Hi,

We have been using OFBiz (revision *4955*) since 2005 and recently upgraded to the
branch *0904*. We have some encrypted data in the DB.
In most of the cases OFBiz is successfully decrypting the values (as
EntityCrypto.decrypt() catches the exception and then uses the
"useOldFunnyKeyHash" attribute as "true" to get the SecretKey).

But in some of the cases it is not returning any value. We observed that the new
hash method (see code fragment below) doesn't throw an exception, and the consequent
call to "UtilObject.getObject()" encounters an exception, prints error messages
and returns "null". As a result, the EntityCrypto.decrypt() method returns null
instead of trying the old hash algorithm.

code snippet:
==========

SecretKey decryptKey = this.getKey(keyName, false);
byte[] decryptedBytes = DesCrypt.decrypt(decryptKey, encryptedBytes);
decryptedObj = UtilObject.getObject(decryptedBytes);

log from console.log
===============

2009-07-16 11:16:59,893 (default-invoker-Thread-6) [UtilObject.java:127:ERROR]
---- exception report ----------------------------------------------------------
Exception: java.io.StreamCorruptedException
Message: invalid stream header: E4F9F18A
---- stack trace ---------------------------------------------------------------
java.io.StreamCorruptedException: invalid stream header: E4F9F18A
java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:783)
java.io.ObjectInputStream.<init>(ObjectInputStream.java:280)
org.ofbiz.base.util.ObjectInputStream.<init>(ObjectInputStream.java:35)
org.ofbiz.base.util.UtilObject.getObject(UtilObject.java:122)
org.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:90)
org.ofbiz.entity.GenericDelegator.decryptFields(GenericDelegator.java:3325)


We have tested for this scenario by calling the old hash technique, which
returns the decrypted value. I'm adding the code that I used to get my
result.


Modified test code "EntityCrypto.decrypt()" that returns the expected value
======================================================
    /** Decrypts a hex encoded String into an Object */
    public Object decrypt(String keyName, String encryptedString) throws EntityCryptoException {
        Object decryptedObj = null;
        byte[] encryptedBytes = StringUtil.fromHexString(encryptedString);
        try {
            SecretKey decryptKey = this.getKey(keyName, false);
            byte[] decryptedBytes = DesCrypt.decrypt(decryptKey, encryptedBytes);
            decryptedObj = UtilObject.getObject(decryptedBytes);

            ////////// added following block to get result /////////////
            // UtilObject.getObject() logs the StreamCorruptedException and returns null
            // instead of throwing, so a null result here means the standard key hash
            // produced garbage; throw so that the catch block below tries the old hash.
            if (null != encryptedString && null == decryptedObj) {
                String errStr = "returned null or had error in decryptedObj. trying oldHash method.";
                Debug.logError(errStr, module);
                throw new GeneralException(errStr);
            }
            ////////////////////////////////////////////////////////////

        } catch (GeneralException e) {
            try {
                // try using the old/bad hex encoding approach; this is another path the code may take, ie if there is an exception thrown in decrypt
                Debug.logVerbose("Decrypt with DES key from standard key name hash failed, trying old/funny variety of key name hash", module);
                SecretKey decryptKey = this.getKey(keyName, true);
                byte[] decryptedBytes = DesCrypt.decrypt(decryptKey, encryptedBytes);
                decryptedObj = UtilObject.getObject(decryptedBytes);
                //Debug.logInfo("Old/funny variety succeeded: Decrypted value [" + encryptedString + "]", module);
            } catch (GeneralException e1) {
                // NOTE: this throws the original exception back, not the new one if it fails using the other approach
                throw new EntityCryptoException(e);
            }
        }

        // NOTE: this is definitely for debugging purposes only, do not uncomment in production server for security reasons: Debug.logInfo("Decrypted value [" + encryptedString + "] to result: " + decryptedObj, module);
        return decryptedObj;
    }


So, please let me know if this scenario has been taken care of already.


Regards,
Rajib
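
The following is an added, self-contained example (not OFBiz code and not part of the post above) that reproduces the failure mode described in this message and shows a fallback that handles it. It assumes DesCrypt behaves like DESede/CBC/PKCS5Padding with the IV prepended to the ciphertext, and it replaces getKey(keyName, false) / getKey(keyName, true) with two independently generated keys; the class, method names and sample plaintexts are constructed for the demo. The point it makes is general: CBC without a MAC has no way to report "wrong key", so the only signals are the PKCS#5 padding check, which a random last block passes roughly one time in 256, and whatever format check comes next. When the padding check passes by chance, DesCrypt.decrypt() returns without error and the garbage only fails at ObjectInputStream's stream header, exactly the "invalid stream header" in the log above. A fallback therefore has to treat a deserialization failure as a wrong-key signal too, which is what the added null check in the modified decrypt() does.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.StreamCorruptedException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Constructed demo (not OFBiz code): decrypting a serialized object with the wrong key
 * usually fails at the padding check, but sometimes only at the ObjectInputStream header.
 * A robust fallback treats both failures as "wrong key" and tries the next candidate.
 */
public class KeyFallbackDemo {

    // Assumed stand-in for what DesCrypt does; the real transformation may differ.
    private static final String TRANSFORM = "DESede/CBC/PKCS5Padding";

    /** Stand-in for DesCrypt.encrypt: random IV prepended to the CBC ciphertext. */
    static byte[] encrypt(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[8];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Stand-in for DesCrypt.decrypt: a wrong key is only noticed if the padding comes out invalid. */
    static byte[] decrypt(SecretKey key, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(data, 0, 8));
        return c.doFinal(data, 8, data.length - 8);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Unlike UtilObject.getObject(), this lets the StreamCorruptedException propagate instead of returning null. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /**
     * Tries each candidate key in order (standard key-name hash first, old/funny hash second).
     * A failure at either the cipher stage or the deserialization stage moves on to the next key;
     * if every key fails, the first failure is reported as the cause.
     */
    static Object decryptWithFallback(byte[] encrypted, SecretKey... candidateKeys) throws GeneralSecurityException {
        Exception first = null;
        for (SecretKey key : candidateKeys) {
            try {
                return deserialize(decrypt(key, encrypted));
            } catch (GeneralSecurityException | IOException | ClassNotFoundException e) {
                if (first == null) {
                    first = e;
                }
            }
        }
        throw new GeneralSecurityException("no candidate key decrypted the value", first);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("DESede");
        SecretKey newKey = kg.generateKey(); // stands in for getKey(keyName, false)
        SecretKey oldKey = kg.generateKey(); // stands in for getKey(keyName, true)

        // Constructed record written under the old key, as in the upgraded database.
        byte[] stored = encrypt(oldKey, serialize("constructed secret value"));

        // How does the wrong (new) key fail? Mostly at padding, occasionally only at the stream header.
        int paddingErrors = 0, headerErrors = 0, other = 0;
        for (int i = 0; i < 5000; i++) {
            byte[] ct = encrypt(oldKey, serialize("constructed secret value " + i));
            try {
                deserialize(decrypt(newKey, ct));
                other++;
            } catch (BadPaddingException e) {
                paddingErrors++;
            } catch (StreamCorruptedException e) {
                headerErrors++;
            } catch (Exception e) {
                other++;
            }
        }
        System.out.printf("wrong key: %d padding errors, %d stream-header errors, %d other%n",
                paddingErrors, headerErrors, other);

        // Treating the deserialization failure as a wrong-key signal lets the fallback recover the value.
        Object recovered = decryptWithFallback(stored, newKey, oldKey);
        System.out.println("recovered: " + recovered);
    }
}
```

Two caveats for anyone adopting this shape of fallback: a genuinely corrupted record will now also be retried with the old key before being reported, so the error seen by the caller is the first key's failure rather than a clean "corrupt data" signal; and the debug line in EntityCrypto that logs the decrypted value must stay commented out, since it would write plaintext secrets to the log.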
