Skip to content

/AWS1/IF_PCD=>REENCRYPTDATA()

About ReEncryptData

Re-encrypt ciphertext using DUKPT or Symmetric data encryption keys.

You can either generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey or import your own encryption key by calling ImportKey. The KeyArn for use with this operation must be in a compatible key state with KeyModesOfUse set to Encrypt.

This operation also supports dynamic keys, allowing you to pass a dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To re-encrypt using dynamic keys, the keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped encryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see Using Dynamic Keys in the Amazon Web Services Payment Cryptography User Guide.

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. To encrypt using DUKPT, a DUKPT key must already exist within your account with KeyModesOfUse set to DeriveKey or a new DUKPT can be generated by calling CreateKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

Method Signature

METHODS /AWS1/IF_PCD~REENCRYPTDATA
  IMPORTING
    !IV_INCOMINGKEYIDENTIFIER TYPE /AWS1/PCDKEYARNORKEYALIASTYPE OPTIONAL
    !IV_OUTGOINGKEYIDENTIFIER TYPE /AWS1/PCDKEYARNORKEYALIASTYPE OPTIONAL
    !IV_CIPHERTEXT TYPE /AWS1/PCDCIPHERTEXTTYPE OPTIONAL
    !IO_INCOMINGENCATTRIBUTES TYPE REF TO /AWS1/CL_PCDREENCATTRIBUTES OPTIONAL
    !IO_OUTGOINGENCATTRIBUTES TYPE REF TO /AWS1/CL_PCDREENCATTRIBUTES OPTIONAL
    !IO_INCOMINGWRAPPEDKEY TYPE REF TO /AWS1/CL_PCDWRAPPEDKEY OPTIONAL
    !IO_OUTGOINGWRAPPEDKEY TYPE REF TO /AWS1/CL_PCDWRAPPEDKEY OPTIONAL
  RETURNING
    VALUE(OO_OUTPUT) TYPE REF TO /aws1/cl_pcdreencryptdataout
  RAISING
    /AWS1/CX_PCDACCESSDENIEDEX
    /AWS1/CX_PCDINTERNALSERVEREX
    /AWS1/CX_PCDRESOURCENOTFOUNDEX
    /AWS1/CX_PCDTHROTTLINGEX
    /AWS1/CX_PCDVALIDATIONEX
    /AWS1/CX_PCDCLIENTEXC
    /AWS1/CX_PCDSERVEREXC
    /AWS1/CX_RT_TECHNICAL_GENERIC
    /AWS1/CX_RT_SERVICE_GENERIC.

IMPORTING

Required arguments:

iv_incomingkeyidentifier TYPE /AWS1/PCDKEYARNORKEYALIASTYPE /AWS1/PCDKEYARNORKEYALIASTYPE

The keyARN of the encryption key of incoming ciphertext data.

When a WrappedKeyBlock is provided, this value will be the identifier to the key wrapping key. Otherwise, it is the key identifier used to perform the operation.

iv_outgoingkeyidentifier TYPE /AWS1/PCDKEYARNORKEYALIASTYPE /AWS1/PCDKEYARNORKEYALIASTYPE

The keyARN of the encryption key of outgoing ciphertext data after encryption by Amazon Web Services Payment Cryptography.

iv_ciphertext TYPE /AWS1/PCDCIPHERTEXTTYPE /AWS1/PCDCIPHERTEXTTYPE

Ciphertext to be encrypted. The minimum allowed length is 16 bytes and maximum allowed length is 4096 bytes.

io_incomingencattributes TYPE REF TO /AWS1/CL_PCDREENCATTRIBUTES /AWS1/CL_PCDREENCATTRIBUTES

The attributes and values for incoming ciphertext.

io_outgoingencattributes TYPE REF TO /AWS1/CL_PCDREENCATTRIBUTES /AWS1/CL_PCDREENCATTRIBUTES

The attributes and values for outgoing ciphertext data after encryption by Amazon Web Services Payment Cryptography.

