Menu
▾
▴
1 Attachments
#32 encryption works but decryption does not, Java 8 (JCE jars installed).
For the following PBE algorithms decryption is not working throwing org.jasypt.exceptions.EncryptionOperationNotPossibleException:
PBEWITHHMACSHA1ANDAES_128 PBEWITHHMACSHA1ANDAES_256 PBEWITHHMACSHA224ANDAES_128 PBEWITHHMACSHA224ANDAES_256 PBEWITHHMACSHA256ANDAES_128 PBEWITHHMACSHA256ANDAES_256 PBEWITHHMACSHA384ANDAES_128 PBEWITHHMACSHA384ANDAES_256 PBEWITHHMACSHA512ANDAES_128 PBEWITHHMACSHA512ANDAES_256
Tested on:
1. Oracle JDK (1.8.0_05) on Debian 3.2.54-2 x86_64
2. Oracle JDK (1.8.0) on Mac OS X 10.9.4 (13E28)
The output for the simple tests (code is below and in the attachment):
A. Without JCE jars installed:
-------------------------------------------------------------------------------- Version: 1.8.0, max key length: 128 (JCE: NO) -------------------------------------------------------------------------------- Algorithm Result -------------------------------------------------------------------------------- PBEWITHHMACSHA1ANDAES_128 NOT_POSSIBLE_DECRYPT PBEWITHHMACSHA1ANDAES_256 NOT_POSSIBLE PBEWITHHMACSHA224ANDAES_128 NOT_POSSIBLE_DECRYPT PBEWITHHMACSHA224ANDAES_256 NOT_POSSIBLE PBEWITHHMACSHA256ANDAES_128 NOT_POSSIBLE_DECRYPT PBEWITHHMACSHA256ANDAES_256 NOT_POSSIBLE PBEWITHHMACSHA384ANDAES_128 NOT_POSSIBLE_DECRYPT PBEWITHHMACSHA384ANDAES_256 NOT_POSSIBLE PBEWITHHMACSHA512ANDAES_128 NOT_POSSIBLE_DECRYPT PBEWITHHMACSHA512ANDAES_256 NOT_POSSIBLE PBEWITHMD5ANDDES OK PBEWITHMD5ANDTRIPLEDES NOT_POSSIBLE PBEWITHSHA1ANDDESEDE OK PBEWITHSHA1ANDRC2_128 OK PBEWITHSHA1ANDRC2_40 OK PBEWITHSHA1ANDRC4_128 OK PBEWITHSHA1ANDRC4_40 OK --------------------------------------------------------------------------------
B. With JCE jars installed:
Version: 1.8.0, max key length: 2147483647 (JCE: YES)
Algorithm Result
PBEWITHHMACSHA1ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA1ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA224ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA224ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA256ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA256ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA384ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA384ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA512ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA512ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHMD5ANDDES OK
PBEWITHMD5ANDTRIPLEDES OK
PBEWITHSHA1ANDDESEDE OK
PBEWITHSHA1ANDRC2_128 OK
PBEWITHSHA1ANDRC2_40 OK
PBEWITHSHA1ANDRC4_128 OK
PBEWITHSHA1ANDRC4_40 OK
The code below lists all existing PBE algorithms with AlgorithmRegistry.getAllPBEAlgorithms() and applies a simple test for each algorithm (encrypt and the decrypt with the same StandardPBEStringEncryptor).
package com.nobullet.encryption.test; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.List; import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; import javax.crypto.Cipher; import org.jasypt.encryption.pbe.StandardPBEStringEncryptor; import org.jasypt.registry.AlgorithmRegistry; /** * Main encryption tests. * * @author nobulletnav */ public class Main { static final String DATA = "{json:{userId:'12345678901234567890'}}"; static final Logger logger = Logger.getGlobal(); public static void main(String[] args) { String format = "%s\t%s"; String line = padTo("", '-', 80); int keyLength = getJCEMaxKeyLength(); String jce = keyLength == Integer.MAX_VALUE ? "YES" : "NO"; // Collect test results. Set<String> algorithms = (Set<String>) AlgorithmRegistry.getAllPBEAlgorithms(); List<String> result = new ArrayList<>(); for (String algorithm : algorithms) { AlgoritmTestResult works = testAlgorithm(algorithm); result.add(String.format(format, padTo(algorithm), padTo(works.toString()))); } // Print response. System.out.println(line); System.out.println(String.format("Version: %s, max key length: %d (JCE: %s)", System.getProperty("java.version"), keyLength, jce) + "\n" + line); System.out.println(String.format(format, padTo("Algorithm"), padTo("Result")) + "\n" + line); for (String r : result) { System.out.println(r); } } public static int getJCEMaxKeyLength() { try { return Cipher.getMaxAllowedKeyLength("AES"); } catch (NoSuchAlgorithmException ex) { return -1; } } public static AlgoritmTestResult testAlgorithm(String algorithm) { boolean isEncrypted = false; try { StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor(); encryptor.setPassword("wiu34we233[]weuokw/12340645798/3@#4"); encryptor.setAlgorithm(algorithm); encryptor.setKeyObtentionIterations(1); String encrypted = encryptor.encrypt(DATA); isEncrypted = true; return DATA.equals(encryptor.decrypt(encrypted)) ? AlgoritmTestResult.OK : AlgoritmTestResult.DECRYPT_FAIL; } catch (org.jasypt.exceptions.EncryptionOperationNotPossibleException e) { logger.log(Level.WARNING, "Error while using " + algorithm + " ", e); return isEncrypted ? AlgoritmTestResult.NOT_POSSIBLE_DECRYPT : AlgoritmTestResult.NOT_POSSIBLE; } catch (Exception e) { logger.log(Level.WARNING, "Error while using " + algorithm + " ", e); return AlgoritmTestResult.UNKNOWN; } } public static String padTo(String s) { return padTo(s, 30); } public static String padTo(String s, char c, int length) { if (s.length() < length) { StringBuilder sb = new StringBuilder(s); for (int i = 0; i < length - s.length(); i++) { sb.append(c); } return sb.toString(); } return s; } public static String padTo(String s, int length) { return padTo(s, ' ', length); } public static enum AlgoritmTestResult { OK, DECRYPT_FAIL, NOT_POSSIBLE, NOT_POSSIBLE_DECRYPT, UNKNOWN; } }
Sorry, I can't find the edit button.
