@aws-sdk/client-payment-cryptography-data 3.899.0 → 3.903.0

package/dist-types/commands/TranslateKeyMaterialCommand.d.ts

@@ -0,0 +1,112 @@
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+import { TranslateKeyMaterialInput, TranslateKeyMaterialOutput } from "../models/models_0";
+import { PaymentCryptographyDataClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../PaymentCryptographyDataClient";
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link TranslateKeyMaterialCommand}.
+ */
+export interface TranslateKeyMaterialCommandInput extends TranslateKeyMaterialInput {
+}
+/**
+ * @public
+ *
+ * The output of {@link TranslateKeyMaterialCommand}.
+ */
+export interface TranslateKeyMaterialCommandOutput extends TranslateKeyMaterialOutput, __MetadataBearer {
+}
+declare const TranslateKeyMaterialCommand_base: {
+    new (input: TranslateKeyMaterialCommandInput): import("@smithy/smithy-client").CommandImpl<TranslateKeyMaterialCommandInput, TranslateKeyMaterialCommandOutput, PaymentCryptographyDataClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    new (input: TranslateKeyMaterialCommandInput): import("@smithy/smithy-client").CommandImpl<TranslateKeyMaterialCommandInput, TranslateKeyMaterialCommandOutput, PaymentCryptographyDataClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
+};
+/**
+ * <p>Translates an encryption key between different wrapping keys without importing the key into Amazon Web Services Payment Cryptography.</p> <p>This operation can be used when key material is frequently rotated, such as during every card transaction, and there is a need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. It translates short-lived transaction keys such as Pin Encryption Key (PEK) generated for each transaction and wrapped with an ECDH (Elliptic Curve Diffie-Hellman) derived wrapping key to another KEK (Key Encryption Key) wrapping key. </p> <p>Before using this operation, you must first request the public key certificate of the ECC key pair generated within Amazon Web Services Payment Cryptography to establish an ECDH key agreement. In <code>TranslateKeyData</code>, the service uses its own ECC key pair, public certificate of receiving ECC key pair, and the key derivation parameters to generate a derived key. The service uses this derived key to unwrap the incoming transaction key received as a TR31WrappedKeyBlock and re-wrap using a user provided KEK to generate an outgoing Tr31WrappedKeyBlock. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Creating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>. </p> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html">CreateKey</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html">GetPublicCertificate</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a> </p> </li> </ul>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { PaymentCryptographyDataClient, TranslateKeyMaterialCommand } from "@aws-sdk/client-payment-cryptography-data"; // ES Modules import
+ * // const { PaymentCryptographyDataClient, TranslateKeyMaterialCommand } = require("@aws-sdk/client-payment-cryptography-data"); // CommonJS import
+ * // import type { PaymentCryptographyDataClientConfig } from "@aws-sdk/client-payment-cryptography-data";
+ * const config = {}; // type is PaymentCryptographyDataClientConfig
+ * const client = new PaymentCryptographyDataClient(config);
+ * const input = { // TranslateKeyMaterialInput
+ *   IncomingKeyMaterial: { // IncomingKeyMaterial Union: only one key present
+ *     DiffieHellmanTr31KeyBlock: { // IncomingDiffieHellmanTr31KeyBlock
+ *       PrivateKeyIdentifier: "STRING_VALUE", // required
+ *       CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+ *       PublicKeyCertificate: "STRING_VALUE", // required
+ *       DeriveKeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256" || "HMAC_SHA256" || "HMAC_SHA384" || "HMAC_SHA512" || "HMAC_SHA224", // required
+ *       KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+ *       KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+ *       DerivationData: { // DiffieHellmanDerivationData Union: only one key present
+ *         SharedInformation: "STRING_VALUE",
+ *       },
+ *       WrappedKeyBlock: "STRING_VALUE", // required
+ *     },
+ *   },
+ *   OutgoingKeyMaterial: { // OutgoingKeyMaterial Union: only one key present
+ *     Tr31KeyBlock: { // OutgoingTr31KeyBlock
+ *       WrappingKeyIdentifier: "STRING_VALUE", // required
+ *     },
+ *   },
+ *   KeyCheckValueAlgorithm: "STRING_VALUE",
+ * };
+ * const command = new TranslateKeyMaterialCommand(input);
+ * const response = await client.send(command);
+ * // { // TranslateKeyMaterialOutput
+ * //   WrappedKey: { // WrappedWorkingKey
+ * //     WrappedKeyMaterial: "STRING_VALUE", // required
+ * //     KeyCheckValue: "STRING_VALUE", // required
+ * //     WrappedKeyMaterialFormat: "STRING_VALUE", // required
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param TranslateKeyMaterialCommandInput - {@link TranslateKeyMaterialCommandInput}
+ * @returns {@link TranslateKeyMaterialCommandOutput}
+ * @see {@link TranslateKeyMaterialCommandInput} for command's `input` shape.
+ * @see {@link TranslateKeyMaterialCommandOutput} for command's `response` shape.
+ * @see {@link PaymentCryptographyDataClientResolvedConfig | config} for PaymentCryptographyDataClient's `config` shape.
+ *
+ * @throws {@link AccessDeniedException} (client fault)
+ *  <p>You do not have sufficient access to perform this action.</p>
+ *
+ * @throws {@link InternalServerException} (server fault)
+ *  <p>The request processing has failed because of an unknown error, exception, or failure.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>The request was denied due to an invalid resource error.</p>
+ *
+ * @throws {@link ThrottlingException} (client fault)
+ *  <p>The request was denied due to request throttling.</p>
+ *
+ * @throws {@link ValidationException} (client fault)
+ *  <p>The request was denied due to an invalid request error.</p>
+ *
+ * @throws {@link PaymentCryptographyDataServiceException}
+ * <p>Base exception class for all service exceptions from PaymentCryptographyData service.</p>
+ *
+ *
+ * @public
+ */
+export declare class TranslateKeyMaterialCommand extends TranslateKeyMaterialCommand_base {
+    /** @internal type navigation helper, not in runtime. */
+    protected static __types: {
+        api: {
+            input: TranslateKeyMaterialInput;
+            output: TranslateKeyMaterialOutput;
+        };
+        sdk: {
+            input: TranslateKeyMaterialCommandInput;
+            output: TranslateKeyMaterialCommandOutput;
+        };
+    };
+}

