Adding a JSON Web decrypt action

How to define a JSON Web decrypt action.

About this task

A JSON Web decrypt action treats the input document as a JWE object and decrypts it. The output is the deciphered plaintext.

Decryption uses the key transport algorithm in the incoming document.

Attention:
For HSM-equipped appliances with component firmware 2.09-0702 and later, the following restrictions apply.
  • The key transport algorithm must be rsa-oaep-mgf1p or rsa-oaep.
  • OAEP parameters are unsupported.
  • The OAEP digest algorithm cannot be md5 or ripemd160.
  • For the rsa-oaep key transport algorithm, the OAEP digest algorithm and the MGF algorithm must match.

For HSM-equipped appliances with component firmware 2.04-49 and earlier, the key transport algorithm must be rsa-1_5.

Procedure

  1. Drag the Decrypt icon to the configuration path.
  2. Double-click the Decrypt icon.
  3. From the Standard list, select JSON Web Security.
  4. Select the Identifier type to verify the recipient.
    Recipient identifiers
      Use one or more Recipient Identifier configurations to decipher the JWE Encrypted Key for one of the recipients.
    Single identifier - private key
      Use a key alias to decipher the JWE Encrypted Key for the recipients.
    Single identifier - shared secret key
      Use a shared secret key to decipher the JWE Encrypted Key for the recipients.
    Direct key
      Use a shared secret key as the CEK.
  5. Define the identifier: recipient identifiers, a single private key, or a shared secret key.
    • When the Identifier type is Recipient identifiers, manage recipient identifiers.
    • When the Identifier type is Single identifier - private key, select a key alias.
    • When the Identifier type is Single identifier - shared secret key or Direct key, select a shared secret key.
  6. In the Output field, specify the context of the message after processing.
  7. Click Done.

What to do next

If this action is the last one for the rule, click Apply policy. Otherwise, drag another icon to the configuration path.
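
The Identifier type selected in step 4 has to match how the incoming JWE protects its CEK, which is visible in the alg header parameter. The following Python sketch is an added example, not IBM code: it reads the header of a compact or JSON-serialized JWE and suggests an Identifier type. The alg names come from RFC 7518; the mapping from alg to Identifier type, the function names, and the sample are assumptions made for this example.

```python
import base64
import json

# Key-management "alg" values from RFC 7518, section 4.1 (subset).
RSA_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256"}
SECRET_WRAP_ALGS = {"A128KW", "A192KW", "A256KW",
                    "A128GCMKW", "A192GCMKW", "A256GCMKW"}

def b64url_json(segment):
    """Decode a base64url segment (padding stripped, per RFC 7515) as JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def recipient_algs(jwe):
    """Return the key-management alg of each recipient in a JWE."""
    text = jwe.strip()
    if not text.startswith("{"):                 # compact serialization
        parts = text.split(".")
        if len(parts) != 5:
            raise ValueError("compact JWE must have five segments")
        return [b64url_json(parts[0]).get("alg")]
    doc = json.loads(text)                       # JSON serialization
    shared = {}
    if "protected" in doc:
        shared.update(b64url_json(doc["protected"]))
    shared.update(doc.get("unprotected", {}))
    # The flattened form carries a single recipient's header at the top level.
    recipients = doc.get("recipients") or [{"header": doc.get("header", {})}]
    return [{**shared, **r.get("header", {})}.get("alg") for r in recipients]

def suggest_identifier_type(jwe):
    """Map the algs found to an Identifier type (assumed mapping)."""
    algs = recipient_algs(jwe)
    if len(algs) > 1:
        return "Recipient identifiers", algs
    alg = algs[0]
    if alg == "dir":                             # shared secret is the CEK
        return "Direct key", algs
    if alg in RSA_ALGS:
        return "Single identifier - private key", algs
    if alg in SECRET_WRAP_ALGS:
        return "Single identifier - shared secret key", algs
    raise ValueError(f"alg not covered by this example: {alg!r}")

# Constructed sample (placeholder segments, not real ciphertext).
HDR = base64.urlsafe_b64encode(b'{"alg":"dir","enc":"A128GCM"}').rstrip(b"=").decode()
SAMPLE_COMPACT = f"{HDR}..aXY.Y3Q.dGFn"
```

The returned alg list also shows which RSA key transport algorithm the sender used, which is the value the HSM restrictions above depend on.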