reEncryptData method
Re-encrypt ciphertext using DUKPT or Symmetric data encryption keys.
You can either generate an encryption key within Amazon Web Services
Payment Cryptography by calling CreateKey
or import your own encryption key by calling ImportKey.
The KeyArn for use with this operation must be in a
compatible key state with KeyModesOfUse set to
Encrypt.
This operation also supports dynamic keys, allowing you to pass a dynamic
encryption key as a TR-31 WrappedKeyBlock. This can be used when key
material is frequently rotated, such as during every card transaction, and
there is need to avoid importing short-lived keys into Amazon Web Services
Payment Cryptography. To re-encrypt using dynamic keys, the
keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped
encryption key material. The incoming wrapped key shall have a key purpose
of D0 with a mode of use of B or D. For more information, see Using
Dynamic Keys in the Amazon Web Services Payment Cryptography User
Guide.
For symmetric and DUKPT encryption, Amazon Web Services Payment
Cryptography supports TDES and AES algorithms.
To encrypt using DUKPT, a DUKPT key must already exist within your account
with KeyModesOfUse set to DeriveKey or a new
DUKPT can be generated by calling CreateKey.
For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.
Cross-account use: This operation supports cross-account use when the key has a resource-based policy that grants access. For more information, see Resource-based policies.
Related operations:
May throw AccessDeniedException.
May throw InternalServerException.
May throw ResourceNotFoundException.
May throw ThrottlingException.
May throw ValidationException.
Parameter cipherText :
Ciphertext to be encrypted. The minimum allowed length is 16 bytes and
maximum allowed length is 4096 bytes.
Parameter incomingEncryptionAttributes :
The attributes and values for incoming ciphertext.
Parameter incomingKeyIdentifier :
The keyARN of the encryption key of incoming ciphertext data.
When a WrappedKeyBlock is provided, this value will be the identifier to the key wrapping key. Otherwise, it is the key identifier used to perform the operation.
Parameter outgoingEncryptionAttributes :
The attributes and values for outgoing ciphertext data after encryption by
Amazon Web Services Payment Cryptography.
Parameter outgoingKeyIdentifier :
The keyARN of the encryption key of outgoing ciphertext data
after encryption by Amazon Web Services Payment Cryptography.
Parameter incomingWrappedKey :
The WrappedKeyBlock containing the encryption key of incoming ciphertext
data.
Parameter outgoingWrappedKey :
The WrappedKeyBlock containing the encryption key of outgoing ciphertext
data after encryption by Amazon Web Services Payment Cryptography.
Implementation
Future<ReEncryptDataOutput> reEncryptData({
required String cipherText,
required ReEncryptionAttributes incomingEncryptionAttributes,
required String incomingKeyIdentifier,
required ReEncryptionAttributes outgoingEncryptionAttributes,
required String outgoingKeyIdentifier,
WrappedKey? incomingWrappedKey,
WrappedKey? outgoingWrappedKey,
}) async {
final $payload = <String, dynamic>{
'CipherText': cipherText,
'IncomingEncryptionAttributes': incomingEncryptionAttributes,
'OutgoingEncryptionAttributes': outgoingEncryptionAttributes,
'OutgoingKeyIdentifier': outgoingKeyIdentifier,
if (incomingWrappedKey != null) 'IncomingWrappedKey': incomingWrappedKey,
if (outgoingWrappedKey != null) 'OutgoingWrappedKey': outgoingWrappedKey,
};
final response = await _protocol.send(
payload: $payload,
method: 'POST',
requestUri:
'/keys/${Uri.encodeComponent(incomingKeyIdentifier)}/reencrypt',
exceptionFnMap: _exceptionFns,
);
return ReEncryptDataOutput.fromJson(response);
}