[accless] Add Decrypt FFI Wrapper For abe4

csegarragonz · csegarragonz · commit 629194146d51 · 2025-11-01T14:59:58.000Z
diff --git a/accless/README.md b/accless/README.md
@@ -0,0 +1,13 @@
+# Accless Core Library
+
+To build:
+
+```bash
+accli docker run --mount --cwd /code/accless/accless python3 build.py [-- --clean]
+```
+
+To test:
+
+```bash
+accli docker run --mount --cwd /code/accless/accless/build-native  ctest -- --output-on-failure
+```
diff --git a/accless/build.py b/accless/build.py
@@ -6,6 +6,7 @@
 from sys import argv, exit
 
 ACCLESS_ROOT = dirname(realpath(__file__))
+PROJ_ROOT = dirname(ACCLESS_ROOT)
 
 
 def compile(wasm=False, native=False, debug=False, time=False):
@@ -54,6 +55,8 @@ def compile(wasm=False, native=False, debug=False, time=False):
     elif len(argv) == 2 and argv[1] == "--clean":
         rmtree(join(ACCLESS_ROOT, "build-native"), ignore_errors=True)
         rmtree(join(ACCLESS_ROOT, "build-wasm"), ignore_errors=True)
+        run("cargo clean -p accless-abe4", shell=True, check=True, cwd=PROJ_ROOT)
+        run("cargo clean -p accless-jwt", shell=True, check=True, cwd=PROJ_ROOT)
 
     # Build the microbenchmarks
     compile(wasm=True, debug=debug)
diff --git a/accless/libs/abe4/cpp-bindings/abe4.cpp b/accless/libs/abe4/cpp-bindings/abe4.cpp
@@ -3,6 +3,7 @@
 
 #include <cstring> // For std::memcpy
 #include <nlohmann/json.hpp>
+#include <optional>
 
 namespace accless::abe4 {
 
@@ -53,6 +54,22 @@ EncryptOutput encrypt(const std::string &mpk, const std::string &policy) {
     return {result_json["gt"], result_json["ciphertext"]};
 }
 
+std::optional<std::string> decrypt(const std::string &usk,
+                                   const std::string &gid,
+                                   const std::string &policy,
+                                   const std::string &ct) {
+    char *result =
+        decrypt_abe4(usk.c_str(), gid.c_str(), policy.c_str(), ct.c_str());
+    if (!result) {
+        return std::nullopt;
+    }
+
+    std::string gt_b64(result);
+    free_string(result);
+
+    return gt_b64;
+}
+
 std::map<std::string, std::vector<uint8_t>>
 unpackFullKey(const std::vector<uint8_t> &full_key_bytes) {
     std::map<std::string, std::vector<uint8_t>> result;
diff --git a/accless/libs/abe4/cpp-bindings/abe4.h b/accless/libs/abe4/cpp-bindings/abe4.h
@@ -2,6 +2,7 @@
 
 #include <cstdint>
 #include <map>
+#include <optional>
 #include <string>
 #include <vector>
 
@@ -11,6 +12,9 @@ char *setup_abe4(const char *auths_json);
 char *keygen_abe4(const char *gid, const char *msk_b64,
                   const char *user_attrs_json);
 char *encrypt_abe4(const char *mpk_b64, const char *policy_str);
+char *decrypt_abe4(const char *usk_b64, const char *gid, const char *policy_str,
+                   const char *ct_b64);
+
 } // extern "C"
 
 namespace accless::abe4 {
@@ -65,6 +69,29 @@ std::string keygen(const std::string &gid, const std::string &msk,
  */
 EncryptOutput encrypt(const std::string &mpk, const std::string &policy);
 
+/**
+ * @brief Decrypts a ciphertext using a User Secret Key (USK), group ID, policy,
+ * and ciphertext.
+ *
+ * This function acts as a C++ wrapper around the Rust `decrypt` FFI function.
+ * It takes a base64 encoded User Secret Key, group ID, policy string, and
+ * base64 encoded ciphertext. It calls the Rust FFI function, and returns an
+ * `std::optional<std::string>` containing the base64 encoded `Gt` if decryption
+ * is successful, or `std::nullopt` otherwise.
+ *
+ * @param usk A base64 encoded string representing the User Secret Key.
+ * @param gid The group ID associated with the decryption.
+ * @param policy A string representing the access policy used for encryption.
+ * @param ct A base64 encoded string representing the ciphertext to be
+ * decrypted.
+ * @return An `std::optional<std::string>` containing the base64 encoded `Gt` on
+ * success, or `std::nullopt` on failure.
+ */
+std::optional<std::string> decrypt(const std::string &usk,
+                                   const std::string &gid,
+                                   const std::string &policy,
+                                   const std::string &ct);
+
 /**
  * @brief Unpacks a serialized FullKey (e.g., MPK or MSK) into a map of
  * authority to its partial key.
diff --git a/accless/libs/abe4/cpp-bindings/tests.cpp b/accless/libs/abe4/cpp-bindings/tests.cpp
@@ -1,6 +1,7 @@
 #include "abe4.h"
 #include "base64.h" // New include
 #include <gtest/gtest.h>
+#include <optional>
 
