Decrypting Product/Device Secret¶

When obtaining product secret or device secret via APIs, the returned values are encrypted. Follow the steps below to obtain and decrypt product and device secrets.

Note

Only when using the V2.4 APIs of Connection Service, the returned values of product/device secret are encrypted. The API versions before V2.4 are not affected.

Prerequisites¶

Ensure that the service account for authentication has been obtained and authorized. For more information, see API Authentication.
For obtaining the RSA key pair of the service account in EnOS Management Console > Identity and Access Management, ensure that the service account has been authorized with the permission of the OU administrator.

Decrypting Product Secret¶

Operation Permissions ¶

Before using APIs to obtain product secret, ensure that the service account has been granted with policies that contain the following services and operation permissions. For more information on authorizing service accounts, see Managing Service Accounts.

Required Service	Required Operation Permission
Product	Create or Update

Procedure¶

Taking Search Product as an example, the steps to obtain and decrypt the product secret are introduced.

Create or obtain RSA private key files for the service account according to Managing RSA Key Pairs. The private key is as follows:

Note

In EnOS Lightweight, you need to contact the system administrator to obtain RSA private key files.

```
-----BEGIN PRIVATE KEY-----
PrivateKeyABC123
-----END PRIVATE KEY-----
```

Follow How to Invoke an EnOS API to invoke the Search Product API and request the following parameters. Ensure that an RSA key pair has been created for the service account before you set the requireSecret parameter to true in the request.

url: https://{apigw-address}/connect-service/v2.4/products?action=search&orgId=yourOrgId
method: POST
requestBody:
{
    "expression":"modelId=\"TestModel\"",
    "pagination":{
        "pageNo":1,
        "pageSize":1
    },
    "requireSecret": true,
    "populateLastUpdateInfo": true
}

You will obtain the following return content:

{
    "code":0,
    "msg":"OK",
    "requestId":"5428977e-c820-4595-9566-c1ba11c62438",
    "data":[
        {
            "orgId":"yourOrgId",
            "productKey":"RuWKBPGM",
            "productName":{
                "defaultValue":"product01",
                "i18nValue":{}
            },
            "productSecret":"EcryptedProductSecret",
            "sessionKey":"EcryptedsessionKey1",
            "productDesc":"",
            "productType":"Device",
            "dataFormat":"Json",
            "productTags":null,
            "protocolGatewayIds":null,
            "modelId":"TestModel",
            "dynamicActiveEnabled":false,
            "biDirectionalAuth":true,
            "createBy":"u15927947823741",
            "createTime":"1680514029150",
            "updateBy":"u15927947823741",
            "updateTime":1680514029150
        }
    ],
    "pagination":{
        "sortedBy":null,
        "pageNo":1,
        "pageSize":1,
        "totalSize":1980
    }
}

Use the RSA decryption tool with the RSA private key as the key to calculate the actual sessionKey.
- Key:
```
PrivateKeyABC123
```
- Ciphertext:
```
EcryptedsessionKey1
```
- Private key password: The private key password set when creating the key pair. Leave it blank if not set.
- Padding: PKCS1_Padding
The resulting sessionKey is as follows:
```
[1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
```
Use the AES decryption tool to calculate the actual product secret.
- Key:
```
[1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
```
- Ciphertext:
```
EcryptedProductSecret
```
- Mode: ECB
- Padding: PKCS7
- Ciphertext Encoding: Base64
The generated plaintext is the product secret.

Decrypting Device Secret¶

Operation Permissions ¶

Before using APIs to obtain device secret, make sure that the service account has been granted with policies that contain the following services and operation permissions. For more information on authorizing service accounts, see Managing Service Accounts.

Required Resource	Required Operation Permissions
Device Management Service	Full Access

Procedure¶

Taking Search Device API as an example, the steps to obtain and decrypt the device secret are introduced.

Create or obtain RSA private key files for the service account according to Managing RSA Key Pairs. The private key has the following format:

Note

In EnOS Lightweight, you need to contact the system administrator to obtain RSA private key files.
```
-----BEGIN PRIVATE KEY-----
PrivateKeyABC123
-----END PRIVATE KEY-----
```

Follow How to Invoke an EnOS API to invoke the Search Device API and request the following parameters. Ensure that an RSA key pair has been created for the service account before you set the requireSecret parameter to true in the request.

url:https://{apigw-address}/connect-service/v2.4/devices?action=search&orgId=yourOrgId
method: POST
requestBody:
{
    "expression": "assetId = 'ABC1234'",
    "pagination":{
        "pageNo":1,
        "pageSize":1
    },
    "requireSecret": true,
    "populateLastUpdateInfo": true
}

You will obtain the following return content:

{
    "code":0,
    "msg":"OK",
    "requestId":"5ee49000-11e0-476f-8a71-ca4f1b975422",
    "data":[
        {
            "orgId":"yourOrgId",
            "assetId":"yourAssetId",
            "modelId":"AT_certificate_certBase_model_1",
            "modelIdPath":"/AT_certificate_certBase_model_1",
            "productKey":"productKey",
            "productName":{
                "defaultValue":"AT_certificate_certBase_product_1",
                "i18nValue":{
                    "zh_CN": null,
                    "en_ES": null,
                    "ja_JP": null,
                    "en_US": null
                }
            },
            "productType":"Device",
            "dataFormat":"Custom",
            "deviceKey":"deviceKey",
            "deviceName":{
                "defaultValue":"AT_cert",
                "i18nValue":{
                }
            },
            "deviceSecret":"EcrypteddeviceSecret",
            "sessionKey":"EcryptedsessionKey2",
            "deviceDesc":null,
            "timezone":"+09:00",
            "deviceAttributes":{
                "invType": 0,
                "Capacity": 123.0
            },
            "deviceTags":{

            },
            "mirrorSource": null,
            "firmwareVersion": null,
            "createTime":1679556857342,
            "status":"inactive",
            "activeTime":0,
            "lastOnlineTime":0,
            "lastOfflineTime":0,
            "measurepointLastUpdate":null,
            "eventLastUpdate":null,
            "attributeLastUpdate":null,
            "featureLastUpdate":null
        }
    ],
    "pagination":{
        "sortedBy":null,
        "pageNo":1,
        "pageSize":2,
        "totalSize":211
    }
}

Use the RSA decryption tool with the RSA private key as the key to calculate the actual sessionKey.
- Key:
```
PrivateKeyABC123
```
- Ciphertext:
```
EcryptedsessionKey2
```
- Private key password: The private key password set when creating the key pair. Leave it blank if not set.
- Padding: PKCS1_Padding
The resulting sessionKey is as follows:
```
[10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0]
```
Use the AES decryption tool to calculate the actual device secret.
- Key:
```
[10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0]
```
- Ciphertext:
```
EcrypteddeviceSecret
```
- Mode: ECB
- Padding: PKCS7
- Ciphertext Encoding: Base64
The generated plaintext is the device secret.