Skip navigation links

• Overview
• Package
• Class
• Tree
• Deprecated
• Index
• Help

• Prev Class
• Next Class

• Frames
• No Frames

• All Classes

• Summary:
• Nested |
• Field |
• Constr |
• Method

• Detail:
• Field |
• Constr |
• Method

com.pax.dal

Interface IPedKeyIsolationMixedManager

public interface IPedKeyIsolationMixedManager

PED密钥隔离混合管理模块。

The PED key isolation mixed manager module.

Method Summary

Modifier and Type	Method and Description
byte[]	calcAes(byte keyIndex, byte[] initVector, byte[] dataIn, byte mode) 使用AES算法进行加密和解密 Use AES algorithm for encryption and decryption.
DUKPTResult	calcAesDUKPTData(byte groupIndex, byte keyVarType, byte[] iv, byte[] dataIn, EAlgorithmType algorithmType, byte mode) 使用 AES DUKPT 的数据加解密密钥，对输入缓存内数据进行加密或解密。 Use the AES DUKPT data encryption and decryption key to encrypt or decrypt the data in the input buffer.
byte[]	calcDes(byte keyIndex, byte[] dataIn, byte mode) 使用TDK对dataIn数据进行DES/TDES运算，使用DES或TDES根据密钥的长度而定。除0，1模式没有向量外，其他模式有向量但默认为NULL。 To use TDK encrypt or decrypt data by DES/TDES.
byte[]	calcDesExMode(byte keyIndex, byte[] initVector, byte[] dataIn, byte mode) 使用TDK对数据进行DES/TDES解密或加密运算，输出明文或密文；一个指定的 TDK，只能用于加密或解密运算。 Use TDK to perform DES/TDES decryption or encryption operations on data, and output plaintext or ciphertext; a specified TDK can only be used for encryption or decryption operations
DUKPTResult	calcDUKPTDes(byte groupIndex, byte keyVarType, byte[] iv, byte[] dataIn, byte mode) 使用DUKPT的MAC密钥或DES密钥，对输入缓存内数据进行加密或解密。 Use MAC key or DES key of DUKPT to encrypt or decrypt the data in the input buffer.
void	deriveKeyBySecureData(byte srcKeyType, byte srcKeyIdx, byte dstKeyType, byte dstKeyIdx, byte secureDataIndex, byte[] additionalDataIn, byte derivationMode) 使用SecureData作为datain发散目的密钥。 Use SecureData as the datain divergence key.
void	eraseAppKeys(int mode) 删除应用密钥。 delete app key.
void	eraseKey(byte keyType, byte keyIndex) 擦除指定的密钥。 Erases the specified key.
void	genRsaKey(byte mode, byte prvKeyIdx, byte pubKeyIdx, short modLenBit, byte pubExpType) 生成RSA密钥对然后注入PED。 Generate RSA key pair and inject into PED.
DUKPTResult	getAesDUKPTMac(byte groupIndex, byte[] dataIn, EAlgorithmType algorithmType, byte mode) 使用 AES DUKPT 的 MAC 密钥计算 MAC。 Use AES DUKPT's MAC key to calculate MAC.
DUKPTResult	getAesDUKPTPin(byte groupIndex, java.lang.String exPinLen, byte[] dataIn, EAlgorithmType algorithmType, byte mode, long timeoutMs) 在 PED 上输入 PIN,并使 AES DUKPT 的 PIN 密钥计算 PINBlock。 Enter the PIN on the PED, and use the PIN key of AES DUKPT to calculate the PINBlock.
byte[]	getDUKPTKsn(byte groupIndex) 读取下一次计算的KSN。 KSN Reading the KSN which will be computed at next time.
DUKPTResult	getDUKPTMac(byte groupIndex, byte[] dataIn, byte mode) 使用DUKPT的MAC密钥计算MAC。 Use MAC Key to calculate MAC.
DUKPTResult	getDUKPTPin(byte groupIndex, java.lang.String expPinLen, byte[] dataIn, byte mode, int timeoutMs) 在PED上输入PIN，并使DUKPT的PIN密钥计算PINBlock。 PINBlock Input the PIN on PED,and use the PINkey of DUKPT to calculate the PINBlock.
byte[]	getKCV(byte type, byte keyIndex, byte checkMode, byte[] checkBuf) 获取密钥的KCV值，以供对话双方进行密钥验证，用指定的密钥及算法对一段数据进行加密， Getting value of KCV for key verification of to side, using specific key and algorithm to encrypt data, and then return part of cryptograph.
byte[]	getMac(byte keyIndex, byte[] dataIn, byte mode) 用KeyIdx指定的MAC密钥对DataIn进行mode指定的算法进行MAC运算，将MAC结果返回。 To use KeyIdx MAC key calculate the DataIn following the specified Mode algorithm, return the MAC result.
byte[]	getMacAes(byte keyIdx, byte[] dataIn, byte mode) 使用AES_TAK对DataIn用Mode指定的算法进行MAC运算，将16字节的MAC结果输出， MAC运算密钥是主密钥/工作密钥体系或固定密钥体系密钥或DUKPT密钥体系。 用法： 1.敏感服务授权：在此接口内部，先进行认证以获取敏感服务授权，若授权失败则退出。 2.补零规则：将报文数据分割成若干16个字节的BLOCK，最后一个BLOCK不满16个字节则后补0x00。 Use AES_TAK to perform MAC operation on dataIn with the algorithm specified by Mode, and output the 16-byte MAC result.
byte[]	getPinBlock(byte keyIdx, java.lang.String expPinLen, byte[] dataIn, byte mode, int timeoutMs) 扫描键盘上输入的PIN并输出由 Mode指定算法加密的 PIN BLOCK。 Scan the PIN entered on the keyboard and output the PIN BLOCK encrypted by the algorithm specified by Mode.
byte[]	getPinBlock(byte keyIdx, java.lang.String expPinLen, byte[] dataIn, byte mode, int timeoutMs, int controlTime) 扫描键盘上输入的PIN并输出由 Mode指定算法加密的 PIN BLOCK。 Scan the PIN entered on the keyboard and output the PIN BLOCK encrypted by the algorithm specified by Mode.
void	incDUKPTKsn(byte groupIndex) 每个KSN对应的DUKPT密钥，最多只能使用256次，当单个密钥使用 256次后，将返回EPedDevException.PED_ERR_DUKPT_NEED_INC_KSN异常， 需要调用该接口，给 KSN加1。 The DUKPT key corresponding to each KSN can only be used up to 256 times.
void	injectKeyBlock(byte format, byte srcKeyType, byte srcKeyIdx, byte dstKeyIdx, byte[] keyBlock) 往PED中注入一个密钥 Inject a key into the PED.
RSAKeyInfo	readRSAKey(byte rsaKeyIndex) 读取RSA公钥密钥。 Read rsa public key.
RSARecoverInfo	RSARecover(byte rsaKeyIndex, byte[] dataIn) 用存储在PED的RSA密钥进行数据RSA数据运算。 注意: 1.该函数对dataIn进行RSA加解密运算，运算结果输出到RSARecoverInfo 2.当rsaKeyIndex指定的密钥为私钥时，如果dataIn是对应公钥的加密密文，则RSARecoverInfo为dataIn的明文，否则RSARecoverInfo为dataIn的RSA密文； 3.当rsaKeyIndex指定的密钥为公钥时，如果dataIn是对应私钥的加密密文，则RSARecoverInfo为dataIn的明文，否则RSARecoverInfo为dataIn的RSA密文； 4.该方法可实现长度不超过4096bits的RSA运算。 Using the RSA key stored in PED to do the RSA data operation.
void	setInputPinListener(IPed.IPedInputPinListener listener) 设置输入PIN监听器。 Set the input PIN listener.
void	writeAesDUKPTTIK(byte groupIndex, byte srcKeyIndex, byte[] keyValue, byte[] ksn, byte checkMode, byte[] checkBuf) 写入 AES DUKPT 初始密钥 AESTIK，并可以选择使用 KCV 验证密钥正确性。 Write the AES DUKPT initial key AESTIK, and you can choose to use KCV to verify the correctness of the key.
void	writeAesKey(byte srcKeyType, byte srcKeyIndex, byte destKeyType, byte destKeyIndex, byte[] destKeyValue, byte checkMode, byte[] checkBuf) 写入一个AES密钥，并可以选择使用KCV验证密钥正确性。 To write Aes key to PED, and use KCV to check the key correction.
void	writeKey(byte srcKeyType, byte srcKeyIndex, byte dstKeyType, byte dstKeyIndex, byte[] destKeyValue, ECheckMode checkMode, byte[] checkBuf) 写入一个密钥，包括TLK，TMK和TWK的写入、发散，并可以选择使用KCV验证密钥正确性。
void	writeKeyEx(byte srcKeyType, byte srcKeyIndex, byte dstKeyType, byte dstKeyIndex, byte[] dstKeyValue, ECheckMode checkMode, byte[] checkBuf, byte[] keyVarIn, byte keyVarMode) 写入一个密钥，包括TLK，TMK和TWK的写入、发散，并可以选择使用KCV验证密钥正确性。
void	writeRSAKey(byte rsaKeyIndex, RSAKeyInfo info) 1.注入RSA密钥到PED 2.PED最多支持10组RSA密钥,目前最长只支持256字节长的RSA密钥。 3.存储的RSA密钥是公钥还是私钥由密钥的指数长度决定,当密钥指数和模等长时,是私钥。 4.PED通过writeRSAKey注入RSA密钥。 5.通过RSARecover使用已注入的密钥进行RSA运算。 6.任何时候,RSA密钥可以进行重写。
void	writeTIK(byte groupIndex, byte srcKeyIndex, byte[] keyValue, byte[] ksn, ECheckMode checkMode, byte[] checkBuf) 写入TIK，并可以选择使用KCV验证密钥正确性。 Write in TIK, and can check the key correction by using KCV.

Method Detail

setInputPinListener

void setInputPinListener(IPed.IPedInputPinListener listener)

设置输入PIN监听器。

Set the input PIN listener.

Parameters:

listener - IPed.IPedInputPinListener

calcAesDUKPTData

DUKPTResult calcAesDUKPTData(byte groupIndex,
                             byte keyVarType,
                             byte[] iv,
                             byte[] dataIn,
                             EAlgorithmType algorithmType,
                             byte mode)
                      throws PedDevException

使用 AES DUKPT 的数据加解密密钥，对输入缓存内数据进行加密或解密。

Use the AES DUKPT data encryption and decryption key to encrypt or decrypt the data in the input buffer.

Parameters:

groupIndex -

AES DUKPT密钥组索引。范围1~40。

AES DUKPT key group index. The range is 1~40.

keyVarType -

• 0x01: 用 AES DUKPT 数据加解密密钥运算。
• 0x04: 使用应答数据密钥，仅支持加密模式，即mode 值只能为 0x01、0x03。
• 0x05: 使用请求数据密钥，仅支持解密模式，即mode 值只能为 0x00、0x02。

• 0x01: Use AES DUKPT data encryption and decryption key operations.
• 0x04: Using the response data key, only supports the encryption mode, that is, the mode value can only be 0x01, 0x03.
• 0x05: When using the requested data key, only the decryption mode is supported, that is, the mode value can only be 0x00, 0x02.

iv -

8/16字节初始向量，CBC加解密时需要，如果传入NULL，将默认用“\x00\x00\x00\x00\x00\x00\x00\x00”或 “\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00”作为初始向量

8/16 bytes initialization vector, used for CBC encryption or decryption. If set it to NULL, it will use “\x00\x00\x00\x00\x00\x00\x00\x00” or “\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00” as the initialization vector by default.

dataIn -

需要进行运算的数据。数据长度<=8192，8(TDES)/16(AES)整除。

The data to be calculated. Data length<=8192, evenly divided by 8(TDES)/16(AES).

algorithmType -

• 为EAlgorithmType._2TDEA_或EAlgorithmType._3TDEA_时，使用TDES算法计算。
• 为EAlgorithmType._AES128_或EAlgorithmType._AES192_或EAlgorithmType._AES256_时，使用AES算法计算。

• When it is EAlgorithmType._2TDEA_ or EAlgorithmType._3TDEA_, use the TDES algorithm for calculation.
• When it is EAlgorithmType._AES128_ or EAlgorithmType._AES192_ or EAlgorithmType._AES256_, use the AES algorithm for calculation.

mode -

• 0x00: ECB 解密
• 0x01: ECB 加密
• 0x02: CBC 解密
• 0x03: CBC 加密

• 0x00: ECB decryption.
• 0x01: ECB encryption.
• 0x02: CBC decryption.
• 0x03: CBC encryption.

