pub fn decrypt_uri(
encrypted_uri: &str,
secret_key: &[u8],
context: &[u8],
) -> Result<String, String>Expand description
Decrypts a URI that was encrypted with encrypt_uri.
Expects either:
- A URI with a plaintext scheme followed by base64-encoded encrypted components
- A path-only URI that is entirely base64-encoded
Validates the authentication tags (SIVs) for each component (computed from accumulated hasher state) to ensure integrity and authenticity before returning the decrypted URI.
§Arguments
encrypted_uri- The encrypted URI (with or without plaintext scheme)secret_key- Secret key used for encryption (must match)context- Context data used for encryption (must match)
§Returns
Ok(String)- The decrypted URI if authentication succeedsErr(String)- Error message if decryption or authentication fails
§Errors
Returns Err("Decryption failed") for ALL failure cases to prevent
timing and padding oracle attacks. This includes:
- Invalid base64 encoding
- Malformed encrypted data
- Authentication failures (wrong key/context)
- Invalid format
§Example
use uricrypt::{encrypt_uri, decrypt_uri};
// With scheme
let encrypted_uri = encrypt_uri(
"https://example.com",
b"secret_key",
b"app_context"
);
let decrypted = decrypt_uri(
&encrypted_uri,
b"secret_key",
b"app_context"
).unwrap();
// Without scheme (path-only)
let encrypted_path = encrypt_uri(
"/path/to/file",
b"secret_key",
b"app_context"
);
let decrypted = decrypt_uri(
&encrypted_path,
b"secret_key",
b"app_context"
).unwrap();