aws_sdk_paymentcryptography/operation/export_key/builders.rs
1// Code generated by software.amazon.smithy.rust.codegen.smithy-rs. DO NOT EDIT.
2pub use crate::operation::export_key::_export_key_output::ExportKeyOutputBuilder;
3
4pub use crate::operation::export_key::_export_key_input::ExportKeyInputBuilder;
5
6impl crate::operation::export_key::builders::ExportKeyInputBuilder {
7 /// Sends a request with this input using the given client.
8 pub async fn send_with(
9 self,
10 client: &crate::Client,
11 ) -> ::std::result::Result<
12 crate::operation::export_key::ExportKeyOutput,
13 ::aws_smithy_runtime_api::client::result::SdkError<
14 crate::operation::export_key::ExportKeyError,
15 ::aws_smithy_runtime_api::client::orchestrator::HttpResponse,
16 >,
17 > {
18 let mut fluent_builder = client.export_key();
19 fluent_builder.inner = self;
20 fluent_builder.send().await
21 }
22}
23/// Fluent builder constructing a request to `ExportKey`.
24///
25/// <p>Exports a key from Amazon Web Services Payment Cryptography.</p>
26/// <p>Amazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With <code>ExportKey</code> you can export symmetric keys using either symmetric and asymmetric key exchange mechanisms. Using this operation, you can share your Amazon Web Services Payment Cryptography generated keys with other service partners to perform cryptographic operations outside of Amazon Web Services Payment Cryptography</p>
27/// <p>For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange mechanism. Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK). After which you can export working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.</p>
28/// <p>The TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block. With RSA wrap and unwrap, you can exchange both 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram format and you will need to specify the key attributes during import.</p>
29/// <p>You can also use <code>ExportKey</code> functionality to generate and export an IPEK (Initial Pin Encryption Key) from Amazon Web Services Payment Cryptography using either TR-31 or TR-34 export key exchange. IPEK is generated from BDK (Base Derivation Key) and <code>ExportDukptInitialKey</code> attribute KSN (<code>KeySerialNumber</code>). The generated IPEK does not persist within Amazon Web Services Payment Cryptography and has to be re-generated each time during export.</p>
30/// <p>For key exchange using TR-31 or TR-34 key blocks, you can also export optional blocks within the key block header which contain additional attribute information about the key. The <code>KeyVersion</code> within <code>KeyBlockHeaders</code> indicates the version of the key within the key block. Furthermore, <code>KeyExportability</code> within <code>KeyBlockHeaders</code> can be used to further restrict exportability of the key after export from Amazon Web Services Payment Cryptography.</p>
31/// <p>The <code>OptionalBlocks</code> contain the additional data related to the key. For information on data type that can be included within optional blocks, refer to <a href="https://webstore.ansi.org/standards/ascx9/ansix91432022">ASC X9.143-2022</a>.</p><note>
32/// <p>Data included in key block headers is signed but transmitted in clear text. Sensitive or confidential information should not be included in optional blocks. Refer to ASC X9.143-2022 standard for information on allowed data type.</p>
33/// </note>
34/// <p><b>To export initial keys (KEK) or IPEK using TR-34</b></p>
35/// <p>Using this operation, you can export initial key using TR-34 asymmetric key exchange. You can only export KEK generated within Amazon Web Services Payment Cryptography. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During key export process, KDH is Amazon Web Services Payment Cryptography which initiates key export and KRD is the user receiving the key.</p>
36/// <p>To initiate TR-34 key export, the KRD must obtain an export token by calling <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport.html">GetParametersForExport</a>. This operation also generates a key pair for the purpose of key export, signs the key and returns back the signing public key certificate (also known as KDH signing certificate) and root certificate chain. The KDH uses the private key to sign the the export payload and the signing public key certificate is provided to KRD to verify the signature. The KRD can import the root certificate into its Hardware Security Module (HSM), as required. The export token and the associated KDH signing certificate expires after 7 days.</p>
37/// <p>Next the KRD generates a key pair for the the purpose of encrypting the KDH key and provides the public key cerificate (also known as KRD wrapping certificate) back to KDH. The KRD will also import the root cerificate chain into Amazon Web Services Payment Cryptography by calling <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a> for <code>RootCertificatePublicKey</code>. The KDH, Amazon Web Services Payment Cryptography, will use the KRD wrapping cerificate to encrypt (wrap) the key under export and signs it with signing private key to generate a TR-34 WrappedKeyBlock. For more information on TR-34 key export, see section <a href="https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-export.html">Exporting symmetric keys</a> in the <i>Amazon Web Services Payment Cryptography User Guide</i>.</p>
