
I am trying to decipher an AES-256-CBC encrypted string using OpenSSL. My encrypted string is encrypted using the C# code mentioned here (OpenSSL encryption using .NET classes).

I first tried decrypting using the following openssl command:

openssl enc -d -base64 -aes-256-cbc -md md5 -pass pass:mypass -in my_file.sh_enc -out myfile.sh

but this command returns the error

error reading input file

so instead of -base64 I tried using -A as well as -a, but both commands return bad magic number.

I searched for a while and found that I need to decode the base64 string first and then decrypt. So I ran the command

base64 -d my_file.sh_enc | openssl enc -d -aes-256-cbc -md md5 -pass pass:mypass -out myfile.sh

This command worked perfectly when executed as such from the terminal (Ubuntu 20.04).

But when I add the same command to a .sh bash script, I get this error:

WARNING:deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140285552608576:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:

I tried storing the base64 result in a temp file and then passing the temp file to OpenSSL as the -in arg, but I'm still facing the same issue. Can anyone please help me understand this and also provide a solution on how to tackle it?

(Please forgive me if my explanation is not proper. Please leave a comment and I'll try to elaborate on what is not understood.)

Update 1: Below is my bash file (screenshot: "My bash script")

Mike Ross
  • Did you copy-paste the exact command that worked in the shell into the script, or did you make some minor modifications to it (e.g. putting the filename or password in a variable)? How did you run the script? – that other guy Dec 14 '21 at 19:24
  • I stored my password in a variable as pass="mypass" and used **-pass pass:$pass** in the command. Other than that, I did not make any changes. @thatotherguy – Mike Ross Dec 14 '21 at 19:58
  • Do a `which openssl` from the terminal and write a bash script which executes `which openssl` and make sure they match. – Vercingatorix Dec 14 '21 at 20:16
  • @Vercingatorix They do match. Both point to /usr/bin/openssl. I tried `whereis` also, and they match too. – Mike Ross Dec 14 '21 at 20:28
  • Hmm. Puzzling. Only remaining thing I can think of is use `#!/bin/bash -x` and see what it prints out. I don't see how that would clarify anything, but it's worth a shot. – Vercingatorix Dec 14 '21 at 20:33
  • @Vercingatorix Still the same. I assume you are referring to the bash header; I added **-x** but still get the same error. I get the warning and the same bad decrypt. By the way, what is the difference between `#!/bin/bash` and `#!/bin/bash -x`? Just curious. – Mike Ross Dec 14 '21 at 20:37
  • `-x` tells it to echo the commands. It will give you the same error, but you can see what command it is trying to run. Do you have `OPENSSL_CONF` set at all? – Vercingatorix Dec 14 '21 at 20:38
  • @Vercingatorix do I have to do something different with the piping? Like ``variable=echo `...` `` as in, ``variable=echo `base64 -d my_file.sh_enc | openssl enc -d -aes-256-cbc -md md5 -pass pass:mypass -out myfile.sh` `` – Mike Ross Dec 14 '21 at 20:39
  • @MikeRoss No, you don't have to do that. – Vercingatorix Dec 14 '21 at 20:42
  • @Vercingatorix I did not get any difference in output with -x and without. {thinking} I did not explicitly set any OPENSSL_CONF. How do I do that, and if possible can you refer me to some link? I'm new to using OpenSSL and I'm not sure if I have to set any env variables or conf. – Mike Ross Dec 14 '21 at 20:42
  • @MikeRoss You shouldn't need an `OPENSSL_CONF` but if you have one defined in `.profile` or something and it's necessary, trying to invoke OpenSSL in a script may get fouled up. Do an `echo ${OPENSSL_CONF}` from your terminal and see if anything comes out. – Vercingatorix Dec 14 '21 at 20:50
  • @Vercingatorix as far as I know I haven't added anything specific to conf, and nothing comes up in the `echo ${OPENSSL_CONF}` command either. Just an empty line. – Mike Ross Dec 14 '21 at 20:53

1 Answer

Your password is not getting passed correctly. Put pass:$pass in double quotes. You may need to escape it for the shell. Double any backslashes, and put a backslash before any $.

This is how I know:

$ echo Hello, world | openssl enc -e -a -aes-256-cbc -md md5 -pass pass:foo -out /tmp/enc
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
$ openssl enc -d -a -aes-256-cbc -md md5 -pass pass:foo -in /tmp/enc
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
Hello, world
$ openssl enc -d -a -aes-256-cbc -md md5 -pass pass:foof -in /tmp/enc
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140045393098112:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
Vercingatorix
  • Yes, this was the issue. The password was the culprit, and after properly using the password with quotes and escaping the output file path, the command works fine. Thank you so much for the help. Been stuck on such a common mistake all day. Saved me so much trouble. Much appreciated @Vercingatorix – Mike Ross Dec 14 '21 at 21:06
  • @MikeRoss Glad I could help. OpenSSL could use more user-friendly error messages, eh? – Vercingatorix Dec 14 '21 at 21:07
  • @Vercingatorix Absolutely. Uff!! Why does it have to be so cryptic? Maybe because of the cryptography, I don't know :p Thanks for your help in trying it out for me. I'm actually upgrading one of my applications from using AES-128-CBC to 256 bit, which serves as a bridge between a local server and a cron script. And I'm now ready to test its cases thanks to you. :) – Mike Ross Dec 14 '21 at 21:23
  • In the beginning, the `openssl` command line program was only meant for use as a testing/debugging tool. It was never meant for production use. – President James K. Polk Dec 15 '21 at 13:28
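An added example, not code from the question, the answer or the OpenSSL project, that reproduces both the failure described in the question and the diagnosis given in the answer without needing the original encrypted file. The passphrase 'cron $2021' is constructed to contain the two characters that cause trouble in a script (a space and a dollar sign); the first two parts use plain shell functions so they run anywhere, and the round trip at the end assumes an OpenSSL build with -pbkdf2 (1.1.1 or later) and is skipped if openssl is not installed. It also goes beyond the answer in one respect: it hands the passphrase to openssl with -pass env:NAME instead of -pass pass:..., which keeps the secret out of the process list.

```shell
#!/bin/sh
# Added example: why "-pass pass:$pass" works on the command line but fails in a
# script, and a safer way to give openssl the passphrase.
# The passphrase 'cron $2021' is a constructed value.

# 1. The assignment. Inside double quotes "$2" is the (empty) second positional
#    parameter, so the stored value silently loses the "$2". Single quotes, or a
#    backslash before the '$', keep the literal text (the answer's advice).
wrong_assignment()   { p="cron $2021"; printf '%s' "$p"; }   # gives "cron 021"
literal_assignment() { p='cron $2021'; printf '%s' "$p"; }   # gives 'cron $2021'

# 2. Argument splitting. count_args stands in for openssl and reports how many
#    arguments it received. Unquoted, $pass is word-split at the space, so openssl
#    derives the key from "cron" alone and the decryption ends in "bad decrypt".
count_args()    { echo "$#"; }
unquoted_argc() { pass='cron $2021'; count_args -pass pass:$pass; }    # 3 arguments
quoted_argc()   { pass='cron $2021'; count_args -pass "pass:$pass"; }  # 2 arguments

# 3. Passphrase source. "-pass pass:..." puts the secret in argv, readable by
#    any local user through ps(1). "-pass env:NAME" (file:PATH and fd:N also
#    exist) reads it from the environment instead. The round trip uses the
#    Salted__ container with -pbkdf2 rather than the deprecated MD5 derivation,
#    and -a for base64 armour (-A would be needed for single-line base64 input).
#    Returns 0 on success, 2 when openssl is not available, 1 on failure.
roundtrip() {
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 1
    printf 'Hello, world\n' > "$dir/plain"
    PASSPHRASE='cron $2021' openssl enc -e -aes-256-cbc -pbkdf2 -a \
        -pass env:PASSPHRASE -in "$dir/plain" -out "$dir/enc.b64" || return 1
    PASSPHRASE='cron $2021' openssl enc -d -aes-256-cbc -pbkdf2 -a \
        -pass env:PASSPHRASE -in "$dir/enc.b64" -out "$dir/out" || return 1
    [ "$(cat "$dir/plain")" = "$(cat "$dir/out")" ]; rc=$?
    rm -rf "$dir"
    return $rc
}

printf 'double-quoted assignment: [%s]\n' "$(wrong_assignment)"
printf 'single-quoted assignment: [%s]\n' "$(literal_assignment)"
printf 'argc unquoted=%s quoted=%s\n' "$(unquoted_argc)" "$(quoted_argc)"
if roundtrip; then
    echo "openssl round trip with -pass env: OK"
else
    echo "openssl round trip skipped or failed"
fi
```

Running the script with `sh -x` shows the split arguments directly, which is what the `#!/bin/bash -x` suggestion in the comments would have revealed for the original command.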