0

I am experiencing an issue when decrypting a string using sunjce :

javax.crypto.Cipher cipher =
      javax.crypto.Cipher.getInstance("AES/GCM/NoPadding", new BouncyCastleProvider());
  GCMParameterSpec spec = new GCMParameterSpec(Constants.GCM_TAG_BYTES * 8, nonce);
  cipher.init(javax.crypto.Cipher.DECRYPT_MODE, dataKey, spec);

  cipher.update(ciphertext);
  
  return cipher.doFinal();

if I pass the whole ciphertext to doFinal it works correctly but if I call it correctly it only returns partial string. FOr instance for the input

String jsonExample = "{\"dataType\":\"STRING\",\"strValue\":\"000000\"}";

The decrypted bytes only contain "000000" but if I use

return cipher.doFinal(ciphertext);

and remove the update so it correctly prints the original string. What might be the reason? if I pass an empty byte array to doFinal after the update it also results in the same data loss. I want to know the logic behind it, it passes for small texts but for texts of this size it simply does not work.

this is my input

String jsonExample = "{\"dataType\":\"STRING\",\"strValue\":\"000000\"}";

This is how I am printing the decrypted string

String decryptedString = new String(decrypted, StandardCharsets.UTF_8);

This is how I am passing the input string as bytes to the encrypt function

text = jsonExample.getBytes(StandardCharsets.UTF_8)

this is how I am calling encrypt

GCMParameterSpec spec = new GCMParameterSpec(Constants.GCM_TAG_BYTES * 8, nonce);
try {
  cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, dek, spec);
  byte[] ciphertext = cipher.doFinal(text);

When I use cipher.update(ciphertext) during decryption followed by cipher.doFinal() or cipher.doFInal(new byte[0]) it only returns

"000000" after I use the returned byte[] to String decryptedString = new String(decrypted, StandardCharsets.UTF_8);

But if I directly call cipher.doFInal(cipherText) during decryption the result string I get is the original string.

P basak
  • 4,874
  • 11
  • 40
  • 63
  • What is your actual problem? What is the output you wanted vs. what you actually got. How are you 'printing' these outputs? Make a self-contained example. The accompanying text is not at all clear. A self-contained example bridges over almost all problems with explaining it. – rzwitserloot Feb 01 '23 at 00:13
  • It's clearer now, but the effect you observe is not possible. Most likely something unrelated to what you describe is going on. A self-contained example would be a good idea here. – rzwitserloot Feb 01 '23 at 01:52
  • And for some reason, it only happens in our production, same code. Do you suspect any environmental variables? – P basak Feb 01 '23 at 02:01
  • 1
    it works for me. But you have little tiny confusing snippets. A complete [mre] would not take much more space. – President James K. Polk Feb 01 '23 at 02:04

1 Answers1

0

You're not using SunJCE, you're using the BouncyCastle provider. (You are using the Sun/Oracle API -- JCA, Java Crypto Architecture -- if that's what you meant to say, but not the provider SunJCE.)

Most Ciphers in JCA return partial data from each or any update call (in either encrypt or decrypt direction), thus in general if you use update you must concatenate that value (or those values if multiple calls) plus any value returned from doFinal before using the result for anything that needs it to be complete, such as decoding UTF8. (Typically the easiest way is to .write them all to a ByteArrayOutputStream, or .put them all to a ByteBuffer, but there are other options.) However the SunJCE provider does NOT do this for GCM, in the decryption direction only, apparently because the spec (SP800-38D) calls for the plaintext not to be released if the authentication fails, which can only be determined at .doFinal time, and then it returns all the plaintext.

The Bouncy provider does 'stream' GCM decryption, arguably in violation of the spec but consistent with usual and traditional JCA behavior, so most of the data is returned from the update call with only the last few bytes from doFinal and you need to concatenate these as above -- or, as you've found, just don't use update at all: if the data all fit in one buffer when encrypting, it should also fit when decrypting.

The Bouncy provider must buffer an amount of data equal to the tag so that it can remove and verify said tag; the "small texts" where your code works -- because decrypt .update returns nothing -- will be ones up to but not exceeding your tag size, which is apparently 8 bytes.

dave_thompson_085
  • 34,712
  • 6
  • 50
  • 70
  • I used sun jce too same output. – P basak Feb 01 '23 at 04:31
  • Actually i used sun jce before and update returned an empty array. And my ciphertext already contains the tag. I am sending an empty byte array to diFinal. But this makes the doFinal return value truncated. Is this a bug? – P basak Feb 01 '23 at 06:48
  • Your comments conflict. SunJCE returns _empty_ on update and _everything_ on doFinal; this is NOT the same as Bouncy which returns most of the data on update and only the last part on doFinal. I explained both of these. Calling doFinal with an empty byte-array is exactly the same as calling with no argument at all; I didn't distinguish these because they don't need to be distinguished. What does need to be distinguished is the provider. – dave_thompson_085 Feb 05 '23 at 11:18