# Wrap/Unwrap #### Allowed users {% tabs %} {% tab title="User" %} Allowed {% endtab %} {% tab title="Master" %} Not allowed {% endtab %} {% tab title="ExtAuth" %} Allowed {% endtab %} {% endtabs %} #### Required access scope {% tabs %} {% tab title="Main" %} `keymgmt:use:` where `` is a Key ID as a 32-character hexadecimal string {% endtab %} {% endtabs %} ## Wrap ## Wrap a message `POST` `https://my.ence.do/api/crypto/cipher/wrap` Wrap plain message using the NIST Key Wrapping scheme. #### Headers | Name | Type | Description | | ----------------------------------------------- | ------ | ----------------- | | Authorization\* | String | Bearer JWT\_TOKEN | | Content-Type\* | String | application/json | #### Request Body | Name | Type | Description | | --------------------------------------- | ------ | ------------------------------------------------------- | | `alg` | String | Algorithm to use (e.g. AES256) | | `ext_kid` | String | External Key ID, 32 chars hex string | | `kid`\* | String | Key ID, 32 chars hex string | | `msg`\* | String | Data message to wrap (max. 2048 bytes) | | `pubkey` | String | Base64 encoded external public key | | `ctx` | String | Additional context data (HKDF argument) (max. 64 bytes) | | `iv` | String | Optional IV data | #### Response status code {% tabs %} {% tab title="200: Operation successful" %} ```javascript { "wrapped": "ot5cd+SCF6w9dxdjtLnnr96yIMJQWVzb" } ``` {% endtab %} {% tab title="400: Incorrect arguments" %} {% endtab %} {% tab title="401: Missing or invalid JWT\_TOKEN" %} {% endtab %} {% tab title="403: Incorrect access scope" %} {% endtab %} {% tab title="406: Operation failed" %} {% endtab %} {% tab title="409: Incorrect internal state" %} {% endtab %} {% tab title="418: TLS connection required" %} {% endtab %} {% endtabs %} {% hint style="info" %} The key type pointed to `ext_kid` or represented by `pubkey` MUST be the same as the `kid` key type. Otherwise, indirect ECDH will fail. {% endhint %} #### Possible `alg` values | Value | Description | | ------ | ------------------------- | | AES128 | Regarding NIST SP 800-38F | | AES192 | Regarding NIST SP 800-38F | | AES256 | Regarding NIST SP 800-38F | #### Response data for successful operation
NameTypeDescription
wrappedStringBase64 encoded wrapped data
#### Log entries
EventResultSource
LOG_TYPE_FAILED_SCOPE_CHECKLOG_RESULT_FAILED403
LOG_TYPE_CRYPTO_WRAPLOG_RESULT_ERROR400
LOG_TYPE_CRYPTO_WRAPLOG_RESULT_FAILED406
LOG_TYPE_CRYPTO_WRAPLOG_RESULT_OK200
## Unwrap ## Unwarp a message `POST` `https://my.ence.do/api/crypto/cipher/unwrap` Unwrap the encrypted message using the NIST Key Wrapping scheme. #### Headers | Name | Type | Description | | ----------------------------------------------- | ------ | ----------------- | | Authorization\* | String | Bearer JWT\_TOKEN | | Content-Type\* | String | application/json | #### Request Body | Name | Type | Description | | --------------------------------------- | ------ | ------------------------------------------------------- | | `alg` | String | Algorithm to use (e.g. AES256) | | `ext_kid` | String | External Key ID, 32 chars hex string | | `iv` | String | Ciphertext IV | | `kid`\* | String | Key ID, 32 chars hex string | | `msg`\* | String | Data message to unwrap (max. 2048 bytes) | | `pubkey` | String | Base64 encoded external public key | | `ctx` | String | Additional context data (HKDF argument) (max. 64 bytes) | #### Response status code {% tabs %} {% tab title="200: Operation successful" %} ```javascript { "unwrapped": "SGVsbG9Xb3JsZDAxMjM0NQ==" } ``` {% endtab %} {% tab title="400: Incorrect argument(s)" %} {% endtab %} {% tab title="401: Missing or invalid JWT\_TOKEN" %} {% endtab %} {% tab title="403: Incorrect access scope" %} {% endtab %} {% tab title="406: Operation failed" %} {% endtab %} {% tab title="409: Incorrect internal state" %} {% endtab %} {% tab title="418: TLS connection required" %} {% endtab %} {% endtabs %} {% hint style="info" %} The key type pointed to `ext_kid` or represented by `pubkey` MUST be the same as the `kid` key type. Otherwise, indirect ECDH will fail. {% endhint %} #### Possible `alg` values Check the list [here](#possible-alg-values). #### Response data for successful operation
NameTypeDescription
unwrappedStringBase64 encoded unwraped data
#### Log entries
EventResultSource
LOG_TYPE_FAILED_SCOPE_CHECKLOG_RESULT_FAILED403
LOG_TYPE_CRYPTO_UNWRAPLOG_RESULT_ERROR400
LOG_TYPE_CRYPTO_UNWRAPLOG_RESULT_FAILED406
LOG_TYPE_CRYPTO_UNWRAPLOG_RESULT_OK200