AI 助理
备案控制台
官方文档
输入文档关键字查找
首页 密钥管理服务 密钥管理服务KMS 开发参考 SDK参考 KMS实例SDK KMS实例SDK(PHP) 加密解密示例

加密解密示例

更新时间:
产品详情
我的收藏

初始化KMS实例SDK客户端后,您可以通过客户端调用EncryptDecrypt接口对数据进行加密解密。本文介绍加密解密的代码示例。

完整代码示例

集成KMS进行对称加密解密包含三个步骤:

  1. 初始化调用KMS接口的客户端。

  2. 使用客户端调用Encrypt接口对数据进行加密。

  3. 使用客户端调用Decrypt接口对密文数据进行解密。

源码github地址:AesEncryptDecrypt.php

加密解密完整代码示例

<?php

if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}

use AlibabaCloud\Dkms\Gcs\OpenApi\Util\Models\RuntimeOptions;
use AlibabaCloud\Dkms\Gcs\Sdk\Client as AlibabaCloudDkmsGcsSdkClient;
use AlibabaCloud\Dkms\Gcs\OpenApi\Models\Config as AlibabaCloudDkmsGcsOpenApiConfig;
use AlibabaCloud\Dkms\Gcs\Sdk\Models\DecryptRequest;
use AlibabaCloud\Dkms\Gcs\Sdk\Models\EncryptRequest;
use AlibabaCloud\Tea\Utils\Utils as AlibabaCloudTeaUtils;

/**
 * ClientKey传参支持以下三种方式:
 * 1、通过指定ClientKey.json文件路径方式
 * 示例:
 *      String clientKeyFile = "<your client key file path>";
 *      String password = "<your client key password>";
 *      Config cfg = new Config();
 *      cfg.setClientKeyFile(clientKeyFile);
 *      cfg.setPassword(password);
 *
 * 2、通过指定ClientKey内容方式
 * 示例:
 *      String clientKeyContent = "<your client key content>";
 *      String password = "<your client key password>";
 *      Config cfg = new Config();
 *      cfg.setClientKeyContent(clientKeyContent);
 *      cfg.setPassword(password);
 *
 * 3、通过指定私钥和AccessKeyId
 * 示例:
 *      String accessKeyId = "<your client key KeyId>";
 *      String privateKey = "<parse from your client key PrivateKeyData>";
 *      Config cfg = new Config();
 *      cfg.setAccessKeyId(accessKeyId);
 *      cfg.setPrivateKey(privateKey);
 *
 */

// 填写您在KMS应用管理获取的ClientKey文件路径
// $clientKeyFile = '<your client key file path>';

// 或者,填写您在KMS应用管理获取的ClientKey文件内容
$clientKeyContent = '<your client key content>';

// 填写您在KMS应用管理创建ClientKey时输入的加密口令
$password = getenv('CLIENT_KEY_PASSWORD');

// 填写您的KMS实例VPC地址
$endpoint = '<your dkms instance service address>';

// 填写您在KMS创建的主密钥Id
$keyId = '<your cmk id>';

// 加解密算法
$algorithm = '<your encrypt algorithm>';

// 待加密明文
$plaintext = 'encrypt plaintext';

// KMS实例SDK Client对象
$client = getDkmsGcsSdkClient();
if (is_null($client)) exit(1);

//使用KMS进行对称密钥加解密示例
aesEncryptDecryptSample();

/**
 * 使用KMS实例进行加解密示例
 * @return void
 */
function aesEncryptDecryptSample()
{
    global $client, $keyId, $plaintext, $algorithm;

    $cipherCtx = aesEncryptSample($client, $keyId, $plaintext, $algorithm);
    if ($cipherCtx !== null) {
        $decryptResult = AlibabaCloudTeaUtils::toString(aesDecryptSample($client, $cipherCtx));
        if ($plaintext !== $decryptResult) {
            echo 'decrypt result not match the plaintext' . PHP_EOL;
        } else {
            echo 'aesEncryptDecryptSample success' . PHP_EOL;
        }
    }
}

