API_Reference.md

File metadata and controls

1838 lines (1370 loc) · 65.5 KB

# eHSM REST API Reference

The eHSM-KMS service currently provides the following RESTful APIs to customers:

## Common Parameters

This section describes the parameters that are common to all API requests and responses.

| Name | Type | Reference Value | Description |
|------|------|-----------------|-------------|
| appid | string | 12345678-0123-4567-*** | A unique id used to request eHSM within a domain; it is obtained from the eHSM service maintainer. |
| timestamp | string | 1643050812444 | The time at which the request is sent, in milliseconds. A request is valid for 30 minutes: taking the current time as the benchmark, the server accepts a timestamp only within 30 minutes, and the same timestamp cannot be reused. |
| sign | string | iw6mkXDqNipxweCH**** | The signature string of the current request (see below). |
| payload | Object | `{"keyspec": "EH_RSA_3072", "origin": "EH_INTERNAL_KEY"}` | The specific parameters of each method call. |

Notes: before calling the eHSM-KMS cryptographic APIs, the customer must obtain a unique appid and APIKey from the eHSM-KMS service maintainer and make sure they are securely stored.
The API key participates in the signature but is never transferred as a parameter.

Signature = base64(HMAC-SHA256(APIKey, RequestData)),
where RequestData = `appid=<appid>&payload=<payload>&timestamp=<timestamp>` with the keys ordered in ASCII ascending order; the parameters inside the payload must be ordered the same way.
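The following is an added example, not code from the eHSM project, that implements the signing recipe above for both ends of the connection. `sign_request` builds the request body the same way the page's Python samples do (ASCII-ordered keys, payload canonicalised as `key=value&...`, HMAC-SHA256 with the APIKey, base64 output upper-cased as the samples do). `RequestVerifier` is an assumed server-side design: it recomputes the MAC, compares it in constant time, enforces the 30-minute validity window and rejects a repeated appid/timestamp pair. The appid and apikey used in the `__main__` block are the reference values from the Enroll section of this page.

```python
"""Build and verify eHSM-style signed request bodies (added example)."""
import base64
import hmac
import time
import urllib.parse
from collections import OrderedDict
from hashlib import sha256

VALIDITY_MS = 30 * 60 * 1000  # 30-minute validity stated on the page


def _canonical(pairs):
    """key=value pairs joined by '&' in ASCII key order with URL escaping undone,
    which is what unquote_plus(urlencode(...)) yields in the page's samples."""
    ordered = OrderedDict(sorted(pairs.items()))
    return urllib.parse.unquote_plus(urllib.parse.urlencode(ordered))


def sign_string(appid, payload, timestamp_ms):
    """The RequestData string: appid=<appid>&payload=<payload>&timestamp=<ts>.
    The payload key is omitted when the call has no payload (as in ListKey)."""
    params = OrderedDict()
    params["appid"] = appid
    if payload is not None:
        params["payload"] = _canonical(payload)
    params["timestamp"] = str(timestamp_ms)
    return _canonical(params)


def compute_sign(apikey, request_data):
    """base64(HMAC-SHA256(APIKey, RequestData)), upper-cased like the samples."""
    mac = hmac.new(apikey.encode("utf-8"), request_data.encode("utf-8"), sha256).digest()
    return base64.b64encode(mac).decode("utf-8").upper()


def sign_request(appid, apikey, payload=None, timestamp_ms=None):
    """Return the JSON body for one API call: appid, payload (as an object),
    timestamp and sign."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    body = OrderedDict()
    body["appid"] = appid
    if payload is not None:
        body["payload"] = payload
    body["timestamp"] = str(timestamp_ms)
    body["sign"] = compute_sign(apikey, sign_string(appid, payload, timestamp_ms))
    return body


class RequestVerifier:
    """Server-side validation of a signed body (assumed design, not eHSM's)."""

    def __init__(self, apikeys, validity_ms=VALIDITY_MS):
        self._apikeys = apikeys          # appid -> APIKey
        self._validity_ms = validity_ms
        self._seen = set()               # accepted (appid, timestamp) pairs

    def verify(self, body, now_ms=None):
        """Return (ok, reason) for a parsed request body."""
        if now_ms is None:
            now_ms = int(time.time() * 1000)
        appid = body.get("appid")
        apikey = self._apikeys.get(appid)
        if apikey is None:
            return False, "unknown appid"
        try:
            ts = int(body["timestamp"])
        except (KeyError, TypeError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now_ms - ts) > self._validity_ms:
            return False, "timestamp outside validity window"
        payload = body.get("payload")
        if payload is not None and not isinstance(payload, dict):
            return False, "malformed payload"
        expected = compute_sign(apikey, sign_string(appid, payload, ts))
        if not hmac.compare_digest(expected, str(body.get("sign", ""))):
            return False, "bad signature"
        # Forget pairs that have aged out of the window, then refuse a replay.
        self._seen = {p for p in self._seen if p[1] >= now_ms - self._validity_ms}
        if (appid, ts) in self._seen:
            return False, "repeated timestamp"
        self._seen.add((appid, ts))
        return True, "ok"


if __name__ == "__main__":
    # Sample values from the Enroll section of this page.
    appid = "3309ecfa-d02f-49b3-a107-b47d6c7d3854"
    apikey = "44RPFy3SEqLbAahaP9PXSGQ6ABB6gctr"
    body = sign_request(appid, apikey, {"keyspec": "EH_RSA_3072", "origin": "EH_INTERNAL_KEY"})
    verifier = RequestVerifier({appid: apikey})
    print(body["sign"], verifier.verify(body), verifier.verify(body))
```

The replay set is keyed on the (appid, timestamp) pair because the page says a timestamp cannot be repeated; the MAC is checked before the pair is recorded so that unauthenticated traffic cannot fill the set.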

## CreateKey

Create a customer master key (CMK) for the user. A CMK can be symmetric or asymmetric: a symmetric CMK is mainly used to wrap data keys, and can also encrypt an arbitrary set of bytes (<6KB); an asymmetric CMK is mainly used to sign/verify or to asymmetrically encrypt/decrypt data (not data keys).

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=CreateKey

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | keyspec | String | EH_AES_GCM_128 | The keyspec of the key to create, one of: EH_AES_GCM_128, EH_AES_GCM_192, EH_AES_GCM_256, EH_RSA_2048, EH_RSA_3072, EH_RSA_4096, EH_EC_P224, EH_EC_P256, EH_EC_P384, EH_EC_P521, EH_SM2, EH_SM4_CTR, EH_SM4_CBC, EH_HMAC |
    | origin | String | EH_INTERNAL_KEY | Where the CMK comes from: EH_INTERNAL_KEY (generated inside the eHSM) or EH_EXTERNAL_KEY (generated by the customer and imported into the eHSM) |
    | purpose | String | EH_PURPOSE_NONE | The usage range of the CMK: EH_PURPOSE_ENCRYPT_DECRYPT or EH_PURPOSE_SIGN_VERIFY |
    | padding mode | String | EH_PAD_RSA_PKCS1 | The padding mode: EH_PAD_RSA_PKCS1, EH_PAD_RSA_PKCS1_OAEP, EH_PAD_RSA_PKCS1_PSS or EH_PAD_RSA_NO |
    | digest mode | String | EH_SHA_2_256 | The digest mode: EH_SHA_2_224, EH_SHA_2_256, EH_SHA_2_384, EH_SHA_2_512 or EH_SM3 |

    Notes: EH_HMAC is not supported at present and will be supported later.

    Notes: origin currently supports only EH_INTERNAL_KEY.

    Notes: purpose can currently be left empty.

    Notes: the padding mode is currently used only for RSA encryption/decryption and RSA sign/verify. RSA encryption and decryption use EH_PAD_RSA_PKCS1_OAEP or EH_PAD_RSA_PKCS1; RSA sign and verify use EH_PAD_RSA_PKCS1_PSS or EH_PAD_RSA_PKCS1. EH_PAD_RSA_NO is not currently supported.

    Notes: the digest mode is currently used only for asymmetric-key sign/verify, and SM2 sign/verify supports only the EH_SM3 digest mode.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | keyid | String | "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef" | A unique keyid of the CMK. |
  • Example

    • Request sample in python

      ```python
      import base64
      import hmac
      import json
      import time
      import urllib.parse
      from collections import OrderedDict
      from hashlib import sha256

      import requests

      # appid and appkey are the APPID / APIKey obtained from the Enroll API.
      # headers is not shown on the page; a JSON content type is assumed because
      # the body is json.dumps(params).
      headers = {"Content-Type": "application/json"}

      payload = OrderedDict()
      payload["keyspec"] = "EH_RSA_3072"
      payload["origin"] = "EH_INTERNAL_KEY"

      params = OrderedDict()
      params["appid"] = appid
      # canonical payload string, used only for signing
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      # the wire body carries the payload as a JSON object plus the signature
      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=CreateKey", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
          "code": 200,
          "message": "success!",
          "result": {
              "keyid": "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef"
          }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## Encrypt

Encrypt an arbitrary set of bytes using the CMK (only symmetric key types are supported).

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=Encrypt

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | aad | String | "Y2hhbGxlbmdl" | Extra data (AAD) supplied by the user that helps ensure data integrity; it is not included in the ciphertext. Stored as a BASE64 string. |
    | keyid | String | "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef" | The keyid of the CMK to use, which must be a symmetric key. |
    | plaintext | String | "cGxhaW50ZXh0" | The plaintext data, BASE64 encoded. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | ciphertext | String | "uSDos6NLWNVp4sQZS2+mzLvDw***" | The ciphertext, BASE64 encoded, returned inside the result object. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["aad"] = "Y2hhbGxlbmdl"
      payload["keyid"] = "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef"
      payload["plaintext"] = "cGxhaW50ZXh0"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=Encrypt", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "ciphertext": "uSDos6NLWNVp4sQZS2+mzLvDw***"
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## Decrypt

Decrypt an arbitrary set of bytes using the CMK (only symmetric key types are supported).

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=Decrypt

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | aad | String | "Y2hhbGxlbmdl" | Extra data (AAD) supplied by the user that helps ensure data integrity; it is not included in the ciphertext. Stored as a BASE64 string. |
    | keyid | String | "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef" | The keyid of the symmetric CMK used to decrypt the ciphertext. |
    | ciphertext | String | "uSDos6NLWNVp4sQZS2+mzLvDw***" | The ciphertext to be decrypted, as a BASE64 string. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | plaintext | String | "VGVzdDEyMzQtQU***" | The decrypted data, as a BASE64 string. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["aad"] = "Y2hhbGxlbmdl"
      payload["keyid"] = "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef"
      payload["ciphertext"] = "uSDos6NLWNVp4sQZS2+mzLvDw***"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=Decrypt", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "plaintext": "VGVzdDEyMzQtQU***"
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## AsymmetricEncrypt

Encrypt an arbitrary set of bytes using the CMK (only asymmetric key types are supported).

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=AsymmetricEncrypt

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | keyid | String | "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e" | The unique keyid of the asymmetric CMK. |
    | plaintext | String | "cGxhaW50ZXh0" | The plaintext data, BASE64 encoded. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | ciphertext | String | "EhGpx8pMYFRDr28xT4dJvrMg5***" | The ciphertext, as a BASE64 string. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["keyid"] = "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e"
      payload["plaintext"] = "cGxhaW50ZXh0"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=AsymmetricEncrypt", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "ciphertext": "EhGpx8pMYFRDr28xT4dJvrMg5***"
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## AsymmetricDecrypt

Decrypt an arbitrary set of bytes using the CMK (only asymmetric key types are supported).

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=AsymmetricDecrypt

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | keyid | String | "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e" | The keyid of the asymmetric CMK. |
    | ciphertext | String | "EhGpx8pMYFRDr28xT4dJvrMg5***" | The ciphertext, as a BASE64 string. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | plaintext | String | "VGVzdFJTQS0zMDcyAAAAAAAAAAAAAA***" | The decrypted data, as a BASE64 string. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["keyid"] = "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e"
      payload["ciphertext"] = "EhGpx8pMYFRDr28xT4dJvrMg5***"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=AsymmetricDecrypt", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "plaintext": "VGVzdFJTQS0zMDcyAAAAAAAAAAAAAA***"
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## Sign

Perform a sign operation using the CMK (only asymmetric keyspecs are supported).

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=Sign

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | keyid | String | "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e" | The unique keyid of the asymmetric CMK. |
    | digest | String | "ZGlnZXN0" | The hash of the data to be signed, as a BASE64 string. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | signature | String | "KkUO2y2IJVdsahlUL4GA0fYf4y9wPaaocdEtfG3***" | The calculated signature value, as a BASE64 string. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["keyid"] = "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e"
      payload["digest"] = "ZGlnZXN0"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=Sign", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "signature": "KkUO2y2IJVdsahlUL4GA0fYf4y9wPaaocdEtfG3***"
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## Verify

Perform a verify operation using the CMK (only asymmetric keyspecs are supported).

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=Verify

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | keyid | String | "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e" | The keyid of the asymmetric CMK. |
    | digest | String | "ZGlnZXN0" | The hash of the data that was signed, as a BASE64 string. |
    | signature | String | "KkUO2y2IJVdsahlUL4GA0fYf4y9wPaaocdEtfG3***" | The signature of the digest produced by the CMK, as a BASE64 string. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | result | bool | true | True or False: whether the signature passed verification. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["keyid"] = "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e"
      payload["digest"] = "ZGlnZXN0"
      payload["signature"] = "KkUO2y2IJVdsahlUL4GA0fYf4y9wPaaocdEtfG3***"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=Verify", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "result": true
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## GenerateDataKey

Generate a random data key that is used to encrypt data locally. The data key is wrapped by the specified CMK (which must be a symmetric CMK, as the keyid parameter below states), and both the plaintext and the ciphertext of the data key are returned.

You can use the plaintext data key to encrypt your data locally without going through the KMS, store the encrypted data together with the ciphertext of the data key, and clear the plaintext key from memory as soon as possible.

When you need the plaintext data key again, call Decrypt with the same CMK on the ciphertext of the data key.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=GenerateDataKey

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | aad | String | "Y2hhbGxlbmdl" | Extra data (AAD) supplied by the user that helps ensure data integrity; it is not included in the ciphertext. Stored as a BASE64 string. |
    | keyid | String | "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef" | The unique id of the specified symmetric CMK. |
    | keylen | int | 16 | The length of the plaintext data key, 0~1024 bytes. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | plaintext | String | "JzoxG7io20MgbbvVnbDhquaZ9nZtZXwRlA***" | The plaintext data key, as a BASE64 string. |
    | ciphertext | String | "J/qC8IwEnhsjFjzIf***" | The ciphertext of the data key, as a BASE64 string. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["aad"] = "Y2hhbGxlbmdl"
      payload["keyid"] = "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef"
      payload["keylen"] = 16

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=GenerateDataKey", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "plaintext": "JzoxG7io20MgbbvVnbDhquaZ9nZtZXwRlA***",
            "ciphertext": "J/qC8IwEnhsjFjzIf***"
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## GenerateDataKeyWithoutPlaintext

The same as GenerateDataKey, except that the plaintext of the generated data key is not returned.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=GenerateDataKeyWithoutPlaintext

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | aad | String | "Y2hhbGxlbmdl" | Extra data (AAD) supplied by the user that helps ensure data integrity; it is not included in the ciphertext. Stored as a BASE64 string. |
    | keyid | String | "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef" | The unique keyid of the specified symmetric CMK. |
    | keylen | int | 16 | The length of the plaintext data key, 0~1024 bytes. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | ciphertext | String | "J/qC8IwEnhsjFjzIf***" | The ciphertext of the data key, as a BASE64 string. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["aad"] = "Y2hhbGxlbmdl"
      # keyid of the symmetric CMK, as in the request payload table above
      payload["keyid"] = "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef"
      payload["keylen"] = 16

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=GenerateDataKeyWithoutPlaintext", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "ciphertext": "J/qC8IwEnhsjFjzIf***"
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## ExportDataKey

The ehsm-core enclave decrypts the user-supplied data key ciphertext with the specified CMK to recover the plaintext data key, then encrypts that data key with the user-supplied public key (the asymmetric CMK identified by ukeyid); the result is the ExportedDataKey. This ExportedDataKey (ciphertext) is returned to the caller.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=ExportDataKey

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | aad | String | "Y2hhbGxlbmdl" | Extra data (AAD) supplied by the user that helps ensure data integrity. Stored as a BASE64 string. |
    | keyid | String | "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef" | The unique keyid of the specified symmetric CMK. |
    | olddatakey | String | "J/qC8IwEnhsjFjzIf***" | The ciphertext of the data key wrapped by the CMK, as a BASE64 string. |
    | ukeyid | String | "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e" | The unique keyid of the asymmetric CMK used for the export. |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | newdatakey | String | "a4cN1k8QcXLhxm8dUoVHbXWB4P1v/kr***" | The ciphertext of the data key wrapped by the ukey, as a BASE64 string. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["aad"] = "Y2hhbGxlbmdl"
      payload["keyid"] = "aac3e45a-d3dc-4791-89b6-4ada0e38e6ef"
      payload["olddatakey"] = "J/qC8IwEnhsjFjzIf***"
      payload["ukeyid"] = "ec1ccb09-4dd5-4af9-b04b-a97c4613cd7e"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=ExportDataKey", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
            "newdatakey": "a4cN1k8QcXLhxm8dUoVHbXWB4P1v/kr***"
        }
      }
      ```

    (return to the Cryptographic Functionalities APIs.)


## GetVersion

Query the KMS server version.

  • Rest API format:

    GET <ehsm_srv_address>/ehsm?Action=GetVersion

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | version | String | "0.2.0" | The version of the eHSM-KMS server. |
    | git_sha | String | "c14b8b8" | The git SHA of the currently running code. |
  • Example

    • Request sample in Shell

      ```shell
      $ curl "<ehsm_srv_address>/ehsm?Action=GetVersion"
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
           "version": "0.2.0",
           "git_sha": "c14b8b8"
        }
      }
      ```

    (return to the Key Management APIs.)


## Enroll

Obtain a valid access keypair (APPID and APIKey); this is required before the public cryptographic APIs can be requested.

Notes: this operation only needs to be done once. After obtaining the APPID and APIKey, the user is responsible for managing the keypair.

  • Rest API format:

    GET <ehsm_srv_address>/ehsm?Action=Enroll

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | apikey | String | "44RPFy3SEqLbAahaP9PXSGQ6ABB6gctr" | The API access key to the eHSM-KMS server. |
    | appid | String | "3309ecfa-d02f-49b3-a107-b47d6c7d3854" | A UUID that represents the customer app. |
  • Example

    • Request sample in Shell

      ```shell
      $ curl "<ehsm_srv_address>/ehsm?Action=Enroll"
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
           "apikey": "44RPFy3SEqLbAahaP9PXSGQ6ABB6gctr",
           "appid": "3309ecfa-d02f-49b3-a107-b47d6c7d3854"
        }
      }
      ```

    (return to the Key Management APIs.)


## ListKey

Query all the CMKs generated by the current account.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=ListKey

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
    | list | JsonArray | see below | The information of each CMK as a JsonObject. |

    Reference value of `list`:

      ```json
      [
       {
        "keyid": "2de54366-30f9-6829-8391-c4eba***",
        "creationDate": 1645152619225,
        "expireTime": 1676688619225,
        "alias": "alias_name",
        "keyspec": "EH_RSA_3072",
        "keyState": 1
       }
      ]
      ```

    The information of each CMK is a JsonObject with the following fields:
     keyid: ID of the CMK
     creationDate: creation date of the CMK
     expireTime: expiry time of the CMK
     alias: alias of the CMK
     keyspec: keyspec of the CMK
     keyState: state of the CMK, 1 (Enable) | 0 (Disable).
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller. This call has no payload.
      params = OrderedDict()
      params["appid"] = appid
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=ListKey", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {
           "list": [
               {
                  "keyid": "2de54366-30f9-6829-8391-c4eba***",
                  "creationDate": 1645152619225,
                  "expireTime": 1676688619225,
                  "alias": "alias_name",
                  "keyspec": "EH_RSA_3072",
                  "keyState": 1
               }
           ]
        }
      }
      ```

    (return to the Key Management APIs.)
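The following is an added example, not eHSM project code, that parses the ListKey response format documented above (code/message and result.list, where each entry carries keyid, creationDate, expireTime, alias, keyspec and keyState with 1 = Enable and 0 = Disable, and timestamps are epoch milliseconds as in the page's sample) and sorts the CMKs into usable, disabled, expired and expiring-soon buckets. `SAMPLE_RESPONSE` is constructed: its first entry is the page's sample key, the other entries and their keyids are invented to exercise each bucket, and the 30-day warning window is an assumed default.

```python
"""Triage the CMK inventory returned by ListKey (added example)."""
import json

DAY_MS = 24 * 60 * 60 * 1000

# Constructed ListKey response; only the first entry comes from the page.
SAMPLE_RESPONSE = json.dumps({
    "code": 200,
    "message": "success!",
    "result": {
        "list": [
            {"keyid": "2de54366-30f9-6829-8391-c4eba***", "creationDate": 1645152619225,
             "expireTime": 1676688619225, "alias": "alias_name",
             "keyspec": "EH_RSA_3072", "keyState": 1},
            {"keyid": "example-disabled-key", "creationDate": 1645152619225,
             "expireTime": 1676688619225, "alias": "old_signing",
             "keyspec": "EH_EC_P256", "keyState": 0},
            {"keyid": "example-expired-key", "creationDate": 1617000000000,
             "expireTime": 1649000000000, "alias": "legacy_aes",
             "keyspec": "EH_AES_GCM_256", "keyState": 1},
            {"keyid": "example-expiring-key", "creationDate": 1619000000000,
             "expireTime": 1651000000000, "alias": "rotate_me",
             "keyspec": "EH_AES_GCM_128", "keyState": 1},
        ]
    },
})

REQUIRED_FIELDS = ("keyid", "creationDate", "expireTime", "alias", "keyspec", "keyState")


def parse_listkey(response_text):
    """Return the list of CMK records; raise if the call failed or a record is malformed."""
    resp = json.loads(response_text)
    if resp.get("code") != 200:
        raise RuntimeError("ListKey failed: code=%s message=%s"
                           % (resp.get("code"), resp.get("message")))
    keys = resp.get("result", {}).get("list", [])
    for entry in keys:
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            raise ValueError("CMK record missing fields %s: %r" % (missing, entry))
    return keys


def triage_keys(keys, now_ms, warn_within_ms=30 * DAY_MS):
    """Bucket CMKs by whether they can be used at now_ms.

    'disabled' if keyState != 1, 'expired' if expireTime has passed,
    'expiring_soon' if it expires within warn_within_ms, otherwise 'usable'."""
    buckets = {"usable": [], "disabled": [], "expired": [], "expiring_soon": []}
    for k in keys:
        if k["keyState"] != 1:
            buckets["disabled"].append(k["keyid"])
        elif k["expireTime"] <= now_ms:
            buckets["expired"].append(k["keyid"])
        elif k["expireTime"] - now_ms <= warn_within_ms:
            buckets["expiring_soon"].append(k["keyid"])
        else:
            buckets["usable"].append(k["keyid"])
    return buckets


if __name__ == "__main__":
    # now_ms is a constructed instant between the page key's creation and expiry.
    report = triage_keys(parse_listkey(SAMPLE_RESPONSE), now_ms=1650000000000)
    for bucket, ids in report.items():
        print("%-14s %s" % (bucket, ", ".join(ids) or "-"))
```

Disabled keys are bucketed before expiry is checked, since a disabled key cannot be used regardless of its expiry; a key that is both disabled and expired therefore shows up once, under disabled.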


## DeleteKey

Delete a specific CMK generated by the current account.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=DeleteKey

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | keyid | String | "2de54366-30f9-6829-8391-c4eba***" | ID of the CMK you want to delete |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["keyid"] = "2de54366-30f9-6829-8391-c4eba***"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=DeleteKey", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {}
      }
      ```

    (return to the Key Management APIs.)


## DeleteALLKey

Delete all the CMKs generated by the current account.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=DeleteALLKey

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller. This call has no payload.
      params = OrderedDict()
      params["appid"] = appid
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=DeleteALLKey", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {}
      }
      ```

    (return to the Key Management APIs.)


## EnableKey

Enable a CMK for the current account.
Only an enabled CMK can be used to perform cryptographic operations.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=EnableKey

  • Request Payload:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | keyid | String | "2de54366-30f9-6829-8391-c4eba***" | ID of the CMK you want to enable |

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    | Name | Type | Reference Value | Description |
    |------|------|-----------------|-------------|
    | code | int | 200 | The result of the method call: 200 is success, anything else is failure. |
    | message | String | "success" | The description of the result. |
  • Example

    • Request sample in python

      ```python
      # Requires the same imports as the CreateKey sample (base64, hmac, json, time,
      # urllib.parse, collections.OrderedDict, hashlib.sha256, requests) and
      # appid, appkey and headers defined by the caller.
      payload = OrderedDict()
      payload["keyid"] = "2de54366-30f9-6829-8391-c4eba***"

      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))

      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()), 'utf-8').upper()

      params["payload"] = payload
      params["sign"] = sign

      requests.post(url="<ehsm_srv_address>/ehsm?Action=EnableKey", data=json.dumps(params), headers=headers)
      ```

    • Response data

      ```json
      {
        "code": 200,
        "message": "success!",
        "result": {}
      }
      ```

    (return to the Key Management APIs.)


## DisableKey

Disable a specified CMK.
A disabled CMK cannot be used until you re-enable it with the EnableKey API.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=DisableKey

  • Request Payload:

    Name Type Reference Value Description
    keyid String "2de54366-30f9-6829-8391-c4eba***" ID of the CMK you want to disable

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "success" The description of result.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["keyid"] = "2de54366-30f9-6829-8391-c4eba***"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=DisableKey", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "success!",
        "result": {}
      }

    (return to the Key Management APIs.)


GenerateQuote

Generates a quote of the eHSM-KMS core enclave that the user can use for SGX DCAP Remote Attestation. The user may send it to a trusted remote third party, or send it directly back to eHSM-KMS via the VerifyQuote API, to have the quote verified.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=GenerateQuote

  • Request Payload:

    Name Type Reference Value Description
    challenge String "Y2hhbGxlbmdl" A challenge in BASE64 string.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "success" The description of result.
    challenge String "Y2hhbGxlbmdl" A challenge in BASE64 string.
    quote String "AwACAAAAAAAHAAwAk5pB***" A quote of the eHSM-KMS core enclave, as a BASE64 string.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["challenge"] = "Y2hhbGxlbmdl"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=GenerateQuote", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "success!",
        "result": {
           "challenge": "Y2hhbGxlbmdl",
           "quote": "AwACAAAAAAAHAAwAk5pB***"
        }
      }

    (return to the Key Management APIs.)


VerifyQuote

Users are expected to already hold a valid DCAP-format quote; this API sends it to eHSM-KMS for quote verification.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=VerifyQuote

  • Request Payload:

    Name Type Reference Value Description
    quote String "AwACAAAAAAAHAAwAk5pB***" A valid DCAP quote in BASE64 string.
    nonce String "bm9uY2U=" A nonce in BASE64 string.
    policyId String "326f2049-56ab-474f-a1c0-516de230****" quote policy ID.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "success" The description of result.
    result bool "true or false" The result of quote verification
    nonce String "bm9uY2U=" The nonce in BASE64 string.
    mr_enclave String "870c42c59bc74c7ad22869411709e4f78ac3c76add6693bb43296b03362e5038" stores the hash value of the enclave measurement.
    mr_signer String "c30446b4be9baf0f69728423ea613ef81a63e72acf7439fa0549001fd5482835" stores the hash value of the enclave author’s public key.
    sign String "T4DRCEZAPLBbb+d3ObD***" The HMAC signature over the result and nonce, calculated with the API Key.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["nonce"] = "bm9uY2U="
      payload["policyId"] = "326f2049-56ab-474f-a1c0-516de230****"
      payload["quote"] = "AwACAAAAAAAHAAwAk5pB***"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=VerifyQuote", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "success!",
        "result": {
           "result": true,
           "nonce": "bm9uY2U=",
           "mr_enclave": "870c42c59bc74c7ad22869411709e4f78ac3c76add6693bb43296b03362e5038",
           "mr_signer": "c30446b4be9baf0f69728423ea613ef81a63e72acf7439fa0549001fd5482835",
           "sign": "T4DRCEZAPLBbb+d3ObD***"
        }
      }

    (return to the Key Management APIs.)
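The client-side acceptance checks for a VerifyQuote response, as an added example that is not part of the eHSM project's code: the returned nonce must equal the one sent, the `sign` field is checked before the verdict is trusted, and mr_enclave/mr_signer are compared against the policy uploaded with UploadQuotePolicy. The page does not specify the exact text the service signs; `nonce=<nonce>&result=<true|false>` is an assumption made here, as is the constructed API key.

```python
import base64
import hmac
import os
from hashlib import sha256

APPKEY = "constructed-api-key-for-illustration"  # constructed; the real key comes from the maintainer

# The measurements returned by GetQuotePolicy for the policyId passed to VerifyQuote
# (reference values from this page).
EXPECTED_POLICY = {
    "mr_enclave": "870c42c59bc74c7ad22869411709e4f78ac3c76add6693bb43296b03362e5038",
    "mr_signer": "c30446b4be9baf0f69728423ea613ef81a63e72acf7439fa0549001fd5482835",
}


def new_nonce(nbytes=16):
    """Fresh random nonce, BASE64 encoded as the nonce field expects."""
    return base64.b64encode(os.urandom(nbytes)).decode("utf-8")


def result_sign(appkey, result, nonce):
    """HMAC over the verification result and nonce, as base64(HMAC-SHA256).upper().
    ASSUMPTION: the page says only 'HMAC of result and nonce'; the signed text
    'nonce=<nonce>&result=<true|false>' (ASCII-sorted keys, mirroring the request
    convention) is assumed for this example and must be confirmed against the service."""
    text = "nonce=%s&result=%s" % (nonce, "true" if result else "false")
    mac = hmac.new(appkey.encode("utf-8"), text.encode("utf-8"), digestmod=sha256).digest()
    return base64.b64encode(mac).decode("utf-8").upper()


def check_verify_quote_response(resp, sent_nonce, appkey, policy):
    """Decide whether to trust a VerifyQuote response. Returns (accepted, reason).
    The verdict is only read after its freshness and authenticity are established."""
    if resp.get("code") != 200:
        return False, "service returned code %s" % resp.get("code")
    r = resp.get("result") or {}
    # 1. Freshness: the echoed nonce binds this answer to the request we just made.
    if not hmac.compare_digest(str(r.get("nonce", "")).encode("utf-8"), sent_nonce.encode("utf-8")):
        return False, "nonce mismatch"
    # 2. Authenticity: the verdict is signed with the API key, so a flipped result is detected.
    verdict = r.get("result") is True
    expected = result_sign(appkey, verdict, sent_nonce)
    if not hmac.compare_digest(str(r.get("sign", "")).encode("utf-8"), expected.encode("utf-8")):
        return False, "result signature mismatch"
    # 3. Only now read the verdict itself.
    if not verdict:
        return False, "quote failed verification"
    # 4. Identity: the attested enclave must be the one the policy pins.
    for field in ("mr_enclave", "mr_signer"):
        if str(r.get(field, "")).lower() != policy[field].lower():
            return False, "%s does not match policy" % field
    return True, "ok"


if __name__ == "__main__":
    nonce = new_nonce()
    # Constructed response shaped like the page's VerifyQuote sample.
    resp = {"code": 200, "message": "success!", "result": {
        "result": True, "nonce": nonce,
        "mr_enclave": EXPECTED_POLICY["mr_enclave"], "mr_signer": EXPECTED_POLICY["mr_signer"],
        "sign": result_sign(APPKEY, True, nonce)}}
    print(check_verify_quote_response(resp, nonce, APPKEY, EXPECTED_POLICY))
```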


UploadQuotePolicy

UploadQuotePolicy uploads an MRENCLAVE and MRSIGNER pair as a quote policy and returns the new policyId.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=UploadQuotePolicy

  • Request Payload:

    Name Type Reference Value Description
    mr_enclave String "870c42c59bc74c7ad22869411709e4f78ac3c76add6693bb43296b03362e5038" stores the hash value of the enclave measurement.
    mr_signer String "c30446b4be9baf0f69728423ea613ef81a63e72acf7439fa0549001fd5482835" stores the hash value of the enclave author’s public key.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "success" The description of result.
    policyId String "15ca0dd5-2d34-4221-a708-3171ffe6***" a new policy ID
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["mr_enclave"] = "870c42c59bc74c7ad22869411709e4f78ac3c76add6693bb43296b03362e5038"
      payload["mr_signer"] = "c30446b4be9baf0f69728423ea613ef81a63e72acf7439fa0549001fd5482835"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=UploadQuotePolicy", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "success!",
        "result": {
           "policyId": "15ca0dd5-2d34-4221-a708-3171ffe6***"
        }
      }

    (return to the Key Management APIs.)


GetQuotePolicy

Query a quote policy information by policyid.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=GetQuotePolicy

  • Request Payload:

    Name Type Reference Value Description
    policyId String "15ca0dd5-2d34-4221-a708-3171ffe6***" a policy ID

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "success" The description of result.
    policyId String "15ca0dd5-2d34-4221-a708-3171ffe6***" a policy ID
    mr_enclave String "870c42c59bc74c7ad22869411709e4f78ac3c76add6693bb43296b03362e5038" stores the hash value of the enclave measurement.
    mr_signer String "c30446b4be9baf0f69728423ea613ef81a63e72acf7439fa0549001fd5482835" stores the hash value of the enclave author’s public key.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["policyId"] = "15ca0dd5-2d34-4221-a708-3171ffe6***"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=GetQuotePolicy", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "success!",
        "result": {
           "policyId": "15ca0dd5-2d34-4221-a708-3171ffe6***",
           "mr_enclave": "870c42c59bc74c7ad22869411709e4f78ac3c76add6693bb43296b03362e5038",
           "mr_signer": "c30446b4be9baf0f69728423ea613ef81a63e72acf7439fa0549001fd5482835"
        }
      }

    (return to the Key Management APIs.)


CreateSecret

Creates a secret and stores its initial version.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=CreateSecret

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Yes "secretName01" The name of the secret.
    secretData String Yes "secretData01" The value of the secret.
    encryptionKeyId String Optional "0197ad2d-c4be-4948-996d-513c6f1e***" The ID of the CMK that is used to encrypt the secret value.
    description String Optional "desc01" The description of the secret.
    rotationInterval String Optional "30d" The interval for automatic rotation. Format: integer[unit], where unit can be d (day), h (hour), m (minute) or s (second). default='30d'

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "The secretName01 create success." The description of result.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["description"] = "desc01"
      payload["encryptionKeyId"] = "0197ad2d-c4be-4948-996d-513c6f1e***"
      payload["rotationInterval"] = "30d"
      payload["secretData"] = "secretData01"
      payload["secretName"] = "secretName01"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=CreateSecret", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "The secretName01 create success.",
        "result": {
        }
      }

    (return to the Key Management APIs.)


UpdateSecretDesc

Update the description of a secret.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=UpdateSecretDesc

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Yes "secretName01" The name of the secret.
    description String Optional "newDesc" A new description of the secret.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "Update secret description success." The description of result.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["description"] = "newDesc"
      payload["secretName"] = "secretName01"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=UpdateSecretDesc", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "Update secret description success.",
        "result": {
        }
      }

    (return to the Key Management APIs.)


PutSecretValue

Stores the secret value of a new version into a secret object.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=PutSecretValue

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Yes "secretName01" The name of the secret.
    secretData String Yes "secretData02" The value of the secret.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "The secretName01 new version put success." The description of result.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["secretData"] = "secretData02"
      payload["secretName"] = "secretName01"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=PutSecretValue", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "The secretName01 new version put success.",
        "result": {
        }
      }

    (return to the Key Management APIs.)


ListSecretVersionIds

Queries all versions of a secret. At most 4000 entries are returned.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=ListSecretVersionIds

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Yes "secretName01" The name of the secret.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "List secret versionIds success." The description of result.
    secretName String "secretName01" The name of the secret.
    totalCount int 2 The number of returned versions.
    versionIds JsonArray [{"versionId":2,"createTime":1661393991091},{"versionId":1,"createTime":1661393990546}] The list of secret versions.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["secretName"] = "secretName01"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=ListSecretVersionIds", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "List secret versionIds success.",
        "result": {
          "secretName": "secretName01",
          "totalCount": 2,
          "versionIds": [
            {
              "versionId": 2,
              "createTime": 1661393991091
            }, {
              "versionId": 1,
              "createTime": 1661393990546
            }
          ]
        }
      }

    (return to the Key Management APIs.)


ListSecrets

Queries all secrets created by your appid. At most 4000 entries are returned.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=ListSecrets

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Optional "secretName01" The name of the secret.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "List secrets success." The description of result.
    totalCount int 2 The number of returned secrets.
    secretList JsonArray [{"secretName":"secretName01","description":"myNewSecret","createTime":1661393990546},{"secretName":"secretName002","description":"mysecret","createTime":1661393990764}] The list of secrets.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["secretName"] = "secretName01"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=ListSecrets", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "List secrets success.",
        "result": {
          "totalCount": 1,
          "secretList": [
            {
              "secretName": "secretName01",
              "description": "myNewSecret",
              "createTime": 1661393990546
            }
          ]
        }
      }

    (return to the Key Management APIs.)


DescribeSecret

Obtains the metadata of a secret.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=DescribeSecret

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Yes "secretName01" The name of the secret.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "List secrets success." The description of result.
    secretName String "secretName01" The name of the secret.
    description String "desc01" The description of the secret.
    createTime long 1661393990546 The time when the secret was created.
    plannedDeleteTime long 1659519772925 The time when the secret is scheduled to be deleted.
    rotationInterval String "30h" The interval for automatic rotation.
    lastRotationDate long 1661393990546 The time when the last rotation was performed.
    nextRotationDate long 1661501990546 The time when the next rotation will be performed.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["secretName"] = "secretName01"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=DescribeSecret", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "Describe secrets success.",
        "result": {
          "secretName": "secretName01",
          "description": "desc01",
          "createTime": 1661393990546,
          "rotationInterval": "30h",
          "lastRotationDate": "",
          "nextRotationDate": 1661501990546
        }
      }

    (return to the Key Management APIs.)


DeleteSecret

Forcibly deletes a secret, or schedules it for deletion after a recovery period.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=DeleteSecret

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Yes "secretName01" The name of the secret.
    recoveryPeriod int Optional 50 Specifies the recovery period of the secret in days, if you do not forcibly delete it. default=30
    forceDelete String Optional "true" Specifies whether to forcibly delete the secret. If this parameter is set to true, the secret cannot be recovered. default="false"

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "The secretName01 will be deleted after 50 days." The description of result.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["recoveryPeriod"] = 50
      payload["secretName"] = "secretName01"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=DeleteSecret", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "The secretName01 will be deleted after 50 days.",
        "result": {
        }
      }

    (return to the Key Management APIs.)


GetSecretValue

Obtains a secret value.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=GetSecretValue

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Yes "secretName01" The name of the secret.
    versionId int Optional 2 The version number of the secret value.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "successful" The description of result.
    secretName String "secretName01" The name of the secret.
    secretData String "secretData01" The secret value.
    versionId int 2 The version number of the secret value.
    createTime long 1659519772925 The time when the secret value was created, millisecond unit.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["secretName"] = "secretName01"
      payload["versionId"] = 2
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=GetSecretValue", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "successful",
        "result": {
          "secretName": "secretName01",
          "secretData": "secretData02",
          "versionId": 2,
          "createTime": 1661393991091
        }
      }

    (return to the Key Management APIs.)


RestoreSecret

Restores a deleted secret.

  • Rest API format:

    POST <ehsm_srv_address>/ehsm?Action=RestoreSecret

  • Request Payload:

    Name Type Required Reference Value Description
    secretName String Yes "secretName01" The name of the secret.

    Notes: for the common request parameters, please refer to the common params

  • Response Data:

    Name Type Reference Value Description
    code int 200 The result of the method call, 200 is success, others are fail.
    message String "The secretName01 restore success." The description of result.
  • Example

    • Request sample in python
      payload = OrderedDict()
      payload["secretName"] = "secretName01"
    
      params = OrderedDict()
      params["appid"] = appid
      params["payload"] = urllib.parse.unquote_plus(urllib.parse.urlencode(payload))
      params["timestamp"] = str(int(time.time() * 1000))
    
      sign_string = urllib.parse.unquote_plus(urllib.parse.urlencode(params))
      sign = str(base64.b64encode(hmac.new(appkey.encode('utf-8'), sign_string.encode('utf-8'), digestmod=sha256).digest()),'utf-8').upper()
    
      params["payload"] = payload
      params["sign"] = sign
      
      requests.post(url="<ehsm_srv_address>/ehsm?Action=RestoreSecret", data=json.dumps(params), headers=headers)
    • Response data
      Response= {
        "code": 200,
        "message": "The secretName01 restore success.",
        "result": {
        }
      }

    (return to the Key Management APIs.)