38/// <p>Set the following parameters:</p>
39/// <ul>
40/// <li>
41/// <p><code>ExportAttributes</code>: Specify export attributes in case of IPEK export. This parameter is optional for KEK export.</p></li>
42/// <li>
43/// <p><code>ExportKeyIdentifier</code>: The <code>KeyARN</code> of the KEK or BDK (in case of IPEK) under export.</p></li>
44/// <li>
45/// <p><code>KeyMaterial</code>: Use <code>Tr34KeyBlock</code> parameters.</p></li>
46/// <li>
47/// <p><code>CertificateAuthorityPublicKeyIdentifier</code>: The <code>KeyARN</code> of the certificate chain that signed the KRD wrapping key certificate.</p></li>
48/// <li>
49/// <p><code>ExportToken</code>: Obtained from KDH by calling <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForImport.html">GetParametersForImport</a>.</p></li>
50/// <li>
51/// <p><code>WrappingKeyCertificate</code>: The public key certificate in PEM format (base64 encoded) of the KRD wrapping key Amazon Web Services Payment Cryptography uses for encryption of the TR-34 export payload. This certificate must be signed by the root certificate (CertificateAuthorityPublicKeyIdentifier) imported into Amazon Web Services Payment Cryptography.</p></li>
52/// </ul>
53/// <p>When this operation is successful, Amazon Web Services Payment Cryptography returns the KEK or IPEK as a TR-34 WrappedKeyBlock.</p>
54/// <p><b>To export initial keys (KEK) or IPEK using RSA Wrap and Unwrap</b></p>
55/// <p>Using this operation, you can export initial key using asymmetric RSA wrap and unwrap key exchange method. To initiate export, generate an asymmetric key pair on the receiving HSM and obtain the public key certificate in PEM format (base64 encoded) for the purpose of wrapping and the root certifiate chain. Import the root certificate into Amazon Web Services Payment Cryptography by calling <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a> for <code>RootCertificatePublicKey</code>.</p>
56/// <p>Next call <code>ExportKey</code> and set the following parameters:</p>
57/// <ul>
58/// <li>
59/// <p><code>CertificateAuthorityPublicKeyIdentifier</code>: The <code>KeyARN</code> of the certificate chain that signed wrapping key certificate.</p></li>
60/// <li>
61/// <p><code>KeyMaterial</code>: Set to <code>KeyCryptogram</code>.</p></li>
62/// <li>
63/// <p><code>WrappingKeyCertificate</code>: The public key certificate in PEM format (base64 encoded) obtained by the receiving HSM and signed by the root certificate (CertificateAuthorityPublicKeyIdentifier) imported into Amazon Web Services Payment Cryptography. The receiving HSM uses its private key component to unwrap the WrappedKeyCryptogram.</p></li>
64/// </ul>
65/// <p>When this operation is successful, Amazon Web Services Payment Cryptography returns the WrappedKeyCryptogram.</p>
66/// <p><b>To export working keys or IPEK using TR-31</b></p>
67/// <p>Using this operation, you can export working keys or IPEK using TR-31 symmetric key exchange. In TR-31, you must use an initial key such as KEK to encrypt or wrap the key under export. To establish a KEK, you can use <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html">CreateKey</a> or <a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a>.</p>
68/// <p>Set the following parameters:</p>
69/// <ul>
70/// <li>
71/// <p><code>ExportAttributes</code>: Specify export attributes in case of IPEK export. This parameter is optional for KEK export.</p></li>
72/// <li>
73/// <p><code>ExportKeyIdentifier</code>: The <code>KeyARN</code> of the KEK or BDK (in case of IPEK) under export.</p></li>
74/// <li>
75/// <p><code>KeyMaterial</code>: Use <code>Tr31KeyBlock</code> parameters.</p></li>
76/// </ul>
77/// <p>When this operation is successful, Amazon Web Services Payment Cryptography returns the working key or IPEK as a TR-31 WrappedKeyBlock.</p>
78/// <p><b>Cross-account use:</b> This operation can't be used across different Amazon Web Services accounts.</p>
79/// <p><b>Related operations:</b></p>
80/// <ul>
81/// <li>
82/// <p><a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport.html">GetParametersForExport</a></p></li>
83/// <li>
84/// <p><a href="https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html">ImportKey</a></p></li>
85/// </ul>
86#[derive(::std::clone::Clone, ::std::fmt::Debug)]
87pub struct ExportKeyFluentBuilder {
88 handle: ::std::sync::Arc<crate::client::Handle>,
89 inner: crate::operation::export_key::builders::ExportKeyInputBuilder,
90 config_override: ::std::option::Option<crate::config::Builder>,
91}
92impl crate::client::customize::internal::CustomizableSend<crate::operation::export_key::ExportKeyOutput, crate::operation::export_key::ExportKeyError>
93 for ExportKeyFluentBuilder
94{
95 fn send(
96 self,
97 config_override: crate::config::Builder,
98 ) -> crate::client::customize::internal::BoxFuture<
99 crate::client::customize::internal::SendResult<crate::operation::export_key::ExportKeyOutput, crate::operation::export_key::ExportKeyError>,
100 > {
101 ::std::boxed::Box::pin(async move { self.config_override(config_override).send().await })
102 }
103}
104impl ExportKeyFluentBuilder {
105 /// Creates a new `ExportKeyFluentBuilder`.
