DataPower


Custom token header for Encrypt/Decrypt

  • 1.  Custom token header for Encrypt/Decrypt

    Posted Thu January 14, 2021 04:25 PM

    Dears,

    Is there any way to pass to the Encrypt/Decrypt action a dynamic Crypto Key?

    I explain:

    A client sends a request using a custom token header (with the name of a Crypto Key already created in DataPower), is there any way to pass dynamically this Crypto Key to the Decrypt action?

    Regards,



    #DataPower
    #Support
    #SupportMigration


  • 2.  RE: Custom token header for Encrypt/Decrypt

    Posted Mon January 18, 2021 10:20 AM

    Hi,

    What kind of content are you trying to decrypt? Is it possible for you to just use custom XSLT with dp:decrypt-data function?

    --HP





  • 3.  RE: Custom token header for Encrypt/Decrypt

    Posted Mon January 18, 2021 02:38 PM

    Thanks for your response HP, we are currently using GatewayScript, but we would like to start using the Encrypt/Decrypt action in our processing rules. Isn't it possible?


    Regards





  • 4.  RE: Custom token header for Encrypt/Decrypt

    Posted Mon January 18, 2021 02:48 PM

    Sorry, I specify,

    the content is just a request encrypted from the client that has a custom header encoded with the name of the Crypto Key to be decrypted in DataPower.


    Thank you!





  • 5.  RE: Custom token header for Encrypt/Decrypt

    Posted Tue January 19, 2021 11:02 AM

    The reason why I was asking was that if you are using, for example, standard XML encryption, the clients can relay the key name inside the KeyInfo element and there is no need to use custom headers. But if you are not following any standard, then I am not really sure what the advantage of using the OOTB decrypt action is...

    --HP





  • 6.  RE: Custom token header for Encrypt/Decrypt

    Posted Tue January 19, 2021 01:10 PM

    Dear HP,

    I appreciate your response,


    What do you mean by OOTB decrypt action? We are using a standardized authentication scheme used with a custom header, and we have an AAA info file with the corresponding key names.

    How could I call those crypto keys within the DataPower decrypt action?


    Thank you!





  • 7.  RE: Custom token header for Encrypt/Decrypt

    Posted Tue January 19, 2021 03:49 PM

    The OOTB decrypt action just referred to the drag-and-drop policy rule actions. Are you trying to achieve XML decryption or JSON Web Security related decryption? Do you have an example of the message you are trying to decrypt?


    --HP





  • 8.  RE: Custom token header for Encrypt/Decrypt

    Posted Tue January 19, 2021 08:04 PM

    Thanks HP,


    Sure, the client requests in JSON, something like:

    {
      XXXX: {data_encrypted}
    }


    So, basically the idea is to pass this request to the Decrypt action and from the custom header (that contains the key name) decrypt it.

    The main problem would be how to call that particular - already created key - in DataPower from the Decrypt action.


    Thank you!





  • 9.  RE: Custom token header for Encrypt/Decrypt

    Posted Thu January 21, 2021 09:50 AM

    Ok, I see. So there are a couple of ways you can refer to key objects in a "dynamic way". However, this requires you to use the JOSE recipient/key id header with JSON Web Security decryption, or the KeyInfo element following the XML encryption standard.


    The third option is to customize the standard template store://decrypt.xsl and, through the advanced tab of the decrypt processing action, change the stylesheet. However, this is not a simple task, as the template xsl includes store://dp/decrypt-node.xsl, which defines the decrypt key as a dpconfig parameter. In order to achieve your goal, I think you might also have to customize the decrypt-node.xsl file. To make things even more difficult, the dp folder is hidden, so basically you cannot see (anymore) the template calls that decrypt-node.xsl has. So basically, the third option probably isn't worth the effort if you already have a working GatewayScript to decrypt the message. You can just check the contents of the AAA file in GW script and decide what key to use for the decryption.


    Long and complicated explanation, but hope it gives you an idea what is feasible.


    --HP



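Added example, not part of the original thread and not IBM code: a plain JavaScript sketch of the key-selection step suggested in the last reply, where the key name sent by the client (in a custom header or as a JWE `kid`) is treated only as a hint and must match the key bound to the authenticated client. The client ids, key object names and the in-memory map standing in for the AAA info file are constructed for illustration, and no DataPower API is called.

```javascript
// Constructed allowlist: authenticated client id -> the single key object
// that client may use. Stands in for the AAA info file (assumption).
const KEY_FOR_CLIENT = new Map([
  ['client-a', 'clientA-privkey'],
  ['client-b', 'clientB-privkey'],
]);

// Conservative character set for key object names (assumption).
const KEY_NAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;

// Read "kid" from the protected header of a JWE compact serialization
// (five base64url parts separated by dots). Returns null if malformed.
function kidFromJwe(compact) {
  const parts = String(compact).split('.');
  if (parts.length !== 5) return null;
  try {
    const b64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
    const hdr = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return typeof hdr.kid === 'string' ? hdr.kid : null;
  } catch (e) {
    return null; // not base64url JSON, or not an object
  }
}

// Decide which key object to decrypt with. The requested name must be
// well-formed AND equal to the key bound to the authenticated client;
// anything else is rejected rather than looked up.
function selectDecryptKey(clientId, requestedName) {
  if (typeof requestedName !== 'string' || !KEY_NAME_RE.test(requestedName)) {
    return { ok: false, reason: 'malformed key name' };
  }
  const bound = KEY_FOR_CLIENT.get(clientId);
  if (bound === undefined) return { ok: false, reason: 'unknown client' };
  if (bound !== requestedName) {
    return { ok: false, reason: 'key not permitted for client' };
  }
  return { ok: true, key: bound };
}

// Constructed sample: client-a names its own key, then client-b's key.
console.log(selectDecryptKey('client-a', 'clientA-privkey'));
console.log(selectDecryptKey('client-a', 'clientB-privkey'));
```
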