/**
 * 加密示例
 * @param AlibabaCloudDkmsGcsSdkClient $client
 * @param string $keyId
 * @param string $plaintext
 * @param string $algorithm
 * @return AesEncryptContext
 */
function aesEncryptSample($client, $keyId, $plaintext, $algorithm)
{
    // 构建加密请求
    $encryptRequest = new EncryptRequest();
    $encryptRequest->keyId = $keyId;
    $encryptRequest->algorithm = $algorithm;
    $encryptRequest->plaintext = AlibabaCloudTeaUtils::toBytes($plaintext);
    $runtimeOptions = new RuntimeOptions();
    // 忽略服务端证书
    //$runtimeOptions->ignoreSSL = true;

    try {
        // 调用加密接口进行加密
        $encryptResponse = $client->encryptWithOptions($encryptRequest, $runtimeOptions);
        // 密钥ID
        $keyId = $encryptResponse->keyId;
        // 主密钥是对称密钥时,decrypt接口需要加密返回的Iv
        $iv = $encryptResponse->iv;
        // 数据密文
        $cipher = $encryptResponse->ciphertextBlob;
        // 加密算法
        $algorithm = $encryptResponse->algorithm;
        var_dump($encryptResponse->toMap());
        return new AesEncryptContext([
            'keyId' => $keyId,
            'iv' => $iv,
            'ciphertextBlob' => $cipher,
            'algorithm' => $algorithm
        ]);
    } catch (\Exception $error) {
        if ($error instanceof \AlibabaCloud\Tea\Exception\TeaError) {
            var_dump($error->getErrorInfo());
        }
        var_dump($error->getMessage());
        var_dump($error->getTraceAsString());
    }
    return null;
}

/**
 * 解密示例
 * @param AlibabaCloudDkmsGcsSdkClient $client
 * @param AesEncryptContext $ctx
 * @return int[]|null
 */
function aesDecryptSample($client, $ctx)
{
    // 构建解密请求对象
    $decryptRequest = new DecryptRequest();
    $decryptRequest->keyId = $ctx->keyId;
    $decryptRequest->ciphertextBlob = $ctx->ciphertextBlob;
    $decryptRequest->algorithm = $ctx->algorithm;
    $decryptRequest->iv = $ctx->iv;
    $runtimeOptions = new RuntimeOptions();
    // 忽略证书
    //$runtimeOptions->ignoreSSL = true;

    try {
        // 调用解密接口进行解密
        $decryptResponse = $client->decryptWithOptions($decryptRequest, $runtimeOptions);
        var_dump($decryptResponse->toMap());
        return $decryptResponse->plaintext;
    } catch (Exception $error) {
        if ($error instanceof \AlibabaCloud\Tea\Exception\TeaError) {
            var_dump($error->getErrorInfo());
        }
        var_dump($error->getMessage());
        var_dump($error->getTraceAsString());
    }
    return null;
}

/**
 * 构建KMS实例SDK Client对象
 * @return AlibabaCloudDkmsGcsSdkClient
 */
function getDkmsGcsSdkClient()
{
    global $clientKeyContent, $password, $endpoint;

    // 构建KMS实例SDK Client配置
    $config = new AlibabaCloudDkmsGcsOpenApiConfig();
    //连接协议请设置为"https"。KMS实例服务仅允许通过HTTPS协议访问。
    $config->protocol = 'https';
    //Client Key。
    $config->clientKeyContent = $clientKeyContent;
    //Client Key口令。
    $config->password = $password;
    //设置endpoint为<your KMS Instance Id>.cryptoservice.kms.aliyuncs.com。
    $config->endpoint = $endpoint;
    // 实例CA证书
    $config->caFilePath = 'path/to/caCert.pem';

    // 构建KMS实例SDK Client对象
    return new AlibabaCloudDkmsGcsSdkClient($config);
}


/**
 * The aes encrypt context may be stored
 */
class AesEncryptContext
{
    public function __construct($config = [])
    {
        if (!empty($config)) {
            foreach ($config as $k => $v) {
                $this->{$k} = $v;
            }
        }
    }
    /**
     * @var string
     */
    public $keyId;

    /**
     * @var int[]
     */
    public $iv;

    /**
     * @var int[]
     */
    public $ciphertextBlob;

    /**
     * @var string
     * Use default algorithm value, if the value is not set
     */
    public $algorithm;
}

