1

My code:

```php
<?php

$a = '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';

echo strlen(base64_decode($a)) . "\n\n";
echo strlen(sodium_base642bin($a, SODIUM_BASE64_VARIANT_ORIGINAL_NO_PADDING));
```

base64_decode decodes that string just fine but sodium_base642bin fails, regardless of what the $id parameter is (SODIUM_BASE64_VARIANT_ORIGINAL, SODIUM_BASE64_VARIANT_ORIGINAL_NO_PADDING, SODIUM_BASE64_VARIANT_URLSAFE and SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING). More specifically, sodium_base642bin throws the following (useless) exception:

Fatal error: Uncaught SodiumException: sodium_base642bin(): Argument #1 ($string) must be a valid base64 string

Any ideas?

neubert
  • 1
    What is the output of your echo statement? – Mike Stratton Aug 19 '22 at 05:10
  • @MikeStratton - the first echo statement gives 1491 as the output. The second one throws an exception. – neubert Aug 19 '22 at 05:18
  • @MikeStratton - see https://php.net/sodium-base642bin . If you want further assistance installing libsodium I recommend you post a new SO question – neubert Aug 19 '22 at 05:23
  • 1
    Interesting question, to say the least. Thanks for sharing. – Mike Stratton Aug 19 '22 at 05:40
  • 1
    This is most likely due to filtering done by the `base64_decode` method. If you look at the [PHP docs](https://www.php.net/manual/en/function.base64-decode.php) you can see that `strict` defaults to `false` which will filter out non-base64 characters (see: sanitise). If you set the second argument to `true`, your first string will return `false`. – Rylee Aug 19 '22 at 05:42
  • @Rylee - if there was an invalid character I'd expect https://base64.guru/tools/validator to identify that invalid character. If I add a `&` to the middle of the string I get a `The following characters are not suitable for the specified standard: &` from that tool. So what's wrong with the base64 string I'm trying to decode? If it's an invalid character then what is it? – neubert Aug 19 '22 at 05:49

1 Answer

3

As stated in a comment by @Rylee, your base64 string is malformed. Since base64_decode tends to ignore some errors by working in non-strict mode by default, it doesn't fail. But by setting the strict parameter to true, the function will return false.

To check what's going wrong, you can use a tool like this base64 validator; it will say that it's invalid, and even offer to repair it.

Once repaired, if you diff char by char the result with your encoded string, you find out that the last character S must be removed in order to get a fully valid base64 encoded string.

Jordan Breton
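The failure mode from this thread, reproduced as an added example that is not part of the original question or answer: a valid base64 string with one stray trailing character decodes under non-strict `base64_decode` but is refused by strict mode and by `sodium_base642bin`. The helper name `base64_diagnose()` is hypothetical, the sample strings are constructed, and the checks assume the standard alphabet with optional `=` padding.

```php
<?php
// Added example, not the poster's code. $valid/$broken are constructed samples;
// base64_diagnose() is a hypothetical helper name.

/** Reasons a strict decoder would reject $s (empty array = well-formed). */
function base64_diagnose(string $s): array
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    $body = rtrim($s, '=');
    $pad  = strlen($s) - strlen($body);
    // 1. Bytes outside the standard alphabet; non-strict base64_decode() skips them.
    if (preg_match_all('~[^A-Za-z0-9+/]~', $body, $m, PREG_OFFSET_CAPTURE)) {
        return array_map(
            fn($hit) => sprintf('invalid byte 0x%02x at offset %d', ord($hit[0]), $hit[1]),
            $m[0]
        );
    }
    // 2. A last group of one character holds only 6 bits, so it cannot encode a byte.
    $rem = strlen($body) % 4;
    if ($rem === 1) {
        return [sprintf('dangling character "%s" at offset %d', $body[-1], strlen($body) - 1)];
    }
    $issues = [];
    // 3. Padding, when present, must complete the last group exactly.
    if ($pad > 0 && $pad !== (4 - $rem) % 4) {
        $issues[] = "wrong padding length ($pad)";
    }
    // 4. Leftover low bits of the last character must be zero (canonical form).
    if ($rem !== 0 && (strpos($alphabet, $body[-1]) & ($rem === 2 ? 0x0f : 0x03))) {
        $issues[] = 'non-zero trailing bits in last character';
    }
    return $issues;
}

$valid  = base64_encode(str_repeat('*', 9)); // constructed: 9 bytes, 12 characters
$broken = $valid . 'S';                      // constructed: one stray trailing character

var_dump(strlen(base64_decode($broken)));    // non-strict: stray character is dropped
var_dump(base64_decode($broken, true));      // strict: decoding is refused
print_r(base64_diagnose($broken));

if (function_exists('sodium_base642bin')) {
    try {
        sodium_base642bin($broken, SODIUM_BASE64_VARIANT_ORIGINAL);
    } catch (SodiumException $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
    var_dump(strlen(sodium_base642bin($valid, SODIUM_BASE64_VARIANT_ORIGINAL)));
}
```

When decoding untrusted input such as tokens or keys, prefer `base64_decode($s, true)` or `sodium_base642bin` so that malformed data is rejected instead of being silently truncated.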