GetParametersForExport
Gets the export token and the signing key certificate to initiate a TR-34 key export from AWS Payment Cryptography.
The signing key certificate signs the wrapped key under export within the TR-34 key payload. The export token and signing key certificate must be in place and operational before calling ExportKey. The export token expires in 7 days. You can use the same export token to export multiple keys from your service account.
Cross-account use: This operation can't be used across different AWS accounts.
Related operations:
Request Syntax
{
   "KeyMaterialType": "string",
   "SigningKeyAlgorithm": "string"
}
Request Parameters
The request accepts the following data in JSON format.
- KeyMaterialType
-
The key block format type (for example, TR-34 or TR-31) to use during key material export. An export token is only required for a TR-34 key export (TR34_KEY_BLOCK); it is not required for a TR-31 key export.
Type: String
Valid Values:
TR34_KEY_BLOCK | TR31_KEY_BLOCK | ROOT_PUBLIC_KEY_CERTIFICATE | TRUSTED_PUBLIC_KEY_CERTIFICATE | KEY_CRYPTOGRAM
Required: Yes
- SigningKeyAlgorithm
-
The signing key algorithm to generate a signing key certificate. This certificate signs the wrapped key under export within the TR-34 key block. RSA_2048 is the only signing key algorithm allowed.
Type: String
Valid Values:
TDES_2KEY | TDES_3KEY | AES_128 | AES_192 | AES_256 | RSA_2048 | RSA_3072 | RSA_4096 | ECC_NIST_P256 | ECC_NIST_P384
Required: Yes
Response Syntax
{
   "ExportToken": "string",
   "ParametersValidUntilTimestamp": number,
   "SigningKeyAlgorithm": "string",
   "SigningKeyCertificate": "string",
   "SigningKeyCertificateChain": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- ExportToken
-
The export token to initiate key export from AWS Payment Cryptography. The export token expires after 7 days. You can use the same export token to export multiple keys from the same service account.
Type: String
Pattern:
export-token-[0-9a-zA-Z]{16,64}
- ParametersValidUntilTimestamp
-
The validity period of the export token.
Type: Timestamp
- SigningKeyAlgorithm
-
The algorithm of the signing key certificate for use in TR-34 key block generation. RSA_2048 is the only signing key algorithm allowed.
Type: String
Valid Values:
TDES_2KEY | TDES_3KEY | AES_128 | AES_192 | AES_256 | RSA_2048 | RSA_3072 | RSA_4096 | ECC_NIST_P256 | ECC_NIST_P384
- SigningKeyCertificate
-
The signing key certificate in PEM format (base64 encoded) of the public key for signature within the TR-34 key block. The certificate expires after 7 days.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 32768.
Pattern:
[^\[;\]<>]+
- SigningKeyCertificateChain
-
The root certificate authority (CA) that signed the signing key certificate in PEM format (base64 encoded).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 32768.
Pattern:
[^\[;\]<>]+
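As an added example that is not part of the AWS documentation, the following Python checks a GetParametersForExport response against the constraints documented above (token pattern, 7-day validity, RSA_2048 signing algorithm, PEM field limits) before the token and certificate are handed to ExportKey. The response dictionary, PEM bodies and the call time are constructed for illustration; the function and constant names are assumptions, not SDK identifiers.

```python
import re
from datetime import datetime, timedelta, timezone

# Constraints documented for the GetParametersForExport response.
EXPORT_TOKEN_RE = re.compile(r"export-token-[0-9a-zA-Z]{16,64}")
PEM_FIELD_RE = re.compile(r"[^\[;\]<>]+")   # the negated class also admits newlines
PEM_MAX_LEN = 32768
ALLOWED_SIGNING_ALGORITHMS = {"RSA_2048"}   # the only value the service accepts
TOKEN_LIFETIME = timedelta(days=7)

def _as_datetime(value) -> datetime:
    """The JSON carries an epoch number; SDKs such as boto3 hand back a datetime."""
    return value if isinstance(value, datetime) else datetime.fromtimestamp(value, tz=timezone.utc)

def check_export_parameters(response: dict, now: datetime) -> list[str]:
    """Return the problems found in a response; an empty list means the token
    and signing certificate may be handed to ExportKey."""
    problems = []
    if not EXPORT_TOKEN_RE.fullmatch(response.get("ExportToken", "")):
        problems.append("ExportToken does not match the documented pattern")
    if "ParametersValidUntilTimestamp" not in response:
        problems.append("ParametersValidUntilTimestamp is missing")
    else:
        valid_until = _as_datetime(response["ParametersValidUntilTimestamp"])
        if valid_until <= now:
            problems.append("export token has already expired")
        elif valid_until - now > TOKEN_LIFETIME:
            problems.append("validity exceeds the documented 7-day lifetime")
    if response.get("SigningKeyAlgorithm") not in ALLOWED_SIGNING_ALGORITHMS:
        problems.append("SigningKeyAlgorithm is not RSA_2048")
    for field in ("SigningKeyCertificate", "SigningKeyCertificateChain"):
        value = response.get(field, "")
        if not 1 <= len(value) <= PEM_MAX_LEN or not PEM_FIELD_RE.fullmatch(value):
            problems.append(f"{field} violates its length or pattern constraint")
        elif "-----BEGIN CERTIFICATE-----" not in value:
            problems.append(f"{field} is not PEM certificate data")
    return problems

# Constructed sample response (not real service output); the PEM bodies are placeholders.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderBodyForTheExample\n-----END CERTIFICATE-----\n"
SAMPLE_RESPONSE = {
    "ExportToken": "export-token-0123456789abcdefXYZW",
    "ParametersValidUntilTimestamp": 1704672000,  # 2024-01-08T00:00:00Z
    "SigningKeyAlgorithm": "RSA_2048",
    "SigningKeyCertificate": FAKE_PEM,
    "SigningKeyCertificateChain": FAKE_PEM,
}
CALL_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)  # when the sample was "fetched"
```

Run the check again immediately before each ExportKey call rather than once after fetching the parameters, since the token and certificate expire together after 7 days.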
Errors
- AccessDeniedException
-
You do not have sufficient access to perform this action.
HTTP Status Code: 400
- ConflictException
-
This request can cause an inconsistent state for the resource.
HTTP Status Code: 400
- InternalServerException
-
The request processing has failed because of an unknown error, exception, or failure.
HTTP Status Code: 500
- ResourceNotFoundException
-
The request was denied due to an invalid resource error.
HTTP Status Code: 400
- ServiceQuotaExceededException
-
This request would cause a service quota to be exceeded.
HTTP Status Code: 400
- ServiceUnavailableException
-
The service cannot complete the request.
HTTP Status Code: 500
- ThrottlingException
-
The request was denied due to request throttling.
HTTP Status Code: 400
- ValidationException
-
The request was denied due to an invalid request error.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: