I used DataPower AES encryption method to encrypt a file (see detail below) and send the encrypted file to client. My question is how I can use a OpenSSL command to decrypt the DataPower AES encrypted file to verify if encryption work before I ask our business partner to use OpenSSL Command to decrypt it after our DataPower send the encrypted file to them.

Here are how I implement DataPower encryption using AES

1. Using following OpenSSL command to create key and IV

C:\OpenSSL>openssl enc -aes-256-cbc -k secret -P -md sha256

salt=3F5FECB253106AAB

key=EBDDCE6D1D5B911040E304C289E2981107DD52FCD41E87FC2A52C0445F2ED97F

iv =7E3517DE1AB2F826FB984FF0CA8999CA

1. Create a DataPower multiple protocol gateway SafehorizonPoller that will poll a file and then encrypt it and send to client, the encryption file encryption_service.xsl is as below

<xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:dp = "http://www.datapower.com/extensions" xmlns:tns = "http://www.nypd.org/SharedKeys" extension-element-prefixes = "dp">

<dp:input-mapping href = "store:///pkcs7-convert-input.ffd" type = "ffd"/>

<xsl:output omit-xml-declaration = "yes"/>

<xsl:template match = "/">

<xsl:variable name = "raw-data" select = "dp:decode(dp:binary-encode(/object/message/node()), 'base-64')"/>

<xsl:variable select="dp:variable('var://context/client/keyVal')" name="lookupKey"/>

<xsl:variable name = "acctkey" select = "document('local:///SharedKeys.xml')//tns:SharedKeys/tns:Accounts/tns:Account[=$lookupKey]"/>

<xsl:variable name = "keyType">

<xsl:value-of select = "string($acctkey//)"/>

</xsl:variable>

<xsl:variable name = "algorithm">

<xsl:value-of select = "$acctkey//tns:Algorithm/text()"/>

</xsl:variable>

<xsl:variable name = "sharedSecretKey">

<xsl:value-of select = "$acctkey//tns:Passphrase/text()"/>

</xsl:variable>

<xsl:variable name = "encrypted" select = "dp:encrypt-string($algorithm,concat($keyType,':',$sharedSecretKey), $raw-data)"/>

<xsl:copy-of select = "$encrypted"/>

</xsl:template>

</xsl:stylesheet>

the key configuration file SharedKeys.xml is below

<?xml version="1.0" encoding="UTF-8"?>

<tns:SharedKeys xmlns:tns = "http://www.nypd.org/SharedKeys" xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation = "http://www.nypd.org/SharedKeys SharedKeys.xsd ">

<tns:Accounts>

<tns:Account accountName = "safehorizon_encrypt" keyType = "hex">

<tns:Algorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</tns:Algorithm>

<tns:Passphrase>EBDDCE6D1D5B911040E304C289E2981107DD52FCD41E87FC2A52C0445F2ED97F</tns:Passphrase>

</tns:Account>

</tns:Accounts>

</tns:SharedKeys>

The above solution works. I could encrypt a file and decrypt a file using DataPower AES decryption method, which I implemented in a different multiple protocol gateway.

But our business partner will need to use OpenSSL command to decrypt the DataPower AES decrypted file. So I tried using follow OpenSSL command to decrypt the DataPower decrypted file as below

C:\OpenSSL>openssl aes-256-cbc -d -a -in testfile.csv.enc -out testfile.csv -K EBDDCE6D1D5B911040E304C289E2981107DD52FCD41E87FC2A52C0445F2ED97F -iv 7E3517DE1AB2F826FB984FF0CA8999CA

but I got following error

bad decrypt

15212:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:518:

I googled a lot and tried different suggestions. But I failed to make it work. What is the right OpenSSL command to decrypt it?

Thanks,

Tang

DataPower prefixes the encrypted data with the IV.

So the receiver needs to use first 128bit of message as IV, the remainder of massage as encrypted data.

You can use bash to split "file":

$ head --bytes 16 file > iv

$ tail --bytes +17 file > encMsg

$

Hi Sir,

I tried and I still got same error.

I tested like below

1. I created file TestAES.csv with content

1,2,3

4,5,6

1. Sent to DataPower service I created to encrypt with the key shown in my question. And I got the encrypted file with content

C:\OpenSSL>cat TestAES.csv.enc

34jlPrW9srlCKwGTzZZyhQ6T9Av11mTBVqM3nxJmHJw=

1. I then run the following command to get the encrypted content after removing IV

C:\OpenSSL>tail --bytes +17 TestAES.csv.enc > TestAES.csv.enc1

The TestAES.csv.enc1 has following content

C:\OpenSSL>cat TestAES.csv.enc1

zZZyhQ6T9Av11mTBVqM3nxJmHJw=

1. Then I ran the following OpenSSl command to decrypted the file TestAES.csv.enc1 and I got same error as before

C:\OpenSSL>openssl aes-256-cbc -d -a -in TestAES.csv.enc1 -out TestAES.csv.enc1.dec -K EBDDCE6D1D5B911040E304C289E2981107DD52FCD41E87FC2A52C0445F2ED97F -iv 7E3517DE1AB2F826FB984FF0CA8999CA

bad decrypt

4294956672:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:520:

but I could use DataPower decryption service to decrypt encrypted file TestAES.csv.enc

Any ideas why I could not decrypt with OpenSSL command?

Thanks,

Tang

Hi Sir,

Sorry, I realized I didn't use the prefixed IV from the encrypted file in OpenSSL command. Now I got it and convert to HEX and reran the OpenSSL command with the IV, but I still got same error

C:\OpenSSL>head --bytes 16 Testsafehorizon.csv.enc > Testsafehorizon.csv.iv

head: cannot open 'Testsafehorizon.csv.enc' for reading: No such file or directory

C:\OpenSSL>head --bytes 16 TestAES.csv.enc > TestAES.csv.enc.iv

C:\OpenSSL>cat TestAES.csv.enc.iv

34jlPrW9srlCKwGT

I converted 34jlPrW9srlCKwGT to HEX

33346a6c5072573973726c434b774754

Note: I used this tool http://string-functions.com/string-hex.aspx to convert 34jlPrW9srlCKwGT to 33346a6c5072573973726c434b774754

Then I reran the OpenSSL command

C:\OpenSSL>openssl aes-256-cbc -d -a -in TestAES.csv.enc1 -out TestAES.csv.enc1.dec -K EBDDCE6D1D5B911040E304C289E2981107DD52FCD41E87FC2A52C0445F2ED97F -iv 33346a6c5072573973726c434b774754

bad decrypt

4294956672:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:520:

Did I do it correctly?

Thanks,

Tang

Hi Sir,

If you can give a working openssl command to decrypt the DataPower AES encrypted file, that will be great. I spent a lot time and still could not make it work.

Thanks,

Tang

You need to split the binary data, bot the base64 encoded form. And you need to use the IV used by DataPower, the first 16 bytes (that is different to what you specified). I don't know how to pass binary files into OpenSSL commands, you need to find out:

$ base64 -d TestAES.csv.enc | tail --bytes +17 > TestAES.csv.enc1

$ base64 -d TestAES.csv.enc | tail --bytes 16 > TestAES.csv.iv

$ od -Ax -tx1 TestAES.csv.iv

000000 0e 93 f4 0b f5 d6 64 c1 56 a3 37 9f 12 66 1c 9c

000010

$

Hi Tangw,

I would first confirm that the encryption process is correct, I would add a new Processing Rule just for testing and add a decrypt action to it, using your favorite testing tool, copy the encrypted data and request DataPower for decrypting it.

- Don´t forget to see logs whatever the response is, sometimes there are errors even when a process seems to be successful.

-Squiroga