2

So I have (this doesn’t work b/c hex is probably wrong and the key and the IV are not converted correctly):

(aesKey and aesIV are provided as hex strings from Third Party)

They look something like this (not the same but should be enough to work with I replaced some values in the keys so they aren’t exactly the same:

<cfparam name="aesKey" default="C20648780E8843795325F3BA5EC43183C8BFA2D26B5470BC309ED5BA6B142EFA"/>
<cfparam name="aesIV" default="A53F0A6E6972A0095CFFDBE4F47C3CF8"/>

<cfset token = Encrypt(encryptString, aesKey, "AES/CBC/PKCS5Padding", "hex", aesIV)>

The error is:

The key specified is not a valid key for this encryption: Illegal key size or default parameters.

(I’m also not sure “hex” is right)

I also have this from third party

Third Party uses the following parameters for AES encryption:
Block Length 256bit
Padding PKCS7
Cipher mode CBC
Key Length 256bit (to be provided by Third Party in hexadecimal format)
Initialization Vector Length 128bit (to be provided by Third Party in hexadecimal format)

The secret (private) key and the initialization vector are used to perform AES encryption on the plaintext token. The encrypted string is then passed to Third Party SSO process where it is decrypted with the matching key and initialization vector.

So I’m not doing any formatting or converting with the key or the iv but the error suggests that I need to manage it.

But that’s where I’m guessing (it does want a string it’s just the string I’m passing is wrong)

I know I’m close and I do have a “Whatever it takes to make it work” solution (where I go from CF to .net and use the sample code provided) but I don’t want to do that, . . . but I do have it. (This would be the second time I went from language B back to language A because I have something that works)

Cœur
  • 37,241
  • 25
  • 195
  • 267
Joshua_OConnorRose
  • 78
  • 7

1 Answers1

7

There are a few things you must do in order to get it work:

  1. By default, you are limited to 128bit keys for AES. To use larger keys, like 256bit, you must first install the (JCE) Unlimited Strength Jurisdiction Policy Files for Java 6, or Java 7 / Java 8 (depending on your JRE version). Copy them into your /lib/security/ directory. (Note: If you have multiple JVM's installed, be sure you update the jars in the correct one ie The one listed in the CF Administrator). Then restart the CF server.

  2. Encrypt() expects keys to be in base64 format. So use binaryDecode/Encode to convert the key from hex to base64:

    <cfset base64Key = binaryEncode(binaryDecode(yourHexKey, "hex"), "base64") />

  3. The iv should be in binary. Again, use binaryDecode to convert it:

    <cfset binaryIV = binaryDecode(yourHexIV, "hex") />

Once you have made those changes, your code should work fine:

Encrypt(encryptString, base64Key, "AES/CBC/PKCS5Padding", "hex", binaryIV)

(Despite the antiquated version in the title, I have found this article on strong encryption to be a great reference for troubleshooting encryption issues)

Community
  • 1
  • 1
Leigh
  • 28,765
  • 10
  • 55
  • 103
  • 1
    Very helpful! Note that the JCE download depends on the JRE version: http://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters – David Hammond Oct 17 '16 at 16:38
  • @DavidHammond - Yep, good point. I updated the answer to make it more obvious. – Leigh Oct 17 '16 at 17:22