Decrypting Product/Device Secret


When you obtain a product secret or device secret via APIs, the returned values are encrypted. Follow the steps below to obtain and decrypt product and device secrets.


Note

The returned product/device secret values are encrypted only when you use the V2.4 APIs of Connection Service. API versions earlier than V2.4 are not affected.

Prerequisites


  • Ensure that the service account for authentication has been obtained and authorized. For more information, see API Authentication.

  • To obtain the RSA key pair of the service account in EnOS Management Console > Identity and Access Management, ensure that:

    • EnOS 2.4 CU1 has been installed in your environment.

    • The service account has been authorized with the permission of the OU administrator.

Decrypting Product Secret

Operation Permissions


Before using APIs to obtain the product secret, ensure that the service account has been granted policies that contain the following services and operation permissions. For more information on authorizing service accounts, see Managing Service Accounts.

Required Service | Required Operation Permission
Product | Create or Update

Procedure


The following steps use the Search Product API as an example to show how to obtain and decrypt the product secret.

  1. Create or obtain RSA private key files for the service account according to Managing RSA Key Pairs. The private key is as follows:

    -----BEGIN PRIVATE KEY-----
    PrivateKeyABC123
    -----END PRIVATE KEY-----
    
  2. Follow How to Invoke an EnOS API to invoke the Search Product API with the following request parameters. Ensure that an RSA key pair has been created for the service account before you set the requireSecret parameter to true in the request.

    url: https://{apigw-address}/connect-service/v2.4/products?action=search&orgId=yourOrgId
    method: POST
    requestBody:
    {
        "expression":"modelId=\"TestModel\"",
        "pagination":{
            "pageNo":1,
            "pageSize":1
        },
        "requireSecret": true,
        "populateLastUpdateInfo": true
    }
    
  3. The API returns the following response:

    {
        "code":0,
        "msg":"OK",
        "requestId":"5428977e-c820-4595-9566-c1ba11c62438",
        "data":[
            {
                "orgId":"yourOrgId",
                "productKey":"RuWKBPGM",
                "productName":{
                    "defaultValue":"product01",
                    "i18nValue":{}
                },
                "productSecret":"EcryptedProductSecret",
                "sessionKey":"EcryptedsessionKey1",
                "productDesc":"",
                "productType":"Device",
                "dataFormat":"Json",
                "productTags":null,
                "protocolGatewayIds":null,
                "modelId":"TestModel",
                "dynamicActiveEnabled":false,
                "biDirectionalAuth":true,
                "createBy":"u15927947823741",
                "createTime":"1680514029150",
                "updateBy":"u15927947823741",
                "updateTime":1680514029150
            }
        ],
        "pagination":{
            "sortedBy":null,
            "pageNo":1,
            "pageSize":1,
            "totalSize":1980
        }
    }
    
  4. Use an RSA decryption tool, with the RSA private key as the key, to decrypt the returned sessionKey value and obtain the actual sessionKey. Use the following settings:

    • Key:

      PrivateKeyABC123
      
    • Ciphertext:

      EcryptedsessionKey1
      
    • Private key password: The private key password set when creating the key pair. Leave it blank if not set.

    • Padding: PKCS1_Padding

  5. The resulting sessionKey is as follows:

    [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
    
  6. Use an AES decryption tool, with the sessionKey from the previous step as the key, to calculate the actual product secret. Use the following settings:

    • Key:

      [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
      
    • Ciphertext:

      EcryptedProductSecret
      
    • Mode: ECB

    • Padding: PKCS7

    • Ciphertext Encoding: Base64

  7. The generated plaintext is the product secret.

Decrypting Device Secret

Operation Permissions


Before using APIs to obtain the device secret, ensure that the service account has been granted policies that contain the following services and operation permissions. For more information on authorizing service accounts, see Managing Service Accounts.

Required Resource | Required Operation Permissions
Device Management Service | Full Access

Procedure


The following steps use the Search Device API as an example to show how to obtain and decrypt the device secret.

  1. Create or obtain RSA private key files for the service account according to Managing RSA Key Pairs. The private key has the following format:


    -----BEGIN PRIVATE KEY-----
    PrivateKeyABC123
    -----END PRIVATE KEY-----
    
  2. Follow How to Invoke an EnOS API to invoke the Search Device API with the following request parameters. Ensure that an RSA key pair has been created for the service account before you set the requireSecret parameter to true in the request.


    url: https://{apigw-address}/connect-service/v2.4/devices?action=search&orgId=yourOrgId
    method: POST
    requestBody:
    {
        "expression": "assetId = 'ABC1234'",
        "pagination":{
            "pageNo":1,
            "pageSize":1
        },
        "requireSecret": true,
        "populateLastUpdateInfo": true
    }
    
  3. The API returns the following response:


    {
        "code":0,
        "msg":"OK",
        "requestId":"5ee49000-11e0-476f-8a71-ca4f1b975422",
        "data":[
            {
                "orgId":"yourOrgId",
                "assetId":"yourAssetId",
                "modelId":"AT_certificate_certBase_model_1",
                "modelIdPath":"/AT_certificate_certBase_model_1",
                "productKey":"productKey",
                "productName":{
                    "defaultValue":"AT_certificate_certBase_product_1",
                    "i18nValue":{
                        "zh_CN": null,
                        "en_ES": null,
                        "ja_JP": null,
                        "en_US": null
                    }
                },
                "productType":"Device",
                "dataFormat":"Custom",
                "deviceKey":"deviceKey",
                "deviceName":{
                    "defaultValue":"AT_cert",
                    "i18nValue":{
                    }
                },
                "deviceSecret":"EcrypteddeviceSecret",
                "sessionKey":"EcryptedsessionKey2",
                "deviceDesc":null,
                "timezone":"+09:00",
                "deviceAttributes":{
                    "invType": 0,
                    "Capacity": 123.0
                },
                "deviceTags":{
    
                },
                "mirrorSource": null,
                "firmwareVersion": null,
                "createTime":1679556857342,
                "status":"inactive",
                "activeTime":0,
                "lastOnlineTime":0,
                "lastOfflineTime":0,
                "measurepointLastUpdate":null,
                "eventLastUpdate":null,
                "attributeLastUpdate":null,
                "featureLastUpdate":null
            }
        ],
        "pagination":{
            "sortedBy":null,
            "pageNo":1,
            "pageSize":2,
            "totalSize":211
        }
    }
    
  4. Use an RSA decryption tool, with the RSA private key as the key, to decrypt the returned sessionKey value and obtain the actual sessionKey. Use the following settings:

    • Key:

      PrivateKeyABC123
      
    • Ciphertext:

      EcryptedsessionKey2
      
    • Private key password: The private key password set when creating the key pair. Leave it blank if not set.

    • Padding: PKCS1_Padding

  5. The resulting sessionKey is as follows:

    [10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0]
    
  6. Use an AES decryption tool, with the sessionKey from the previous step as the key, to calculate the actual device secret. Use the following settings:

    • Key:

      [10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0]
      
    • Ciphertext:

      EcrypteddeviceSecret
      
    • Mode: ECB

    • Padding: PKCS7

    • Ciphertext Encoding: Base64

  7. The generated plaintext is the device secret.
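
Steps 4 to 7 of both procedures above (product secret and device secret) are the same two-stage decryption, shown here with the OpenSSL command line as an added example that is not part of the EnOS documentation. It assumes the sessionKey value is Base64 text and that the RSA plaintext is the raw AES key of 16, 24 or 32 bytes; the key pair, session key and secret used in `demo` are constructed.

```bash
#!/usr/bin/env bash
# Added example, not EnOS code. Assumptions: sessionKey is Base64 text and the
# RSA plaintext is the raw AES key (16, 24 or 32 bytes).

# decrypt_secret <private_key.pem> <sessionKey> <productSecret|deviceSecret>
decrypt_secret() {
    local pem="$1" session_b64="$2" secret_b64="$3" key_hex bits
    # Step 4: RSA private-key decryption with PKCS#1 v1.5 padding.
    # The key goes straight to hex so raw bytes never sit in a shell variable.
    key_hex=$(printf '%s' "$session_b64" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$pem" -pkeyopt rsa_padding_mode:pkcs1 |
        od -An -v -tx1 | tr -d ' \n')
    bits=$(( ${#key_hex} * 4 ))
    case $bits in
        128|192|256) ;;
        *) echo "RSA step failed or key length unsupported ($bits bits)" >&2
           return 1 ;;
    esac
    # Step 6: AES-ECB, Base64 ciphertext; openssl enc strips PKCS#7 padding.
    printf '%s' "$secret_b64" | openssl base64 -d -A |
        openssl enc -d "-aes-$bits-ecb" -K "$key_hex"
}

# Constructed round trip: a throwaway key pair, session key and secret stand in
# for the service account key and the API's sessionKey/productSecret fields.
demo() {
    local tmp session key_hex session_b64 secret_b64 rc
    tmp=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/priv.pem" 2>/dev/null
    openssl pkey -in "$tmp/priv.pem" -pubout -out "$tmp/pub.pem"
    session='0123456789abcdef'            # constructed 16-byte session key
    key_hex=$(printf '%s' "$session" | od -An -v -tx1 | tr -d ' \n')
    session_b64=$(printf '%s' "$session" |
        openssl pkeyutl -encrypt -pubin -inkey "$tmp/pub.pem" \
            -pkeyopt rsa_padding_mode:pkcs1 | openssl base64 -A)
    secret_b64=$(printf '%s' 'constructed-product-secret' |
        openssl enc -aes-128-ecb -K "$key_hex" | openssl base64 -A)
    decrypt_secret "$tmp/priv.pem" "$session_b64" "$secret_b64"; rc=$?
    rm -rf "$tmp"
    return $rc
}

demo; echo
```

For a password-protected private key, add a `-passin` option to the `pkeyutl -decrypt` call. The `-K` option places the session key on the `openssl enc` command line, where other local users can read it from the process list, so run this on a host you control.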