 TEST(abe4, setup) {
     std::vector<std::string> auths = {"auth1", "auth2"};
@@ -64,3 +65,23 @@ TEST(Abe4Test, Encrypt) {
     EXPECT_FALSE(encrypt_output.gt.empty());
     EXPECT_FALSE(encrypt_output.ciphertext.empty());
 }
+
+TEST(Abe4Test, Decrypt) {
+    std::vector<std::string> auths = {"auth1", "auth2"};
+    accless::abe4::SetupOutput setup_output = accless::abe4::setup(auths);
+
+    std::string gid = "test_gid";
+    std::vector<accless::abe4::UserAttribute> user_attrs = {
+        {"auth1", "label1", "attr1"}, {"auth2", "label2", "attr2"}};
+    std::string usk_b64 =
+        accless::abe4::keygen(gid, setup_output.msk, user_attrs);
+
+    std::string policy = "auth1.label1:attr1 and auth2.label2:attr2";
+    accless::abe4::EncryptOutput encrypt_output =
+        accless::abe4::encrypt(setup_output.mpk, policy);
+
+    std::optional<std::string> decrypted_gt =
+        accless::abe4::decrypt(usk_b64, gid, policy, encrypt_output.ciphertext);
+    ASSERT_TRUE(decrypted_gt.has_value());
+    EXPECT_EQ(decrypted_gt.value(), encrypt_output.gt);
+}
diff --git a/accless/libs/abe4/src/lib.rs b/accless/libs/abe4/src/lib.rs
@@ -11,7 +11,7 @@ pub use scheme::{decrypt, encrypt, iota, keygen, setup, tau};
 use scheme::{
     iota::Iota,
     tau::Tau,
-    types::{Ciphertext, MPK, MSK},
+    types::{Ciphertext, MPK, MSK, USK},
 };
 use serde::{Deserialize, Serialize};
 use std::{
@@ -141,3 +141,45 @@ pub unsafe extern "C" fn encrypt_abe4(
     let output_json = serde_json::to_string(&output).unwrap();
     CString::new(output_json).unwrap().into_raw()
 }
+
+#[allow(clippy::missing_safety_doc)]
+#[unsafe(no_mangle)]
+pub unsafe extern "C" fn decrypt_abe4(
+    usk_b64: *const c_char,
+    gid: *const c_char,
+    policy_str: *const c_char,
+    ct_b64: *const c_char,
+) -> *mut c_char {
+    let usk_b64_cstr = unsafe { CStr::from_ptr(usk_b64) };
+    let gid_cstr = unsafe { CStr::from_ptr(gid) };
+    let policy_cstr = unsafe { CStr::from_ptr(policy_str) };
+    let ct_b64_cstr = unsafe { CStr::from_ptr(ct_b64) };
+
+    let usk_bytes = general_purpose::STANDARD
+        .decode(usk_b64_cstr.to_str().unwrap())
+        .unwrap();
+    let usk: USK = USK::deserialize_compressed(&usk_bytes[..]).unwrap();
+
+    let policy = Policy::parse(policy_cstr.to_str().unwrap()).unwrap();
+    let tau = Tau::new(&policy);
+
+    let user_attrs = usk.get_user_attributes();
+    let iota = Iota::new(&user_attrs);
+
+    let ct_bytes = general_purpose::STANDARD
+        .decode(ct_b64_cstr.to_str().unwrap())
+        .unwrap();
+    let ct: Ciphertext = Ciphertext::deserialize_compressed(&ct_bytes[..]).unwrap();
+
+    let result = decrypt(&usk, gid_cstr.to_str().unwrap(), &iota, &tau, &policy, &ct);
+
+    match result {
+        Some(gt) => {
+            let mut gt_bytes = Vec::new();
+            gt.serialize_compressed(&mut gt_bytes).unwrap();
+            let gt_b64 = general_purpose::STANDARD.encode(&gt_bytes);
+            CString::new(gt_b64).unwrap().into_raw()
+        }
+        None => std::ptr::null_mut(),
+    }
+}
