@aws-sdk/client-payment-cryptography-data 3.901.0 → 3.906.0

package/dist-es/PaymentCryptographyData.js

@@ -6,6 +6,7 @@ import { GenerateMacCommand } from "./commands/GenerateMacCommand";
 import { GenerateMacEmvPinChangeCommand, } from "./commands/GenerateMacEmvPinChangeCommand";
 import { GeneratePinDataCommand, } from "./commands/GeneratePinDataCommand";
 import { ReEncryptDataCommand, } from "./commands/ReEncryptDataCommand";
+import { TranslateKeyMaterialCommand, } from "./commands/TranslateKeyMaterialCommand";
 import { TranslatePinDataCommand, } from "./commands/TranslatePinDataCommand";
 import { VerifyAuthRequestCryptogramCommand, } from "./commands/VerifyAuthRequestCryptogramCommand";
 import { VerifyCardValidationDataCommand, } from "./commands/VerifyCardValidationDataCommand";
@@ -20,6 +21,7 @@ const commands = {
     GenerateMacEmvPinChangeCommand,
     GeneratePinDataCommand,
     ReEncryptDataCommand,
+    TranslateKeyMaterialCommand,
     TranslatePinDataCommand,
     VerifyAuthRequestCryptogramCommand,
     VerifyCardValidationDataCommand,

package/dist-es/commands/TranslateKeyMaterialCommand.js

@@ -0,0 +1,23 @@
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { commonParams } from "../endpoint/EndpointParameters";
+import { TranslateKeyMaterialInputFilterSensitiveLog, TranslateKeyMaterialOutputFilterSensitiveLog, } from "../models/models_0";
+import { de_TranslateKeyMaterialCommand, se_TranslateKeyMaterialCommand } from "../protocols/Aws_restJson1";
+export { $Command };
+export class TranslateKeyMaterialCommand extends $Command
+    .classBuilder()
+    .ep(commonParams)
+    .m(function (Command, cs, config, o) {
+    return [
+        getSerdePlugin(config, this.serialize, this.deserialize),
+        getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+})
+    .s("PaymentCryptographyDataPlane", "TranslateKeyMaterial", {})
+    .n("PaymentCryptographyDataClient", "TranslateKeyMaterialCommand")
+    .f(TranslateKeyMaterialInputFilterSensitiveLog, TranslateKeyMaterialOutputFilterSensitiveLog)
+    .ser(se_TranslateKeyMaterialCommand)
+    .de(de_TranslateKeyMaterialCommand)
+    .build() {
+}

package/dist-es/commands/index.js

@@ -5,6 +5,7 @@ export * from "./GenerateMacCommand";
 export * from "./GenerateMacEmvPinChangeCommand";
 export * from "./GeneratePinDataCommand";
 export * from "./ReEncryptDataCommand";
+export * from "./TranslateKeyMaterialCommand";
 export * from "./TranslatePinDataCommand";
 export * from "./VerifyAuthRequestCryptogramCommand";
 export * from "./VerifyCardValidationDataCommand";

package/dist-es/models/models_0.js

@@ -240,6 +240,14 @@ export var DerivationMethodAttributes;
         return visitor._(value.$unknown[0], value.$unknown[1]);
     };
 })(DerivationMethodAttributes || (DerivationMethodAttributes = {}));
+export var DiffieHellmanDerivationData;
+(function (DiffieHellmanDerivationData) {
+    DiffieHellmanDerivationData.visit = (value, visitor) => {
+        if (value.SharedInformation !== undefined)
+            return visitor.SharedInformation(value.SharedInformation);
+        return visitor._(value.$unknown[0], value.$unknown[1]);
+    };
+})(DiffieHellmanDerivationData || (DiffieHellmanDerivationData = {}));
 export const MacAlgorithm = {
     CMAC: "CMAC",
     HMAC: "HMAC",
@@ -308,6 +316,7 @@ export var PinGenerationAttributes;
 })(PinGenerationAttributes || (PinGenerationAttributes = {}));
 export const PinBlockFormatForPinData = {
     ISO_FORMAT_0: "ISO_FORMAT_0",
+    ISO_FORMAT_1: "ISO_FORMAT_1",
     ISO_FORMAT_3: "ISO_FORMAT_3",
     ISO_FORMAT_4: "ISO_FORMAT_4",
 };
@@ -321,6 +330,22 @@ export var PinData;
         return visitor._(value.$unknown[0], value.$unknown[1]);
     };
 })(PinData || (PinData = {}));
+export var IncomingKeyMaterial;
+(function (IncomingKeyMaterial) {
+    IncomingKeyMaterial.visit = (value, visitor) => {
+        if (value.DiffieHellmanTr31KeyBlock !== undefined)
+            return visitor.DiffieHellmanTr31KeyBlock(value.DiffieHellmanTr31KeyBlock);
+        return visitor._(value.$unknown[0], value.$unknown[1]);
+    };
+})(IncomingKeyMaterial || (IncomingKeyMaterial = {}));
+export var OutgoingKeyMaterial;
+(function (OutgoingKeyMaterial) {
+    OutgoingKeyMaterial.visit = (value, visitor) => {
+        if (value.Tr31KeyBlock !== undefined)
+            return visitor.Tr31KeyBlock(value.Tr31KeyBlock);
+        return visitor._(value.$unknown[0], value.$unknown[1]);
+    };
+})(OutgoingKeyMaterial || (OutgoingKeyMaterial = {}));
 export var ReEncryptionAttributes;
 (function (ReEncryptionAttributes) {
     ReEncryptionAttributes.visit = (value, visitor) => {
@@ -331,6 +356,11 @@ export var ReEncryptionAttributes;
         return visitor._(value.$unknown[0], value.$unknown[1]);
     };
 })(ReEncryptionAttributes || (ReEncryptionAttributes = {}));
+export const WrappedKeyMaterialFormat = {
+    KEY_CRYPTOGRAM: "KEY_CRYPTOGRAM",
+    TR31_KEY_BLOCK: "TR31_KEY_BLOCK",
+    TR34_KEY_BLOCK: "TR34_KEY_BLOCK",
+};
 export var TranslationIsoFormats;
 (function (TranslationIsoFormats) {
     TranslationIsoFormats.visit = (value, visitor) => {
@@ -529,15 +559,11 @@ export const EncryptionDecryptionAttributesFilterSensitiveLog = (obj) => {
     if (obj.$unknown !== undefined)
         return { [obj.$unknown[0]]: "UNKNOWN" };
 };
-export const EcdhDerivationAttributesFilterSensitiveLog = (obj) => ({
-    ...obj,
-    ...(obj.PublicKeyCertificate && { PublicKeyCertificate: SENSITIVE_STRING }),
-});
 export const WrappedKeyMaterialFilterSensitiveLog = (obj) => {
     if (obj.Tr31KeyBlock !== undefined)
         return { Tr31KeyBlock: SENSITIVE_STRING };
     if (obj.DiffieHellmanSymmetricKey !== undefined)
-        return { DiffieHellmanSymmetricKey: EcdhDerivationAttributesFilterSensitiveLog(obj.DiffieHellmanSymmetricKey) };
+        return { DiffieHellmanSymmetricKey: obj.DiffieHellmanSymmetricKey };
     if (obj.$unknown !== undefined)
         return { [obj.$unknown[0]]: "UNKNOWN" };
 };
@@ -735,6 +761,19 @@ export const Ibm3624PinVerificationFilterSensitiveLog = (obj) => ({
     ...(obj.PinValidationData && { PinValidationData: SENSITIVE_STRING }),
     ...(obj.PinOffset && { PinOffset: SENSITIVE_STRING }),
 });
+export const IncomingDiffieHellmanTr31KeyBlockFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.DerivationData && { DerivationData: obj.DerivationData }),
+    ...(obj.WrappedKeyBlock && { WrappedKeyBlock: SENSITIVE_STRING }),
+});
+export const IncomingKeyMaterialFilterSensitiveLog = (obj) => {
+    if (obj.DiffieHellmanTr31KeyBlock !== undefined)
+        return {
+            DiffieHellmanTr31KeyBlock: IncomingDiffieHellmanTr31KeyBlockFilterSensitiveLog(obj.DiffieHellmanTr31KeyBlock),
+        };
+    if (obj.$unknown !== undefined)
+        return { [obj.$unknown[0]]: "UNKNOWN" };
+};
 export const ReEncryptionAttributesFilterSensitiveLog = (obj) => {
     if (obj.Symmetric !== undefined)
         return { Symmetric: SymmetricEncryptionAttributesFilterSensitiveLog(obj.Symmetric) };
@@ -759,6 +798,21 @@ export const ReEncryptDataOutputFilterSensitiveLog = (obj) => ({
     ...obj,
     ...(obj.CipherText && { CipherText: SENSITIVE_STRING }),
 });
+export const TranslateKeyMaterialInputFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.IncomingKeyMaterial && {
+        IncomingKeyMaterial: IncomingKeyMaterialFilterSensitiveLog(obj.IncomingKeyMaterial),
+    }),
+    ...(obj.OutgoingKeyMaterial && { OutgoingKeyMaterial: obj.OutgoingKeyMaterial }),
+});
+export const WrappedWorkingKeyFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.WrappedKeyMaterial && { WrappedKeyMaterial: SENSITIVE_STRING }),
+});
+export const TranslateKeyMaterialOutputFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.WrappedKey && { WrappedKey: WrappedWorkingKeyFilterSensitiveLog(obj.WrappedKey) }),
+});
 export const TranslationPinDataIsoFormat034FilterSensitiveLog = (obj) => ({
     ...obj,
     ...(obj.PrimaryAccountNumber && { PrimaryAccountNumber: SENSITIVE_STRING }),

package/dist-es/protocols/Aws_restJson1.js

@@ -124,6 +124,21 @@ export const se_ReEncryptDataCommand = async (input, context) => {
     b.m("POST").h(headers).b(body);
     return b.build();
 };
+export const se_TranslateKeyMaterialCommand = async (input, context) => {
+    const b = rb(input, context);
+    const headers = {
+        "content-type": "application/json",
+    };
+    b.bp("/keymaterial/translate");
+    let body;
+    body = JSON.stringify(take(input, {
+        IncomingKeyMaterial: (_) => _json(_),
+        KeyCheckValueAlgorithm: [],
+        OutgoingKeyMaterial: (_) => _json(_),
+    }));
+    b.m("POST").h(headers).b(body);
+    return b.build();
+};
 export const se_TranslatePinDataCommand = async (input, context) => {
     const b = rb(input, context);
     const headers = {
@@ -338,6 +353,20 @@ export const de_ReEncryptDataCommand = async (output, context) => {
     Object.assign(contents, doc);
     return contents;
 };
+export const de_TranslateKeyMaterialCommand = async (output, context) => {
+    if (output.statusCode !== 200 && output.statusCode >= 300) {
+        return de_CommandError(output, context);
+    }
+    const contents = map({
+        $metadata: deserializeMetadata(output),
+    });
+    const data = __expectNonNull(__expectObject(await parseBody(output.body, context)), "body");
+    const doc = take(data, {
+        WrappedKey: _json,
+    });
+    Object.assign(contents, doc);
+    return contents;
+};
 export const de_TranslatePinDataCommand = async (output, context) => {
     if (output.statusCode !== 200 && output.statusCode >= 300) {
         return de_CommandError(output, context);

package/dist-types/PaymentCryptographyData.d.ts

@@ -6,6 +6,7 @@ import { GenerateMacCommandInput, GenerateMacCommandOutput } from "./commands/Ge
 import { GenerateMacEmvPinChangeCommandInput, GenerateMacEmvPinChangeCommandOutput } from "./commands/GenerateMacEmvPinChangeCommand";
 import { GeneratePinDataCommandInput, GeneratePinDataCommandOutput } from "./commands/GeneratePinDataCommand";
 import { ReEncryptDataCommandInput, ReEncryptDataCommandOutput } from "./commands/ReEncryptDataCommand";
+import { TranslateKeyMaterialCommandInput, TranslateKeyMaterialCommandOutput } from "./commands/TranslateKeyMaterialCommand";
 import { TranslatePinDataCommandInput, TranslatePinDataCommandOutput } from "./commands/TranslatePinDataCommand";
 import { VerifyAuthRequestCryptogramCommandInput, VerifyAuthRequestCryptogramCommandOutput } from "./commands/VerifyAuthRequestCryptogramCommand";
 import { VerifyCardValidationDataCommandInput, VerifyCardValidationDataCommandOutput } from "./commands/VerifyCardValidationDataCommand";
@@ -55,6 +56,12 @@ export interface PaymentCryptographyData {
     reEncryptData(args: ReEncryptDataCommandInput, options?: __HttpHandlerOptions): Promise<ReEncryptDataCommandOutput>;
     reEncryptData(args: ReEncryptDataCommandInput, cb: (err: any, data?: ReEncryptDataCommandOutput) => void): void;
     reEncryptData(args: ReEncryptDataCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: ReEncryptDataCommandOutput) => void): void;
+    /**
+     * @see {@link TranslateKeyMaterialCommand}
+     */
+    translateKeyMaterial(args: TranslateKeyMaterialCommandInput, options?: __HttpHandlerOptions): Promise<TranslateKeyMaterialCommandOutput>;
+    translateKeyMaterial(args: TranslateKeyMaterialCommandInput, cb: (err: any, data?: TranslateKeyMaterialCommandOutput) => void): void;
+    translateKeyMaterial(args: TranslateKeyMaterialCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: TranslateKeyMaterialCommandOutput) => void): void;
     /**
      * @see {@link TranslatePinDataCommand}
      */

package/dist-types/PaymentCryptographyDataClient.d.ts

@@ -14,6 +14,7 @@ import { GenerateMacCommandInput, GenerateMacCommandOutput } from "./commands/Ge
 import { GenerateMacEmvPinChangeCommandInput, GenerateMacEmvPinChangeCommandOutput } from "./commands/GenerateMacEmvPinChangeCommand";
 import { GeneratePinDataCommandInput, GeneratePinDataCommandOutput } from "./commands/GeneratePinDataCommand";
 import { ReEncryptDataCommandInput, ReEncryptDataCommandOutput } from "./commands/ReEncryptDataCommand";
+import { TranslateKeyMaterialCommandInput, TranslateKeyMaterialCommandOutput } from "./commands/TranslateKeyMaterialCommand";
 import { TranslatePinDataCommandInput, TranslatePinDataCommandOutput } from "./commands/TranslatePinDataCommand";
 import { VerifyAuthRequestCryptogramCommandInput, VerifyAuthRequestCryptogramCommandOutput } from "./commands/VerifyAuthRequestCryptogramCommand";
 import { VerifyCardValidationDataCommandInput, VerifyCardValidationDataCommandOutput } from "./commands/VerifyCardValidationDataCommand";
@@ -25,11 +26,11 @@ export { __Client };
 /**
  * @public
  */
-export type ServiceInputTypes = DecryptDataCommandInput | EncryptDataCommandInput | GenerateCardValidationDataCommandInput | GenerateMacCommandInput | GenerateMacEmvPinChangeCommandInput | GeneratePinDataCommandInput | ReEncryptDataCommandInput | TranslatePinDataCommandInput | VerifyAuthRequestCryptogramCommandInput | VerifyCardValidationDataCommandInput | VerifyMacCommandInput | VerifyPinDataCommandInput;
+export type ServiceInputTypes = DecryptDataCommandInput | EncryptDataCommandInput | GenerateCardValidationDataCommandInput | GenerateMacCommandInput | GenerateMacEmvPinChangeCommandInput | GeneratePinDataCommandInput | ReEncryptDataCommandInput | TranslateKeyMaterialCommandInput | TranslatePinDataCommandInput | VerifyAuthRequestCryptogramCommandInput | VerifyCardValidationDataCommandInput | VerifyMacCommandInput | VerifyPinDataCommandInput;
 /**
  * @public
  */
-export type ServiceOutputTypes = DecryptDataCommandOutput | EncryptDataCommandOutput | GenerateCardValidationDataCommandOutput | GenerateMacCommandOutput | GenerateMacEmvPinChangeCommandOutput | GeneratePinDataCommandOutput | ReEncryptDataCommandOutput | TranslatePinDataCommandOutput | VerifyAuthRequestCryptogramCommandOutput | VerifyCardValidationDataCommandOutput | VerifyMacCommandOutput | VerifyPinDataCommandOutput;
+export type ServiceOutputTypes = DecryptDataCommandOutput | EncryptDataCommandOutput | GenerateCardValidationDataCommandOutput | GenerateMacCommandOutput | GenerateMacEmvPinChangeCommandOutput | GeneratePinDataCommandOutput | ReEncryptDataCommandOutput | TranslateKeyMaterialCommandOutput | TranslatePinDataCommandOutput | VerifyAuthRequestCryptogramCommandOutput | VerifyCardValidationDataCommandOutput | VerifyMacCommandOutput | VerifyPinDataCommandOutput;
 /**
  * @public
  */

package/dist-types/commands/GenerateMacCommand.d.ts

@@ -27,7 +27,7 @@ declare const GenerateMacCommand_base: {
     getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
 };
 /**
- * <p>Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography. </p> <p>You can use this operation to authenticate card-related data by using known data values to generate MAC for data validation between the sending and receiving parties. This operation uses message data, a secret encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC must use the same message data, secret encryption key and MAC algorithm to reproduce another MAC value for comparision.</p> <p>You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for <code>KeyUsage</code> such as <code>TR31_M7_HMAC_KEY</code> for HMAC generation, and they key must have <code>KeyModesOfUse</code> set to <code>Generate</code> and <code>Verify</code>.</p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>. </p> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a>VerifyMac</a> </p> </li> </ul>
+ * <p>Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography. </p> <p>You can use this operation to authenticate card-related data by using known data values to generate MAC for data validation between the sending and receiving parties. This operation uses message data, a secret encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC must use the same message data, secret encryption key and MAC algorithm to reproduce another MAC value for comparision.</p> <p>You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for <code>KeyUsage</code> such as <code>TR31_M7_HMAC_KEY</code> for HMAC generation, and the key must have <code>KeyModesOfUse</code> set to <code>Generate</code> and <code>Verify</code>.</p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>. </p> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a>VerifyMac</a> </p> </li> </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

package/dist-types/commands/GeneratePinDataCommand.d.ts

@@ -71,8 +71,8 @@ declare const GeneratePinDataCommand_base: {
  *     },
  *   },
  *   PinDataLength: Number("int"),
- *   PrimaryAccountNumber: "STRING_VALUE", // required
- *   PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
+ *   PrimaryAccountNumber: "STRING_VALUE",
+ *   PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_1" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
  *   EncryptionWrappedKey: { // WrappedKey
  *     WrappedKeyMaterial: { // WrappedKeyMaterial Union: only one key present
  *       Tr31KeyBlock: "STRING_VALUE",

package/dist-types/commands/TranslateKeyMaterialCommand.d.ts

@@ -0,0 +1,112 @@
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+import { TranslateKeyMaterialInput, TranslateKeyMaterialOutput } from "../models/models_0";
+import { PaymentCryptographyDataClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../PaymentCryptographyDataClient";
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link TranslateKeyMaterialCommand}.
+ */
+export interface TranslateKeyMaterialCommandInput extends TranslateKeyMaterialInput {
+}
+/**
+ * @public
+ *
+ * The output of {@link TranslateKeyMaterialCommand}.
+ */
+export interface TranslateKeyMaterialCommandOutput extends TranslateKeyMaterialOutput, __MetadataBearer {
+}
+declare const TranslateKeyMaterialCommand_base: {
+    new (input: TranslateKeyMaterialCommandInput): import("@smithy/smithy-client").CommandImpl<TranslateKeyMaterialCommandInput, TranslateKeyMaterialCommandOutput, PaymentCryptographyDataClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    new (input: TranslateKeyMaterialCommandInput): import("@smithy/smithy-client").CommandImpl<TranslateKeyMaterialCommandInput, TranslateKeyMaterialCommandOutput, PaymentCryptographyDataClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
+};
+/**
+ * <p>Translates an encryption key between different wrapping keys without importing the key into Amazon Web Services Payment Cryptography.</p> <p>This operation can be used when key material is frequently rotated, such as during every card transaction, and there is a need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. It translates short-lived transaction keys such as Pin Encryption Key (PEK) generated for each transaction and wrapped with an ECDH (Elliptic Curve Diffie-Hellman) derived wrapping key to another KEK (Key Encryption Key) wrapping key. </p> <p>Before using this operation, you must first request the public key certificate of the ECC key pair generated within Amazon Web Services Payment Cryptography to establish an ECDH key agreement. In <code>TranslateKeyData</code>, the service uses its own ECC key pair, public certificate of receiving ECC key pair, and the key derivation parameters to generate a derived key. The service uses this derived key to unwrap the incoming transaction key received as a TR31WrappedKeyBlock and re-wrap using a user provided KEK to generate an outgoing Tr31WrappedKeyBlock. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Creating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>. </p> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html">CreateKey</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html">GetPublicCertificate</a> </p> </li> <li> <p> <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a> </p> </li> </ul>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { PaymentCryptographyDataClient, TranslateKeyMaterialCommand } from "@aws-sdk/client-payment-cryptography-data"; // ES Modules import
+ * // const { PaymentCryptographyDataClient, TranslateKeyMaterialCommand } = require("@aws-sdk/client-payment-cryptography-data"); // CommonJS import
+ * // import type { PaymentCryptographyDataClientConfig } from "@aws-sdk/client-payment-cryptography-data";
+ * const config = {}; // type is PaymentCryptographyDataClientConfig
+ * const client = new PaymentCryptographyDataClient(config);
+ * const input = { // TranslateKeyMaterialInput
+ *   IncomingKeyMaterial: { // IncomingKeyMaterial Union: only one key present
+ *     DiffieHellmanTr31KeyBlock: { // IncomingDiffieHellmanTr31KeyBlock
+ *       PrivateKeyIdentifier: "STRING_VALUE", // required
+ *       CertificateAuthorityPublicKeyIdentifier: "STRING_VALUE", // required
+ *       PublicKeyCertificate: "STRING_VALUE", // required
+ *       DeriveKeyAlgorithm: "TDES_2KEY" || "TDES_3KEY" || "AES_128" || "AES_192" || "AES_256" || "HMAC_SHA256" || "HMAC_SHA384" || "HMAC_SHA512" || "HMAC_SHA224", // required
+ *       KeyDerivationFunction: "NIST_SP800" || "ANSI_X963", // required
+ *       KeyDerivationHashAlgorithm: "SHA_256" || "SHA_384" || "SHA_512", // required
+ *       DerivationData: { // DiffieHellmanDerivationData Union: only one key present
+ *         SharedInformation: "STRING_VALUE",
+ *       },
+ *       WrappedKeyBlock: "STRING_VALUE", // required
+ *     },
+ *   },
+ *   OutgoingKeyMaterial: { // OutgoingKeyMaterial Union: only one key present
+ *     Tr31KeyBlock: { // OutgoingTr31KeyBlock
+ *       WrappingKeyIdentifier: "STRING_VALUE", // required
+ *     },
+ *   },
+ *   KeyCheckValueAlgorithm: "STRING_VALUE",
+ * };
+ * const command = new TranslateKeyMaterialCommand(input);
+ * const response = await client.send(command);
+ * // { // TranslateKeyMaterialOutput
+ * //   WrappedKey: { // WrappedWorkingKey
+ * //     WrappedKeyMaterial: "STRING_VALUE", // required
+ * //     KeyCheckValue: "STRING_VALUE", // required
+ * //     WrappedKeyMaterialFormat: "STRING_VALUE", // required
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param TranslateKeyMaterialCommandInput - {@link TranslateKeyMaterialCommandInput}
+ * @returns {@link TranslateKeyMaterialCommandOutput}
+ * @see {@link TranslateKeyMaterialCommandInput} for command's `input` shape.
+ * @see {@link TranslateKeyMaterialCommandOutput} for command's `response` shape.
+ * @see {@link PaymentCryptographyDataClientResolvedConfig | config} for PaymentCryptographyDataClient's `config` shape.
+ *
+ * @throws {@link AccessDeniedException} (client fault)
+ *  <p>You do not have sufficient access to perform this action.</p>
+ *
+ * @throws {@link InternalServerException} (server fault)
+ *  <p>The request processing has failed because of an unknown error, exception, or failure.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>The request was denied due to an invalid resource error.</p>
+ *
+ * @throws {@link ThrottlingException} (client fault)
+ *  <p>The request was denied due to request throttling.</p>
+ *
+ * @throws {@link ValidationException} (client fault)
+ *  <p>The request was denied due to an invalid request error.</p>
+ *
+ * @throws {@link PaymentCryptographyDataServiceException}
+ * <p>Base exception class for all service exceptions from PaymentCryptographyData service.</p>
+ *
+ *
+ * @public
+ */
+export declare class TranslateKeyMaterialCommand extends TranslateKeyMaterialCommand_base {
+    /** @internal type navigation helper, not in runtime. */
+    protected static __types: {
+        api: {
+            input: TranslateKeyMaterialInput;
+            output: TranslateKeyMaterialOutput;
+        };
+        sdk: {
+            input: TranslateKeyMaterialCommandInput;
+            output: TranslateKeyMaterialCommandOutput;
+        };
+    };
+}

package/dist-types/commands/TranslatePinDataCommand.d.ts

@@ -27,7 +27,7 @@ declare const TranslatePinDataCommand_base: {
     getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
 };
 /**
- * <p>Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html">Translate PIN data</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>PIN block translation involves changing a PIN block from one encryption key to another and optionally change its format. PIN block translation occurs entirely within the HSM boundary and PIN data never enters or leaves Amazon Web Services Payment Cryptography in clear text. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK.</p> <p>Amazon Web Services Payment Cryptography also supports use of dynamic keys and ECDH (Elliptic Curve Diffie-Hellman) based key exchange for this operation.</p> <p>Dynamic keys allow you to pass a PEK as a TR-31 WrappedKeyBlock. They can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the <code>keyARN</code> is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html">Using Dynamic Keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>Using ECDH key exchange, you can receive cardholder selectable PINs into Amazon Web Services Payment Cryptography. The ECDH derived key protects the incoming PIN block, which is translated to a PEK encrypted PIN block for use within the service. You can also use ECDH for reveal PIN, wherein the service translates the PIN block from PEK to a ECDH derived encryption key. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Generating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation. </p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <note> <p>Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.</p> </note> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a>GeneratePinData</a> </p> </li> <li> <p> <a>VerifyPinData</a> </p> </li> </ul>
+ * <p>Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/translate-pin-data.html">Translate PIN data</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>PIN block translation involves changing a PIN block from one encryption key to another and optionally change its format. PIN block translation occurs entirely within the HSM boundary and PIN data never enters or leaves Amazon Web Services Payment Cryptography in clear text. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK.</p> <p>Amazon Web Services Payment Cryptography also supports use of dynamic keys and ECDH (Elliptic Curve Diffie-Hellman) based key exchange for this operation.</p> <p>Dynamic keys allow you to pass a PEK as a TR-31 WrappedKeyBlock. They can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the <code>keyARN</code> is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/use-cases-acquirers-dynamickeys.html">Using Dynamic Keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>Using ECDH key exchange, you can receive cardholder selectable PINs into Amazon Web Services Payment Cryptography. The ECDH derived key protects the incoming PIN block, which is translated to a PEK encrypted PIN block for use within the service. You can also use ECDH for reveal PIN, wherein the service translates the PIN block from PEK to a ECDH derived encryption key. For more information on establishing ECDH derived keys, see the <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/create-keys.html">Creating keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <p>The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation. </p> <p>For information about valid keys for this operation, see <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html">Understanding key attributes</a> and <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html">Key types for specific data operations</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p> <note> <p>Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.</p> </note> <p> <b>Cross-account use</b>: This operation can't be used across different Amazon Web Services accounts.</p> <p> <b>Related operations:</b> </p> <ul> <li> <p> <a>GeneratePinData</a> </p> </li> <li> <p> <a>VerifyPinData</a> </p> </li> </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

package/dist-types/commands/VerifyPinDataCommand.d.ts

@@ -52,8 +52,8 @@ declare const VerifyPinDataCommand_base: {
  *     },
  *   },
  *   EncryptedPinBlock: "STRING_VALUE", // required
- *   PrimaryAccountNumber: "STRING_VALUE", // required
- *   PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
+ *   PrimaryAccountNumber: "STRING_VALUE",
+ *   PinBlockFormat: "ISO_FORMAT_0" || "ISO_FORMAT_1" || "ISO_FORMAT_3" || "ISO_FORMAT_4", // required
  *   PinDataLength: Number("int"),
  *   DukptAttributes: { // DukptAttributes
  *     KeySerialNumber: "STRING_VALUE", // required

package/dist-types/commands/index.d.ts

@@ -5,6 +5,7 @@ export * from "./GenerateMacCommand";
 export * from "./GenerateMacEmvPinChangeCommand";
 export * from "./GeneratePinDataCommand";
 export * from "./ReEncryptDataCommand";
+export * from "./TranslateKeyMaterialCommand";
 export * from "./TranslatePinDataCommand";
 export * from "./VerifyAuthRequestCryptogramCommand";
 export * from "./VerifyCardValidationDataCommand";