Any methods to verify if it's PKCS7 vs PKCS5? Like how they did it here: https://stackoverflow.com/questions/67891550/detect-if-a-text-encrypted-using-aes-cbc-is-padded-or-not
On Fri, Jan 30, 2026 at 8:37 PM Nick Couchman <[email protected]> wrote: > Hello, devs, > I need a bit of help getting some of the encryption/decryption working > with the guacamole-auth-json module. Specifically, I'm trying to do > the encryption of the JSON data with JavaScript, and am hitting a > couple of issues. The basic JavaScript code I've got going is > relatively simple: > > === > var json = '{ ... }' > var encoder = new TextEncoder(); > var encoded = encoder.encode(json); > var key = '2c1a6b6438c580e4281ded6639f22e65'; > var keyData = encoder.encode(key); > var keyObj1 = await > window.crypto.subtle.importKey("raw",keyData,{name:"HMAC", > hash:"SHA-256"},false,["sign"]); > var signature = await window.crypto.subtle.sign("HMAC", keyObj1, encoded); > var signedData = signature.toString() + json; > var zeroiv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, > 0]); > let keyObj2 = await > > window.crypto.subtle.importKey("raw",keyData,{name:"AES-CBC"},false,["encrypt"]); > let encrypted = await crypto.subtle.encrypt({name:"AES-CBC", zeroiv}, > keyObj2, encoder.encode(signedData)); > var base64String = btoa(String.fromCharCode.apply(null, new > Uint8Array(encrypted))); > == > > When I take the base64 output and feed it to a curl command: > > curl --data-urlencode "data=<base64String from above>" -k > https://server.example.com/api/tokens > > I get an error: > > == > {"message":"Permission > > denied.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Permission > > denied."}},"statusCode":null,"expected":[],"patches":null,"type":"INVALID_CREDENTIALS"} > == > > And, if I look at my Tomcat logs, I see the following: > > == > ERROR: o.a.g.auth.json.user.UserDataService - Decryption of received > data failed: javax.crypto.BadPaddingException: Given final block not > properly padded. Such issues can arise if a bad key is used during > decryption. > == > > From my reading about JavaScript's subtle crypto methods, it looks > like it is using PKCS7 padding, whereas the JSON module uses > AES/CBC/PKCS5Padding. However, I found a couple of assertions that > Java actually uses PKCS7 rather than PKCS5, and that the PKCS5 name is > actually a misnomer: https://crypto.stackexchange.com/a/9044. > > Any hints on this? > > -Nick > -- *Tenay Lowden* Ph: (405)589-6374 Email: [email protected]
