feat(client-payment-cryptography-data): Added a new API - translateKeyMaterial; allows keys wrapped by ECDH derived keys to be rewrapped under a static AES keyblock without first importing the key into the service.

Author: awstools

clients/client-payment-cryptography-data/README.md

@@ -258,6 +258,14 @@ ReEncryptData
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/payment-cryptography-data/command/ReEncryptDataCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-payment-cryptography-data/Interface/ReEncryptDataCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-payment-cryptography-data/Interface/ReEncryptDataCommandOutput/)
 
+</details>
+<details>
+<summary>
+TranslateKeyMaterial
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/payment-cryptography-data/command/TranslateKeyMaterialCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-payment-cryptography-data/Interface/TranslateKeyMaterialCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-payment-cryptography-data/Interface/TranslateKeyMaterialCommandOutput/)
+
 </details>
 <details>
 <summary>

clients/client-payment-cryptography-data/src/PaymentCryptographyData.ts

@@ -25,6 +25,11 @@ import {
   ReEncryptDataCommandInput,
   ReEncryptDataCommandOutput,
 } from "./commands/ReEncryptDataCommand";
+import {
+  TranslateKeyMaterialCommand,
+  TranslateKeyMaterialCommandInput,
+  TranslateKeyMaterialCommandOutput,
+} from "./commands/TranslateKeyMaterialCommand";
 import {
   TranslatePinDataCommand,
   TranslatePinDataCommandInput,
@@ -56,6 +61,7 @@ const commands = {
   GenerateMacEmvPinChangeCommand,
   GeneratePinDataCommand,
   ReEncryptDataCommand,
+  TranslateKeyMaterialCommand,
   TranslatePinDataCommand,
   VerifyAuthRequestCryptogramCommand,
   VerifyCardValidationDataCommand,
@@ -156,6 +162,23 @@ export interface PaymentCryptographyData {
     cb: (err: any, data?: ReEncryptDataCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link TranslateKeyMaterialCommand}
+   */
+  translateKeyMaterial(
+    args: TranslateKeyMaterialCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<TranslateKeyMaterialCommandOutput>;
+  translateKeyMaterial(
+    args: TranslateKeyMaterialCommandInput,
+    cb: (err: any, data?: TranslateKeyMaterialCommandOutput) => void
+  ): void;
+  translateKeyMaterial(
+    args: TranslateKeyMaterialCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: TranslateKeyMaterialCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link TranslatePinDataCommand}
    */

clients/client-payment-cryptography-data/src/PaymentCryptographyDataClient.ts

@@ -66,6 +66,10 @@ import {
 } from "./commands/GenerateMacEmvPinChangeCommand";
 import { GeneratePinDataCommandInput, GeneratePinDataCommandOutput } from "./commands/GeneratePinDataCommand";
 import { ReEncryptDataCommandInput, ReEncryptDataCommandOutput } from "./commands/ReEncryptDataCommand";
+import {
+  TranslateKeyMaterialCommandInput,
+  TranslateKeyMaterialCommandOutput,
+} from "./commands/TranslateKeyMaterialCommand";
 import { TranslatePinDataCommandInput, TranslatePinDataCommandOutput } from "./commands/TranslatePinDataCommand";
 import {
   VerifyAuthRequestCryptogramCommandInput,
@@ -99,6 +103,7 @@ export type ServiceInputTypes =
   | GenerateMacEmvPinChangeCommandInput
   | GeneratePinDataCommandInput
   | ReEncryptDataCommandInput
+  | TranslateKeyMaterialCommandInput
   | TranslatePinDataCommandInput
   | VerifyAuthRequestCryptogramCommandInput
   | VerifyCardValidationDataCommandInput
@@ -116,6 +121,7 @@ export type ServiceOutputTypes =
   | GenerateMacEmvPinChangeCommandOutput
   | GeneratePinDataCommandOutput
   | ReEncryptDataCommandOutput
+  | TranslateKeyMaterialCommandOutput
   | TranslatePinDataCommandOutput
   | VerifyAuthRequestCryptogramCommandOutput
   | VerifyCardValidationDataCommandOutput

clients/client-payment-cryptography-data/src/commands/GenerateMacCommand.ts

@@ -37,7 +37,7 @@ export interface GenerateMacCommandInput extends GenerateMacInput {}
 export interface GenerateMacCommandOutput extends GenerateMacOutput, __MetadataBearer {}
 
 /**
- * <p>Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography. </p> <p>You can use this operation to authenticate card-related data by using known data values to generate MAC for data validation between the sending and receiving parties. This operation uses message data, a secret encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC must use the same message data, secret encryption key and MAC algorithm to reproduce another MAC value for comparision.</p> <p>You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for <code>KeyUsage</code> such as <code>TR31_M7_HMAC_KEY</code> for HMAC generation, and they key must have <code>KeyModesOfUse</code> set to <code>Generate</code> and <code>Verify</code>.</p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>. </p> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a>VerifyMac</a> </p> </li> </ul>
+ * <p>Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography. </p> <p>You can use this operation to authenticate card-related data by using known data values to generate MAC for data validation between the sending and receiving parties. This operation uses message data, a secret encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC must use the same message data, secret encryption key and MAC algorithm to reproduce another MAC value for comparision.</p> <p>You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for <code>KeyUsage</code> such as <code>TR31_M7_HMAC_KEY</code> for HMAC generation, and the key must have <code>KeyModesOfUse</code> set to <code>Generate</code> and <code>Verify</code>.</p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>. </p> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a>VerifyMac</a> </p> </li> </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

clients/client-payment-cryptography-data/src/commands/GeneratePinDataCommand.ts

@@ -81,8 +81,8 @@ export interface GeneratePinDataCommandOutput extends GeneratePinDataOutput, __M
  *     },
  *   },
  *   PinDataLength: Number("int"),
- *   PrimaryAccountNumber: "STRING_VALUE", // required
- *   PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
+ *   PrimaryAccountNumber: "STRING_VALUE",
+ *   PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_1" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
  *   EncryptionWrappedKey: { // WrappedKey
  *     WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
  *       Tr31KeyBlock: "STRING_VALUE",

clients/client-payment-cryptography-data/src/commands/TranslateKeyMaterialCommand.ts

