Payment Cryptography Control Plane

2026/04/03 - Payment Cryptography Control Plane - 2 updated api methods

Changes  Adds optional support to retrieve previously generated import and export tokens to simplify import and export functions

GetParametersForExport (updated) Link ¶
Changes (request) 
{'ReuseLastGeneratedToken': 'boolean'}

Gets the export token and the signing key certificate to initiate a TR-34 key export from Amazon Web Services Payment Cryptography.

The signing key certificate signs the wrapped key under export within the TR-34 key payload. The export token and signing key certificate must be in place and operational before calling ExportKey. The export token expires in 30 days. You can use the same export token to export multiple keys from your service account.

To return a previously generated export token and signing key certificate instead of generating new ones, set ReuseLastGeneratedToken to true.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

See also: AWS API Documentation

Request Syntax

client.get_parameters_for_export(
    KeyMaterialType='TR34_KEY_BLOCK'|'TR31_KEY_BLOCK'|'ROOT_PUBLIC_KEY_CERTIFICATE'|'TRUSTED_PUBLIC_KEY_CERTIFICATE'|'KEY_CRYPTOGRAM',
    SigningKeyAlgorithm='TDES_2KEY'|'TDES_3KEY'|'AES_128'|'AES_192'|'AES_256'|'HMAC_SHA256'|'HMAC_SHA384'|'HMAC_SHA512'|'HMAC_SHA224'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'ECC_NIST_P256'|'ECC_NIST_P384'|'ECC_NIST_P521',
    ReuseLastGeneratedToken=True|False
)
type KeyMaterialType:

string

param KeyMaterialType:

[REQUIRED]

The key block format type (for example, TR-34 or TR-31) to use during key material export. Export token is only required for a TR-34 key export, TR34_KEY_BLOCK. Export token is not required for TR-31 key export.

type SigningKeyAlgorithm:

string

param SigningKeyAlgorithm:

[REQUIRED]

The signing key algorithm to generate a signing key certificate. This certificate signs the wrapped key under export within the TR-34 key block. RSA_2048 is the only signing key algorithm allowed.

type ReuseLastGeneratedToken:

boolean

param ReuseLastGeneratedToken:

Specifies whether to reuse the existing export token and signing key certificate. If set to true and a valid export token exists for the same key material type and signing key algorithm with at least 7 days of remaining validity, the existing token and signing key certificate are returned. Otherwise, a new export token and signing key certificate are generated. The default value is false, which generates a new export token and signing key certificate on every call.

rtype:

dict

returns:

Response Syntax

{
    'SigningKeyCertificate': 'string',
    'SigningKeyCertificateChain': 'string',
    'SigningKeyAlgorithm': 'TDES_2KEY'|'TDES_3KEY'|'AES_128'|'AES_192'|'AES_256'|'HMAC_SHA256'|'HMAC_SHA384'|'HMAC_SHA512'|'HMAC_SHA224'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'ECC_NIST_P256'|'ECC_NIST_P384'|'ECC_NIST_P521',
    'ExportToken': 'string',
    'ParametersValidUntilTimestamp': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • SigningKeyCertificate (string) --

      The signing key certificate in PEM format (base64 encoded) of the public key for signature within the TR-34 key block. The certificate expires after 30 days.

    • SigningKeyCertificateChain (string) --

      The root certificate authority (CA) that signed the signing key certificate in PEM format (base64 encoded).

    • SigningKeyAlgorithm (string) --

      The algorithm of the signing key certificate for use in TR-34 key block generation. RSA_2048 is the only signing key algorithm allowed.

    • ExportToken (string) --

      The export token to initiate key export from Amazon Web Services Payment Cryptography. The export token expires after 30 days. You can use the same export token to export multiple keys from the same service account.

    • ParametersValidUntilTimestamp (datetime) --

      The validity period of the export token.

GetParametersForImport (updated) Link ¶
Changes (request) 
{'ReuseLastGeneratedToken': 'boolean'}

Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram import into Amazon Web Services Payment Cryptography.

The wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling ImportKey. The import token expires in 30 days. You can use the same import token to import multiple keys into your service account.

To return a previously generated import token and wrapping key certificate instead of generating new ones, set ReuseLastGeneratedToken to true.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

See also: AWS API Documentation

Request Syntax

client.get_parameters_for_import(
    KeyMaterialType='TR34_KEY_BLOCK'|'TR31_KEY_BLOCK'|'ROOT_PUBLIC_KEY_CERTIFICATE'|'TRUSTED_PUBLIC_KEY_CERTIFICATE'|'KEY_CRYPTOGRAM',
    WrappingKeyAlgorithm='TDES_2KEY'|'TDES_3KEY'|'AES_128'|'AES_192'|'AES_256'|'HMAC_SHA256'|'HMAC_SHA384'|'HMAC_SHA512'|'HMAC_SHA224'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'ECC_NIST_P256'|'ECC_NIST_P384'|'ECC_NIST_P521',
    ReuseLastGeneratedToken=True|False
)
type KeyMaterialType:

string

param KeyMaterialType:

[REQUIRED]

The method to use for key material import. Import token is only required for TR-34 WrappedKeyBlock ( TR34_KEY_BLOCK) and RSA WrappedKeyCryptogram ( KEY_CRYPTOGRAM).

Import token is not required for TR-31, root public key cerificate or trusted public key certificate.

type WrappingKeyAlgorithm:

string

param WrappingKeyAlgorithm:

[REQUIRED]

The wrapping key algorithm to generate a wrapping key certificate. This certificate wraps the key under import.

At this time, RSA_2048 is the allowed algorithm for TR-34 WrappedKeyBlock import. Additionally, RSA_2048, RSA_3072, RSA_4096 are the allowed algorithms for RSA WrappedKeyCryptogram import.

type ReuseLastGeneratedToken:

boolean

param ReuseLastGeneratedToken:

Specifies whether to reuse the existing import token and wrapping key certificate. If set to true and a valid import token exists for the same key material type and wrapping key algorithm with at least 7 days of remaining validity, the existing token and wrapping key certificate are returned. Otherwise, a new import token and wrapping key certificate are generated. The default value is false, which generates a new import token and wrapping key certificate on every call.

rtype:

dict

returns:

Response Syntax

{
    'WrappingKeyCertificate': 'string',
    'WrappingKeyCertificateChain': 'string',
    'WrappingKeyAlgorithm': 'TDES_2KEY'|'TDES_3KEY'|'AES_128'|'AES_192'|'AES_256'|'HMAC_SHA256'|'HMAC_SHA384'|'HMAC_SHA512'|'HMAC_SHA224'|'RSA_2048'|'RSA_3072'|'RSA_4096'|'ECC_NIST_P256'|'ECC_NIST_P384'|'ECC_NIST_P521',
    'ImportToken': 'string',
    'ParametersValidUntilTimestamp': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • WrappingKeyCertificate (string) --

      The wrapping key certificate in PEM format (base64 encoded) of the wrapping key for use within the TR-34 key block. The certificate expires in 30 days.

    • WrappingKeyCertificateChain (string) --

      The Amazon Web Services Payment Cryptography root certificate authority (CA) that signed the wrapping key certificate in PEM format (base64 encoded).

    • WrappingKeyAlgorithm (string) --

      The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock or RSA WrappedKeyCryptogram.

    • ImportToken (string) --

      The import token to initiate key import into Amazon Web Services Payment Cryptography. The import token expires after 30 days. You can use the same import token to import multiple keys to the same service account.

    • ParametersValidUntilTimestamp (datetime) --

      The validity period of the import token.