Decrypting Product/Device Secret
When obtaining product secret or device secret via APIs, the returned values are encrypted. Follow the steps below to obtain and decrypt product and device secrets.
Note
The returned product/device secret values are encrypted only when you use the V2.4 APIs of Connection Service. API versions before V2.4 are not affected.
Prerequisites
Ensure that the service account for authentication has been obtained and authorized. For more information, see API Authentication.
To obtain the RSA key pair of the service account in EnOS Management Console > Identity and Access Management, ensure that:
EnOS 2.4 CU1 has been installed in your environment.
The service account has been authorized with the permission of the OU administrator.
Decrypting Product Secret
Operation Permissions
Before using APIs to obtain the product secret, ensure that the service account has been granted policies that contain the following service and operation permission. For more information on authorizing service accounts, see Managing Service Accounts.
Required Service | Required Operation Permission
---|---
Product | Create or Update
Procedure
The following steps use the Search Product API as an example to obtain and decrypt the product secret.
Create or obtain the RSA private key file for the service account according to Managing RSA Key Pairs. The private key is as follows:
-----BEGIN PRIVATE KEY-----
PrivateKeyABC123
-----END PRIVATE KEY-----
Follow How to Invoke an EnOS API to invoke the Search Product API with the following request parameters. Ensure that an RSA key pair has been created for the service account before you set the requireSecret parameter to true in the request.
url: https://{apigw-address}/connect-service/v2.4/products?action=search&orgId=yourOrgId
method: POST
requestBody:
{
  "expression": "modelId=\"TestModel\"",
  "pagination": {
    "pageNo": 1,
    "pageSize": 1
  },
  "requireSecret": true,
  "populateLastUpdateInfo": true
}
You will obtain the following return content:
{
  "code": 0,
  "msg": "OK",
  "requestId": "5428977e-c820-4595-9566-c1ba11c62438",
  "data": [
    {
      "orgId": "yourOrgId",
      "productKey": "RuWKBPGM",
      "productName": {
        "defaultValue": "product01",
        "i18nValue": {}
      },
      "productSecret": "EcryptedProductSecret",
      "sessionKey": "EcryptedsessionKey1",
      "productDesc": "",
      "productType": "Device",
      "dataFormat": "Json",
      "productTags": null,
      "protocolGatewayIds": null,
      "modelId": "TestModel",
      "dynamicActiveEnabled": false,
      "biDirectionalAuth": true,
      "createBy": "u15927947823741",
      "createTime": "1680514029150",
      "updateBy": "u15927947823741",
      "updateTime": 1680514029150
    }
  ],
  "pagination": {
    "sortedBy": null,
    "pageNo": 1,
    "pageSize": 1,
    "totalSize": 1980
  }
}
Use the RSA decryption tool with the RSA private key as the key to calculate the actual sessionKey.
Key:
PrivateKeyABC123
Ciphertext:
EcryptedsessionKey1
Private key password: The private key password set when creating the key pair. Leave it blank if no password was set.
Padding: PKCS1_Padding
The resulting sessionKey is as follows:
[1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
Use the AES decryption tool with the sessionKey as the key to calculate the actual product secret.
Key:
[1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
Ciphertext:
EcryptedProductSecret
Mode: ECB
Padding: PKCS7
Ciphertext Encoding: Base64
The generated plaintext is the product secret.
Decrypting Device Secret
Operation Permissions
Before using APIs to obtain the device secret, make sure that the service account has been granted policies that contain the following resource and operation permission. For more information on authorizing service accounts, see Managing Service Accounts.
Required Resource | Required Operation Permissions
---|---
Device Management Service | Full Access
Procedure
The following steps use the Search Device API as an example to obtain and decrypt the device secret.
Create or obtain the RSA private key file for the service account according to Managing RSA Key Pairs. The private key has the following format:
-----BEGIN PRIVATE KEY-----
PrivateKeyABC123
-----END PRIVATE KEY-----
Follow How to Invoke an EnOS API to invoke the Search Device API with the following request parameters. Ensure that an RSA key pair has been created for the service account before you set the requireSecret parameter to true in the request.
url: https://{apigw-address}/connect-service/v2.4/devices?action=search&orgId=yourOrgId
method: POST
requestBody:
{
  "expression": "assetId = 'ABC1234'",
  "pagination": {
    "pageNo": 1,
    "pageSize": 1
  },
  "requireSecret": true,
  "populateLastUpdateInfo": true
}
You will obtain the following return content:
{
  "code": 0,
  "msg": "OK",
  "requestId": "5ee49000-11e0-476f-8a71-ca4f1b975422",
  "data": [
    {
      "orgId": "yourOrgId",
      "assetId": "yourAssetId",
      "modelId": "AT_certificate_certBase_model_1",
      "modelIdPath": "/AT_certificate_certBase_model_1",
      "productKey": "productKey",
      "productName": {
        "defaultValue": "AT_certificate_certBase_product_1",
        "i18nValue": {
          "zh_CN": null,
          "en_ES": null,
          "ja_JP": null,
          "en_US": null
        }
      },
      "productType": "Device",
      "dataFormat": "Custom",
      "deviceKey": "deviceKey",
      "deviceName": {
        "defaultValue": "AT_cert",
        "i18nValue": {}
      },
      "deviceSecret": "EcrypteddeviceSecret",
      "sessionKey": "EcryptedsessionKey2",
      "deviceDesc": null,
      "timezone": "+09:00",
      "deviceAttributes": {
        "invType": 0,
        "Capacity": 123.0
      },
      "deviceTags": {},
      "mirrorSource": null,
      "firmwareVersion": null,
      "createTime": 1679556857342,
      "status": "inactive",
      "activeTime": 0,
      "lastOnlineTime": 0,
      "lastOfflineTime": 0,
      "measurepointLastUpdate": null,
      "eventLastUpdate": null,
      "attributeLastUpdate": null,
      "featureLastUpdate": null
    }
  ],
  "pagination": {
    "sortedBy": null,
    "pageNo": 1,
    "pageSize": 2,
    "totalSize": 211
  }
}
Use the RSA decryption tool with the RSA private key as the key to calculate the actual sessionKey.
Key:
PrivateKeyABC123
Ciphertext:
EcryptedsessionKey2
Private key password: The private key password set when creating the key pair. Leave it blank if no password was set.
Padding: PKCS1_Padding
The resulting sessionKey is as follows:
[10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0]
Use the AES decryption tool with the sessionKey as the key to calculate the actual device secret.
Key:
[10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0]
Ciphertext:
EcrypteddeviceSecret
Mode: ECB
Padding: PKCS7
Ciphertext Encoding: Base64
The generated plaintext is the device secret.
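The two-step decryption described above (RSA-decrypt the sessionKey with the service account's private key, then AES-ECB/PKCS7-decrypt the base64 secret with that sessionKey) is the same for product and device secrets. The Ruby script below is an added example, not EnOS code or an official SDK; it uses only Ruby's bundled openssl library, and the simulate_api_response helper, the throwaway RSA key pair and the demo secret are constructed stand-ins for the real API response so that it runs offline. It assumes the API's sessionKey is a valid AES key length (the 10- and 11-element arrays shown above are placeholders).

```ruby
require 'openssl'

# RSA step: decode the base64 "sessionKey" field and decrypt it with the service
# account's private key (PEM text) using PKCS#1 v1.5 padding. Pass the passphrase
# only if one was set when the key pair was created.
def decrypt_session_key(private_key_pem, session_key_b64, passphrase: nil)
  key = OpenSSL::PKey::RSA.new(private_key_pem, passphrase)
  key.private_decrypt(session_key_b64.unpack1('m0'), OpenSSL::PKey::RSA::PKCS1_PADDING)
end

# AES step: decode the base64 productSecret/deviceSecret field and decrypt it in
# ECB mode with the recovered session key. OpenSSL strips the PKCS#7 padding in
# #final and raises OpenSSL::Cipher::CipherError if the padding is invalid, which
# is what a wrong session key usually produces.
def decrypt_secret(session_key, secret_b64)
  bits = session_key.bytesize * 8
  unless [128, 192, 256].include?(bits)
    raise ArgumentError, "AES key must be 16, 24 or 32 bytes, got #{session_key.bytesize}"
  end
  cipher = OpenSSL::Cipher.new("aes-#{bits}-ecb")
  cipher.decrypt
  cipher.key = session_key
  cipher.update(secret_b64.unpack1('m0')) + cipher.final
end

# Constructed stand-in for the API side (not EnOS code): a fresh session key is
# RSA-encrypted with the service account's public key and the secret is
# AES-128-ECB/PKCS#7-encrypted with that session key; both come back base64.
def simulate_api_response(rsa_key, plaintext_secret)
  session_key = OpenSSL::Random.random_bytes(16)
  cipher = OpenSSL::Cipher.new('aes-128-ecb')
  cipher.encrypt
  cipher.key = session_key
  enc_secret = cipher.update(plaintext_secret) + cipher.final
  enc_key = rsa_key.public_encrypt(session_key, OpenSSL::PKey::RSA::PKCS1_PADDING)
  { 'sessionKey' => [enc_key].pack('m0'), 'productSecret' => [enc_secret].pack('m0') }
end

if $PROGRAM_NAME == __FILE__
  rsa = OpenSSL::PKey::RSA.new(2048) # throwaway pair standing in for the service account's
  response = simulate_api_response(rsa, 'demoProductSecret')
  session_key = decrypt_session_key(rsa.to_pem, response['sessionKey'])
  puts decrypt_secret(session_key, response['productSecret']) # prints demoProductSecret
end
```

To use it against a real response, replace rsa.to_pem with the contents of the private key file from Managing RSA Key Pairs and feed the sessionKey and productSecret/deviceSecret fields straight from the JSON.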