Encrypt/Decrypt payload using certificate

Hi All,

Is there any way we can do payload encryption using certificates in Apigee?

Is there any sample available on GitHub?


yes

#1. I have a JWE callout which can encrypt arbitrary data using an X509 certificate which embeds an RSA key. The result is a JWE, which looks a lot like a JWT, but it's different. The ciphertext of this JWE can then only be decrypted by the holder of the corresponding private key. Find it here: https://github.com/DinoChiesa/ApigeeEdge-CustomPolicy-EncryptedJWT

This repo says "encrypted JWT" in the name, but it handles both encrypted JWT and JWE (generally). Check the readme for details.

While JWE is part of the JSON Object Signing and Encryption (JOSE) standards, don't be misled: you can encrypt any bytestream with a JWE. The part that requires JSON is the header, which provides the metadata about the encryption: the key id, the encryption algorithms, and so on.

#2. Use the RSACrypto callout. https://github.com/DinoChiesa/ApigeeEdge-CustomPolicy-RsaCrypto

This is a much more limited use case; it can encrypt only a small payload with an RSA public key (perhaps specified via a certificate). Check the readme for details.

You could combine this with the AES Crypto callout to encipher data streams larger than 245 bytes. https://github.com/DinoChiesa/ApigeeEdge-CustomPolicy-AesCrypto

If you provide more context around your use case I might be able to help further.
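An added example, not part of the reply above and not code from the linked callouts: the RSA-plus-AES combination from option #2, sketched in Node.js. It checks the 245-byte cutoff (the PKCS#1 v1.5 limit for a 2048-bit key), then encrypts a larger payload with AES-256-GCM and wraps only the AES key with RSA-OAEP. The key pair, the envelope field names and the sample payload are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed 2048-bit demo key pair. With a real certificate the public half
// would come from: new crypto.X509Certificate(pem).publicKey
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// True if RSA alone (PKCS#1 v1.5 padding) accepts n bytes under this key.
// For a 2048-bit key the cutoff is 256 - 11 = 245 bytes.
function fitsInRsa(pub, n) {
  try {
    crypto.publicEncrypt({ key: pub, padding: crypto.constants.RSA_PKCS1_PADDING }, Buffer.alloc(n));
    return true;
  } catch (e) {
    return false;
  }
}

// Hybrid encryption: AES-256-GCM encrypts the payload under a fresh random key,
// and RSA-OAEP encrypts only that 32-byte key.
function seal(pub, payload) {
  const cek = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, fresh for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  const ciphertext = Buffer.concat([cipher.update(payload), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: pub, ...OAEP }, cek);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Reverse: unwrap the AES key with the RSA private key, then decrypt.
// decipher.final() throws if the ciphertext or tag was modified.
function open(priv, env) {
  const cek = crypto.privateDecrypt({ key: priv, ...OAEP }, env.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// Constructed sample payload, well above the RSA-only limit.
const payload = Buffer.from(JSON.stringify({ note: 'constructed sample', pad: 'x'.repeat(2000) }));
const envelope = seal(publicKey, payload);
console.log(fitsInRsa(publicKey, 245), fitsInRsa(publicKey, 246), open(privateKey, envelope).equals(payload));
```

The receiver needs all four envelope fields; a JWE (option #1) carries the same pieces in a standard serialization.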

@dchiesa1

I have a requirement to sign the JSON payload in Apigee using public CA-signed certs like Mastercard public certs.

Is there any way to do this in Apigee?

Hi - where's the specification of what you need to sign, and how? Is it written down somewhere, and can you share the description?