package/dist-types/commands/TranslatePinDataCommand.d.ts

@@ -27,7 +27,7 @@ declare const TranslatePinDataCommand_base: {
     getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
 };
 /**
- * <p>Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html">Translate PIN data</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>PIN block translation involves changing a PIN block from one encryption key to another and optionally change its format. PIN block translation occurs entirely within the HSM boundary and PIN data never enters or leaves Amazon Web Services Payment Cryptography in clear text. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK.</p> <p>Amazon Web Services Payment Cryptography also supports use of dynamic keys and ECDH (Elliptic Curve Diffie-Hellman) based key exchange for this operation.</p> <p>Dynamic keys allow you to pass a PEK as a TR-31 WrappedKeyBlock. They can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the <code>keyARN</code> is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html">Using Dynamic Keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>Using ECDH key exchange, you can receive cardholder selectable PINs into Amazon Web Services Payment Cryptography. The ECDH derived key protects the incoming PIN block, which is translated to a PEK encrypted PIN block for use within the service. You can also use ECDH for reveal PIN, wherein the service translates the PIN block from PEK to a ECDH derived encryption key. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Generating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation. </p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <note> <p>Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.</p> </note> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a>GeneratePinData</a> </p> </li> <li> <p> <a>VerifyPinData</a> </p> </li> </ul>
+ * <p>Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html">Translate PIN data</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>PIN block translation involves changing a PIN block from one encryption key to another and optionally change its format. PIN block translation occurs entirely within the HSM boundary and PIN data never enters or leaves Amazon Web Services Payment Cryptography in clear text. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK.</p> <p>Amazon Web Services Payment Cryptography also supports use of dynamic keys and ECDH (Elliptic Curve Diffie-Hellman) based key exchange for this operation.</p> <p>Dynamic keys allow you to pass a PEK as a TR-31 WrappedKeyBlock. They can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the <code>keyARN</code> is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html">Using Dynamic Keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>Using ECDH key exchange, you can receive cardholder selectable PINs into Amazon Web Services Payment Cryptography. The ECDH derived key protects the incoming PIN block, which is translated to a PEK encrypted PIN block for use within the service. You can also use ECDH for reveal PIN, wherein the service translates the PIN block from PEK to a ECDH derived encryption key. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Creating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation. </p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <note> <p>Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.</p> </note> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a>GeneratePinData</a> </p> </li> <li> <p> <a>VerifyPinData</a> </p> </li> </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

