feat(client-payment-cryptography-data): Add ECDH support on PIN opera…
…tions.
awstools committed Oct 23, 2024
1 parent 3435c99 commit 2f74e23
Showing 10 changed files with 396 additions and 15 deletions.
2 changes: 1 addition & 1 deletion clients/client-payment-cryptography-data/README.md
Expand Up @@ -11,7 +11,7 @@ AWS SDK for JavaScript PaymentCryptographyData Client for Node.js, Browser and R

## Installing

To install the this package, simply type add or install @aws-sdk/client-payment-cryptography-data
To install this package, simply type add or install @aws-sdk/client-payment-cryptography-data
using your favorite package manager:

- `npm install @aws-sdk/client-payment-cryptography-data`
Expand Up @@ -102,6 +102,14 @@ export interface DecryptDataCommandOutput extends DecryptDataOutput, __MetadataB
* WrappedKey: { // WrappedKey
* WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
* Tr31KeyBlock: "STRING_VALUE",
* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
* PublicKeyCertificate: "STRING_VALUE", // required
* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
* SharedInformation: "STRING_VALUE", // required
* },
* },
* KeyCheckValueAlgorithm: "STRING_VALUE",
* },
Expand Up @@ -109,6 +109,14 @@ export interface EncryptDataCommandOutput extends EncryptDataOutput, __MetadataB
* WrappedKey: { // WrappedKey
* WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
* Tr31KeyBlock: "STRING_VALUE",
* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
* PublicKeyCertificate: "STRING_VALUE", // required
* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
* SharedInformation: "STRING_VALUE", // required
* },
* },
* KeyCheckValueAlgorithm: "STRING_VALUE",
* },
Expand Up @@ -39,6 +39,7 @@ export interface GeneratePinDataCommandOutput extends GeneratePinDataOutput, __M
/**
* <p>Generates pin-related data such as PIN, PIN Verification Value (PVV), PIN Block, and PIN Offset during new card issuance or reissuance. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/generate-pin-data.html">Generate PIN data</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
* <p>PIN data is never transmitted in clear to or from Amazon Web Services Payment Cryptography. This operation generates PIN, PVV, or PIN Offset and then encrypts it using Pin Encryption Key (PEK) to create an <code>EncryptedPinBlock</code> for transmission from Amazon Web Services Payment Cryptography. This operation uses a separate Pin Verification Key (PVK) for VISA PVV generation. </p>
* <p>Using ECDH key exchange, you can receive cardholder selectable PINs into Amazon Web Services Payment Cryptography. The ECDH derived key protects the incoming PIN block. You can also use it for reveal PIN, wherein the generated PIN block is protected by the ECDH derived key before transmission from Amazon Web Services Payment Cryptography. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Generating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
* <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
* <p>
* <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p>
Expand Down Expand Up @@ -104,7 +105,21 @@ export interface GeneratePinDataCommandOutput extends GeneratePinDataOutput, __M
* },
* PinDataLength: Number("int"),
* PrimaryAccountNumber: "STRING_VALUE", // required
* PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3", // required
* PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
* EncryptionWrappedKey: { // WrappedKey
* WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
* Tr31KeyBlock: "STRING_VALUE",
* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
* PublicKeyCertificate: "STRING_VALUE", // required
* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
* SharedInformation: "STRING_VALUE", // required
* },
* },
* KeyCheckValueAlgorithm: "STRING_VALUE",
* },
* };
* const command = new GeneratePinDataCommand(input);
* const response = await client.send(command);
Expand Up @@ -110,12 +110,28 @@ export interface ReEncryptDataCommandOutput extends ReEncryptDataOutput, __Metad
* IncomingWrappedKey: { // WrappedKey
* WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
* Tr31KeyBlock: "STRING_VALUE",
* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
* PublicKeyCertificate: "STRING_VALUE", // required
* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
* SharedInformation: "STRING_VALUE", // required
* },
* },
* KeyCheckValueAlgorithm: "STRING_VALUE",
* },
* OutgoingWrappedKey: {
* WrappedKeyMaterial: {// Union: only one key present
* Tr31KeyBlock: "STRING_VALUE",
* DiffieHellmanSymmetricKey: {
* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
* PublicKeyCertificate: "STRING_VALUE", // required
* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
* SharedInformation: "STRING_VALUE", // required
* },
* },
* KeyCheckValueAlgorithm: "STRING_VALUE",
* },
Expand Up @@ -38,8 +38,10 @@ export interface TranslatePinDataCommandOutput extends TranslatePinDataOutput, _

/**
* <p>Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html">Translate PIN data</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
* <p>PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports <code>TDES</code> and <code>AES</code> key derivation type for DUKPT translations. </p>
* <p>This operation also supports dynamic keys, allowing you to pass a dynamic PEK as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the <code>keyARN</code> is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html">Using Dynamic Keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
* <p>PIN block translation involves changing a PIN block from one encryption key to another and optionally change its format. PIN block translation occurs entirely within the HSM boundary and PIN data never enters or leaves Amazon Web Services Payment Cryptography in clear text. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK.</p>
* <p>Amazon Web Services Payment Cryptography also supports use of dynamic keys and ECDH (Elliptic Curve Diffie-Hellman) based key exchange for this operation.</p>
* <p>Dynamic keys allow you to pass a PEK as a TR-31 WrappedKeyBlock. They can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the <code>keyARN</code> is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html">Using Dynamic Keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
* <p>Using ECDH key exchange, you can receive cardholder selectable PINs into Amazon Web Services Payment Cryptography. The ECDH derived key protects the incoming PIN block, which is translated to a PEK encrypted PIN block for use within the service. You can also use ECDH for reveal PIN, wherein the service translates the PIN block from PEK to a ECDH derived encryption key. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Generating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
* <p>The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation. </p>
* <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
* <note>
Expand Down Expand Up @@ -107,12 +109,28 @@ export interface TranslatePinDataCommandOutput extends TranslatePinDataOutput, _
* IncomingWrappedKey: { // WrappedKey
* WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
* Tr31KeyBlock: "STRING_VALUE",
* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
* PublicKeyCertificate: "STRING_VALUE", // required
* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
* SharedInformation: "STRING_VALUE", // required
* },
* },
* KeyCheckValueAlgorithm: "STRING_VALUE",
* },
* OutgoingWrappedKey: {
* WrappedKeyMaterial: {// Union: only one key present
* Tr31KeyBlock: "STRING_VALUE",
* DiffieHellmanSymmetricKey: {
* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
* PublicKeyCertificate: "STRING_VALUE", // required
* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
* SharedInformation: "STRING_VALUE", // required
* },
* },
* KeyCheckValueAlgorithm: "STRING_VALUE",
* },
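Review bot: The rewritten TranslatePinData description in the first hunk (the class doc comment) has two wording slips that will ship in the published typings: `from one encryption key to another and optionally change its format` should read `and optionally changing its format`, and `from PEK to a ECDH derived encryption key` should read `an ECDH derived encryption key`. The dynamic-key paragraph states the constraint enforced on the incoming TR-31 block (key purpose P0, mode of use B or D), but the new ECDH paragraph states no equivalent constraint for the derived key; if the service restricts the derived key's purpose or mode of use, documenting it here lets callers validate before sending. In the example input of the second hunk, `OutgoingWrappedKey.WrappedKeyMaterial` and its `DiffieHellmanSymmetricKey` lack the `// WrappedKeyMaterial` and `// EcdhDerivationAttributes` annotations that the `IncomingWrappedKey` example carries; the same asymmetry appears in the ReEncryptData example. These command files appear to be generated from the service model, so the wording fixes likely belong in the upstream model's documentation traits rather than in this file.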
Expand Up @@ -75,12 +75,26 @@ export interface VerifyPinDataCommandOutput extends VerifyPinDataOutput, __Metad
* },
* EncryptedPinBlock: "STRING_VALUE", // required
* PrimaryAccountNumber: "STRING_VALUE", // required
* PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3", // required
* PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
* PinDataLength: Number("int"),
* DukptAttributes: { // DukptAttributes
* KeySerialNumber: "STRING_VALUE", // required
* DukptDerivationType: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* },
* EncryptionWrappedKey: { // WrappedKey
* WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
* Tr31KeyBlock: "STRING_VALUE",
* DiffieHellmanSymmetricKey: { // EcdhDerivationAttributes
* CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
* PublicKeyCertificate: "STRING_VALUE", // required
* KeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256", // required
* KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
* KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
* SharedInformation: "STRING_VALUE", // required
* },
* },
* KeyCheckValueAlgorithm: "STRING_VALUE",
* },
* };
* const command = new VerifyPinDataCommand(input);
* const response = await client.send(command);
