Payload signing using asymmetric keys

Is there a policy that we can use to sign a payload using asymmetric keys (public/private keys) instead of the HMAC policy?


There are built-in policies for generating signed JWT or JWS with RSA or EC keys.

There are community-contributed policies - Java callouts - that do other kinds of signing. Think of this as RSA signing or ECDSA signing, without the JOSE wrapper. There is also an HttpSignature callout.

What specifically are you looking for?

I am looking to sign specific payloads on outgoing messages as well as verify the signature on the incoming payloads using agreed upon RSA keys. We also want to support this on different content-types. We can surely look at using JWS, but wanted to see if there are any other ways to do it without the wrapper.

I just looked and I don't know of a callout that signs using RSA keys. There is a callout that encrypts with RSA, but nothing that does signing. (EDIT: I've updated it, it now does signing).


OLD INFORMATION:

It would take very little work to extend or modify that to also sign with RSA keys. This item was on my "to do" list, but I didn't have anyone specifically asking for it, so I deferred that work.

Do you have specific requirements around padding? PKCS v1.5 vs PSS?

Do you have an example of how you'd like to verify the signatures?

There are a number of options and I'd like to ensure interoperability in what I produce.

Thanks for looking into this. We don't have any specific requirements around padding. We should be good using PKCSv1.5. Also we are still hashing this out so I don't have concrete examples on how we intend to verify the signatures.

OK I've updated the RSA callout to do Signing and Verification, in addition to the Encryption/Decryption.

Find it here (URL has been updated):

https://github.com/DinoChiesa/Apigee-CustomPolicy-RsaCrypto

Thank you very much. I really appreciate your help. Let me try it out and will get back to you if I have any questions.
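The padding question raised in the thread (PKCS#1 v1.5 vs PSS) matters for interoperability because the verifier must use the same scheme and parameters as the signer. The following is an added example, not code from the thread or from the callout repository: it uses only the JDK's `java.security` API (Java 11+ for PSS) to sign raw payload bytes without a JOSE wrapper, then checks the signature against the original body, a modified body, and the wrong padding scheme. The class name, the sample payload and the throwaway key pair are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

public class RsaPayloadSigning {
    // Both parties must agree on hash, padding and (for PSS) MGF and salt length.
    static final PSSParameterSpec PSS_SHA256 =
        new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    static Signature engine(boolean pss) throws GeneralSecurityException {
        if (!pss) return Signature.getInstance("SHA256withRSA"); // PKCS#1 v1.5
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.setParameter(PSS_SHA256);
        return s;
    }

    static byte[] sign(PrivateKey key, byte[] payload, boolean pss) throws GeneralSecurityException {
        Signature s = engine(pss);
        s.initSign(key);
        s.update(payload); // raw bytes: independent of content-type
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] payload, byte[] sig, boolean pss) {
        try {
            Signature s = engine(pss);
            s.initVerify(key);
            s.update(payload);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or bad key: treat as a failed check
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway demo key, not a real partner key
        // Constructed sample payloads
        byte[] body = "{\"amount\":100,\"to\":\"acct-42\"}".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "{\"amount\":900,\"to\":\"acct-42\"}".getBytes(StandardCharsets.UTF_8);
        byte[] v15 = sign(kp.getPrivate(), body, false);
        byte[] pss = sign(kp.getPrivate(), body, true);
        System.out.println("v1.5 over original body: " + verify(kp.getPublic(), body, v15, false));
        System.out.println("PSS over original body:  " + verify(kp.getPublic(), body, pss, true));
        System.out.println("v1.5 over tampered body: " + verify(kp.getPublic(), tampered, v15, false));
        System.out.println("v1.5 sig checked as PSS: " + verify(kp.getPublic(), body, v15, true));
    }
}
```

Because the signature covers the exact bytes, any re-serialization of the body between signing and verification (whitespace, character encoding, key order) makes verification fail, so the verifier should check the payload as received.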