108

As the title says, I am getting:

Invalid length for a Base-64 char array.

I have read about this problem on here and it seems that the suggestion is to store ViewState in SQL if it is large. I am using a wizard with a good deal of data collection so chances are my ViewState is large. But, before I turn to the "store-in-DB" solution, maybe somebody can take a look and tell me if I have other options?

I construct the email for delivery using the below method:

public void SendEmailAddressVerificationEmail(string userName, string to)
{
    string msg = "Please click on the link below or paste it into a browser to verify your email account.<BR><BR>" +
                    "<a href=\"" + _configuration.RootURL + "Accounts/VerifyEmail.aspx?a=" +
                    userName.Encrypt("verify") + "\">" +
                    _configuration.RootURL + "Accounts/VerifyEmail.aspx?a=" +
                    userName.Encrypt("verify") + "</a>";

    SendEmail(to, "", "", "Account created! Email verification required.", msg);
}

The Encrypt method looks like this: 

public static string Encrypt(string clearText, string Password)
{

    byte[] clearBytes = System.Text.Encoding.Unicode.GetBytes(clearText);

    PasswordDeriveBytes pdb = new PasswordDeriveBytes(Password, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });


    byte[] encryptedData = Encrypt(clearBytes, pdb.GetBytes(32), pdb.GetBytes(16));

    return Convert.ToBase64String(encryptedData);
}

Here is what the HTML looks like in hotmail:

Please click on the link below or paste it into a browser to verify your email account.

http://localhost:1563/Accounts/VerifyEmail.aspx?a=YOHY57xYRENEOu3H+FGq1Rf09AZAI56EPjfwuK8XWKg=

On the receiving end, the VerifyEmail.aspx.cs page has the line:

 string username = Cryptography.Decrypt(_webContext.UserNameToVerify, "verify");

Here is the getter for UserNameToVerify:

public string UserNameToVerify
{
    get
    {
        return GetQueryStringValue("a").ToString();
    }
}

And here is the GetQueryStringValue method:

private static string GetQueryStringValue(string key)
{
    return HttpContext.Current.Request.QueryString.Get(key);
}

And the decrypt method looks like:

public static string Decrypt(string cipherText, string password)
{

    **// THE ERROR IS THROWN HERE!!**
    byte[] cipherBytes = Convert.FromBase64String(cipherText);

Can this error be remedied with a code fix or must I store ViewState in the database?

Vadim Ovchinnikov
  • 13,327
  • 5
  • 62
  • 90
Peter
  • 5,251
  • 16
  • 63
  • 98

7 Answers7

242

The length of a base64 encoded string is always a multiple of 4. If it is not a multiple of 4, then = characters are appended until it is. A query string of the form ?name=value has problems when the value contains = charaters (some of them will be dropped, I don't recall the exact behavior). You may be able to get away with appending the right number of = characters before doing the base64 decode.

Edit 1

You may find that the value of UserNameToVerify has had "+"'s changed to " "'s so you may need to do something like so:

a = a.Replace(" ", "+");

This should get the length right;

int mod4 = a.Length % 4;
if (mod4 > 0 )
{
    a += new string('=', 4 - mod4);
}

Of course calling UrlEncode (as in LukeH's answer) should make this all moot.

Vadim Ovchinnikov
  • 13,327
  • 5
  • 62
  • 90
  • 9
    Thanks Brad - It was actually this little bit of code that did the job: a = a.Replace(" ","+"); – Peter May 28 '10 at 07:46
  • 1
    @Code Sherpa: if that is the case, your best choice is to urlencode before sending the string, and urldecode on receipt. Otherwise if another url significant character gets into your string then you'll have to add another `Replace` statement. Encoding is a coverall that protects you regardless. – Matt Ellen Oct 20 '10 at 10:57
  • 6
    You do not to to UrlDecode your string on receipt as request parameters are already UrlDecoded by ASP.Net. You should however UrlEncode when sending. – bleeeah Oct 30 '12 at 10:38
  • Or if you want an inline version: `a = a + new string('=', (4 - a.Length % 4) % 4)`. Example to decode [RFC 4648 URL-safe Base64](http://en.wikipedia.org/wiki/Base64#Variants_summary_table): `public string base64urlDecode(string encoded) { return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encoded.Replace("_","/").Replace("-","+") + new string('=', (4 - encoded.Length % 4) % 4))); }` – gregmac Feb 05 '15 at 16:01
  • 1
    "You do not to to UrlDecode" - THIS! Stepping through my code I could see the parameter was already decoded, the problem was me running it through `UrlDecode` which whas removing characters. Thanks @MattEllen – GJKH Mar 18 '16 at 12:36
  • The 2nd part appending any missing characters with '=' worked fo rme – neildt Dec 15 '20 at 18:10
33

My guess is that you simply need to URL-encode your Base64 string when you include it in the querystring.

Base64 encoding uses some characters which must be encoded if they're part of a querystring (namely + and /, and maybe = too). If the string isn't correctly encoded then you won't be able to decode it successfully at the other end, hence the errors.

