Decryption

  • Last updated:

SDKMS provides multiple interfaces to application developers. For C/C++ programmers, SDKMS provides a PKCS#11 interface through a library. For Java programmers, SDKMS can be accessed through the JCE interface. SDKMS can also be accessed through its RESTful interface, documented at https://www.fortanix.com/api/

We provide examples for using SDKMS in 3 languages – a C++ program using the PKCS#11 interface, a Java program using the JCE interface, and a Python program using the REST interface.

The example programs can be downloaded in full at the Downloads page.

C++

string decrypt(CK_FUNCTION_LIST_PTR p11, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, string iv_cipher) {
CK_RV rv;
CK_BYTE *plain;
CK_ULONG plain_len;
string iv;
string cipher;

Base64::Decode(iv_cipher.substr(0, iv_cipher.find(':')), &iv);
CK_MECHANISM mechanism = {
CKM_AES_CBC_PAD, (CK_BYTE_PTR) iv.c_str(), iv.length()
};

rv = p11->C_DecryptInit(hSession, &mechanism, hKey);
if (rv == CKR_OK) {
Base64::Decode(iv_cipher.substr(iv_cipher.find(':')+1, iv_cipher.length() - iv_cipher.find(':') + 1), &cipher);
rv = p11->C_Decrypt(hSession, (CK_BYTE_PTR) cipher.c_str(), cipher.length(), NULL, &plain_len);
if (rv == CKR_OK) {
plain = (CK_BYTE *)malloc(plain_len * sizeof(CK_BYTE));
rv = p11->C_Decrypt(hSession, (CK_BYTE_PTR) cipher.c_str(), cipher.length(), plain, &plain_len);
}
}
if (rv != CKR_OK) {
cout << "Decryption failed. Error code = " << rv << endl;
return string();
}
return string((char*)plain, plain_len);
}

C#

public void decrypt() {
    DecryptRequest decReq = new DecryptRequest(Alg: ObjectType.AES, Mode: CryptMode.CBC, Cipher: cipher, Iv: encResp.Iv);
    DecryptResponse decResp = encApi.Decrypt(key.Kid, decReq);
}

Golang

func decrypt() {
  decryptionRequest := sdkms.DecryptRequest{
    Alg:    &sdkms.AES,
    Mode:   &sdkms.CBC,
    Cipher: encryptionResponse.Cipher,
    Iv:     encryptionResponse.Iv,
  }
  decryptionResponse, _, _ := client.EncryptionAndDecryptionApi.Decrypt(ctx, securityObjectResponse.Kid, decryptionRequest)
}

Java

private static String decrypt(Provider provider, SecretKey key, String cipherStruct, String mode) {
    try {
        String[] ivAndCipherText = cipherStruct.split(":");
        byte[] iv = new Base64().decode(ivAndCipherText[0]);
        byte[] cipherText = new Base64().decode(ivAndCipherText[1]);
        Cipher cipher = Cipher.getInstance(mode, provider);
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] bytePlainText = cipher.doFinal(cipherText);

        return new String(bytePlainText);
    } catch (Exception e) {
        System.out.println("Decryption failed: " + e);
        return null;
    }
}

Python

def decrypt_key():
    api_instance = sdkms.v1.EncryptionAndDecryptionApi(api_client=client)
    decryption_request = sdkms.v1.DecryptRequest(alg=ObjectType.AES,
            mode=CipherMode.CBC, cipher=encryption_response.cipher,
            iv=encryption_response.iv)
    try:
        decryption_response = api_instance.decrypt(key_id, decryption_request)
    except ApiException as e:
        print 'Exception when calling EncryptionAndDecryptionApi->decrypt: %s\n' % e)