
ApigeeX - generate JWE error while using java callout (jar) for a signed JWT

Hi @dchiesa1, we are seeing the error below when we try to generate a JWE for a signed payload. Is there anything that we are missing?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout continueOnError="false" enabled="true" name="JC-GenerateJWE">
  <DisplayName>JC-GenerateJWE</DisplayName>
  <Properties>
    <Property name="key-encryption">RSA-OAEP-256</Property>
    <Property name="content-encryption">A256GCM</Property>
    <Property name="payload">{signed_payload}</Property>
    <Property name="expiry">1h</Property>
    <!-- the context variable "my_public_key" must hold a PEM-encoded RSA public key -->
    <Property name="public-key">{private.publickey}</Property>
  </Properties>
  <ClassName>com.google.apigee.callouts.GenerateEncryptedJwt</ClassName>
  <ResourceURL>java://apigee-callout-encrypted-jwt-20250403.jar</ResourceURL>
</JavaCallout>

Error:

ejwt_exception: java.lang.IllegalStateException: unable to read anything when decoding public key

ejwt_error: unable to read anything when decoding public key


Hey there!

The exception message

ejwt_exception: java.lang.IllegalStateException: unable to read anything when decoding public key

...is pretty clear. What is contained in the variable private.publickey? As the comment in the policy configuration states, the context variable must hold a PEM-encoded RSA public key. This will look something like this:

[screenshot: an example of a PEM-encoded RSA public key]

Is that what you have?

By the way, you have the variable prefixed with private. But the public key need not be private. It's a public key; it's shareable. The private. prefix won't affect the behavior of the callout, and it is not related to the error you're seeing. Just something I thought I would mention.

Hey @dchiesa1, we are storing the private key for signing and the public key for JWE in the KVM and retrieving them. The code below is used for signing, and it works. It is not working for JWE.

<GenerateJWS name="Generate-JWS">
  <DisplayName>Generate JWS</DisplayName>
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="private.signprivatekey"/>
  </PrivateKey>
  <Payload ref="request.content"/>
  <AdditionalHeaders>
    <Claim name="issuedby">apigeex</Claim>
  </AdditionalHeaders>
  <OutputVariable>signed_payload</OutputVariable>
</GenerateJWS>

and

<JavaCallout continueOnError="false" enabled="true" name="JC-GenerateJWE">
  <DisplayName>JC-GenerateJWE</DisplayName>
  <Properties>
    <Property name="key-encryption">RSA-OAEP-256</Property>
    <Property name="content-encryption">A256GCM</Property>
    <Property name="payload">{signed_payload}</Property>
    <Property name="expiry">1h</Property>
    <!-- the context variable "my_public_key" must hold a PEM-encoded RSA public
         key -->
    <Property name="public-key">{private.publickey}</Property>
  </Properties>
  <ClassName>com.google.apigee.callouts.GenerateEncryptedJwt</ClassName>
  <ResourceURL>java://apigee-callout-encrypted-jwt-20250403.jar</ResourceURL>
</JavaCallout>

Do you think that the className I used above is correct for generating JWE? Also, can I use

  <Property name="public-key">
    <Value ref="private.publickey"/>
  </Property>

instead of <Property name="public-key">{private.publickey}</Property>?

OK, but you did not answer my question. I asked you:

What is contained in the variable private.publickey?

Can you verify / check the contents of that variable? The error is telling you that the Callout cannot find a public key there. You have shown me another policy that works. But that other policy is not reading the private.publickey variable. You have not told me what is in that variable.

The information I have is pointing to that variable. The custom policy is telling you that the variable does not contain a public key of the form I showed. You need to check the variable.

By the way, I recorded a screencast for this scenario, Signed JWT wrapped in JWE, a few weeks ago.


@raghunathapalle wrote:

do you think that the className that I used above is correct for generating JWE ?


First, we need to be careful about terms. JWE is a general thing, and encrypted JWT is a specific kind of JWE. I've gone over this distinction before, here on the community site, and in YT screencasts I've recorded, I think, like this one. Basically a JWE is an encrypted wrapper on "anything", and an encrypted JWT is a specific kind of JWE which is an encrypted wrapper on a JSON payload. It's something like "All squares are rectangles; some rectangles are not squares." All encrypted JWTs are JWEs; some JWEs are encrypted JWTs.

The class name you are using, com.google.apigee.callouts.GenerateEncryptedJwt, comes from this custom Callout project. When you use that, it generates an encrypted JWT, which is also a JWE. I don't know if that's what you want. Only you can say.

Even so, the GenerateEncryptedJwt and the GenerateJwe classes work the same with respect to de-serializing the public key. The class name, regardless of whether it is the one you want or not, is not the source of the problem you are observing.


@raghunathapalle wrote:

Also, can I use

  <Property name="public-key">
    <Value ref="private.publickey"/>
  </Property>

instead of <Property name="public-key">{private.publickey}</Property>?


No. The README for the Callout shows you how to do it. Assuming the value of the private.publickey variable is good, this is the correct configuration syntax:

  <Property name="public-key">{private.publickey}</Property>
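The check dchiesa1 keeps asking for, as an added example that is not code from this thread or from the apigee-callout-encrypted-jwt project: a small standard-library Python script that classifies what a flow variable actually holds before it is handed to a callout expecting a PEM-encoded RSA public key. It goes a little beyond the thread's single error and distinguishes several ways a PEM commonly gets mangled on its way through a KVM; those failure modes (empty lookup, JSON-escaped newlines, a private key stored under the public-key name, PKCS#1 instead of SubjectPublicKeyInfo armor) are assumptions for illustration, not findings from the thread. The "good" key it builds is a constructed toy SubjectPublicKeyInfo around a tiny modulus, not a real key.

```python
"""Classify what an Apigee flow variable holds before a callout that expects a
PEM-encoded RSA public key tries to parse it.

Added example for this thread; not code from the thread or from the
apigee-callout-encrypted-jwt project.  Standard library only.
"""
import base64
import re

# DER AlgorithmIdentifier for rsaEncryption: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

# PEM armor; the backreference makes BEGIN and END labels match each other
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def make_toy_rsa_spki_pem(modulus: int, exponent: int = 65537) -> str:
    """Build a SubjectPublicKeyInfo PEM (BEGIN PUBLIC KEY) around two integers.
    Constructed sample for the checker below; the modulus is tiny and this is
    not a usable key."""
    def _int(v: int) -> bytes:
        # an extra leading byte when the top bit is set keeps the INTEGER positive
        return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    rsa_public_key = _der(0x30, _int(modulus) + _int(exponent))
    # BIT STRING payload: 0x00 = zero unused bits, then the RSAPublicKey SEQUENCE
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_public_key))
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def diagnose_public_key_variable(value) -> str:
    """One-line verdict on the variable contents.  The failure cases are
    assumptions about how a PEM commonly gets mangled in a KVM, not findings
    from the thread."""
    if value is None or not value.strip():
        return "empty: the KVM lookup or the variable name is wrong"
    if "\\n" in value and "\n" not in value:
        return "escaped newlines: value holds literal backslash-n, so it was JSON-escaped when stored"
    m = PEM_RE.search(value)
    if m is None:
        return "no PEM armor: not a PEM-encoded key at all"
    label, body = m.group(1), m.group(2)
    if "PRIVATE" in label:
        return f"{label}: this is a private key, not a public key"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return f"{label}: armor is present but the base64 body is corrupt"
    if label == "RSA PUBLIC KEY":
        return "RSA PUBLIC KEY: PKCS#1 armor; convert to SubjectPublicKeyInfo (BEGIN PUBLIC KEY) if the callout rejects it"
    if label != "PUBLIC KEY":
        return f"{label}: unexpected PEM label"
    if not der.startswith(b"\x30") or RSA_ALG_ID not in der:
        return "PUBLIC KEY: not an RSA SubjectPublicKeyInfo (algorithm is not rsaEncryption)"
    return "ok: PEM-encoded RSA public key (SubjectPublicKeyInfo)"


if __name__ == "__main__":
    good = make_toy_rsa_spki_pem(0xC0FFEE1234567890ABCDEF)  # constructed toy key
    samples = {
        "as expected": good,
        "empty lookup": "",
        "json-escaped": good.replace("\n", "\\n"),
        "private key by mistake": good.replace("PUBLIC KEY", "RSA PRIVATE KEY"),
        "garbage": "not a key",
    }
    for name, value in samples.items():
        print(f"{name:24s} -> {diagnose_public_key_variable(value)}")
```

In a proxy you would feed the script the value seen in a trace session or dumped through an AssignMessage into a response header; the point is that the callout's "unable to read anything" message is raised before any crypto happens, so the fix is in the variable, not in the class name or the property syntax.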