API Connect

 View Only
  • 1.  Decryption using RSA/ECB/OAEPPADDING in Gatewayscript

    Posted Thu February 29, 2024 08:42 AM
    Edited by Stefen Salvatore Thu February 29, 2024 09:17 AM

    Hi @Steve Linn , @Hermann Stamm-Wilbrandt , @Joseph Morgan  and Team,

    Java:
    private static String getEncryptHeader(String keyPlainText, String publicKeyStr) {
        try {
            byte[] keyByteArr = keyPlainText.getBytes();
            PublicKey key = getPublicKey(publicKeyStr);
            Cipher cipher = Cipher.getInstance('RSA/ECB/OAEPPADDING');
            cipher.init(Cipher.ENCRYPT_MODE, key);
            byte[] encryptedByte = cipher.doFinal(keyByteArr);
            System.out.println("EncryptedHeaders:" + Base64.getEncoder().encodeToString(encryptedByte));
            return Base64.getEncoder().encodeToString(encryptedByte);
        } catch (Exception e) {
            e.printStackTrace();
            return "";
        }
    }
    Iam Unable to decrypt it using crypto module since invalid algorithm and unable to decrypt using jose since the body is not parsed when i use jose.parse.
    So could anyone Please provide equivalent gatewayscript code if Datapower supports the above java functionality.





    ------------------------------
    Stefen Salvatore
    ------------------------------



  • 2.  RE: Decryption using RSA/ECB/OAEPPADDING in Gatewayscript

    Posted Thu February 29, 2024 09:30 AM

    Hi Stefen,

    I ported the publicly available samplev5 user defined policies that were jose based GatewayScript into API Gateway user defined policies.  Perhaps those samples will help, see https://github.com/ibm-apiconnect/policy-apigw/tree/master/user-defined-policies.

    Regards,

    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------



  • 3.  RE: Decryption using RSA/ECB/OAEPPADDING in Gatewayscript

    Posted Fri March 01, 2024 12:04 AM
    Edited by Stefen Salvatore Fri March 01, 2024 12:26 AM