Returns:

DUKPTResult

Throws:

PedDevException - PedDevException

Since:

V4.00.00

getAesDUKPTMac

DUKPTResult getAesDUKPTMac(byte groupIndex,
                           byte[] dataIn,
                           EAlgorithmType algorithmType,
                           byte mode)
                    throws PedDevException

使用 AES DUKPT 的 MAC 密钥计算 MAC。

Use AES DUKPT's MAC key to calculate MAC.

Parameters:

groupIndex -

AES DUKPT密钥组索引。范围1~40。

AES DUKPT key group index. The range is 1~40.

dataIn -

要进行 MAC 运算的数据内容。数据的长度<=2048，长度不能被 8(TDES)/16(AES)整除，则自动补 0x00。

The data content to be MAC operation. The length of the data <=2048, and the length cannot be divisible by 8(TDES)/16(AES), then 0x00 will be automatically added.

algorithmType -

• 为EAlgorithmType._2TDEA_或EAlgorithmType._3TDEA_时，使用TDES算法计算。
• 为EAlgorithmType._AES128_或EAlgorithmType._AES192_或EAlgorithmType._AES256_时，使用AES算法计算。
• 为EAlgorithmType._HMAC128_或EAlgorithmType._HMAC192_或EAlgorithmType._HMAC256_时，仅支持HMAC-SHA256算法计算。即mode为0x25/0x45/0x65。

• When it is EAlgorithmType._2TDEA_ or EAlgorithmType._3TDEA_, use the TDES algorithm for calculation.
• When it is EAlgorithmType._AES128_ or EAlgorithmType._AES192_ or EAlgorithmType._AES256_, use the AES algorithm for calculation.
• When it is EAlgorithmType._HMAC128_ or EAlgorithmType._HMAC192_ or EAlgorithmType._HMAC256_, only HMAC-SHA256 algorithm calculation is supported. That is, the mode is 0x25/0x45/0x65.

mode -

• 0x20: 根据ANSI X9.9规范，将 BLOCK1 用 MAC密钥做 TDES/AES 加密，加密结果与 BLOCK2进行逐位异或后再用MAC密钥做 TDES/AES加密，依次进行得到 8(TDES)/16(AES)字节的加密结果。 KSN 不自动加 1。
• 0x21: Hypercom Fast Mode，将 BLOCK1 和BLOCK2 进行逐位异或，异或结果与 BLOCK3进 行 逐 位 异 或 ， 依 次 进 行 ， 最 后 得 到8(TDES)/16(AES)字节的异或结果，将该结果用MAC 密钥进行 TDES/AES 加密运算。KSN 不自动加 1。
• 0x22: 根据 ANSIX9.19 规范，将 BLOCK1 用MAC密钥做DES 加密(只取前8个字节的key)，加密结果与 BLOCK2 进行逐位异或后再用MAC 密钥做 DES 加密，依次进行得到 8 字节的加密结果，直到最后一次采用 TDES 加密。 KSN不自动加 1。 (不支持 AES 算法。)
• 0x23: CMAC算法。 KSN不自动加1。其它值保留扩展MAC算法。
• 0x25: HMAC-SHA256算法。 KSN不自动加1。
• 0x40: 根据ANSI X9.9规范，将 BLOCK1 用 MAC密钥做 TDES/AES 加密，加密结果与 BLOCK2进行逐位异或后再用MAC密钥做 TDES/AES加密，依次进行得到 8(TDES)/16(AES)字节的加密结果。 KSN 不自动加 1。
• 0x41: Hypercom Fast Mode，将 BLOCK1 和BLOCK2 进行逐位异或，异或结果与 BLOCK3进 行 逐 位 异 或 ， 依 次 进 行 ， 最 后 得 到8(TDES)/16(AES)字节的异或结果，将该结果用MAC 密钥进行 TDES/AES 加密运算。KSN 不自动加 1 。
• 0x42: 根据 ANSIX9.19 规范，将 BLOCK1 用MAC密钥做DES 加密(只取前8个字节的key)，加密结果与 BLOCK2 进行逐位异或后再用MAC 密钥做 DES 加密，依次进行得到 8 字节的加密结果，直到最后一次采用 TDES 加密。 KSN不自动加 1。 (不支持 AES 算法。)
• 0x43: CMAC算法。 KSN不自动加1。其它值保留扩展MAC算法。
• 0x45: HMAC-SHA256算法。 KSN不自动加1。
• 0x60: 据ANSI X9.9规范，将 BLOCK1 用 MAC密钥做 TDES/AES 加密，加密结果与 BLOCK2进行逐位异或后再用MAC密钥做 TDES/AES加密，依次进行得到 8(TDES)/16(AES)字节的加密结果。 KSN 不自动加 1。
• 0x61: Hypercom Fast Mode，将 BLOCK1 和BLOCK2 进行逐位异或，异或结果与 BLOCK3进 行 逐 位 异 或 ， 依 次 进 行 ， 最 后 得 到8(TDES)/16(AES)字节的异或结果，将该结果用MAC 密钥进行 TDES/AES 加密运算。KSN 不自动加 1。
• 0x62: 根据 ANSIX9.19 规范，将 BLOCK1 用MAC密钥做DES 加密(只取前8个字节的key)，加密结果与 BLOCK2 进行逐位异或后再用MAC 密钥做 DES 加密，依次进行得到 8 字节的加密结果，直到最后一次采用 TDES 加密。 KSN不自动加 1。 (不支持 AES 算法。)
• 0x63: CMAC算法。KSN不自动加1。 其它值保留扩展MAC算法。
• 0x65: HMAC-SHA256算法。 KSN不自动加1。

• 0x20: According to the ANSI X9.9 specification, BLOCK1 is encrypted with MAC key for TDES/AES, the encrypted result is XORed with BLOCK2 bit by bit, and then the MAC key is used for TDES/AES encryption, and then proceed to get 8(TDES)/16( AES) byte encryption result. KSN does not automatically increase by 1.
• 0x21: In Hypercom Fast Mode, BLOCK1 and BLOCK2 are XORed bit by bit, and the XOR result is XORed bit by bit with BLOCK3, and then proceeded in sequence. Finally, an XOR result of 8 (TDES)/16 (AES) bytes is obtained. Use this result The MAC key performs TDES/AES encryption operations. KSN does not automatically increase by 1.
• 0x22: According to the ANSIX9.19 specification, BLOCK1 is encrypted with MAC key for DES (only the key of the first 8 bytes is taken), and the encrypted result is XORed with BLOCK2 bit by bit, and then the MAC key is used for DES encryption, and then proceed to get 8 The result of byte encryption until the last TDES encryption. KSN does not automatically increase by 1. (The AES algorithm is not supported.)
• 0x23: CMAC algorithm. KSN does not automatically increase by 1. Other values retain the extended MAC algorithm.
• 0x25: HMAC-SHA256 algorithm. KSN does not automatically increase by 1.
• 0x40: According to the ANSI X9.9 specification, BLOCK1 is encrypted with MAC key for TDES/AES, the encrypted result is XORed with BLOCK2 bit by bit, and then the MAC key is used for TDES/AES encryption, and then proceed to get 8(TDES)/16( AES) byte encryption result. KSN does not automatically increase by 1.
• 0x41: In Hypercom Fast Mode, BLOCK1 and BLOCK2 are XORed bit by bit, and the XOR result is XORed bit by bit with BLOCK3, and then proceeded in sequence. Finally, an XOR result of 8 (TDES)/16 (AES) bytes is obtained. Use this result The MAC key performs TDES/AES encryption operations. KSN does not automatically increase by 1.
• 0x42: According to the ANSIX9.19 specification, BLOCK1 is encrypted with MAC key for DES (only the key of the first 8 bytes is taken), and the encrypted result is XORed with BLOCK2 bit by bit, and then the MAC key is used for DES encryption, and then proceed to get 8 The result of byte encryption until the last TDES encryption. KSN does not automatically increase by 1. (The AES algorithm is not supported.)
• 0x43: CMAC algorithm. KSN does not automatically increase by 1. Other values retain the extended MAC algorithm.
• 0x45: HMAC-SHA256 algorithm. KSN does not automatically increase by 1.
• 0x60: According to the ANSI X9.9 specification, BLOCK1 is encrypted with MAC key for TDES/AES, the encrypted result is XORed with BLOCK2 bit by bit, and then the MAC key is used for TDES/AES encryption, and then proceed to get 8(TDES)/16( AES) byte encryption result. KSN does not automatically increase by 1.
• 0x61: In Hypercom Fast Mode, BLOCK1 and BLOCK2 are XORed bit by bit, and the XOR result is XORed bit by bit with BLOCK3, and then proceeded in sequence. Finally, an XOR result of 8 (TDES)/16 (AES) bytes is obtained. Use this result The MAC key performs TDES/AES encryption operations. KSN does not automatically increase by 1.
• 0x62: According to the ANSIX9.19 specification, BLOCK1 is encrypted with MAC key for DES (only the key of the first 8 bytes is taken), and the encrypted result is XORed with BLOCK2 bit by bit, and then the MAC key is used for DES encryption, and then proceed to get 8 The result of byte encryption until the last TDES encryption. KSN does not automatically increase by 1. (The AES algorithm is not supported.)
• 0x63: CMAC algorithm. KSN does not automatically increase by 1. Other values retain the extended MAC algorithm.
• 0x65: HMAC-SHA256 algorithm. KSN does not automatically increase by 1.

Returns:

DUKPTResult

当mode等于HMAC-SHA256算法是，输出长度为32字节。

When the mode is equal to the HMAC-SHA256 algorithm, the output length is 32 bytes.

Throws:

PedDevException - PedDevException

Since:

V4.00.00

getAesDUKPTPin

DUKPTResult getAesDUKPTPin(byte groupIndex,
                           java.lang.String exPinLen,
                           byte[] dataIn,
                           EAlgorithmType algorithmType,
                           byte mode,
                           long timeoutMs)
                    throws PedDevException

在 PED 上输入 PIN,并使 AES DUKPT 的 PIN 密钥计算 PINBlock。

Enter the PIN on the PED, and use the PIN key of AES DUKPT to calculate the PINBlock.

Parameters:

groupIndex -

AES DUKPT密钥组索引。范围1~40。

AES DUKPT key group index. The range is 1~40.

exPinLen -

可输入的合法密码长度字符串，应用程序把允许的密码长度全部枚举出来，并且用","号隔开每个长度，密码长度的有效取值为：0，4~12。若允许输入 4、6 位密码并且允许无密码直接按确认，则该字符串应该设置为"0，4，6"。 若枚举 0 长度则示意可以不输任何数字而直接按确认键返回。若枚举字符串中存在长度的无效值，比如"2，6，7，10"，无效值将被忽略。

The valid password length string that can be entered, the application enumerates all the allowable password lengths, and separates each length with a "," sign. The valid value of the password length is 0, 4~12. If 4 or 6-digit passwords are allowed and you can press confirm without a password, the character string should be set to "0, 4, 6". If the length of the enumeration is 0, it means that you can directly press the enter key to return without entering any number. If there are invalid values of length in the enumerated string, such as "2, 6, 7, 10", the invalid value will be ignored.

dataIn -

• 当mode=0x20时，dataIn指向卡号移位后生成的16位主帐号，不包含校验位。
• 当mode=0x21时，dataIn未使用，但是不能为NULL。
• 当mode=0x22时，dataIn指向卡号移位后生成的16位主帐号，不包含校验位。
• 当mode=0x23时，为交易流水号ISN [6 Bytes,ASCII码]。
• 当mode=0x24时，dataIn为主账号。

• When mode=0x20, dataIn points to the 16-bit primary account generated after the card number shift, excluding the check bit.
• When mode=0x21, dataIn is not in use, but cannot be NULL.
• When mode=0x22, dataIn points to the 16-bit primary account generated after the card number shift, excluding the check bit.
• When mode=0x23, is the transaction current number [6 Bytes,ASCII code].
• When mode=0x24, dataIn is primary account.

algorithmType - EAlgorithmType

• 为EAlgorithmType._2TDEA_或者EAlgorithmType._3TDEA_时，使用 TDES算法计算(mode不能为0x24)。
• 为EAlgorithmType._AES128_或者EAlgorithmType._AES192_或者EAlgorithmType._AES256_时，使用 AES 算法计算(mode只能为0x24)。

• When it is EAlgorithmType._2TDEA_ or EAlgorithmType._3TDEA_, use the TDES algorithm for calculation (mode cannot be 0x24).
• When it is EAlgorithmType._AES128_ or EAlgorithmType._AES192_ or EAlgorithmType._AES256_, use the AES algorithm for calculation (mode can only be 0x24).

mode -

• 0x20:ISO9564 格式0，KSN不自动加1。
• 0x21:ISO9564 格式1，KSN不自动加1。
• 0x22:ISO9564 格式3，KSN不自动加1。
• 0x23:HK EPS格式， KSN不自动加1。
• 0x24:ISO9564 格式4，KSN不自动加1。

• 0x20:ISO9564 format 0,KSN doesn't automatically add 1。
• 0x21:ISO9564 format 1,KSN doesn't automatically add 1。
• 0x22:ISO9564 format 3,KSN doesn't automatically add 1。
• 0x23:HK EPS format, KSN doesn't automatically add 1。
• 0x24:ISO9564 format 4,KSN doesn't automatically add 1。

timeoutMs -

Returns:

输入 PIN 的超时时间。单位：毫秒，最大值为 300000ms。0表示没有超时时间，PED 不做超时控制。

Enter the PIN timeout period. Unit: milliseconds, the maximum value is 300000ms. 0 means there is no timeout period, and PED does not do timeout control.

Throws:

PedDevException - PedDevException

Since:

V4.00.00

writeAesDUKPTTIK

void writeAesDUKPTTIK(byte groupIndex,
                      byte srcKeyIndex,
                      byte[] keyValue,
                      byte[] ksn,
                      byte checkMode,
                      byte[] checkBuf)
               throws PedDevException

写入 AES DUKPT 初始密钥 AESTIK，并可以选择使用 KCV 验证密钥正确性。

Write the AES DUKPT initial key AESTIK, and you can choose to use KCV to verify the correctness of the key.

Parameters:

groupIndex -

AES DUKPT密钥组索引。范围1~40。

AES DUKPT key group index. The range is 1~40.

srcKeyIndex -

用于分散的密钥的密钥索引。范围0~1。目前仅支持明文写入，索引仅支持0。

The key index for the decentralized key. The range is 0~1. Currently, only plaintext writing is supported, and the index only supports 0.

keyValue -

AESTIK 的明文。目前AES DUKPT 算法支持 16/24/32 字节长度的密钥。

The plain text of AESTIK. Currently, the AES DUKPT algorithm supports keys with a length of 16/24/32 bytes.

ksn -

初始化 KSN。长度10/12 字节，只有在兼容模式才会是 10 字节。

Initialize KSN. The length is 10/12 bytes, only in compatibility mode will it be 10 bytes.

checkMode -

验证模式。

• 0x00:无校验。
• 0x05:对16个字节的 0x00进行AES加密,得到的密文的前3个字节即为KCV。
• 0x06:对16个字节的 0x00进行AES CMAC加密,得到的密文的前3个字节即为KCV。

Check mode.

• 0x00: No check.
• 0x05:Perform AES encryption on the 16 bytes of 0x00, and the first 3 bytes of the ciphertext obtained are KCV.
• 0x06:Perform AES CMAC encryption on the 16 bytes of 0x00, and the first 3 bytes of the ciphertext obtained are KCV.

checkBuf -

• 当checkMode=0x00时，checkBuf的值无效，系统认为不验证KCV。
• 当checkMode=0x05/0x06时，checkBuf[0]=KCV的长度，checkBuf[1]开始是KCV的值。

• When checkMode=0x00, the value of checkBuf is invalid, and the system considers that KCV is not verified.
• When checkMode=0x05/0x06, checkBuf[0]=KCV length, checkBuf[1] starts with the value of KCV.

Throws:

PedDevException - PedDevException

Since:

V4.00.00

calcAes

byte[] calcAes(byte keyIndex,
               byte[] initVector,
               byte[] dataIn,
               byte mode)
        throws PedDevException

使用AES算法进行加密和解密

Use AES algorithm for encryption and decryption.

Parameters:

keyIndex -

AES_TDK密钥序号: 1~100

[1~100] AES_TDK index

initVector -

ECB模式: 初始向量为空。 CBC/OFB模式: 初始向量, 16字节。

ECB mode: init vector is null .CBC/OFB mode: init vector, 16 bytes.

dataIn -

用于加密或解密的数据，最大长度 <= 1024, 且为16的倍数。

the data to be calculated. The maximum length is <= 1024, and is a multiple of 16.

mode -

• 0x00: ECB模式解密
• 0x01: ECB模式加密
• 0x02: CBC模式解密
• 0x03: CBC模式加密
• 0x04: OFB模式解密
• 0x05: OFB模式加密

• 0x00: DECRYPT#ECB
• 0x01: ENCRYPT#ECB
• 0x02: DECRYPT#CBC
• 0x03: ENCRYPT#CBC
• 0x04: DECRYPT#OFB
• 0x05: ENCRYPT#OFB

Returns:

返回运算后的数据

the data after calculation.

Throws:

PedDevException

Since:

V4.00.00

calcDes

byte[] calcDes(byte keyIndex,
               byte[] dataIn,
               byte mode)
        throws PedDevException

使用TDK对dataIn数据进行DES/TDES运算，使用DES或TDES根据密钥的长度而定。除0，1模式没有向量外，其他模式有向量但默认为NULL。

To use TDK encrypt or decrypt data by DES/TDES. Using DES or TDES depends on the key length. Except for 0, 1 mode which does not have a vector, other modes have a vector but default to NULL.

Parameters:

keyIndex -

[1~100] TDK的索引 。

[1~100] TDK index.

dataIn -

用于运算的数据.除ECB和CBC最大支持8K bytes，其他模式的输入长度最大支持2048。

Data used for calculation. Except for ECB and CBC, which support a maximum of 8K bytes, other modes supports a maximum of 2048.

mode -

• 0x00: ECB模式解密
• 0x01: ECB模式加密
• 0x02: CBC模式解密
• 0x03: CBC模式加密
• 0x04: OFB模式解密
• 0x05: OFB模式加密
• 0x06: CFB8模式解密
• 0x07: CFB8模式加密

• 0x00: DECRYPT#ECB
• 0x01: ENCRYPT#ECB
• 0x02: DECRYPT#CBC
• 0x03: ENCRYPT#CBC
• 0x04: DECRYPT#OFB
• 0x05: ENCRYPT#OFB
• 0x06: DECRYPT#CFB8
• 0x07: ENCRYPT#CFB8

Returns:

运算后的数据 。

The data which have been calculated.

Throws:

PedDevException

calcDesExMode

byte[] calcDesExMode(byte keyIndex,
                     byte[] initVector,
                     byte[] dataIn,
                     byte mode)
              throws PedDevException

使用TDK对数据进行DES/TDES解密或加密运算，输出明文或密文；一个指定的 TDK，只能用于加密或解密运算。

Use TDK to perform DES/TDES decryption or encryption operations on data, and output plaintext or ciphertext; a specified TDK can only be used for encryption or decryption operations

Parameters:

keyIndex -

[1~100] TDK的索引

[1~100] TDK index

initVector -

加解密运算的初始向量，长度为8字节，无论长度多少，只有前8字节有效。

The initial vector for encryption and decryption operations, the length is 8 bytes, no matter how long it is, only the first 8 bytes are valid.

dataIn -

需要进行运算的数据,以字节为单位, 除0,1模式最大支持8K之外，其他模式最大支持1024

The data that needs to be calculated, in bytes, except for the 0,1 mode that supports a maximum of 8K, other modes support a maximum of 1024.

mode -

• 0x00: CBC模式解密
• 0x01: CBC模式加密
• 0x04: OFB模式解密
• 0x05: OFB模式加密
• 0x06: CFB8模式解密
• 0x07: CFB8模式加密

• 0x00: DECRYPT#CBC
• 0x01: ENCRYPT#CBC
• 0x04: DECRYPT#OFB
• 0x05: ENCRYPT#OFB
• 0x06: DECRYPT#CFB8
• 0x07: ENCRYPT#CFB8

Returns:

返回运算后的数据

the data after calculation.

Throws:

PedDevException

Since:

V4.00.00

calcDUKPTDes

DUKPTResult calcDUKPTDes(byte groupIndex,
                         byte keyVarType,
                         byte[] iv,
                         byte[] dataIn,
                         byte mode)
                  throws PedDevException

使用DUKPT的MAC密钥或DES密钥，对输入缓存内数据进行加密或解密。

Use MAC key or DES key of DUKPT to encrypt or decrypt the data in the input buffer.

Parameters:

groupIndex -

[1~100] DUKPT密钥组索引号

[1~100] DUKPT group ID

keyVarType -

• 0x00: 使用请求和应答MAC密钥。
• 0x01: 使用DUKPT DES密钥运算。
• 0x02: 使用DUKPT PIN密钥做ECB加密。Mode 只能取值 0x01:ECB 加密。
• 0x03: 使用应答 MAC 密钥。仅支持加密模式，mode只能是0x01、0x03、0x05。
• 0x04: 使用应答 DES 密钥。仅支持加密模式，mode只能是0x01、0x03、0x05。

• 0x00: Use request and response MAC key.
• 0x01: Use DUKPT DES key operation.
• 0x02: Use DUKPT PIN key to do the ECB encryption. mode can only be 0x01:ENCRYPT#ECB.
• 0x03: Use the response MAC key. Only encryption mode is supported, mode can only be 0x01、0x03、0x05.
• 0x04: Use the response DES key. Only encryption mode is supported, mode can only be 0x01、0x03、0x05.

iv -

8字节初始向量，CBC加解密时需要，如果传入NULL，将默认用“\x00\x00\x00\x00\x00\x00\x00\x00”作为初始向量

8 bytes initialization vector, used for CBC encryption or decryption. If set it to NULL, it will use “\x00\x00\x00\x00\x00\x00\x00\x00” as the initialization vector by default.

dataIn -

指向需要进行运算的数据, 数据长度<=8192，8整除

Point to the data which need to be computed.Data length less than or equal to 8192, it is divisible by 8.

mode -

• 0x00: ECB模式解密
• 0x01: ECB模式加密
• 0x02: CBC模式解密
• 0x03: CBC模式加密
• 0x04: OFB模式解密
• 0x05: OFB模式加密

• 0x00: DECRYPT#ECB
• 0x01: ENCRYPT#ECB
• 0x02: DECRYPT#CBC
• 0x03: ENCRYPT#CBC
• 0x04: DECRYPT#OFB
• 0x05: ENCRYPT#OFB

Returns:

DUKPTResult

Throws:

PedDevException

Since:

V4.00.00

getPinBlock

byte[] getPinBlock(byte keyIdx,
                   java.lang.String expPinLen,
                   byte[] dataIn,
                   byte mode,
                   int timeoutMs)
            throws PedDevException

扫描键盘上输入的PIN并输出由 Mode指定算法加密的 PIN BLOCK。

Scan the PIN entered on the keyboard and output the PIN BLOCK encrypted by the algorithm specified by Mode.

Parameters:

keyIdx -

[1~100] TPK的索引

[1~100] TPK index

expPinLen -

可输入的合法密码长度字符串，应用程序把允许的密码长度全部枚举出来，并且用","号隔开每个长度，密码长度的有效取值为：0，4~12。若允许输入 4、6 位密码并且允许无密码直接按确认，则该字符串应该设置为"0，4，6"。 若枚举 0 长度则示意可以不输任何数字而直接按确认键返回。若枚举字符串中存在长度的无效值，比如"2，6，7，10"，无效值将被忽略。

当mode=0x05的时候，该参数为"5"

The legal password length string that can be input. The application enumerates all the allowed password lengths and separates each length with "," signs. The valid values for password lengths are: 0,4 to 12. If 4 or 6-digit passwords are allowed to be entered and direct confirmation without a password is permitted, the string should be set to "0,4,6". If the enumeration length is 0, it indicates that no numbers can be entered and the confirmation key can be directly pressed to return. If there are invalid values of length in the enumeration string, such as "2,6,7,10", the invalid values will be ignored.

