
GaneshT.38743 (Customer) asked a question.
We are trying to get the encrypted text using Okta Workflows with a secret key, AES-256-CBC/SHA-256. We are trying to decrypt the text using the same secret key in a Java application. We are unable to decrypt. Kindly help us find what the default padding being added by Okta Workflows is:
Cipher text: SKhKshDHNA59XOJfzKkmRA==
Key: y/b+Oe0wP0RWWiLDdBkGjF6LA362SnpQaxeNlCuCask=
javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
at javax.crypto.Cipher.doFinal(Cipher.java:2168)
at com.mulesoft.tools.secureproperties.Aes.decrypt(Aes.java:120)
at com.mulesoft.tools.secureproperties.Aes.main(Aes.java:69)

Hi @GaneshT.38743 (Customer) , Thank you for reaching out to the Okta Community!
I've checked with our Workflows resources and this matter requires an in-depth investigation.
Please open a case to work with one of our Support Engineers.
Hope my answer helps!
@GaneshT.38743 (Customer)
This should help:
If I encrypt a UTF8 value in Workflows using aes-256-cbc (password=myPass in this example) I can decrypt it in openSSL using the following:
openssl enc -d -nosalt -aes-256-cbc -k myPass -a -A -in WF_Encrypted.data -out UnencryptedTestData.txt
We just tried the same way you mentioned. Unfortunately, we are unable to decrypt with the openssl command.
openssl enc -d -nosalt -aes-256-cbc -k FCEC262B1B54141512E8B06F8E58D98B086EC518BDB2B6B0D669634E4A8DFA84 -a -A -in cipher.txt -out decrypt.txt
bad decrypt
8645024576:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/AppleInternal/Library/BuildRoots/97f6331a-ba75-11ed-a4bc-863efbbaf80d/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/evp/evp_enc.c:549:
@GaneshT.38743 (Customer) - Looks like something changed from the last time I messed around with this a few months ago and now. I located the exact files I used in testing which were successful then which are now failing. I don't know if the change is on the Workflows or openSSL side. I'll do some digging and see if I can find some more info.
Following up to close the loop.
After a significant amount of investigation it appears this process is not currently possible. This is due to IV generation happening prior to openSSL and no means to replicate this generation outside of Workflows.
It is possible/probable this will be addressed in the future.
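As an added example (not code from this thread, from Okta Workflows or from OpenSSL), the following Python script pulls together the three things the thread touches: the PKCS#7 padding check behind Java's "Given final block not properly padded" (the padding scheme Java calls PKCS5Padding for AES/CBC), the key/IV derivation that `openssl enc -k <password>` performs (EVP_BytesToKey; by contrast `-K` and `-iv` take a raw hex key and IV), and what a wrong IV does to CBC decryption. The ciphertext in the question is a single 16-byte block, so a wrong IV corrupts the only block, padding bytes included, and the padding check will almost always fail even with the right key; for a longer message a wrong IV garbles only the first block and the padding check passes. The block function is pluggable: `toy_block_fns` is a labelled XOR stand-in so the script runs with the standard library alone, and `aes_block_fns` swaps in real AES and assumes the third-party `cryptography` package is installed. The base64 ciphertext and key are the ones posted above; every other value is constructed for the demonstration.

```python
"""Diagnosing an AES-256-CBC "bad padding" failure: PKCS#7, EVP_BytesToKey, and CBC IV effects."""
import hashlib
from base64 import b64decode

BLOCK = 16  # AES block size in bytes

# Values copied from the question above (base64).
CIPHER_B64 = "SKhKshDHNA59XOJfzKkmRA=="
KEY_B64 = "y/b+Oe0wP0RWWiLDdBkGjF6LA362SnpQaxeNlCuCask="


def evp_bytes_to_key(password: bytes, salt: bytes = b"", key_len: int = 32,
                     iv_len: int = 16, digest: str = "sha256"):
    """Replicates OpenSSL's EVP_BytesToKey with count=1, the derivation used by
    `openssl enc -k <password>`: D1 = H(pw||salt), Di = H(D(i-1)||pw||salt),
    key||iv = D1||D2||...  OpenSSL >= 1.1.0 defaults to sha256; older releases
    used md5 (pass digest="md5" to match them). With -nosalt the salt is empty."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strict PKCS#7 check; the same rule Java applies before BadPaddingException."""
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Given final block not properly padded")
    return data[:-n]


def cbc_encrypt(enc_block, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CBC: C_i = E(P_i xor C_(i-1)), with C_0 = IV."""
    padded = pkcs7_pad(plaintext)
    out, prev = bytearray(), iv
    for i in range(0, len(padded), BLOCK):
        prev = enc_block(bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)


def cbc_decrypt(dec_block, iv: bytes, ciphertext: bytes) -> bytes:
    """Generic CBC: P_i = D(C_i) xor C_(i-1); only P_1 depends on the IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(dec_block(block), prev))
        prev = block
    return pkcs7_unpad(bytes(out))


def toy_block_fns(key: bytes):
    """Stand-in block function (XOR with a 16-byte key). NOT a cipher; it only
    lets the chaining and padding behaviour run without third-party packages."""
    def xor(block: bytes) -> bytes:
        return bytes(x ^ k for x, k in zip(block, key))
    return xor, xor


def aes_block_fns(key: bytes):
    """Real single-block AES via the 'cryptography' package (assumed installed);
    one ECB block is exactly the block function that CBC chains."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    cipher = Cipher(algorithms.AES(key), modes.ECB())

    def enc(block: bytes) -> bytes:
        e = cipher.encryptor()
        return e.update(block) + e.finalize()

    def dec(block: bytes) -> bytes:
        d = cipher.decryptor()
        return d.update(block) + d.finalize()
    return enc, dec


def describe_inputs(cipher_b64: str, key_b64: str) -> dict:
    """Sanity-check the posted values: a 32-byte decoded key is a raw AES-256 key
    (openssl -K / Java SecretKeySpec), not a password for -k."""
    ct, key = b64decode(cipher_b64), b64decode(key_b64)
    return {"ciphertext_bytes": len(ct), "blocks": len(ct) // BLOCK,
            "key_bytes": len(key), "raw_aes_key_length": len(key) in (16, 24, 32)}


def wrong_iv_effect(plaintext: bytes, key: bytes, iv: bytes, wrong_iv: bytes,
                    block_fns=toy_block_fns) -> str:
    """Encrypt with iv, decrypt with wrong_iv, and classify the outcome."""
    enc, dec = block_fns(key)
    ct = cbc_encrypt(enc, iv, plaintext)
    try:
        pt = cbc_decrypt(dec, wrong_iv, ct)
    except ValueError:
        return "padding error"
    if pt[:BLOCK] != plaintext[:BLOCK] and pt[BLOCK:] == plaintext[BLOCK:]:
        return "first block garbled"
    return "unexpected"


if __name__ == "__main__":
    print(describe_inputs(CIPHER_B64, KEY_B64))
    k, iv = evp_bytes_to_key(b"myPass")  # what `openssl enc -k myPass -nosalt` derives
    print("derived key:", k.hex(), "iv:", iv.hex())
    key, good_iv, bad_iv = bytes(range(16)), b"\x00" * 16, b"\xff" * 16  # constructed
    print("one block, wrong IV :", wrong_iv_effect(b"hi", key, good_iv, bad_iv))
    print("three blocks, wrong IV:", wrong_iv_effect(b"x" * 40, key, good_iv, bad_iv))
```

To try the real cipher, call `wrong_iv_effect(..., block_fns=aes_block_fns)` with a 32-byte key; the outcomes are the same, because the IV dependence comes from the CBC chaining, not from the block cipher.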