
The Salesforce developer has encrypted a string, e.g. 0050000162, in Salesforce using encryptWithManagedIV with a key that he has shared with me, using AES-256 CBC, and passed it along in a URL, e.g. https://a.domain.com/vEmJWoxXyhfTDSrRstf1NYpIB+s5LObcstvFVTUAcb8=

I have tried to decrypt it as such:

```php
openssl_decrypt("vEmJWoxXyhfTDSrRstf1NYpIB+s5LObcstvFVTUAcb8=", "aes-256-cbc", SHARED_CRYPT_KEY);
```

and also:

```php
openssl_decrypt(urldecode("vEmJWoxXyhfTDSrRstf1NYpIB+s5LObcstvFVTUAcb8="), "aes-256-cbc", SHARED_CRYPT_KEY);
```

and:

```php
openssl_decrypt(base64url_decode("vEmJWoxXyhfTDSrRstf1NYpIB+s5LObcstvFVTUAcb8="), "aes-256-cbc", SHARED_CRYPT_KEY);

// Decode base64url (RFC 4648 §5) by mapping '-' and '_' back to '+' and '/'.
function base64url_decode($base64url)
{
    $base64 = strtr($base64url, '-_', '+/');
    $plainText = base64_decode($base64);
    return ($plainText);
}
```

The other developer has been able to decrypt it in Salesforce with the code below:

```apex
Blob bEncryptKey = Blob.valueOf(encryptKey);
Blob bDataToEncrypt = EncodingUtil.base64Decode(quoteNumberEncrypted);
Blob decrypted = Crypto.decryptWithManagedIV('AES256', bEncryptKey, bDataToEncrypt);
sQuoteNumberEncrypted = decrypted.toString();
```

What am I missing?

Thanks

Frank

  • You need to remove IV from the binary blob and pass the remaining blob and extracted IV to openssl_decrypt - translate [this example](https://salesforce.stackexchange.com/questions/271648/encrypting-and-or-decrypting-ciphertext-with-the-provided-initialization-vector/) to PHP. You will also need to deal with padding. Salesforce uses PKCS7 padding and so does [openssl](https://stackoverflow.com/questions/56165071/php-mcrypt-to-openssl-bf-cbc-how-to-get-the-same-encrypted-value/) by default, you'll need to make sure the data blob will remain correctly padded after you break out the IV. – identigral May 03 '21 at 03:17
  • Not sure what you mean. I am being sent an encrypted string via URL that was encrypted in Salesforce with encryptWithManagedIV. Not sure if you're telling me to tell the Salesforce developer to do something or your instructions are for me in PHP. – Franck May 03 '21 at 14:13
  • Instructions are for you in PHP – identigral May 03 '21 at 14:28
  • Can you clarify this: "you'll need to make sure the data blob will remain correctly padded after you break out the IV"? Here is what I got so far: ``` $uuid = "vEmJWoxXyhfTDSrRstf1NYpIB+s5LObcstvFVTUAcb8="; $encodedCipherTextAndIV = bin2hex($uuid); $encodedCiphertext = substr($encodedCipherTextAndIV, 32); $encodedIV = substr($encodedCipherTextAndIV, 0, 32); $ciphertext = hex2bin($encodedCiphertext); $IV = hex2bin($encodedIV); var_dump( openssl_decrypt($ciphertext, QUOTE_CRYPT_CIPHER, QUOTE_CRYPT_KEY, 0, $IV) ); ``` It outputs false. – Franck May 03 '21 at 15:20
  • You'll have to play with padding based on the referenced answer above and make sure the padding from Salesforce matches the padding in your deconstructed blobs – identigral May 03 '21 at 16:18
  • ...and the padding in deconstructed blobs matches padding expected by openssl_decrypt – identigral May 03 '21 at 16:37

0 Answers
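Putting identigral's comments together as runnable PHP (an added example written for this page, not code from the question, its commenters or Salesforce): base64-decode the whole blob, take the first 16 bytes as the IV, hand the remaining bytes to openssl_decrypt with OPENSSL_RAW_DATA and the IV, and let OpenSSL remove the PKCS#7 padding. The function names, the 32-byte demo key and the sample quote number are assumptions made for the example; sf_encrypt_managed_iv is a local stand-in for Salesforce's encryptWithManagedIV so the example can round-trip without a Salesforce org.

```php
<?php
// Added example for this page, not code from the question, the comments or Salesforce.
// Crypto.encryptWithManagedIV('AES256', key, data) returns
//   base64( IV (16 random bytes) || AES-256-CBC( PKCS#7-padded data ) )
declare(strict_types=1);

const SF_IV_LEN  = 16; // AES block size; the managed IV is always 16 bytes
const SF_KEY_LEN = 32; // AES-256 key size; Blob.valueOf(key) is the raw bytes of the key string

/**
 * Decrypt a blob produced by Salesforce Crypto.encryptWithManagedIV('AES256', ...).
 * Returns the plaintext, or null when the blob is malformed or the padding check
 * fails (openssl_decrypt returns false in that case).
 */
function sf_decrypt_managed_iv(string $b64Blob, string $key): ?string
{
    if (strlen($key) !== SF_KEY_LEN) {
        // PHP would silently NUL-pad or truncate a wrong-length key; Salesforce rejects it.
        throw new InvalidArgumentException('AES-256 key must be exactly 32 bytes');
    }
    // Strict decode; also accept base64url in case the sender swapped '+' and '/'.
    $raw = base64_decode(strtr($b64Blob, '-_', '+/'), true);
    if ($raw === false
        || strlen($raw) < SF_IV_LEN + 16            // need the IV plus at least one block
        || (strlen($raw) - SF_IV_LEN) % 16 !== 0) { // CBC ciphertext is whole blocks
        return null;
    }
    $iv         = substr($raw, 0, SF_IV_LEN); // first 16 bytes: the managed IV
    $ciphertext = substr($raw, SF_IV_LEN);    // the rest: ciphertext, padding still inside
    // OPENSSL_RAW_DATA: the input is binary, not base64. OpenSSL strips the PKCS#7 padding.
    $plain = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

/**
 * Local stand-in for Salesforce encryptWithManagedIV('AES256', ...), used only so the
 * example round-trips offline: random IV, AES-256-CBC with PKCS#7, IV prepended.
 */
function sf_encrypt_managed_iv(string $plaintext, string $key): string
{
    if (strlen($key) !== SF_KEY_LEN) {
        throw new InvalidArgumentException('AES-256 key must be exactly 32 bytes');
    }
    $iv = random_bytes(SF_IV_LEN);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

// Constructed demo inputs (not the real shared key): a 32-byte key and a quote
// number shaped like the one in the question.
$key   = 'constructed-32-byte-demo-key-001';
$quote = '0050000162';

$blob = sf_encrypt_managed_iv($quote, $key); // what the URL would carry
$back = sf_decrypt_managed_iv($blob, $key);
printf("blob=%s\nplain=%s\n", $blob, var_export($back, true));
if ($back !== $quote) {
    throw new RuntimeException('round trip failed');
}

// Wrong key: the padding check usually fails and null comes back, but CBC carries no
// integrity check, so roughly 1 in 256 wrong keys (or tampered blobs) pass and yield garbage.
$wrongKey = 'constructed-32-byte-demo-key-002';
var_dump(sf_decrypt_managed_iv($blob, $wrongKey));

// For the real value from the question, with the key the Salesforce developer shared:
// $plain = sf_decrypt_managed_iv('vEmJWoxXyhfTDSrRstf1NYpIB+s5LObcstvFVTUAcb8=', SHARED_CRYPT_KEY);
```

This also shows why the attempts in the question return false: the first two pass the whole 32-byte blob as ciphertext with no IV, so OpenSSL decrypts with an all-zero IV and treats the IV block as the first ciphertext block, and the last one (like the hex variant in the comments) hands binary bytes to openssl_decrypt with options 0, which makes it expect base64 input. Two checks worth adding around this: if the blob arrives in a query string rather than the path, PHP's $_GET decoding turns the '+' in the base64 into a space, so read it from the raw query string or reverse that before decoding; and because AES-CBC without a MAC is malleable and a wrong key only usually fails, validate the decrypted value (digits only, expected length) before using it as a record lookup.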