package/dist-types/commands/VerifyPinDataCommand.d.ts

@@ -52,8 +52,8 @@ declare const VerifyPinDataCommand_base: {
  *     },
  *   },
  *   EncryptedPinBlock: "STRING_VALUE", // required
- *   PrimaryAccountNumber: "STRING_VALUE", // required
- *   PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
+ *   PrimaryAccountNumber: "STRING_VALUE",
+ *   PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_1" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
  *   PinDataLength: Number("int"),
  *   DukptAttributes: { // DukptAttributes
  *     KeySerialNumber: "STRING_VALUE", // required

package/dist-types/commands/index.d.ts

@@ -5,6 +5,7 @@ export * from "./GenerateMacCommand";
 export * from "./GenerateMacEmvPinChangeCommand";
 export * from "./GeneratePinDataCommand";
 export * from "./ReEncryptDataCommand";
+export * from "./TranslateKeyMaterialCommand";
 export * from "./TranslatePinDataCommand";
 export * from "./VerifyAuthRequestCryptogramCommand";
 export * from "./VerifyCardValidationDataCommand";

package/dist-types/models/models_0.d.ts

@@ -1365,6 +1365,36 @@ export declare namespace DerivationMethodAttributes {
     }
     const visit: <T>(value: DerivationMethodAttributes, visitor: Visitor<T>) => T;
 }
+/**
+ * <p>The shared information used when deriving a key using ECDH.</p>
+ * @public
+ */
+export type DiffieHellmanDerivationData = DiffieHellmanDerivationData.SharedInformationMember | DiffieHellmanDerivationData.$UnknownMember;
+/**
+ * @public
+ */
+export declare namespace DiffieHellmanDerivationData {
+    /**
+     * <p>A string containing information that binds the ECDH derived key to the two parties involved or to the context of the key.</p> <p>It may include details like identities of the two parties deriving the key, context of the operation, session IDs, and optionally a nonce. It must not contain zero bytes. It is not recommended to reuse shared information for multiple ECDH key derivations, as it could result in derived key material being the same across different derivations.</p>
+     * @public
+     */
+    interface SharedInformationMember {
+        SharedInformation: string;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     */
+    interface $UnknownMember {
+        SharedInformation?: never;
+        $unknown: [string, any];
+    }
+    interface Visitor<T> {
+        SharedInformation: (value: string) => T;
+        _: (name: string, value: any) => T;
+    }
+    const visit: <T>(value: DiffieHellmanDerivationData, visitor: Visitor<T>) => T;
+}
 /**
  * <p>Parameters that are used for Derived Unique Key Per Transaction (DUKPT) derivation algorithm.</p>
  * @public
@@ -2120,6 +2150,7 @@ export declare namespace PinGenerationAttributes {
  */
 export declare const PinBlockFormatForPinData: {
     readonly ISO_FORMAT_0: "ISO_FORMAT_0";
+    readonly ISO_FORMAT_1: "ISO_FORMAT_1";
     readonly ISO_FORMAT_3: "ISO_FORMAT_3";
     readonly ISO_FORMAT_4: "ISO_FORMAT_4";
 };
@@ -2155,9 +2186,9 @@ export interface GeneratePinDataInput {
      * <p>The Primary Account Number (PAN), a unique identifier for a payment credit or debit card that associates the card with a specific account holder.</p>
      * @public
      */
-    PrimaryAccountNumber: string | undefined;
+    PrimaryAccountNumber?: string | undefined;
     /**
