------------------------------
Ashok Beshra
------------------------------

Dear Gabriel...

Thanks for reminding on this post. The issue was fixed and the root cause of the issue was, "RandomNo" variable was having null value when crypto.createDecipherIv method was executed and hence the decryption result was returned as NULL with above error. I have fixed the code to populate value for "RandomNo"(Which in my case is the asymmetric random session key used for encryption/decryption of the API request and response payload) and the above code works perfectly for asymmetric encryption/decryption in APIC Gatewayscript. Thanks 

------------------------------
Ashok Beshra
------------------------------

Original Message:
Sent: Wed April 19, 2023 09:00 AM
From: Ashok Beshra
Subject: Unable to decrypt in APIC using crypto module createDecipheriv method

Hi Team...

 

We have encrypted the API request JSON data in Java using a random string key and IV key using the below code and it works fine,

 

public static String encrypt(String value, String key, String iv) throws Exception

 {

try

{

  IvParameterSpec IV = new IvParameterSpec(iv.getBytes("UTF-8"));

SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");

Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");

cipher.init(Cipher.ENCRYPT_MODE, skeySpec,IV);

byte encrypted[] = cipher.doFinal(value.getBytes());

return Base64.getEncoder().encodeToString(encrypted);

}

catch(Exception ex)

{

ex.printStackTrace();

throw new Exception(ex.getMessage());

}

//return null;

 }

 

In the API Connect gateway script code, I am trying to decrypt using crypto module as below and getting error during decryption. Please find below the code and please advise how to do decryption using the key and IV.

 

Gatewayscript code

==================

var apim = require('apim');

 

var body = apim.getvariable('message.body');

var xmlString = XML.stringify(body);

 

var request = apim.getvariable('request.body');

 

console.error("Root", request);

 

var domTree;

try {

    // use XML.parse() to parse the xmlString into a DOM tree structure

    domTree = XML.parse(xmlString);

} catch (error) {

    // there was an error while parsing the XML string

    console.error('error parsing XML string ' + error);

    throw error;

}

console.error("domTree :",domTree.toString());

var transform = require('transform');

//Get the root tag of decrypted random response

var decryptedRandomResp = domTree.getElementsByTagName("decryptedResponse").item(0);

var decryptedRandomNo = decryptedRandomResp.getElementsByTagName("decryptedText");

//Get the decrypted Random No

let RandomNo = decryptedRandomNo.item(0).textContent;

console.error("Random No :",RandomNo);

 

var AccountNo = request.AccountInquiryReq.AccountId;

console.error("AccountNo :",AccountNo);

//var IV = RandomNo.toString().substring(8);

var IV ="EE8C7035E524A55C";

var crypto = require('crypto');

var decipher = crypto.createDecipheriv('aes256-cbc',Buffer.from(RandomNo, 'utf8'),Buffer.from(IV, 'utf8')); 

console.error("Decipheriv :",decipher);

decipher.update(AccountNo,'base64')

console.error("AccountDecipher :",decipher);

var originalPlainText = decipher.final();

console.error("AccountNo :",originalPlainText);

 

The below error is encountered while doing decryption. Please advise how to implement decryption.

The APIProbePeering gateway peering instance in the APICSIT domain is configured to use the system default for its password alias. This configuration is classified as a security vulnerability.

The GatewayServicePeering gateway peering instance in the APICSIT domain is configured to use the system default for its password alias. This configuration is classified as a security vulnerability.

The RateLimitPeering gateway peering instance in the APICSIT domain is configured to use the system default for its password alias. This configuration is classified as a security vulnerability.

The ScriptRateLimitPeering gateway peering instance in the APICSIT domain is configured to use the system default for its password alias. This configuration is classified as a security vulnerability.

The SubscriptionPeering gateway peering instance in the APICSIT domain is configured to use the system default for its password alias. This configuration is classified as a security vulnerability.

The TokenManagerPeering gateway peering instance in the APICSIT domain is configured to use the system default for its password alias. This configuration is classified as a security vulnerability.

