Currently TR-31 Parse Key Block decodes all X9.143 header fields, optional blocks, and PCI compliance flags but stops short of decrypting the encrypted key payload.
What this would add
Given a Key Block Protection Key (KBPK) supplied by the user, decrypt the key payload and surface the clear key material (or at least the unwrapped key check value) in the JSON output.
Scope
- AES key wrapping (KBPK algorithm
A, D binding methods) is the priority — these are the dominant TR-31 profiles in modern acquirer/processor deployments
- TDES/2TDEA key wrapping (
T binding method) is secondary
- The KBPK would be supplied as a recipe arg (clear hex) — this is test-use only
Why it matters
Parsing the header tells you what key is wrapped. Decrypting tells you whether the wrapped payload is consistent with the expected key material. Together they cover the full inspection workflow during HSM migration testing and key-transport debugging.
References
- ANS X9.143 (TR-31 key block standard)
- Existing
TR-31 Parse Key Block operation (ParseTR31KeyBlock.mjs)
Currently
TR-31 Parse Key Blockdecodes all X9.143 header fields, optional blocks, and PCI compliance flags but stops short of decrypting the encrypted key payload.What this would add
Given a Key Block Protection Key (KBPK) supplied by the user, decrypt the key payload and surface the clear key material (or at least the unwrapped key check value) in the JSON output.
Scope
A,Dbinding methods) is the priority — these are the dominant TR-31 profiles in modern acquirer/processor deploymentsTbinding method) is secondaryWhy it matters
Parsing the header tells you what key is wrapped. Decrypting tells you whether the wrapped payload is consistent with the expected key material. Together they cover the full inspection workflow during HSM migration testing and key-transport debugging.
References
TR-31 Parse Key Blockoperation (ParseTR31KeyBlock.mjs)