Edit

Share via

EnclaveUnsealData function (winenclaveapi.h)

  • Article

Decrypts an encrypted binary large object (blob).

Syntax

HRESULT EnclaveUnsealData(
  [in]            const VOID       *ProtectedBlob,
  [in]            UINT32           ProtectedBlobSize,
  [out]           PVOID            DecryptedData,
  [in]            UINT32           BufferSize,
  [out]           UINT32           *DecryptedDataSize,
  [out, optional] ENCLAVE_IDENTITY *SealingIdentity,
  [out, optional] UINT32           *UnsealingFlags
);

Parameters

[in] ProtectedBlob

A pointer to the sealed data to unseal. This data may be stored either within the address range of the enclave or within the address space of the host process

[in] ProtectedBlobSize

The size of the sealed data to unseal, in bytes.

[out] DecryptedData

A pointer to a buffer where the unencrypted data should be placed. This data may be stored either within the address range of the enclave or within the address space of the host process. If this parameter is NULL, only the size of the decrypted data is calculated.

[in] BufferSize

The size of the buffer to which the DecryptedData parameter points, in bytes. If DecryptedData is NULL, BufferSize must be zero. If DecryptedData is not NULL, and if the size of the decrypted data is larger than this value, an error is returned.

[out] DecryptedDataSize

A pointer to a variable that receives the actual size of the decrypted data, in bytes.

[out, optional] SealingIdentity

An optional pointer to a buffer that should be filled with the identity of the enclave that sealed the data. If this pointer is NULL, the identity of the sealing enclave is not returned.

[out, optional] UnsealingFlags

An optional pointer to a variable that receives zero or more of the following flags that describe the encrypted binary large object.

Value Meaning
ENCLAVE_UNSEAL_FLAG_STALE_KEY
1		 The data was encrypted with a stale key. Sealing keys are rotated when required for security, and the system can only maintain a fixed number of recently known keys. An enclave that determines that data was encrypted with a stale key should re-encrypt the data with a current key to minimize the chances that the key used to encrypt the data is no longer maintained in the key list.

Return value

If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

Remarks

The enclave that calls EnclaveUnsealData must meet the criteria that correspond to the value of the ENCLAVE_SEALING_IDENTITY_POLICY that was specified by the enclave that sealed the data by calling EnclaveSealData.

EnclaveUnsealData must be called from within an enclave, and is only supported within enclaves that have the ENCLAVE_TYPE_VBS enclave type.

Requirements

Requirement Value
Minimum supported client Windows 10, version 1709 [desktop apps only]
Minimum supported server Windows Server 2016 [desktop apps only]
Target Platform Windows
Header winenclaveapi.h
Library Vertdll.lib
DLL Vertdll.dll

See also

Enclave functions

ENCLAVE_SEALING_IDENTITY_POLICY

EnclaveSealData

Vertdll APIs available in VBS enclaves