Hi,
I'm trying to create a JWKS endpoint from Apigee with No Target and am confused about crypto capabilities in Apigee JavaScript policies.
What I'm trying to do:
My confusion: I've been trying different approaches but nothing works. I have omitted some code which simply gets the `rsakey` from Apigee KVM, cleans it, and then tries to decode it. After this, my main goal is to retrieve `modulus` and `exponent`.
My main questions:
@dchiesa1 In the linked conversation above, you recommended Java callouts for crypto operations. Should I go that route instead of struggling with JavaScript?
Bottom line: Should I work with crypto-js (manually imported) or just use Java? Any guidance would be really helpful!
Environment: Apigee X, JavaScript policy
Why is Apigee's crypto object different from the crypto-js library? Is this due to security restrictions?
I don't know WHY, but the fact is, it's not the same. It's not intended to be the same. It's unfortunate that the names are similar. The Apigee crypto object is not crypto-js.
Should I manually include crypto-js as mentioned in this thread: https://www.googlecloudcommunity.com/gc/Apigee/Using-crypto-js-node-modules-in-Apigee-Javascript-pol...
I dunno. Maybe? Maybe not. It's possible to do, I think. Performing cryptography operations in JavaScript would not be my FIRST choice.
Or should I use a Java custom policy instead?
I don't know that either. It depends on what you're really trying to do.
A few years ago I produced a screencast describing one way you might expose a JWKS with Apigee. This example takes a different approach from what I think you are doing: it pre-computes the JWKS and loads that pre-computed thing into the KVM. And then Apigee is just returning static text when someone or something requests the JWKS. When you update the keypairs, then you can re-compute the JWKS, and load it into the KVM again, and Apigee still serves the updated JWKS. No crypto necessary in Apigee. This seems simpler to me.
Find the screencast here: https://youtu.be/4lCob4k2z0Y
and find the example proxy here: https://github.com/DinoChiesa/Apigee-JWT-with-JWKS
This example used Apigee Edge; the same stuff should work on Apigee X or hybrid.
Hello @gs3bopar, we saw your question and wanted to let you know we’re keeping it on our radar. We’ll also invite others in the community to pitch in and share their thoughts.