WSS Security -- Encryption and Decryption of payload

Hi,

I am looking for help with achieveing WSS based encryption/decryption in Apigee proxy using following algorithms combination.

Security Token profile: X509v3

Key Encryption method: rsa-1_5

Content Encryption method: aes256-cbc

Basically, we have requirement to decrypt a payload that looks like below (the encrypted content is changed to ****)

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="EncCertId-2045221500" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">********************************************************************************************************************************************************************************************************************************</wsse:BinarySecurityToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference><wsse:Reference URI="#EncCertId-2045221500" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>********************************************************************************************************************************************************************************************</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference URI="#EncDataId-1457291972"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></SOAP-ENV:Header><SOAP-ENV:Body><ns0:GetCustomerPartyListVBMResponse xmlns:ns0="http://xxx.xxx.com/schema/xxx/customer/customer-party/v1"><xenc:EncryptedData Id="EncDataId-1457291972" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><xenc:CipherData><xenc:CipherValue>
*****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></ns0:GetCustomerPartyListVBMResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>

You’d have to implement this using a Java callout. I haven’t tried this, but I think WSS4J might help you here.

All the documentation reg. Wss4j points to configuration based implementations for app servers.

any pointers for plain Java code that I can use for call out?

I have used wss4j inside a Java callout. But I have not done decryption of payload.

After a lot of research and effort, I was able to achieve this using java callout. I have another question regarding making certificate reference configurable in apigee here.

https://community.apigee.com/questions/32070/making-certificate-reference-configurable-in-wss4j.html

Do you a sample policy to share to implement wss security encryption/decryption?