aws-samples · punit84 · Aug 11, 2025 · Aug 27, 2025
diff --git a/java_sdk_example/src/main/java/aws/sample/paymentcryptography/EncryptionUtil.java b/java_sdk_example/src/main/java/aws/sample/paymentcryptography/EncryptionUtil.java
@@ -0,0 +1,123 @@
+package aws.sample.paymentcryptography;
+
+import org.json.JSONObject;
+import software.amazon.awssdk.services.paymentcryptographydata.PaymentCryptographyDataClient;
+import software.amazon.awssdk.services.paymentcryptographydata.model.*;
+
+import java.util.Random;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.math.BigInteger;
+
+public class EncryptionUtil {
+
+    //Decryption API example
+    public String decrypt(String encryptedData, String ksn, String bdkAlias) {//print all arguments
+        Logger.getGlobal().log(Level.INFO,
+                "EncryptionUtil:decrypt Request received with encryptedData {0}, ksn {1}, bdkAlias{2}",
+                new Object[] {encryptedData, ksn, bdkAlias});
+
+        try {
+            PaymentCryptographyDataClient dataPlaneClient = DataPlaneUtils.getDataPlaneClient();
+
+            DukptEncryptionAttributes dukptEncryptionAttributes = DukptEncryptionAttributes
+                    .builder()
+                    .keySerialNumber(ksn)
+                    .mode(ServiceConstants.MODE)
+                    .build();
+
+            EncryptionDecryptionAttributes decryptionAttributes = EncryptionDecryptionAttributes
+                    .builder()
+                    .dukpt(dukptEncryptionAttributes)
+                    .build();
+
+            DecryptDataRequest decryptDataRequest = DecryptDataRequest
+                    .builder()
+                    .cipherText(encryptedData)
+                    .keyIdentifier(bdkAlias)
+                    .decryptionAttributes(decryptionAttributes)
+                    .build();
+
+            Logger.getGlobal()
+                    .log(Level.INFO,"Attempting to decrypt data {0}" ,encryptedData);
+            DecryptDataResponse decryptDataResponse = dataPlaneClient.decryptData(decryptDataRequest);
+
+            Logger.getGlobal()
+                    .log(Level.INFO,"Decrypted data {0}" ,decryptDataResponse.plainText());
+
+            return decryptDataResponse.plainText();
+
+        } catch (Exception exception) {
+            Logger.getGlobal().log(Level.INFO,
+                    "Decrypted: Error occurred when decrypting");
+            JSONObject returnJsonObject = new JSONObject()
+                    .put("response", exception.getMessage());
+            exception.printStackTrace();
+            return returnJsonObject.toString();
+        }
+    }
+
+    //Encryption API example
+    public String encrypt(String track2Data, String ksn, String bdkAlias) {
+        Logger.getGlobal().log(Level.INFO,
+                "EncryptionUtil:encrypt Request received with track2Data {0}, ksn {1}, bdkAlias{2}",
+                new Object[] {track2Data, ksn, bdkAlias});
+
+        try {
+            PaymentCryptographyDataClient dataPlaneClient = DataPlaneUtils.getDataPlaneClient();
+
+            DukptEncryptionAttributes dukptEncryptionAttributes = DukptEncryptionAttributes
+                    .builder()
+                    .keySerialNumber(ksn)
+                    .mode(ServiceConstants.MODE)
+                    .build();
+
+            EncryptionDecryptionAttributes encryptionAttributes = EncryptionDecryptionAttributes
+                    .builder()
+                    .dukpt(dukptEncryptionAttributes)
+                    .build();
+
+            EncryptDataRequest  encryptDataRequest = EncryptDataRequest
+                    .builder()
+                    .plainText(track2Data)
+                    .keyIdentifier(bdkAlias)
+                    .encryptionAttributes(encryptionAttributes)
+                    .build();
+
+            String encryptedData = dataPlaneClient.encryptData(encryptDataRequest).cipherText();
+
+            Logger.getGlobal()
+                    .log(Level.INFO, "Encrypted data {0}", encryptedData);
+
+            return encryptedData;
+
+        } catch (Exception exception) {
+            Logger.getGlobal().log(Level.INFO,
+                    "Encrypted: Error occurred when encrypting");
+            JSONObject returnJsonObject = new JSONObject()
+                    .put("response", exception.getMessage());
+            exception.printStackTrace();
+            return returnJsonObject.toString();
+        }
+    }
+    public static void main(String[] args) {
+
+        EncryptionUtil encryptionUtil = new EncryptionUtil();
+        String ksn = "064E7913030373800000";
+        String encryptedData = "1AA20535832C1E1517C39D09865B6EBB";
+        String bdkAlias = ServiceConstants.BDK_ALIAS_TDES_2KEY;
+        String decryptedData = encryptionUtil.decrypt(encryptedData, ksn, bdkAlias);
+        System.out.println(decryptedData);
+        Logger.getGlobal().log(Level.INFO,
+                "EncryptionUtil:Decrypted data is {0}",
+                new Object[] {decryptedData});
+    }
+
+    protected static String getRandomNumberWithDigitCount(int digCount) {
+        Random rnd = new Random();
+        StringBuilder sb = new StringBuilder(digCount);
+        for (int i = 0; i < digCount; i++)
+            sb.append((char) ('0' + rnd.nextInt(10)));
+        return sb.toString();
+    }
+}
diff --git a/key-import-export/tr34/import_app/import_tr31_raw_key_to_apc.py b/key-import-export/tr34/import_app/import_tr31_raw_key_to_apc.py
@@ -95,7 +95,7 @@ def importTR31(kbpk_clearkey,wk_clearkey,exportmode,keytype,modeofuse,algorithm,
     parser.add_argument("--kbpk_clearkey", help="Clear Text version of KBPK", default="8A8349794C9EE9A4C2927098F249FED6")
     parser.add_argument("--exportmode", "-e", help="Export Mode - E, S or N", default="E",choices=['E', 'S', 'N'])
     parser.add_argument("--algorithm", "-a", help="Algorithm of key - (T)DES or (A)ES", default="T", choices=['A', 'T','R'])
-    parser.add_argument("--keytype", "-t", help="Key Type according to TR-31 norms. For instance K0, B0, etc", default="B0",choices=['K0', 'B0', 'D0','P0','D1'])
+    parser.add_argument("--keytype", "-t", help="Key Type according to TR-31 norms. For instance K0, B0, etc", default="B0",choices=['C0', 'K0', 'K1', 'D0', 'P0', 'V1', 'V2', 'E0', 'E1', 'E2', 'E6', 'B0', 'E4', 'E5', 'M1', 'M3'])
     parser.add_argument("--modeofuse", "-m", help="Mode of use according to TR-31 norms.  For instance B (encrypt/decrypt),X (derive key)", default="X",choices=['B', 'X', 'N','E','D','G','C','V'])
     parser.add_argument("--runmode", help="Run mode. APC will directly import will offline will only produce tr-31 payload", default="APC",choices=['APC', 'OFFLINE'])
     parser.add_argument("--kbpkkey_apcIdentifier","-z", help="Key identifier for KEK that has already been imported into the service. It should have a keytype of K0.", default="",required=True)