-     * <p>The PIN encoding format for pin data generation as specified in ISO 9564. Amazon Web Services Payment Cryptography supports <code>ISO_Format_0</code> and <code>ISO_Format_3</code>.</p> <p>The <code>ISO_Format_0</code> PIN block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1 PIN block formats. It is similar to a VISA-4 PIN block format. It supports a PIN from 4 to 12 digits in length.</p> <p>The <code>ISO_Format_3</code> PIN block format is the same as <code>ISO_Format_0</code> except that the fill digits are random values from 10 to 15.</p>
+     * <p>The PIN encoding format for pin data generation as specified in ISO 9564. Amazon Web Services Payment Cryptography supports <code>ISO_Format_0</code>, <code>ISO_Format_3</code> and <code>ISO_Format_4</code>.</p> <p>The <code>ISO_Format_0</code> PIN block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1 PIN block formats. It is similar to a VISA-4 PIN block format. It supports a PIN from 4 to 12 digits in length.</p> <p>The <code>ISO_Format_3</code> PIN block format is the same as <code>ISO_Format_0</code> except that the fill digits are random values from 10 to 15.</p> <p>The <code>ISO_Format_4</code> PIN block format is the only one supporting AES encryption. It is similar to <code>ISO_Format_3</code> but doubles the pin block length by padding with fill digit A and random values from 10 to 15.</p>
      * @public
      */
     PinBlockFormat: PinBlockFormatForPinData | undefined;
@@ -2270,6 +2301,123 @@ export interface Ibm3624PinVerification {
      */
     PinOffset: string | undefined;
 }
+/**
+ * <p>Parameter information of a TR31KeyBlock wrapped using an ECDH derived key.</p>
+ * @public
+ */
+export interface IncomingDiffieHellmanTr31KeyBlock {
+    /**
+     * <p>The <code>keyARN</code> of the asymmetric ECC key pair.</p>
+     * @public
+     */
+    PrivateKeyIdentifier: string | undefined;
+    /**
+     * <p>The <code>keyArn</code> of the certificate that signed the client's <code>PublicKeyCertificate</code>.</p>
+     * @public
+     */
+    CertificateAuthorityPublicKeyIdentifier: string | undefined;
+    /**
+     * <p>The client's public key certificate in PEM format (base64 encoded) to use for ECDH key derivation.</p>
+     * @public
+     */
+    PublicKeyCertificate: string | undefined;
+    /**
+     * <p>The key algorithm of the derived ECDH key.</p>
+     * @public
+     */
+    DeriveKeyAlgorithm: SymmetricKeyAlgorithm | undefined;
+    /**
+     * <p>The key derivation function to use for deriving a key using ECDH.</p>
+     * @public
+     */
+    KeyDerivationFunction: KeyDerivationFunction | undefined;
+    /**
+     * <p>The hash type to use for deriving a key using ECDH.</p>
+     * @public
+     */
+    KeyDerivationHashAlgorithm: KeyDerivationHashAlgorithm | undefined;
+    /**
+     * <p>The shared information used when deriving a key using ECDH.</p>
+     * @public
+     */
+    DerivationData: DiffieHellmanDerivationData | undefined;
+    /**
+     * <p>The WrappedKeyBlock containing the transaction key wrapped using an ECDH dervied key. </p>
+     * @public
+     */
+    WrappedKeyBlock: string | undefined;
+}
+/**
+ * <p>Parameter information of the incoming WrappedKeyBlock containing the transaction key.</p>
+ * @public
+ */
+export type IncomingKeyMaterial = IncomingKeyMaterial.DiffieHellmanTr31KeyBlockMember | IncomingKeyMaterial.$UnknownMember;
+/**
+ * @public
+ */
+export declare namespace IncomingKeyMaterial {
+    /**
+     * <p>Parameter information of the TR31WrappedKeyBlock containing the transaction key wrapped using an ECDH dervied key.</p>
+     * @public
+     */
+    interface DiffieHellmanTr31KeyBlockMember {
+        DiffieHellmanTr31KeyBlock: IncomingDiffieHellmanTr31KeyBlock;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     */
+    interface $UnknownMember {
+        DiffieHellmanTr31KeyBlock?: never;
+        $unknown: [string, any];
+    }
+    interface Visitor<T> {
+        DiffieHellmanTr31KeyBlock: (value: IncomingDiffieHellmanTr31KeyBlock) => T;
+        _: (name: string, value: any) => T;
+    }
+    const visit: <T>(value: IncomingKeyMaterial, visitor: Visitor<T>) => T;
+}
+/**
+ * <p>Parameter information of the TR31WrappedKeyBlock containing the transaction key wrapped using a KEK.</p>
+ * @public
+ */
+export interface OutgoingTr31KeyBlock {
+    /**
+     * <p>The <code>keyARN</code> of the KEK used to wrap the transaction key.</p>
+     * @public
+     */
+    WrappingKeyIdentifier: string | undefined;
+}
+/**
+ * <p>Parameter information of the outgoing TR31WrappedKeyBlock containing the transaction key.</p>
+ * @public
+ */
+export type OutgoingKeyMaterial = OutgoingKeyMaterial.Tr31KeyBlockMember | OutgoingKeyMaterial.$UnknownMember;
+/**
+ * @public
+ */
+export declare namespace OutgoingKeyMaterial {
+    /**
+     * <p>Parameter information of the TR31WrappedKeyBlock containing the transaction key wrapped using a KEK.</p>
+     * @public
+     */
+    interface Tr31KeyBlockMember {
+        Tr31KeyBlock: OutgoingTr31KeyBlock;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     */
+    interface $UnknownMember {
+        Tr31KeyBlock?: never;
+        $unknown: [string, any];
+    }
+    interface Visitor<T> {
+        Tr31KeyBlock: (value: OutgoingTr31KeyBlock) => T;
+        _: (name: string, value: any) => T;
+    }
+    const visit: <T>(value: OutgoingKeyMaterial, visitor: Visitor<T>) => T;
+}
 /**
  * <p>Parameters that are required to perform reencryption operation.</p>
  * @public
@@ -2372,6 +2520,70 @@ export interface ReEncryptDataOutput {
      */
     CipherText: string | undefined;
 }
+/**
+ * @public
+ */
+export interface TranslateKeyMaterialInput {
+    /**
+     * <p>Parameter information of the TR31WrappedKeyBlock containing the transaction key.</p>
+     * @public
+     */
+    IncomingKeyMaterial: IncomingKeyMaterial | undefined;
+    /**
+     * <p>Parameter information of the wrapping key used to wrap the transaction key in the outgoing TR31WrappedKeyBlock.</p>
+     * @public
+     */
+    OutgoingKeyMaterial: OutgoingKeyMaterial | undefined;
+    /**
+     * <p>The key check value (KCV) algorithm used for calculating the KCV.</p>
+     * @public
+     */
+    KeyCheckValueAlgorithm?: KeyCheckValueAlgorithm | undefined;
+}
+/**
+ * @public
+ * @enum
+ */
+export declare const WrappedKeyMaterialFormat: {
+    readonly KEY_CRYPTOGRAM: "KEY_CRYPTOGRAM";
+    readonly TR31_KEY_BLOCK: "TR31_KEY_BLOCK";
+    readonly TR34_KEY_BLOCK: "TR34_KEY_BLOCK";
+};
+/**
+ * @public
+ */
+export type WrappedKeyMaterialFormat = (typeof WrappedKeyMaterialFormat)[keyof typeof WrappedKeyMaterialFormat];
+/**
+ * <p>The parameter information of the outgoing wrapped key block.</p>
+ * @public
+ */
+export interface WrappedWorkingKey {
+    /**
+     * <p>The wrapped key block of the outgoing transaction key.</p>
+     * @public
+     */
+    WrappedKeyMaterial: string | undefined;
+    /**
+     * <p>The key check value (KCV) of the key contained within the outgoing TR31WrappedKeyBlock.</p> <p> The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. For more information on KCV, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/terminology.html#terms.kcv">KCV</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
+     * @public
+     */
+    KeyCheckValue: string | undefined;
+    /**
+     * <p>The key block format of the wrapped key.</p>
+     * @public
+     */
+    WrappedKeyMaterialFormat: WrappedKeyMaterialFormat | undefined;
+}
+/**
+ * @public
+ */
+export interface TranslateKeyMaterialOutput {
+    /**
+     * <p>The outgoing KEK wrapped TR31WrappedKeyBlock.</p>
+     * @public
+     */
+    WrappedKey: WrappedWorkingKey | undefined;
+}
 /**
  * <p>Parameters that are required for tranlation between ISO9564 PIN format 0,3,4 tranlation.</p>
  * @public
@@ -2979,7 +3191,7 @@ export interface VerifyPinDataInput {
      * <p>The Primary Account Number (PAN), a unique identifier for a payment credit or debit card that associates the card with a specific account holder.</p>
      * @public
      */
-    PrimaryAccountNumber: string | undefined;
+    PrimaryAccountNumber?: string | undefined;
     /**
      * <p>The PIN encoding format for pin data generation as specified in ISO 9564. Amazon Web Services Payment Cryptography supports <code>ISO_Format_0</code> and <code>ISO_Format_3</code>.</p> <p>The <code>ISO_Format_0</code> PIN block format is equivalent to the ANSI X9.8, VISA-1, and ECI-1 PIN block formats. It is similar to a VISA-4 PIN block format. It supports a PIN from 4 to 12 digits in length.</p> <p>The <code>ISO_Format_3</code> PIN block format is the same as <code>ISO_Format_0</code> except that the fill digits are random values from 10 to 15.</p>
      * @public
@@ -3094,10 +3306,6 @@ export declare const SymmetricEncryptionAttributesFilterSensitiveLog: (obj: Symm
  * @internal
  */
 export declare const EncryptionDecryptionAttributesFilterSensitiveLog: (obj: EncryptionDecryptionAttributes) => any;
-/**
- * @internal
- */
-export declare const EcdhDerivationAttributesFilterSensitiveLog: (obj: EcdhDerivationAttributes) => any;
 /**
  * @internal
  */
@@ -3218,6 +3426,14 @@ export declare const GeneratePinDataOutputFilterSensitiveLog: (obj: GeneratePinD
  * @internal
  */
 export declare const Ibm3624PinVerificationFilterSensitiveLog: (obj: Ibm3624PinVerification) => any;
+/**
+ * @internal
+ */
+export declare const IncomingDiffieHellmanTr31KeyBlockFilterSensitiveLog: (obj: IncomingDiffieHellmanTr31KeyBlock) => any;
+/**
+ * @internal
+ */
+export declare const IncomingKeyMaterialFilterSensitiveLog: (obj: IncomingKeyMaterial) => any;
 /**
  * @internal
  */
@@ -3230,6 +3446,18 @@ export declare const ReEncryptDataInputFilterSensitiveLog: (obj: ReEncryptDataIn
  * @internal
  */
 export declare const ReEncryptDataOutputFilterSensitiveLog: (obj: ReEncryptDataOutput) => any;
+/**
+ * @internal
+ */
+export declare const TranslateKeyMaterialInputFilterSensitiveLog: (obj: TranslateKeyMaterialInput) => any;
+/**
+ * @internal
+ */
+export declare const WrappedWorkingKeyFilterSensitiveLog: (obj: WrappedWorkingKey) => any;
+/**
+ * @internal
+ */
+export declare const TranslateKeyMaterialOutputFilterSensitiveLog: (obj: TranslateKeyMaterialOutput) => any;
 /**
  * @internal
  */

package/dist-types/protocols/Aws_restJson1.d.ts

@@ -7,6 +7,7 @@ import { GenerateMacCommandInput, GenerateMacCommandOutput } from "../commands/G
 import { GenerateMacEmvPinChangeCommandInput, GenerateMacEmvPinChangeCommandOutput } from "../commands/GenerateMacEmvPinChangeCommand";
 import { GeneratePinDataCommandInput, GeneratePinDataCommandOutput } from "../commands/GeneratePinDataCommand";
 import { ReEncryptDataCommandInput, ReEncryptDataCommandOutput } from "../commands/ReEncryptDataCommand";
+import { TranslateKeyMaterialCommandInput, TranslateKeyMaterialCommandOutput } from "../commands/TranslateKeyMaterialCommand";
 import { TranslatePinDataCommandInput, TranslatePinDataCommandOutput } from "../commands/TranslatePinDataCommand";
 import { VerifyAuthRequestCryptogramCommandInput, VerifyAuthRequestCryptogramCommandOutput } from "../commands/VerifyAuthRequestCryptogramCommand";
 import { VerifyCardValidationDataCommandInput, VerifyCardValidationDataCommandOutput } from "../commands/VerifyCardValidationDataCommand";
@@ -40,6 +41,10 @@ export declare const se_GeneratePinDataCommand: (input: GeneratePinDataCommandIn
  * serializeAws_restJson1ReEncryptDataCommand
  */
 export declare const se_ReEncryptDataCommand: (input: ReEncryptDataCommandInput, context: __SerdeContext) => Promise<__HttpRequest>;
+/**
+ * serializeAws_restJson1TranslateKeyMaterialCommand
+ */
+export declare const se_TranslateKeyMaterialCommand: (input: TranslateKeyMaterialCommandInput, context: __SerdeContext) => Promise<__HttpRequest>;
 /**
  * serializeAws_restJson1TranslatePinDataCommand
  */
@@ -88,6 +93,10 @@ export declare const de_GeneratePinDataCommand: (output: __HttpResponse, context
  * deserializeAws_restJson1ReEncryptDataCommand
  */
 export declare const de_ReEncryptDataCommand: (output: __HttpResponse, context: __SerdeContext) => Promise<ReEncryptDataCommandOutput>;
+/**
+ * deserializeAws_restJson1TranslateKeyMaterialCommand
+ */
+export declare const de_TranslateKeyMaterialCommand: (output: __HttpResponse, context: __SerdeContext) => Promise<TranslateKeyMaterialCommandOutput>;
 /**
  * deserializeAws_restJson1TranslatePinDataCommand
  */

package/dist-types/ts3.4/PaymentCryptographyData.d.ts

@@ -27,6 +27,10 @@ import {
   ReEncryptDataCommandInput,
   ReEncryptDataCommandOutput,
 } from "./commands/ReEncryptDataCommand";
+import {
+  TranslateKeyMaterialCommandInput,
+  TranslateKeyMaterialCommandOutput,
+} from "./commands/TranslateKeyMaterialCommand";
 import {
   TranslatePinDataCommandInput,
   TranslatePinDataCommandOutput,
@@ -140,6 +144,19 @@ export interface PaymentCryptographyData {
     options: __HttpHandlerOptions,
     cb: (err: any, data?: ReEncryptDataCommandOutput) => void
   ): void;
+  translateKeyMaterial(
+    args: TranslateKeyMaterialCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<TranslateKeyMaterialCommandOutput>;
+  translateKeyMaterial(
+    args: TranslateKeyMaterialCommandInput,
+    cb: (err: any, data?: TranslateKeyMaterialCommandOutput) => void
+  ): void;
+  translateKeyMaterial(
+    args: TranslateKeyMaterialCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: TranslateKeyMaterialCommandOutput) => void
+  ): void;
   translatePinData(
     args: TranslatePinDataCommandInput,
     options?: __HttpHandlerOptions

package/dist-types/ts3.4/PaymentCryptographyDataClient.d.ts

@@ -73,6 +73,10 @@ import {
   ReEncryptDataCommandInput,
   ReEncryptDataCommandOutput,
 } from "./commands/ReEncryptDataCommand";
+import {
+  TranslateKeyMaterialCommandInput,
+  TranslateKeyMaterialCommandOutput,
+} from "./commands/TranslateKeyMaterialCommand";
 import {
   TranslatePinDataCommandInput,
   TranslatePinDataCommandOutput,
@@ -108,6 +112,7 @@ export type ServiceInputTypes =
   | GenerateMacEmvPinChangeCommandInput
   | GeneratePinDataCommandInput
   | ReEncryptDataCommandInput
+  | TranslateKeyMaterialCommandInput
   | TranslatePinDataCommandInput
   | VerifyAuthRequestCryptogramCommandInput
   | VerifyCardValidationDataCommandInput
@@ -121,6 +126,7 @@ export type ServiceOutputTypes =
   | GenerateMacEmvPinChangeCommandOutput
   | GeneratePinDataCommandOutput
   | ReEncryptDataCommandOutput
+  | TranslateKeyMaterialCommandOutput
   | TranslatePinDataCommandOutput
   | VerifyAuthRequestCryptogramCommandOutput
   | VerifyCardValidationDataCommandOutput

package/dist-types/ts3.4/commands/TranslateKeyMaterialCommand.d.ts

@@ -0,0 +1,51 @@
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+import {
+  TranslateKeyMaterialInput,
+  TranslateKeyMaterialOutput,
+} from "../models/models_0";
+import {
+  PaymentCryptographyDataClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../PaymentCryptographyDataClient";
+export { __MetadataBearer };
+export { $Command };
+export interface TranslateKeyMaterialCommandInput
+  extends TranslateKeyMaterialInput {}
+export interface TranslateKeyMaterialCommandOutput
+  extends TranslateKeyMaterialOutput,
+    __MetadataBearer {}
+declare const TranslateKeyMaterialCommand_base: {
+  new (
+    input: TranslateKeyMaterialCommandInput
+  ): import("@smithy/smithy-client").CommandImpl<
+    TranslateKeyMaterialCommandInput,
+    TranslateKeyMaterialCommandOutput,
+    PaymentCryptographyDataClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >;
+  new (
+    input: TranslateKeyMaterialCommandInput
+  ): import("@smithy/smithy-client").CommandImpl<
+    TranslateKeyMaterialCommandInput,
+    TranslateKeyMaterialCommandOutput,
+    PaymentCryptographyDataClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >;
+  getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
+};
+export declare class TranslateKeyMaterialCommand extends TranslateKeyMaterialCommand_base {
+  protected static __types: {
+    api: {
+      input: TranslateKeyMaterialInput;
+      output: TranslateKeyMaterialOutput;
+    };
+    sdk: {
+      input: TranslateKeyMaterialCommandInput;
+      output: TranslateKeyMaterialCommandOutput;
+    };
+  };
+}

package/dist-types/ts3.4/commands/index.d.ts

@@ -5,6 +5,7 @@ export * from "./GenerateMacCommand";
 export * from "./GenerateMacEmvPinChangeCommand";
 export * from "./GeneratePinDataCommand";
 export * from "./ReEncryptDataCommand";
+export * from "./TranslateKeyMaterialCommand";
 export * from "./TranslatePinDataCommand";
 export * from "./VerifyAuthRequestCryptogramCommand";
 export * from "./VerifyCardValidationDataCommand";