2

I have an encrypt and a decrypt function for aes256cbc (with PAD_PKCS5) in PL/SQL which seems to work fine.

DECLARE
   -- https://docs.oracle.com/database/121/ARPLS/d_crypto.htm#ARPLS65690
   input_string      CLOB := 'Secret Message';
   output_string     CLOB;
   encrypted_raw     RAW (2000);
   decrypted_raw     RAW (2000);
   iv_raw            RAW (16);
   encryption_type   PLS_INTEGER
      :=   DBMS_CRYPTO.ENCRYPT_AES256
         + DBMS_CRYPTO.CHAIN_CBC
         + DBMS_CRYPTO.PAD_PKCS5;

   FUNCTION getBase64StringOfRaw (s IN RAW)
      RETURN VARCHAR
   IS
      l_output   VARCHAR (4000);
   BEGIN
      SELECT UTL_RAW.cast_to_varchar2 (UTL_ENCODE.base64_encode (s))
        INTO l_output
        FROM DUAL;

      RETURN l_output;
   END;

   FUNCTION getRawOfBase64String (s IN VARCHAR)
      RETURN RAW
   IS
      l_output   RAW (4000);
   BEGIN
      SELECT UTL_ENCODE.base64_decode (RAWTOHEX (s)) INTO l_output FROM DUAL;

      RETURN l_output;
   END;
BEGIN
   DBMS_OUTPUT.PUT_LINE ('Original string: ' || input_string);

   iv_raw := DBMS_CRYPTO.RANDOMBYTES (16);

   encrypted_raw :=
      DBMS_CRYPTO.ENCRYPT (
         src   => UTL_I18N.STRING_TO_RAW (input_string, 'AL32UTF8'),
         typ   => encryption_type,
         key   => UTL_I18N.STRING_TO_RAW ('000102030405060708090a0b0c0d0e0f', -- key length 256 bits (32 bytes)
                                          'AL32UTF8'),
         iv    => iv_raw);

   DBMS_OUTPUT.PUT_LINE ('iv_raw:        ' || iv_raw);
   DBMS_OUTPUT.PUT_LINE ('iv_base64 hex: ' || UTL_ENCODE.base64_encode (iv_raw));
   DBMS_OUTPUT.PUT_LINE ('iv_base64 str: ' || getBase64StringOfRaw (iv_raw));

   DBMS_OUTPUT.PUT_LINE ('encrypted_raw:        ' || encrypted_raw);
   DBMS_OUTPUT.PUT_LINE ('encrypted_base64 hex: ' || UTL_ENCODE.base64_encode (encrypted_raw));
   DBMS_OUTPUT.PUT_LINE ('encrypted_base64 str: ' || getBase64StringOfRaw (encrypted_raw));


   -- Decrypt
   decrypted_raw :=
      DBMS_CRYPTO.DECRYPT (
         src   => encrypted_raw,
         typ   => encryption_type,
         key   => UTL_I18N.STRING_TO_RAW ('000102030405060708090a0b0c0d0e0f', -- key length 256 bits (32 bytes)
                                          'AL32UTF8'),
         iv    => iv_raw);

   output_string := UTL_I18N.RAW_TO_CHAR (decrypted_raw, 'AL32UTF8');
   DBMS_OUTPUT.PUT_LINE ('Decrypted string: ' || output_string);
END;

But if i want to decrypt the base64 String in Java, i run into problems.

Mainly I just take the base64 strings (init-Vector and the encrypted string itself) and the encryption key from above and put it into Java. In the Java code below I just try to convert the base64 string back into binary (see function base64StringToByteArray) and use them for decryption.

See the output I get below, too.

import java.io.UnsupportedEncodingException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.bouncycastle.crypto.DataLengthException;
import org.bouncycastle.crypto.InvalidCipherTextException;

public class TEST2 {

    private static final String encryptedStringStringBase64 = "tbk4CwUgpNCzhhJMnoY4yg==";
    private static final String key = "000102030405060708090a0b0c0d0e0f";
    private static final String initVector = "UuwLncc76wWYpMRGeJQ6Sw==";

    public static void main(String[] args) throws DataLengthException, InvalidCipherTextException, UnsupportedEncodingException {

        System.out.println("Decrypted Text:\t" + decrypt(encryptedStringStringBase64));

    }


    // https://stackoverflow.com/questions/51999575/how-to-decrypt-aes-256-cbc-in-java
    public static String decrypt(String encrypted) {
        try {
            System.out.println("initVector:\t" + base64StringToByteArray(initVector));
            System.out.println("cipher:\t\t" + base64StringToByteArray(encrypted));
            IvParameterSpec iv = new IvParameterSpec(DatatypeConverter.parseHexBinary(base64StringToByteArray(initVector)));
            SecretKeySpec skeySpec = new SecretKeySpec(DatatypeConverter.parseHexBinary(key), "AES");

            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
            byte[] original = cipher.doFinal(DatatypeConverter.parseHexBinary(base64StringToByteArray(encrypted)));

            return new String(original, "UTF-8");
        } catch (Exception ex) {
            ex.printStackTrace();
        }

        return null;
    }

    public static String base64StringToByteArray(String base64String) throws UnsupportedEncodingException
    {
        byte[] byteArray = Base64.getDecoder().decode(base64String.getBytes("UTF-8"));
        return DatatypeConverter.printHexBinary(byteArray);
    }

}

This is the Java output:

initVector: 52EC0B9DC73BEB0598A4C44678943A4B
cipher:     B5B9380B0520A4D0B386124C9E8638CA
Decrypted Text: a???D?OhGf??

I guess I have some character encoding problems in Java. Or even in PL/SQL? Or did I some stupid things in Java?

I appreciate any help. :)

Java Version: 1.8.0_221, Oracle: 12c (12.2.0.1.0)

bob
  • 21
  • 1

1 Answers1

0

According to the PL/SQL-code, the key isn't used as a 16 byte key (corresponding to AES-128), but as a 32 byte key (corresponding to AES-256). For the Java-code to be functionally identical, the line 

SecretKeySpec skeySpec = new SecretKeySpec(DatatypeConverter.parseHexBinary(key), "AES");

would have to be replaced by 

SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");

in the decrypt-methode.

In addition, the expression 

DatatypeConverter.parseHexBinary(base64StringToByteArray(<xxx>))

seems to provide only a Base64-decoding, so that it could be replaced by 

Base64.getUrlDecoder().decode(<xxx>)

Of course, the last point doesn't produce a wrong result, but is unnecessary and only reduces performance.

With these changes, the output is:

Decrypted Text: Secret Medssage
Topaco
  • 40,594
  • 4
  • 35
  • 62