B. With JCE jars installed (well formatted):
I found the same thing today. The actual exception gets swallowed though:
java.security.InvalidAlgorithmParameterException: Missing parameter type: IV expected
Hello,
Any plans to fix this bug soon? Looks like easy job - just add new IvParameterSpec config param when initialising/encrypting/decrypting
Also ran into this issue today while looking at Jasypt
@jacoby any chance you can look at this soon? This makes strong encryption difficult on Java 8.
Replicated with jasypt 1.9.2 on Java(TM) SE Runtime Environment (build 1.8.0_60-b27) for OS X, with JCE Unlimited Strength policies installed.
Last edit: outofcoffee 2016-01-24
The attached patch can only be built/used Java >= 8, as the PBEParameterSpec constructor accepting additional AlgorithmParameterSpec appears to have been added in Java8.
Hopefully this helps, in some way.
Any plans to release an update with this fix? If so is there a timeframe? Thanks
Yeah - came across this and looks like fix is simple - explicitely specify IV during both encryption and decryption.
When the new version is planned?
We are working on this and we expect to have a new version soon, hopefully as soon as May.
Thanks for tth update Hoki!
Hoki, Can you offer any refinement on timeframe for a new jasypt release? Thanks!
We expect to release it for the week of May 29.
I took Andrews patch and applied it to jasypt-1.9.3-SNAPSHOT. I was trying to use PBEWithHmacSHA512AndAES_256 algorithm on apache ActiveMQ, which requires an "iv".
Seems Jasypt / Spring has issues with mapping parameters to beans that are not named in camel case. So getIV()/setIV() basically make it impossible to map the values to the PBEConfig object. When I renamed these as getIv()/setIv() then spring was able to map them.
There also seems to be an issue with setting the parameters to the PBEConfig object instead of directly to the StandardPBEStringEncryptor. So I think there is more work needed.
Modified Main.java example using PBEConfig.
I pointed my project at the latest snapshot and it looks like the fix from Mark Williams above isn't included right now. Is there a plan for when this will be included?
I'm also waiting for this patch. We can't you AES with Java 8 right now.
For what it's worth I found that using AES does work with Bouncy Castle. The bug only affects the Java8 built-in JCE. But naturally not everyone wants to use Bouncy Castle.
Right. But we want to use Java 8 support for x86 AES intrinsics built-in in SunJCE provider
Ryan, could you plese elaborate how did you manage to get AES with Bouncy Castle working? I get the same error "Operation not possible (Bad input or parameters)" both with built-in JCE and BC.
I just installed the policy files into my JVM and then configured bouncy castle. I was then able to use the encrypt and decrypt tools provided with jasypt to encryp and then decrypt a string using PBEWITHSHAAND256BITAES-CBC-BC.
I followed these pages for adding the policy extensions:
http://suhothayan.blogspot.co.uk/2012/05/how-to-install-java-cryptography.html
https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1698523.html
Bouncy castle I installed statically by configuring my JRE and JDK using instructions from this page:
http://www.itcsolutions.eu/2011/08/22/how-to-use-bouncy-castle-cryptographic-api-in-netbeans-or-eclipse-for-java-jse-projects/
@Ryan Dawson thx it worked.
Problem also occur in apache Karaf wiht jasyp properties module and we are witing for update
Thanks Ryan! I followed instructions of installing BC on their site and they didn't mention that "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy" is required too. After installing it all works fine!
Wanted to ask if there's soon a new release with this fix in?
No releases in 4 years? This open issue preventing using encyrption algorithms in JAVA 8. Is this project dead? If so are the devleopers willing to turn it over to people willing to maintain and release it?