    Hi @Steve Linn,

    I have gone through the repository where I found jose.parse() again in the decryption policy.
    Use Case Description:
    Sample Final Encrypted Payload:
    T0JOYzhRK2F2bk1iUG5PL3Jhb3l2bE5nZHYzZ0dHZ2F2RU90UTk2RkRUSzIwYnMwOWNBaW9BOC9wUmNGT1ZiR0xSanhIVFFPdkN6THN3TjUyWGFnS1BGN2dZRlhSZDdpVTM0SHE4bXBwSW56SW5HSktmSWZreU9EUllFcHI0M0Z3VmZEWjhxV2FJMGhXS0JmZENJQUR0OFl0VWQxMThVaC9xTHFyV1VBT2QzUmdtU05Gb1RWMmI0TFh2VGwrWVc3VGJ2eWpwaERpVEUzbUJGdTBGT3V0Vk92bkN3YjBGWVpva0hIcVR0K2NEa2VuSjBZbFQ4WGROV1N2Vm5DeStnOSt5WnByQXBGZ0cxUnFWWlJERW5lOVkxT1huQ0hSVGlWTHQ5dyswNFNNREhOZ2E0c1FRY1N3NDVQZUtFQktUeklFYmg3TWhiYWs5anRxcUtpRithRjJrTXFGekVXREdZSFFFT3YyUkhCWklBK2ZkWWR3cGd5UjJlK0phQ2t4N2RLLzB6d1JCQXVJVVFpR1h1R1BvdnJqUFRSYUNWY243LzBwcmlwYStDMDJIOERGOWVvTTNYYmVDZFJOc0c5NmRCVFBjaGxPN1o1elh4eGdJZnI3aEUzY3djTXdQVERobE1mZHhWZGVNQ3JDaDU2Tit1REVoOTk5UnJ5WGJ0VUhtL3BOOEdqRHo0bHFLNVp2NHV0cmlZTG5GaEY1SUIrdUk2Rm56U3NpZUM2MDBweUQ0cGNXV29BNWU2V2tZT1M0clJtaDFsQUp4QzNBQ3pjRE1KeGtSb1RCUEIwSW4ybEZwRzAwL1RmdkxIN0EzN0ZCZE9lbEI2ZzhIazY1MnAxSG5PeUNqemZ1TThqN3RLMG03Q25SNzl1Nlh4M09DblJaQTRUaXF6S0hXa2NuWW89OkVwelBtOWZMcTZSN0tVQU5hc1ZiSElPQVR1S3FqYmJ2SEc2alAxOVBtcXpUNUV3M3FpZmFTQmF4dkNhbW9Vb2p6N0hNbWV1RFUrOXFGSjBrTlhJRnJFSE5xL3N2Q1VmbHphQXgweldvMHQ5Wm1EdU9GaGV0N3c2MnRZTDgwU085UnVnOEFnK21RRmpFaWdqb21YOGpLcVFiTW80UUo2cXpkTENJeVF6RmxSb2szVEhvYUFFbWxtb0FuREpLdFlOaDpIOTV4dVlsdWd0K0hUVm9sSVYwckIxVlptMDN6RGFqQkdNbEwxekdjZlltcFJicDFHTHlkTkYydzMxblRNUldlS1Q0N01HU3pWTVlWWjBqdkFyM201b3ZlQUYwTllLdXVMUDRucG04aWVMblRqNzFXV1EwSWpiTStjcElwWk1kMnJUdmtqcENZLzBKK2VSRXdXUjZGS2o0aDU1L3A3Ym1iSmJQek53cW40TmJieE9BbWt4QVZEQ2pVbUx6bnA0UXAzMWtnNGRxQVBaYVE2SGxLNGZPOHg5Y0ZoRVNIVER3NVpJM0h1YUVXaXlVS2phZmNMREI0d2lNMXQ4RkxkL1FsSEgxM0hkeTZEZWtobllJU243S0l3RVA0bnlnTEtwaGRKMENCa2s5ZVdGazA0WHFBam1PVGdBbmhtSU10eEVKMlZnNnNBTVFicG4wWGdHdTRJb2kxZ2hvaU5neXg3UUNzRFV3UHljRVNZTzhvWkJ6aWk5M1l2SEJ4VlpJdTR1VzJEa1A0akk1VllrOUlEcnl2Q3liV2pIZ2VHbmw0Mm82YmZ4UWY1dU9VbjE0aGtyM1JrQzZqMDAwNnR5ZTRyVmQ2M0xMZzhXbUpLblcrOTRlWlVNTVErV0dGVWt0bE5JSzcvVUx3dkpWNmVOanNIdXU3L0VwNy9RMjlBVjJMblF1NmwrRmwwck1MVm5LYVR4NmVKU0g0dGVrYVRrUTdUSXZnVW5EaXV6MVpLVzlhTmZRSVlONnpVTjliT1BBbitEanp6bk1HVmI5SW5sK1dqMm11MEoyK3dJOXNzdUdOeDdjbm4vUTZ1RFBkY2loTmZGcStUSGV1OVVRWUhTN3pHVDJBMnpsVStYcytWdjFUU0dCVHY0QlpmTlRkTndmL25KSUk4T210UG42aDYraz0=
    After Base64 Decode:
    OBNc8Q+avnMbPnO/raoyvlNgdv3gGGgavEOtQ96FDTK20bs09cAioA8/pRcFOVbGLRjxHTQOvCzLswN52XagKPF7gYFXRd7iU34Hq8mppInzInGJKfIfkyODRYEpr43FwVfDZ8qWaI0hWKBfdCIADt8YtUd118Uh/qLqrWUAOd3RgmSNFoTV2b4LXvTl+YW7TbvyjphDiTE3mBFu0FOutVOvnCwb0FYZokHHqTt+cDkenJ0YlT8XdNWSvVnCy+g9+yZprApFgG1RqVZRDEne9Y1OXnCHRTiVLt9w+04SMDHNga4sQQcSw45PeKEBKTzIEbh7Mhbak9jtqqKiF+aF2kMqFzEWDGYHQEOv2RHBZIA+fdYdwpgyR2e+JaCkx7dK/0zwRBAuIUQiGXuGPovrjPTRaCVcn7/0pripa+C02H8DF9eoM3XbeCdRNsG96dBTPchlO7Z5zXxxgIfr7hE3cwcMwPTDhlMfdxVdeMCrCh56N+uDEh999RryXbtUHm/pN8GjDz4lqK5Zv4utriYLnFhF5IB+uI6FnzSsieC600pyD4pcWWoA5e6WkYOS4rRmh1lAJxC3ACzcDMJxkRoTBPB0In2lFpG00/TfvLH7A37FBdOelB6g8Hk652p1HnOyCjzfuM8j7tK0m7CnR79u6Xx3OCnRZA4TiqzKHWkcnYo=
    :
    EpzPm9fLq6R7KUANasVbHIOATuKqjbbvHG6jP19PmqzT5Ew3qifaSBaxvCamoUojz7HMmeuDU+9qFJ0kNXIFrEHNq/svCUflzaAx0zWo0t9ZmDuOFhet7w62tYL80SO9Rug8Ag+mQFjEigjomX8jKqQbMo4QJ6qzdLCIyQzFlRok3THoaAEmlmoAnDJKtYNh
    :
    H95xuYlugt+HTVolIV0rB1VZm03zDajBGMlL1zGcfYmpRbp1GLydNF2w31nTMRWeKT47MGSzVMYVZ0jvAr3m5oveAF0NYKuuLP4npm8ieLnTj71WWQ0IjbM+cpIpZMd2rTvkjpCY/0J+eREwWR6FKj4h55/p7bmbJbPzNwqn4NbbxOAmkxAVDCjUmLznp4Qp31kg4dqAPZaQ6HlK4fO8x9cFhESHTDw5ZI3HuaEWiyUKjafcLDB4wiM1t8FLd/QlHH13Hdy6DekhnYISn7KIwEP4nygLKphdJ0CBkk9eWFk04XqAjmOTgAnhmIMtxEJ2Vg6sAMQbpn0XgGu4Ioi1ghoiNgyx7QCsDUwPycESYO8oZBzii93YvHBxVZIu4uW2DkP4jI5VYk9IDryvCybWjHgeGnl42o6bfxQf5uOUn14hkr3RkC6j0006tye4rVd63LLg8WmJKnW+94eZUMMQ+WGFUktlNIK7/ULwvJV6eNjsHuu7/Ep7/Q29AV2LnQu6l+Fl0rMLVnKaTx6eJSH4tekaTkQ7TIvgUnDiuz1ZKW9aNfQIYN6zUN9bOPAn+DjzznMGVb9Inl+Wj2mu0J2+wI9ssuGNx7cnn/Q6uDPdcihNfFq+THeu9UQYHS7zGT2A2zlU+Xs+Vv1TSGBTv4BZfNTdNwf/nJII8OmtPn6h6+k=


