2

This question serves as part two to my previous question.
I have come across other threads with similar questions, but due to recent changes in PHP (i.e. mcrypt removal), I am seeking some advice as to how I'd best go about this using OpenSSL in 2017/18.

I have devised the following function in a PHP script. It takes a plain text string and encrypts it.

<?php
function encrypt( $myString) {
    $data = $myString;
    $key = 'B374A26A71490437AA024E4FADD5B497FDFF1A8EA6FF12F6FB65AF2720B59CCF';
    $iv = '61736466673534336173646667353433';

    $encrypted = openssl_encrypt($data, 'AES-256-CBC', $key, 0, hex2bin($iv));
    return $encrypted;
}
?>

Returns: 6Q7DM7VGEeJdnGf2h9k1Kg==

My question is quite simple: What is the Terminal decryption equivalent turning the above result back into its plain text?

So far I was able to use the following Terminal commands in AppleScript (for faster variable manipulation) but the do shell script content is Terminal code:

set encKey to "B374A26A71490437AA024E4FADD5B497FDFF1A8EA6FF12F6FB65AF2720B59CCF"
set encIV to "61736466673534336173646667353433"
set stringToEnc to "my plain text string"

set encrypted to (do shell script "echo '" & stringToEnc & "' | openssl enc -aes-256-cbc -a -K " & encKey & " -iv " & encIV)
set decrypted to (do shell script "echo '" & encrypted & "' | openssl enc -aes-256-cbc -a -d -K " & encKey & " -iv " & encIV)

However, while this works as is, setting encrypted (in the script above) to the output of the PHP function, it throws the error:

bad decrypt 140735624655752:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/evp/evp_enc.c:529:

Having studied this, that and similar questions here on SO, I am puzzled why the error keeps occurring. I believe it is because of the encoding of the key and iv (note that I have used hex2bin() in PHP), which will yield a different result if not used.

What's missing in my Terminal command? If someone could help me work out the decryption equivalent, I would really appreciate the assistance.

Amit Gupta
ProGrammer

1 Answer

3

Just like your last question, you are struggling with encodings a bit. If you carefully consult the documentation for openssl_encrypt, you'll note that both the key and IV should be passed as raw values, not hex.

You did this correctly in your code with the IV, but not the key. You passed the key as a hex value, which means it was twice as long as it needed to be. Just the first 256 bits of the key are used, in this case, B374A26A71490437AA024E4FADD5B497, since you passed 512 bits of key material in total.

So we know that our raw key, when ASCII encoded, is B374A26A71490437AA024E4FADD5B497, which is exactly 256 bits. However, the OpenSSL -K flag that I discussed in your first question requires the key to be passed hex encoded, which means we need to hex encode our key. So we hex encode B374A26A71490437AA024E4FADD5B497 to get 4233373441323641373134393034333741413032344534464144443542343937, which is the actual hex encoded encryption key.

So, in summary, the final command is this, which gives an output of just the byte 0x70, which I assume is correct:

openssl enc -d -aes-256-cbc -K 4233373441323641373134393034333741413032344534464144443542343937 -iv 61736466673534336173646667353433 -in input.bin -out out.bin

This assumes that input.bin is the base64 decoded binary of the base64 ciphertext you provided.

Luke Joshua Park
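The key handling described in the answer, as an added example that is not part of the original post: it derives the `-K` value from the string PHP actually received and decrypts PHP's base64 output directly. The function names are hypothetical, and it assumes `openssl`, `od` and `tr` are on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names are hypothetical.

# Key string and IV exactly as they appear in the question's PHP function.
PHP_KEY='B374A26A71490437AA024E4FADD5B497FDFF1A8EA6FF12F6FB65AF2720B59CCF'
IV_HEX='61736466673534336173646667353433'

# openssl_encrypt() treats $key as raw bytes and, for AES-256, uses only the
# first 32 of them. Given a 64-character hex string it therefore keys on the
# first 32 ASCII characters. Print those bytes as hex, the form -K expects.
php_effective_key_hex() {
    printf '%.32s' "$1" | od -An -v -tx1 | tr -d ' \t\n'
}

# Decrypt the base64 text returned by the PHP function.
# Args: base64 ciphertext, key string as passed to PHP, IV in hex.
decrypt_php_output() {
    printf '%s\n' "$1" |
        openssl enc -d -aes-256-cbc -a -A \
            -K "$(php_effective_key_hex "$2")" -iv "$3"
}

# Encrypt the way the PHP function does (same key treatment, base64 output),
# so the pair can be checked with a round trip.
encrypt_like_php() {
    printf '%s' "$1" |
        openssl enc -aes-256-cbc -a -A \
            -K "$(php_effective_key_hex "$2")" -iv "$3"
}

# Usage: sh php_decrypt.sh '<base64 string returned by PHP>'
if [ "$#" -eq 1 ]; then
    decrypt_php_output "$1" "$PHP_KEY" "$IV_HEX"
fi
```

Passing `hex2bin($key)` in the PHP function instead would let the original 64-digit value be given to `-K` unchanged, and would use all 256 bits of key material rather than the 128 bits carried by 32 hex characters.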