Self-Defending KMS provides multiple interfaces to application developers. For C/C++ programmers, Self-Defending KMS provides a PKCS#11 interface through a library. For Java programmers, Self-Defending KMS can be accessed through the JCE interface and through the Java SDK. Self-Defending KMS can also be accessed through its RESTful interface, documented at https://www.fortanix.com/api/.
We provide examples for using Self-Defending KMS in 7 languages – a C++ program using the PKCS#11 interface, a Java program using the JCE interface, and other programs using the REST interface through the Java, Python, Go, C#, PHP and JavaScript SDKs.
The example programs can be downloaded in full at the Downloads page.
C++
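/**
 * Encrypts `plain` with CKM_AES_CBC_PAD through the given PKCS#11 session and key.
 *
 * A fresh IV is requested from the token for every call; CBC needs an
 * unpredictable IV per message, so the buffer is never left uninitialized
 * or reused.
 *
 * CBC gives confidentiality only. Callers that must detect tampering need to
 * authenticate the returned IV and ciphertext separately.
 *
 * @param p11      PKCS#11 function list of the loaded library.
 * @param hSession Open session handle.
 * @param hKey     Handle of the AES key object.
 * @param plain    Plaintext bytes to encrypt.
 * @return "<base64 IV>:<base64 ciphertext>", or an empty string when any
 *         PKCS#11 call fails (the error code is printed to stdout).
 */
string encrypt(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, string plain) {
    // NOTE(review): the AES-CBC IV is one block (16 bytes) regardless of key
    // size; AES_KEYLENGTH/8 equals that only for 128-bit keys - confirm the
    // value of AES_KEYLENGTH where it is defined.
    const CK_ULONG iv_len = (CK_ULONG) AES_KEYLENGTH/8;

    // string-owned buffers replace the malloc'd ones, which were never freed.
    string iv(iv_len, '\0');
    string cipher;
    CK_BYTE_PTR iv_ptr = reinterpret_cast<CK_BYTE_PTR>(&iv[0]);

    // Fill the IV from the token's RNG before it is handed to the mechanism.
    CK_RV rv = p11->C_GenerateRandom(hSession, iv_ptr, iv_len);

    if (rv == CKR_OK) {
        CK_MECHANISM mechanism = {
            CKM_AES_CBC_PAD, iv_ptr, iv_len
        };
        rv = p11->C_EncryptInit(hSession, &mechanism, hKey);
    }

    if (rv == CKR_OK) {
        CK_BYTE_PTR plain_ptr = reinterpret_cast<CK_BYTE_PTR>(const_cast<char *>(plain.data()));
        CK_ULONG cipher_len = 0;

        // First call with a NULL output buffer only reports the required size.
        rv = p11->C_Encrypt(hSession, plain_ptr, plain.length(), NULL, &cipher_len);
        if (rv == CKR_OK) {
            cipher.assign(cipher_len, '\0');
            rv = p11->C_Encrypt(hSession, plain_ptr, plain.length(),
                                reinterpret_cast<CK_BYTE_PTR>(&cipher[0]), &cipher_len);
            if (rv == CKR_OK) {
                // The second call reports the number of bytes actually written.
                cipher.resize(cipher_len);
            }
        }
    }

    if (rv != CKR_OK) {
        cout << "Encryption failed. Error code = " << rv << endl;
        return string();
    }

    string iv_b64;
    string cipher_b64;
    Base64::Encode(iv, &iv_b64);
    Base64::Encode(cipher, &cipher_b64);
    return iv_b64 + ":" + cipher_b64;
}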
C#
/// <summary>
/// Sends a fixed ASCII sample string to the service for AES encryption in CBC mode,
/// using the security object identified by <c>kid</c>.
/// </summary>
/// <remarks>
/// The request carries no IV. The response is held in a local only; the visible
/// snippet does not read the ciphertext or IV from it.
/// </remarks>
public void encrypt() {
    byte[] plainBytes = Encoding.ASCII.GetBytes("Hello World");
    var request = new EncryptRequest(Alg: ObjectType.AES, Mode: CryptMode.CBC, Plain: plainBytes);

    var cryptoApi = new EncryptionAndDecryptionApi();
    EncryptResponse encResp = cryptoApi.Encrypt(kid, request);
}
Go
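// Encrypt a fixed sample plaintext with the AES security object referenced by
// sobject.Kid, in CBC mode. The request supplies no IV; the IV is read back
// from the response below.
encryptResponse, err := client.Encrypt(ctx, sdkms.EncryptRequest{
	Key:   sdkms.SobjectByID(*sobject.Kid),
	Alg:   sdkms.AlgorithmAes,
	Plain: []byte("hello, world!"),
	Mode:  sdkms.CryptModeSymmetric(sdkms.CipherModeCbc),
})
if err != nil {
	log.Fatalf("Failed to encrypt: %v", err)
}
// Iv is a pointer in the response. The ciphertext cannot be decrypted without
// it, so report a missing IV instead of dereferencing nil.
if encryptResponse.Iv == nil {
	log.Fatal("Encrypt response did not include an initialization vector")
}
fmt.Printf("Ciphertext: %v\n", encryptResponse.Cipher)
fmt.Printf("Initialization Vector: %v\n", *encryptResponse.Iv)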
Java
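/**
 * Encrypts a fixed sample string with AES in CBC mode using the security
 * object identified by {@code kid}.
 *
 * The request carries no IV; callers that need to decrypt later must keep
 * whatever the returned response provides alongside the ciphertext.
 *
 * @return the service response, or {@code null} if the call threw (the
 *         exception is printed to standard output)
 */
private static EncryptResponse encrypt() {
    String data = "Hello World!";
    // Explicit charset: the no-argument getBytes() depends on the platform
    // default, so the same string could encrypt to different bytes per host.
    byte[] plain = data.getBytes(java.nio.charset.StandardCharsets.UTF_8);

    EncryptRequest encryptRequest = new EncryptRequest();
    encryptRequest.alg(ObjectType.AES)
            .plain(plain)
            .mode(CryptMode.CBC);

    try {
        return encryptionAndDecryptionApi.encrypt(kid, encryptRequest);
    } catch (Exception e) {
        System.out.println("Encryption failed: " + e);
        return null;
    }
}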
Python
def encrypt():
    """Encrypt the module-level ``plain`` with AES in CBC mode under key ``kid``.

    Returns the response object from the encryption API, or ``None`` when the
    call raises ``ApiException`` (the exception is printed). The request
    carries no IV.
    """
    crypto_api = sdkms.v1.EncryptionAndDecryptionApi(api_client=client)
    payload = sdkms.v1.EncryptRequest(alg=ObjectType.AES, plain=plain, mode=CipherMode.CBC)
    try:
        result = crypto_api.encrypt(kid, payload)
    except ApiException as e:
        print("Exception when calling EncryptionAndDecryptionApi->encrypt: %s\n" % e)
        result = None
    return result
PHP
/**
 * Builds an AES/CBC encrypt request and submits it for the security object
 * whose "kid" is taken from $securityObjectResponse.
 *
 * NOTE(review): $objType, $plain, $client and $securityObjectResponse are not
 * defined inside this method as shown - presumably this is an excerpt; confirm
 * where they come from. The response is assigned but not returned or read here.
 */
public function encrypt() {
    $mode = new Swagger\Client\Model\CryptMode();
    $requestFields = array(
        'alg' => $objType::AES,
        'mode' => $mode::CBC,
        'plain' => $plain
    );
    $request = new Swagger\Client\Model\EncryptRequest($requestFields);
    $cryptoApi = new Swagger\Client\Api\EncryptionAndDecryptionApi($client);
    $keyId = $securityObjectResponse["kid"];
    $encryptionResponse = $cryptoApi->encrypt($keyId, $request);
}
Javascript
// Completion handler for the encrypt call: logs the decoded result on success,
// or the raw response object when the SDK reports an error.
var encryptCallback = function(error, data, response) {
  if (!error) {
    var resultJson = JSON.stringify(data);
    console.log('Data encrypted successfully. result: ' + resultJson);
    return;
  }
  var responseJson = JSON.stringify(response);
  console.error("Error: " + responseJson);
};

var encryptApi = new FortanixSdkmsRestApi.EncryptionAndDecryptionApi();

// The plaintext is passed to the request base64-encoded.
var plain = btoa("Hello World!");

// AES in CBC mode; no IV is supplied in the request.
var encryptRequest = FortanixSdkmsRestApi.EncryptRequest.constructFromObject({
  "alg": "AES",
  "plain": plain,
  "mode": "CBC"
});

// `data` is not defined in this excerpt; its "kid" selects the key to encrypt with.
encryptApi.encrypt(data["kid"], encryptRequest, encryptCallback);