AES Encryption or Decryption within an Apigee Edge policy flow? YES.

Today someone asked if it were possible to Encrypt or Decrypt data using a policy in Apigee Edge.

Of course that's possible - it's just software, right? But there is no out-of-the-box policy that performs crypto of arbitrary data. So let's constrain the goal a little further. Rather than saying "encryption", what if we constrain it to "AES encryption"?

Announcing the AesCrypto callout!

As with other custom policies we've published recently, this is open source code, released under the Apache 2.0 source license. Also, though we have released the Java source code, you CAN use this policy without compiling anything. It's ready to use, just specify your configuration in the policy file, as with any other policy.

Check the Readme for full details on how to use the policy. The basic configuration looks like this:

<JavaCallout name="Java-AesEncrypt1">
  <Properties>
    <Property name='action'>encrypt</Property>
    <Property name='passphrase'>{request.queryparam.passphrase}</Property>
    <Property name='encode-result'>base64</Property>
  </Properties>
  <ClassName>com.dinochiesa.edgecallouts.AesCryptoCallout</ClassName>
  <ResourceURL>java://edge-callout-aes-encryptor-1.0.jar</ResourceURL>
</JavaCallout>

What this does:

  • No source property is specified, so this policy configuration encrypts the message.content.
  • Specifying the passphrase means that a key and IV will be derived using PBKDF2.
  • There is no pbkdf2-iterations property, so the policy uses its default value of 128001 iterations.
  • There is no salt specified, so the policy uses its default of "Apigee-IloveAPIs".
  • There is no key-strength property, so the default of 128 bits applies.
  • There is no mode specified, so CBC is used.
  • The result is encoded via base64 and placed into the context variable "crypto_output".

There are lots of options supported on the policy. Check it out. I'd love to hear your feedback here.

A couple notes:

  • Key derivation uses PBKDF2, the method described in IETF RFC 2898, to derive a key and IV. It uses 128,001 iterations by default, but you can change that if you like. Deriving a new key every time the policy runs means performance will be sub-optimal at high load. It will perform better at load if you specify the key explicitly, rather than asking the policy to derive it; you can specify the key directly as a hex-encoded string.
  • It encrypts and decrypts. On encryption, you can configure the policy to encode the output in hex or base64. Upon decryption, you can even UTF-8 decode the clear text into a String.

I'd love to hear your feedback.

Comments
gnanasekaran
Staff

Great article Dino! In the past I have used Crypto-JS to do all the crypto tasks - very helpful if you prefer JS.

Not applicable

Hi Dino, we are using this policy, but when decrypting to utf-8, the output comes back blank.

priyankajayavel
New Member

Hi Dino,

Thanks for sharing the information. I tried using your bundle and ran encrypt1 and decrypt1 using a passphrase.
encrypt1 is successful, but decrypt1 is failing at the java decrypt step:
https://sdsds.apigee.net/aes-crypto/decrypt1?passphrase=welcome&source_decoding=5XyuR2cJJag2qC3gPlr4...+

java.lang.IllegalArgumentException: No enum constant com.google.apigee.edgecallouts.AesCryptoCallout.EncodingType.5XYUR2CJJAG2QC3GPLR42RMESOKFXJR6YAPD9H6 SPNCWG38W0CLDKB8Z5AFHAR
  at java.lang.Enum.valueOf(Enum.java:238)
  at com.google.apigee.edgecallouts.AesCryptoCallout$EncodingType.valueOf(AesCryptoCallout.java:101)
  at com.google.apigee.edgecallouts.AesCryptoCallout._getEncodingTypeProperty(AesCryptoCallout.java:186)
  at com.google.apigee.edgecallouts.AesCryptoCallout.execute(AesCryptoCallout.java:470)
  at

Could you please help with this error?

Regards,
Priyanka

dchiesa1
Staff

Hi Priyanka,

I think you want

curl -i -X POST "https://$ORG-$ENV.apigee.net/aes-crypto/decrypt1?passphrase=welcome&source_decoding=base64" \
-d "5XyuR2cJJag2qC3gPlr42rMESoKFxJr6YapD9H6+sPNcWG38W0cLdkB8z5aFHAr+"

The source_decoding should be base64.

And also, specify the ciphertext as the POST body.

The README wasn't very clear on that. Sorry!

When I run that command, I get:

HTTP/1.1 200 OK
Date: Tue, 05 May 2020 23:58:23 GMT
Content-Type: application/json
Content-Length: 111
Connection: keep-alive


{
  "output": "{\n\t\"firstname\":\"abcd\",\n\t\"lastname\":\"efgh\"\n}",
  "cipher": "AES/CBC/PKCS5PADDING"
}

deepeshm
New Member

Hi Dino, I am trying to use java callout policy under extensions but it says "you can use java callout only in APIGEE Edge". Why is it so? Is it paid service?

dchiesa1
Staff

Hmmm, yes, Java callouts nominally are supported only in the paid version of Apigee.

If you want a commercial evaluation version of Apigee, you can contact us.

Last update: 05-20-2016 07:51 PM