KMIP Encrypt
A KMIP Encrypt request carries the cryptographic parameters (algorithm, mode and padding method), the data to be encrypted and, optionally, the IV to be used. For AES/CBC/PKCS5Padding and AES/CBC/NoPadding, if the request does not contain an IV, a random IV is generated on behalf of the client.
The response includes the key, i.e. the unique identifier of the managed cryptographic object, the encrypted text and, when the algorithm requires an IV and none was provided in the request, the randomly generated IV that was used for encryption.
For AES
KMIPCipher cipher = KMIPCipher.getInstance(String algoName);
KMIPIvSpec spec = new KMIPIvSpec(byte[] iv);
cipher.init(KMIPCipher.ENCRYPT_MODE, KMIPIvSpec spec, KMIPSession session, String uid);
KMIPCryptoResult res = cipher.doFinal(byte[] data);
Example
KMIPCipher cipher = KMIPCipher.getInstance("AES/CBC/PKCS5Padding");
// 16-byte IV for AES/CBC; a fixed value here for illustration only, use a fresh random IV per message
KMIPIvSpec spec = new KMIPIvSpec("0123456701234567".getBytes());
// the key is referenced by its unique identifier (UID)
cipher.init(KMIPCipher.ENCRYPT_MODE, spec, session, "516BB93CF328774BA0545BC819FE26ACA8054430B0FF32BA9EA119BF6187A075");
KMIPCryptoResult result = cipher.doFinal("hello".getBytes());
Instead of the UID, a key name can also be used; see the overloaded init API for this.
For AES/GCM
KMIPCipher cipher = KMIPCipher.getInstance(String algoName);
KMIPGCMSpec spec = new KMIPGCMSpec(int tagLength, byte[] iv);
Note:
— For AES/GCM, an IV of size between 1 and 16 bytes is mandatory. The recommended IV size is 12 bytes.
— The Auth Tag Length is mandatory for AES/GCM and must be one of 4, 8, 12, 13, 14, 15 or 16.
— KMIP does not support additional authenticated data (AAD).
For RSA
KMIPCipher cipher = KMIPCipher.getInstance(String algoName);
cipher.init(KMIPCipher.ENCRYPT_MODE, KMIPSession session, String uid);
KMIPCryptoResult result = cipher.doFinal(byte[] data);
Note:
— Only PKCS1Padding is supported for RSA.
— Use the other overloaded init API to pass a key name instead of a UID. RSA does not require a spec. Refer to the javadocs for more details.
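The following helper ties the three cases above together (AES/CBC with either a caller-supplied or a server-generated IV, AES/GCM with the IV and tag-length constraints from the note checked client-side, and RSA with PKCS1Padding). It is an added example, not code from the KMIP client library or its documentation. KMIPCipher, KMIPIvSpec, KMIPGCMSpec, KMIPSession and KMIPCryptoResult are the classes documented on this page; the transformation strings "AES/GCM/NoPadding" and "RSA/ECB/PKCS1Padding", the init overload that accepts a KMIPGCMSpec, the three-argument init for AES/CBC when the server should choose the IV, the accessors getData() and getIV() on KMIPCryptoResult, and the exception type are assumptions to be checked against the javadocs.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;

/*
 * Added example, not part of the KMIP client library or its documentation.
 * ASSUMPTIONS to verify against the javadocs: the transformation strings,
 * init(int, KMIPGCMSpec, KMIPSession, String) for GCM, init(int, KMIPSession,
 * String) for AES/CBC without an IV, and KMIPCryptoResult.getData()/getIV().
 */
public final class KmipEncryptHelper {

    // Constraints from the note above: GCM IV 1..16 bytes (12 recommended), tag length from the listed set
    private static final List<Integer> GCM_TAG_LENGTHS = Arrays.asList(4, 8, 12, 13, 14, 15, 16);
    private static final int GCM_IV_BYTES = 12;
    private static final int CBC_IV_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** Ciphertext plus the IV that must be stored alongside it for later decryption. */
    public static final class EncryptedBlob {
        public final byte[] ciphertext;
        public final byte[] iv;
        EncryptedBlob(byte[] ciphertext, byte[] iv) { this.ciphertext = ciphertext; this.iv = iv; }
    }

    private KmipEncryptHelper() {}

    /** Rejects GCM parameters the server would refuse, before any request is sent. */
    static void checkGcmParams(byte[] iv, int tagLength) {
        if (iv == null || iv.length < 1 || iv.length > 16) {
            throw new IllegalArgumentException("AES/GCM IV must be 1 to 16 bytes");
        }
        if (!GCM_TAG_LENGTHS.contains(tagLength)) {
            throw new IllegalArgumentException("AES/GCM tag length must be one of " + GCM_TAG_LENGTHS);
        }
    }

    /** AES/GCM with a fresh random 12-byte IV and a 16-byte tag (KMIP does not support AAD). */
    public static EncryptedBlob encryptAesGcm(KMIPSession session, String uid, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                   // never reuse an IV under the same key
        int tagLength = 16;
        checkGcmParams(iv, tagLength);
        KMIPCipher cipher = KMIPCipher.getInstance("AES/GCM/NoPadding"); // transformation string assumed
        KMIPGCMSpec spec = new KMIPGCMSpec(tagLength, iv);
        cipher.init(KMIPCipher.ENCRYPT_MODE, spec, session, uid);        // GCM init overload assumed
        KMIPCryptoResult result = cipher.doFinal(plaintext);
        return new EncryptedBlob(result.getData(), iv);                  // getData() assumed
    }

    /**
     * AES/CBC/PKCS5Padding. With iv == null the request carries no IV, so the server
     * generates one and returns it in the response (as described above); otherwise
     * the caller-supplied 16-byte IV is used. Either way the IV used is returned.
     */
    public static EncryptedBlob encryptAesCbc(KMIPSession session, String uid, byte[] plaintext, byte[] iv) throws Exception {
        KMIPCipher cipher = KMIPCipher.getInstance("AES/CBC/PKCS5Padding");
        if (iv == null) {
            cipher.init(KMIPCipher.ENCRYPT_MODE, session, uid);          // no-IV init overload assumed
            KMIPCryptoResult result = cipher.doFinal(plaintext);
            return new EncryptedBlob(result.getData(), result.getIV());  // getIV() assumed
        }
        if (iv.length != CBC_IV_BYTES) {
            throw new IllegalArgumentException("AES/CBC IV must be 16 bytes");
        }
        cipher.init(KMIPCipher.ENCRYPT_MODE, new KMIPIvSpec(iv), session, uid);
        return new EncryptedBlob(cipher.doFinal(plaintext).getData(), iv);
    }

    /** Fresh random 16-byte CBC IV for callers who prefer to choose the IV themselves. */
    public static byte[] newCbcIv() {
        byte[] iv = new byte[CBC_IV_BYTES];
        RNG.nextBytes(iv);
        return iv;
    }

    /** RSA with PKCS1Padding, the only RSA padding the API supports; no spec is needed. */
    public static byte[] encryptRsa(KMIPSession session, String uid, byte[] plaintext) throws Exception {
        KMIPCipher cipher = KMIPCipher.getInstance("RSA/ECB/PKCS1Padding"); // transformation string assumed
        cipher.init(KMIPCipher.ENCRYPT_MODE, session, uid);
        return cipher.doFinal(plaintext).getData();
    }
}
```

The checks in checkGcmParams mirror the server-side constraints so that a malformed IV or tag length fails fast in the client rather than as a rejected KMIP request; returning the IV together with the ciphertext (whether the client or the server chose it) is what makes the result decryptable later.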