代码示例解析

初始化客户端

关于初始化客户端的详细介绍,请参见初始化客户端

<?php

use AlibabaCloud\Dkms\Gcs\Sdk\Client as AlibabaCloudDkmsGcsSdkClient;
use AlibabaCloud\Dkms\Gcs\OpenApi\Models\Config as AlibabaCloudDkmsGcsOpenApiConfig;


function getDkmsGcsSdkClient()
{
    global $clientKeyContent, $password, $endpoint;

    // 构建KMS实例SDK Client配置
    $config = new AlibabaCloudDkmsGcsOpenApiConfig();
    //连接协议请设置为"https"。KMS实例服务仅允许通过HTTPS协议访问。
    $config->protocol = 'https';
    //Client Key。
    $config->clientKeyContent = $clientKeyContent;
    //Client Key口令。
    $config->password = $password;
    //设置endpoint为<your KMS Instance Id>.cryptoservice.kms.aliyuncs.com。
    $config->endpoint = $endpoint;
    // 实例CA证书
    $config->caFilePath = 'path/to/caCert.pem';

    // 构建KMS实例SDK Client对象
    return new AlibabaCloudDkmsGcsSdkClient($config);
}

调用Encrypt接口使用对称密钥对数据加密

/**
 * 加密示例
 * @param AlibabaCloudDkmsGcsSdkClient $client
 * @param string $keyId
 * @param string $plaintext
 * @param string $algorithm
 * @return AesEncryptContext
 */
function aesEncryptSample($client, $keyId, $plaintext, $algorithm)
{
    // 构建加密请求
    $encryptRequest = new EncryptRequest();
    $encryptRequest->keyId = $keyId;
    $encryptRequest->algorithm = $algorithm;
    $encryptRequest->plaintext = AlibabaCloudTeaUtils::toBytes($plaintext);
    $runtimeOptions = new RuntimeOptions();
    // 忽略服务端证书
    //$runtimeOptions->ignoreSSL = true;

    try {
        // 调用加密接口进行加密
        $encryptResponse = $client->encryptWithOptions($encryptRequest, $runtimeOptions);
        // 密钥ID
        $keyId = $encryptResponse->keyId;
        // 主密钥是对称密钥时,decrypt接口需要加密返回的Iv
        $iv = $encryptResponse->iv;
        // 数据密文
        $cipher = $encryptResponse->ciphertextBlob;
        // 加密算法
        $algorithm = $encryptResponse->algorithm;
        var_dump($encryptResponse->toMap());
        return new AesEncryptContext([
            'keyId' => $keyId,
            'iv' => $iv,
            'ciphertextBlob' => $cipher,
            'algorithm' => $algorithm
        ]);
    } catch (\Exception $error) {
        if ($error instanceof \AlibabaCloud\Tea\Exception\TeaError) {
            var_dump($error->getErrorInfo());
        }
        var_dump($error->getMessage());
        var_dump($error->getTraceAsString());
    }
    return null;
}

调用Decrypt接口使用对称密钥解密密文

/**
 * 解密示例
 * @param AlibabaCloudDkmsGcsSdkClient $client
 * @param AesEncryptContext $ctx
 * @return int[]|null
 */
function aesDecryptSample($client, $ctx)
{
    // 构建解密请求对象
    $decryptRequest = new DecryptRequest();
    $decryptRequest->keyId = $ctx->keyId;
    $decryptRequest->ciphertextBlob = $ctx->ciphertextBlob;
    $decryptRequest->algorithm = $ctx->algorithm;
    $decryptRequest->iv = $ctx->iv;
    $runtimeOptions = new RuntimeOptions();
    // 忽略证书
    //$runtimeOptions->ignoreSSL = true;

    try {
        // 调用解密接口进行解密
        $decryptResponse = $client->decryptWithOptions($decryptRequest, $runtimeOptions);
        var_dump($decryptResponse->toMap());
        return $decryptResponse->plaintext;
    } catch (Exception $error) {
        if ($error instanceof \AlibabaCloud\Tea\Exception\TeaError) {
            var_dump($error->getErrorInfo());
        }
        var_dump($error->getMessage());
        var_dump($error->getTraceAsString());
    }
    return null;
}

上一篇:初始化客户端下一篇:签名验签示例