This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
Amazon Payment Cryptography Data Plane examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon Payment Cryptography Data Plane.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use decrypt-data
.
- Amazon CLI
-
To decrypt ciphertext
The following
decrypt-data
example decrypts ciphertext data using a symmetric key. For this operation, the key must haveKeyModesOfUse
set toDecrypt
andKeyUsage
set toTR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY
.aws payment-cryptography-data decrypt-data \ --key-identifier
arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h
\ --cipher-text33612AB9D6929C3A828EB6030082B2BD
\ --decryption-attributes 'Symmetric={Mode=CBC}
'Output:
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h", "KeyCheckValue": "71D7AE", "PlainText": "31323334313233343132333431323334" }
For more information, see Decrypt data
in the Amazon Payment Cryptography User Guide. -
For API details, see DecryptData
in Amazon CLI Command Reference.
-
The following code example shows how to use encrypt-data
.
- Amazon CLI
-
To encrypt data
The following
encrypt-data
example encrypts plaintext data using a symmetric key. For this operation, the key must haveKeyModesOfUse
set toEncrypt
andKeyUsage
set toTR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY
.aws payment-cryptography-data encrypt-data \ --key-identifier
arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h
\ --plain-text31323334313233343132333431323334
\ --encryption-attributes 'Symmetric={Mode=CBC}
'Output:
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h", "KeyCheckValue": "71D7AE", "CipherText": "33612AB9D6929C3A828EB6030082B2BD" }
For more information, see Encrypt data
in the Amazon Payment Cryptography User Guide. -
For API details, see EncryptData
in Amazon CLI Command Reference.
-
The following code example shows how to use generate-card-validation-data
.
- Amazon CLI
-
To generate a CVV
The following
generate-card-validation-data
example generates a CVV/CVV2.aws payment-cryptography-data generate-card-validation-data \ --key-identifier
arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h
\ --primary-account-number=171234567890123 \ --generation-attributesCardVerificationValue2={CardExpiryDate=0123}
Output:
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h", "KeyCheckValue": "CADDA1", "ValidationData": "801" }
For more information, see Generate card data
in the Amazon Payment Cryptography User Guide. -
For API details, see GenerateCardValidationData
in Amazon CLI Command Reference.
-
The following code example shows how to use generate-mac
.
- Amazon CLI
-
To generate a MAC
The following
generate-card-validation-data
example generates a Hash-Based Message Authentication Code (HMAC) for card data authentication using the algorithm HMAC_SHA256 and an HMAC encryption key. The key must haveKeyUsage
set toTR31_M7_HMAC_KEY
andKeyModesOfUse
toGenerate
.aws payment-cryptography-data generate-mac \ --key-identifier
arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h
\ --message-data"3b313038383439303031303733393431353d32343038323236303030373030303f33"
\ --generation-attributesAlgorithm=HMAC_SHA256
Output:
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2:123456789012:key/kwapwa6qaifllw2h, "KeyCheckValue": "2976E7", "Mac": "ED87F26E961C6D0DDB78DA5038AA2BDDEA0DCE03E5B5E96BDDD494F4A7AA470C" }
For more information, see Generate MAC
in the Amazon Payment Cryptography User Guide. -
For API details, see GenerateMac
in Amazon CLI Command Reference.
-
The following code example shows how to use generate-pin-data
.
- Amazon CLI
-
To generate a PIN
The following
generate-card-validation-data
example generate a new random PIN using the Visa PIN scheme.aws payment-cryptography-data generate-pin-data \ --generation-key-identifier
arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2
\ --encryption-key-identifierarn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt
\ --primary-account-number171234567890123
\ --pin-block-formatISO_FORMAT_0
\ --generation-attributesVisaPin={PinVerificationKeyIndex=1}
Output:
{ "GenerationKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2", "GenerationKeyCheckValue": "7F2363", "EncryptionKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt", "EncryptionKeyCheckValue": "7CC9E2", "EncryptedPinBlock": "AC17DC148BDA645E", "PinData": { "VerificationValue": "5507" } }
For more information, see Generate PIN data
in the Amazon Payment Cryptography User Guide. -
For API details, see GeneratePinData
in Amazon CLI Command Reference.
-
The following code example shows how to use re-encrypt-data
.
- Amazon CLI
-
To re-encrypt data with a different key
The following
re-encrypt-data
example decrypts cipher text that was encrypted using an AES symmetric key and re-encrypts it using a Derived Unique Key Per Transaction (DUKPT) key.aws payment-cryptography-data re-encrypt-data \ --incoming-key-identifier
arn:aws:payment-cryptography:us-west-2:111122223333:key/hyvv7ymboitd4vfy
\ --outgoing-key-identifierarn:aws:payment-cryptography:us-west-2:111122223333:key/jl6ythkcvzesbxen
\ --cipher-text4D2B0BDBA192D5AEFEAA5B3EC28E4A65383C313FFA25140101560F75FE1B99F27192A90980AB9334
\ --incoming-encryption-attributes"Dukpt={Mode=ECB,KeySerialNumber=0123456789111111}"
\ --outgoing-encryption-attributes '{"Symmetric": {"Mode": "ECB"}}
'Output:
{ "CipherText": "F94959DA30EEFF0C035483C6067667CF6796E3C1AD28C2B61F9CFEB772A8DD41C0D6822931E0D3B1", "KeyArn": "arn:aws:payment-cryptography:us-west-2:111122223333:key/jl6ythkcvzesbxen", "KeyCheckValue": "2E8CD9" }
For more information, see Encrypt and decrypt data
in the Amazon Payment Cryptography User Guide. -
For API details, see ReEncryptData
in Amazon CLI Command Reference.
-
The following code example shows how to use translate-pin-data
.
- Amazon CLI
-
To translate PIN data
The following
translate-pin-data
example translates a PIN from PEK TDES encryption using ISO 0 PIN block to an AES ISO 4 PIN Block using the DUKPT algorithm.aws payment-cryptography-data translate-pin-data \ --encrypted-pin-block
"AC17DC148BDA645E"
\ --incoming-translation-attributes=IsoFormat0='{PrimaryAccountNumber=171234567890123}' \ --incoming-key-identifierarn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt
\ --outgoing-key-identifierarn:aws:payment-cryptography:us-east-2:111122223333:key/4pmyquwjs3yj4vwe
\ --outgoing-translation-attributes IsoFormat4="{PrimaryAccountNumber=171234567890123}" \ --outgoing-dukpt-attributes KeySerialNumber="FFFF9876543210E00008"Output:
{ "PinBlock": "1F4209C670E49F83E75CC72E81B787D9", "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt "KeyCheckValue": "7CC9E2" }
For more information, see Translate PIN data
in the Amazon Payment Cryptography User Guide. -
For API details, see TranslatePinData
in Amazon CLI Command Reference.
-
The following code example shows how to use verify-auth-request-cryptogram
.
- Amazon CLI
-
To verify an auth request
The following
verify-auth-request-cryptogram
example verifies an Authorization Request Cryptogram (ARQC).aws payment-cryptography-data verify-auth-request-cryptogram \ --auth-request-cryptogram
F6E1BD1E6037FB3E
\ --auth-response-attributes '{"ArpcMethod1": {"AuthResponseCode": "1111"}}
' \ --key-identifierarn:aws:payment-cryptography:us-west-2:111122223333:key/pboipdfzd4mdklya
\ --major-key-derivation-mode"EMV_OPTION_A"
\ --session-key-derivation-attributes '{"EmvCommon": {"ApplicationTransactionCounter": "1234","PanSequenceNumber": "01","PrimaryAccountNumber": "471234567890123"}}
' \ --transaction-data"123456789ABCDEF"
Output:
{ "AuthResponseValue": "D899B8C6FBF971AA", "KeyArn": "arn:aws:payment-cryptography:us-west-2:111122223333:key/pboipdfzd4mdklya", "KeyCheckValue": "985792" }
For more information, see Verify auth request (ARQC) cryptogram
in the Amazon Payment Cryptography User Guide. -
For API details, see VerifyAuthRequestCryptogram
in Amazon CLI Command Reference.
-
The following code example shows how to use verify-card-validation-data
.
- Amazon CLI
-
To validate a CVV
The following
verify-card-validation-data
example validates a CVV/CVV2 for a PAN.aws payment-cryptography-data verify-card-validation-data \ --key-identifier
arn:aws:payment-cryptography:us-east-2:111122223333:key/tqv5yij6wtxx64pi
\ --primary-account-number=171234567890123 \ --verification-attributesCardVerificationValue2={CardExpiryDate=0123}
\ --validation-data801
Output:
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/tqv5yij6wtxx64pi", "KeyCheckValue": "CADDA1" }
For more information, see Verify card data
in the Amazon Payment Cryptography User Guide. -
For API details, see VerifyCardValidationData
in Amazon CLI Command Reference.
-
The following code example shows how to use verify-mac
.
- Amazon CLI
-
To verify a MAC
The following
verify-mac
example verifies a Hash-Based Message Authentication Code (HMAC) for card data authentication using the algorithm HMAC_SHA256 and an HMAC encryption key.aws payment-cryptography-data verify-mac \ --key-identifier
arn:aws:payment-cryptography:us-east-2:111122223333:key/qnobl5lghrzunce6
\ --message-data"3b343038383439303031303733393431353d32343038323236303030373030303f33"
\ --verification-attributes='Algorithm=HMAC_SHA256' \ --macED87F26E961C6D0DDB78DA5038AA2BDDEA0DCE03E5B5E96BDDD494F4A7AA470C
Output:
{ "KeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/qnobl5lghrzunce6, "KeyCheckValue": "2976E7", }
For more information, see Verify MAC
in the Amazon Payment Cryptography User Guide. -
For API details, see VerifyMac
in Amazon CLI Command Reference.
-
The following code example shows how to use verify-pin-data
.
- Amazon CLI
-
To verify a PIN
The following
verify-pin-data
example validates a PIN for a PAN.aws payment-cryptography-data verify-pin-data \ --verification-key-identifier
arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2
\ --encryption-key-identifierarn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt
\ --primary-account-number171234567890123
\ --pin-block-formatISO_FORMAT_0
\ --verification-attributes VisaPin="{PinVerificationKeyIndex=1,VerificationValue=5507}" \ --encrypted-pin-blockAC17DC148BDA645E
Output:
{ "VerificationKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/37y2tsl45p5zjbh2", "VerificationKeyCheckValue": "7F2363", "EncryptionKeyArn": "arn:aws:payment-cryptography:us-east-2:111122223333:key/ivi5ksfsuplneuyt", "EncryptionKeyCheckValue": "7CC9E2", }
For more information, see Verify PIN data
in the Amazon Payment Cryptography User Guide. -
For API details, see VerifyPinData
in Amazon CLI Command Reference.
-