> For the complete documentation index, see [llms.txt](https://docs.payments.thalescloud.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.payments.thalescloud.io/ecom/es/integre-la-api-de-d1/cifrar-datos-confidenciales.md). # Cifrar datos confidenciales Para intercambiar información sensible, el backend de D1 eCom Enablement espera recibir (o enviar) datos sensibles cifrados usando el formato estándar JWE ( ). La información sensible se codifica en formato JSON antes del cifrado. El backend de D1 eCom Enablement utiliza la siguiente configuración para JWE: * Cadena JWE codificada en base64url * Parámetro de encabezado "alg" (Algoritmo): **ECDH-ES** * Parámetro de encabezado "enc" (Algoritmo de cifrado): **A256GCM** * Parámetro de encabezado "kid" (ID de clave): Identificador de clave correspondiente a la clave pública EC del destinatario * Curva EC: **P-256** ### Ejemplos de cifrado de datos sensibles Esta sección proporciona ejemplos para cifrar campos sensibles como un JWE compacto. #### Ejemplo: cifrar credenciales de tarjeta | Campo JSON | Descripción | Obligatorio | Longitud | | ---------- | ---------------------------------------- | ----------- | -------- | | pan | El Número de Cuenta Principal | Sí | Hasta 19 | | exp | La fecha de caducidad en el formato MMYY | Sí | 4 | Clave pública EC: ```json { "kty": "EC", "kid": "ASDsL-Jx2XOkRnFtqW-QblWY-mDnQW2LgapadFx75tA", "crv": "P-256", "x": "UbInEqNbZZZ9SJptBwKTKO6qslSyuWvMkVK44Bx_d8U", "y": "PUxeHMNVL0VRxOYJrkHcpe6sap7IG-Are0QborZDngI" } ``` Datos en claro: ```json { "pan":"1234567891234567", "exp":"1223" } ``` Ejemplos de código: {% tabs %} {% tab title="JavaScript con node-jose" %} ```javascript const jose = require("node-jose"); const keystore = jose.JWK.createKeyStore(); const publicKey = JSON.stringify({ "kty": "EC", "kid": "ASDsL-Jx2XOkRnFtqW-QblWY-mDnQW2LgapadFx75tA", "crv": "P-256", "x": "UbInEqNbZZZ9SJptBwKTKO6qslSyuWvMkVK44Bx_d8U", "y": "PUxeHMNVL0VRxOYJrkHcpe6sap7IG-Are0QborZDngI", }); const fields = { "alg":"ECDH-ES", "enc":"A256GCM", }; const payload = { "pan":"1234567891234567", "exp":"1223" }; (async () => { const ecPublicJWK = await keystore.add(publicKey, 'json'); const encryptedData = await jose.JWE.createEncrypt({ format: "compact", fields}, ecPublicJWK).update(JSON.stringify(payload)).final(); console.log('encryptedData', encryptedData); })(); // output : encryptedData eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImtpZCI6IkFTRHNMLUp4MlhPa1JuRnRxVy1RYmxXWS1tRG5RVzJMZ2FwYWRGeDc1dEEiLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJoWGpLdmNWa3d2ZHR4M19sdnJqTmJtQkZfZW9BZjNMeGJCblBNVFJxY2JvIiwieSI6IlJHOEN5WDV5bW9oTGV0cTFhVzgzVG96UU1EaEdQbTNHNXlwZERmVy1mSlUifX0..6L__CO5yA3g4tkLY.HysY-036kmszNeXDdgP375x0NfFlobYYGoL51A5PQ4Js9y287qZZ.QFYcZCfC6JAo1-snZ6O5Cw ``` {% endtab %} {% tab title="Java con jose4j" %} ```java import java.security.Key; import java.security.spec.InvalidKeySpecException; import java.text.ParseException; import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers; import org.jose4j.jwe.JsonWebEncryption; import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers; import org.jose4j.jwk.PublicJsonWebKey; import org.jose4j.lang.JoseException; public class testEncryptJWE { public static void main(String[] args) throws InvalidKeySpecException, JoseException { String publicKey = "{\r\n" + " \"kty\": \"EC\",\r\n" + " \"kid\": \"ASDsL-Jx2XOkRnFtqW-QblWY-mDnQW2LgapadFx75tA\",\r\n" + " \"crv\": \"P-256\",\r\n" + " \"x\": \"UbInEqNbZZZ9SJptBwKTKO6qslSyuWvMkVK44Bx_d8U\",\r\n" + " \"y\": \"PUxeHMNVL0VRxOYJrkHcpe6sap7IG-Are0QborZDngI\"\r\n" + "}"; String sensitive = "{\r\n" + " \"pan\":\"1234567891234567\",\r\n" + " \"exp\":\"1223\"\r\n" + "}"; PublicJsonWebKey k = PublicJsonWebKey.Factory.newPublicJwk(publicKey); Key key = k.getPublicKey(); JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setPayload(sensitive); jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES); jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_256_GCM); jwe.setKey(key); String serializedJwe = jwe.getCompactSerialization(); System.out.println("Serialized Encrypted JWE: " + serializedJwe); } } // output : Serialized Encrypted JWE: eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsIngiOiJiazF2cEFyM3lyZ3REQXVIazRrRnZ1WWVOSFFlM0dYRTcwS1Z3RU4xRTJ3IiwieSI6IjU5dEhKRnBfSHJ5UWFWN1NuTjRKZTFMVmJ1MTYwTGgxS3R1cnVyZWlTNkkiLCJjcnYiOiJQLTI1NiJ9fQ..XAjvjhUrGgQ9zu9u.crUDhRWdvW6J0NbHw2rW8S1Gn9hdLxLwAtkF-FIcR3IaF2P4_VLyQsXjZ544pb83l7x6ols.jtk3rzcjl2sLQFmYZtI7sg ``` {% endtab %} {% tab title="Rust con josekit" %} ```rust use josekit::{JoseError, jwe::{self, JweHeader, ECDH_ES}}; use std::str; const PUBLIC_KEY: &str = "-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUbInEqNbZZZ9SJptBwKTKO6qslSy uWvMkVK44Bx/d8U9TF4cw1UvRVHE5gmuQdyl7qxqnsgb4Ct7RBuitkOeAg== -----END PUBLIC KEY-----"; const CLEAR_DATA: &str = "{\"pan\":\"1234567891234567\",\"exp\":\"1223\"}"; fn main() -> Result<(), JoseError> { let encrypter = ECDH_ES.encrypter_from_pem(&PUBLIC_KEY)?; let mut header = JweHeader::new(); header.set_algorithm("ECDH-ES"); header.set_content_encryption("A256GCM"); let ciphered_data = jwe::serialize_compact(CLEAR_DATA.as_bytes(), &header, &encrypter)?; println!("ciphered data: {}", &ciphered_data); Ok(()) } // output: ciphered data: eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ims5V2UxazAyaGgzeFl1UWJMWm03bDJFX3pSZTQyalVQZXFsRjBhVlZENWciLCJ5IjoiYmgtdnJVOEhUYzZpZlNSVW1TNVByVF85c0tTb0VwQVFGaC1neHY4SW9aUSJ9fQ..eHijOIFaK-t7XhuD.MixYNb6bwnI3It_ul3t2xJLv65toe9EVNoA6hmUGZFzy477XTT5F.GhmSCoCoNKlxCBUH13_D4A ``` {% endtab %} {% endtabs %} ### Ejemplos de descifrado de datos sensibles En esta sección puede encontrar algunos ejemplos de descifrado de un objeto JWE. {% tabs %} {% tab title="JavaScript con node-jose" %} ```javascript const jose = require("node-jose"); const jwe = "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImtpZCI6IkFTRHNMLUp4MlhPa1JuRnRxVy1RYmxXWS1tRG5RVzJMZ2FwYWRGeDc1dEEiLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJoWGpLdmNWa3d2ZHR4M19sdnJqTmJtQkZfZW9BZjNMeGJCblBNVFJxY2JvIiwieSI6IlJHOEN5WDV5bW9oTGV0cTFhVzgzVG96UU1EaEdQbTNHNXlwZERmVy1mSlUifX0..6L__CO5yA3g4tkLY.HysY-036kmszNeXDdgP375x0NfFlobYYGoL51A5PQ4Js9y287qZZ.QFYcZCfC6JAo1-snZ6O5Cw"; const privateKey = "-----BEGIN EC PRIVATE KEY-----\r\nMHcCAQEEIFUvax1cOkuRkKFmypV7FtN5GR+1PjSXJ3yS0yGcn0R7oAoGCCqGSM49\r\nAwEHoUQDQgAEUbInEqNbZZZ9SJptBwKTKO6qslSyuWvMkVK44Bx/d8U9TF4cw1Uv\r\nRVHE5gmuQdyl7qxqnsgb4Ct7RBuitkOeAg==\r\n-----END EC PRIVATE KEY-----"; const keystore = jose.JWK.createKeyStore(); (async () => { const ecJWK = await keystore.add(privateKey, "pem"); const result = await jose.JWE.createDecrypt(ecJWK).decrypt(jwe); console.log("Resultado del descifrado:", result.plaintext.toString()); })(); // Salida: // Resultado del descifrado: {"pan":"1234567891234567","exp":"1223"} ``` {% endtab %} {% tab title="Java con jose4j" %} ```java import java.security.Key; import java.security.spec.InvalidKeySpecException; import java.util.HashMap; import java.util.Map; import org.jose4j.jwe.JsonWebEncryption; import org.jose4j.jwk.EllipticCurveJsonWebKey; import org.jose4j.lang.JoseException; public class testEncryptJWE { public static void main(String[] args) throws InvalidKeySpecException, JoseException { Map privateKey = new HashMap(); privateKey.put("x", "UbInEqNbZZZ9SJptBwKTKO6qslSyuWvMkVK44Bx_d8U"); privateKey.put("y", "PUxeHMNVL0VRxOYJrkHcpe6sap7IG-Are0QborZDngI"); privateKey.put("d", "VS9rHVw6S5GQoWbKlXsW03kZH7U-NJcnfJLTIZyfRHs"); privateKey.put("crv", "P-256"); privateKey.put("kid", "ASDsL-Jx2XOkRnFtqW-QblWY-mDnQW2LgapadFx75tA"); EllipticCurveJsonWebKey k = new EllipticCurveJsonWebKey(privateKey); Key key = k.getEcPrivateKey(); String cipheredData = "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImtpZCI6IkFTRHNMLUp4MlhPa1JuRnRxVy1RYmxXWS1tRG5RVzJMZ2FwYWRGeDc1dEEiLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJoWGpLdmNWa3d2ZHR4M19sdnJqTmJtQkZfZW9BZjNMeGJCblBNVFJxY2JvIiwieSI6IlJHOEN5WDV5bW9oTGV0cTFhVzgzVG96UU1EaEdQbTNHNXlwZERmVy1mSlUifX0..6L__CO5yA3g4tkLY.HysY-036kmszNeXDdgP375x0NfFlobYYGoL51A5PQ4Js9y287qZZ.QFYcZCfC6JAo1-snZ6O5Cw"; JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setKey(key); jwe.setCompactSerialization(cipheredData); System.out.println("Carga útil descifrada: " + jwe.getPayload()); } } // output: Carga útil descifrada: {"pan":"1234567891234567","exp":"1223"} ``` {% endtab %} {% tab title="Rust con josekit" %} ```rust use josekit::{JoseError, jwe::{self, ECDH_ES}}; use std::str; const PRIVATE_KEY: &str = "-----BEGIN EC PRIVATE KEY----- MHcCAQEEIFUvax1cOkuRkKFmypV7FtN5GR+1PjSXJ3yS0yGcn0R7oAoGCCqGSM49 AwEHoUQDQgAEUbInEqNbZZZ9SJptBwKTKO6qslSyuWvMkVK44Bx/d8U9TF4cw1Uv RVHE5gmuQdyl7qxqnsgb4Ct7RBuitkOeAg== -----END EC PRIVATE KEY-----"; const JWE_FROM_SAMPLE: &str = "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImtpZCI6IkFTRHNMLUp4MlhPa1JuRnRxVy1RYmxXWS1tRG5RVzJMZ2FwYWRGeDc1dEEiLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJoWGpLdmNWa3d2ZHR4M19sdnJqTmJtQkZfZW9BZjNMeGJCblBNVFJxY2JvIiwieSI6IlJHOEN5WDV5bW9oTGV0cTFhVzgzVG96UU1EaEdQbTNHNXlwZERmVy1mSlUifX0..6L__CO5yA3g4tkLY.HysY-036kmszNeXDdgP375x0NfFlobYYGoL51A5PQ4Js9y287qZZ.QFYcZCfC6JAo1-snZ6O5Cw"; fn main() -> Result<(), JoseError> { let decrypter = ECDH_ES.decrypter_from_pem(&PRIVATE_KEY)?; let (payload, _) = jwe::deserialize_compact(&JWE_FROM_SAMPLE, &decrypter)?; println!("Carga útil descifrada: {}", str::from_utf8(&payload).unwrap()); Ok(()) } // Salida: // Carga útil descifrada: {"pan":"1234567891234567","exp":"1223"} ``` {% endtab %} {% endtabs %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.payments.thalescloud.io/ecom/es/integre-la-api-de-d1/cifrar-datos-confidenciales.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.