How to decrypt a CAMT.053 file

Here we have a pseudo code to decrypt a CAMT.053 file.

Rest API Endpoint (pushUri)

Implement an Rest API endpoint that can receive content-type multipart/form-data. This endpoint will receive two parts and must process the statement file as described below.

  • statement(binary encrypted file)
  • metadata(json)

Below is sample code for clarification, you decide you to implement this.

API POST /statement/receive
    Content-Type: 
    INPUT:
        statement  → multipart file (encrypted content)
        metadata   → metadata json object (encryption details)

    PROCESS:
        # Step 1: Load RSA private key
        privateKey = loadPrivateKey(your_private_key)

        # Step 2: Decode Base64 encrypted Key and then Decrypt AES key
        decrypteAESKey = unwrapAESKey(metadata.base64EncryptedKey,      metadata.keyEncryptionAlgorithm(), privateKey)

        # Step 3: Open input stream from uploaded file
        encryptedFile = statement.getFile()

        # Step 4: Decrypt the incoming stream using metadata + private key
        decryptedXmlContent = decrypt(encryptedFile,decrypteAESKey, metadata.base64PayloadNonce, metadata.payloadEncryptionAlgorithm)

        # Step 5: Return HTTP 200 OK
        RETURN HTTP_RESPONSE(status = 200)

Decrypting AES Key

FUNCTION unwrapAESKey(base64WrappedKey, keyEncryptionAlgorithm, privateKey):

    wrappedKeyBytes = BASE64_DECODE(base64WrappedKey)

    rsaCipher = INIT_CIPHER(
        algorithm = algorithm,
        mode = DECRYPT_MODE,
        key = privateKey
    )
    aesKeyBytes = rsaCipher.DECRYPT(wrappedKeyBytes)
    RETURN CREATE_AES_SECRET_KEY(aesKeyBytes)

Decrypting Content

FUNCTION decryptFileWithKey(encryptedFile, decryptedAESKey,base64PayloadNonce, payloadEncryptionAlgorithm):

  
    # Step 1: Decode IV (nonce)
    iv = BASE64_DECODE(metadata.base64PayloadNonce)

    # Step 2: Initialize AES-GCM cipher
    cipher = INIT_CIPHER(
        algorithm = payloadEncryptionAlgorithm,
        mode = DECRYPT_MODE,
        key = aesKey,
        iv = iv,
        tagLength = GCM_TAG_LENGTH_BITS
    )

    # Step 3: Return stream that decrypts on read
    RETURN CREATE_DECRYPTED_FILE(encryptedFile, cipher)