When mode=0x05，it should be "5"

dataIn -

• 当mode=0x00时, DataIn指向卡号移位后生成的16位主帐号。
• 当mode=0x01时, 输入参数为参与PinBlock的格式化,8字节数据(根据ISO9564的规范,该数据可以是随机数、交易流水号或时间戳等)。
• 当mode=0x02时, DataIn指向卡号移位后生成的16位主帐号,DataIn+16指向参与PinBlock格式化的8字节数据(根据ISO9564的规范 ,该数据可以是随机数、交易流水号或时间戳等,但是每个字节的高4位和低4位,均必须在0xA~0xF之间,所以当Mode为0x02时,应用需要将该8字节的数据做此检查,如果不满足要求将返回错误)
• 当mode=0x03时, 为交易流水号ISN [6 Bytes,ASCII码]
• 当Mode=0x05时, DataIn包含卡账号和CCS数据，格式为PANlen(1个字节) + CCSlen（1个字节） + PAN（PANlen个字节） + CCS（CCSlen个字节）。其中PAN为卡账号（ASCII码），目前限定PANlen必须为18，CCSlen必须为0或者8，CCS为ASCII码格式。
• 当mode=0x14时，DataIn为原始主帐号。

• When mode=0x00, DataIn is the 16 bytes primary account number after shifting.
• When mode=0x01, Input parameters for participation in PinBlock formatting, 8 bytes data. (refer to ISO9564 standard, this data can be Random number, the transaction serial number or time stamp, etc.)
• When mode=0x02, DataIn is the 16 bytes primary account number after shifting. DataIn+16 point to the 8 bytes data which has participated in PinBlock formatting. (refer to ISO9564 standard, this data can be Random number, the transaction serial number or time stamp,etc. But the higher 4 bits and lower 4 bits of each byte should between 0xA~0xF. So, if the Mode=0x02, the bottom level will do this check for the 8 bytes data, it will return an error if does not meet the requirement.).
• When mode=0x03, dataIn is ISN [6 Bytes, ASCII code]
• When Mode=0x05, DataIn contains card account and CCS data. The format is PANlen (1 bytes) + CCSlen (1 bytes) + PAN (PANlen byte) + CCS (CCSlen byte). In which PAN is a card account (ASCII code), the current limited PANlen must be 18, CCSlen must be 0 or 8, CCS is ASCII code format.
• When mode=0x14, DataIn is the original primary account.

mode -

PIN BLOCK的格式

• 0x00:ISO9564_0
• 0x01:ISO9564_1
• 0x02:ISO9564_3
• 0x03:HK EPS
• 0x04:预留
• 0x05:Italy 专用模式
• 0x06:AS2805 zero length PIN block mode。不会要求输入PIN，不会弹出输PIN窗口，expPinLen必须为0。
• 0x11:使用AES_TPK加密,pinblock是日本的hit特殊模式
• 0x12:使用AES_TPK加密,pinblock是日本的PKCS7模式
• 0x14:使用AES_TPK加密,pinblock是ISO9564 格式4
• 0x50:3DES-CBC

PIN BLOCK Format

• 0x00:ISO9564_0
• 0x01:ISO9564_1
• 0x02:ISO9564_3
• 0x03:HK EPS -EPS PINBLOCK Format
• 0x04:Reserved
• 0x05:Italy special mode
• 0x06:AS2805 zero length PIN block mode。The pin input window will not pop up. expPinLen must be 0.
• 0x11:Using AES_TPK encryption, pinblock is Japan's hit special mode
• 0x12:Using AES_TPK encryption, pinblock is Japan's PKCS7 mode
• 0x14:Using AES_TPK encryption, pinblock is in ISO9564 format 4
• 0x50:3DES-CBC

timeoutMs -

输入PIN的超时时间,单位：毫秒 最大值为300000ms

The timeout of PIN entry [unit:ms] Maximum is 300000ms.

Returns:

8/16字节的PINBlock(Mode是0x11/0x12/0x14是16字节)

8/16 bytes of PINBlock (16 bytes when Mode is 0x11/0x12/0x14).

Throws:

PedDevException

Since:

V4.00.00

getPinBlock

byte[] getPinBlock(byte keyIdx,
                   java.lang.String expPinLen,
                   byte[] dataIn,
                   byte mode,
                   int timeoutMs,
                   int controlTime)
            throws PedDevException

扫描键盘上输入的PIN并输出由 Mode指定算法加密的 PIN BLOCK。

Scan the PIN entered on the keyboard and output the PIN BLOCK encrypted by the algorithm specified by Mode.

Parameters:

keyIdx -

[1~100] TPK的索引

[1~100] TPK index

expPinLen -

可输入的合法密码长度字符串，应用程序把允许的密码长度全部枚举出来，并且用","号隔开每个长度，密码长度的有效取值为：0，4~12。若允许输入 4、6 位密码并且允许无密码直接按确认，则该字符串应该设置为"0，4，6"。 若枚举 0 长度则示意可以不输任何数字而直接按确认键返回。若枚举字符串中存在长度的无效值，比如"2，6，7，10"，无效值将被忽略。

当mode=0x05的时候，该参数为"5"

The legal password length string that can be input. The application enumerates all the allowed password lengths and separates each length with "," signs. The valid values for password lengths are: 0,4 to 12. If 4 or 6-digit passwords are allowed to be entered and direct confirmation without a password is permitted, the string should be set to "0,4,6". If the enumeration length is 0, it indicates that no numbers can be entered and the confirmation key can be directly pressed to return. If there are invalid values of length in the enumeration string, such as "2,6,7,10", the invalid values will be ignored.

When mode=0x05，it should be "5"

dataIn -

• 当mode=0x00时, DataIn指向卡号移位后生成的16位主帐号。
• 当mode=0x01时, 输入参数为参与PinBlock的格式化,8字节数据(根据ISO9564的规范,该数据可以是随机数、交易流水号或时间戳等)。
• 当mode=0x02时, DataIn指向卡号移位后生成的16位主帐号,DataIn+16指向参与PinBlock格式化的8字节数据(根据ISO9564的规范 ,该数据可以是随机数、交易流水号或时间戳等,但是每个字节的高4位和低4位,均必须在0xA~0xF之间,所以当Mode为0x02时,应用需要将该8字节的数据做此检查,如果不满足要求将返回错误)
• 当mode=0x03时, 为交易流水号ISN [6 Bytes,ASCII码]
• 当Mode=0x05时, DataIn包含卡账号和CCS数据，格式为PANlen(1个字节) + CCSlen（1个字节） + PAN（PANlen个字节） + CCS（CCSlen个字节）。其中PAN为卡账号（ASCII码），目前限定PANlen必须为18，CCSlen必须为0或者8，CCS为ASCII码格式。
• 当mode=0x14时，DataIn为原始主帐号。

• When mode=0x00, DataIn is the 16 bytes primary account number after shifting.
• When mode=0x01, Input parameters for participation in PinBlock formatting, 8 bytes data. (refer to ISO9564 standard, this data can be Random number, the transaction serial number or time stamp, etc.)
• When mode=0x02, DataIn is the 16 bytes primary account number after shifting. DataIn+16 point to the 8 bytes data which has participated in PinBlock formatting. (refer to ISO9564 standard, this data can be Random number, the transaction serial number or time stamp,etc. But the higher 4 bits and lower 4 bits of each byte should between 0xA~0xF. So, if the Mode=0x02, the bottom level will do this check for the 8 bytes data, it will return an error if does not meet the requirement.).
• When mode=0x03, dataIn is ISN [6 Bytes, ASCII code]
• When Mode=0x05, DataIn contains card account and CCS data. The format is PANlen (1 bytes) + CCSlen (1 bytes) + PAN (PANlen byte) + CCS (CCSlen byte). In which PAN is a card account (ASCII code), the current limited PANlen must be 18, CCSlen must be 0 or 8, CCS is ASCII code format.
• When mode=0x14, DataIn is the original primary account.

mode -

PIN BLOCK的格式

• 0x00:ISO9564_0
• 0x01:ISO9564_1
• 0x02:ISO9564_3
• 0x03:HK EPS
• 0x04:预留
• 0x05:Italy 专用模式
• 0x11:使用AES_TPK加密,pinblock是日本的hit特殊模式
• 0x12:使用AES_TPK加密,pinblock是日本的PKCS7模式
• 0x14:使用AES_TPK加密,pinblock是ISO9564 格式4
• 0x50:3DES-CBC

PIN BLOCK Format

• 0x00:ISO9564_0
• 0x01:ISO9564_1
• 0x02:ISO9564_3
• 0x03:HK EPS -EPS PINBLOCK Format
• 0x04:Reserved
• 0x05:Italy special mode
• 0x11:Using AES_TPK encryption, pinblock is Japan's hit special mode
• 0x12:Using AES_TPK encryption, pinblock is Japan's PKCS7 mode
• 0x14:Using AES_TPK encryption, pinblock is in ISO9564 format 4
• 0x50:3DES-CBC

timeoutMs -

输入PIN的超时时间,单位：毫秒 最大值为300000ms

The timeout of PIN entry [unit:ms] Maximum is 300000ms.

controlTime -

等待第二个及之后的按键的超时时间,单位：毫秒(超过30s的为30s)

The time-out for waiting for the second and subsequent keys in milliseconds (30 seconds for more than 30 seconds)

Returns:

8/16字节的PINBlock(Mode是0x11/0x12/0x14是16字节)

8/16 bytes of PINBlock (16 bytes when Mode is 0x11/0x12/0x14).

Throws:

PedDevException

Since:

V4.00.00

getMac

byte[] getMac(byte keyIndex,
              byte[] dataIn,
              byte mode)
       throws PedDevException

用KeyIdx指定的MAC密钥对DataIn进行mode指定的算法进行MAC运算，将MAC结果返回。

To use KeyIdx MAC key calculate the DataIn following the specified Mode algorithm, return the MAC result.

Parameters:

keyIndex -

[1~100] TAK的索引

[1~100] TAK index

dataIn -

需进行 MAC 运算的数据包.DataIn在mode=0和2时最大支持8K bytes,其他模式最大2048 bytes, 长度不为8字节整除，则自动补"\x00"。

The data packets that need to perform MAC operations. DataIn supports a maximum of 8K bytes when mode=0 and 2, and a maximum of 2048 bytes in other modes. If the length is not divisible by 8 bytes, "\x00" will be automatically filled.

mode -

• 0x00:将BLOCK1用MAC密钥做DES/TDES加密，加密结果与BLOCK2进行逐位异或后再用TAK做DES/TDES加密，依次进行得到8字节的加密结果。
• 0x01:将BLOCK1和BLOCK2进行逐位异或，异或结果与BLOCK3进行逐位异或，依次进行，最后得到8字节的异或结果，将该结果用TAK进行DES/TDES加密运算。
• 0x02:ANSIX9.19规范，将BLOCK1用TAK做DES加密(只取前8个字节的key)，加密结果与BLOCK2进行逐位异或后再用TAK做DES加密，依次进行得到8字节的加密结果，直到最后一次采用DES/TDES加密。
• 0x03:CMAC算法。
• 0x05: hmac-sha256算法。

• 0x00: Doing DES/TDES encryption for BLOCK1 by usingMAC key. Doing DES/TDES encryption again by using TAK when and after bitwise XOR the previous encryption result with BLOCK2. Processing in turn to get the 8 bytes encryption result.
• 0x01: Doing bitwise XOR for BLOCK1 and BLOCK2; Do bitwise XOR again by using previous XOR result with BLOCK3. Do it in turn and finally get the 8 bytes XOR result. Using TAK to process DES/TDES encryption for the result
• 0x02: ANSIX9.19 standard, Do DES encryption for BLOCK1 by using TAK (only take the first 8 bytes of key). The encryption result wills bitwise XOR with BLOCK2,and then doing DES encryption by using TAK again. Do it in turn and get the 8 bytes encryption result. Using DES/TDES to encrypt in the last time.
• 0x03: CMAC algorithm.
• 0x05: HMAC-SHA256 algorithm.

Returns:

返回MAC结果。当mode等于0x05，输出长度为32字节。其他为8字节。

return the MAC data。When the mode is 0x05, the output length is 32 bytes. Others are 8 bytes.

Throws:

PedDevException

Since:

V4.00.00

getDUKPTPin

DUKPTResult getDUKPTPin(byte groupIndex,
                        java.lang.String expPinLen,
                        byte[] dataIn,
                        byte mode,
                        int timeoutMs)
                 throws PedDevException

在PED上输入PIN，并使DUKPT的PIN密钥计算PINBlock。

PINBlock Input the PIN on PED,and use the PINkey of DUKPT to calculate the PINBlock.

Parameters:

groupIndex -

[1~100] DUKPT密钥组索引号

[1~100] DUKPT key group id

expPinLen -

可输入的合法密码长度字符串，应用程序把允许的密码长度全部枚举出来，并且用","号隔开每个长度，密码长度的有效取值为：0，4~12。若允许输入 4、6 位密码并且允许无密码直接按确认，则该字符串应该设置为"0，4，6"。 若枚举 0 长度则示意可以不输任何数字而直接按确认键返回。若枚举字符串中存在长度的无效值，比如"2，6，7，10"，无效值将被忽略。

The legal password length string that can be input. The application enumerates all the allowed password lengths and separates each length with "," signs. The valid values for password lengths are: 0,4 to 12. If 4 or 6-digit passwords are allowed to be entered and direct confirmation without a password is permitted, the string should be set to "0,4,6". If the enumeration length is 0, it indicates that no numbers can be entered and the confirmation key can be directly pressed to return. If there are invalid values of length in the enumeration string, such as "2,6,7,10", the invalid values will be ignored.

dataIn -

• 当mode=0时, DataIn指向卡号移位后生成的16位主帐号。
• 当mode=1时, 输入参数为参与PinBlock的格式化,8字节数据(根据ISO9564的规范,该数据可以是随机数、交易流水号或时间戳等)。
• 当mode=2时, DataIn指向卡号移位后生成的16位主帐号,DataIn+16指向参与PinBlock格式化的8字节数据(根据ISO9564的规范 ,该数据可以是随机数、交易流水号或时间戳等,但是每个字节的高4位和低4位,均必须在0xA~0xF之间,所以当Mode为0x02时,应用需要将该8字节的数据做此检查,如果不满足要求将返回错误)
• 当mode=3时, 为交易流水号ISN [6 Bytes,ASCII码]

• When mode=0, DataIn is the 16 bytes primary account number after shifting.
• When mode=1, Input parameters for participation in PinBlock formatting, 8 bytes data. (refer to ISO9564 standard, this data can be Random number, the transaction serial number or time stamp, etc.)
• When mode=2, DataIn is the 16 bytes primary account number after shifting. DataIn+16 point to the 8 bytes data which has participated in PinBlock formatting. (refer to ISO9564 standard, this data can be Random number, the transaction serial number or time stamp,etc. But the higher 4 bits and lower 4 bits of each byte should between 0xA~0xF. So, if the Mode=0x02, the bottom level will do this check for the 8 bytes data, it will return an error if does not meet the requirement.).
• When mode=3, dataIn is ISN [6 Bytes, ASCII code]

mode -

• 0: ISO9564 格式 0 KSN 自动加 1
• 1: ISO9564 格式 1 KSN 自动加 1
• 2: ISO9564 格式 3 KSN 自动加 1
• 3: HK EPS 格式 KSN 自动加 1
• 6: AS2805 zero length PIN block mode。该模式不会要求输入PIN，不会弹出输PIN窗口。KSN 自动加1
• 20: ISO9564 格式 0 KSN 不自动加 1
• 21: ISO9564 格式 1 KSN 不自动加 1
• 22: ISO9564 格式 3 KSN 不自动加 1
• 23: HK EPS 格式 KSN 不自动加 1
• 26:AS2805 zero length PIN block mode。该模式不会要求输入PIN，不会弹出输PIN窗口。KSN 不自动加1

• 0: ISO9564_0, KSN automatically incremented by 1
• 1: ISO9564_1, KSN automatically incremented by 1
• 2: ISO9564_3, KSN automatically incremented by 1
• 3: HK EPS,KSN automatically incremented by 1
• 6: AS2805 zero length PIN block mode. This mode will not ask for a PIN, and will not pop up a PIN input window. KSN automatically incremented by 1
• 20: ISO9564_0, KSN does not automatically increase by 1
• 21: ISO9564_1, KSN does not automatically increase by 1
• 22: ISO9564_3, KSN does not automatically increase by 1
• 23: HK EPS, KSN does not automatically increase by 1
• 26: AS2805 zero length PIN block mode. This mode will not ask for a PIN, and will not pop up a PIN input window. KSN does not automatically incremented by 1

timeoutMs -

输入PIN的超时时间,单位：毫秒 最大值为300000ms

The timeout of PIN entry [unit:ms] Maximum is 300000ms.

Returns:

DUKPTResult DUKPTResult

Throws:

PedDevException

Since:

V4.00.00

getDUKPTMac

DUKPTResult getDUKPTMac(byte groupIndex,
                        byte[] dataIn,
                        byte mode)
                 throws PedDevException

使用DUKPT的MAC密钥计算MAC。

Use MAC Key to calculate MAC.

Parameters:

groupIndex -

[1~100] DUKPT密钥组索引号

[1~100] DUKPT key group index id

dataIn -

指向需要计算MAC的数据内容

The MAC data content needs to be calculated

mode -

• 0:将 BLOCK1 用 MAC 密钥做 TDES 加密,加密结果与 BLOCK2 进行逐位异或后再用 MAC 密钥 做 TDES 加密,依次进行得到 8 字节的加密结果。 KSN 自动加 1
• 1:将 BLOCK1 和 BLOCK2 进行逐位异或,异或结果与 BLOCK3 进行逐位异或,依次进行,最后得 到 8 字节的异或结果,将该结果用 MAC 密钥进行TDES 加密运算。 KSN 自动加 1
• 2: ANSIX9.19 规范,将 BLOCK1 用 MAC 密钥做DES 加密(只取前 8 个字节的 key), 加密结果与BLOCK2进行逐位异或后再用 MAC 密钥做 DES 加密,依次进行得到 8 字节的加密结果, 直到最后一次采用TDES 加密。 KSN 自动加 1
• 5: hmac-sha256模式。将MAC密钥作为hmac 密钥。使用DUKPT_MAC_BOTH_KEY（request and response MAC密钥），KSN 自动加 1
• 20:将 BLOCK1 用 MAC 密钥做 TDES 加密,加密结果与 BLOCK2 进行逐位异或后再用 MAC 密钥 做 TDES 加密,依次进行得到 8 字节的加密结果。 KSN 不自动加1
• 21:将 BLOCK1 和 BLOCK2 进行逐位异或,异或结果与 BLOCK3 进行逐位异或,依次进行,最后得 到 8 字节的异或结果,将该结果用 MAC 密钥进行TDES 加密运算。 KSN 不自动加 1
• 22:ANSIX9.19 规范,将 BLOCK1 用 MAC 密钥做DES加密(只取前 8个字节的 key), 加密结果与 BLOCK2 进行逐位异或后再用 MAC 密钥做 DES 加密,依次进行得到 8 字节的加密结果, 直到最后一次采用TDES 加密。 KSN 不自动加 1其它值保留扩展 MAC 算法。
• 25: hmac-sha256模式。将MAC密钥作为hmac 密钥。使用DUKPT_MAC_BOTH_KEY（request and response MAC密钥），KSN 不自动加1
• 40: 将 BLOCK1 用 MAC 密钥做 TDES 加密,加密结果与 BLOCK2 进行逐位异或后再用 MAC 密钥 做 TDES 加密,依次进行得到 8 字节的加密结果。 KSN 不自动加 1
• 41:将 BLOCK1 和 BLOCK2 进行逐位异或,异或结果与 BLOCK3 进行逐位异或,依次进行,最后得 到 8 字节的异或结果,将该结果用 MAC 密钥进行TDES 加密运算。 KSN 不自动加 1
• 42:ANSIX9.19 规范,将 BLOCK1 用 MAC 密钥做DES加密(只取前 8个字节的 key),加密结果与 BLOCK2 进行逐位异或后再用 TAK 做 DES 加密,依次进行得到 8 字节的加密结果,直到最后一次采用 TDES加密。 KSN 不自动加 1 其它值保留扩展 MAC 算法。
• 45:hmac-sha256模式。将MAC密钥作为hmac 密钥。使用DUKPT_MAC_RSP_KEY（response MAC密钥），KSN 不自动加1

• 0:Doing TDES encryption for BLOCK1 by using MAC key. Doing TDES encryption again by using MAC key when and after bitwise XOR the previous encryption result with BLOCK2. Processing in turn to get the 8 bytes encryption result.KSN auto-add 1
• 1:Doing bitwise XOR for BLOCK1 and BLOCK2; Do bitwise XOR again by using previous XOR result with BLOCK3. Do it in turn and finally get the 8 bytes XOR result. Using MAC key to process TDES encryption for the result.KSN auto-add 1
• 2:ANSIX9.19 standard, Do DES encryption for BLOCK1 by using MAC key (only take the first 8 bytes of key). The encryption result wills bitwise XOR with BLOCK2,and then doing DES encryption by using MAC key again. Do it in turn and get the 8 bytes encryption result. Using TDES to encrypt in the last time.KSN auto-add 1
• 5:hmac-sha256 mode. Use the MAC key as the hmac key. Using DUKPT_MAC_BOTH_KEY (request and response MAC key), KSN is automatically incremented by 1
• 20: Doing TDES encryption for BLOCK1 by using MAC key. Doing TDES encryption again by using MAC key when and after bitwise XOR the previous encryption result with BLOCK2. Processing in turn to get the 8 bytes encryption result.KSN won't auto-add 1
• 21:Doing bitwise XOR for BLOCK1 and BLOCK2; Do bitwise XOR again by using previous XOR result with BLOCK3. Do it in turn and finally get the 8 bytes XOR result. Using MAC key to process TDES encryption for the result.KSN won't auto-add 1
• 22: ANSIX9.19 standard, Do DES encryption for BLOCK1 by using MAC key (only take the first 8 bytes of key). The encryption result wills bitwise XOR with BLOCK2,and then doing DES encryption by using MAC key again. Do it in turn and get the 8 bytes encryption result. Using TDES to encrypt in the last time.KSN won't auto-add 1
• 25:hmac-sha256 mode. Use the MAC key as the hmac key. With DUKPT_MAC_BOTH_KEY (request and response MAC key), KSN is not automatically incremented by 1
• 40:Doing TDES encryption for BLOCK1 by using MAC key. Doing TDES encryption again by using MAC key when and after bitwise XOR the previous encryption result with BLOCK2. Processing in turn to get the 8 bytes encryption result.KSN won't auto-add 1
• 41: Doing bitwise XOR for BLOCK1 and BLOCK2; Do bitwise XOR again by using previous XOR result with BLOCK3. Do it in turn and finally get the 8 bytes XOR result. Using MAC key to process TDES encryption for the result.KSN won't auto-add 1
• 42:ANSIX9.19 standard, Do DES encryption for BLOCK1 by using MAC key (only take the first 8 bytes of key). The encryption result wills bitwise XOR with BLOCK2,and then doing DES encryption by using MAC key again. Do it in turn and get the 8 bytes encryption result. Using TDES to encrypt in the last time.KSN won't auto-add 1
• 45:hmac-sha256 mode. Use the MAC key as the hmac key. If DUKPT_MAC_RSP_KEY (response MAC key) is used, KSN is not automatically incremented by 1

Returns:

DUKPTResult

Throws:

PedDevException

Since:

V4.00.00

getKCV

byte[] getKCV(byte type,
              byte keyIndex,
              byte checkMode,
              byte[] checkBuf)
       throws PedDevException

获取密钥的KCV值，以供对话双方进行密钥验证，用指定的密钥及算法对一段数据进行加密，

Getting value of KCV for key verification of to side, using specific key and algorithm to encrypt data, and then return part of cryptograph.

Parameters:

type -

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x07:TIK
• 0x32:SM4_TMK
• 0x33:SM4_TPK
• 0x34:SM4_TAK
• 0x35:SM4_TDK
• 0x44:PPAD_TPK
• 0x45:TIDK
• 0x22:AES_TMK
• 0x23:AES_TPK
• 0x24:AES_TAK
• 0x20:AES_TDK
• 0x51:AES_TIK

keyIndex -

密钥的索引号

• TLK, keyIndex只能为1
• TMK, 取值[1~100]
• TWK,取值[1~100]
• TIK,取值[1~100]

key index

• TLK, keyIndex can only be 1.
• TMK, can select from [1~100].
• TWK, can select from [1~100].
• TIK, can select from [1~100].

checkMode -

• checkMode=0x00时， 使用该密钥对一段数据进行DES/TDES加密运算，生成的密文的前4个字节即为KCV,该模式适用于TLK/TMK/TAK/TPK/TDK/PPAD_TXK。
• checkMode=0x00时， 返回注入密钥时写入的KCV值。该模式适用于TIK/AES_TIK。
• checkMode=0x03时， 使用该密钥对一段数据进行CMAC加密运算，生成的密文的前5个字节即为KCV。该模式适用于TLK/TMK/TAK/TPK/TDK/PPAD_TXK/AES_TLK/AES_TMK/AES_TAK/AES_TPK/AES_TDK。
• checkMode=0x04时， 使用该密钥对一段数据进行SM4加密运算，生成的密文的前4个字节即为KCV。该模式适用于SM4_TMK/SM4_TAK/SM4_TPK/SM4_TDK。

• When checkMode=0x00, use this key pair to do DES/TDES entryption for a block of data, the first 4 bytes of the generated ciphertext is KCV.This mode is suitable for TLK/TMK/TAK/TPK/TDK/PPAD_TXK.
• When checkMode=0x00, the KCV value written during key injection is returned. This mode is suitable for TIK/AES_TIK.
• When checkMode=0x03, use this key to do CMAC encryption operation for a block of data, and the first 5 bytes of the generated ciphertext are KCV. This mode is suitable for TLK/ TMK/ TAK/ TPK/ TDK/ PPAD_TXK/ AES_TLK/ AES_TMK/ AES_TAK/ AES_TPK/ AES_TDK.
• When checkMode=0x04, use this key to do SM4 encryption operation for a block of data, and the first 4 bytes of the generated ciphertext are KCV. This mode is suitable for SM4_TMK/ SM4_TAK/ SM4_TPK/ SM4_TDK.

checkBuf -

• 当checkMode =0x00/0x04时, 指向需运算的数据,进行运算的数据必须是8/16的倍数

• When checkMode=0x00/0x04, The data needing to compute must be a multiple of 8/16.

Returns:

Kcv 信息(4 字节)

Kcv information (4 bytes)

Throws:

PedDevException

Since:

V4.00.00

getDUKPTKsn

byte[] getDUKPTKsn(byte groupIndex)
            throws PedDevException

读取下一次计算的KSN。

KSN Reading the KSN which will be computed at next time.

Parameters:

groupIndex -

[1~100] DUKPT密钥组索引号

[1~100] DUKPT group index ID

Returns:

当前的KSN

KSN currently.

Throws:

PedDevException

Since:

V4.00.00

incDUKPTKsn

void incDUKPTKsn(byte groupIndex)
          throws PedDevException

每个KSN对应的DUKPT密钥，最多只能使用256次，当单个密钥使用 256次后，将返回EPedDevException.PED_ERR_DUKPT_NEED_INC_KSN异常， 需要调用该接口，给 KSN加1。

The DUKPT key corresponding to each KSN can only be used up to 256 times. When a single key is used 256 times, it will return EPedDevException.PED_ERR_DUKPT_NEED_INC_KSN exception, To call this interface, increment KSN by 1.

Parameters:

groupIndex -

[1~100] DUKPT密钥组索引号

[1~100] DUKPT group ID

Throws:

PedDevException

Since:

V4.00.00

readRSAKey

RSAKeyInfo readRSAKey(byte rsaKeyIndex)
               throws PedDevException

读取RSA公钥密钥。

Read rsa public key.

Parameters:

rsaKeyIndex -

RSA密钥索引[1-10]

RSA key index [1-10]

Returns:

RSAKeyInfo

RSAKeyInfo

Throws:

PedDevException

Since:

V4.00.00

RSARecover

RSARecoverInfo RSARecover(byte rsaKeyIndex,
                          byte[] dataIn)
                   throws PedDevException

用存储在PED的RSA密钥进行数据RSA数据运算。
注意: 1.该函数对dataIn进行RSA加解密运算，运算结果输出到RSARecoverInfo
2.当rsaKeyIndex指定的密钥为私钥时，如果dataIn是对应公钥的加密密文，则RSARecoverInfo为dataIn的明文，否则RSARecoverInfo为dataIn的RSA密文；
3.当rsaKeyIndex指定的密钥为公钥时，如果dataIn是对应私钥的加密密文，则RSARecoverInfo为dataIn的明文，否则RSARecoverInfo为dataIn的RSA密文；
4.该方法可实现长度不超过4096bits的RSA运算。

Using the RSA key stored in PED to do the RSA data operation.
Note: 1. This function performs RSA encryption and decryption operation on dataIn, and the operation result is output to RSARecoverInfo
2. When the key specified by rsaKeyIndex is a private key, if dataIn is the encrypted ciphertext corresponding to the public key, then RSARecoverInfo is the plaintext of dataIn, otherwise RSARecoverInfo is the RSA ciphertext of dataIn;
3. When the key specified by rsaKeyIndex is a public key, if dataIn is the encrypted ciphertext corresponding to the private key, then RSARecoverInfo is the plaintext of dataIn, otherwise RSARecoverInfo is the RSA ciphertext of dataIn;
4. This method can realize the RSA operation whose length does not exceed 4096bits.

Parameters:

rsaKeyIndex -

密钥索引[1~10]

Key Index [1~10]

dataIn -

被加解密的数据，和模等长

The encrypted/decrypted data, which has the same length as the modulus.

Returns:

RSARecoverInfo

Throws:

PedDevException

Since:

V4.00.00

writeKey

void writeKey(byte srcKeyType,
              byte srcKeyIndex,
              byte dstKeyType,
              byte dstKeyIndex,
              byte[] destKeyValue,
              ECheckMode checkMode,
              byte[] checkBuf)
       throws PedDevException

写入一个密钥，包括TLK，TMK和TWK的写入、发散，并可以选择使用KCV验证密钥正确性。

当写入PED_TLK时，PED首先格式化，清除所有已经下载的密钥，再写入PED_TLK。 当明文写入密钥时，srcKeyIndex=0。

Write in one key includes write in and divergent of TLK, TMK and TWK. And use KCV to check the key correction.

When write PED_TLK,PED will format ,clear all the key has been downloaded,then write in PED_TLK. When srckeyindex = 0, the plaintext key is written.

Parameters:

srcKeyType -

源密钥类型,它的级别不能低于destKeyType, SM4类型秘钥只能用TLK和SM4_TMK发散。

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x11:FACE_TDK
• 0x32:SM4_TMK

Source Key Type，its level cannot be lower than destKeyType, SM4 type keys can only be diverged with TLK and SM4_TMK.

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x11:FACE_TDK
• 0x32:SM4_TMK

srcKeyIndex -

源密钥索引

Source Key Index

dstKeyType -

目的密钥类型

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x11:FACE_TDK
• 0x32:SM4_TMK
• 0x33:SM4_TPK
• 0x34:SM4_TAK
• 0x35:SM4_TDK
• 0x36:SM4_TCHDK
• 0x37:SM4_FACE_TDK

Destination Key Type

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x11:FACE_TDK
• 0x32:SM4_TMK
• 0x33:SM4_TPK
• 0x34:SM4_TAK
• 0x35:SM4_TDK
• 0x36:SM4_TCHDK
• 0x37:SM4_FACE_TDK

dstKeyIndex -

目的密钥索引

Destination Key Index

destKeyValue -

密钥明文或密文,长度可为8,16,24

Plaintext or ciphertext key, the length can be 8, 16, 24

checkMode - ECheckMode

校验模式

• ECheckMode.KCV_NONE
• ECheckMode.KCV_ENCRYPT_0
• ECheckMode.KCV_ENCRYPT_FIX_DATA
• ECheckMode.KCV_MAC_INPUT_DATA
• ECheckMode.KCV_SM4_ENCRYPT_0

Check Mode

• When checkMode=KCV_NONE -No Check
• When checkMode=KCV_ENCRYPT_0 -Perform DES/TDES encryption on 8 bytes 0x00, and use first 4 bytes as KCV.
• When checkMode=KCV_ENCRYPT_FIX_DATA -Perform parity check first, then perform DES/TDES encryption on 8 bytes―\x12\x34\x56\x78\x90\x12\x34\x56, and use first 4 bytes as KCV.
• When iCheckMode=KCV_MAC_INPUT_DATA -Send in data KcvData, use source key to perform specified mode of MAC on [aucDesKeyValue +KcvData], and use the 8 bytes result as KCV.
• When iCheckMode=KCV_SM4_ENCRYPT_0 -Perform TDES encryption on 16 bytes 0x00 by SM4, and use first 4 bytes as KCV.

checkBuf -

校验数据缓冲区

• 当checkMode=ECheckMode.KCV_NONE时 checkBuf的值无效,系统认为不验证KCV,可以为null
• 当checkMode=ECheckMode.KCV_ENCRYPT_0,4字节的kcv
• 当checkMode=ECheckMode.KCV_ENCRYPT_FIX_DATA,4字节的kcv
• 当iCheckMode=ECheckMode.KCV_MAC_INPUT_DATA时按以下规则提供checkBuf:

  checkBuf[0]= KcvData长度(KcvDataLen)

  checkBuf+1: KcvData

  checkBuf[1+KcvDataLen]=MAC运算模式,参考getMac(byte, byte[], byte)中的mode参数

  checkBuf[2+KcvDataLen]=KCV长度

  checkBuf[3+KcvDataLen]是KCV的值

• 当checkMode=ECheckMode.KCV_SM4_ENCRYPT_0,4字节的kcv

Check Data Buffer

• When checkMode=KCV_NONE -PED wont check KCV, this data is no meaning.
• When checkMode=KCV_ENCRYPT_0 -4 bytes key check value
• When checkMode=KCV_ENCRYPT_FIX_DATA -4 bytes key check value
• When iCheckMode=KCV_MAC_INPUT_DATA - checkBuf as follows: checkBuf[0] = length of KcvData checkBuf+1: kcvData checkBuf[1+kcvDataLen]: MAC computation mode getMac(byte, byte[], byte) checkBuf[2+kcvDataLen]:KCV length checkBuf[3+kcvDataLen]:KCV Value
• When checkMode=KCV_SM4_ENCRYPT_0 -4 bytes key check value

Throws:

PedDevException

Since:

V4.00.00

writeAesKey

void writeAesKey(byte srcKeyType,
                 byte srcKeyIndex,
                 byte destKeyType,
                 byte destKeyIndex,
                 byte[] destKeyValue,
                 byte checkMode,
                 byte[] checkBuf)
          throws PedDevException

写入一个AES密钥，并可以选择使用KCV验证密钥正确性。

To write Aes key to PED, and use KCV to check the key correction.

Parameters:

srcKeyType -

源密钥类型。不得低于destKeyType所在的密钥级别。

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x20:TAESK

Source Key Type. Must not be lower than the key level of destKeyType.

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x20:TAESK

srcKeyIndex -

原密钥索引。

当srcKeyIndex = 0，密钥将以明文形式写入PED。

Source Key Index.

when srcKeyIndex = 0，The key will be written to PED in clear text.

destKeyType -

目的密钥类型。

• 0x20:TAESK(AES_TDK).
• 0x23:AES_TPK.

Destination Key Type.

