Unwraps a wrapped private key and then decrypts the content encryption key that is encrypted to the public key.
HTTP request
POST https://BASE_URL/privatekeydecrypt
Replace BASE_URL with the base URL.
Path parameters
None.
Request body
The request body contains data with the following structure:
JSON representation | |
---|---|
{ "authentication": string, "authorization": string, "algorithm": string, "encrypted_data_encryption_key": string, "rsa_oaep_label": string, "reason": string, "wrapped_private_key": string } |
Fields | |
---|---|
authentication | A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens. |
authorization | A JWT asserting that the user is allowed to unwrap a key for |
algorithm | The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption. |
encrypted_data_encryption_key | Base64-encoded encrypted content encryption key, which is encrypted with the public key associated with the private key. Max size: 1 KB. |
rsa_oaep_label | Base64-encoded label L, if the algorithm is RSAES-OAEP. If the algorithm is not RSAES-OAEP, this field is ignored. |
reason | A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |
wrapped_private_key | The base64-encoded wrapped private key. Max size: 8 KB. |
Response body
If successful, this method returns a base64-encoded data encryption key.
If the operation fails, a structured error reply is returned.
JSON representation | |
---|---|
{ "data_encryption_key": string } |
Fields | |
---|---|
data_encryption_key | A base64-encoded data encryption key. |
Example
This example provides a sample request and response for the privatekeydecrypt method.
Request
POST https://mykacls.example.org/v1/privatekeydecrypt
{
  "wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
  "encrypted_data_encryption_key": "dGVzdCB3cmFwcGVkIGRlaw...",
  "authorization": "eyJhbGciOi...",
  "authentication": "eyJhbGciOi...",
  "algorithm": "RSA/ECB/PKCS1Padding",
  "reason": "decrypt"
}
Response
{
  "data_encryption_key": "akRQtv3nr+jUhcFL6JmKzB+WzUxbkkMyW5kQsqGUAFc="
}
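
The size limits, base64 encoding, label handling and `reason` sanitization from the request field table, written as a pre-check a key service could run before unwrapping anything. This is an added example, not code from the original page or from any key service implementation. Assumptions: the names `validate_request` and `b64_field`, reading KB as 1024 bytes of the encoded string, the "OAEP" substring test, treating `reason` as optional, and the constructed sample values.

```python
import base64
import binascii
import html

# Limits from the field table; assumption: KB = 1024 bytes of the encoded string as sent.
MAX_LEN = {"encrypted_data_encryption_key": 1024, "reason": 1024,
           "wrapped_private_key": 8 * 1024}
REQUIRED = ("authentication", "authorization", "algorithm",
            "encrypted_data_encryption_key", "wrapped_private_key")


def b64_field(body, name, errors):
    """Strictly decode a base64 string field; None (plus an error) if malformed."""
    value = body.get(name)
    try:
        return base64.b64decode(value, validate=True) if isinstance(value, str) else None
    except (binascii.Error, ValueError):
        errors.append(f"{name}: not valid base64")
        return None


def validate_request(body):
    """Hypothetical server-side pre-check. Returns (clean, errors)."""
    errors = [f"{n}: missing or not a string" for n in REQUIRED
              if not isinstance(body.get(n), str) or not body[n]]
    for name, limit in MAX_LEN.items():
        value = body.get(name)
        if isinstance(value, str) and len(value.encode("utf-8", "replace")) > limit:
            errors.append(f"{name}: exceeds {limit} bytes")
    clean = {name: b64_field(body, name, errors)
             for name in ("encrypted_data_encryption_key", "wrapped_private_key")}
    # Assumption: an algorithm name containing "OAEP" denotes RSAES-OAEP.
    # For any other algorithm the label is ignored, as the field table states.
    oaep = "OAEP" in str(body.get("algorithm", "")).upper()
    clean["rsa_oaep_label"] = b64_field(body, "rsa_oaep_label", errors) if oaep else None
    # reason is caller-supplied: drop control characters and HTML-escape before display.
    reason = body.get("reason") if isinstance(body.get("reason"), str) else ""
    clean["reason_display"] = html.escape("".join(c for c in reason if c.isprintable()))
    return clean, errors


# Constructed sample request (placeholder tokens, not real JWTs or key material).
SAMPLE = {"authentication": "jwt-placeholder", "authorization": "jwt-placeholder",
          "algorithm": "RSA/ECB/PKCS1Padding", "reason": "<b>decrypt</b>",
          "encrypted_data_encryption_key": base64.b64encode(b"constructed dek").decode(),
          "wrapped_private_key": base64.b64encode(b"constructed key").decode(),
          "rsa_oaep_label": "ignored, not base64"}
```

Rejecting oversized or malformed fields before the unwrap step keeps untrusted input away from the private-key operation. The JWT checks on `authentication` and `authorization` are a separate step not shown here.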