Wrap/Unwrap

These two endpoints implement the NIST Key Wrapping scheme (AES key wrap as specified in NIST SP 800-38F).

Allowed users: Allowed

Required access scope: keymgmt:use:<KID>

where <KID> is the Key ID as a 32-character hexadecimal string

Wrap

Wrap a message

POST https://my.ence.do/api/crypto/cipher/wrap

Wrap a plaintext message using the NIST Key Wrapping scheme.

Headers

Name            Type    Description
Authorization*  String  Bearer JWT_TOKEN
Content-Type*   String  application/json

Request Body (fields marked * are required)

Name     Type    Description
alg      String  Algorithm to use (e.g. AES256)
ext_kid  String  External Key ID, 32 chars hex string
kid*     String  Key ID, 32 chars hex string
msg*     String  Data message to wrap
pubkey   String  Base64 encoded external public key
ctx      String  Additional context data (HKDF argument)
iv       String  Optional IV data

{
  "wrapped": "ot5cd+SCF6w9dxdjtLnnr96yIMJQWVzb"
}

The type of the key referenced by ext_kid, or represented by pubkey, MUST be the same as the type of the kid key; otherwise the indirect ECDH step fails.

Possible alg values

Value   Description
AES128  AES with a 128-bit key, as specified in NIST SP 800-38F
AES192  AES with a 192-bit key, as specified in NIST SP 800-38F
AES256  AES with a 256-bit key, as specified in NIST SP 800-38F

Response data for successful operation

Name     Type    Description
wrapped  String  Base64 encoded wrapped data

Log entries

Event                        Result             Source (HTTP status)
LOG_TYPE_FAILED_SCOPE_CHECK  LOG_RESULT_FAILED  403
LOG_TYPE_CRYPTO_WRAP         LOG_RESULT_ERROR   400
LOG_TYPE_CRYPTO_WRAP         LOG_RESULT_FAILED  406
LOG_TYPE_CRYPTO_WRAP         LOG_RESULT_OK      200

Unwrap

Unwrap a message

POST https://my.ence.do/api/crypto/cipher/unwrap

Unwrap an encrypted message using the NIST Key Wrapping scheme.

Headers

Name            Type    Description
Authorization*  String  Bearer JWT_TOKEN
Content-Type*   String  application/json

Request Body (fields marked * are required)

Name     Type    Description
alg      String  Algorithm to use (e.g. AES256)
ext_kid  String  External Key ID, 32 chars hex string
iv       String  Ciphertext IV
kid*     String  Key ID, 32 chars hex string
msg*     String  Data message to unwrap
pubkey   String  Base64 encoded external public key
ctx      String  Additional context data (HKDF argument)

{
  "unwrapped": "SGVsbG9Xb3JsZDAxMjM0NQ=="
}

The type of the key referenced by ext_kid, or represented by pubkey, MUST be the same as the type of the kid key; otherwise the indirect ECDH step fails.

Possible alg values

The same values as for Wrap: AES128, AES192 and AES256 (NIST SP 800-38F).

Response data for successful operation

Name       Type    Description
unwrapped  String  Base64 encoded unwrapped data

Log entries

Event                        Result             Source (HTTP status)
LOG_TYPE_FAILED_SCOPE_CHECK  LOG_RESULT_FAILED  403
LOG_TYPE_CRYPTO_UNWRAP       LOG_RESULT_ERROR   400
LOG_TYPE_CRYPTO_UNWRAP       LOG_RESULT_FAILED  406
LOG_TYPE_CRYPTO_UNWRAP       LOG_RESULT_OK      200
