PIN operations using PKI

Get TZPK for set PIN

This operation retrieves temporary PIN enryption key used for setting PIN. Returned tzpk is encrypted with the provided RSA public key.

Example flow

Step 1, executed on the CARD-HOLDER DEVICE, generating an RSA key pair

// generate RSA key pair var kpg = KeyPairGenerator.getInstance(“RSA”); kpg.initialize(2048); var keyPair = kpg.generateKeyPair(); var publicKey = Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded());

Step 2, executed on the CLIENT BACK-END, requesting the encrypted TZPK from the API

// controlId received from pincontrol API var controlId = “83fa5f55-3dd7-453a-8233-4242a6bad179”;

// public RSA key, generated by the card-holder device in Step 1 var publicKey = // fetched from the device

// make request var tzpkResponse = pinApiClient.post() .uri(“/pin/v3/set/tzpk?auditUser=”, “test”) .bodyValue(Map.of( “controlId”, controlId, “publicKey”, publicKey )) .retrieve() .bodyToMono(TzpkResponse.class) .block();

Step 3, executed on the CARD-HOLDER DEVICE, decrypting the TZPK (temporary key for PIN encryption)

// response from the API call done in Step 2, given by the backend var tzpkResponse = // given by the backend

// decrypt tzpk with private key var rsa = Cipher.getInstance(“RSA/ECB/OAEPPadding”); rsa.init(Cipher.DECRYPT_MODE, keyPair.getPrivate(), new OAEPParameterSpec(“SHA-256”, “MGF1”, MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT)); var decryptedTzpk = rsa.doFinal(Base64.getDecoder().decode(tzpkResponse.getTzpk())); // convert double-length key to triple-length - used if the library support only triple-length 3DES var tzpk = new byte[24]; System.arraycopy(decryptedTzpk, 0, tzpk, 0, 16); System.arraycopy(decryptedTzpk, 0, tzpk, 16, 8);

POST

set

tzpk

Get TZPK for set PIN

curl --request POST \
  --url https://integration-api-cat1./%7B{environment}%7D.ext.%7B{realm}%7D.cia.enfuce.com/pin/v3/set/tzpk \
  --header 'Content-Type: application/json' \
  --data '{
  "controlId": "83fa5f55-3dd7-453a-8233-4242a6bad179",
  "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP7yu/kPSEPHjqsUYIfarstoX4mx9PeJPZl/2zYFbN3dOAk0YnJYYC5udW+fkfNoaj2cf20XMrXGAatK/N30P9YoksJg8SINss+zn+/suDL/cRDXnVvYUn8fHwMcNNFYx7RbpYGaZHqshp5D96yfTTESu90nP8wrnjXH8iY4JIewIDAQAB"
}'

{
  "tzpk": "i6IWYm4FzTTBrtGF0FFdcHjEEQh8X3qCUcKkNgIXs2R4jLhECfoUHULWoyUu8T9R90MFZnPOuY5tel1Pww4iyKpRG2ChAwPWaHO2g0j9/xKYDBQHY57HklwBdazp03qU9vJIbmwpEOkrJIW1AW7FpypY4amoO565bCg2WfyG69U="
}

Query Parameters

auditUser

string

required

The audit user to log the request

Body

application/json

The related PIN control request data

The body is of type object.

Response

200

application/json

The response is of type object.

Set PINThis operation sets the card PIN. Provided PIN must be in ISO format 1 and encrypted with the tzpk received from the "Get tzpk" API call. ### Example flow #### Step 1, executed on the CARD-HOLDER DEVICE, encrypting the PIN block with the TZPK // PIN 1234 in ISO format 1 (xxYYYYxxxxxxxxxx) where YYYY is the PIN var pinBlock = "141234AAAAAAAAAA"; // encrypt pinBlock with previously received tzpk var des = Cipher.getInstance("DESede/ECB/NoPadding"); des.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(tzpk, "DESede")); var encryptedPinBlock = des.doFinal(Hex.decode(pinBlock.getBytes())); #### Step 2, executed on the CLIENT BACK-END, sending the encrypted PIN block recieved from the device, to the API // var encryptedPinBlock = // Received from the device // make request pinApiClient.post() .uri("/pin/v3/set?auditUser={user}", "test") .bodyValue(Map.of( "controlId", controlId, "pinBlock", Base64.getEncoder().encodeToString(encryptedPinBlock) )) .retrieve() .bodyToMono(Object.class) .block();

Get TZPK for set PIN

curl --request POST \
  --url https://integration-api-cat1./%7B{environment}%7D.ext.%7B{realm}%7D.cia.enfuce.com/pin/v3/set/tzpk \
  --header 'Content-Type: application/json' \
  --data '{
  "controlId": "83fa5f55-3dd7-453a-8233-4242a6bad179",
  "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP7yu/kPSEPHjqsUYIfarstoX4mx9PeJPZl/2zYFbN3dOAk0YnJYYC5udW+fkfNoaj2cf20XMrXGAatK/N30P9YoksJg8SINss+zn+/suDL/cRDXnVvYUn8fHwMcNNFYx7RbpYGaZHqshp5D96yfTTESu90nP8wrnjXH8iY4JIewIDAQAB"
}'

{
  "tzpk": "i6IWYm4FzTTBrtGF0FFdcHjEEQh8X3qCUcKkNgIXs2R4jLhECfoUHULWoyUu8T9R90MFZnPOuY5tel1Pww4iyKpRG2ChAwPWaHO2g0j9/xKYDBQHY57HklwBdazp03qU9vJIbmwpEOkrJIW1AW7FpypY4amoO565bCg2WfyG69U="
}

Payment API

Account Details

Authorisation Control

Authorisation Forwarding

Card details

Customer

Exchange Rates API

ID

Instalment

Invoice

Notification

PIN

PIN Control

Purchase Details

Repricing

Transaction

Transfer API

Wallet

Test API

Hierarchy API

Spend Control API

Get TZPK for set PIN

Example flow

Step 1, executed on the CARD-HOLDER DEVICE, generating an RSA key pair

Step 2, executed on the CLIENT BACK-END, requesting the encrypted TZPK from the API

Step 3, executed on the CARD-HOLDER DEVICE, decrypting the TZPK (temporary key for PIN encryption)

Query Parameters

Body

Response