For the following PBE algorithms decryption is not working throwing org.jasypt.exceptions.EncryptionOperationNotPossibleException:
PBEWITHHMACSHA1ANDAES_128
PBEWITHHMACSHA1ANDAES_256
PBEWITHHMACSHA224ANDAES_128
PBEWITHHMACSHA224ANDAES_256
PBEWITHHMACSHA256ANDAES_128
PBEWITHHMACSHA256ANDAES_256
PBEWITHHMACSHA384ANDAES_128
PBEWITHHMACSHA384ANDAES_256
PBEWITHHMACSHA512ANDAES_128
PBEWITHHMACSHA512ANDAES_256
Tested on:
1. Oracle JDK (1.8.0_05) on Debian 3.2.54-2 x86_64
2. Oracle JDK (1.8.0) on Mac OS X 10.9.4 (13E28)
The output for the simple tests (code is below and in the attachment):
A. Without JCE jars installed:
--------------------------------------------------------------------------------
Version: 1.8.0, max key length: 128 (JCE: NO)
--------------------------------------------------------------------------------
Algorithm Result
--------------------------------------------------------------------------------
PBEWITHHMACSHA1ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA1ANDAES_256 NOT_POSSIBLE
PBEWITHHMACSHA224ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA224ANDAES_256 NOT_POSSIBLE
PBEWITHHMACSHA256ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA256ANDAES_256 NOT_POSSIBLE
PBEWITHHMACSHA384ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA384ANDAES_256 NOT_POSSIBLE
PBEWITHHMACSHA512ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA512ANDAES_256 NOT_POSSIBLE
PBEWITHMD5ANDDES OK
PBEWITHMD5ANDTRIPLEDES NOT_POSSIBLE
PBEWITHSHA1ANDDESEDE OK
PBEWITHSHA1ANDRC2_128 OK
PBEWITHSHA1ANDRC2_40 OK
PBEWITHSHA1ANDRC4_128 OK
PBEWITHSHA1ANDRC4_40 OK
--------------------------------------------------------------------------------
B. With JCE jars installed:
PBEWITHHMACSHA1ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA1ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA224ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA224ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA256ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA256ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA384ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA384ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA512ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA512ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHMD5ANDDES OK
PBEWITHMD5ANDTRIPLEDES OK
PBEWITHSHA1ANDDESEDE OK
PBEWITHSHA1ANDRC2_128 OK
PBEWITHSHA1ANDRC2_40 OK
PBEWITHSHA1ANDRC4_128 OK
PBEWITHSHA1ANDRC4_40 OK
The code below lists all existing PBE algorithms with AlgorithmRegistry.getAllPBEAlgorithms() and applies a simple test for each algorithm (encrypt and then decrypt with the same StandardPBEStringEncryptor).
package com.nobullet.encryption.test;

import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.registry.AlgorithmRegistry;

/**
 * Main encryption tests.
 *
 * @author nobulletnav
 */
public class Main {

    static final String DATA = "{json:{userId:'12345678901234567890'}}";
    static final Logger logger = Logger.getGlobal();

    public static void main(String[] args) {
        String format = "%s\t%s";
        String line = padTo("", '-', 80);
        int keyLength = getJCEMaxKeyLength();
        String jce = keyLength == Integer.MAX_VALUE ? "YES" : "NO";
        // Collect test results.
        Set<String> algorithms = (Set<String>) AlgorithmRegistry.getAllPBEAlgorithms();
        List<String> result = new ArrayList<>();
        for (String algorithm : algorithms) {
            AlgoritmTestResult works = testAlgorithm(algorithm);
            result.add(String.format(format, padTo(algorithm), padTo(works.toString())));
        }
        // Print response.
        System.out.println(line);
        System.out.println(String.format("Version: %s, max key length: %d (JCE: %s)",
                System.getProperty("java.version"), keyLength, jce) + "\n" + line);
        System.out.println(String.format(format, padTo("Algorithm"), padTo("Result")) + "\n" + line);
        for (String r : result) {
            System.out.println(r);
        }
    }

    public static int getJCEMaxKeyLength() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES");
        } catch (NoSuchAlgorithmException ex) {
            return -1;
        }
    }

    public static AlgoritmTestResult testAlgorithm(String algorithm) {
        boolean isEncrypted = false;
        try {
            StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
            encryptor.setPassword("wiu34we233[]weuokw/12340645798/3@#4");
            encryptor.setAlgorithm(algorithm);
            encryptor.setKeyObtentionIterations(1);
            String encrypted = encryptor.encrypt(DATA);
            isEncrypted = true;
            return DATA.equals(encryptor.decrypt(encrypted))
                    ? AlgoritmTestResult.OK : AlgoritmTestResult.DECRYPT_FAIL;
        } catch (org.jasypt.exceptions.EncryptionOperationNotPossibleException e) {
            logger.log(Level.WARNING, "Error while using " + algorithm + " ", e);
            return isEncrypted ? AlgoritmTestResult.NOT_POSSIBLE_DECRYPT : AlgoritmTestResult.NOT_POSSIBLE;
        } catch (Exception e) {
            logger.log(Level.WARNING, "Error while using " + algorithm + " ", e);
            return AlgoritmTestResult.UNKNOWN;
        }
    }

    public static String padTo(String s) {
        return padTo(s, 30);
    }

    public static String padTo(String s, char c, int length) {
        if (s.length() < length) {
            StringBuilder sb = new StringBuilder(s);
            for (int i = 0; i < length - s.length(); i++) {
                sb.append(c);
            }
            return sb.toString();
        }
        return s;
    }

    public static String padTo(String s, int length) {
        return padTo(s, ' ', length);
    }

    public static enum AlgoritmTestResult {
        OK, DECRYPT_FAIL, NOT_POSSIBLE, NOT_POSSIBLE_DECRYPT, UNKNOWN;
    }
}
In case anyone runs across this thread in the future, RedHat has actually forked this project to support new ciphers and Java versions as a part of their JBOSS Fuse platform. Their public GitHub repo can be found here:
https://github.com/jboss-fuse/jasypt/tree/master/jasypt
Compile this just like upstream jasypt (mvn clean:clean install) and it'll produce the same JAR artifacts. I've tested this with JDK 1.8 and it works flawlessly to encrypt/decrypt PBEWITHHMACSHA512ANDAES_256. As that's the highest cipher suite available, my hope is all other ciphers will work equally as well although I haven't personally confirmed this.
I also forked this project: https://github.com/melloware/jasypt
And released to Maven Central:
That's great to hear. But why can't the standard "jasypt:jasypt" be updated and released?
Martin, I agree with you but it's been 5 years with no activity. I have absolutely NO idea but one thing to speculate is the project owner/author is possibly no longer alive. He has not posted a single thing or response in 4 years.
Just received good news from Hoki Torres Erausquin - they'll return to the project, migrate it to GitHub and plan to release a new version hopefully within the next 6 weeks.
Fixed in 1.9.3.
Tested using previously posted test code. For secure hashing algorithms...
1.9.2 NOT_POSSIBLE DECRYPT
1.9.3 NOT_POSSIBLE
melloware fork (1.9.3, 1.9.4) OK
compile group: 'org.jasypt', name: 'jasypt', version: '1.9.2'
Version: 1.8.0_152, max key length: 2147483647 (JCE: YES)
Algorithm Result
PBEWITHHMACSHA1ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA1ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA224ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA224ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA256ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA256ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA384ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA384ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA512ANDAES_128 NOT_POSSIBLE_DECRYPT
PBEWITHHMACSHA512ANDAES_256 NOT_POSSIBLE_DECRYPT
PBEWITHMD5ANDDES OK
PBEWITHMD5ANDTRIPLEDES OK
PBEWITHSHA1ANDDESEDE OK
PBEWITHSHA1ANDRC2_128 OK
PBEWITHSHA1ANDRC2_40 OK
PBEWITHSHA1ANDRC4_128 OK
PBEWITHSHA1ANDRC4_40 OK
compile group: 'org.jasypt', name: 'jasypt', version: '1.9.3'
Version: 1.8.0_152, max key length: 2147483647 (JCE: YES)
Algorithm Result
PBEWITHHMACSHA1ANDAES_128 NOT_POSSIBLE
PBEWITHHMACSHA1ANDAES_256 NOT_POSSIBLE
PBEWITHHMACSHA224ANDAES_128 NOT_POSSIBLE
PBEWITHHMACSHA224ANDAES_256 NOT_POSSIBLE
PBEWITHHMACSHA256ANDAES_128 NOT_POSSIBLE
PBEWITHHMACSHA256ANDAES_256 NOT_POSSIBLE
PBEWITHHMACSHA384ANDAES_128 NOT_POSSIBLE
PBEWITHHMACSHA384ANDAES_256 NOT_POSSIBLE
PBEWITHHMACSHA512ANDAES_128 NOT_POSSIBLE
PBEWITHHMACSHA512ANDAES_256 NOT_POSSIBLE
PBEWITHMD5ANDDES OK
PBEWITHMD5ANDTRIPLEDES OK
PBEWITHSHA1ANDDESEDE OK
PBEWITHSHA1ANDRC2_128 OK
PBEWITHSHA1ANDRC2_40 OK
PBEWITHSHA1ANDRC4_128 OK
PBEWITHSHA1ANDRC4_40 OK
compile group: 'com.melloware', name: 'jasypt', version: '1.9.4' (OR 1.9.3)
Version: 1.8.0_152, max key length: 2147483647 (JCE: YES)
Algorithm Result
PBEWITHHMACSHA1ANDAES_128 OK
PBEWITHHMACSHA1ANDAES_256 OK
PBEWITHHMACSHA224ANDAES_128 OK
PBEWITHHMACSHA224ANDAES_256 OK
PBEWITHHMACSHA256ANDAES_128 OK
PBEWITHHMACSHA256ANDAES_256 OK
PBEWITHHMACSHA384ANDAES_128 OK
PBEWITHHMACSHA384ANDAES_256 OK
PBEWITHHMACSHA512ANDAES_128 OK
PBEWITHHMACSHA512ANDAES_256 OK
PBEWITHMD5ANDDES OK
PBEWITHMD5ANDTRIPLEDES OK
PBEWITHSHA1ANDDESEDE OK
PBEWITHSHA1ANDRC2_128 OK
PBEWITHSHA1ANDRC2_40 OK
PBEWITHSHA1ANDRC4_128 OK
PBEWITHSHA1ANDRC4_40 OK
Any guidance?
Last edit: Mark Grimes 2019-05-31
PBEWithDigestAndAES algorithms (from the JCE Provider of JAVA 8) are supported. They require an initialization vector (IV) parameter. By default Jasypt PBExxEncryptors use a NoIvGenerator for maintaining backwards compatibility and decrypt values encrypted with previous Jasypt versions. Establishing an IvGenerator will solve the issue. The IV should be random and only used one time, so org.jasypt.RandomIvGenerator is the recommended one:
encryptor.setIvGenerator(new RandomIvGenerator());
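The JCE behaviour behind this answer, as an added example that is not part of the thread or of Jasypt's code: it uses only the JDK's javax.crypto API, and the class name, password, salt length and iteration count are constructed for the demo. Encryption succeeds without a caller-supplied IV because the provider generates one, while decryption is refused until that same IV is passed back in.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeAesIvDemo {
    // AES_128 variant so the demo also runs without the unlimited-strength policy files.
    static final String ALG = "PBEWithHmacSHA256AndAES_128";
    static final int ITERATIONS = 1000; // constructed demo value

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-demo-password".toCharArray(); // constructed
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SecretKey key = SecretKeyFactory.getInstance(ALG)
                .generateSecret(new PBEKeySpec(password));

        // Encrypt with salt and iteration count only: the provider picks a random IV.
        Cipher enc = Cipher.getInstance(ALG);
        enc.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, ITERATIONS));
        byte[] iv = enc.getIV(); // has to be stored alongside the ciphertext
        byte[] ct = enc.doFinal("secret".getBytes(StandardCharsets.UTF_8));

        // Decrypt with the same salt and iterations but no IV: init is rejected.
        Cipher dec = Cipher.getInstance(ALG);
        try {
            dec.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(salt, ITERATIONS));
            System.out.println("unexpected: decrypt init accepted without an IV");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("decrypt without IV rejected: " + e.getMessage());
        }

        // Decrypt again, this time handing back the IV used for encryption.
        dec.init(Cipher.DECRYPT_MODE, key,
                new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        System.out.println("decrypt with IV: "
                + new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```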
Thank you Hoki! It works beautifully!