PaymentCryptographyControlPlane / Client / export_key

export_key#

PaymentCryptographyControlPlane.Client.export_key(**kwargs)#

Exports a key from Amazon Web Services Payment Cryptography using either ANSI X9 TR-34 or TR-31 key export standard.

Amazon Web Services Payment Cryptography simplifies main or root key exchange process by eliminating the need of a paper-based key exchange process. It takes a modern and secure approach based of the ANSI X9 TR-34 key exchange standard.

You can use ExportKey to export main or root keys such as KEK (Key Encryption Key), using asymmetric key exchange technique following ANSI X9 TR-34 standard. The ANSI X9 TR-34 standard uses asymmetric keys to establishes bi-directional trust between the two parties exchanging keys. After which you can export working keys using the ANSI X9 TR-31 symmetric key exchange standard as mandated by PCI PIN. Using this operation, you can share your Amazon Web Services Payment Cryptography generated keys with other service partners to perform cryptographic operations outside of Amazon Web Services Payment Cryptography

TR-34 key export

Amazon Web Services Payment Cryptography uses TR-34 asymmetric key exchange standard to export main keys such as KEK. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Host (KRH). In key export process, KDH is Amazon Web Services Payment Cryptography which initiates key export. KRH is the user receiving the key. Before you initiate TR-34 key export, you must obtain an export token by calling GetParametersForExport. This operation also returns the signing key certificate that KDH uses to sign the wrapped key to generate a TR-34 wrapped key block. The export token expires after 7 days.

Set the following parameters:

CertificateAuthorityPublicKeyIdentifier

The KeyARN of the certificate chain that will sign the wrapping key certificate. This must exist within Amazon Web Services Payment Cryptography before you initiate TR-34 key export. If it does not exist, you can import it by calling ImportKey for RootCertificatePublicKey.

ExportToken

Obtained from KDH by calling GetParametersForExport.

WrappingKeyCertificate

Amazon Web Services Payment Cryptography uses this to wrap the key under export.

When this operation is successful, Amazon Web Services Payment Cryptography returns the TR-34 wrapped key block.

TR-31 key export

Amazon Web Services Payment Cryptography uses TR-31 symmetric key exchange standard to export working keys. In TR-31, you must use a main key such as KEK to encrypt or wrap the key under export. To establish a KEK, you can use CreateKey or ImportKey. When this operation is successful, Amazon Web Services Payment Cryptography returns a TR-31 wrapped key block.

Cross-account use: This operation can’t be used across different Amazon Web Services accounts.

Related operations:

  • GetParametersForExport

  • ImportKey

See also: AWS API Documentation

Request Syntax

response = client.export_key(
    ExportKeyIdentifier='string',
    KeyMaterial={
        'Tr31KeyBlock': {
            'WrappingKeyIdentifier': 'string'
        },
        'Tr34KeyBlock': {
            'CertificateAuthorityPublicKeyIdentifier': 'string',
            'ExportToken': 'string',
            'KeyBlockFormat': 'X9_TR34_2012',
            'RandomNonce': 'string',
            'WrappingKeyCertificate': 'string'
        }
    }
)
Parameters:

  • ExportKeyIdentifier (string) –

    [REQUIRED]

    The KeyARN of the key under export from Amazon Web Services Payment Cryptography.

  • KeyMaterial (dict) –

    [REQUIRED]

    The key block format type, for example, TR-34 or TR-31, to use during key material export.

    Note

    This is a Tagged Union structure. Only one of the following top level keys can be set: Tr31KeyBlock, Tr34KeyBlock.

    • Tr31KeyBlock (dict) –

      Parameter information for key material export using TR-31 standard.

      • WrappingKeyIdentifier (string) – [REQUIRED]

        The KeyARN of the the wrapping key. This key encrypts or wraps the key under export for TR-31 key block generation.

    • Tr34KeyBlock (dict) –

      Parameter information for key material export using TR-34 standard.

      • CertificateAuthorityPublicKeyIdentifier (string) – [REQUIRED]

        The KeyARN of the certificate chain that signs the wrapping key certificate during TR-34 key export.

      • ExportToken (string) – [REQUIRED]

        The export token to initiate key export from Amazon Web Services Payment Cryptography. It also contains the signing key certificate that will sign the wrapped key during TR-34 key block generation. Call GetParametersForExport to receive an export token. It expires after 7 days. You can use the same export token to export multiple keys from the same service account.

      • KeyBlockFormat (string) – [REQUIRED]

        The format of key block that Amazon Web Services Payment Cryptography will use during key export.

      • RandomNonce (string) –

        A random number value that is unique to the TR-34 key block generated using 2 pass. The operation will fail, if a random nonce value is not provided for a TR-34 key block generated using 2 pass.

      • WrappingKeyCertificate (string) – [REQUIRED]

        The KeyARN of the wrapping key certificate. Amazon Web Services Payment Cryptography uses this certificate to wrap the key under export.

Return type:

dict

Returns:

Response Syntax

{
    'WrappedKey': {
        'KeyMaterial': 'string',
        'WrappedKeyMaterialFormat': 'KEY_CRYPTOGRAM'|'TR31_KEY_BLOCK'|'TR34_KEY_BLOCK',
        'WrappingKeyArn': 'string'
    }
}

Response Structure

  • (dict) –

    • WrappedKey (dict) –

      The key material under export as a TR-34 or TR-31 wrapped key block.

      • KeyMaterial (string) –

        Parameter information for generating a wrapped key using TR-31 or TR-34 standard.

      • WrappedKeyMaterialFormat (string) –

        The key block format of a wrapped key.

      • WrappingKeyArn (string) –

        The KeyARN of the wrapped key.

Exceptions

  • PaymentCryptographyControlPlane.Client.exceptions.ServiceUnavailableException

  • PaymentCryptographyControlPlane.Client.exceptions.ValidationException

  • PaymentCryptographyControlPlane.Client.exceptions.ConflictException

  • PaymentCryptographyControlPlane.Client.exceptions.AccessDeniedException

  • PaymentCryptographyControlPlane.Client.exceptions.ResourceNotFoundException

  • PaymentCryptographyControlPlane.Client.exceptions.ThrottlingException

  • PaymentCryptographyControlPlane.Client.exceptions.InternalServerException