Hi Jay...
Thanks for your reply on this topic, we were able to use dp:encrypt-key() method to encrypt the 32 byte random string using the certificate key.
Original Message:
Sent: Sun April 16, 2023 03:20 AM
From: Ashok Beshra
Subject: Gateway script encryption / decryption using API Connect certificate key
Hi Jay....
We have the XSLT already and we are able to encrypt and decrypt the 32 byte random string. My query is, while doing encryption, we get the encrypted public key with the encrypted random string data. We wanted to know how datapower generates this encrypted public key so that we can generate it and send it for decryption. In this case, an external consumer will be doing the 32 byte random string encryption and datapower will be doing the decryption.
------------------------------
Ashok Beshra
Original Message:
Sent: Sat April 15, 2023 06:57 AM
From: Ashok Beshra
Subject: Gateway script encryption / decryption using API Connect certificate key
Hi Jay...
We are using AES256GCM algorithm to encrypt the 32-byte secret key.
------------------------------
Ashok Beshra
Original Message:
Sent: Thu April 13, 2023 09:42 AM
From: Jayprakash Yadav
Subject: Gateway script encryption / decryption using API Connect certificate key
What type of encryption algorithm are you planning to use? On the basis of that I can share with you the XSLT that can be used to decrypt at Datapower.
------------------------------
Jayprakash Yadav
Original Message:
Sent: Thu April 13, 2023 09:27 AM
From: Ashok Beshra
Subject: Gateway script encryption / decryption using API Connect certificate key
Hi...
We have followed the below approach for encryption / decryption using the asymmetric key approach.
1. We were able to generate a 32 byte random string and encrypt the string using the API Gateway public key
2. We have created a Datapower MPGW to decrypt using the API Gateway private key
3. This MPGW uses the decrypt action in the datapower processing policy to decrypt the 32 byte random string
4. This process requires an encrypted public key to be passed along with the encrypted random string, and we wanted to know how it can be generated when encryption is done outside datapower (for example in a Java application).
Query
Basically, if you encrypt a string in datapower, this gives a public key (EncryptedPublicKey) and an encrypted value (EncryptedValue) so that Datapower can decrypt using the encrypted public key and the private key. But, if encryption is done outside datapower, how can the EncryptedPublicKey be generated to decrypt in datapower?
------------------------------
Ashok Beshra
Original Message:
Sent: Mon April 10, 2023 09:53 AM
From: Jayprakash Yadav
Subject: Gateway script encryption / decryption using API Connect certificate key
This completely depends on what type of encryption you are planning to use to encrypt the key. As you mentioned the private key will be used, my thought is that you might be going for the asymmetric encryption approach, i.e. RSA with PKCS1 padding.
Original Message:
Sent: 4/10/2023 9:45:00 AM
From: Ashok Beshra
Subject: RE: Gateway script encryption / decryption using API Connect certificate key
Hi Jay...
Thanks for your response. I have a clarification on the above approach.
1. My response message is JSON and I need to pass an XML message to the transform.xslt function in order to encrypt using the asymmetric key approach. Please let me know how to implement asymmetric encryption using XSLT, as the link which you have provided is not working.
2. I also got the below GitHub solution where encryption/decryption was implemented using the JOSE module and JWK using set variable. Please let me know whether the below approach will work for my encryption scenario?
https://github.com/sachinjha/apiconnect/blob/master/EncryptionDecryption/encryptAndDecryptPII.md
------------------------------
Ashok Beshra
Original Message:
Sent: Mon April 10, 2023 12:46 AM
From: Jayprakash Yadav
Subject: Gateway script encryption / decryption using API Connect certificate key
Dear Ashok,
For the 3rd step you will be required to use asymmetric encryption, which is not possible in Gatewayscript, as the Datapower crypto module only provides symmetric encryption functions.
So to do this, you can write an XSL stylesheet to implement RSA encryption. Store that XSL file in datapower file management. Now from Gatewayscript you can use the Transform module to execute the XSL stylesheet placed on datapower.
Reference to do Asymmetric Encryption (32-byte key encryption)
https://www.ibm.com/mysupport/s/topic/0TO0z000000RdtIGAS/dpencryptkey?language=th
Reference to use Transform module to execute Xslt from Gatewayscript code.
https://www.ibm.com/docs/en/datapower-gateway/7.5.0?topic=methods-transform-module
------------------------------
Jayprakash Yadav
Original Message:
Sent: Sun April 09, 2023 03:56 AM
From: Ashok Beshra
Subject: Gateway script encryption / decryption using API Connect certificate key
Hi Team...
I am implementing encryption/decryption logic in the API Connect gateway assembly. The encryption logic for the fields in my API response to the consumer should be as below:
1. Generate a 32 byte random key
2. Use the 32 byte random key to encrypt API response fields using algorithms like HMAC or SHA256
3. Load the API Connect certificate / private key (stored in the datapower) in the gateway script code and use it to encrypt the 32 byte random key.
Please advise on how the 3rd step can be achieved using gateway script code.
------------------------------
Ashok Beshra
------------------------------