GetParametersForExport - AWS Payment Cryptography Control Plane

GetParametersForExport

Gets the export token and the signing key certificate to initiate a TR-34 key export from AWS Payment Cryptography.

The signing key certificate signs the wrapped key under export within the TR-34 key payload. The export token and signing key certificate must be in place and operational before calling ExportKey. The export token expires in 7 days. You can use the same export token to export multiple keys from your service account.

Cross-account use: This operation can't be used across different AWS accounts.

Related operations:

Request Syntax

{ "KeyMaterialType": "string", "SigningKeyAlgorithm": "string" }

Request Parameters

The request accepts the following data in JSON format.

KeyMaterialType

The key block format type (for example, TR-34 or TR-31) to use during key material export. Export token is only required for a TR-34 key export, TR34_KEY_BLOCK. Export token is not required for TR-31 key export.

Type: String

Valid Values: TR34_KEY_BLOCK | TR31_KEY_BLOCK | ROOT_PUBLIC_KEY_CERTIFICATE | TRUSTED_PUBLIC_KEY_CERTIFICATE | KEY_CRYPTOGRAM

Required: Yes

SigningKeyAlgorithm

The signing key algorithm to generate a signing key certificate. This certificate signs the wrapped key under export within the TR-34 key block. RSA_2048 is the only signing key algorithm allowed.

Type: String

Valid Values: TDES_2KEY | TDES_3KEY | AES_128 | AES_192 | AES_256 | RSA_2048 | RSA_3072 | RSA_4096

Required: Yes

Response Syntax

{ "ExportToken": "string", "ParametersValidUntilTimestamp": number, "SigningKeyAlgorithm": "string", "SigningKeyCertificate": "string", "SigningKeyCertificateChain": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ExportToken

The export token to initiate key export from AWS Payment Cryptography. The export token expires after 7 days. You can use the same export token to export multiple keys from the same service account.

Type: String

Pattern: ^export-token-[0-9a-zA-Z]{16,64}$

ParametersValidUntilTimestamp

The validity period of the export token.

Type: Timestamp

SigningKeyAlgorithm

The algorithm of the signing key certificate for use in TR-34 key block generation. RSA_2048 is the only signing key algorithm allowed.

Type: String

Valid Values: TDES_2KEY | TDES_3KEY | AES_128 | AES_192 | AES_256 | RSA_2048 | RSA_3072 | RSA_4096

SigningKeyCertificate

The signing key certificate in PEM format (base64 encoded) of the public key for signature within the TR-34 key block. The certificate expires after 7 days.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 32768.

Pattern: ^[^\[;\]<>]+$

SigningKeyCertificateChain

The root certificate authority (CA) that signed the signing key certificate in PEM format (base64 encoded).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 32768.

Pattern: ^[^\[;\]<>]+$

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

This request can cause an inconsistent state for the resource.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception, or failure.

HTTP Status Code: 500

ResourceNotFoundException

The request was denied due to an invalid resource error.

HTTP Status Code: 400

ServiceQuotaExceededException

This request would cause a service quota to be exceeded.

HTTP Status Code: 400

ServiceUnavailableException

The service cannot complete the request.

HTTP Status Code: 500

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

ValidationException

The request was denied due to an invalid request error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: