View PIN

This operation retrieves card PIN encrypted with temporary PIN encryption key (tzpk) and tzpk encrypted with the provided RSA public key.

Note: The card-holder device must be generating the RSA key, and must not allow any other system to access the private RSA key. The RSA key should be a temporary one-time use key.

Example flow

Step 1, executed on the CARD-HOLDER DEVICE, generating an RSA key pair

// generate RSA key pair var kpg = KeyPairGenerator.getInstance(“RSA”); kpg.initialize(2048); var keyPair = kpg.generateKeyPair(); var publicKey = Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded());

Step 2, executed on the CLIENT BACK-END, requesting the encrypted PIN from the API

// controlId received from pincontrol API var controlId = “83fa5f55-3dd7-453a-8233-4242a6bad179”;

// public RSA key, generated by the card-holder device in Step 1 var publicKey = // fetched from the device

// make request var pinResponse = pinApiClient.post() .uri(“/pin/v3/view?auditUser=”, “test”) .bodyValue(Map.of( “controlId”, controlId, “publicKey”, publicKey )) .retrieve() .bodyToMono(ViewPinResponse.class) .block();

Step 3, executed on the CARD-HOLDER DEVICE, decrypting the PIN

// response from the API call done in Step 2, given by the backend var pinResponse = // given by the backend

// decrypt received tzpk with private key var rsa = Cipher.getInstance(“RSA/ECB/OAEPPadding”); rsa.init(Cipher.DECRYPT_MODE, keyPair.getPrivate(), new OAEPParameterSpec(“SHA-256”, “MGF1”, MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT)); var decryptedTzpk = rsa.doFinal(Base64.getDecoder().decode(pinResponse.getTzpk())); // convert double-length key to triple-length - used if the library support only triple-length 3DES var tzpk = new byte[24]; System.arraycopy(decryptedTzpk, 0, tzpk, 0, 16); System.arraycopy(decryptedTzpk, 0, tzpk, 16, 8); // decrypt pinBlock with tzpk var des = Cipher.getInstance(“DESede/ECB/NoPadding”); des.init(Cipher.DECRYPT_MODE, new SecretKeySpec(tzpk, “DESede”)); var decryptedPinBlock = Hex.toHexString(des.doFinal(Base64.getDecoder().decode(pinResponse.getPinBlock())));

POST

view

curl --request POST \
  --url https://integration-api-cat1./%7B{environment}%7D.ext.%7B{realm}%7D.cia.enfuce.com/pin/v3/view \
  --header 'Content-Type: application/json' \
  --data '{
  "controlId": "83fa5f55-3dd7-453a-8233-4242a6bad179",
  "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP7yu/kPSEPHjqsUYIfarstoX4mx9PeJPZl/2zYFbN3dOAk0YnJYYC5udW+fkfNoaj2cf20XMrXGAatK/N30P9YoksJg8SINss+zn+/suDL/cRDXnVvYUn8fHwMcNNFYx7RbpYGaZHqshp5D96yfTTESu90nP8wrnjXH8iY4JIewIDAQAB"
}'

{
  "pinBlock": "tACuB41yyfU=",
  "tzpk": "i6IWYm4FzTTBrtGF0FFdcHjEEQh8X3qCUcKkNgIXs2R4jLhECfoUHULWoyUu8T9R90MFZnPOuY5tel1Pww4iyKpRG2ChAwPWaHO2g0j9/xKYDBQHY57HklwBdazp03qU9vJIbmwpEOkrJIW1AW7FpypY4amoO565bCg2WfyG69U="
}

Query Parameters

auditUser

string

required

The audit user to log the request

Body

application/json

The related PIN control request data

The body is of type object.

Response

200

application/json

The response is of type object.

Set PIN (Deprecated)Get TZPK for set PIN

curl --request POST \
  --url https://integration-api-cat1./%7B{environment}%7D.ext.%7B{realm}%7D.cia.enfuce.com/pin/v3/view \
  --header 'Content-Type: application/json' \
  --data '{
  "controlId": "83fa5f55-3dd7-453a-8233-4242a6bad179",
  "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP7yu/kPSEPHjqsUYIfarstoX4mx9PeJPZl/2zYFbN3dOAk0YnJYYC5udW+fkfNoaj2cf20XMrXGAatK/N30P9YoksJg8SINss+zn+/suDL/cRDXnVvYUn8fHwMcNNFYx7RbpYGaZHqshp5D96yfTTESu90nP8wrnjXH8iY4JIewIDAQAB"
}'

{
  "pinBlock": "tACuB41yyfU=",
  "tzpk": "i6IWYm4FzTTBrtGF0FFdcHjEEQh8X3qCUcKkNgIXs2R4jLhECfoUHULWoyUu8T9R90MFZnPOuY5tel1Pww4iyKpRG2ChAwPWaHO2g0j9/xKYDBQHY57HklwBdazp03qU9vJIbmwpEOkrJIW1AW7FpypY4amoO565bCg2WfyG69U="
}