Key Management Service: AsymmetricDecrypt

Last Updated: Jul 29, 2025

Decrypts data using an asymmetric key.

Operation description

Usage notes

  • For information about the access policy required for a RAM user or RAM role to call this API operation, see Resource Access Management.

  • You can call this operation using a shared gateway or a dedicated gateway. For more information, see Alibaba Cloud SDK.

    • Shared gateway: You can access KMS over the Internet or a VPC. To access KMS over the Internet, you must enable the public endpoint. For more information, see Access keys in a KMS instance over the Internet.

    • Dedicated gateway: You can access KMS using the private endpoint of KMS (<YOUR_KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com).

QPS limits

  • If you use a shared gateway, the queries per second (QPS) limit for each Alibaba Cloud account is 200. If the QPS exceeds the limit, the API call is throttled. This can affect your business. We recommend that you plan your calls to avoid exceeding this limit.

  • If you use a dedicated gateway, the QPS limit for each Alibaba Cloud account is subject to the performance specifications of your KMS instance. For more information, see Performance metrics.

Description

This operation supports only asymmetric keys for which the Usage parameter is set to ENCRYPT/DECRYPT. The following table describes the supported encryption algorithms.

| KeySpec | Algorithm | Description | Ciphertext length (bytes) |
|---|---|---|---|
| RSA_2048 | RSAES_OAEP_SHA_256 | RSAES-OAEP using SHA-256 and MGF1 with SHA-256 | 256 |
| RSA_2048 | RSAES_OAEP_SHA_1 | RSAES-OAEP using SHA1 and MGF1 with SHA1 | 256 |
| RSA_3072 | RSAES_OAEP_SHA_256 | RSAES-OAEP using SHA-256 and MGF1 with SHA-256 | 384 |
| RSA_3072 | RSAES_OAEP_SHA_1 | RSAES-OAEP using SHA1 and MGF1 with SHA1 | 384 |
| EC_SM2 | SM2PKE | SM2 elliptic curve public key encryption algorithm | Maximum 6,144 |

This topic provides an example of how to use the asymmetric key whose ID is key-hzz630494463ejqjx**** and version ID is 2ab1a983-7072-4bbc-a582-584b5bd8**** to decrypt the ciphertext BQKP+1zK6+ZEMxTP5qaVzcsgXtWplYBKm0NXdSnB5FzliFxE1bSiu4dnEIlca2JpeH7yz1/S6fed630H+hIH6DoM25fTLNcKj+mFB0Xnh9m2+HN59Mn4qyTfcUeadnfCXSWcGBouhXFwcdd2rJ3n337bzTf4jm659gZu3L0i6PLuxM9p7mqdwO0cKJPfGVfhnfMz+f4alMg79WB/NNyE2lyX7/qxvV49ObNrrJbKSFiz8Djocaf0IESNLMbfYI5bXjWkJlX92DQbKhibtQW8ZOJ//ZC6t0AWcUoKL6QDm/dg5koQalcleRinpB+QadFm894sLbVZ9+N4GVsv1W****== using the RSAES_OAEP_SHA_1 decryption algorithm.

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| CiphertextBlob | string | Yes | The ciphertext to be decrypted. The ciphertext is encoded in Base64. Note: You can call the AsymmetricEncrypt operation to generate a ciphertext. | BQKP+1zK6+ZEMxTP5qaVzcsgXtWplYBKm0NXdSnB5FzliFxE1bSiu4dnEIlca2JpeH7yz1/S6fed630H+hIH6DoM25fTLNcKj+mFB0Xnh9m2+HN59Mn4qyTfcUeadnfCXSWcGBouhXFwcdd2rJ3n337bzTf4jm659gZu3L0i6PLuxM9p7mqdwO0cKJPfGVfhnfMz+f4alMg79WB/NNyE2lyX7/qxvV49ObNrrJbKSFiz8Djocaf0IESNLMbfYI5bXjWkJlX92DQbKhibtQW8ZOJ//ZC6t0AWcUoKL6QDm/dg5koQalcleRinpB+QadFm894sLbVZ9+N4GVsv1W****== |
| KeyId | string | Yes | The ID of the key. You can also specify the alias or Amazon Resource Name (ARN) of the key. For more information about aliases, see Manage aliases. Note: When you access a key in another Alibaba Cloud account, you must specify the ARN of the key. The ARN of a key is in the acs:kms:${region}:${account}:key/${keyid} format. | 5c438b18-05be-40ad-b6c2-3be6752c**** |
| KeyVersionId | string | Yes | The ID of the key version, which is its globally unique identifier. | 2ab1a983-7072-4bbc-a582-584b5bd8**** |
| Algorithm | string | Yes | The decryption algorithm. | RSAES_OAEP_SHA_1 |
| DryRun | string | No | Specifies whether to enable the dry run feature. true: enables the dry run feature. false: disables the dry run feature; this is the default value. The dry run feature is used to test API calls, verify the permissions on the specified resources, and check the validity of the request parameters. If you enable the dry run feature, KMS always returns a failure response and the cause of the failure. The causes of the failure include the following: DryRunOperationError (the request would have succeeded if the DryRun parameter had not been specified), ValidationError (the specified parameter in the request is invalid), and AccessDeniedError (you are not authorized to perform this operation on the KMS resource). | false |
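The following is an added example, not part of the Alibaba Cloud documentation or SDK: a local pre-flight check that applies the ciphertext lengths from the algorithm table and the cross-account ARN rule before a request is sent, then interprets a dry run result and decodes the Plaintext field. The function names and the key_spec, caller_account and key_account arguments are hypothetical; the caller is assumed to know the key's KeySpec and owning account from key metadata.

```python
import base64
import binascii
import re

# (KeySpec, Algorithm) -> (exact length required?, bytes), from the algorithm table.
RULES = {
    ("RSA_2048", "RSAES_OAEP_SHA_256"): (True, 256),
    ("RSA_2048", "RSAES_OAEP_SHA_1"): (True, 256),
    ("RSA_3072", "RSAES_OAEP_SHA_256"): (True, 384),
    ("RSA_3072", "RSAES_OAEP_SHA_1"): (True, 384),
    ("EC_SM2", "SM2PKE"): (False, 6144),  # the table gives a maximum only
}
# Key ARN format stated on this page: acs:kms:${region}:${account}:key/${keyid}
ARN_RE = re.compile(r"^acs:kms:[^:]+:(?P<account>[^:]+):key/[^/]+$")


def build_request(key_id, key_version_id, key_spec, algorithm, ciphertext_blob,
                  caller_account, key_account, dry_run=False):
    """Validate locally, then return the AsymmetricDecrypt request parameters."""
    if (key_spec, algorithm) not in RULES:
        raise ValueError(f"{algorithm} is not listed for {key_spec}")
    try:
        raw = base64.b64decode(ciphertext_blob, validate=True)
    except binascii.Error:
        raise ValueError("CiphertextBlob is not valid Base64") from None
    exact, size = RULES[(key_spec, algorithm)]
    if (exact and len(raw) != size) or not 0 < len(raw) <= size:
        limit = f"exactly {size}" if exact else f"at most {size}"
        raise ValueError(f"ciphertext is {len(raw)} bytes, expected {limit}")
    arn = ARN_RE.match(key_id)
    if key_account != caller_account and not arn:
        raise ValueError("cross-account access requires the key ARN as KeyId")
    if arn and arn["account"] != key_account:
        raise ValueError("ARN account does not match the key owner")
    return {"KeyId": key_id, "KeyVersionId": key_version_id,
            "Algorithm": algorithm, "CiphertextBlob": ciphertext_blob,
            "DryRun": "true" if dry_run else "false"}  # DryRun is a string


def dry_run_passed(error_code):
    """With DryRun=true KMS always fails; this code means the call was valid."""
    return error_code == "DryRunOperationError"


def decode_plaintext(response):
    """Plaintext is returned Base64-encoded; return the raw bytes."""
    return base64.b64decode(response["Plaintext"], validate=True)
```

The sample ciphertext shown on this page is masked with `*` characters, so it fails the Base64 check here; use a real ciphertext produced by AsymmetricEncrypt.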

Response parameters

| Parameter | Type | Description | Example |
|---|---|---|---|
| | object | | |
| KeyVersionId | string | The version of the master key that was used to encrypt the plaintext. | 2ab1a983-7072-4bbc-a582-584b5bd8**** |
| KeyId | string | The ID of the key. If the KeyId parameter in the request is a key alias or key ARN, the key ID is also returned in the response. | 5c438b18-05be-40ad-b6c2-3be6752c**** |
| RequestId | string | The ID of the request. This ID is a unique identifier that is generated by Alibaba Cloud for the request. You can use the ID to troubleshoot issues. | 475f1620-b9d3-4d35-b5c6-3fbdd941423d |
| Plaintext | string | The decrypted plaintext. The plaintext is encoded in Base64. | SGVsbG8gd29ybGQ= |

Examples

Success response

JSON format

{
  "KeyVersionId": "2ab1a983-7072-4bbc-a582-584b5bd8****",
  "KeyId": "5c438b18-05be-40ad-b6c2-3be6752c****",
  "RequestId": "475f1620-b9d3-4d35-b5c6-3fbdd941423d",
  "Plaintext": "SGVsbG8gd29ybGQ="
}

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | Rejected.UnsupportedOperation | Unsupported operation. | The operation is not supported. |
| 404 | Forbidden.AliasNotFound | The specified Alias is not found. | The error message returned because the specified alias does not exist. |
| 404 | Forbidden.KeyNotFound | The specified Key is not found. | The error message returned because the specified CMK does not exist. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.