Key blobs are encode in a simple, TLV encoded key blob format.

Each item is encoded as follows:

Tag	Lengh	Value
2 bytes	4 bytes	Length bytes

Items can also encapsulate other items.

Currently two types of key blobs are defined:

Simple Blob
This format is returned by the CryptoServerCXI.CryptoServerCXI.exportKey and CryptoServerCXI.CryptoServerCXI.exportClearKey method.
It contains the key properties and key components.
The key components may be encrypted by another wrapping key.
Backup Blob
This format is returned by the CryptoServerCXI.CryptoServerCXI.backupKey method.
It basically contains the key properties, public and secret key part and a check value.
The secret key part is always encrypted with the CryptoServer's Master Backup Key (MBK).
The check value is a MAC over all preceding blob data, calculated with another key derived from the MBK.

Note
As the key check value is verified on restore of the key, a Backup Blob may not be modified.

The class CryptoServerCXI.CryptoServerCXI.Key is used to handle with Backup Blobs.

Format of Simple Blobs

A Simple Blob is encoded as follows:

RSA key blobs may contain the following key component items:

Item

Tag

Public Exponent

"PE"

Modulus

"MO"

Secret (Private) Exponent

"SE"

Prime P

"P "

Prime Q

"Q "

U := Q^-1 mod P

"U "

dP := D mod P-1

"DP"

dQ := D mod Q-1

"DQ"

ECDSA key blobs may contain the following key component items:

Item	Tag
Public Key	"PK"
Secret (Private) Key	"SK"

On DES or AES key blobs the key components directly contain the key value.

Format of Backup Blobs

A Backup Blob is encoded as follows:

Backup Blob
"PL"	length(PL)	Properties	"PK"	length(PK)	Public Key	"SK"	length(SK)	Secret (Private) Key	"CV"	length(CV)	Check Value