Trouble encrypting json data in Apigee X

I am trying to return an encrypted string as a response, replacing the original json value returned from the target server. This data will be a json structure looking like this.

{
    "apis": [
    {
      "resId": "nksjdna090232nnasd2092dfsdff",
      "api": "/api/v1/abc?cde=blue",
      "action": [
        "GET",
        "POST"
      ]
    },
    {
      "resId": "nksjdna090232nnasd2092dfsdff",
      "api": "/api/v1/abc?cde=green",
      "action": [
        "GET",
        "PUT",
        "POST"
      ]
    },
    {
      "resId": "nksjdna090232nnasd2092dfsdff",
      "api": "/api/v1/abc?cde=yellow",
      "action": [
        "GET",
        "PUT",
        "POST"
      ]
    }]
}

Question is, can I accomplish this using Key value map? If not, are there any other built-in policies to do this? If both are not an option, I was thinking of using JavaScript and cryptojs since I am not familiar with Java. Is it recommended?

I am trying to return an encrypted string as a response,

There are lots of ways to do encryption within an Apigee API proxy. JWE is one of the built-in ways. But lots of others based on Java callouts - AES encryption, RSA-based hybrid encryption, ECDSA encryption... You can google around to find more details on any of these. Or you can peruse the list of community-contributed Java callouts and find the ones related to encryption.

can I accomplish this using Key value map?

You definitely cannot encrypt payloads via an Apigee KeyValueMap. A KVM is used to store values. It doesn't encrypt.

I was thinking of using JavaScript and cryptojs since I am not familiar with Java. Is it recommended?

Well if you want to write your own crypto, sure you can use cryptojs. It won't perform very well at scale. Using one of the previously contributed community callouts would probably be a better idea. In most (all?) cases you don't need to know Java in order to use these callouts.
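
An added example, not from this thread or from Apigee's samples, of the built-in JWE route named in the reply above: a GenerateJWE policy encrypts the target's JSON response and an AssignMessage policy returns the compact JWE as the response body. The policy names, the flow variables `recipient_public_key_pem` and `jwe_output`, and the choice of RSA-OAEP-256 with A256GCM are assumptions; the variable holding the recipient's PEM public key would have to be populated earlier in the flow.

```xml
<!-- Policy 1, attached in the response flow: encrypt the JSON payload as a JWE. -->
<GenerateJWE name="GJWE-EncryptResponse">
  <!-- Key-encryption algorithm: the content key is wrapped with the recipient's RSA public key. -->
  <Algorithm>RSA-OAEP-256</Algorithm>
  <!-- Content-encryption algorithm: AES-256 in GCM mode. -->
  <EncryptionAlgorithm>A256GCM</EncryptionAlgorithm>
  <PublicKey>
    <!-- Assumed variable: PEM-encoded public key of the client that will decrypt. -->
    <Value ref="recipient_public_key_pem"/>
  </PublicKey>
  <!-- Plaintext to encrypt: the JSON body returned by the target server. -->
  <Payload ref="response.content"/>
  <!-- Assumed variable name that receives the compact-serialized JWE. -->
  <OutputVariable>jwe_output</OutputVariable>
</GenerateJWE>

<!-- Policy 2, attached after policy 1: replace the response body with the JWE string. -->
<AssignMessage name="AM-SetEncryptedResponse">
  <Set>
    <Payload contentType="application/jose">{jwe_output}</Payload>
  </Set>
  <!-- Fail rather than send an empty body if the encryption step produced nothing. -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

The client decrypts with the matching RSA private key using any JOSE library; the proxy never needs that private key.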

Thanks for the quick response. I was thinking of an alternative: to save the encrypted data in a key value map store, mapping it to the JWT ID used for authentication. Are there any built-in policies or available strategies to remove this mapping (delete key value map) once the JWT token is expired?

It sounds like you want to store data associated to a token, and have that data disappear when the token expires. This is the purpose of the custom attribute on the Apigee access token. This is what the feature is designed for. Maybe check the documentation on that "custom attributes" feature, it might help you.

Keep it simple @abhijithsh & this is very common in handling PCI data to do last mile encryption/decryption.

Just to perform standard encryption of any arbitrary string, just use a Java callout (refer to dino's reply) to perform it, manipulate the JSON & send it.

If your requirement is just to mask and not really encrypt, then you can use the mask feature in Apigee:

https://docs.apigee.com/api-platform/security/data-masking

I am very new to this platform. Requesting some clarifications:

1. I was not aware there is an option to store values which can clear themselves. Is it using a specific policy?

2. I could not find the "custom attributes" feature documentation. I am aware of the possibility to add custom attributes. However, I am not sure how it can be used for the purpose of clearing a KVM value (or any value having an environment scope) when the JWT token is expired.

3. Is it possible to do an AES 256 encryption while encrypting jwt within Apigee?

re: "Maybe check the documentation on that "custom attributes" feature, it might help you. "

LMGTFY.

re: "Is it possible to do an AES 256 encryption while encrypting jwt within Apigee."

LMGTFY