Azure API management policy error - Usage of type 'System.Security.Cryptography.Aes' is not supported within expressions

Question

Hi Team,

I have encrypted the text in node js using 'aes-256-cbc' algorithm, this encrypted text will be shared in request header to APIM, but when I tried to decrypt the text using 'System.Security.Cryptography.Aes' in APIM policy, I get the below error.

"Error in element 'set-body' on line 262, column 10: Usage of type 'System.Security.Cryptography.Aes' is not supported within expressions".

However, same c# code execute in .net (6.0).

Node JS code to encrypt data:

[http://tpcg.io/_WZY3P0]

  const crypto = require('crypto');
  const secret_key= 'bf3c199c2470cb477d907b1e0917c17b';
  const secret_iv = "5183666c72eec9e4";
  const ecnryption_method = "aes-256-cbc";
  var Name = 'Jaydeep Suryawanshi';
  const encrypt = ((text) => 
  {
     let cipher = crypto.createCipheriv(ecnryption_method, secret_key,secret_iv);
     let encrypted = cipher.update(text, 'utf8', 'base64');
     encrypted += cipher.final('base64');
     return encrypted.toString();
  });
  console.log(encrypt(Name)); 

APIM policy Code :

 <outbound>
<set-body>@{   
    var aesManaged = Aes.Create();
    aesManaged.IV = System.Text.Encoding.UTF8.GetBytes("5183666c72eec9e4");
    aesManaged.Key = System.Text.Encoding.UTF8.GetBytes("bf3c199c2470cb477d907b1e0917c17b");
    aesManaged.Mode= CipherMode.CBC;

    var memoryStream = new MemoryStream(cipherText);
    var cryptoStream = new CryptoStream(memoryStream,aesCrypto.CreateDecryptor(Key, IV),CryptoStreamMode.Read);
    plaintext = new StreamReader(cryptoStream).ReadToEnd();
    return plaintext;       
}</set-body>
 </outbound> 

Answer 1

Jaydeep Suryawanshi Thank you for posting your question in Microsoft Q&A. Yes System.Security.Cryptography.Aes is not supported in policy expressions and the list of supported CLR types are listed in .NET Framework types allowed in policy expressions.

We do have a sample policy snippet: Encrypt data using expressions.policy to encrypt text using AES algorithm and you can modify it for decrypt scenario like below (default mode is CBC):

<set-body>@{ 
            byte[] IV = System.Text.Encoding.UTF8.GetBytes("5183666c72eec9e4");
            byte[] Key = System.Text.Encoding.UTF8.GetBytes("bf3c199c2470cb477d907b1e0917c17b");
            byte[] textinBytes = Encoding.UTF8.GetBytes("cipherText");
            byte[] decryptedBytes = textinBytes.Decrypt("Aes", Key, IV);            
            string plaintext = Convert.ToBase64String(decryptedBytes);
            return plaintext;       
        }</set-body>

For any feedback on supported policy expressions, feel free to submit via http://aka.ms/apimwish and our product team can review and prioritize it. I hope this helps with your question and let me know if you have any other questions.

---

If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

Answer 2

Hi MuthuKumaran, Thank you for you response.

I had tried this policy earlier which is available in Github (Ref) but it was not working and was throwing below error

"CS1061-'byte[]' does not contain a definition for 'Encrypt' and no accessible extension method 'Encrypt' accepting a first argument of type 'byte[]' could be found (are you missing a using directive or an assembly reference?)".

I revalidated my policy and after doing some minor changes it started working. Pls check below latest code. Thanks for you clue.

byte[] IV = System.Text.Encoding.UTF8.GetBytes("5183666c72eec9e4");
        byte[] Key = System.Text.Encoding.UTF8.GetBytes("bf3c199c2470cb477d907b1e0917c17b");
        byte[] textinBytes = Convert.FromBase64String("t/esIUJIgM5TU5+EsZQASCiAYWrcvMGyBvmvaHcdtdU=");
        var decryptedBytes = textinBytes.Decrypt("Aes", Key, IV);
        return decryptedBytes;