IBM Crypto Education Community


using just the RSA keys without certificate wrappers

  • 1.  using just the RSA keys without certificate wrappers

    Posted Thu February 15, 2024 10:39 AM

    I get to work with a system that does not supply public keys in certificate form.  I get only the key.  I'm supposed to use a default for the exponent.

    One call I'd like to make is to use the RSA public key to encrypt a DES key.  I believe that I'd use Symmetric Key Export (CSNDSYX) to perform that function.   However, reading the documentation, it does appear to require X.509 certificates for the RSA keys.    Am I reading this wrong? 

    Should I and could I get the RSA key into some CCA token form that is usable by CSNDSYX? 

    Multiple Clear Key Import does not work on RSA keys.

    Guidance on how to make this happen would very much be appreciated.

    Thanks,



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 2.  RE: using just the RSA keys without certificate wrappers

    Posted Thu February 15, 2024 10:53 AM

    CSNDSYX will accept 

    • an RSA public key token or key label
    • an RSA private key token or key label
    • an X.509 certificate containing the RSA public key


    ------------------------------
    Eleanor Chan
    ------------------------------



  • 3.  RE: using just the RSA keys without certificate wrappers

    Posted Thu February 15, 2024 11:03 PM

    Thanks.   Unfortunately all I have is a public 256 byte RSA key.  I've looked into PKA Key Import function.   It says it imports only pub-priv key pairs.   And all I have is a public RSA key.

    Can the PKA Key Import function import just a 256 byte RSA key?   Is there another function I can use to import this RSA key into a token I can use for the CSNDSYX call?

    Thanks,

    Mark



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 4.  RE: using just the RSA keys without certificate wrappers

    Posted Thu February 15, 2024 11:08 PM

    I believe that PKA Key Token Build (CSNDPKB and CSNFPKB) with the RSA-PUBL rule will do exactly what you need. I'm not at my PC right now but can find an example if that would help.



    ------------------------------
    Eric Rossman
    ------------------------------



  • 5.  RE: using just the RSA keys without certificate wrappers

    Posted Fri February 16, 2024 07:22 AM

    Yes, you can use CSNDPKB.  Here is some sample REXX.

    RSA_Mod2048_public_exponent = '00010001'x                               
    RSA_Mod2048_modulus = ,                                                 
    'C22B24A1DA33FBB74F9B152A32DF35F4DD501F35684E4A4DE2B1344E93C00B27'x||,  
    '1A3DC0321B1D71A96ED3BB14D46FC4B8814964B20879BB64CD293336543878F2'x||,  
    'B35BE326A4F18BA3A1322D31AB5358C4BA91E90B67FCAB5D084E14D5B70BF738'x||,  
    '2753480B7318AFB98409FF9CBE38421B7BCCBCF1978FEF5F63D79CFFA8251838'x||,  
    '2AA8D48C7E71BBE26B68970F7AA06FBC5E684362DCBC9FB269C357C2F8505778'x||,  
    'CAD327B0F893C532636C50E15A593B42EB74EE178530B2B9462E9C2620CCFE93'x||,  
    '8C145E40EEEB50218EBE04E7951FDB8F47675F0E61ACF363B36AFF3D87E76924'x||,  
    '29339BEBAF8D7956E151706F978EDFA0CD91B3CC38D460491149A6F9ACEA8403'x     
                                                                            
    /*********************************************************************/ 
    /* Build the RSA public key                                          */ 
    /*********************************************************************/ 
    PKB_rule_array_count    = '00000001'x                                   
    PKB_rule_array          = 'RSA-PUBL' ;                                  
    PKB_kvs                 = '0800'x ||, /* modulus bit length    */       
                              '0100'x ||, /* modulus field length  */       
                              '0004'x ||, /* pub exp field length  */       
                              '0000'x ||, /* priv exp field length */       
                              RSA_Mod2048_modulus ||,                       
                              RSA_Mod2048_public_exponent                   
    PKB_kvs_length          = d2c(length(PKB_kvs),4)                        



    ------------------------------
    Eleanor Chan
    ------------------------------
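
An added example, not part of the thread or of IBM's sample: a Python cross-check that builds the same key value structure as `PKB_kvs` above from a raw modulus and the default exponent, then parses it back and verifies the length fields. The field layout is taken from the comments in the REXX sample; the function names, the leading-zero policy and `SAMPLE_MODULUS` (a constructed value, not a real key) are assumptions of this example.

```python
import struct

# Default public exponent 65537, four bytes wide as in the REXX sample.
DEFAULT_EXPONENT = bytes.fromhex("00010001")

# Constructed 256-byte value for illustration only; not a real RSA modulus.
SAMPLE_MODULUS = b"\xc1" + bytes(254) + b"\x01"


def build_rsa_publ_kvs(modulus: bytes, exponent: bytes = DEFAULT_EXPONENT) -> bytes:
    """Lay out modulus and exponent the way the REXX sample builds PKB_kvs."""
    if not modulus or modulus[0] == 0:
        # Policy of this example: a padded modulus would make the bit length
        # and the field length disagree with what the sender described.
        raise ValueError("modulus is empty or has a leading zero byte")
    n = int.from_bytes(modulus, "big")
    e = int.from_bytes(exponent, "big")
    if n % 2 == 0 or e % 2 == 0:
        raise ValueError("RSA modulus and public exponent are both odd")
    header = struct.pack(
        ">HHHH",
        n.bit_length(),   # modulus bit length   ('0800'x for 2048 bits)
        len(modulus),     # modulus field length ('0100'x for 256 bytes)
        len(exponent),    # public exponent field length
        0,                # private exponent field length, zero here
    )
    return header + modulus + exponent


def parse_rsa_publ_kvs(kvs: bytes) -> dict:
    """Split a structure back into fields and check the lengths agree."""
    if len(kvs) < 8:
        raise ValueError("structure shorter than its four length fields")
    bits, mod_len, exp_len, priv_len = struct.unpack(">HHHH", kvs[:8])
    if priv_len != 0:
        raise ValueError("private exponent length must be zero for a public key")
    if len(kvs) != 8 + mod_len + exp_len:
        raise ValueError("length fields do not match the data that follows")
    modulus, exponent = kvs[8:8 + mod_len], kvs[8 + mod_len:]
    if int.from_bytes(modulus, "big").bit_length() != bits:
        raise ValueError("modulus bit length field does not match the modulus")
    return {"bits": bits, "modulus": modulus, "exponent": exponent}


if __name__ == "__main__":
    kvs = build_rsa_publ_kvs(SAMPLE_MODULUS)
    print(len(kvs), kvs[:8].hex(), parse_rsa_publ_kvs(kvs)["bits"])
```

Running the parser over the bytes actually passed as the key value structure catches a length field that disagrees with the key material before the token is built.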



  • 6.  RE: using just the RSA keys without certificate wrappers

    Posted Fri February 16, 2024 03:27 PM

    Ms Chan,

    Thanks very much for the big help.  I had no idea that creating a new RSA token could also create an instantly workable token.  For some reason I was under the impression a create or import function was required to make the new token usable.

    I'll test this out today.

    Sincerely,

    Mark



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------



  • 7.  RE: using just the RSA keys without certificate wrappers

    Posted Fri February 16, 2024 06:03 PM

    I've had some partial success.  I was able to create the token with a public key.  Like the example shared above, it only used one rule, RSA-PUBL.   I got back a 276 byte token.

    I've then used that token to export with SYX, an existing CKDS labeled DES token.   It's a 128-bit, EXPORTER key with XPORT-OK and it is active.

    I get back ret 8 reason 39 (decimal) indicating a vector problem.   I'm not sure which key has the problem.  

    Would it be possible to get a hint on where I should look next to solve this problem?  I do not know that there is anything wrong with either key that would create this error.

    Helpful hints would be greatly appreciated.

    Sincerely,

    Mark



    ------------------------------
    Mark Vollmer
    Developer, but does everything.
    CV Systems, LLC
    ------------------------------