Optional arguments:

io_incomingwrappedkey TYPE REF TO /AWS1/CL_PCDWRAPPEDKEY /AWS1/CL_PCDWRAPPEDKEY

The WrappedKeyBlock containing the encryption key of incoming ciphertext data.

io_outgoingwrappedkey TYPE REF TO /AWS1/CL_PCDWRAPPEDKEY /AWS1/CL_PCDWRAPPEDKEY

The WrappedKeyBlock containing the encryption key of outgoing ciphertext data after encryption by Amazon Web Services Payment Cryptography.

RETURNING

oo_output TYPE REF TO /aws1/cl_pcdreencryptdataout /AWS1/CL_PCDREENCRYPTDATAOUT

Domain /AWS1/RT_ACCOUNT_ID
Primitive Type NUMC

Examples

Syntax Example

This is an example of the syntax for calling the method. It includes every possible argument and initializes every possible value. The data provided is not necessarily semantically accurate (for example the value "string" may be provided for something that is intended to be an instance ID, or in some cases two arguments may be mutually exclusive). The syntax shows the ABAP syntax for creating the various data structures.

DATA(lo_result) = lo_client->reencryptdata(
  io_incomingencattributes = new /aws1/cl_pcdreencattributes(
    io_dukpt = new /aws1/cl_pcddukptencattributes(
      iv_dukptkeyderivationtype = |string|
      iv_dukptkeyvariant = |string|
      iv_initializationvector = |string|
      iv_keyserialnumber = |string|
      iv_mode = |string|
    )
    io_symmetric = new /aws1/cl_pcdsymmetricencattrs(
      iv_initializationvector = |string|
      iv_mode = |string|
      iv_paddingtype = |string|
    )
  )
  io_incomingwrappedkey = new /aws1/cl_pcdwrappedkey(
    io_wrappedkeymaterial = new /aws1/cl_pcdwrappedkeymaterial(
      io_diffiehellmansymmetrickey = new /aws1/cl_pcdecdhderivationat00(
        iv_certauthoritypublickeyid = |string|
        iv_keyalgorithm = |string|
        iv_keyderivationfunction = |string|
        iv_keyderivationhashalg = |string|
        iv_publickeycertificate = |string|
        iv_sharedinformation = |string|
      )
      iv_tr31keyblock = |string|
    )
    iv_keycheckvaluealgorithm = |string|
  )
  io_outgoingencattributes = new /aws1/cl_pcdreencattributes(
    io_dukpt = new /aws1/cl_pcddukptencattributes(
      iv_dukptkeyderivationtype = |string|
      iv_dukptkeyvariant = |string|
      iv_initializationvector = |string|
      iv_keyserialnumber = |string|
      iv_mode = |string|
    )
    io_symmetric = new /aws1/cl_pcdsymmetricencattrs(
      iv_initializationvector = |string|
      iv_mode = |string|
      iv_paddingtype = |string|
    )
  )
  io_outgoingwrappedkey = new /aws1/cl_pcdwrappedkey(
    io_wrappedkeymaterial = new /aws1/cl_pcdwrappedkeymaterial(
      io_diffiehellmansymmetrickey = new /aws1/cl_pcdecdhderivationat00(
        iv_certauthoritypublickeyid = |string|
        iv_keyalgorithm = |string|
        iv_keyderivationfunction = |string|
        iv_keyderivationhashalg = |string|
        iv_publickeycertificate = |string|
        iv_sharedinformation = |string|
      )
      iv_tr31keyblock = |string|
    )
    iv_keycheckvaluealgorithm = |string|
  )
  iv_ciphertext = |string|
  iv_incomingkeyidentifier = |string|
  iv_outgoingkeyidentifier = |string|
).

This is an example of reading all possible response values

lo_result = lo_result.
IF lo_result IS NOT INITIAL.
  lv_keyarn = lo_result->get_keyarn( ).
  lv_keycheckvalue = lo_result->get_keycheckvalue( ).
  lv_ciphertexttype = lo_result->get_ciphertext( ).
ENDIF.