
Commit 2f74e23

author
awstools
committed
feat(client-payment-cryptography-data): Add ECDH support on PIN operations.
1 parent 3435c99 commit 2f74e23


10 files changed

+396
-15
lines changed


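--- a/clients/client-payment-cryptography-data/README.md
+++ b/clients/client-payment-cryptography-data/README.md
@@ -11,7 +11,7 @@ AWS SDK for JavaScript PaymentCryptographyData Client for Node.js, Browser and R
 
 ## Installing
 
-To install the this package, simply type add or install @aws-sdk/client-payment-cryptography-data
+To install this package, simply type add or install @aws-sdk/client-payment-cryptography-data
 using your favorite package manager:
 
 - `npm install @aws-sdk/client-payment-cryptography-data`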

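--- a/clients/client-payment-cryptography-data/src/commands/DecryptDataCommand.ts
+++ b/clients/client-payment-cryptography-data/src/commands/DecryptDataCommand.ts
@@ -102,6 +102,14 @@ export interface DecryptDataCommandOutput extends DecryptDataOutput, __MetadataB
 * WrappedKey: { // WrappedKey
 * WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
 * Tr31KeyBlock: "STRING_VALUE",
+* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
+* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+* PublicKeyCertificate: "STRING_VALUE", // required
+* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
+* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+* SharedInformation: "STRING_VALUE", // required
+* },
 * },
 * KeyCheckValueAlgorithm: "STRING_VALUE",
 * },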

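--- a/clients/client-payment-cryptography-data/src/commands/EncryptDataCommand.ts
+++ b/clients/client-payment-cryptography-data/src/commands/EncryptDataCommand.ts
@@ -109,6 +109,14 @@ export interface EncryptDataCommandOutput extends EncryptDataOutput, __MetadataB
 * WrappedKey: { // WrappedKey
 * WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
 * Tr31KeyBlock: "STRING_VALUE",
+* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
+* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+* PublicKeyCertificate: "STRING_VALUE", // required
+* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
+* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+* SharedInformation: "STRING_VALUE", // required
+* },
 * },
 * KeyCheckValueAlgorithm: "STRING_VALUE",
 * },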

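--- a/clients/client-payment-cryptography-data/src/commands/GeneratePinDataCommand.ts
+++ b/clients/client-payment-cryptography-data/src/commands/GeneratePinDataCommand.ts
@@ -39,6 +39,7 @@ export interface GeneratePinDataCommandOutput extends GeneratePinDataOutput, __M
 /**
 * <p>Generates pin-related data such as PIN, PIN Verification Value (PVV), PIN Block, and PIN Offset during new card issuance or reissuance. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/generate-pin-data.html">Generate PIN data</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
 * <p>PIN data is never transmitted in clear to or from Amazon Web Services Payment Cryptography. This operation generates PIN, PVV, or PIN Offset and then encrypts it using Pin Encryption Key (PEK) to create an <code>EncryptedPinBlock</code> for transmission from Amazon Web Services Payment Cryptography. This operation uses a separate Pin Verification Key (PVK) for VISA PVV generation. </p>
+* <p>Using ECDH key exchange, you can receive cardholder selectable PINs into Amazon Web Services Payment Cryptography. The ECDH derived key protects the incoming PIN block. You can also use it for reveal PIN, wherein the generated PIN block is protected by the ECDH derived key before transmission from Amazon Web Services Payment Cryptography. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Generating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
 * <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
 * <p>
 * <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p>
@@ -104,7 +105,21 @@ export interface GeneratePinDataCommandOutput extends GeneratePinDataOutput, __M
 * },
 * PinDataLength: Number("int"),
 * PrimaryAccountNumber: "STRING_VALUE", // required
-* PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3", // required
+* PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
+* EncryptionWrappedKey: { // WrappedKey
+* WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
+* Tr31KeyBlock: "STRING_VALUE",
+* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
+* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+* PublicKeyCertificate: "STRING_VALUE", // required
+* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
+* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+* SharedInformation: "STRING_VALUE", // required
+* },
+* },
+* KeyCheckValueAlgorithm: "STRING_VALUE",
+* },
 * };
 * const command = new GeneratePinDataCommand(input);
 * const response = await client.send(command);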

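--- a/clients/client-payment-cryptography-data/src/commands/ReEncryptDataCommand.ts
+++ b/clients/client-payment-cryptography-data/src/commands/ReEncryptDataCommand.ts
@@ -110,12 +110,28 @@ export interface ReEncryptDataCommandOutput extends ReEncryptDataOutput, __Metad
 * IncomingWrappedKey: { // WrappedKey
 * WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
 * Tr31KeyBlock: "STRING_VALUE",
+* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
+* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+* PublicKeyCertificate: "STRING_VALUE", // required
+* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
+* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+* SharedInformation: "STRING_VALUE", // required
+* },
 * },
 * KeyCheckValueAlgorithm: "STRING_VALUE",
 * },
 * OutgoingWrappedKey: {
 * WrappedKeyMaterial: {// Union: only one key present
 * Tr31KeyBlock: "STRING_VALUE",
+* DiffieHellmanSymmetricKey: {
+* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+* PublicKeyCertificate: "STRING_VALUE", // required
+* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
+* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+* SharedInformation: "STRING_VALUE", // required
+* },
 * },
 * KeyCheckValueAlgorithm: "STRING_VALUE",
 * },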
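Review bot: The example's `OutgoingWrappedKey.WrappedKeyMaterial.DiffieHellmanSymmetricKey: {` entry (new line 127) carries no `// EcdhDerivationAttributes` type annotation, while the matching entry under IncomingWrappedKey (new line 113) does, so a reader is left guessing whether the outgoing structure is a different type. Add `// EcdhDerivationAttributes` to the outgoing entry so both halves of the example read the same way. The same asymmetry appears in the TranslatePinDataCommand.ts example (new lines 112 and 126). These example blocks look generated from the service model, so the fix probably belongs in the model or codegen template rather than a hand edit here.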

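--- a/clients/client-payment-cryptography-data/src/commands/TranslatePinDataCommand.ts
+++ b/clients/client-payment-cryptography-data/src/commands/TranslatePinDataCommand.ts
@@ -38,8 +38,10 @@ export interface TranslatePinDataCommandOutput extends TranslatePinDataOutput, _
 
 /**
 * <p>Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html">Translate PIN data</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
-* <p>PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports <code>TDES</code> and <code>AES</code> key derivation type for DUKPT translations. </p>
-* <p>This operation also supports dynamic keys, allowing you to pass a dynamic PEK as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the <code>keyARN</code> is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html">Using Dynamic Keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
+* <p>PIN block translation involves changing a PIN block from one encryption key to another and optionally change its format. PIN block translation occurs entirely within the HSM boundary and PIN data never enters or leaves Amazon Web Services Payment Cryptography in clear text. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK.</p>
+* <p>Amazon Web Services Payment Cryptography also supports use of dynamic keys and ECDH (Elliptic Curve Diffie-Hellman) based key exchange for this operation.</p>
+* <p>Dynamic keys allow you to pass a PEK as a TR-31 WrappedKeyBlock. They can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the <code>keyARN</code> is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html">Using Dynamic Keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
+* <p>Using ECDH key exchange, you can receive cardholder selectable PINs into Amazon Web Services Payment Cryptography. The ECDH derived key protects the incoming PIN block, which is translated to a PEK encrypted PIN block for use within the service. You can also use ECDH for reveal PIN, wherein the service translates the PIN block from PEK to a ECDH derived encryption key. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Generating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
 * <p>The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation. </p>
 * <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
 * <note>
@@ -107,12 +109,28 @@ export interface TranslatePinDataCommandOutput extends TranslatePinDataOutput, _
 * IncomingWrappedKey: { // WrappedKey
 * WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
 * Tr31KeyBlock: "STRING_VALUE",
+* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
+* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+* PublicKeyCertificate: "STRING_VALUE", // required
+* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
+* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+* SharedInformation: "STRING_VALUE", // required
+* },
 * },
 * KeyCheckValueAlgorithm: "STRING_VALUE",
 * },
 * OutgoingWrappedKey: {
 * WrappedKeyMaterial: {// Union: only one key present
 * Tr31KeyBlock: "STRING_VALUE",
+* DiffieHellmanSymmetricKey: {
+* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+* PublicKeyCertificate: "STRING_VALUE", // required
+* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
+* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+* SharedInformation: "STRING_VALUE", // required
+* },
 * },
 * KeyCheckValueAlgorithm: "STRING_VALUE",
 * },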
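Review bot: The rewritten operation description in the first hunk (new line 41) reads `changing a PIN block from one encryption key to another and optionally change its format`, which should be `... and optionally changing its format`, and new line 44 has `from PEK to a ECDH derived encryption key`, which should be `an ECDH derived encryption key`. On the same line, `see the <a ...>Generating keys</a> in the ...` reads better as `see <a ...>Generating keys</a> in the ...`; the identical wording is in the paragraph added to GeneratePinDataCommand.ts (new line 42). These paragraphs are the operation's public API reference, so the wording fixes are worth making at the model source before the next publish. The enclosing doc comment continues past the hunk.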

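--- a/clients/client-payment-cryptography-data/src/commands/VerifyPinDataCommand.ts
+++ b/clients/client-payment-cryptography-data/src/commands/VerifyPinDataCommand.ts
@@ -75,12 +75,26 @@ export interface VerifyPinDataCommandOutput extends VerifyPinDataOutput, __Metad
 * },
 * EncryptedPinBlock: "STRING_VALUE", // required
 * PrimaryAccountNumber: "STRING_VALUE", // required
-* PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3", // required
+* PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
 * PinDataLength: Number("int"),
 * DukptAttributes: { // DukptAttributes
 * KeySerialNumber: "STRING_VALUE", // required
 * DukptDerivationType: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
 * },
+* EncryptionWrappedKey: { // WrappedKey
+* WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
+* Tr31KeyBlock: "STRING_VALUE",
+* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
+* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+* PublicKeyCertificate: "STRING_VALUE", // required
+* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
+* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+* SharedInformation: "STRING_VALUE", // required
+* },
+* },
+* KeyCheckValueAlgorithm: "STRING_VALUE",
+* },
 * };
 * const command = new VerifyPinDataCommand(input);
 * const response = await client.send(command);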
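Review bot: Nothing in the example says whether `DukptAttributes` and the newly added `EncryptionWrappedKey` (new lines 84-97) may be supplied together or are alternative ways of protecting `EncryptedPinBlock`, so a reader cannot tell from this block which key is expected to decrypt the PIN block. If they are mutually exclusive, that is the kind of constraint the example already states elsewhere with `// Union: only one key present`, and a comment on the new entry such as `// EncryptionWrappedKey: alternative to DukptAttributes — confirm against the service model` would settle it; if both may be given, the operation description above the example needs a sentence on precedence. The same question applies to the `EncryptionWrappedKey` added to the GeneratePinDataCommand.ts example. I am inferring the relationship from the example alone; the service model should be checked before wording it.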