106 pub(crate) fn new(handle: ::std::sync::Arc<crate::client::Handle>) -> Self {
107 Self {
108 handle,
109 inner: ::std::default::Default::default(),
110 config_override: ::std::option::Option::None,
111 }
112 }
113 /// Access the ExportKey as a reference.
114 pub fn as_input(&self) -> &crate::operation::export_key::builders::ExportKeyInputBuilder {
115 &self.inner
116 }
117 /// Sends the request and returns the response.
118 ///
119 /// If an error occurs, an `SdkError` will be returned with additional details that
120 /// can be matched against.
121 ///
122 /// By default, any retryable failures will be retried twice. Retry behavior
123 /// is configurable with the [RetryConfig](aws_smithy_types::retry::RetryConfig), which can be
124 /// set when configuring the client.
125 pub async fn send(
126 self,
127 ) -> ::std::result::Result<
128 crate::operation::export_key::ExportKeyOutput,
129 ::aws_smithy_runtime_api::client::result::SdkError<
130 crate::operation::export_key::ExportKeyError,
131 ::aws_smithy_runtime_api::client::orchestrator::HttpResponse,
132 >,
133 > {
134 let input = self
135 .inner
136 .build()
137 .map_err(::aws_smithy_runtime_api::client::result::SdkError::construction_failure)?;
138 let runtime_plugins = crate::operation::export_key::ExportKey::operation_runtime_plugins(
139 self.handle.runtime_plugins.clone(),
140 &self.handle.conf,
141 self.config_override,
142 );
143 crate::operation::export_key::ExportKey::orchestrate(&runtime_plugins, input).await
144 }
145
146 /// Consumes this builder, creating a customizable operation that can be modified before being sent.
147 pub fn customize(
148 self,
149 ) -> crate::client::customize::CustomizableOperation<
150 crate::operation::export_key::ExportKeyOutput,
151 crate::operation::export_key::ExportKeyError,
152 Self,
153 > {
154 crate::client::customize::CustomizableOperation::new(self)
155 }
156 pub(crate) fn config_override(mut self, config_override: impl ::std::convert::Into<crate::config::Builder>) -> Self {
157 self.set_config_override(::std::option::Option::Some(config_override.into()));
158 self
159 }
160
161 pub(crate) fn set_config_override(&mut self, config_override: ::std::option::Option<crate::config::Builder>) -> &mut Self {
162 self.config_override = config_override;
163 self
164 }
165 /// <p>The key block format type, for example, TR-34 or TR-31, to use during key material export.</p>
166 pub fn key_material(mut self, input: crate::types::ExportKeyMaterial) -> Self {
167 self.inner = self.inner.key_material(input);
168 self
169 }
170 /// <p>The key block format type, for example, TR-34 or TR-31, to use during key material export.</p>
171 pub fn set_key_material(mut self, input: ::std::option::Option<crate::types::ExportKeyMaterial>) -> Self {
172 self.inner = self.inner.set_key_material(input);
173 self
174 }
175 /// <p>The key block format type, for example, TR-34 or TR-31, to use during key material export.</p>
176 pub fn get_key_material(&self) -> &::std::option::Option<crate::types::ExportKeyMaterial> {
177 self.inner.get_key_material()
178 }
179 /// <p>The <code>KeyARN</code> of the key under export from Amazon Web Services Payment Cryptography.</p>
180 pub fn export_key_identifier(mut self, input: impl ::std::convert::Into<::std::string::String>) -> Self {
181 self.inner = self.inner.export_key_identifier(input.into());
182 self
183 }
184 /// <p>The <code>KeyARN</code> of the key under export from Amazon Web Services Payment Cryptography.</p>
185 pub fn set_export_key_identifier(mut self, input: ::std::option::Option<::std::string::String>) -> Self {
186 self.inner = self.inner.set_export_key_identifier(input);
187 self
188 }
189 /// <p>The <code>KeyARN</code> of the key under export from Amazon Web Services Payment Cryptography.</p>
190 pub fn get_export_key_identifier(&self) -> &::std::option::Option<::std::string::String> {
191 self.inner.get_export_key_identifier()
192 }
193 /// <p>The attributes for IPEK generation during export.</p>
194 pub fn export_attributes(mut self, input: crate::types::ExportAttributes) -> Self {
195 self.inner = self.inner.export_attributes(input);
196 self
197 }
198 /// <p>The attributes for IPEK generation during export.</p>
199 pub fn set_export_attributes(mut self, input: ::std::option::Option<crate::types::ExportAttributes>) -> Self {
200 self.inner = self.inner.set_export_attributes(input);
201 self
202 }
203 /// <p>The attributes for IPEK generation during export.</p>
204 pub fn get_export_attributes(&self) -> &::std::option::Option<crate::types::ExportAttributes> {
205 self.inner.get_export_attributes()
206 }
207}