diff --git a/clients/client-payment-cryptography-data/src/commands/DecryptDataCommand.ts b/clients/client-payment-cryptography-data/src/commands/DecryptDataCommand.ts index edfdff86eb63..deb83480482f 100644 --- a/clients/client-payment-cryptography-data/src/commands/DecryptDataCommand.ts +++ b/clients/client-payment-cryptography-data/src/commands/DecryptDataCommand.ts @@ -37,9 +37,10 @@ export interface DecryptDataCommandOutput extends DecryptDataOutput, __MetadataB /** * @public - *

Decrypts ciphertext data to plaintext using symmetric, asymmetric, or DUKPT data encryption key. For more information, see Decrypt data in the Amazon Web Services Payment Cryptography User Guide.

+ *

Decrypts ciphertext data to plaintext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Decrypt data in the Amazon Web Services Payment Cryptography User Guide.

*

You can use an encryption key generated within Amazon Web Services Payment Cryptography, or you can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Decrypt. In asymmetric decryption, Amazon Web Services Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of Amazon Web Services Payment Cryptography, you can export the public component of the asymmetric key pair by calling GetPublicCertificate.

- *

For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For asymmetric decryption, Amazon Web Services Payment Cryptography supports RSA. When you use DUKPT, for TDES algorithm, the ciphertext data length must be a multiple of 16 bytes. For AES algorithm, the ciphertext data length must be a multiple of 32 bytes.

+ *

For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV decryption, Amazon Web Services Payment Cryptography supports TDES algorithms. For asymmetric decryption, Amazon Web Services Payment Cryptography supports RSA.

+ *

When you use TDES or TDES DUKPT, the ciphertext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the ciphertext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

*

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

*

* Cross-account use: This operation can't be used across different Amazon Web Services accounts.
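Review bot: typo in the new length-constraint paragraph of the DecryptData doc comment: "it sould be equal to the key size" should read "it should be equal to the key size", and "it" is clearer spelled out as "the ciphertext length". This comment also now names DUKPT and EMV as derived-key schemes but, unlike the EncryptData comment in the same change, never says which key the caller must hold for them (a BDK or IMK with KeyModesOfUse set to DeriveKey, while the symmetric or asymmetric key needs Decrypt); adding that sentence here would keep the two operations' docs in step.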

@@ -88,6 +89,14 @@ export interface DecryptDataCommandOutput extends DecryptDataOutput, __MetadataB * DukptKeyVariant: "STRING_VALUE", * InitializationVector: "STRING_VALUE", * }, + * Emv: { // EmvEncryptionAttributes + * MajorKeyDerivationMode: "STRING_VALUE", // required + * PrimaryAccountNumber: "STRING_VALUE", // required + * PanSequenceNumber: "STRING_VALUE", // required + * SessionDerivationData: "STRING_VALUE", // required + * Mode: "STRING_VALUE", + * InitializationVector: "STRING_VALUE", + * }, * }, * }; * const command = new DecryptDataCommand(input); diff --git a/clients/client-payment-cryptography-data/src/commands/EncryptDataCommand.ts b/clients/client-payment-cryptography-data/src/commands/EncryptDataCommand.ts index 6141f9a75aef..3ef8c231036c 100644 --- a/clients/client-payment-cryptography-data/src/commands/EncryptDataCommand.ts +++ b/clients/client-payment-cryptography-data/src/commands/EncryptDataCommand.ts @@ -37,9 +37,11 @@ export interface EncryptDataCommandOutput extends EncryptDataOutput, __MetadataB /** * @public - *

Encrypts plaintext data to ciphertext using symmetric, asymmetric, or DUKPT data encryption key. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

- *

You can generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside Amazon Web Services Payment Cryptography by calling ImportKey).

- *

for symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA. To encrypt using DUKPT, you must already have a DUKPT key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey.

+ *

Encrypts plaintext data to ciphertext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

+ *

You can generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside Amazon Web Services Payment Cryptography by calling ImportKey.

+ *

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV encryption, Amazon Web Services Payment Cryptography supports TDES algorithms.For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA.

+ *

When you use TDES or TDES DUKPT, the plaintext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the plaintext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

+ *

To encrypt using DUKPT, you must already have a BDK (Base Derivation Key) key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey. To encrypt using EMV, you must already have an IMK (Issuer Master Key) key in your account with KeyModesOfUse set to DeriveKey.

*

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

*

* Cross-account use: This operation can't be used across different Amazon Web Services accounts.
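Review bot: two text defects in the new EncryptData doc paragraphs: "TDES algorithms.For asymmetric encryption" is missing a space after the period, and "it sould be equal to the key size" should be "it should be equal to the key size". While touching these lines, "plaintext is encrypted using public component" reads better as "using the public component", and "a BDK (Base Derivation Key) key" and "an IMK (Issuer Master Key) key" both repeat "key".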

@@ -93,6 +95,14 @@ export interface EncryptDataCommandOutput extends EncryptDataOutput, __MetadataB * DukptKeyVariant: "STRING_VALUE", * InitializationVector: "STRING_VALUE", * }, + * Emv: { // EmvEncryptionAttributes + * MajorKeyDerivationMode: "STRING_VALUE", // required + * PrimaryAccountNumber: "STRING_VALUE", // required + * PanSequenceNumber: "STRING_VALUE", // required + * SessionDerivationData: "STRING_VALUE", // required + * Mode: "STRING_VALUE", + * InitializationVector: "STRING_VALUE", + * }, * }, * }; * const command = new EncryptDataCommand(input); diff --git a/clients/client-payment-cryptography-data/src/commands/GenerateMacCommand.ts b/clients/client-payment-cryptography-data/src/commands/GenerateMacCommand.ts index 8e32270de23e..381bb18fc093 100644 --- a/clients/client-payment-cryptography-data/src/commands/GenerateMacCommand.ts +++ b/clients/client-payment-cryptography-data/src/commands/GenerateMacCommand.ts @@ -33,7 +33,8 @@ export interface GenerateMacCommandOutput extends GenerateMacOutput, __MetadataB /** * @public *

Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography.

- *

You can use this operation when keys won't be shared but mutual data is present on both ends for validation. In this case, known data values are used to generate a MAC on both ends for comparision without sending or receiving data in ciphertext or plaintext. You can use this operation to generate a DUPKT, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for KeyUsage such as TR31_M7_HMAC_KEY for HMAC generation, and they key must have KeyModesOfUse set to Generate and Verify.

+ *

You can use this operation to authenticate card-related data by using known data values to generate MAC for data validation between the sending and receiving parties. This operation uses message data, a secret encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC must use the same message data, secret encryption key and MAC algorithm to reproduce another MAC value for comparision.

+ *

You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for KeyUsage such as TR31_M7_HMAC_KEY for HMAC generation, and they key must have KeyModesOfUse set to Generate and Verify.

*

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

*

* Cross-account use: This operation can't be used across different Amazon Web Services accounts.
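Review bot: the rewritten GenerateMac paragraphs carry over typos from the lines they replace: "DUPKT" should be "DUKPT" (the derivation scheme is spelled that way everywhere else in this client), "they key must have KeyModesOfUse" should be "the key must have", and "comparision" should be "comparison"; "generate MAC for data validation" also wants an article ("generate a MAC").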

diff --git a/clients/client-payment-cryptography-data/src/commands/TranslatePinDataCommand.ts b/clients/client-payment-cryptography-data/src/commands/TranslatePinDataCommand.ts index 8d7dfbeade31..51e8fd333459 100644 --- a/clients/client-payment-cryptography-data/src/commands/TranslatePinDataCommand.ts +++ b/clients/client-payment-cryptography-data/src/commands/TranslatePinDataCommand.ts @@ -37,11 +37,11 @@ export interface TranslatePinDataCommandOutput extends TranslatePinDataOutput, _ /** * @public *

Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see Translate PIN data in the Amazon Web Services Payment Cryptography User Guide.

- *

PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports TDES and AES key derivation type for DUKPT tranlations. You can use this operation for P2PE (Point to Point Encryption) use cases where the encryption keys should change but the processing system either does not need to, or is not permitted to, decrypt the data.

+ *

PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports TDES and AES key derivation type for DUKPT translations.

*

The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation.

*

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

* - *

At this time, Amazon Web Services Payment Cryptography does not support translations to PIN format 4.

+ *

Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.

*
*

* Cross-account use: This operation can't be used across different Amazon Web Services accounts.
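Review bot: "encrytion of PIN block" in the rewritten TranslatePinData paragraph keeps the misspelling from the removed line; it should be "encryption of the PIN block". In the new format-4 sentence, "ISO PIN block 4" should match the "ISO 9564 formats 0,1,3,4" wording at the top of the same comment ("ISO 9564 format 4"), and "right most 12 digits" should be "rightmost 12 digits". Since the removed sentence said format 4 was not supported at all, it would help readers to state explicitly whether translation to format 4 for PIN blocks built with non-legacy PAN lengths remains unsupported.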

diff --git a/clients/client-payment-cryptography-data/src/commands/VerifyMacCommand.ts b/clients/client-payment-cryptography-data/src/commands/VerifyMacCommand.ts index 82d409e6b5c5..135d677852bb 100644 --- a/clients/client-payment-cryptography-data/src/commands/VerifyMacCommand.ts +++ b/clients/client-payment-cryptography-data/src/commands/VerifyMacCommand.ts @@ -33,7 +33,7 @@ export interface VerifyMacCommandOutput extends VerifyMacOutput, __MetadataBeare /** * @public *

Verifies a Message Authentication Code (MAC).

- *

You can use this operation when keys won't be shared but mutual data is present on both ends for validation. In this case, known data values are used to generate a MAC on both ends for verification without sending or receiving data in ciphertext or plaintext. You can use this operation to verify a DUPKT, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. Use the same encryption key for MAC verification as you use for GenerateMac.

+ *

You can use this operation to verify MAC for message data authentication such as . In this operation, you must use the same message data, secret encryption key and MAC algorithm that was used to generate MAC. You can use this operation to verify a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values.

*

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

*

* Cross-account use: This operation can't be used across different Amazon Web Services accounts.
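Review bot: the new first sentence of the VerifyMac doc comment is incomplete: "verify MAC for message data authentication such as ." ends in a dangling "such as" with no example. Either supply the example that was meant or drop "such as" so it reads "You can use this operation to verify a MAC for message data authentication." The same paragraph repeats the "DUPKT" misspelling (should be "DUKPT").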

diff --git a/clients/client-payment-cryptography-data/src/models/models_0.ts b/clients/client-payment-cryptography-data/src/models/models_0.ts index fc3ac732b058..58a3614282be 100644 --- a/clients/client-payment-cryptography-data/src/models/models_0.ts +++ b/clients/client-payment-cryptography-data/src/models/models_0.ts @@ -723,7 +723,7 @@ export interface DukptEncryptionAttributes { /** * @public - *

The block cipher mode of operation. Block ciphers are designed to encrypt a block of data of fixed size, for example, 128 bits. The size of the input block is usually same as the size of the encrypted output block, while the key length can be different. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

+ *

The block cipher method to use for encryption.

*

The default is CBC.

*/ Mode?: DukptEncryptionMode; @@ -743,7 +743,77 @@ export interface DukptEncryptionAttributes { /** * @public - *

An input to cryptographic primitive used to provide the intial state. Typically the InitializationVector must have a random or psuedo-random value, but sometimes it only needs to be unpredictable or unique. If you don't provide a value, Amazon Web Services Payment Cryptography generates a random value.

+ *

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

+ */ + InitializationVector?: string; +} + +/** + * @public + * @enum + */ +export const EmvMajorKeyDerivationMode = { + EMV_OPTION_A: "EMV_OPTION_A", + EMV_OPTION_B: "EMV_OPTION_B", +} as const; + +/** + * @public + */ +export type EmvMajorKeyDerivationMode = (typeof EmvMajorKeyDerivationMode)[keyof typeof EmvMajorKeyDerivationMode]; + +/** + * @public + * @enum + */ +export const EmvEncryptionMode = { + CBC: "CBC", + ECB: "ECB", +} as const; + +/** + * @public + */ +export type EmvEncryptionMode = (typeof EmvEncryptionMode)[keyof typeof EmvEncryptionMode]; + +/** + * @public + *

Parameters for plaintext encryption using EMV keys.

+ */ +export interface EmvEncryptionAttributes { + /** + * @public + *

The EMV derivation mode to use for ICC master key derivation as per EMV version 4.3 book 2.

+ */ + MajorKeyDerivationMode: EmvMajorKeyDerivationMode | undefined; + + /** + * @public + *

The Primary Account Number (PAN), a unique identifier for a payment credit or debit card and associates the card to a specific account holder.

+ */ + PrimaryAccountNumber: string | undefined; + + /** + * @public + *

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

+ */ + PanSequenceNumber: string | undefined; + + /** + * @public + *

The derivation value used to derive the ICC session key. It is typically the application transaction counter value padded with zeros or previous ARQC value padded with zeros as per EMV version 4.3 book 2.

+ */ + SessionDerivationData: string | undefined; + + /** + * @public + *

The block cipher method to use for encryption.

+ */ + Mode?: EmvEncryptionMode; + + /** + * @public + *

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

*/ InitializationVector?: string; } @@ -775,13 +845,13 @@ export type EncryptionMode = (typeof EncryptionMode)[keyof typeof EncryptionMode export interface SymmetricEncryptionAttributes { /** * @public - *

The block cipher mode of operation. Block ciphers are designed to encrypt a block of data of fixed size (for example, 128 bits). The size of the input block is usually same as the size of the encrypted output block, while the key length can be different. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

+ *

The block cipher method to use for encryption.

*/ Mode: EncryptionMode | undefined; /** * @public - *

An input to cryptographic primitive used to provide the intial state. The InitializationVector is typically required have a random or psuedo-random value, but sometimes it only needs to be unpredictable or unique. If a value is not provided, Amazon Web Services Payment Cryptography generates a random value.

+ *

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

*/ InitializationVector?: string; @@ -799,6 +869,7 @@ export interface SymmetricEncryptionAttributes { export type EncryptionDecryptionAttributes = | EncryptionDecryptionAttributes.AsymmetricMember | EncryptionDecryptionAttributes.DukptMember + | EncryptionDecryptionAttributes.EmvMember | EncryptionDecryptionAttributes.SymmetricMember | EncryptionDecryptionAttributes.$UnknownMember; @@ -814,6 +885,7 @@ export namespace EncryptionDecryptionAttributes { Symmetric: SymmetricEncryptionAttributes; Asymmetric?: never; Dukpt?: never; + Emv?: never; $unknown?: never; } @@ -825,6 +897,7 @@ export namespace EncryptionDecryptionAttributes { Symmetric?: never; Asymmetric: AsymmetricEncryptionAttributes; Dukpt?: never; + Emv?: never; $unknown?: never; } @@ -836,6 +909,19 @@ export namespace EncryptionDecryptionAttributes { Symmetric?: never; Asymmetric?: never; Dukpt: DukptEncryptionAttributes; + Emv?: never; + $unknown?: never; + } + + /** + * @public + *

Parameters for plaintext encryption using EMV keys.

+ */ + export interface EmvMember { + Symmetric?: never; + Asymmetric?: never; + Dukpt?: never; + Emv: EmvEncryptionAttributes; $unknown?: never; } @@ -846,6 +932,7 @@ export namespace EncryptionDecryptionAttributes { Symmetric?: never; Asymmetric?: never; Dukpt?: never; + Emv?: never; $unknown: [string, any]; } @@ -853,6 +940,7 @@ export namespace EncryptionDecryptionAttributes { Symmetric: (value: SymmetricEncryptionAttributes) => T; Asymmetric: (value: AsymmetricEncryptionAttributes) => T; Dukpt: (value: DukptEncryptionAttributes) => T; + Emv: (value: EmvEncryptionAttributes) => T; _: (name: string, value: any) => T; } @@ -860,6 +948,7 @@ export namespace EncryptionDecryptionAttributes { if (value.Symmetric !== undefined) return visitor.Symmetric(value.Symmetric); if (value.Asymmetric !== undefined) return visitor.Asymmetric(value.Asymmetric); if (value.Dukpt !== undefined) return visitor.Dukpt(value.Dukpt); + if (value.Emv !== undefined) return visitor.Emv(value.Emv); return visitor._(value.$unknown[0], value.$unknown[1]); }; } @@ -899,13 +988,14 @@ export interface DecryptDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue: string | undefined; /** * @public - *

The decrypted plaintext data.

+ *

The decrypted plaintext data in hexBinary format.

*/ PlainText: string | undefined; } @@ -1081,6 +1171,9 @@ export interface EncryptDataInput { /** * @public *

The plaintext to be encrypted.

+ * + *

For encryption using asymmetric keys, plaintext data length is constrained by encryption key strength that you define in KeyAlgorithm and padding type that you define in AsymmetricEncryptionAttributes. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

+ *
*/ PlainText: string | undefined; @@ -1103,7 +1196,8 @@ export interface EncryptDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue?: string; @@ -1155,7 +1249,8 @@ export interface GenerateCardValidationDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue: string | undefined; @@ -1389,7 +1484,7 @@ export namespace MacAttributes { /** * @public - *

Parameters that are required for MAC generation or verification using DUKPT ISO 9797 algorithm2.

+ *

Parameters that are required for MAC generation or verification using DUKPT ISO 9797 algorithm3.

*/ export interface DukptIso9797Algorithm3Member { Algorithm?: never; @@ -1456,7 +1551,7 @@ export interface GenerateMacInput { /** * @public - *

The data for which a MAC is under generation.

+ *

The data for which a MAC is under generation. This value must be hexBinary.

*/ MessageData: string | undefined; @@ -1485,7 +1580,8 @@ export interface GenerateMacOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue: string | undefined; @@ -1891,7 +1987,8 @@ export interface GeneratePinDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ GenerationKeyCheckValue: string | undefined; @@ -1903,7 +2000,8 @@ export interface GeneratePinDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ EncryptionKeyCheckValue: string | undefined; @@ -2052,7 +2150,8 @@ export interface ReEncryptDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue: string | undefined; @@ -2190,13 +2289,13 @@ export interface TranslatePinDataInput { /** * @public - *

The format of the incoming PIN block data for tranlation within Amazon Web Services Payment Cryptography.

+ *

The format of the incoming PIN block data for translation within Amazon Web Services Payment Cryptography.

*/ IncomingTranslationAttributes: TranslationIsoFormats | undefined; /** * @public - *

The format of the outgoing PIN block data after tranlation by Amazon Web Services Payment Cryptography.

+ *

The format of the outgoing PIN block data after translation by Amazon Web Services Payment Cryptography.

*/ OutgoingTranslationAttributes: TranslationIsoFormats | undefined; @@ -2208,7 +2307,7 @@ export interface TranslatePinDataInput { /** * @public - *

The attributes and values to use for incoming DUKPT encryption key for PIN block tranlation.

+ *

The attributes and values to use for incoming DUKPT encryption key for PIN block translation.

*/ IncomingDukptAttributes?: DukptDerivationAttributes; @@ -2225,7 +2324,7 @@ export interface TranslatePinDataInput { export interface TranslatePinDataOutput { /** * @public - *

The ougoing encrypted PIN block data after tranlation.

+ *

The outgoing encrypted PIN block data after translation.

*/ PinBlock: string | undefined; @@ -2237,7 +2336,8 @@ export interface TranslatePinDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue: string | undefined; } @@ -2566,7 +2666,8 @@ export interface VerifyAuthRequestCryptogramOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue: string | undefined; @@ -2618,7 +2719,8 @@ export interface VerifyCardValidationDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue: string | undefined; } @@ -2635,7 +2737,7 @@ export interface VerifyMacInput { /** * @public - *

The data on for which MAC is under verification.

+ *

The data on for which MAC is under verification. This value must be hexBinary.

*/ MessageData: string | undefined; @@ -2670,7 +2772,8 @@ export interface VerifyMacOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ KeyCheckValue: string | undefined; } @@ -2815,7 +2918,8 @@ export interface VerifyPinDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ VerificationKeyCheckValue: string | undefined; @@ -2827,7 +2931,8 @@ export interface VerifyPinDataOutput { /** * @public - *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

+ *

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

+ *

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

*/ EncryptionKeyCheckValue: string | undefined; } @@ -2840,6 +2945,15 @@ export const DukptEncryptionAttributesFilterSensitiveLog = (obj: DukptEncryption ...(obj.InitializationVector && { InitializationVector: SENSITIVE_STRING }), }); +/** + * @internal + */ +export const EmvEncryptionAttributesFilterSensitiveLog = (obj: EmvEncryptionAttributes): any => ({ + ...obj, + ...(obj.PrimaryAccountNumber && { PrimaryAccountNumber: SENSITIVE_STRING }), + ...(obj.InitializationVector && { InitializationVector: SENSITIVE_STRING }), +}); + /** * @internal */ @@ -2855,6 +2969,7 @@ export const EncryptionDecryptionAttributesFilterSensitiveLog = (obj: Encryption if (obj.Symmetric !== undefined) return { Symmetric: SymmetricEncryptionAttributesFilterSensitiveLog(obj.Symmetric) }; if (obj.Asymmetric !== undefined) return { Asymmetric: obj.Asymmetric }; if (obj.Dukpt !== undefined) return { Dukpt: DukptEncryptionAttributesFilterSensitiveLog(obj.Dukpt) }; + if (obj.Emv !== undefined) return { Emv: EmvEncryptionAttributesFilterSensitiveLog(obj.Emv) }; if (obj.$unknown !== undefined) return { [obj.$unknown[0]]: "UNKNOWN" }; }; diff --git a/clients/client-payment-cryptography-data/src/protocols/Aws_restJson1.ts b/clients/client-payment-cryptography-data/src/protocols/Aws_restJson1.ts index 66fa0e02c370..3f0c23161890 100644 --- a/clients/client-payment-cryptography-data/src/protocols/Aws_restJson1.ts +++ b/clients/client-payment-cryptography-data/src/protocols/Aws_restJson1.ts @@ -64,6 +64,7 @@ import { DukptEncryptionAttributes, DynamicCardVerificationCode, DynamicCardVerificationValue, + EmvEncryptionAttributes, EncryptionDecryptionAttributes, Ibm3624NaturalPin, Ibm3624PinFromOffset, @@ -828,6 +829,8 @@ const de_VerificationFailedExceptionRes = async ( // se_DynamicCardVerificationValue omitted. +// se_EmvEncryptionAttributes omitted. + // se_EncryptionDecryptionAttributes omitted. // se_Ibm3624NaturalPin omitted. 
diff --git a/codegen/sdk-codegen/aws-models/payment-cryptography-data.json b/codegen/sdk-codegen/aws-models/payment-cryptography-data.json index 7773e40d66bd..b2296ee18b8a 100644 --- a/codegen/sdk-codegen/aws-models/payment-cryptography-data.json +++ b/codegen/sdk-codegen/aws-models/payment-cryptography-data.json @@ -313,7 +313,7 @@ } ], "traits": { - "smithy.api#documentation": "

Decrypts ciphertext data to plaintext using symmetric, asymmetric, or DUKPT data encryption key. For more information, see Decrypt data in the Amazon Web Services Payment Cryptography User Guide.

\n

You can use an encryption key generated within Amazon Web Services Payment Cryptography, or you can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Decrypt. In asymmetric decryption, Amazon Web Services Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of Amazon Web Services Payment Cryptography, you can export the public component of the asymmetric key pair by calling GetPublicCertificate.

\n

For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For asymmetric decryption, Amazon Web Services Payment Cryptography supports RSA. When you use DUKPT, for TDES algorithm, the ciphertext data length must be a multiple of 16 bytes. For AES algorithm, the ciphertext data length must be a multiple of 32 bytes.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", + "smithy.api#documentation": "

Decrypts ciphertext data to plaintext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Decrypt data in the Amazon Web Services Payment Cryptography User Guide.

\n

You can use an encryption key generated within Amazon Web Services Payment Cryptography, or you can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Decrypt. In asymmetric decryption, Amazon Web Services Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of Amazon Web Services Payment Cryptography, you can export the public component of the asymmetric key pair by calling GetPublicCertificate.

\n

For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV decryption, Amazon Web Services Payment Cryptography supports TDES algorithms. For asymmetric decryption, Amazon Web Services Payment Cryptography supports RSA.

\n

When you use TDES or TDES DUKPT, the ciphertext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the ciphertext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", "smithy.api#http": { "method": "POST", "uri": "/keys/{KeyIdentifier}/decrypt", @@ -364,14 +364,14 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }, "PlainText": { "target": "com.amazonaws.paymentcryptographydata#HexEvenLengthBetween16And4096", "traits": { - "smithy.api#documentation": "

The decrypted plaintext data.

", + "smithy.api#documentation": "

The decrypted plaintext data in hexBinary format.

", "smithy.api#required": {} } } @@ -498,7 +498,7 @@ "Mode": { "target": "com.amazonaws.paymentcryptographydata#DukptEncryptionMode", "traits": { - "smithy.api#documentation": "

The block cipher mode of operation. Block ciphers are designed to encrypt a block of data of fixed size, for example, 128 bits. The size of the input block is usually same as the size of the encrypted output block, while the key length can be different. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

\n

The default is CBC.

" + "smithy.api#documentation": "

The block cipher method to use for encryption.

\n

The default is CBC.

" } }, "DukptKeyDerivationType": { @@ -516,7 +516,7 @@ "InitializationVector": { "target": "com.amazonaws.paymentcryptographydata#HexLength16Or32", "traits": { - "smithy.api#documentation": "

An input to cryptographic primitive used to provide the intial state. Typically the InitializationVector must have a random or psuedo-random value, but sometimes it only needs to be unpredictable or unique. If you don't provide a value, Amazon Web Services Payment Cryptography generates a random value.

" + "smithy.api#documentation": "

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

" } } }, @@ -630,6 +630,84 @@ "smithy.api#documentation": "

Parameters that are required to generate or verify Dynamic Card Verification Value (dCVV).

" } }, + "com.amazonaws.paymentcryptographydata#EmvEncryptionAttributes": { + "type": "structure", + "members": { + "MajorKeyDerivationMode": { + "target": "com.amazonaws.paymentcryptographydata#EmvMajorKeyDerivationMode", + "traits": { + "smithy.api#documentation": "

The EMV derivation mode to use for ICC master key derivation as per EMV version 4.3 book 2.

", + "smithy.api#required": {} + } + }, + "PrimaryAccountNumber": { + "target": "com.amazonaws.paymentcryptographydata#NumberLengthBetween12And19", + "traits": { + "smithy.api#documentation": "

The Primary Account Number (PAN), a unique identifier for a payment credit or debit card and associates the card to a specific account holder.

", + "smithy.api#required": {} + } + }, + "PanSequenceNumber": { + "target": "com.amazonaws.paymentcryptographydata#HexLengthEquals2", + "traits": { + "smithy.api#documentation": "

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

", + "smithy.api#required": {} + } + }, + "SessionDerivationData": { + "target": "com.amazonaws.paymentcryptographydata#HexLengthEquals16", + "traits": { + "smithy.api#documentation": "

The derivation value used to derive the ICC session key. It is typically the application transaction counter value padded with zeros or previous ARQC value padded with zeros as per EMV version 4.3 book 2.

", + "smithy.api#required": {} + } + }, + "Mode": { + "target": "com.amazonaws.paymentcryptographydata#EmvEncryptionMode", + "traits": { + "smithy.api#documentation": "

The block cipher method to use for encryption.

" + } + }, + "InitializationVector": { + "target": "com.amazonaws.paymentcryptographydata#HexLength16Or32", + "traits": { + "smithy.api#documentation": "

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Parameters for plaintext encryption using EMV keys.

" + } + }, + "com.amazonaws.paymentcryptographydata#EmvEncryptionMode": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "ECB", + "name": "ECB" + }, + { + "value": "CBC", + "name": "CBC" + } + ] + } + }, + "com.amazonaws.paymentcryptographydata#EmvMajorKeyDerivationMode": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "EMV_OPTION_A", + "name": "EMV_OPTION_A" + }, + { + "value": "EMV_OPTION_B", + "name": "EMV_OPTION_B" + } + ] + } + }, "com.amazonaws.paymentcryptographydata#EncryptData": { "type": "operation", "input": { @@ -656,7 +734,7 @@ } ], "traits": { - "smithy.api#documentation": "

Encrypts plaintext data to ciphertext using symmetric, asymmetric, or DUKPT data encryption key. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

\n

You can generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside Amazon Web Services Payment Cryptography by calling ImportKey).

\n

for symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA. To encrypt using DUKPT, you must already have a DUKPT key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", + "smithy.api#documentation": "

Encrypts plaintext data to ciphertext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

\n

You can generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside Amazon Web Services Payment Cryptography by calling ImportKey.

\n

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV encryption, Amazon Web Services Payment Cryptography supports TDES algorithms.For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA.

\n

When you use TDES or TDES DUKPT, the plaintext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the plaintext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

\n

To encrypt using DUKPT, you must already have a BDK (Base Derivation Key) key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey. To encrypt using EMV, you must already have an IMK (Issuer Master Key) key in your account with KeyModesOfUse set to DeriveKey.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", "smithy.api#http": { "method": "POST", "uri": "/keys/{KeyIdentifier}/encrypt", @@ -678,7 +756,7 @@ "PlainText": { "target": "com.amazonaws.paymentcryptographydata#HexEvenLengthBetween16And4064", "traits": { - "smithy.api#documentation": "

The plaintext to be encrypted.

", + "smithy.api#documentation": "

The plaintext to be encrypted.

\n \n

For encryption using asymmetric keys, plaintext data length is constrained by encryption key strength that you define in KeyAlgorithm and padding type that you define in AsymmetricEncryptionAttributes. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

\n
", "smithy.api#required": {} } }, @@ -707,7 +785,7 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

" + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

" } }, "CipherText": { @@ -736,6 +814,12 @@ }, "Dukpt": { "target": "com.amazonaws.paymentcryptographydata#DukptEncryptionAttributes" + }, + "Emv": { + "target": "com.amazonaws.paymentcryptographydata#EmvEncryptionAttributes", + "traits": { + "smithy.api#documentation": "

Parameters for plaintext encryption using EMV keys.

" + } } }, "traits": { @@ -863,7 +947,7 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }, @@ -905,7 +989,7 @@ } ], "traits": { - "smithy.api#documentation": "

Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography.

\n

You can use this operation when keys won't be shared but mutual data is present on both ends for validation. In this case, known data values are used to generate a MAC on both ends for comparision without sending or receiving data in ciphertext or plaintext. You can use this operation to generate a DUPKT, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for KeyUsage such as TR31_M7_HMAC_KEY for HMAC generation, and they key must have KeyModesOfUse set to Generate and Verify.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", + "smithy.api#documentation": "

Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography.

\n

You can use this operation to authenticate card-related data by using known data values to generate MAC for data validation between the sending and receiving parties. This operation uses message data, a secret encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC must use the same message data, secret encryption key and MAC algorithm to reproduce another MAC value for comparision.

\n

You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for KeyUsage such as TR31_M7_HMAC_KEY for HMAC generation, and they key must have KeyModesOfUse set to Generate and Verify.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", "smithy.api#http": { "method": "POST", "uri": "/mac/generate", @@ -926,7 +1010,7 @@ "MessageData": { "target": "com.amazonaws.paymentcryptographydata#HexEvenLengthBetween2And4096", "traits": { - "smithy.api#documentation": "

The data for which a MAC is under generation.

", + "smithy.api#documentation": "

The data for which a MAC is under generation. This value must be hexBinary.

", "smithy.api#required": {} } }, @@ -961,7 +1045,7 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }, @@ -1074,7 +1158,7 @@ "GenerationKeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }, @@ -1088,7 +1172,7 @@ "EncryptionKeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }, @@ -1494,7 +1578,6 @@ "com.amazonaws.paymentcryptographydata#IntegerRangeBetween4And12": { "type": "integer", "traits": { - "smithy.api#default": 0, "smithy.api#range": { "min": 4, "max": 12 @@ -1683,7 +1766,7 @@ "DukptIso9797Algorithm3": { "target": "com.amazonaws.paymentcryptographydata#MacAlgorithmDukpt", "traits": { - "smithy.api#documentation": "

Parameters that are required for MAC generation or verification using DUKPT ISO 9797 algorithm2.

" + "smithy.api#documentation": "

Parameters that are required for MAC generation or verification using DUKPT ISO 9797 algorithm3.

" } }, "DukptCmac": { @@ -2713,7 +2796,7 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }, @@ -2991,14 +3074,14 @@ "Mode": { "target": "com.amazonaws.paymentcryptographydata#EncryptionMode", "traits": { - "smithy.api#documentation": "

The block cipher mode of operation. Block ciphers are designed to encrypt a block of data of fixed size (for example, 128 bits). The size of the input block is usually same as the size of the encrypted output block, while the key length can be different. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

", + "smithy.api#documentation": "

The block cipher method to use for encryption.

", "smithy.api#required": {} } }, "InitializationVector": { "target": "com.amazonaws.paymentcryptographydata#HexLength16Or32", "traits": { - "smithy.api#documentation": "

An input to cryptographic primitive used to provide the intial state. The InitializationVector is typically required have a random or psuedo-random value, but sometimes it only needs to be unpredictable or unique. If a value is not provided, Amazon Web Services Payment Cryptography generates a random value.

" + "smithy.api#documentation": "

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

" } }, "PaddingType": { @@ -3051,7 +3134,7 @@ } ], "traits": { - "smithy.api#documentation": "

Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see Translate PIN data in the Amazon Web Services Payment Cryptography User Guide.

\n

PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports TDES and AES key derivation type for DUKPT tranlations. You can use this operation for P2PE (Point to Point Encryption) use cases where the encryption keys should change but the processing system either does not need to, or is not permitted to, decrypt the data.

\n

The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n \n

At this time, Amazon Web Services Payment Cryptography does not support translations to PIN format 4.

\n
\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", + "smithy.api#documentation": "

Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see Translate PIN data in the Amazon Web Services Payment Cryptography User Guide.

\n

PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports TDES and AES key derivation type for DUKPT translations.

\n

The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n \n

Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.

\n
\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", "smithy.api#http": { "method": "POST", "uri": "/pindata/translate", @@ -3079,14 +3162,14 @@ "IncomingTranslationAttributes": { "target": "com.amazonaws.paymentcryptographydata#TranslationIsoFormats", "traits": { - "smithy.api#documentation": "

The format of the incoming PIN block data for tranlation within Amazon Web Services Payment Cryptography.

", + "smithy.api#documentation": "

The format of the incoming PIN block data for translation within Amazon Web Services Payment Cryptography.

", "smithy.api#required": {} } }, "OutgoingTranslationAttributes": { "target": "com.amazonaws.paymentcryptographydata#TranslationIsoFormats", "traits": { - "smithy.api#documentation": "

The format of the outgoing PIN block data after tranlation by Amazon Web Services Payment Cryptography.

", + "smithy.api#documentation": "

The format of the outgoing PIN block data after translation by Amazon Web Services Payment Cryptography.

", "smithy.api#required": {} } }, @@ -3100,7 +3183,7 @@ "IncomingDukptAttributes": { "target": "com.amazonaws.paymentcryptographydata#DukptDerivationAttributes", "traits": { - "smithy.api#documentation": "

The attributes and values to use for incoming DUKPT encryption key for PIN block tranlation.

" + "smithy.api#documentation": "

The attributes and values to use for incoming DUKPT encryption key for PIN block translation.

" } }, "OutgoingDukptAttributes": { @@ -3120,7 +3203,7 @@ "PinBlock": { "target": "com.amazonaws.paymentcryptographydata#HexLengthBetween16And32", "traits": { - "smithy.api#documentation": "

The ougoing encrypted PIN block data after tranlation.

", + "smithy.api#documentation": "

The outgoing encrypted PIN block data after translation.

", "smithy.api#required": {} } }, @@ -3134,7 +3217,7 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } } @@ -3391,7 +3474,7 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }, @@ -3492,7 +3575,7 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } } @@ -3530,7 +3613,7 @@ } ], "traits": { - "smithy.api#documentation": "

Verifies a Message Authentication Code (MAC).

\n

You can use this operation when keys won't be shared but mutual data is present on both ends for validation. In this case, known data values are used to generate a MAC on both ends for verification without sending or receiving data in ciphertext or plaintext. You can use this operation to verify a DUPKT, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. Use the same encryption key for MAC verification as you use for GenerateMac.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", + "smithy.api#documentation": "

Verifies a Message Authentication Code (MAC).

\n

You can use this operation to verify MAC for message data authentication such as . In this operation, you must use the same message data, secret encryption key and MAC algorithm that was used to generate MAC. You can use this operation to verify a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values.

\n

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

\n

\n Cross-account use: This operation can't be used across different Amazon Web Services accounts.

\n

\n Related operations:\n

\n ", "smithy.api#http": { "method": "POST", "uri": "/mac/verify", @@ -3551,7 +3634,7 @@ "MessageData": { "target": "com.amazonaws.paymentcryptographydata#HexEvenLengthBetween2And4096", "traits": { - "smithy.api#documentation": "

The data on for which MAC is under verification.

", + "smithy.api#documentation": "

The data on for which MAC is under verification. This value must be hexBinary.

", "smithy.api#required": {} } }, @@ -3593,7 +3676,7 @@ "KeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } } @@ -3715,7 +3798,7 @@ "VerificationKeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }, @@ -3729,7 +3812,7 @@ "EncryptionKeyCheckValue": { "target": "com.amazonaws.paymentcryptographydata#KeyCheckValue", "traits": { - "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", + "smithy.api#documentation": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

\n

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", "smithy.api#required": {} } }