Skip to main content
R
rickmaz
Inspiring
March 13, 2025
Question

decrypt issue

  • March 13, 2025
  • 2 replies
  • 1471 views

I have an application client side both in php and cf code which does simliar things. Both post to cf server 2021 upadate 18. i believe the update 18 is cuasing the issue but i would have to roll back to 17 to test this. In my logs everything was fine until 2/20/2025 and in my installer downloads on the CF server i see on 2/19 i downloaded update 18 so i assume it was intalled on the 19th or early on 20th of feb. Every since then I have the problem. I am not 100% certain that is the issue but if that makes sense to anyone let me know. Now for the issue. To be clear If i encrypt on a CF server which front end app is (also update 18) and then decrpt on 2nd CF server update 18th this still works even after update 18 installed on 2/20. My issue is with PHP front end. I am encrypting with php page and posting to cf server (same one as the cf front end app) and this now does not work. Both php and cf front end worked fine before update 18. 

For Cf front end i am using basic: function encryptData(data) {
var encryptionKey = generateEncryptionKey();
var jsonData = serializeJSON(data);
var encryptedString = encrypt(jsonData, encryptionKey, "AES", "hex");
return encryptedString;
}

on backend to decypt i am using: function decryptData(encryptedString, accountID, secretKey) {
var encryptionKey = generateEncryptionKey(accountID, secretKey);
var decryptedJSON = decrypt(encryptedString, encryptionKey, "AES", "hex");
return deserializeJSON(decryptedJSON);
}

this seems to work. BUT if i send encryption using this function on php to encrypt: function encryptForReauthenticationWC($data, $client) {
try {
$keyBytes = base64_decode($client['encryption_key']);
$ivBytes = base64_decode($client['iv']);

// Ensure data is UTF-8 encoded
$dataBytes = mb_convert_encoding($data, 'UTF-8');

// Apply PKCS7 padding manually
$blockSize = 16;
$padSize = $blockSize - (strlen($dataBytes) % $blockSize);
$dataBytes .= str_repeat(chr($padSize), $padSize);

$encryptedBytes = openssl_encrypt($dataBytes, 'AES-256-CBC', $keyBytes, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $ivBytes);
$encryptedData = customUrlEncode($encryptedBytes);

logMessage_check("Custom encoded data length: " . strlen($encryptedData), $client);
return $encryptedData;
} catch (Exception $e) {
logMessage_check("Encryption failed: " . $e->getMessage(), $client);
return "";
}


the decryption fails i have a failver on the backend if the normal decrypt data function does not work to try this way: <cfif NOT isDecrypted>
<cftry>
<!--- Decode the custom encoded data --->
<cfset customEncodedData = url.data>
<cfset base64EncodedData = replace(replace(replace(customEncodedData, '-', '+', 'all'), '_', '/', 'all'), ',', '=', 'all')>
<cfset encryptedBytes = binaryDecode(base64EncodedData, "base64")>

<!--- Log received data info --->
<cflog file="check_api_auth_log" text="Received data length: #len(customEncodedData)#" type="information">
<cflog file="check_api_auth_log" text="Decoded data length: #arrayLen(encryptedBytes)#" type="information">


<!--- Decode the Base64 encryption key and IV --->
<cfset keyBytes = binaryDecode(clientDetails.encryption_key, "base64")>
<cfset ivBytes = binaryDecode(clientDetails.iv, "base64")>

<!--- Create SecretKeySpec and IvParameterSpec --->
<cfset secretKeySpec = createObject("java", "javax.crypto.spec.SecretKeySpec").init(keyBytes, "AES")>
<cfset ivParameterSpec = createObject("java", "javax.crypto.spec.IvParameterSpec").init(ivBytes)>

<!--- Create Cipher instance --->
<cfset cipher = createObject("java", "javax.crypto.Cipher").getInstance("AES/CBC/PKCS7Padding")>

<!--- Initialize cipher for decryption --->
<cfset cipher.init(cipher.DECRYPT_MODE, secretKeySpec, ivParameterSpec)>

<cfset decryptedBytes = cipher.doFinal(encryptedBytes)>
<cfset decryptedString = toString(decryptedBytes, "UTF-8")>


<!--- Log decrypted data info --->
<cflog file="check_api_auth_log" text="Decrypted data length: #len(decryptedString)#" type="information">

<!-- Parse the decrypted string into a struct -->
<cfset decryptedParts = listToArray(decryptedString, "|")>
<cfset decryptedData = {
userID: decryptedParts[1],
timestamp: decryptedParts[2]
}>
<cfset isDecrypted = true>
<cfcatch>
<cflog file="check_api_auth_log" text="Error: WC re-authentication decryption failed. Error: #cfcatch.message#" type="error">
<cfoutput>Error: Invalid verification data.</cfoutput>
<cfabort>
</cfcatch>
</cftry>
</cfif>
In my logs for the php attempt the log error i am seeing is Error: cannot fine any provider supporting AES/CBC/PKCS7Padding

neither work and it completely fails. AGain all worked before update 18 I can try to roll back unless someone can see something obvious but of course I would like to solve it becuase it all worked before update 18 and i need to upate at some point. Thanks in advance

    2 replies

    Brian__
    Brian__
    Participating Frequently
    March 14, 2025

    I agree with @Charlie Arehart that CF2021U18 is unlikely to be the reason for this not working.  I don't have a complete solution, but I have a few observations that might put you on the right track - 

     

    1) The javax.crypto.Cipher class doesn't appear to support PKCS7Padding - see https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/crypto/Cipher.html.  

     

    But PKCS7Padding and PKCS5Padding are practically the same -- PKCS5Padding is for ciphers that have a blocksize of 8 bytes, and PKCS7Padding can support a variable blocksize between 1 and 255 bytes.  (AES has a blocksize of 16 bytes, but since 16 is a multiple of 8, PKCS5Padding works fine with AES.)

     

    But when I change your code to:

     

     

    <cfset cipher = createObject("java", "javax.crypto.Cipher").getInstance("AES/CBC/PKCS5Padding")>

     

     

    I get the following erorr:

     

    The init method was not found

     

     

    Is there a reason you're using the javax.crypto.Cipher class here instead of ColdFusion's native encrypt()/decrypt() functions?

     

    2)  encrypt(jsonData, encryptionKey, "AES", "hex"); will use AES in ECB mode, but your other code uses AES in CBC mode.

     

    After the updates in APSB24-41 from June 2024, 'AES/CBC/PKCS5Padding' is the default alogoithm (i.e., if you call encrypt()/decrypt() without specifying an algorithm), but ECB is still the default mode of operation if you explicitly specify "AES" as the algorithm with no other options.

     

    I don't know what your expected program flow is, but it looks like you are using two different encryption/decryption configurations.

     

    R
    rickmazAuthor
    Inspiring
    March 14, 2025

    i dont know either but i can tell you I have the app installed on 6 different linux servers php 7 and 8 encrypting the exact same way, 7-10 a day since august -- the code did not change on encryption side -- The EXACT day i installed update 18 that code stopped working. I can only guess maybe something that should not have worked before did and Adobe cleaned it up, forgot to document it or just decided not to since it was something technically that should not have worked in some versions? I dont know. I had to recode theentire thing to get it to work but now it does yes using different method. I just dont understand why things break liek this. I go out of my way to look at the release notes before the upgrades and try to test but its all good. I think you for the replies as it helped me know where to look or what to maybe eliminate. 

    Brian__
    Brian__
    Participating Frequently
    March 14, 2025

    In that case, I'm stumped! 🙂 

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    March 13, 2025

    Let me first help others looking at this by noting that he shows using an encryption algorithm ("aes") for his encrypt and decrypt functions in cfml, so this not about the change introduced by the June 2024 cf update (u14 of his cf2021). So there would seem to be another explanation. 

     

    It seems you're saying the error is on the code doing this:

     

     

    <cfset cipher = createObject("java", "javax.crypto.Cipher").getInstance("AES/CBC/PKCS7Padding")>

     

     

    ... as that's what's using the "AES/CBC/PKCS7Padding" that your error is reporting. That createObject call is pointing to a class that Cf will be finding in some jar, somewhere on its classpath. We can't know. But you're thinking "update 18 must have changed it". 

     

    But I will be VERY surprised if that's so. Update 18 was an update SOLELY about the pmt agent (cf's built-in monitoring solution), having nothing to do with encryption--that I know of. 

     

    So first, yes, you could try rolling back to update 17. If that worked, it may seem to prove your point that "18 broke it".

     

    But it may also be that either update 18 OR 17 had a failure in the update, and in that case it's not clear if either "worked", and so we could not blame either--if the update failed. And you can view that (without uninstalling the update) by viewing the update install log, found within the hf-updates folder under the instance, likely cfusion. Look at about line 70 for the count of any fatalerrors or no fatal errors, for both update 18 and 17. 

     

    Let us know what you find, or if you try the uninstall, or if you learn anything else. Or maybe someone else will have a different suggestion.

     

    /Charlie (troubleshooter, carehart. org)
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices