Encryption

  • Last updated:

SDKMS provides multiple interfaces to application developers. For C/C++ programmers, SDKMS provides a PKCS#11 interface through a library. For Java programmers, SDKMS can be accessed through the JCE interface. SDKMS can also be accessed through its RESTful interface, documented at https://www.fortanix.com/api/

We provide examples for using SDKMS in 3 languages – a C++ program using the PKCS#11 interface, a Java program using the JCE interface, and a Python program using the REST interface.

The example programs can be downloaded in full at the Downloads page.

C++

string encrypt(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, string plain) {
CK_RV rv;
CK_BYTE *iv;
CK_ULONG iv_len;
string iv_b64;
CK_BYTE *cipher;
CK_ULONG cipher_len;
string cipher_b64;

iv_len = (CK_ULONG) AES_KEYLENGTH/8;
iv = (CK_BYTE *)malloc(iv_len * sizeof(CK_BYTE));
CK_MECHANISM mechanism = {
CKM_AES_CBC_PAD, iv, iv_len
};
Base64::Encode(string((char *)iv, iv_len), &iv_b64);

rv = p11->C_EncryptInit(hSession, &mechanism, hKey);
if (rv == CKR_OK) {
rv = p11->C_Encrypt(hSession, (CK_BYTE_PTR) plain.c_str(), plain.length(), NULL, &cipher_len);
if (rv == CKR_OK) {
cipher = (CK_BYTE *)malloc(cipher_len * sizeof(CK_BYTE));
rv = p11->C_Encrypt(hSession, (CK_BYTE_PTR) plain.c_str(), plain.length(), cipher, &cipher_len);
}
}
if (rv != CKR_OK) {
cout << "Encryption failed. Error code = " << rv << endl;
return string();
}
Base64::Encode(string((char *)cipher, cipher_len), &cipher_b64);
return iv_b64 + ":" + cipher_b64;
}

C#

public void encrypt() {
  EncryptRequest encReq = new EncryptRequest(Alg: ObjectType.AES, Mode: CryptMode.CBC, Plain: Encoding.ASCII.GetBytes("ABCD"));
  EncryptionAndDecryptionApi encApi = new EncryptionAndDecryptionApi();
  EncryptResponse encResp = encApi.Encrypt(key.Kid, encReq);
}

Golang

func encrypt() {
  encryptionRequest := sdkms.EncryptRequest{
    Alg:   &sdkms.AES,
    Plain: plain,
    Mode:  &sdkms.CBC,
  }
  encryptionResponse, _, _ := client.EncryptionAndDecryptionApi.Encrypt(ctx, securityObjectResponse.Kid, encryptionRequest)
}

Java

private static String encrypt(Provider provider, SecretKey key, String plain, String mode, int length) {
    byte[] iv = new byte[length / 8];
    SecureRandom prng = new SecureRandom();
    prng.nextBytes(iv);

    try {
        Cipher cipher = Cipher.getInstance(mode, provider);
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] byteCipherText = cipher.doFinal(plain.getBytes());
        String cryptStruct = new Base64().encodeAsString(iv) + ":" + new Base64().encodeAsString(byteCipherText);
        return cryptStruct;
    } catch (Exception e) {
        System.out.println("Encryption failed: " + e);
        return null;
    }
}

Python

def encrypt_key():
  api_instance = sdkms.v1.EncryptionAndDecryptionApi(api_client=client)
  request = sdkms.v1.EncryptRequest(alg=ObjectType.AES, plain=plain, mode=CipherMode.CBC)
  try:
    encryption_response = api_instance.encrypt(key_id, request)
    return encryption_response
  except ApiException as e:
    print("Exception when calling EncryptionAndDecryptionApi->encrypt: %s\n" % e)
    return None