# Encryption and Decryption by Segment with an AES Symmetric Key (GCM Mode) (C/C++)

For details about the algorithm specifications, see [AES](crypto-sym-encrypt-decrypt-spec.md#aes).

## Adding the Dynamic Library in the CMake Script

```txt
target_link_libraries(entry PUBLIC libohcrypto.so)
```

## How to Develop

**Encryption**

1. Use [OH_CryptoSymKeyGenerator_Create](../../reference/apis-crypto-architecture-kit/_crypto_sym_key_api.md#oh_cryptosymkeygenerator_create) and [OH_CryptoSymKeyGenerator_Generate](../../reference/apis-crypto-architecture-kit/_crypto_sym_key_api.md#oh_cryptosymkeygenerator_generate) to generate a 128-bit AES symmetric key (**OH_CryptoSymKey**).

   In addition to the example in this topic, [AES](crypto-sym-key-generation-conversion-spec.md#aes) and [Randomly Generating a Symmetric Key](crypto-generate-sym-key-randomly-ndk.md) may help you better understand how to generate an AES symmetric key. Note that the input parameters in the reference documents may be different from those in the example below.

2. Use [OH_CryptoSymCipher_Create](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipher_create) with the string parameter **'AES128|GCM|PKCS7'** to create a **Cipher** instance. The key type is **AES128**, the block cipher mode is **GCM**, and the padding mode is **PKCS7**.

3. Use [OH_CryptoSymCipherParams_Create](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipherparams_create) to create a symmetric cipher parameter instance, and use [OH_CryptoSymCipherParams_SetParam](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipherparams_setparam) to set cipher parameters.

4. Use [OH_CryptoSymCipher_Init](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipher_init) to initialize the **Cipher** instance. Specifically, set **mode** to **CRYPTO_ENCRYPT_MODE**, and specify the key for encryption (**OH_CryptoSymKey**) and the encryption parameter instance (**OH_CryptoSymCipherParams**) corresponding to the GCM mode.

5. Set the size of the data to be passed in each time to 20 bytes, and call [OH_CryptoSymCipher_Update](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipher_update) multiple times to pass in the data (plaintext) to be encrypted.

   - Currently, the amount of data to be passed in by a single **OH_CryptoSymCipher_Update()** is not limited. You can determine how to pass in data based on the data volume.
   - You are advised to check the result of each **OH_CryptoSymCipher_Update()**. If the result is not **null**, obtain the data and combine the data segments into complete ciphertext. The **OH_CryptoSymCipher_Update()** result may vary with the key specifications.

     If a block cipher mode (ECB or CBC) is used, data is encrypted and output based on the block size. That is, if the data of an **OH_CryptoSymCipher_Update()** operation matches the block size, the ciphertext is output. Otherwise, **null** is output, and the plaintext will be combined with the input data of the next **OH_CryptoSymCipher_Update()** to form a block. When **OH_CryptoSymCipher_Update()** is called, the unencrypted data is padded to the block size based on the specified padding mode, and then encrypted. The **OH_CryptoSymCipher_Update()** API works in the same way in decryption.

     If a stream cipher mode (CTR or OFB) is used, the ciphertext length is usually the same as the plaintext length.

6. Use [OH_CryptoSymCipher_Final](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipher_final) to generate the ciphertext.

   - If data has been passed in by **OH_CryptoSymCipher_Update()**, pass in **null** in the **data** parameter of **OH_CryptoSymCipher_Final**.
   - The output of **OH_CryptoSymCipher_Final** may be **null**. To avoid exceptions, always check whether the result is **null** before accessing specific data.

7. Use [OH_CryptoSymCipherParams_SetParam](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipherparams_setparam) to set **authTag** as the authentication information for decryption.

   In GCM mode, extract the last 16 bytes from the encrypted data as the authentication information for initializing the **Cipher** instance in decryption. In the example, **authTag** is 16 bytes long.

8. Use [OH_CryptoSymKeyGenerator_Destroy](../../reference/apis-crypto-architecture-kit/_crypto_sym_key_api.md#oh_cryptosymkeygenerator_destroy), [OH_CryptoSymCipher_Destroy](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipher_destroy), and [OH_CryptoSymCipherParams_Destroy](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipherparams_destroy) to destroy the instances created.

**Decryption**

1. Use [OH_CryptoSymCipher_Init](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipher_init) to initialize the **Cipher** instance. Specifically, set **mode** to **CRYPTO_DECRYPT_MODE**, and specify the key for decryption (**OH_CryptoSymKey**) and the decryption parameter instance (**OH_CryptoSymCipherParams**) corresponding to the GCM mode.

2. Set the size of the data to be passed in each time to 20 bytes, and call [OH_CryptoSymCipher_Update](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipher_update) multiple times to pass in the data (ciphertext) to be decrypted.

3. Use [OH_CryptoSymCipher_Final](../../reference/apis-crypto-architecture-kit/_crypto_sym_cipher_api.md#oh_cryptosymcipher_final) to generate the plaintext.

**Example**

```c++
#include <string.h>
#include "CryptoArchitectureKit/crypto_common.h"
#include "CryptoArchitectureKit/crypto_sym_cipher.h"

#define OH_CRYPTO_GCM_TAG_LEN 16
static OH_Crypto_ErrCode doTestAesGcmSeg()
{
    OH_CryptoSymKeyGenerator *genCtx = nullptr;
    OH_CryptoSymCipher *encCtx = nullptr;
    OH_CryptoSymCipher *decCtx = nullptr;
    OH_CryptoSymKey *keyCtx = nullptr;
    OH_CryptoSymCipherParams *params = nullptr;

    uint8_t plainText[] = "aaaaa.....bbbbb.....ccccc.....ddddd.....eee";
    Crypto_DataBlob msgBlob = {.data = reinterpret_cast<uint8_t *>(plainText), .len = sizeof(plainText)};

    uint8_t aad[8] = {0};
    uint8_t tagArr[16] = {0};
    // Example value only: GCM requires a unique IV for every encryption under the same key.
    uint8_t iv[12] = {0};
    Crypto_DataBlob tag = {.data = nullptr, .len = 0};
    Crypto_DataBlob ivBlob = {.data = iv, .len = sizeof(iv)};
    Crypto_DataBlob aadBlob = {.data = aad, .len = sizeof(aad)};
    Crypto_DataBlob outUpdate = {.data = nullptr, .len = 0};
    Crypto_DataBlob decUpdate = {.data = nullptr, .len = 0};
    Crypto_DataBlob tagInit = {.data = tagArr, .len = sizeof(tagArr)};
    int32_t cipherLen = 0;
    int blockSize = 20; // Size of each segment passed to Update().
    int32_t randomLen = sizeof(plainText);
    int cnt = randomLen / blockSize; // Number of full segments.
    int rem = randomLen % blockSize; // Size of the trailing partial segment.
    uint8_t cipherText[sizeof(plainText) + 16] = {0};
    Crypto_DataBlob cipherBlob = {.data = reinterpret_cast<uint8_t *>(cipherText), .len = (size_t)cipherLen};

    // Generate a key.
    OH_Crypto_ErrCode ret;
    ret = OH_CryptoSymKeyGenerator_Create("AES128", &genCtx);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }
    ret = OH_CryptoSymKeyGenerator_Generate(genCtx, &keyCtx);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }

    // Set parameters.
    ret = OH_CryptoSymCipherParams_Create(&params);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }
    ret = OH_CryptoSymCipherParams_SetParam(params, CRYPTO_IV_DATABLOB, &ivBlob);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }
    ret = OH_CryptoSymCipherParams_SetParam(params, CRYPTO_AAD_DATABLOB, &aadBlob);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }
    ret = OH_CryptoSymCipherParams_SetParam(params, CRYPTO_TAG_DATABLOB, &tagInit);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }

    // Encrypt data.
    ret = OH_CryptoSymCipher_Create("AES128|GCM|PKCS7", &encCtx);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }
    ret = OH_CryptoSymCipher_Init(encCtx, CRYPTO_ENCRYPT_MODE, keyCtx, params);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }

    // Pass in the plaintext in 20-byte segments.
    for (int i = 0; i < cnt; i++) {
        msgBlob.len = blockSize;
        ret = OH_CryptoSymCipher_Update(encCtx, &msgBlob, &outUpdate);
        if (ret != CRYPTO_SUCCESS) {
            goto end;
        }
        msgBlob.data += blockSize;
        // Update() may return no data; copy only when there is output.
        if (outUpdate.data != nullptr) {
            memcpy(&cipherText[cipherLen], outUpdate.data, outUpdate.len);
            cipherLen += outUpdate.len;
        }
        // Release this segment's output before the next Update() overwrites the blob.
        OH_Crypto_FreeDataBlob(&outUpdate);
    }
    // Pass in the remaining bytes, if any.
    if (rem > 0) {
        msgBlob.len = rem;
        ret = OH_CryptoSymCipher_Update(encCtx, (Crypto_DataBlob *)&msgBlob, &outUpdate);
        if (ret != CRYPTO_SUCCESS) {
            goto end;
        }
        if (outUpdate.data != nullptr) {
            memcpy(&cipherText[cipherLen], outUpdate.data, outUpdate.len);
            cipherLen += outUpdate.len;
        }
    }
    cipherBlob.len = cipherLen;
    // All data was passed in by Update(), so Final() takes nullptr and returns the tag.
    ret = OH_CryptoSymCipher_Final(encCtx, nullptr, &tag);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }

    // Decrypt data.
    // Rewind msgBlob to the start of plainText.
    msgBlob.data -= sizeof(plainText) - rem;
    msgBlob.len = sizeof(plainText);
    ret = OH_CryptoSymCipher_Create("AES128|GCM|PKCS7", &decCtx);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }
    // Set the tag produced by encryption as the authentication information.
    ret = OH_CryptoSymCipherParams_SetParam(params, CRYPTO_TAG_DATABLOB, &tag);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }
    ret = OH_CryptoSymCipher_Init(decCtx, CRYPTO_DECRYPT_MODE, keyCtx, params);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }
    ret = OH_CryptoSymCipher_Final(decCtx, &cipherBlob, &decUpdate);
    if (ret != CRYPTO_SUCCESS) {
        goto end;
    }

end:
    OH_CryptoSymCipherParams_Destroy(params);
    OH_CryptoSymCipher_Destroy(encCtx);
    OH_CryptoSymCipher_Destroy(decCtx);
    OH_CryptoSymKeyGenerator_Destroy(genCtx);
    OH_CryptoSymKey_Destroy(keyCtx);
    OH_Crypto_FreeDataBlob(&outUpdate);
    OH_Crypto_FreeDataBlob(&tag);
    OH_Crypto_FreeDataBlob(&decUpdate);
    return ret;
}
```
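
The segment loop and the 16-byte tag split described in the steps above, written with explicit bounds checks. This is an added example, not code from the OpenHarmony documentation; `UpdateFn`, `FeedSegments`, `SplitTag` and `CopyUpdate` are hypothetical names, and the callback stands in for one update call so the block builds without the crypto library.

```cpp
#include <stddef.h>
#include <stdint.h>
#include <string.h>

constexpr size_t kTagLen = 16;      // GCM tag length used on this page
constexpr size_t kSegmentLen = 20;  // segment size used on this page

// Hypothetical stand-in for one update call: returns bytes written to out, or -1.
using UpdateFn = int (*)(void *ctx, const uint8_t *in, size_t inLen, uint8_t *out, size_t outCap);

// Feed `in` in kSegmentLen pieces, appending each result to `out`.
// Returns total bytes collected, or -1 on failure or when `out` is too small.
static long FeedSegments(UpdateFn update, void *ctx, const uint8_t *in, size_t inLen,
                         uint8_t *out, size_t outCap)
{
    size_t off = 0, total = 0;
    while (off < inLen) {
        size_t n = (inLen - off < kSegmentLen) ? inLen - off : kSegmentLen;
        int w = update(ctx, in + off, n, out + total, outCap - total);
        if (w < 0 || static_cast<size_t>(w) > outCap - total) {
            return -1;
        }
        total += static_cast<size_t>(w);
        off += n;
    }
    return static_cast<long>(total);
}

// Split ciphertext||tag: the last kTagLen bytes are the tag. Returns -1 if too short.
static int SplitTag(const uint8_t *msg, size_t msgLen, size_t *ctLen, const uint8_t **tag)
{
    if (msg == nullptr || msgLen < kTagLen) {
        return -1;
    }
    *ctLen = msgLen - kTagLen;
    *tag = msg + *ctLen;
    return 0;
}

// Constructed callback: copies input unchanged (not encryption) and counts calls in *ctx.
static int CopyUpdate(void *ctx, const uint8_t *in, size_t inLen, uint8_t *out, size_t outCap)
{
    if (inLen > outCap) {
        return -1;
    }
    memcpy(out, in, inLen);
    ++*static_cast<int *>(ctx);
    return static_cast<int>(inLen);
}
```

A 44-byte input, the size of `plainText` in the example, is fed as segments of 20, 20 and 4 bytes, and a 40-byte output buffer makes the loop fail instead of writing past the end.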