I think I've got it decrypting now. The Shiro author gave me some tips:
When the cookie is read from a request, the process is reversed:
byte[] combined = Base64.decrypt(cookieValue);
//The first 128 bits (16 bytes) are the prepended IV:
byte[] iv = combined[0]..combined[15];
//The remaining is the actual encrypted data:
byte[] encrypted = combined[16]..combined[combined.length-1];
byte[] serializedPrincipals = decrypt(encrypted, key, iv);
PrincipalCollection principals = jdkDeserialize(serializedPrincipals);
In Shiro 1.1.0, the AesCipherService's default settings for byte array
encryption were:
Key size: 128 (bits)
Block size: 128 (bits)
Mode of operation: CFB
Padding scheme: PKCS5
Initialization Vector size: 128 (bits)
Autogenerate and prefix IVs: true
When I changed my code to the following, I was able to see Java class names
in the output:
var decrypt = function (input, password, callback) {
// Decode input from base64 to binary string
var decoded = new Buffer(input, 'base64').toString('binary');
// The first 128 bits (16 bytes) are the prepended IV
var iv = decoded.slice(0,16);
// The remaining is the actual encrypted data
var data = decoded.slice(16);
// Decode password from Base64
var key = new Buffer(password, 'base64').toString('binary');
// Decipher encrypted data
var decipher = crypto.createDecipheriv('aes-128-cfb', key, iv);
decipher.setAutoPadding(false);
var decrypted = decipher.update(data, 'binary') +
decipher.final('binary');
var plaintext = new Buffer(decrypted, 'binary').toString('ascii');
// Return decrypted text
callback(plaintext);
};
var key = 'UaNG2oxPGFh1kC4QS0/1Rw==';
// Real rememberMe for 'testuser' using key on development environment
var rememberMe =
'jVIfq39P7KmDZDEI5vY7+wlhe0dA2J7wd5Sak9AIeVXfuyB6KtGNMIg3LLNLELhQ7BjaO+k5XjoHX7CepC3+YeP9/s4F+dZcfs69UMLZEo1rk1knf/bXK3/90q2ksVQuIVFVtKy0OYU22f1eQX01SHw6btK2sZ+WBmFNDYzJAcX2kSTgENgIqSrRqH/W9ora1NaOlxKy5+VKs7qU1AocLUmoO5AKqg3EaXs99PjykzadD8Wc/kCIz5tBmpQbxjC/By7f7Aqs7U2nxxkzXo68TTDLtZu4u4XhcVvk7+goCWYZT35zN3pWkoOLiMsy4pH5DVRnaOEdCE4NGUKOnomcrvEdChkZoNE+Q7FYPBtz1mEf5EXsNOOl5iAa2etVbmN9VtWDlfsvOCKq2KHBcR+EWYILOEFAGjEUKWS6pz0ISKl8ftqX8LC3E/m3t4aAJMRIWXdf+K6EQ8EYbAfVjRC0xnDRzmAHxdF5RHj27vQI14znuvOg8oynoj/5TliOq3xxpzUdgnCbxQBEquqDC4IO8Wpaftm7NZt/b/KP6+jo7NNXqoliicgsc0iaHc7PVkny9Xrp34Da5lUS3UFaJLGHAQ==';
decrypt(rememberMe, key, function(output) {
console.log(output);
});
However, the data is a byte array of serialized Java objects, so it isn't
very useful. If only I could figure out how to parse and find the ID number
from it (should contain 1834 somewhere)!
��sr2org.apache.shiro.subject.SimplePrincipalCollection�X%JLrealmPrincipalstLjava/util/Map;xpsrjava.util.LinkedHashMap4�N\l��Z
accessOrderxrjava.util.HashMap���`�F
loadFactorI thresholdxp?@
t
SprtzRealmsrjava.util.LinkedHashSet�l�Z��*xrjava.util.HashSet�D�����4xpw
[email protected];���̏#�Jvaluexrjava.lang.Number���
���xp*xxwq~x
I'm not quite sure where to go from here. But maybe the decryption steps
above will help someone else.
Tauren
--
Job Board: http://jobs.nodejs.org/
Posting guidelines:
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
