-1

I am using ESAPI Base64 encryption and decryption shown as is in: http://www.programcreek.com/java-api-examples/index.php?api=org.owasp.esapi.codecs.Base64

This is how my code looks:

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;
import org.apache.commons.codec.binary.Base64;

class SampleMain {

    public String decrypt2(String cryptedText) {
        String clearText = null;
        try {
            // decodeBase64(String) decodes whatever text encrypt2() handed back
            CipherText cipherText = CipherText.fromPortableSerializedBytes(Base64.decodeBase64(cryptedText));
            clearText = ESAPI.encryptor().decrypt(cipherText).toString();
        }
        catch (EncryptionException e) {
            System.out.println("EsapiEncryptor.decrypt: " + e.getMessage());
            e.printStackTrace();
        }
        return clearText.toString();
    }

    public String encrypt2(String clearText) {
        String cryptedText = null;
        try {
            CipherText cipherText = ESAPI.encryptor().encrypt(new PlainText(clearText));
            // encodeBase64() returns byte[]; it is assigned straight to a String here
            cryptedText = Base64.encodeBase64(cipherText.asPortableSerializedByteArray());
        }
        catch (EncryptionException e) {
            System.out.println("EsapiEncryptor.encrypt: " + e.getMessage());
            e.printStackTrace();
        }
        return cryptedText;
    }

    public static void main(String[] args) throws EncryptionException {
        String myplaintext = "MyPlaintext";
        SampleMain sample = new SampleMain();

        String enString = sample.encrypt2(myplaintext);
        System.out.println("-----------enString-----------: " + enString);

        String deString = sample.decrypt2(enString);
        System.out.println("-----------deString-----------: " + deString);
    }

}

But when I try to run this simple program I get the following exception:

Apr 01, 2017 12:43:30 PM org.owasp.esapi.reference.JavaLogFactory$JavaLogger log
WARNING: [SECURITY FAILURE Anonymous:null@unknown -> /DefaultName/IntrusionDetector] Likely tampering with KDF version on serialized ciphertext.KDF version read from serialized ciphertext (123190483) is out of range. Valid range for KDF version is [20110203, 99991231].
org.owasp.esapi.errors.EncryptionException: Version info from serialized ciphertext not in valid range.
    at org.owasp.esapi.crypto.CipherTextSerializer.convertToCipherText(CipherTextSerializer.java:299)
    at org.owasp.esapi.crypto.CipherTextSerializer.<init>(CipherTextSerializer.java:80)
    at org.owasp.esapi.crypto.CipherText.fromPortableSerializedBytes(CipherText.java:176)
    at org.owasp.esapi.crypto.CipherText$fromPortableSerializedBytes$0.call(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
    at gov.gsa.dss.test.SampleMain.decrypt2(SampleMain.groovy:30)
    at gov.gsa.dss.test.SampleMain$decrypt2$0.call(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
    at gov.gsa.dss.test.SampleMain.main(SampleMain.groovy:59)

Any ideas why I would be getting this error for such a simple program? Thanks.

TechDiva
  • Why not show the output of the program as well? You only show the exception. – President James K. Polk Apr 01 '17 at 17:33
  • This is how the output looks: ----------enString-----------: [B@1e800aaa Apr 01, 2017 12:43:30 PM org.owasp.esapi.reference.JavaLogFactory$JavaLogger log WARNING: [SECURITY FAILURE Anonymous:null@unknown -> /DefaultName/CryptoHelper] Possible data tampering. Encountered invalid KDF version #. Apr 01, 2017 12:43:30 PM org.owasp.esapi.reference.JavaLogFactory$JavaLogger log.... – TechDiva Apr 01 '17 at 17:38
  • Your code doesn't even compile, yet you have provided the stack trace to a runtime exception from successfully compiled code. Why not show the code that actually is causing your problem, rather than some unrelated code? – President James K. Polk Apr 01 '17 at 17:54
  • Sorry, I should have mentioned that this is groovy code and not entirely Java code. It does compile though. – TechDiva Apr 01 '17 at 18:03

1 Answer

0

This works for me:

import java.nio.charset.StandardCharsets
import org.apache.commons.codec.binary.Base64
import org.owasp.esapi.ESAPI
import org.owasp.esapi.crypto.CipherText
import org.owasp.esapi.crypto.PlainText

public String decrypt2(String encryptedText) {
    // hand the decoder a byte[] rather than a String
    byte[] encryptedTextTextAsBytes = encryptedText.getBytes(StandardCharsets.UTF_8)
    CipherText cipherText = CipherText.fromPortableSerializedBytes(Base64.decodeBase64(encryptedTextTextAsBytes))
    ESAPI.encryptor().decrypt(cipherText).toString()
}

public String encrypt2(String clearText) {
    CipherText cipherText = ESAPI.encryptor().encrypt(new PlainText(clearText))
    // encodeBase64() returns byte[]; build the String from it explicitly instead of letting Groovy coerce it
    new String(Base64.encodeBase64(cipherText.asPortableSerializedByteArray()), StandardCharsets.UTF_8)
}

You are passing a String to Base64.decodeBase64(), it might compile but I'm not sure of what Groovy does with that. You should pass a byte[] (see how I obtain encryptedTextTextAsBytes). It might explain your error, it might not. I guess you did not post the exact code that produces the error you mention.

Hugues M.
  • Thank you @Hugues Moreau, you are right I had to pass byte[] and it worked for me. (The code in the original post is the exact code that produced the error for me). Appreciate your help!!! – TechDiva Apr 02 '17 at 02:48