Hi Rajib,
Can you please provide some more details, like the value of the encrypted
bytes and the entity column on which you are working? As per my view,
whenever there is a decryption, if the key or encrypted value does not match,
it gives a null result. There are different approaches to encryption in OFBiz;
for example, the entity engine uses the EntityCrypto class for encryption and
decryption, which uses a different approach than HashCrypt, which
uses the SHA algorithm for encryption.
Regards
Prateek Jain
Rajib Khan wrote:
Hi,
We are using OFBiz (revision *4955*) since 2005 and recently upgraded to the
branch *0904*. We have some encrypted data in the DB.
In most of the cases OFBiz is successfully decrypting the values (as
EntityCrypto.decrypt() catches the exception and then uses
"useOldFunnyKeyHash" attribute as "true" to get the SecretKey).
But in some of the cases it is not returning any value. We observed that the new
hash method (see code fragment below) doesn't throw an exception, and the consequent
call to "UtilObject.getObject()" encounters an exception, prints error messages
and returns "null". As a result, the EntityCrypto.decrypt() method returns null
instead of trying the old hash algorithm.
code snippet:
==========
SecretKey decryptKey = this.getKey(keyName, false);
byte[] decryptedBytes = DesCrypt.decrypt(decryptKey, encryptedBytes);
decryptedObj = UtilObject.getObject(decryptedBytes);
log from console.log
===============
2009-07-16 11:16:59,893 (default-invoker-Thread-6) [ UtilObject.java:127:ERROR]
---- exception report ----------------------------------------------------------
Exception: java.io.StreamCorruptedException
Message: invalid stream header: E4F9F18A
---- stack trace ---------------------------------------------------------------
java.io.StreamCorruptedException: invalid stream header: E4F9F18A
java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:783)
java.io.ObjectInputStream.<init>(ObjectInputStream.java:280)
org.ofbiz.base.util.ObjectInputStream.<init>(ObjectInputStream.java:35)
org.ofbiz.base.util.UtilObject.getObject(UtilObject.java:122)
org.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:90)
org.ofbiz.entity.GenericDelegator.decryptFields(GenericDelegator.java:3325)
We have tested for this scenario by calling the old hash technique, which
returns the decrypted value. I'm adding the code that I used to get my
result.
Modified test code "EntityCrypto.decrypt()" that returns expected value
====================================================
/** Decrypts a hex encoded String into an Object */
public Object decrypt(String keyName, String encryptedString) throws EntityCryptoException {
    Object decryptedObj = null;
    byte[] encryptedBytes = StringUtil.fromHexString(encryptedString);
    try {
        SecretKey decryptKey = this.getKey(keyName, false);
        byte[] decryptedBytes = DesCrypt.decrypt(decryptKey, encryptedBytes);
        decryptedObj = UtilObject.getObject(decryptedBytes);
        ////////// added following block to get result /////////////
        if (null != encryptedString && null == decryptedObj) {
            String errStr = "returned null or had error in decryptedObj. trying oldHash method.";
            Debug.logError(errStr, module);
            throw new GeneralException(errStr);
        }
        //////////////////////////////////////////////////////////////////////////////
    } catch (GeneralException e) {
        try {
            // try using the old/bad hex encoding approach; this is another path the code may take, ie if there is an exception thrown in decrypt
            Debug.logVerbose("Decrypt with DES key from standard key name hash failed, trying old/funny variety of key name hash", module);
            SecretKey decryptKey = this.getKey(keyName, true);
            byte[] decryptedBytes = DesCrypt.decrypt(decryptKey, encryptedBytes);
            decryptedObj = UtilObject.getObject(decryptedBytes);
            //Debug.logInfo("Old/funny variety succeeded: Decrypted value [" + encryptedString + "]", module);
        } catch (GeneralException e1) {
            // NOTE: this throws the original exception back, not the new one if it fails using the other approach
            throw new EntityCryptoException(e);
        }
    }
    // NOTE: this is definitely for debugging purposes only, do not uncomment in production server for security reasons:
    Debug.logInfo("Decrypted value [" + encryptedString + "] to result: " + decryptedObj, module);
    return decryptedObj;
}
So, please let me know if this scenario has been taken care of already.
Regards,
Rajib
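
The failure mode discussed in this thread, as an added example that is not part of the original messages or of OFBiz: with PKCS5 padding, a wrong-key decrypt passes the padding check for about 1 in 256 random final blocks, so no exception is thrown and a fallback that runs only on exceptions is skipped. The class name, the `DESede/ECB/PKCS5Padding` cipher string, the generated keys and the sample values are assumptions for illustration; the header check on `AC ED 00 05` corresponds to the "invalid stream header" error in the log above.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.util.*;
import javax.crypto.*;

public class FallbackDecryptDemo {
    // Assumption: cipher string chosen for illustration; the thread does not show DesCrypt's setup.
    static final String ALG = "DESede/ECB/PKCS5Padding";
    static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05}; // Java object stream header

    static byte[] crypt(int mode, SecretKey key, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key);
        return c.doFinal(in);
    }

    static boolean looksSerialized(byte[] b) {
        return b != null && b.length >= 4 && Arrays.equals(Arrays.copyOf(b, 4), MAGIC);
    }

    /** Tries each candidate key in order; accepts only plaintext with the expected header. */
    static byte[] decryptWithFallback(byte[] ct, SecretKey... keys) throws GeneralSecurityException {
        for (SecretKey k : keys) {
            try {
                byte[] pt = crypt(Cipher.DECRYPT_MODE, k, ct);
                if (looksSerialized(pt)) return pt;
                // Padding validated by chance: plaintext is garbage, so try the next key.
            } catch (BadPaddingException e) {
                // The usual wrong-key outcome: try the next key.
            }
        }
        throw new GeneralSecurityException("no candidate key produced a valid object stream");
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("DESede");
        SecretKey current = kg.generateKey(), legacy = kg.generateKey(); // constructed test keys
        int n = 5000, silent = 0, recovered = 0;
        for (int i = 0; i < n; i++) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
                oos.writeObject(UUID.randomUUID().toString()); // constructed sample value
            }
            byte[] ct = crypt(Cipher.ENCRYPT_MODE, legacy, bos.toByteArray());
            try { crypt(Cipher.DECRYPT_MODE, current, ct); silent++; } catch (BadPaddingException e) { }
            if (looksSerialized(decryptWithFallback(ct, current, legacy))) recovered++;
        }
        System.out.println("wrong-key decrypts without exception: " + silent + " of " + n);
        System.out.println("recovered by header check and fallback: " + recovered + " of " + n);
    }
}
```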