• 0x20:TAESK(AES_TDK).
• 0x23:AES_TPK.

destKeyIndex -

目的密钥索引

Destination Key Index

destKeyValue -

密钥明文或密文,16/24/32 bytes

Plaintext or ciphertext key, the length can be 16/24/32bytes

checkMode -

校验模式

• checkMode=0x00 -无验证.
• checkMode=0x01 -对16个字节的0x00进行AES ECB模式加密运算，得到的密文的前4个字节即为KCV值。
• checkMode=0x02 -对16字节长度 ―\x12\x34\x56\x78\x90\x12\x34\x56\x12\x34\x56\x78\x90\x12\x34\x56 进行AES ECB模式的加密运算，得到的密文的前4个字节即为KCV值。
• checkMode=0x03 -传入一串数据KcvData，使用源密钥对[destKeyValue(密文)+ KcvData]进行指定模式的MAC运算，得到的8个字节的MAC值即为KCV值。

Check Mode

• When checkMode=0x00 -No Check
• When checkMode=0x01 -Perform AES ECB mode encryption on 16 bytes 0x00, and use first 4 bytes as KCV.
• When checkMode=0x02 -Perform AES ECB mode encryption on 16 bytes―\x12\x34\x56\x78\x90\x12\x34\x56\x12\x34\x56\x78\x90\x12\x34\x56, and use first 4 bytes as KCV.
• When checkMode=0x03 -Send in data KcvData, use source key to perform specified mode of MAC on [destKeyValue(ciphertext) +KcvData], and use the 8 bytes result as KCV.

checkBuf -

校验数据缓冲区

• 当checkMode=0x00时，checkBuf的值无效,系统认为不验证KCV
• 当checkMode=0x01时，checkBuf[0]= KCV的长度(4)，checkBuf + 1指向KCV的值。/li>
• 当checkMode=0x02时，checkBuf[0]= KCV的长度(4)，checkBuf + 1指向KCV的值。
• 当checkMode=0x03时按以下规则提供checkBuf:

  checkBuf[0]= KcvData长度(KcvDataLen)

  checkBuf+1: KcvData

  checkBuf[1+KcvDataLen]=MAC运算模式,参考getMacAes(byte, byte[], byte)中的mode参数

  checkBuf[2+KcvDataLen]=KCV长度

  checkBuf[3+KcvDataLen]是KCV的值

Check Data Buffer

• When checkMode=0x00 -PED won't check KCV, this data is no meaning.
• When checkMode=0x01 -checkBuf[0] = length of KCV (4), checkBuf + 1 points to the value of KCV.
• When checkMode=0x02 -checkBuf[0] = length of KCV (4), checkBuf + 1 points to the value of KCV.
• When checkMode=0x03 - checkBuf as follows: checkBuf[0] = length of KcvData checkBuf+1: kcvData checkBuf[1+kcvDataLen]: MAC computation mode getMacAes(byte, byte[], byte) checkBuf[2+kcvDataLen]:KCV length checkBuf[3+kcvDataLen]:KCV Value

Throws:

PedDevException

Since:

V4.00.00

writeRSAKey

void writeRSAKey(byte rsaKeyIndex,
                 RSAKeyInfo info)
          throws PedDevException

1.注入RSA密钥到PED
2.PED最多支持10组RSA密钥,目前最长只支持256字节长的RSA密钥。
3.存储的RSA密钥是公钥还是私钥由密钥的指数长度决定,当密钥指数和模等长时,是私钥。
4.PED通过writeRSAKey注入RSA密钥。
5.通过RSARecover使用已注入的密钥进行RSA运算。
6.任何时候,RSA密钥可以进行重写。

1. Import RSA to the PED

2. PED can support 10 sets of RSA Key at most, current can supports a maximum length of 256 bytes RSA key.

3. Whether the stored RSA is the public key or private key will be determined by the exponent length. If the length of key exponent is equal to modulus, it is a private key.

4. PED uses writeRsaKey to Import RSA key.

5. Use the imported key to do the RSA operation by calling PedRsaRecover.

6. RSA key can be rewritten at any time

Parameters:

rsaKeyIndex -

RSA密钥索引[1~10]

RSA Key Index [1~10]

info - RSAKeyInfo

Throws:

PedDevException

Since:

V4.00.00

writeTIK

void writeTIK(byte groupIndex,
              byte srcKeyIndex,
              byte[] keyValue,
              byte[] ksn,
              ECheckMode checkMode,
              byte[] checkBuf)
       throws PedDevException

写入TIK，并可以选择使用KCV验证密钥正确性。

Write in TIK, and can check the key correction by using KCV.

Parameters:

groupIndex -

[1~100] DUKPT密钥组索引号

[1~100]DUKPT key group id

srcKeyIndex -

[1] 用于分散的密钥的密钥索引

[1] The key index for diversified key.

keyValue -

指向TIK的密文,现 DUKPT 算法支持 8/16 字节长度的密钥

Point to TIK cipher text. Now the DUKPT algorithm supports keys with a length of 8/16 bytes

ksn -

指向初始化KSN

Point to KSN initialization.

checkMode -

ECheckMode

reference writeKey(byte, byte, byte, byte, byte[], com.pax.dal.entity.ECheckMode, byte[]) checkMode

checkBuf -

参考writeKey(byte, byte, byte, byte, byte[], com.pax.dal.entity.ECheckMode, byte[]) writeKey}关于checkBuf说明

reference writeKey(byte, byte, byte, byte, byte[], com.pax.dal.entity.ECheckMode, byte[]) the information about checkBuf

Throws:

PedDevException

Since:

V4.00.00

deriveKeyBySecureData

void deriveKeyBySecureData(byte srcKeyType,
                           byte srcKeyIdx,
                           byte dstKeyType,
                           byte dstKeyIdx,
                           byte secureDataIndex,
                           byte[] additionalDataIn,
                           byte derivationMode)
                    throws PedDevException

使用SecureData作为datain发散目的密钥。

Use SecureData as the datain divergence key.

Parameters:

srcKeyType -

source key type, must be TMK(0x02) in DerivationMode 0

srcKeyIdx -

source key index, 1-100 in TMK area

dstKeyType -

destination key type, must be TMK(0x02) in DerivationMode 0

dstKeyIdx -

destination key, 1-100 in TMK area

secureDataIndex -

SecureData Index in working key area, 1-100

additionalDataIn -

64 bytes Additional Data, can be null if not used. DerivationMode 0: not used, can be null.

derivationMode -

only support 0, GOWF algorithm

Throws:

PedDevException

Since:

V4.00.00

eraseAppKeys

void eraseAppKeys(int mode)
           throws PedDevException

删除应用密钥。

delete app key.

Parameters:

mode -

模式 0:表示删除密钥 ,目前仅支持0

Mode 0: means to delete the key, currently only supports 0

Throws:

PedDevException

Since:

V4.00.00

eraseKey

void eraseKey(byte keyType,
              byte keyIndex)
       throws PedDevException

擦除指定的密钥。

Erases the specified key.

Parameters:

keyType -

密钥类型。

• 0x02: TMK
• 0x0A: TWK
• 0x07: TIK
• 0x51: AES_TIK
• 0x61: ECC
• 0x0B: RSA
• 0x30: SM2_PVT_KEY
• 0x31: SM2_PUB_KEY

Key type.

• 0x02: TMK
• 0x0A: TWK
• 0x07: TIK
• 0x51: AES_TIK
• 0x61: ECC
• 0x0B: RSA
• 0x30: SM2_PVT_KEY
• 0x31: SM2_PUB_KEY

keyIndex -

密钥索引。

• TMK [1~100]
• TWK [1~100]
• TIK [1~100]
• RSA [1~10]
• ECC [1~20]
• SM2_PVT_KEY [1~20]
• SM2_PUB_KEY [1~20]

Key index.

• TMK [1~100]
• TWK [1~100]
• TIK [1~100]
• RSA [1~10]
• ECC [1~20]
• SM2_PVT_KEY [1~20]
• SM2_PUB_KEY [1~20]

Throws:

PedDevException

Since:

V4.00.00

genRsaKey

void genRsaKey(byte mode,
               byte prvKeyIdx,
               byte pubKeyIdx,
               short modLenBit,
               byte pubExpType)
        throws PedDevException

生成RSA密钥对然后注入PED。

Generate RSA key pair and inject into PED.

Parameters:

mode -

• mode = 0, 等同于IPed.genRSAKey(byte, byte, short, byte)
• mode = 1, 等同于IPedTrSys.genRsaKey(byte, byte, byte, short, byte)
• mode = 2, 跟模式0一样，唯一区别是，私钥注入的是TYPE_AS2805_TCU_RSA类型的RSA。

• mode = 0, same as IPed.genRSAKey(byte, byte, short, byte)
• mode = 1, same as IPedTrSys.genRsaKey(byte, byte, byte, short, byte)
• mode = 2, same as mode 0, the only difference is that the private key is injected into RSA of type TYPE_AS2805_TCU_RSA.

prvKeyIdx -

• mode = 0, 私钥索引为 1-10
• mode = 1, 私钥索引只支持 1
• mode = 2, 私钥索引为 1-10

• mode = 0, the private key index is 1-10
• mode = 1, the private key index only supports 1
• mode = 2, the private key index is 1-10

pubKeyIdx -

• mode = 0, 公钥索引为 1-10
• mode = 1, 公钥索引只支持 2
• mode = 2, 公钥索引为 1-10

• mode = 0, the public key index is 1-10
• mode = 1, the public key index only supports 2
• mode = 2, the public key index is 1-10

modLenBit -

Modulus 长度,支持 512,1024,2048.

Modulus length, support 512,1024,2048.

pubExpType -

公共指数类型 0x00:3 , 0x01:65537

public exponent type 0x00:3 , 0x01:65537

Throws:

PedDevException

Since:

V4.00.00

writeKeyEx

void writeKeyEx(byte srcKeyType,
                byte srcKeyIndex,
                byte dstKeyType,
                byte dstKeyIndex,
                byte[] dstKeyValue,
                ECheckMode checkMode,
                byte[] checkBuf,
                byte[] keyVarIn,
                byte keyVarMode)
         throws PedDevException

写入一个密钥，包括TLK，TMK和TWK的写入、发散，并可以选择使用KCV验证密钥正确性。

当写入PED_TLK时，PED首先格式化，清除所有已经下载的密钥，再写入PED_TLK。 明文写入密钥时，srcKeyIndex=0。

Write in one key includes write in and divergent of TLK, TMK and TWK. And use KCV to check the key correction.

When write PED_TLK,PED will format ,clear all the key has been downloaded,then write in PED_TLK. Writing the plaintext into a key, when scrKeyIndex=0.

Parameters:

srcKeyType -

源密钥类型,它的级别不能低于destKeyType, SM4类型秘钥只能用TLK和SM4_TMK发散。

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x11:FACE_TDK
• 0x32:SM4_TMK

Source Key Type，its level cannot be lower than destKeyType, SM4 type keys can only be diverged with TLK and SM4_TMK.

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x11:FACE_TDK
• 0x32:SM4_TMK

srcKeyIndex -

源密钥索引

Source Key Index

dstKeyType -

目的密钥类型

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x11:FACE_TDK
• 0x32:SM4_TMK
• 0x33:SM4_TPK
• 0x34:SM4_TAK
• 0x35:SM4_TDK
• 0x36:SM4_TCHDK
• 0x37:SM4_FACE_TDK

Destination Key Type

• 0x01:TLK
• 0x02:TMK
• 0x03:TPK
• 0x04:TAK
• 0x05:TDK
• 0x11:FACE_TDK
• 0x32:SM4_TMK
• 0x33:SM4_TPK
• 0x34:SM4_TAK
• 0x35:SM4_TDK
• 0x36:SM4_TCHDK
• 0x37:SM4_FACE_TDK

dstKeyIndex -

目的密钥索引

Destination Key Index

dstKeyValue -

密钥明文或密文,长度可为8,16,24

Plaintext or ciphertext key, the length can be 8, 16, 24

checkMode - ECheckMode

校验模式

• ECheckMode.KCV_NONE
• ECheckMode.KCV_ENCRYPT_0
• ECheckMode.KCV_ENCRYPT_FIX_DATA
• ECheckMode.KCV_MAC_INPUT_DATA
• ECheckMode.KCV_SM4_ENCRYPT_0

Check Mode

• When checkMode=KCV_NONE -No Check
• When checkMode=KCV_ENCRYPT_0 -Perform DES/TDES encryption on 8 bytes 0x00, and use first 4 bytes as KCV.
• When checkMode=KCV_ENCRYPT_FIX_DATA -Perform parity check first, then perform DES/TDES encryption on 8 bytes―\x12\x34\x56\x78\x90\x12\x34\x56, and use first 4 bytes as KCV.
• When iCheckMode=KCV_MAC_INPUT_DATA -Send in data KcvData, use source key to perform specified mode of MAC on [aucDesKeyValue +KcvData], and use the 8 bytes result as KCV.
• When iCheckMode=KCV_SM4_ENCRYPT_0 -Perform TDES encryption on 16 bytes 0x00 by SM4, and use first 4 bytes as KCV.

