEB50218EBE04E7951FDB8F47675F0E61ACF363B36AFF3D87E76924'x||,  
'29339BEBAF8D7956E151706F978EDFA0CD91B3CC38D460491149A6F9ACEA8403'x     
                                                                        
/*********************************************************************/ 
/* Build the RSA public key                                          */ 
/*********************************************************************/ 
PKB_rule_array_count    = '00000001'x                                   
PKB_rule_array          = 'RSA-PUBL' ;                                  
PKB_kvs                 = '0800'x ||, /* modulus bit length    */       
                          '0100'x ||, /* modulus field length  */       
                          '0004'x ||, /* pub exp field length  */       
                          '0000'x ||, /* priv exp field length */       
                          RSA_Mod2048_modulus ||,                       
                          RSA_Mod2048_public_exponent                   
PKB_kvs_length          = d2c(length(PKB_kvs),4)                        

Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

Thanks,

Mark

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

Mark -

The CV violation is referring to the EXPORTER passed in the source_key_identifier field.  The callable service is expecting a DES DATA key in this field. 

I've had some partial success.  I was able to create the token with a public key.  Like the example shared above, it only used one rule RSA-PUBL.   I got back a 276 byte token.

I've then used that token to export with SYX, an existing CKDS labled DES token.   It's a 128bit, EXPORTER key with XPORT-OK and it is active.

I get back ret 8 reason 39 (decimal) indicating a vector problem.   I'm not sure which key has the problem.  

Would it be possible to get a hint on where I should look next to solve this problem?  I do not know that there is anything wrong with either key that would create this error.

Helpful hints would be greatly appreciated.

Sincerely,

Mark

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC

Original Message:
Sent: Fri February 16, 2024 12:23 PM
From: Mark Vollmer
Subject: using just the RSA keys without certificate wrappers

Ms Chan,

Thanks very much for the big help.  I had no idea that creating a new RSA token could also create an instantly workable token.  For some reason I was under the impression a create or import function was required to make the new token usable.

I'll test this out today.

Sincerely,

Mark

Yes, you can use CSNDPKB.  Here is some sample rexx.

RSA_Mod2048_public_exponent = '00010001'x                               
RSA_Mod2048_modulus = ,                                                 
'C22B24A1DA33FBB74F9B152A32DF35F4DD501F35684E4A4DE2B1344E93C00B27'x||,  
'1A3DC0321B1D71A96ED3BB14D46FC4B8814964B20879BB64CD293336543878F2'x||,  
'B35BE326A4F18BA3A1322D31AB5358C4BA91E90B67FCAB5D084E14D5B70BF738'x||,  
'2753480B7318AFB98409FF9CBE38421B7BCCBCF1978FEF5F63D79CFFA8251838'x||,  
'2AA8D48C7E71BBE26B68970F7AA06FBC5E684362DCBC9FB269C357C2F8505778'x||,  
'CAD327B0F893C532636C50E15A593B42EB74EE178530B2B9462E9C2620CCFE93'x||,  
'8C145E40EEEB50218EBE04E7951FDB8F47675F0E61ACF363B36AFF3D87E76924'x||,  
'29339BEBAF8D7956E151706F978EDFA0CD91B3CC38D460491149A6F9ACEA8403'x     
                                                                        
/*********************************************************************/ 
/* Build the RSA public key                                          */ 
/*********************************************************************/ 
PKB_rule_array_count    = '00000001'x                                   
PKB_rule_array          = 'RSA-PUBL' ;                                  
PKB_kvs                 = '0800'x ||, /* modulus bit length    */       
                          '0100'x ||, /* modulus field length  */       
                          '0004'x ||, /* pub exp field length  */       
                          '0000'x ||, /* priv exp field length */       
                          RSA_Mod2048_modulus ||,                       
                          RSA_Mod2048_public_exponent                   
PKB_kvs_length          = d2c(length(PKB_kvs),4)                        

Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

Thanks,

Mark

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

Ms Chan,

I'm curious to know why we can't export anything but DATA keys.   Can you help me understand?

Mark -

The CV violation is referring to the EXPORTER passed in the source_key_identifier field.  The callable service is expecting a DES DATA key in this field. 

I've had some partial success.  I was able to create the token with a public key.  Like the example shared above, it only used one rule RSA-PUBL.   I got back a 276 byte token.

I've then used that token to export with SYX, an existing CKDS labled DES token.   It's a 128bit, EXPORTER key with XPORT-OK and it is active.

I get back ret 8 reason 39 (decimal) indicating a vector problem.   I'm not sure which key has the problem.  

Would it be possible to get a hint on where I should look next to solve this problem?  I do not know that there is anything wrong with either key that would create this error.

Helpful hints would be greatly appreciated.

Sincerely,

Mark

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC

Original Message:
Sent: Fri February 16, 2024 12:23 PM
From: Mark Vollmer
Subject: using just the RSA keys without certificate wrappers

Ms Chan,

Thanks very much for the big help.  I had no idea that creating a new RSA token could also create an instantly workable token.  For some reason I was under the impression a create or import function was required to make the new token usable.

I'll test this out today.

Sincerely,

Mark

Yes, you can use CSNDPKB.  Here is some sample rexx.

RSA_Mod2048_public_exponent = '00010001'x                               
RSA_Mod2048_modulus = ,                                                 
'C22B24A1DA33FBB74F9B152A32DF35F4DD501F35684E4A4DE2B1344E93C00B27'x||,  
'1A3DC0321B1D71A96ED3BB14D46FC4B8814964B20879BB64CD293336543878F2'x||,  
'B35BE326A4F18BA3A1322D31AB5358C4BA91E90B67FCAB5D084E14D5B70BF738'x||,  
'2753480B7318AFB98409FF9CBE38421B7BCCBCF1978FEF5F63D79CFFA8251838'x||,  
'2AA8D48C7E71BBE26B68970F7AA06FBC5E684362DCBC9FB269C357C2F8505778'x||,  
'CAD327B0F893C532636C50E15A593B42EB74EE178530B2B9462E9C2620CCFE93'x||,  
'8C145E40EEEB50218EBE04E7951FDB8F47675F0E61ACF363B36AFF3D87E76924'x||,  
'29339BEBAF8D7956E151706F978EDFA0CD91B3CC38D460491149A6F9ACEA8403'x     
                                                                        
/*********************************************************************/ 
/* Build the RSA public key                                          */ 
/*********************************************************************/ 
PKB_rule_array_count    = '00000001'x                                   
PKB_rule_array          = 'RSA-PUBL' ;                                  
PKB_kvs                 = '0800'x ||, /* modulus bit length    */       
                          '0100'x ||, /* modulus field length  */       
                          '0004'x ||, /* pub exp field length  */       
                          '0000'x ||, /* priv exp field length */       
                          RSA_Mod2048_modulus ||,                       
                          RSA_Mod2048_public_exponent                   
PKB_kvs_length          = d2c(length(PKB_kvs),4)                        

Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

Thanks,

Mark

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------

Hi Mark,

The reason that CSNSSYX can only export DATA keys has security backgrounds.

A DATA key is a relative harmeless type of key, where an EXPORTER or PIN key, can do much more harm.

The CSNDSYX verb cannot control the quality of your Public key.

Nobody can prevent a malicious user to generate his own PR/PU key pair in the clear and then use that compromised
Public key in the CSNDSYX  verb and nobody can prevent you to introduce a self built DATA key in that system .

There is a way to export eg. an EXPORTER key, but then you should then the CSNDSYG verb that has a lot of more options 
in the key types that it can export.

But... the key to be exported will then be generated whitin the CSNDSYG verb. So CSNDSYG can give you 2 instances of the same key.

First instance of the key, Exported (wrapped by) the PU key and another copy wrapped by your own Local Symmetric Master key (for your own usage) 

It is similar to CSNBKGN, where you generate a key pair in OPEX form.

Hope this helps

Ms Chan,

I'm curious to know why we can't export anything but DATA keys.   Can you help me understand?

Mark -

The CV violation is referring to the EXPORTER passed in the source_key_identifier field.  The callable service is expecting a DES DATA key in this field. 

I've had some partial success.  I was able to create the token with a public key.  Like the example shared above, it only used one rule RSA-PUBL.   I got back a 276 byte token.

I've then used that token to export with SYX, an existing CKDS labled DES token.   It's a 128bit, EXPORTER key with XPORT-OK and it is active.

I get back ret 8 reason 39 (decimal) indicating a vector problem.   I'm not sure which key has the problem.  

Would it be possible to get a hint on where I should look next to solve this problem?  I do not know that there is anything wrong with either key that would create this error.

Helpful hints would be greatly appreciated.

Sincerely,

Mark

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC

Original Message:
Sent: Fri February 16, 2024 12:23 PM
From: Mark Vollmer
Subject: using just the RSA keys without certificate wrappers

Ms Chan,

Thanks very much for the big help.  I had no idea that creating a new RSA token could also create an instantly workable token.  For some reason I was under the impression a create or import function was required to make the new token usable.

I'll test this out today.

Sincerely,

Mark

Yes, you can use CSNDPKB.  Here is some sample rexx.

RSA_Mod2048_public_exponent = '00010001'x                               
RSA_Mod2048_modulus = ,                                                 
'C22B24A1DA33FBB74F9B152A32DF35F4DD501F35684E4A4DE2B1344E93C00B27'x||,  
'1A3DC0321B1D71A96ED3BB14D46FC4B8814964B20879BB64CD293336543878F2'x||,  
'B35BE326A4F18BA3A1322D31AB5358C4BA91E90B67FCAB5D084E14D5B70BF738'x||,  
'2753480B7318AFB98409FF9CBE38421B7BCCBCF1978FEF5F63D79CFFA8251838'x||,  
'2AA8D48C7E71BBE26B68970F7AA06FBC5E684362DCBC9FB269C357C2F8505778'x||,  
'CAD327B0F893C532636C50E15A593B42EB74EE178530B2B9462E9C2620CCFE93'x||,  
'8C145E40EEEB50218EBE04E7951FDB8F47675F0E61ACF363B36AFF3D87E76924'x||,  
'29339BEBAF8D7956E151706F978EDFA0CD91B3CC38D460491149A6F9ACEA8403'x     
                                                                        
/*********************************************************************/ 
/* Build the RSA public key                                          */ 
/*********************************************************************/ 
PKB_rule_array_count    = '00000001'x                                   
PKB_rule_array          = 'RSA-PUBL' ;                                  
PKB_kvs                 = '0800'x ||, /* modulus bit length    */       
                          '0100'x ||, /* modulus field length  */       
                          '0004'x ||, /* pub exp field length  */       
                          '0000'x ||, /* priv exp field length */       
                          RSA_Mod2048_modulus ||,                       
                          RSA_Mod2048_public_exponent                   
PKB_kvs_length          = d2c(length(PKB_kvs),4)                        

Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

Thanks,

Mark

CSNDSYX will accept 

• an RSA public key token or key label
• an RSA private key token or key label
• an X.509 certificate containing the RSA public key

I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation does appear to require x.509 certificates for the RSA keys.    Am I reading this wrong? 

Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

Mulitiple Clear Key Import does not work on RSA keys.

Guidance on how to make this happen would very much be appreciated.

Thanks,

------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------