2

I needed to encrypt a string to AES/CBC. In order to be able to uncrypt it later I have to store the IV in the final result which must be a base64 string.

I manage to do that using this answer and the Crypto++ samples : 

std::string String::AESEncryptString(std::string str, std::string key)
{
    std::string encoded;
    std::string b64Result = "";

    AutoSeededRandomPool prng;

    unsigned char iv[AES::BLOCKSIZE];
    prng.GenerateBlock(iv, sizeof(iv));

    StringSink output(encoded);

    // Put the IV at the begining of the output
    StringSource(iv, sizeof(iv), true,
        new Redirector(output)
    );

    try {
        CBC_Mode<AES>::Encryption encryptor((unsigned char *)key.c_str(), key.length(), iv);

        StringSource s(str, true, 
            new StreamTransformationFilter(encryptor, 
                new Redirector(output), StreamTransformationFilter::PKCS_PADDING
            )
        );

        // Convert to b64
        StringSource (encoded, true,
            new Base64Encoder(
                new StringSink(b64Result),
                false // do not append a newline
            )
        );

        return b64Result;
    } catch (const Exception& e) {
        return "";
    }
}

To decrypt the base64 string I extract the IV first then decrypt the rest of the datas : 

std::string String::AESDecryptString(std::string str, std::string key)
{
    unsigned char iv[AES::BLOCKSIZE];

    std::string b64decoded;
    std::string decoded;

    try {
        StringSource(str, true,
            new Base64Decoder(
                new StringSink(b64decoded)
            )
        );

        StringSource ss(b64decoded, false);

        // Get the IV
        ArraySink ivSink(iv, sizeof(iv));
        ss.Attach(new Redirector(ivSink));
        ss.Pump(AES::BLOCKSIZE);


        CBC_Mode<AES>::Decryption decryptor((unsigned char *)key.c_str(), key.length(), iv);


        ByteQueue queue;
        ss.Detach(
            new StreamTransformationFilter(decryptor,
                new Redirector(queue)
            )
        );
        ss.PumpAll(); // Pump remainder bytes

        StringSink decodedSink(decoded);
        queue.TransferTo(decodedSink);
        return decoded;
    }
    catch (const Exception& e) {
        return "";
    }
}

Everything is working fine, but as I'm just discovering Crypto++ and the pipelining paradigm, I feel that I may have done too many steps to achieve what I want.

Is there more concise or more efficient way of doing that ?

jww
  • 97,681
  • 90
  • 411
  • 885
grunk
  • 14,718
  • 15
  • 67
  • 108
  • 1
    I think that's about the best you can do. You can wrap it in a class if you'd like, but it is just moving the work around. For an example of wrapping it in a class, see the `DefaultEncryptor` and `DefaultEncryptorWithMAC` classes. The classes place seed material in the front of the data, and then derive a key and IV from the seed. (A password is also used during derivation, but the seed needs to be persisted). – jww Oct 17 '19 at 00:38

2 Answers2

1

Create an anchor class for chaining. Following this

#include <iostream>
#include <string>
#include <cstdlib>
#include <cryptopp/osrng.h>
#include <cryptopp/base64.h>
#include <cryptopp/aes.h>
#include <cryptopp/filters.h>
#include <cryptopp/modes.h>
#include <cryptopp/cryptlib.h>

#ifndef CRYPTOPP_NO_GLOBAL_BYTE
namespace CryptoPP { typedef unsigned char byte; }
#endif  // CRYPTOPP_NO_GLOBAL_BYTE

const std::string seckey = "this-has-16-char";

class Anchor : public CryptoPP::Bufferless<CryptoPP::Filter>
{
public:
    Anchor(CryptoPP::BufferedTransformation* attachment = NULL) { Detach(attachment); };
    size_t Put2(const CryptoPP::byte * inString, size_t length, int messageEnd, bool blocking )
    {
        return AttachedTransformation()->Put2(inString, length, messageEnd, blocking );
    }
};

/**
* Encode : return encoded
*
*/
bool Encode(const std::string& input, std::string& output)
{
    if (seckey.length()!=CryptoPP::AES::DEFAULT_KEYLENGTH) return false;
    unsigned char iv[CryptoPP::AES::BLOCKSIZE];
    // CryptoPP::AutoSeededRandomPool prng;
    // prng.GenerateBlock(iv, sizeof(iv));
    memcpy(iv, "this-also-has-16", CryptoPP::AES::BLOCKSIZE);
    output.clear();

    try {

        Anchor anchor;

        // Put the IV at the begining of the output
        anchor.Attach(new CryptoPP::StringSink(output));
        anchor.Put( iv, sizeof(iv) );
        anchor.MessageEnd();
        anchor.Detach();

        CryptoPP::CBC_Mode<CryptoPP::AES>::Encryption encryptor((unsigned char *)seckey.c_str(), seckey.length(), iv);
        anchor.Attach(new CryptoPP::StreamTransformationFilter(encryptor,NULL, CryptoPP::StreamTransformationFilter::PKCS_PADDING));
        anchor.Attach(new CryptoPP::Base64Encoder(NULL, false));
        anchor.Attach(new CryptoPP::StringSink(output));

        anchor.Put( (CryptoPP::byte*)input.c_str(), input.length() );
        anchor.MessageEnd();
    }
    catch (const CryptoPP::Exception& e) {
        return false;
    }
    return true;
}

/**
* Decode : return decoded
*
*/
bool Decode(const std::string& input, std::string& output)
{
    if (seckey.length()!=CryptoPP::AES::DEFAULT_KEYLENGTH) return false;
    if (input.length()<=CryptoPP::AES::BLOCKSIZE) return false; // no iv
    unsigned char iv[CryptoPP::AES::BLOCKSIZE];
    memcpy(iv, input.c_str(), CryptoPP::AES::BLOCKSIZE);

    try {
        // Convert from b64 and decode
        CryptoPP::CBC_Mode<CryptoPP::AES>::Decryption decryptor((unsigned char *)seckey.c_str(), seckey.length(), iv);

        Anchor anchor;
        anchor.Attach(new CryptoPP::Base64Decoder());
        anchor.Attach(new CryptoPP::StreamTransformationFilter( decryptor, NULL));
        anchor.Attach(new CryptoPP::StringSink(output));

        anchor.Put( (const CryptoPP::byte*)&input[CryptoPP::AES::BLOCKSIZE], input.length()-CryptoPP::AES::BLOCKSIZE );
        anchor.MessageEnd();

    }
    catch (const CryptoPP::Exception& e) {
        return false;
    }
    return true;
}

int main()
{

    std::string input = "The five boxing wizards jump quickly.";
    std::string output;
    bool status = Encode(input,output);
    if (status) std::cerr << "Encoded: " << output << std::endl;
    input.clear();
    status = Decode(output,input);
    if (status) std::cerr << "Decoded: " << input << std::endl;

}
SRC
  • 435
  • 4
  • 5
1

You can combine those two steps into one StringSource call:

StringSource s(str, true, 
  new StreamTransformationFilter(
    encryptor, 
    new Base64Encoder(
      new StringSink(b64Result),
      false // do not append a newline
    ),
    StreamTransformationFilter::PKCS_PADDING
  )
);

StringSource s(
  str, true,
  new Base64Decoder(
    new StreamTransformationFilter(decryptor, new StringSink(decoded))
  )
);
xhh
  • 4,002
  • 2
  • 21
  • 17