@@ -0,0 +1,142 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  TranslateKeyMaterialInput,
+  TranslateKeyMaterialInputFilterSensitiveLog,
+  TranslateKeyMaterialOutput,
+  TranslateKeyMaterialOutputFilterSensitiveLog,
+} from "../models/models_0";
+import {
+  PaymentCryptographyDataClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../PaymentCryptographyDataClient";
+import { de_TranslateKeyMaterialCommand, se_TranslateKeyMaterialCommand } from "../protocols/Aws_restJson1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link TranslateKeyMaterialCommand}.
+ */
+export interface TranslateKeyMaterialCommandInput extends TranslateKeyMaterialInput {}
+/**
+ * @public
+ *
+ * The output of {@link TranslateKeyMaterialCommand}.
+ */
+export interface TranslateKeyMaterialCommandOutput extends TranslateKeyMaterialOutput, __MetadataBearer {}
+
+/**
+ * <p>Translates an encryption key between different wrapping keys without importing the key into Amazon Web Services Payment Cryptography.</p> <p>This operation can be used when key material is frequently rotated, such as during every card transaction, and there is a need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. It translates short-lived transaction keys such as Pin Encryption Key (PEK) generated for each transaction and wrapped with an ECDH (Elliptic Curve Diffie-Hellman) derived wrapping key to another KEK (Key Encryption Key) wrapping key. </p> <p>Before using this operation, you must first request the public key certificate of the ECC key pair generated within Amazon Web Services Payment Cryptography to establish an ECDH key agreement. In <code>TranslateKeyData</code>, the service uses its own ECC key pair, public certificate of receiving ECC key pair, and the key derivation parameters to generate a derived key. The service uses this derived key to unwrap the incoming transaction key received as a TR31WrappedKeyBlock and re-wrap using a user provided KEK to generate an outgoing Tr31WrappedKeyBlock. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Creating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>. </p> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html">CreateKey</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html">GetPublicCertificate</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a> </p> </li> </ul>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { PaymentCryptographyDataClient, TranslateKeyMaterialCommand } from "@aws-sdk/client-payment-cryptography-data"; // ES Modules import
+ * // const { PaymentCryptographyDataClient, TranslateKeyMaterialCommand } = require("@aws-sdk/client-payment-cryptography-data"); // CommonJS import
+ * // import type { PaymentCryptographyDataClientConfig } from "@aws-sdk/client-payment-cryptography-data";
+ * const config = {}; // type is PaymentCryptographyDataClientConfig
+ * const client = new PaymentCryptographyDataClient(config);
+ * const input = { // TranslateKeyMaterialInput
+ *   IncomingKeyMaterial: { // IncomingKeyMaterial Union: only one key present
+ *     DiffieHellmanTr31KeyBlock: { // IncomingDiffieHellmanTr31KeyBlock
+ *       PrivateKeyIdentifier: "STRING_VALUE", // required
+ *       CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+ *       PublicKeyCertificate: "STRING_VALUE", // required
+ *       DeriveKeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256" || "HMAC_SHA256" || "HMAC_SHA384" || "HMAC_SHA512" || "HMAC_SHA224", // required
+ *       KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+ *       KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+ *       DerivationData: { // DiffieHellmanDerivationData Union: only one key present
+ *         SharedInformation: "STRING_VALUE",
+ *       },
+ *       WrappedKeyBlock: "STRING_VALUE", // required
+ *     },
+ *   },
+ *   OutgoingKeyMaterial: { // OutgoingKeyMaterial Union: only one key present
+ *     Tr31KeyBlock: { // OutgoingTr31KeyBlock
+ *       WrappingKeyIdentifier: "STRING_VALUE", // required
+ *     },
+ *   },
+ *   KeyCheckValueAlgorithm: "STRING_VALUE",
+ * };
+ * const command = new TranslateKeyMaterialCommand(input);
+ * const response = await client.send(command);
+ * // { // TranslateKeyMaterialOutput
+ * //   WrappedKey: { // WrappedWorkingKey
+ * //     WrappedKeyMaterial: "STRING_VALUE", // required
+ * //     KeyCheckValue: "STRING_VALUE", // required
+ * //     WrappedKeyMaterialFormat: "STRING_VALUE", // required
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param TranslateKeyMaterialCommandInput - {@link TranslateKeyMaterialCommandInput}
+ * @returns {@link TranslateKeyMaterialCommandOutput}
+ * @see {@link TranslateKeyMaterialCommandInput} for command's `input` shape.
+ * @see {@link TranslateKeyMaterialCommandOutput} for command's `response` shape.
+ * @see {@link PaymentCryptographyDataClientResolvedConfig | config} for PaymentCryptographyDataClient's `config` shape.
+ *
+ * @throws {@link AccessDeniedException} (client fault)
+ *  <p>You do not have sufficient access to perform this action.</p>
+ *
+ * @throws {@link InternalServerException} (server fault)
+ *  <p>The request processing has failed because of an unknown error, exception, or failure.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>The request was denied due to an invalid resource error.</p>
+ *
+ * @throws {@link ThrottlingException} (client fault)
+ *  <p>The request was denied due to request throttling.</p>
+ *
+ * @throws {@link ValidationException} (client fault)
+ *  <p>The request was denied due to an invalid request error.</p>
+ *
+ * @throws {@link PaymentCryptographyDataServiceException}
+ * <p>Base exception class for all service exceptions from PaymentCryptographyData service.</p>
+ *
+ *
+ * @public
+ */
+export class TranslateKeyMaterialCommand extends $Command
+  .classBuilder<
+    TranslateKeyMaterialCommandInput,
+    TranslateKeyMaterialCommandOutput,
+    PaymentCryptographyDataClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: PaymentCryptographyDataClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("PaymentCryptographyDataPlane", "TranslateKeyMaterial", {})
+  .n("PaymentCryptographyDataClient", "TranslateKeyMaterialCommand")
+  .f(TranslateKeyMaterialInputFilterSensitiveLog, TranslateKeyMaterialOutputFilterSensitiveLog)
+  .ser(se_TranslateKeyMaterialCommand)
+  .de(de_TranslateKeyMaterialCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: TranslateKeyMaterialInput;
+      output: TranslateKeyMaterialOutput;
+    };
+    sdk: {
+      input: TranslateKeyMaterialCommandInput;
+      output: TranslateKeyMaterialCommandOutput;
+    };
+  };
+}