    Encrypted DynamicKey ( decrypt using pvt key + RSA/ECB/OAEPPADDING): Encrypted Payload (using plain dynamic key + A256GCM): Signature (RSA-SHA256)

    I Can able to implement below 2

    Encrypted  and Decrypt Payload (using plain dynamic key + A256GCM) : Signature and Verification (RSA-SHA256)

    Kindly help me regarding this.



    ------------------------------
    Stefen Salvatore
    ------------------------------



  • 4.  RE: Decryption using RSA/ECB/OAEPPADDING in Gatewayscript

    Posted Fri March 01, 2024 03:14 PM

    Hi Stefan,
    I'm not exactly sure what you're asking in your bolded text of your response.  Please advise of any specific questions you have.

    The policy samples referenced in my previous comments do use the jose module, and use for the encrypt algorithm
                    //   - A128CBC-HS256
                    //   - A192CBC-HS384
                    //   - A256CBC-HS512
                    //   - A128GCM
                    //   - A192GCM
                    //   - A256GCM
    and the key encryption algorithm
                    //    - RSA1_5        (Key Encryption algorithm)
                    //    - RSA-OAEP      (Key Encryption algorithm)
                    //    - RSA-OAEP-256  (Key Encryption algorithm)
                    //    - A128KW        (Key Wrapping algorithm)
                    //    - A192KW        (Key Wrapping algorithm)
                    //    - A256KW        (Key Wrapping algorithm)
    and for sign/verify, the signing algorithm
                    //    HS256
                    //    HS384
                    //    HS512
                    //    RS256
                    //    RS384
                    //    RS512
                    //    ES256
                    //    ES384
                    //    ES512
                    //    PS256
                    //    PS384
                    //    PS512
    The policies are meant to be dynamic, so they specify an enumeration for these properties when the policy is added to an API assembly, those values are made available to the GatewayScript which is using them in the JOSE functions.  If you're requiring algorithms not specified about, then that would need to be a request for enhancement.

    Please reference the jose module documentation at https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=apis-jose-module and use the GatewayScript code in the encrypt, decrypt, sign and verify sample policies as an example of code using that module to do what you'd need to do.

    Regards,
    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------