@dchiesa1 As part of Response Encryption, I used an external JWKS URL to fetch the key with key type "EC", where I am able to create the public key, but while trying to encrypt the payload with the algorithms ECDH_ES_A256KW and AES_192_GCM along with the custom jar file, it fails with java.lang.IllegalStateException: that key-encryption algorithm name is unsupported. But the jar file is supposed to handle that encryption algorithm.
Jarfile Name: apigee-callout-encrypted-jwt-20250403.jar
It looks like you tried to paste that into your message but the angle brackets are not appearing.
I will guess you are trying to use ECDH-ES+A256KW. Is that correct?
To help me, use the editor toolbar to insert a code block so that the policy configuration you are using appears correctly. It should look something like this:
    <JavaCallout name="Java-JWTGeneration-EC-1">
      <Properties>
        <Property name='key-encryption'>ECDH-ES+A128KW</Property>
        <Property name='content-encryption'>A256GCM</Property>
        <Property name='payload'>{ "sub":"dino", "unk":"600c3efa-e48e-49c8-b6d9-e6bb9b94ad52"}</Property>
        <Property name='expiry'>1h</Property>
        <!-- the context variable "my_public_key" must hold a PEM-encoded EC public key -->
        <Property name='public-key'>{my_public_key}</Property>
      </Properties>
      <ClassName>com.google.apigee.callouts.GenerateEncryptedJwt</ClassName>
      <ResourceURL>java://apigee-callout-encrypted-jwt-20250403.jar</ResourceURL>
    </JavaCallout>
The code that generates the error message that rejects a key encryption algorithm uses a simple pattern match. It looks like this:
    // kekNamePattern is the regex of accepted key-encryption names; alg is the configured value
    Matcher m = kekNamePattern.matcher(alg);
    if (!m.matches()) {
      // the rejected name is included in the message
      throw new IllegalStateException(
          String.format("that key-encryption algorithm name (%s) is unsupported.", alg));
    }
If the configuration value does not match the pattern, you will see that error message. BUT PLEASE NOTE: in the current code, the error message includes the rejected key-encryption algorithm name. In the screenshot you showed, that value is not present. In other words, the message you are observing is not of the form I would expect with the current JAR. The code change that altered this message to its current form was committed in June 2024.
What that tells me is that you are using an older version of the runtime jar.
So I suggest you check your proxy bundle, and also any environment-scoped resources, for stale versions of that jar. Clean them out, and make sure you are using the latest version of the compiled jar.
Hi Sir, I hope you are doing well. After carefully analyzing the information you have provided, I request you to kindly recheck a few errors, like the algorithm identifiers in your XML, and kindly ensure that you are using JOSE-compliant names. Kindly confirm that the EC key is on P-256.
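A pre-flight check for the two points raised in the replies above (JOSE-compliant algorithm names, and an EC key on P-256), as an added example that is not part of this thread or of the callout's own code. It is standard-library Python and runs against a constructed JWKS; the loose-spelling patterns it rewrites (underscored names like ECDH_ES_A256KW and AES_192_GCM, as in the question) are my assumptions, not the callout's actual kekNamePattern.

```python
import json
import re

# Constructed sample JWKS for this example (not from the thread): one P-256 EC key
# and one RSA key. Coordinates are placeholder strings, not real key material.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "EC", "kid": "ec-1", "crv": "P-256", "use": "enc",
         "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"},
        {"kty": "RSA", "kid": "rsa-1", "use": "enc",
         "n": "PLACEHOLDER_N", "e": "AQAB"},
    ]
})

# JOSE registered names (RFC 7518) for the algorithm families discussed in the thread.
JOSE_KEY_ENCRYPTION = {
    "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
    "RSA-OAEP", "RSA-OAEP-256",
}
JOSE_CONTENT_ENCRYPTION = {
    "A128GCM", "A192GCM", "A256GCM",
    "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
}

# Assumed loose spellings (underscores, "AES_192_GCM") mapped back to JOSE form.
_ECDH_LOOSE = re.compile(r"^ECDH[-_ ]?ES(?:[-_+ ]?A(128|192|256)KW)?$", re.IGNORECASE)
_GCM_LOOSE = re.compile(r"^(?:AES|A)[-_ ]?(128|192|256)[-_ ]?GCM$", re.IGNORECASE)


def canonical_key_encryption(name):
    """Return (jose_name, was_rewritten); jose_name is None if unrecognised."""
    name = name.strip()
    if name in JOSE_KEY_ENCRYPTION:
        return name, False
    m = _ECDH_LOOSE.match(name)
    if m:
        jose = "ECDH-ES" if m.group(1) is None else f"ECDH-ES+A{m.group(1)}KW"
        return jose, True
    return None, False


def canonical_content_encryption(name):
    """Return (jose_name, was_rewritten); jose_name is None if unrecognised."""
    name = name.strip()
    if name in JOSE_CONTENT_ENCRYPTION:
        return name, False
    m = _GCM_LOOSE.match(name)
    if m:
        return f"A{m.group(1)}GCM", True
    return None, False


def select_key(jwks_json, kty, kid=None):
    """Pick the first key of the requested type (and kid, if given) from a JWKS document."""
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("kty") == kty and (kid is None or key.get("kid") == kid):
            return key
    return None


def check_config(jwks_json, key_encryption, content_encryption, kid=None):
    """Pre-flight the key-encryption / content-encryption pair against the JWKS key.

    Returns a report dict; 'problems' is empty when the names are JOSE-compliant
    and the JWKS holds a matching key (EC on P-256 for ECDH-ES*, RSA for RSA-OAEP*)."""
    problems = []
    kek, kek_rewritten = canonical_key_encryption(key_encryption)
    enc, enc_rewritten = canonical_content_encryption(content_encryption)
    if kek is None:
        problems.append(f"key-encryption '{key_encryption}' is not a JOSE name")
    elif kek_rewritten:
        problems.append(f"key-encryption '{key_encryption}' should be written '{kek}'")
    if enc is None:
        problems.append(f"content-encryption '{content_encryption}' is not a JOSE name")
    elif enc_rewritten:
        problems.append(f"content-encryption '{content_encryption}' should be written '{enc}'")

    # ECDH-ES* needs an EC key; RSA-OAEP* needs an RSA key. Skip the lookup if the name is unknown.
    wanted_kty = None
    if kek:
        wanted_kty = "EC" if kek.startswith("ECDH-ES") else "RSA"
    key = select_key(jwks_json, wanted_kty, kid) if wanted_kty else None
    curve = key.get("crv") if key else None
    if wanted_kty and key is None:
        problems.append(f"no {wanted_kty} key in JWKS for {kek}")
    elif wanted_kty == "EC" and curve != "P-256":
        problems.append(f"EC key '{key.get('kid')}' is on {curve}, not P-256")
    return {"key_encryption": kek, "content_encryption": enc,
            "kid": key.get("kid") if key else None, "crv": curve, "problems": problems}


if __name__ == "__main__":
    # The spelling from the original question, then the JOSE spelling.
    print(json.dumps(check_config(SAMPLE_JWKS, "ECDH_ES_A256KW", "AES_192_GCM"), indent=2))
    print(json.dumps(check_config(SAMPLE_JWKS, "ECDH-ES+A256KW", "A256GCM"), indent=2))
```

Run it against the JWKS your proxy actually fetches and the two Property values from the policy; an empty problems list means the names are the ones a JOSE library will accept and the key type matches the algorithm family, which separates a naming mistake from the stale-jar or missing-dependency problems discussed elsewhere in this thread.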
Yes, I am trying to use the ECDH-ES+A256KW algorithm, and as Apigee Edge supports only Java class versions up to 52, I have used the instructions you shared in the GitLab URL to generate the jar file. If possible, can you share the latest jar file that supports Java version 8 with the above algorithm?
@dchiesa1 But for that, if I pass the key encryption as ECDH-ES+A256KW, it returns the error that the key-encryption algorithm name is unsupported, but if I pass RSA-OAEP-A256, it accepts the key encryption algorithm.
The error you are showing in the screenshot is a BouncyCastle permissions error. In other words, Apigee is unable to find the required JAR, and Apigee is refusing to satisfy the requirement using the Apigee built-in JARs.
Apigee has recently changed the way it satisfies dependencies in Java callouts, and that is why you are seeing this problem. I don't know the version or variant of Apigee you are using, but there have been changes across all of the current ones.
I suggest you search the archives here for hints on how to resolve the Java permissions error around the BouncyCastle library. You will probably need to directly supply that dependent JAR file, either as a proxy-specific resource or an environment-scoped resource. There may be other required JARs; there may be a cascade of dependencies. The best way to determine them is to run the build yourself. If you cannot, you may need to get some help to be able to run the build.
Or, connect with Apigee support and get advice on how to satisfy the BouncyCastle requirement.