Any better solution than creating custom scoped app that contains CryptoJS library

lonesoac01 · 4 weeks ago

Hello all,

I am looking for a better solution than the below. Anyone have anything more modern or elegant than this?

Signing API Requests with CryptoJS - Live Coding Happy Hour for 2019-01-18 - YouTube

Thank you.

Naveen20 · 3 weeks ago

Here are alternatives depending on what you need:

1. ServiceNow's Built-in GlideCryptoModule

This is the first thing to check. ServiceNow added native crypto support that covers many common use cases without any third-party library:

javascript

var crypto = new GlideCryptoModule();
// AES encryption/decryption
var encrypted = crypto.encrypt('AES', key, plaintext);
var decrypted = crypto.decrypt('AES', key, encrypted);

It handles AES, HmacSHA256, and other standard algorithms natively. No Script Include bloat needed.

2. GlideDigest for hashing

If you just need HMAC or SHA hashing (not full JWT signing), this is clean and platform-native:

javascript

var gd = new GlideDigest();
var hmac = gd.generateHMAC('SHA-256', secretKey, message);
var hash = gd.getMD5Hash(data); // or SHA1, SHA256

3. Scoped sn_auth.JWT for JWT generation (if applicable)

If the use case is specifically JWT/OAuth, ServiceNow now has built-in JWT support through the OAuth framework — no need to manually sign tokens with jsrsasign.

4. If you truly need jsrsasign-level functionality

If you need RSA signing, PEM key loading, or JWS that the built-in APIs don't cover, the jsrsasign approach from the screenshot is still the most proven path. But you can make it cleaner by only including the specific modules you need rather than the entire jsrsasign-all-min.js — the library is modular on npm, so you could grab just jsrsasign/lib/jsrsasign-jwsjs or similar slices.

5. Mid Server approach for heavy crypto

If this is for an integration (like HP MPS mentioned in the screenshot), running the crypto logic on a MID Server gives you full Java/Node.js capabilities without the scoped app sandbox restrictions. You get javax.crypto.* without the Rhino limitations.

lonesoac01 · 3 weeks ago

At this time, I have not yet validated whether CLEE is enabled in our instance, nor have I tested or followed up on the other suggested options. I plan to confirm CLEE availability and further evaluate the recommended approaches to determine the best path forward for our use case.

I will provide an update once this verification and testing is completed.

I created CS9119041 the same day I created this post. You might want to steal this record from your teammate @Naveen20

lonesoac01 · yesterday

I tried the first solution that @Naveen20 gave me. I am using the code of:

(function execute(inputs, outputs) {
    var apiSecret = inputs.apisecret;
    var responsebody = JSON.parse(inputs.responsebody);
    var encryptedSecret = responsebody.encryptedSecret;
    outputs.encryptedsecret = encryptedSecret;
    var expirydate = responsebody.expiryDate;

    var cry[p]to = new Glidecry[p]toModule();
    var algorithm = 'AES';
    var newSecret = '';

    if (apiSecret && encryptedSecret) {
        try {
            newSecret = cry[p]to.decrypt(algorithm, apiSecret, String(encryptedSecret));
        } catch (e) {
            gs.error('Script step decrypt failed: {0}', e.message || e);
        }
    } else {
        gs.warn('Script step decrypt: missing apisecret or encryptedsecret');
    }

    outputs.newsecret = newSecret;
    outputs.expirydate = expirydate;
})(inputs, outputs);

I am seeing the encryptedsecret and expirydate values being shown in the Action Executions, but I am not seeing the newsecret. What am I missing here?

lonesoac01 · yesterday

My apologies for butchering the word cry[p]to, but this forum would NOT let me post the full word.