AES Encryption or Decryption within an Apigee Edge policy flow? YES.

anonymous · May 21, 2016, 2:51am

Today someone asked if it were possible to Encrypt or Decrypt data using a policy in Apigee Edge.

Of course that’s possible - it’s just software, right? But there is no out-of-the-box policy that performs crypto of arbitrary data. But let’s constrain the goal a little bit further. Rather than saying “encryption”, what if we constrain it to “AES Encryption”?

Announcing the AesCrypto callout!

As with other custom policies we’ve published recently, this is open source code, released under the Apache 2.0 source license. Also, though we have released the Java source code, you CAN use this policy without compiling anything. It’s ready to use, just specify your configuration in the policy file, as with any other policy.

Check the Readme on that for full details on how to use the policy. The basic configuration is like this:

<JavaCallout name="Java-AesEncrypt1">
  <Properties>
    <Property name='action'>encrypt</Property>
    <Property name='passphrase'>{request.queryparam.passphrase}</Property>
    <Property name='encode-result'>base64</Property>
  </Properties>
  <ClassName>com.dinochiesa.edgecallouts.AesCryptoCallout</ClassName>
  <ResourceURL>java://edge-callout-aes-encryptor-1.0.jar</ResourceURL>
</JavaCallout>

What this does:

No source property is specified, therefore this policy configuration will encrypt the message.content. Specifying the passphrase means that a key and IV will be derived using PBKDF2. There is no pbkdf2-iterations property, so the policy will use its default value of 128001 iterations. There is no salt specified, so the policy uses its default of “Apigee-IloveAPIs”. There’s no key-strength property, so the default of 128 bits applies. There is no mode specified, so CBC is used. The result is encoded via base64, and placed into the context variable “crypto_output”.

There are lots of options supported on the policy. Check it out. I’d love to hear your feedback here.

A couple notes:

The PBKDF2 uses the method described in IETF RFC 2898 to derive a key and IV. It uses 128,001 iterations, but you can change that if you like. Deriving a new key every time you use the policy will mean that performance will be sub-optimal at high load. It will perform better at load if you specify the key explicitly, and do not ask the policy to perform the calculations to derive the key. You can specify the key directly as a hex-encoded string.
It encrypts and decrypts. On encryption, you can configure the policy to encode the output in hex or base64. Upon decryption, you can even UTF-8 decode the clear text into a String.

I’d love to hear your feedback.

gnanasekaran · May 22, 2016, 2:29am

Great article Dino!, in the past I have used Crypto-JS to do all the crypto tasks - very helpful if you prefer js

anonymous · February 14, 2018, 9:14pm

Hi Dino, we are using this policy, but while decryption in utf-8, the output is coming as blank.

anonymous · May 1, 2020, 5:12pm

Hi Dino,

Thanks for sharing the information. I tried using your bundle and run the encrypt1 and decrypt1 using passphrase.
encrypt1 is successful but decrypt1 is failing at java decrypt step
https://sdsds.apigee.net/aes-crypto/decrypt1?passphrase=welcome&source_decoding=5XyuR2cJJag2qC3gPlr42rMESoKFxJr6YapD9H6+sPNcWG38W0cLdkB8z5aFHAr+

ava.lang.IllegalArgumentException: No enum constant com.google.apigee.edgecallouts.AesCryptoCallout.EncodingType.5XYUR2CJJAG2QC3GPLR42RMESOKFXJR6YAPD9H6 SPNCWG38W0CLDKB8Z5AFHAR at java.lang.Enum.valueOf(Enum.java:238) at com.google.apigee.edgecallouts.AesCryptoCallout$EncodingType.valueOf(AesCryptoCallout.java:101) at com.google.apigee.edgecallouts.AesCryptoCallout._getEncodingTypeProperty(AesCryptoCallout.java:186) at com.google.apigee.edgecallouts.AesCryptoCallout.execute(AesCryptoCallout.java:470) at

Could you please help on this error

Regards,
Priyanka

dchiesa1 · May 5, 2020, 11:54pm

Hi Priyanka,

I think you want

curl -i -X POST "https://$ORG-$ENV.apigee.net/aes-crypto/decrypt1?passphrase=welcome&source_decoding=base64" \
 -d "5XyuR2cJJag2qC3gPlr42rMESoKFxJr6YapD9H6+sPNcWG38W0cLdkB8z5aFHAr+"

The source_decoding should be base64.

And also, specify the ciphertext as the POST body.

The README wasn’t very clear on that. Sorry!

When I run that command, I get:

HTTP/1.1 200 OK
Date: Tue, 05 May 2020 23:58:23 GMT
Content-Type: application/json
Content-Length: 111
Connection: keep-alive

{
  "output": "{\n\t\"firstname\":\"abcd\",\n\t\"lastname\":\"efgh\"\n}",
  "cipher": "AES/CBC/PKCS5PADDING"
}

anonymous · November 21, 2020, 8:24am

Hi Dino, I am trying to use java callout policy under extensions but it says “you can use java callout only in APIGEE Edge”. Why is it so? Is it paid service?

dchiesa1 · December 9, 2020, 5:26pm

Hmmm, yes, Java callout nominally are supported only in the paid version of Apigee.

If you want a commercial evaluation version of Apigee, you can contact us.

Topic		Replies	Views
How to perform AES-256 symmetric field Level Encryption using Javascript/Node in Apigee Apigee api-runtime	3	16	December 19, 2017
AES256 - java callout Apigee api-runtime	3	9	December 20, 2017
DES Encryption Javascript Policy using Crypto.js Knowledge Hub apigee	0	21	February 16, 2017

AES Encryption or Decryption within an Apigee Edge policy flow? YES.

AI Suggested topics