6

I am using Jasypt's CLI for testing encryption and decryption. The encryption is successful for all the algorithms but decryption fails for stronger algorithms. Here is the encryption and decryption for PBEWithMD5AndDES:

Encryption:

prakash@prakash:~$ java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.2/jasypt-1.9.2.jar  org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI password=secret algorithm=PBEWITHMD5ANDDES input=encryptThis

----ENVIRONMENT-----------------

Runtime: Oracle Corporation OpenJDK 64-Bit Server VM 11.0.2+9-Ubuntu-3ubuntu118.04.3 



----ARGUMENTS-------------------

input: encryptThis
password: secret
algorithm: PBEWITHMD5ANDDES



----OUTPUT----------------------

pZRJ9Egt+OcjBX28cSJUYDbvqiKIUVxR

Decryption:

prakash@prakash:~$ java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.2/jasypt-1.9.2.jar  org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI password=secret algorithm=PBEWITHMD5ANDDES input=pZRJ9Egt+OcjBX28cSJUYDbvqiKIUVxR

----ENVIRONMENT-----------------

Runtime: Oracle Corporation OpenJDK 64-Bit Server VM 11.0.2+9-Ubuntu-3ubuntu118.04.3 



----ARGUMENTS-------------------

input: pZRJ9Egt+OcjBX28cSJUYDbvqiKIUVxR
password: secret
algorithm: PBEWITHMD5ANDDES



----OUTPUT----------------------

encryptThis

Now if I change the algorithm to PBEWITHHMACSHA1ANDAES_128, here are the results:

Encryption:

prakash@prakash:~$ java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.2/jasypt-1.9.2.jar  org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI password=secret algorithm=PBEWITHHMACSHA1ANDAES_128 input=encryptThis

----ENVIRONMENT-----------------

Runtime: Oracle Corporation OpenJDK 64-Bit Server VM 11.0.2+9-Ubuntu-3ubuntu118.04.3 



----ARGUMENTS-------------------

input: encryptThis
password: secret
algorithm: PBEWITHHMACSHA1ANDAES_128



----OUTPUT----------------------

tAIe6mUS6uBCG/OkHJWT2LWRagHOMBxwK/v9L7SGZIA=

Decryption:

prakash@prakash:~$ java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.2/jasypt-1.9.2.jar  org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI password=secret algorithm=PBEWITHHMACSHA1ANDAES_128 input=tAIe6mUS6uBCG/OkHJWT2LWRagHOMBxwK/v9L7SGZIA=

----ENVIRONMENT-----------------

Runtime: Oracle Corporation OpenJDK 64-Bit Server VM 11.0.2+9-Ubuntu-3ubuntu118.04.3 



----ARGUMENTS-------------------

input: tAIe6mUS6uBCG/OkHJWT2LWRagHOMBxwK/v9L7SGZIA=
password: secret
algorithm: PBEWITHHMACSHA1ANDAES_128



----ERROR-----------------------

Operation not possible (Bad input or parameters)

The jasypt version I'm using is 2.0.0 and I've tried this on both Java 8 and Java 11. On both machines I have JCE's unlimited strength policy enabled.

The algorithms that were decrypted successfully are: PBEWITHMD5ANDDES, PBEWITHMD5ANDTRIPLEDES, PBEWITHSHA1ANDDESEDE, PBEWITHSHA1ANDRC2_128, PBEWITHSHA1ANDRC2_40, PBEWITHSHA1ANDRC4_128, PBEWITHSHA1ANDRC4_40. The algorithms with which decryption fails are: PBEWITHHMACSHA1ANDAES_128, PBEWITHHMACSHA1ANDAES_256, PBEWITHHMACSHA224ANDAES_128, PBEWITHHMACSHA224ANDAES_256, PBEWITHHMACSHA256ANDAES_128, PBEWITHHMACSHA256ANDAES_256, PBEWITHHMACSHA384ANDAES_128, PBEWITHHMACSHA384ANDAES_256, PBEWITHHMACSHA512ANDAES_128, PBEWITHHMACSHA512ANDAES_256.

I've been stuck at this problem for three days. Someone please help me out!

Edit: After suggestions from Maarten, I went ahead and copied the code from JasyptPBEStringDecryptionCLI and made my own class in the hope of reproducing the error through code and getting the stack trace. Here is the code I wrote:

package com.example.HelloWorldApiUbuntu;

import org.jasypt.intf.service.JasyptStatelessService;

// Stripped-down copy of what JasyptPBEStringDecryptionCLI does internally: the CLI parses its
// key=value arguments and hands them to JasyptStatelessService.decrypt(). In Jasypt 1.9.2 every
// setting comes in three variants (literal value, environment variable name, system property
// name); only the literal values are used here. (1.9.3 inserts three more parameters for the
// IV generator class name after the salt generator ones, so this call does not compile there.)
public class TestingJasyptStringDecryptionCLI {
    public static void main(final String[] args) throws Exception {

        final JasyptStatelessService service = new JasyptStatelessService();
        // Base64 output of an earlier PBEWITHHMACSHA512ANDAES_128 encryption with password "secret"
        String input = "P/25Hp3CKdFj7pz85eJyHETugwX5ZxWEF7PpzJ/fBGI=";

        final String result =
            service.decrypt(
                    input,
                    "secret",                              // password
                    null, null,                            // password env var / system property name
                    "PBEWITHHMACSHA512ANDAES_128",         // algorithm
                    null, null,                            // algorithm env var / system property name
                    "1000",                                // keyObtentionIterations (the CLI default)
                    null, null,                            // iterations env var / system property name
                    "org.jasypt.salt.RandomSaltGenerator", // saltGeneratorClassName
                    null, null,                            // salt generator env var / system property name
                    "SunJCE",                              // providerName
                    null, null,                            // provider name env var / system property name
                    null,                                  // providerClassName (ArgumentNaming.ARG_PROVIDER_CLASS_NAME in the CLI)
                    null, null,                            // provider class env var / system property name
                    null,                                  // stringOutputType (ArgumentNaming.ARG_STRING_OUTPUT_TYPE in the CLI)
                    null, null);                           // output type env var / system property name

        System.out.println(result);
    }
}

This class produces the same behaviour as JasyptPBEStringDecryptionCLI: it works for the same algorithms listed above and fails on the stronger ones. Here is the short error stack trace:

Exception in thread "main" org.jasypt.exceptions.EncryptionOperationNotPossibleException
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1055)
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:725)
    at org.jasypt.intf.service.JasyptStatelessService.decrypt(JasyptStatelessService.java:595)
    at com.example.HelloWorldApiUbuntu.TestingJasyptStringDecryptionCLI.main(TestingJasyptStringDecryptionCLI.java:12)

I know the problem is with jasypt and not my Java because I ran this code to test encryption-decryption on my local machine with stronger algorithms and it works perfectly.

Edit 2: I also tried the solution given at https://github.com/melloware/jasypt, it gives me the same result.

prakasht
  • Three days? Oh, in that case you've stepped through `JasyptPBEStringDecryptionCLI ` and have a full stacktrace ready for us, right? – Maarten Bodewes Jul 19 '19 at 23:33
  • 1
    @MaartenBodewes Do note that Jasypt has the irritating "security feature" of constantly swallowing stack traces and returning frustratingly opaque errors. – chrylis -cautiouslyoptimistic- Jul 19 '19 at 23:51
  • @MaartenBodewes I've added the stacktrace, but as chrylis pointed out, I doubt it will be of much help – prakasht Jul 20 '19 at 05:40
  • 3
    Ugh, encryption not possible exception on *decryption*. I hate code that is conceptually not even reasonable. Anyway, these are exceptions that happen if the input is considered too small. Maybe it is a good idea to file a bug report, but be sure that you use the latest version of the code if you do (and list that version). – Maarten Bodewes Jul 20 '19 at 08:36
  • So you're implying that this is a bug in jasypt library and there's nothing I can do right now to make my code work for all algorithms? – prakasht Jul 20 '19 at 09:28
  • 1
    This is probably a bug in Jasypt 1.9.2 that has been fixed in Jasypt 1.9.3, see [ChangeLog](http://www.jasypt.org/changelogs/jasypt/ChangeLog.txt), 1.9.3 Fixed #32. Note that the signatures of the `encrypt`- and `decrypt`-method have changed in version 1.9.3 (three additional parameters), see docs in [jasypt 1.9.2](https://repo1.maven.org/maven2/org/jasypt/jasypt/1.9.2/) und [jasypt 1.9.3](https://repo1.maven.org/maven2/org/jasypt/jasypt/1.9.3/). – Topaco Jul 20 '19 at 14:57
  • @Topaco Thanks a lot good sir, this instantly solved my problem. Foolish me!!!!!!! – prakasht Jul 20 '19 at 18:33
  • @prakasht If it is working for all algorithms, can you share one sample command for JasyptPBEStringDecryptionCLI. I was stuck here and had a same problem like you. – Prakash Sep 09 '20 at 14:41
  • @Topaco For me JasyptPBEStringDecryptionCLI is only working for PBEWITHMD5ANDDES algorithm, but not working for PBEWithMD5AndTripleDES. I refer the documentation that shared in above command, but not able to find solution. You said like (three additional parameters). What three additional parameters need to pass to make this work for PBEWithMD5AndTripleDES algorithm. – Prakash Sep 10 '20 at 03:49
  • @Prakash - Please ask a new question, describe the problem and provide any information you think might help to solve it. In general, a comment is not enough, and this question already has too many comments anyway. You can reference this answer in your new question if necessary. – Topaco Sep 10 '20 at 06:26
  • @Prakash Increasing the version enabled me to use stronger algorithms. You can check for few things your case: 1. Check for JCE Unlimited strength 2. Use the extra params provided in new version. An example: `java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.3/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input=Text-to-be-encrypted password=Encryption-password algorithm=PBEWithHMACSHA256AndAES_256 ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator` As @Topaco said, it's probably better to ask a new question – prakasht Sep 10 '20 at 19:42
  • @prakasht Thanks. It is working for me. – Prakash Sep 11 '20 at 12:34
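The "Operation not possible" message above hides a plain JCE exception. The following is an added example, not code from the question, the answers or the Jasypt project; it uses javax.crypto alone to do what Jasypt 1.9.2 does for every PBE algorithm: derive a password-only key with the algorithm's SecretKeyFactory and pass just the salt and iteration count to Cipher.init. For the PBES1 algorithms (MD5/SHA1 with DES, RC2, RC4) the IV is derived from the password and salt, so that is enough. For the PBEWithHmacSHA*AndAES_* algorithms the SunJCE provider generates a random IV at encryption time, and a decrypt that does not supply that IV is rejected. The question's 44-character Base64 output is 32 bytes, a 16-byte salt plus one 16-byte AES block and no IV, which is why no password can ever decrypt it. The class name, the 16-byte salt (Jasypt sizes the salt to the cipher block size) and the salt || iv || ciphertext layout at the end are the example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** Added example (not Jasypt code): why PBEWithHmacSHA*AndAES_* needs the IV carried with the ciphertext. */
public class PbeAesIvDemo {

    static final String ALGORITHM = "PBEWithHmacSHA256AndAES_256"; // every failing algorithm in the question behaves alike
    static final int ITERATIONS = 1000;   // Jasypt's default keyObtentionIterations
    static final int SALT_BYTES = 16;     // assumption mirroring Jasypt: salt size = cipher block size
    static final SecureRandom RNG = new SecureRandom();

    /** Password-only key, exactly what Jasypt hands to Cipher.init; salt and iterations come later. */
    static SecretKey passwordKey(char[] password) throws Exception {
        return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(new PBEKeySpec(password));
    }

    /** Encrypt as Jasypt 1.9.2 does (salt and iterations only) and return {salt, iv, ciphertext}. */
    static byte[][] encryptLike192(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, passwordKey(password), new PBEParameterSpec(salt, ITERATIONS));
        byte[] ciphertext = cipher.doFinal(plaintext);
        // The provider chose this IV on its own. 1.9.2 stores only the salt, so the IV is lost.
        return new byte[][] { salt, cipher.getIV(), ciphertext };
    }

    /** 1.9.2's decrypt path: the same parameters as on encryption, without an IV. */
    static byte[] decryptWithoutIv(char[] password, byte[] salt, byte[] ciphertext) throws Exception {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, passwordKey(password), new PBEParameterSpec(salt, ITERATIONS));
        return cipher.doFinal(ciphertext);
    }

    /** Decrypt with the IV handed over inside the PBEParameterSpec, which is what an IV generator enables. */
    static byte[] decryptWithIv(char[] password, byte[] salt, byte[] iv, byte[] ciphertext) throws Exception {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, passwordKey(password),
                new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        return cipher.doFinal(ciphertext);
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "secret".toCharArray();
        byte[] plaintext = "encryptThis".getBytes(StandardCharsets.UTF_8);

        byte[][] parts = encryptLike192(password, plaintext);
        byte[] salt = parts[0], iv = parts[1], ciphertext = parts[2];

        // 1.9.2's stored form: salt || ciphertext, 32 bytes, the shape of the 44-character string in the question.
        System.out.println("1.9.2-style output: " + Base64.getEncoder().encodeToString(concat(salt, ciphertext)));

        try {
            decryptWithoutIv(password, salt, ciphertext);
            System.out.println("unexpected: decrypted without an IV");
        } catch (InvalidAlgorithmParameterException e) {
            // This is the exception Jasypt swallows and reports as "Operation not possible".
            System.out.println("decrypt without IV: " + e.getMessage());
        }

        // Keep the IV next to the salt (example layout: salt || iv || ciphertext) and the round trip works.
        byte[] stored = concat(concat(salt, iv), ciphertext);
        byte[] salt2 = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        byte[] iv2 = Arrays.copyOfRange(stored, SALT_BYTES, SALT_BYTES + iv.length);
        byte[] ct2 = Arrays.copyOfRange(stored, SALT_BYTES + iv.length, stored.length);
        System.out.println("with IV: " + new String(decryptWithIv(password, salt2, iv2, ct2), StandardCharsets.UTF_8));
    }
}
```

Run it with any Java 8 or later JDK; no Jasypt jar is needed. The first decrypt attempt is expected to report an InvalidAlgorithmParameterException complaining about a missing IV parameter, which is the real cause behind the CLI's opaque error; the second prints encryptThis. Note that the IV does not need to be secret, only to be stored, so prepending it to the ciphertext (as the answer's 1.9.3 output, 48 bytes for the same plaintext, does) is the standard remedy.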

2 Answers

3

It works with Jasypt 1.9.3 with additional parameter ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator

Encryption:

java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.3/jasypt-1.9.3.jar  org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI password=secret algorithm=PBEWITHHMACSHA1ANDAES_128 input=encryptThis ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator

Decryption:

java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.3/jasypt-1.9.3.jar  org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI password=secret algorithm=PBEWITHHMACSHA1ANDAES_128 input=j5oaiHBv5RB8MOxQekM/b/AMWxgOCmgB91X/ObBpyA0lr57z7ecrcVGZN0LtcFan ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator
Sujith Nair
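The answer shows the fix only through the CLI. The following added example (not the answer's or the Jasypt project's own code) applies the same settings programmatically with Jasypt 1.9.3: the CLI's ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator corresponds to setIvGenerator(new RandomIvGenerator()) on a StandardPBEStringEncryptor. Decryption uses a fresh encryptor instance so that, as in the CLI where encryption and decryption run in separate JVMs, the salt and IV must be recovered from the ciphertext itself. The class name and the choice of three algorithms from the question's failing list are the example's own.

```java
import java.util.Base64;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

/** Added example (not Jasypt code): programmatic equivalent of the 1.9.3 CLI call above. */
public class JasyptAesRoundTrip {

    /** The settings the CLI derives from password=, algorithm= and ivGeneratorClassName=. */
    static StandardPBEStringEncryptor newEncryptor(String algorithm, String password) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setAlgorithm(algorithm);
        encryptor.setPassword(password);
        encryptor.setKeyObtentionIterations(1000);          // the CLI default
        encryptor.setIvGenerator(new RandomIvGenerator());   // ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator
        return encryptor;
    }

    public static void main(String[] args) {
        // Three of the algorithms that failed in the question (example selection)
        String[] algorithms = {
            "PBEWITHHMACSHA1ANDAES_128", "PBEWITHHMACSHA256ANDAES_256", "PBEWITHHMACSHA512ANDAES_256"
        };
        for (String algorithm : algorithms) {
            String ciphertext = newEncryptor(algorithm, "secret").encrypt("encryptThis");
            // A separate instance knows nothing about the salt or IV used above; both must travel in the ciphertext.
            String plaintext = newEncryptor(algorithm, "secret").decrypt(ciphertext);
            // MIME decoder in case the Base64 output is line-wrapped
            int rawLength = Base64.getMimeDecoder().decode(ciphertext).length;
            System.out.printf("%-28s %d raw bytes, round trip %s%n",
                    algorithm, rawLength, "encryptThis".equals(plaintext) ? "ok" : "FAILED");
        }
    }
}
```

Compile and run with jasypt-1.9.3.jar on the classpath. Each line should report the round trip as ok with 48 raw bytes (16-byte salt, 16-byte IV, one AES block), the same length as the 64-character Base64 string in the answer's decryption command. Leaving out the setIvGenerator call is the programmatic equivalent of running the 1.9.3 CLI without ivGeneratorClassName.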
0

This is a bug in jasypt. It was fixed with this patch. See this link too. I fixed my similar problem with this patch and the version 1.9.4 CLI.