AES Decryption in APIGEE: crypto_error: decryption failed

Hi Dino,

I am making use of the reusable jar for AES Encryption and Decryption requirement from below

https://github.com/DinoChiesa/Apigee-CustomPolicy-AesCrypto

Example: 128-bit AES GCM decryption -- This is the example I followed for working on the AES 256 GCM Encryption and Decryption need.

I am seeing a crypto_error: decryption failed in my trace. The only difference from the documentation is that I am using a 256-bit key. I am not sure of the exact reason for what could have gone wrong.

Also, I am using the Verify JWE (DinoChiesa/Apigee-CustomPolicy-EncryptedJWT) and getting a proper response (ciphertext, iv, key, aad and tag), which is then passed on to AES Decryption.


Sorry, can you explain why you are using the AesCrypto callout?

The VerifyJWE policy that you referenced will decrypt the encrypted JWT. You don't need to use a separate policy to decrypt. https://www.youtube.com/watch?v=KreuWmVka1s#t=8m0s

If you are "getting a proper response", then you're done.

But to specifically address "crypto_error: decryption failed": that happens when the key cannot decrypt the ciphertext. So I guess you're supplying data to that callout that doesn't "match". The key is not the one used to encrypt the ciphertext, or the ciphertext is not valid, or the IV is incorrect, or the mode is wrong, and so on. But as I said above, it seems likely you do not need to AES decrypt anything. If you've got an encrypted JWT or a JWE, then the encrypted JWT callout you referenced is all you need.
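The "doesn't match" cases listed in this reply, as an added Go example that is not part of the thread and not the AesCrypto callout's own Java code: the program seals a small JSON body with AES-256-GCM using Go's standard crypto/cipher, then re-opens it with one bit of the key, IV, AAD, ciphertext or tag flipped, and shows that every one of those mismatches fails the same way, so a bare "decryption failed" cannot by itself tell you which input is wrong. The key, IV, AAD and body are constructed sample values; a key of the wrong length fails earlier, with a key-size error.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// newGCM accepts a 16-, 24- or 32-byte key; any other length is a key-size error, not a decryption failure.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mismatchCauses re-opens sealed (ciphertext || 16-byte tag) with one bit of one input
// flipped at a time and returns the names of the inputs whose corruption made decryption
// fail. GCM verifies the tag before releasing plaintext, so every mismatch looks the same.
func mismatchCauses(key, iv, sealed, aad []byte) []string {
	trials := []struct{ name string; input, at int }{
		{"wrong key", 0, 0}, {"wrong IV", 1, 0}, {"wrong AAD", 3, 0},
		{"corrupted ciphertext", 2, 0}, {"corrupted tag", 2, len(sealed) - 1},
	}
	var failed []string
	for _, t := range trials {
		bad := [][]byte{key, iv, sealed, aad}
		bad[t.input] = append([]byte(nil), bad[t.input]...) // copy, then corrupt
		bad[t.input][t.at] ^= 1
		gcm, err := newGCM(bad[0])
		if err == nil {
			_, err = gcm.Open(nil, bad[1], bad[2], bad[3])
		}
		if err != nil {
			failed = append(failed, t.name)
		}
	}
	return failed
}

// main uses constructed sample inputs (not real secrets): a 32-byte AES-256 key,
// the 12-byte IV GCM expects, and a header-like AAD that GCM binds into the tag.
func main() {
	key := []byte("0123456789abcdef0123456789abcdef")
	iv, aad := []byte("unique-iv-12"), []byte(`{"alg":"dir","enc":"A256GCM"}`)
	gcm, _ := newGCM(key) // a 32-byte key is a valid size, so no error here
	sealed := gcm.Seal(nil, iv, []byte(`{"amount":42}`), aad)
	fmt.Println(mismatchCauses(key, iv, sealed, aad)) // prints all five trial names
}
```

If you keep the exact key, IV and AAD but only the tag or ciphertext differs, the result is the same error, so checking how each value is encoded and passed into the callout is the first thing to verify.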


Hi Dino,


We are intending to encrypt a JSON payload with a dynamically generated CEK using AES256GCM, then encrypt the CEK using an RSA-OAEP-256 algorithm and send it to the Apigee proxy as an encrypted JWT.

Does the verifyEncryptedJWT callout https://github.com/DinoChiesa/Apigee-CustomPolicy-EncryptedJWT also decrypt the payload, apart from decrypting the key?


Hi

This seems like a totally new question, unrelated to the AesCrypto callout that was the original subject. Can you please ask a new question?