   System Log

Help

Refresh LogTarget:Filter:  

19 Apr 2023 16:49:27

time	category	level	tid	direction	client	msgid	message	Show last   50  100  all
Wednesday, 19 April 2023
16:49:05			21828893	error	10.9.63.91	0x00c30044	apigw (APICSIT): Failed to process the GatewayScript file.
16:49:05			21828893	request	10.9.63.91	0x80c00009	apigw (APICSIT): request default-assembly-func-rule #1 assembly-function-call (default-func-call-global): Performed function call assembly action. failed: Failed to process the GatewayScript file.
16:49:05			21828893	request	10.9.63.91	0x88c00023	apigw (APICSIT): Assembly rule 'default-assembly-rule-global' is interrupted: Failed to process the GatewayScript file..
16:49:05			21828893	request	10.9.63.91	0x80c00009	apigw (APICSIT): request default-assembly-rule-global #3 assembly-function-call (default-func-call-main): Performed function call assembly action. failed: Failed to process the GatewayScript file.
16:49:05			21828893	request	10.9.63.91	0x88c00023	apigw (APICSIT): Assembly rule 'default-assembly-rule-main' is interrupted: Failed to process the GatewayScript file..
16:49:05			21828893	request	10.9.63.91	0x80c00009	apigw (APICSIT): request default-assembly-rule-main #1 api-execute: Performed the API execute action. failed: Failed to process the GatewayScript file.
16:49:05			21828893	request	10.9.63.91	0x88c00023	apigw (APICSIT): Assembly rule 'bankmuscat_sandbox_account_1.0.0_rule_0' is interrupted: Failed to process the GatewayScript file..
16:49:05			21828893	request	10.9.63.91	0x80c00009	apigw (APICSIT): request bankmuscat_sandbox_account_1.0.0_rule_0 #3 assembly-gatewayscript (bankmuscat_sandbox_account_1.0.0_gatewayscript_1): Performed the assembly GatewayScript action. failed: Failed to process the GatewayScript file.
16:49:05			21828893	request	10.9.63.91	0x85800007	apigw (APICSIT): GatewayScript processing Error 'Error: *NULL decryption result* In file 'gatewayscript:///modules/crypto.js' line:688, stack:Error: *NULL decryption result* at drJSDecipher.final (gatewayscript:///modules/crypto.js:688:13) at Object.<anonymous> (temporary:///js/bankmuscat_sandbox_account_1.0.0_gatewayscript_1.js:38:34) at Script.execute (gatewayscript:///datapower.js:158:24) at Object.<anonymous> (gatewayscript:///datapower.js:585:55)'
16:49:05			21828893	request	10.9.63.91	0x8580005c	apigw (APICSIT): *NULL decryption result*
16:49:05			21828893	request	10.9.63.91	0x8580005c	apigw (APICSIT): AccountDecipher : Decipher { _data: Buffers { buffers: [ <Buffer b0 25 45 e4 75 b1 ee a6 b8 81 b6 92 2e df c9 a1 a7 a4 5a 84 a3 e2 71 22 75 10 b1 84 87 80 19 43> ], length: 32 }, _autoPadding: true, _alg: 'aes256-cbc' }
16:49:05			21828893	request	10.9.63.91	0x8580005c	apigw (APICSIT): Decipheriv : Decipher { _data: Buffers { buffers: [], length: 0 }, _autoPadding: true, _alg: 'aes256-cbc' }
16:49:05			21828893	request	10.9.63.91	0x8580005c	apigw (APICSIT): AccountNo : 'sCVF5HWx7qa4gbaSLt/JoaekWoSj4nEidRCxhIeAGUM='
16:49:05			21828893	request	10.9.63.91	0x8580005c	apigw (APICSIT): Random No : '1V1jfXhGhIGDbW9vc0ag4RrCzdUYft9N'
16:49:05			21828893	request	10.9.63.91	0x8580005c	apigw (APICSIT): domTree : '[object Object]'
16:49:05			21828893	request	10.9.63.91	0x8580005c	apigw (APICSIT): Root { AccountInquiryReq: { ClientCode: 'ABC', ReqRefNo: '20191202103800', ReqTimestamp: '2019-12-02T10:38:00.000', Operation: 'GetAccountBalance', CryptoString: 'O19jjIJt5Olwht4du2Y5hPdFTbF9Y6OKCvU8VwIADrhcbNKzfJU9w7MlJye542GkDMTPRLXU27mGjGrEN1oHir1racKY+LzY8UKfaIKcrF13LZ7TTvkwIDZkjuEyfpHUIqdhPocvXJPuSI6C9q/96WgYJ8AxieH//DfuuhNwZzfWGTxDUrwjRRlBvc6eOiDZkV3CYOo3MWKyZ2oKWX51kabWtC+lmsgATE+9inUl8UTet7M1fuisXcxMK9C9589pIkYdzQgq1Qu1JkswZmdecGFDr/0hMHXbl/KaDHiiU7L+D6t3hL40COk5A7gQYw33Ri6+HPz9oMz1IL5hBl/F5Q==', AccountId: 'sCVF5HWx7qa4gbaSLt/JoaekWoSj4nEidRCxhIeAGUM=' } }

------------------------------
Ashok Beshra
------------------------------