#1
  1. Registered User

    Coldfusion Encrypt and Decrypt AES 256


    Hello forum, I have been working on a project that encrypts a string with CF and decrypts the response from Cfhttp.FileContent. However, I am having issues using a static key to do both. Is there anyone that could possibly tell me where I am going wrong in the following script?

    FYI the keys are supposed to stay the same while encrypting and decrypting.
    Code:
    <cfif (request_method is "Post") AND (isDefined("form.saveccdetails"))>
    	<cfquery datasource="#application.dsn#" name="checkSession">
    		SELECT [webserviceID],bankname,userID,clientID,[session],[Key],IsActive
    		  ,DATEDIFF(hour, DateCreated, getDate()) as TotalHours,requestType,password,DateCreated
    		FROM webservice
    		Where Webserviceid = <cfqueryparam value="1" cfsqltype="cf_sql_numeric" />
    		AND   IsActive = <cfqueryparam value="1" cfsqltype="cf_sql_bit" />
    	</cfquery>
    	<cfset uniquerequestid = dateformat(now(),'mmddyy') & timeformat(now(),'mmss') & NumberFormat(randrange(1,9999), '00000000')>
    	<cfset TheKey = '9PZuobjN0J!a01lFeT1$$$$$$$$8tq3Z'>
    	<cfset theAlgorithm  = "AES/CBC/PKCS5Padding" />
    	<cfset theEncoding = "base64" />
    	<cfset strName = leaddetail.leadlast&','&leaddetail.leadfirst />
    	<cfset stFields ={requesttype = "eftaddonetimecompletetransaction"
    			,clientid = "XXXXXXXX"
    			,urltoredirect = "#RedirectURl#"
    			,customerid = "#leaddetail.leadid#"
    			,isdebitcardonly = "No"
    			,customername = "#strName#"
    			,customeraddress1 = "#form.billingaddress#"
    			,customercity = "#form.billingcity#"
    			,customerstate = "#form.billingstate#"
    			,customerzip = "#form.billingzip#"
    			,cardbillingaddr1 = "#form.billingaddress#"
    			,cardbillingcity = "#form.billingcity#"
    			,cardbillingstate = "#form.billingstate#"
    			,cardbillingzip = "#form.billingzip#"
    			,accounttype = "CC"
    			,name_on_card = "#form.leadname#"
    			,accountnumber = "#form.ccacctnum#"
    			,expmonth = "#Left(form.ccexpdate,2)#"
    			,expyear = "#Right(form.ccexpdate,2)#"
    			,cvvcode = "#form.ccv2#"
    			,amount = "#NumberFormat(esigninfo.esignpayamt,'9999.99')#"
    			,startdate = "#DateFormat(Now(),'YYYY-MM-DD')#"
    			,transactiontypecode = "WEB"}/>
    	<cfset theEncryptedString = encrypt(serializeJson(stFields),TheKey,theAlgorithm,theEncoding)>
    					<!--- shake hands and login to api --->
    	<cfhttp url="https://www.vancodev.com/cgi-bin/wsnvptest.vps" method="post" charset="ISO-8859-1" throwonerror="yes" result="httpResponse">
    				<!--- vanco login Variables --->
        	<cfhttpparam type="Header" name="User-Agent" value="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41">
    		<cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded" >
        	<cfhttpparam type="header" name="Accept" value="application/json" >
    				<!--- Login Credentials --->
    		<cfhttpparam type="formfield" name="nvpvar" value="''"/>
    		<cfhttpparam type="formfield" name="requesttype" value="login"/>
    		<cfhttpparam type="formfield" name="userid" value="XXXXXXXX"/>
    		<cfhttpparam type="formfield" name="password" value="XXXXXXXX"/>
    		<cfhttpparam type="formfield" name="requestid" value="#uniquerequestid#"/>
    		<cfhttpparam type="formfield" name="PostData" value="#theEncryptedString#"/>
    		<cfif isDefined('CheckSession.sessionID') AND CheckSession.sessionID NEQ ''>
    			<cfhttpparam type="formfield" name="sessionid" value="#checkSession.sessionID#"/>
    		</cfif>
    	</cfhttp>
    	<cfif checkSession.totalHours GT 23 OR checkSession.totalHours EQ ''>
    		<cfquery datasource="#application.dsn#" name="updateSession" maxrows="1">
    			UPDATE webservice
    	   			SET [session] =#thesession#
    	      		,DateCreated = GetDate()
    	 		WHERE WebserviceID = <cfqueryparam value="1" cfsqltype="cf_sql_numeric" />
    		</cfquery>
    	</cfif>
    </cfif>
  2. #2
  3. Registered User
    Also, I wanted to say that I have already enabled Unlimited Strength Cryptography in ColdFusion by replacing the 2 files from Sun.
  4. #3
  5. Moderator
    Without knowing where it's failing, it's hard to say. You've got a lot going on there. It could be as simple as the case of the keys in your structure.
  6. #4
  7. Registered User
    Yes, it seems as if I have a lot going on; however, it all works except the encryption part. When I try to encrypt with a static key sent by the third party, it seems that the key or something I am doing is wrong. I can post and get a response from the server no problem. It's just the fact that when using a static key to encrypt and decrypt is the problem. I have never had such a problem with encrypting with a static key in the past and with earlier versions of CF. Now I believe they want to use a function called GenerateKey("AES",256). But the key needs to stay the same in all instances including encrypt and decrypt. Any words of wisdom would be great. Not looking for someone to re-write the code. The code works except the decrypt and encrypt function with a static key.
  8. #5
  9. Moderator
    I would start by using cfdump to output the data you're about to encrypt, as well as the serialized JSON string, to make sure it is EXACTLY correct. One character off and the encrypted string will be incorrect. As I said, make sure the keys in the structure you're creating have the correct case, are spelled correctly, etc. I'd also make sure the key is exactly correct, that you're positive the encryption settings are correct, etc.
  10. #6
  11. Moderator
    To add, you can also create the encrypted string and compare that to a known good encrypted string, and then decrypt both of those using the same settings to confirm that you get back out the original data.
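
The round-trip check suggested in posts #5 and #6, written out as an added example (not code from the thread). The key, IV and payload are constructed sample values, and treating the UTF-8 bytes of the shared string as the AES key is an assumption about the third party's scheme.

```cfml
<cfscript>
// Constructed sample values for illustration; none of them come from the thread.
rawKey    = "0123456789abcdefghijklmnopqrstuv";   // 32 characters = 256 bits
ivHex     = "000102030405060708090a0b0c0d0e0f";   // 16-byte IV, fixed here only so runs are comparable
algorithm = "AES/CBC/PKCS5Padding";               // algorithm string used in the question
encoding  = "base64";

// Quoted struct keys keep their lower case through serializeJSON();
// unquoted keys may be serialized in upper case.
payload = serializeJSON({ "requesttype" = "login", "amount" = "10.00" });

// Assumption: the partner uses the UTF-8 bytes of the shared string as the key.
keyBytes = charsetDecode(rawKey, "utf-8");
if (arrayLen(keyBytes) != 32) {
    throw(type = "CryptoCheck",
          message = "AES-256 needs a 32-byte key, got #arrayLen(keyBytes)# bytes");
}

// encrypt() and decrypt() take the AES key as Base64 text, not as the raw string.
b64Key = binaryEncode(keyBytes, "base64");
iv     = binaryDecode(ivHex, "hex");

// Step 1 (post #5): look at exactly what is about to be encrypted.
writeDump(var = payload, label = "Plaintext JSON");

// Step 2: encrypt, then decrypt with the same key, algorithm, encoding and IV.
cipherText = encrypt(payload, b64Key, algorithm, encoding, iv);
roundTrip  = decrypt(cipherText, b64Key, algorithm, encoding, iv);
writeOutput("Round trip matches: " & yesNoFormat(compare(roundTrip, payload) == 0) & "<br>");

// Step 3 (post #6): compare with a known-good ciphertext for the same payload and IV.
knownGood = "";   // placeholder: paste a Base64 sample supplied by the third party
if (len(knownGood)) {
    writeOutput("Matches known-good: " & yesNoFormat(compare(cipherText, knownGood) == 0) & "<br>");
    writeDump(var = decrypt(knownGood, b64Key, algorithm, encoding, iv),
              label = "Known-good sample decrypted");
}
</cfscript>
```

If the round trip succeeds but the known-good comparison fails, the difference lies in the inputs (payload text, key bytes or IV) rather than in the encrypt/decrypt calls themselves.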
  12. #7
  13. Moderator
    Finally, as far as I know, "AES/CBC/PKCS5Padding" isn't a valid algorithm choice. https://wikidocs.adobe.com/wiki/disp...sionen/Encrypt