checkBuf -

校验数据缓冲区

• 当checkMode=ECheckMode.KCV_NONE时 checkBuf的值无效,系统认为不验证KCV,可以为null
• 当checkMode=ECheckMode.KCV_ENCRYPT_0,4字节的kcv
• 当checkMode=ECheckMode.KCV_ENCRYPT_FIX_DATA,4字节的kcv
• 当iCheckMode=ECheckMode.KCV_MAC_INPUT_DATA时按以下规则提供checkBuf:

  checkBuf[0]= KcvData长度(KcvDataLen)

  checkBuf+1: KcvData

  checkBuf[1+KcvDataLen]=MAC运算模式,参考getMac(byte, byte[], byte)中的mode参数

  checkBuf[2+KcvDataLen]=KCV长度

  checkBuf[3+KcvDataLen]是KCV的值

• 当checkMode=ECheckMode.KCV_SM4_ENCRYPT_0,4字节的kcv

Check Data Buffer

• When checkMode=KCV_NONE -PED wont check KCV, this data is no meaning.
• When checkMode=KCV_ENCRYPT_0 -4 bytes key check value
• When checkMode=KCV_ENCRYPT_FIX_DATA -4 bytes key check value
• When iCheckMode=KCV_MAC_INPUT_DATA - checkBuf as follows: checkBuf[0] = length of KcvData checkBuf+1: kcvData checkBuf[1+kcvDataLen]: MAC computation mode getMac(byte, byte[], byte) checkBuf[2+kcvDataLen]:KCV length checkBuf[3+kcvDataLen]:KCV Value
• When checkMode=KCV_SM4_ENCRYPT_0 -4 bytes key check value

keyVarIn -

由keyVarIn生成dstKeyValue。

dstKeyValue is generated by keyVarIn.

keyVarMode -

• 0x00:同writeKey(byte, byte, byte, byte, byte[], com.pax.dal.entity.ECheckMode, byte[])；
• 0x01:srcKeyIndex密钥和dstKeyIndex密钥的长度都必须是16字节。 srcKeyIndex对应密钥表示SrcKey， SrcKey的左8个字节表示为SrcKey-L。SrcKey的右边8个字节表示为SrcKey-R。 keyVarIn的左8个字节表示为keyVarIn-L。右8字节的keyVarIn表示为keyVarIn-R。 K1 = SrcKey-L XOR keyVarIn-L K2 = SrcKey-R XOR keyVarIn-L K3 = SrcKey-L XOR keyVarIn-R K4 = SrcKey-R XOR keyVarIn-R 使用K1K2解密dstKeyValue的左8字节，然后使用K3K4解密dstKeyValue的右8字节；
• 0x02:使用OWF2算法对源密钥进行解密，解密结果存储为目标密钥；
• 0x03:dstKeyValue将由源密钥用CBC TDES算法解密并存储为目标密钥；
• 0x04:dstKeyValue将由指定的源密钥用CBC TDES算法加密并存储为目标密钥；
• 0x05:使用3DES ECB加密模式从destKeyValue生成普通目的密钥；
• 0x06:源密钥通过OWF2解密dstKeyValue后再异或dstKeyValue得到目的密钥；
• 0x07:源密钥通过GOWF(OWF3)模式解密dstKeyValue得到目的密钥；

• 0x00:like writeKey(byte, byte, byte, byte, byte[], com.pax.dal.entity.ECheckMode, byte[]);
• 0x01:Both the srcKeyIndex key and dstKeyIndex key must be 16 bytes in length. SrcKeyIndex corresponds to the key SrcKey, and the left 8 bytes of the SrcKey are represented as Srckey-L. The 8 bytes to the right of the SrcKey are represented as Srckey-R. The left 8 bytes of keyVarIn are represented as keyvarin-L.The right 8-byte keyVarIn is represented as keyvarin-R. K1 = SrcKey-L XOR keyVarIn-L K2 = SrcKey-R XOR keyVarIn-L K3 = SrcKey-L XOR keyVarIn-R K4 = SrcKey-R XOR keyVarIn-R Decrypt the left 8 bytes of dstKeyValue with K1K2, and then decrypt the right 8 bytes of dstKeyValue with K3K4;
• 0x02:The source key is decrypted using the OWF2 algorithm, and the decryption result is stored as the target key;
• 0x03:The dstKeyValue will be decrypted by the source key using the CBC TDES algorithm and stored as the target key;
• 0x04:The dstKeyValue will be encrypted by the specified source key with the CBC TDES algorithm and stored as the target key;
• 0x05:Generate the general purpose key from dstKeyValue using 3DES ECB encryption mode;
• 0x06:The source key uses OWF2 to decrypt the dstKeyValue and then xOR dstKeyValue to obtain the target key;
• 0x07:The source key uses GOWF(OWF3) mode to decrypt the dstKeyValue to obtain the target key

Throws:

PedDevException

Since:

V4.00.00

getMacAes

byte[] getMacAes(byte keyIdx,
                 byte[] dataIn,
                 byte mode)
          throws PedDevException

使用AES_TAK对DataIn用Mode指定的算法进行MAC运算，将16字节的MAC结果输出， MAC运算密钥是主密钥/工作密钥体系或固定密钥体系密钥或DUKPT密钥体系。
用法：
1.敏感服务授权：在此接口内部，先进行认证以获取敏感服务授权，若授权失败则退出。
2.补零规则：将报文数据分割成若干16个字节的BLOCK，最后一个BLOCK不满16个字节则后补0x00。

Use AES_TAK to perform MAC operation on dataIn with the algorithm specified by Mode, and output the 16-byte MAC result. The MAC operation key is the master key/working key system or fixed key system key or DUKPT key system.
usage:
1.Sensitive service authorization: In this interface, first perform authentication to obtain sensitive service authorization, and exit if authorization fails.
2.Zero-filling rule: divide the message data into 16-byte BLOCKs, and add 0x00 after the last BLOCK is less than 16 bytes.

Parameters:

keyIdx -

AES_TAK 1~100索引

AES_TAK 1~100 index

dataIn -

需进行 MAC 运算的数据包. 长度InLen<=2048，长度不能被16整除时，则自动补0x00

Data packet that needs MAC operation. Length<=2048, when the length is not divisible by 16, it will automatically add 0x00

mode -

• 0x00: 将BLOCK1用MAC密钥做AES加密，加密结果与BLOCK2进行逐位异或后再用MAC密钥做AES加密，依次进行得到16字节的加密结果， KSN不自动加1。
• 0x01: Hypercom Fast Mode，将BLOCK1和BLOCK2进行逐位异或，异或结果与BLOCK3进行逐位异或，依次进行，最后得到16字节的异或结果，将该结果用MAC密钥进行AES加密运算，KSN不自动加1。
• 0x03: CMAC算法，KSN不自动加1。
• 0x05: HMAC-SHA256算法，KSN不自动加1。

• 0x00: Use MAC key for AES encryption of BLOCK1, and perform bitwise XOR between the encrypted result and BLOCK2 and then use MAC key for AES encryption. The 16-byte encryption result is obtained in sequence, and KSN does not automatically add 1.
• 0x01: Hypercom Fast Mode, XOR BLOCK1 and BLOCK2 bit by bit, XOR result and BLOCK3 bit by bit XOR, in turn, finally get a 16-byte XOR result, the result is encrypted with MAC key AES Operation, KSN does not automatically increase by 1.
• 0x03: CMAC algorithm, KSN does not automatically increase by 1.
• 0x05: HMAC-SHA256 algorithm, KSN does not automatically increase by 1.

Returns:

MAC输出，模式5的时候是32字节输出，其他模式16字节输出

MAC output, 32-byte output in mode 5, 16-byte output in other modes

Throws:

PedDevException - PedDevException

Since:

V4.00.00

injectKeyBlock

void injectKeyBlock(byte format,
                    byte srcKeyType,
                    byte srcKeyIdx,
                    byte dstKeyIdx,
                    byte[] keyBlock)
             throws PedDevException

往PED中注入一个密钥

Inject a key into the PED.

Parameters:

format -

固定式:0x08

Fixed: 0x08

srcKeyType -

源密钥类型:

• 0x01: TLK
• 0x02: TMK
• 0x21: AES_TLK
• 0x22: AES_TMK

source key type:

• 0x01: TLK
• 0x02: TMK
• 0x21: AES_TLK
• 0x22: AES_TMK

srcKeyIdx -

源密钥索引.源密钥是TLK/PED_AES_TLK时，索引为1.源密钥是TMK/PED_AES_TMK时，索引为1-100

Source key index. When the source key is TLK/PED_AES_TLK, the index is 1. When the source key is TMK/PED_AES_TMK, the index is 1-100

dstKeyIdx -

目的密钥索引

• TMK [1~100]
• TPK [1~100]
• TAK [1~100]
• TDK [1~100]
• TCHDK [1~100]
• TIK [1~100]
• AES_TMK [1~100]
• AES_TPK [1~100]
• AES_TAK [1~100]
• AES_TDK [1~100]
• AES_TCHDK [1~100]
• AES_TIK [1~100]

destination key index

• TMK [1~100]
• TPK [1~100]
• TAK [1~100]
• TDK [1~100]
• TCHDK [1~100]
• TIK [1~100]
• AES_TMK [1~100]
• AES_TPK [1~100]
• AES_TAK [1~100]
• AES_TDK [1~100]
• AES_TCHDK [1~100]
• AES_TIK [1~100]

keyBlock -

长度16-256,格式如下:
VersionID+Length+Usage+Algorithm+Mode+VersionNumber+Exportability+Number of Optional Blocks+ Reserved+Optional Blocks+Encryption body+MAC

• VersionID:密钥块版本标识,1byte,'B'-TDEA,'D'-AES
• Length:密钥块长度,4byte,十进制ASCII表示
• Usage:密钥类型，2byte,'P0'-PIN encryption,'B1'-DUKPT TIK,'K0'-TMK,'D0'-TDK,'Mx'-TAK,'C1'-TCHDK,'99'-TSK
• Algorithm:密钥算法,1byte,'T'-TDEA,'A'-AES
• Mode:密钥使用方式,1byte,忽略
• VersionNumber:密钥版本,2byte,忽略
• Exportability:输出,1byte,忽略
• Number of Optional Blocks:可选块个数,2byte,00/01/02
• Reserved:保留域.2byte,忽略
• Optional Blocks:可选块，长度是8('B'/TDES)或者16('D'/AES)的倍数，不足时需补充填充块以满足要求
• Encryption body:密文块，2byte+key+padding
• MAC:TDES是16byte， AES是32byte

Length 16-256, the format is as follows:
VersionID+Length+Usage+Algorithm+Mode+VersionNumber+Exportability+Number of Optional Blocks+ Reserved+Optional Blocks+Encryption body+MAC

• VersionID: key block version identifier,1byte, 'B'-TDEA,'D'-AES
• Length: key block length, 4byte,十进制ASCII表示
• Usage: key type，2byte,'P0'-PIN encryption,'B1'-DUKPT TIK,'K0'-TMK,'D0'-TDK,'Mx'-TAK,'C1'-TCHDK,'99'-TSK
• Algorithm: key algorithm, 1byte,'T'-TDEA,'A'-AES
• Mode: key Usage, 1byte, ignorable
• VersionNumber: key version,2byte, ignorable
• Exportability: output, 1byte, ignorable
• Number of Optional Blocks: number of optional blocks, 2byte,00/01/02
• Reserved: reserved domain. 2byte, ignorable
• Optional Blocks:Optional blocks, the length is a multiple of 8('B'/TDES) or 16('D'/AES), if insufficient, fill blocks are required to meet the requirements
• Encryption body: ciphertext block，2byte+key+padding
• MAC: TDES is 16byte, AES is 32byte

Throws:

PedDevException - PedDevException

Since:

V4.00.00

Skip navigation links

• Overview
• Package
• Class
• Tree
• Deprecated
• Index
• Help

• Prev Class
• Next Class

• Frames
• No Frames

• All Classes

• Summary:
• Nested |
• Field |
• Constr |
• Method

• Detail:
• Field |
• Constr |
• Method