in client/securesession/securesession.go [642:700]
func (c *SecureSessionClient) ConfidentialUnwrap(ctx context.Context, keyPath, resourceName string, wrappedBlob []byte) ([]byte, error) {
if c.state != clientStateAttestationAccepted {
return nil, errors.New("Called ConfidentialUnwrap with unestablished secure session")
}
// Create an UnwrapRequest, marshal, then session-encrypt it.
unwrapReq := &cwpb.UnwrapRequest{
KeyPath: keyPath,
WrappedBlob: wrappedBlob,
AdditionalContext: &cwpb.RequestContext{
RelativeResourceName: resourceName,
AccessReasonContext: &cwpb.AccessReasonContext{Reason: cwpb.AccessReasonContext_CUSTOMER_INITIATED_ACCESS},
},
AdditionalAuthenticatedData: nil,
KeyUriPrefix: "",
}
marshaledUnwrapReq, err := proto.Marshal(unwrapReq)
if err != nil {
return nil, fmt.Errorf("error marshalling UnwrapRequest: %v", err)
}
if _, err := c.tls.Write(marshaledUnwrapReq); err != nil {
return nil, fmt.Errorf("error writing UnwrapRequest to TLS session: %v", err)
}
req := &cwpb.ConfidentialUnwrapRequest{
SessionContext: c.ctx,
TlsRecords: c.shim.DrainSendBuf(),
RequestMetadata: &cwpb.RequestMetadata{
KeyPath: unwrapReq.GetKeyPath(),
KeyUriPrefix: unwrapReq.GetKeyUriPrefix(),
AdditionalContext: unwrapReq.GetAdditionalContext(),
},
}
// Make RPC, session-decrypt the records, and unmarshal the inner WrapResponse.
resp, err := c.client.ConfidentialUnwrap(ctx, req)
if err != nil {
return nil, fmt.Errorf("error session-decrypting the records: %v", err)
}
records := resp.GetTlsRecords()
c.shim.QueueReceiveBuf(records)
readBuf := make([]byte, recordBufferSize)
n, err := c.tls.Read(readBuf)
if err != nil {
return nil, fmt.Errorf("error reading UnwrapResponse from TLS session: %v", err)
}
var unwrapResp cwpb.UnwrapResponse
if err = proto.Unmarshal(readBuf[:n], &unwrapResp); err != nil {
return nil, fmt.Errorf("error parsing UnwrapResponse: %v", err)
}
return unwrapResp.GetPlaintext(), nil
}