We have a specific requirement to store our 3DES 128bit key in AWS Payment Cryptography. Im using NodeJS SDK to do the needful, but getting validation error.
ERROR: ValidationException: KeyBlock data in the imported payload is invalid.
So, there are 3steps of implementation: 1. Get RSA public key. 2. Wrap my 3DES 128 bit key that I have. 3. Import the key in aws payment cryptography.
Error I’m getting is might be because of Step:2, I might be making some mistake in wrapping my key. I didn’t get any help anywhere other than aws document only. I’m attaching documents that Im referring which might be useful.
Documentation that I’m referring to :
https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/payment-cryptography/command/ImportKeyCommand/
Any help will be most appreciated!!!!! THANK YOU!!!!
Code that I’m using to import key:
import { PaymentCryptographyClient, GetParametersForImportCommand, ImportKeyCommand } from "@aws-sdk/client-payment-cryptography";
import crypto, { publicEncrypt} from "crypto"; // To wrap the key
const client = new PaymentCryptographyClient({
region: "ap-southeast-1", credentials: {
accessKeyId: "", // replace with your AWS Access Key ID
secretAccessKey: "" // replace with your AWS Secret Access Key
}
});
async function import3DESKey() {
try {
// Step 1: Get import parameters
const getParamsInput = {
KeyMaterialType: "KEY_CRYPTOGRAM",
WrappingKeyAlgorithm: "RSA_2048" // Ensure this matches the actual wrapping algorithm
};
const getParamsCommand = new GetParametersForImportCommand(getParamsInput);
const getParamsResponse = await client.send(getParamsCommand);
console.log({ getParamsResponse });
const { ImportToken, WrappingKeyCertificate } = getParamsResponse;
// Step 2: Prepare key wrapping
const threeDESKey = Buffer.from("404142434445464748494A4B4C4D4E4F", "hex");
// Decode the wrapping key certificate
const wrappingCertPem = Buffer.from(WrappingKeyCertificate, "base64").toString("utf8");
// Wrap the 3DES key using the RSA public key from the certificate
const wrappedKey = publicEncrypt({
key: wrappingCertPem,
// padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,// Double-check if OAEP or PKCS1 padding is expected by AWS
padding: crypto.constants.RSA_PKCS1_PADDING,// Double-check if OAEP or PKCS1 padding is expected by AWS
}, threeDESKey);
// Convert wrapped key to base64 format (AWS often expects base64)
// const wrappedKeyBase64 = wrappedKey.toString("base64");
// // Convert wrapped key to hex format
const wrappedKeyHex = wrappedKey.toString("hex").toUpperCase();
// Step 3: Import the wrapped key
const importKeyInput = {
KeyMaterial: {
KeyCryptogram: {
KeyAttributes: {
KeyUsage: "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY",
KeyClass: "SYMMETRIC_KEY",
KeyAlgorithm: "TDES_2KEY",
KeyModesOfUse: {
NoRestrictions:true
},
},
Exportable: false, // Depending on your requirement
// WrappedKeyCryptogram: wrappedKeyBase64, // Hex format of the wrapped key
WrappedKeyCryptogram: wrappedKeyHex, // Hex format of the wrapped key
ImportToken: ImportToken,
},
},
KeyCheckValueAlgorithm: "ANSI_X9_24", // Typically used for 3DES
Enabled: true,
};
const importKeyCommand = new ImportKeyCommand(importKeyInput);
const response = await client.send(importKeyCommand);
console.log("Imported Key ARN:", response.Key.KeyArn);
} catch (error) {
console.error("Error importing key:", error);
}
}
import3DESKey();
Any help will be most appreciated!!!!! THANK YOU!!!!