You can use the HttpUtility.UrlEncode method to encode your Base64 string:

string msg = "Please click on the link below or paste it into a browser "
             + "to verify your email account.<br /><br /><a href=\""
             + _configuration.RootURL + "Accounts/VerifyEmail.aspx?a="
             + HttpUtility.UrlEncode(userName.Encrypt("verify")) + "\">"
             + _configuration.RootURL + "Accounts/VerifyEmail.aspx?a="
             + HttpUtility.UrlEncode(userName.Encrypt("verify")) + "</a>";
LukeH
  • 263,068
  • 57
  • 365
  • 409
  • Thanks. Just tried your suggestion Luke but that didn't work :(. – Peter May 27 '10 at 23:49
  • @Sherpa - Keep working it, the problem is almost certainly with the trailing `=` characters. –  May 27 '10 at 23:53
  • Luke - I have a feeling you are right. Will try this at home. Thanks a bundle. FYI - I added what the string looks like in my hotmail inbox in my original post. – Peter May 27 '10 at 23:59
  • uncle brad is right, I had the same issue last week and the problem was a trailing "=" character ._. – Marcote May 28 '10 at 01:21
12

I'm not Reputable enough to upvote or comment yet, but LukeH's answer was spot on for me.

As AES encryption is the standard to use now, it produces a base64 string (at least all the encrypt/decrypt implementations I've seen). This string has a length in multiples of 4 (string.length % 4 = 0)

The strings I was getting contained + and = on the beginning or end, and when you just concatenate that into a URL's querystring, it will look right (for instance, in an email you generate), but when the the link is followed and the .NET page recieves it and puts it into this.Page.Request.QueryString, those special characters will be gone and your string length will not be in a multiple of 4.

As the are special characters at the FRONT of the string (ex: +), as well as = at the end, you can't just add some = to make up the difference as you are altering the cypher text in a way that doesn't match what was actually in the original querystring.

So, wrapping the cypher text with HttpUtility.URLEncode (not HtmlEncode) transforms the non-alphanumeric characters in a way that ensures .NET parses them back into their original state when it is intepreted into the querystring collection.

The good thing is, we only need to do the URLEncode when generating the querystring for the URL. On the incoming side, it's automatically translated back into the original string value.

Here's some example code

string cryptostring = MyAESEncrypt(MySecretString);
string URL = WebFunctions.ToAbsoluteUrl("~/ResetPassword.aspx?RPC=" + HttpUtility.UrlEncode(cryptostring));
Ken Forslund
  • 340
  • 2
  • 9
8

My initial guess without knowing the data would be that the UserNameToVerify is not a multiple of 4 in length. Check out the FromBase64String on msdn.

// Ok
byte[] b1 = Convert.FromBase64String("CoolDude");
// Exception
byte[] b2 = Convert.FromBase64String("MyMan");
Vadim Ovchinnikov
  • 13,327
  • 5
  • 62
  • 90
SwDevMan81
  • 48,814
  • 22
  • 151
  • 184
  • Thanks SwDevMan81. Just now leaving work but will try this later tonight. Thanks for your help. – Peter May 27 '10 at 23:51
  • No problem, the fix would be to pad with a character to get a string that is a multiple of 4. – SwDevMan81 May 27 '10 at 23:53
  • Thanks again SwDevMan81. I'll take a look at that. I posted UserNameToVeryify in my original post (FYI). OK... now I really need to go or I am going to get in trouble with the real boss :) – Peter May 28 '10 at 00:04
  • Looks like this post might help as well: http://stackoverflow.com/questions/1392970/httpserverutility-urltokendecode-fails-sometimes-invalid-length-for-a-base-64 – SwDevMan81 May 28 '10 at 00:39
2

The encrypted string had two special characters, + and =.

'+' sign was giving the error, so below solution worked well:

//replace + sign

encryted_string = encryted_string.Replace("+", "%2b");

//`%2b` is HTTP encoded string for **+** sign

OR 

//encode special charactes 

encryted_string = HttpUtility.UrlEncode(encryted_string);

//then pass it to the decryption process
...
Vikrant
  • 4,920
  • 17
  • 48
  • 72
0
    string stringToDecrypt = CypherText.Replace(" ", "+");
    int len = stringToDecrypt.Length;
    byte[] inputByteArray = Convert.FromBase64String(stringToDecrypt);
Code
  • 679
  • 5
  • 9
0

While Encrypting use

HttpUtility.UrlEncode(Encryptedtext));

While Decrypting,

use

        value = HttpUtility.UrlDecode(value);
        value = value.Replace(" ", "+");//to remove any empty spaces
        value = value.Replace('-', '+').Replace('_', '/');//replace special char
        while (value.Length % 4 != 0) value += '='; //it should be divisible by 4 or append =

Then send this value for decryption

BIJIN PALAKKAL
  • 186
  • 1
  • 4