Details

    • Type: Bug Bug
    • Status: Resolved Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: JRuby 1.7.0.RC2
    • Fix Version/s: JRuby 1.7.2, JRuby-OSSL 0.8.1
    • Component/s: OpenSSL
    • Labels:
      None
    • Environment:
      jruby 1.7.0.RC2 (1.9.3p203) 2012-10-17 10a52b3 on Java HotSpot(TM) 64-Bit Server VM 1.7.0_07-b10 [darwin-x86_64]
    • Number of attachments :
      0

      Description

      I am hunting down a problem with the multipass gem that started appearing when we switched to jruby. I have narrowed down the problem to jruby generating encrypted data that another openssl implementation (such as MRI Ruby) is unable to decrypt.

      See my session below. I encrypt a message in jruby and then successfully decrypt it in jruby. But I am unable to decrypt it in MRI Ruby.

      $ rvm use jruby-head
      Using /Users/tim/.rvm/gems/jruby-head
      $ ruby --version
      jruby 1.7.0.RC2 (1.9.3p203) 2012-10-17 10a52b3 on Java HotSpot(TM) 64-Bit Server VM 1.7.0_07-b10 [darwin-x86_64]
      $ irb
      jruby-1.7.0.RC2 :006 > c = OpenSSL::Cipher::Cipher.new('aes-128-cbc')
       => #<OpenSSL::Cipher::Cipher:0x23a86a12> 
      jruby-1.7.0.RC2 :007 > c.encrypt
       => #<OpenSSL::Cipher::Cipher:0x23a86a12> 
      jruby-1.7.0.RC2 :008 > c.key = '1234567890123456'
       => "1234567890123456" 
      jruby-1.7.0.RC2 :009 > c.padding = 1
       => 1 
      jruby-1.7.0.RC2 :010 > encrypted = c.update('secret message') + c.final
       => "\xB4\x15\xE0`\xAC^\xBDq~b.\x96\xB3\xCB$\xD1" 
      jruby-1.7.0.RC2 :011 > require 'base64'
       => false 
      jruby-1.7.0.RC2 :012 > encoded = Base64.encode64 encrypted
       => "tBXgYKxevXF+Yi6Ws8sk0Q==\n" 
      jruby-1.7.0.RC2 :013 > decoded = Base64.decode64 encoded
       => "\xB4\x15\xE0`\xAC^\xBDq~b.\x96\xB3\xCB$\xD1" 
      jruby-1.7.0.RC2 :015 > c2 = OpenSSL::Cipher::Cipher.new('aes-128-cbc')
       => #<OpenSSL::Cipher::Cipher:0x73607ba9> 
      jruby-1.7.0.RC2 :016 > c2.decrypt
       => #<OpenSSL::Cipher::Cipher:0x73607ba9> 
      jruby-1.7.0.RC2 :017 > c2.key = '1234567890123456'
       => "1234567890123456" 
      jruby-1.7.0.RC2 :018 > c.padding = 1
       => 1 
      jruby-1.7.0.RC2 :019 > c2.padding = 1
       => 1 
      jruby-1.7.0.RC2 :020 > decrypted = c2.update(decoded) + c2.final
       => "secret message" 
      jruby-1.7.0.RC2 :021 > 
      
      $ rvm use ruby-1.9.3-p194
      Using /Users/tim/.rvm/gems/ruby-1.9.3-p194
      $ ruby --version
      ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-darwin11.3.0]
      $ irb
      1.9.3p194 :001 > require 'openssl'
       => true 
      1.9.3p194 :002 > require 'base64'
       => true 
      1.9.3p194 :003 > decoded = Base64.decode64 "tBXgYKxevXF+Yi6Ws8sk0Q==\n"
       => "\xB4\x15\xE0`\xAC^\xBDq~b.\x96\xB3\xCB$\xD1" 
      1.9.3p194 :004 > c2 = OpenSSL::Cipher::Cipher.new('aes-128-cbc')
       => #<OpenSSL::Cipher::Cipher:0x007f9843803fa8> 
      1.9.3p194 :005 > c2.decrypt
       => #<OpenSSL::Cipher::Cipher:0x007f9843803fa8> 
      1.9.3p194 :006 > c2.key = '1234567890123456'
       => "1234567890123456" 
      1.9.3p194 :007 > c2.padding = 1
       => 1 
      1.9.3p194 :008 > c2.update(decoded) + c2.final
      OpenSSL::Cipher::CipherError: bad decrypt
      	from (irb):8:in `final'
      	from (irb):8
      	from /Users/tim/.rvm/rubies/ruby-1.9.3-p194/bin/irb:16:in `<main>'
      1.9.3p194 :009 > 
      

        Activity

        Hide
        Charles Oliver Nutter added a comment -

        Hmm...so who is right? I'm inclined to say MRI, but this should be straightforward.

        Show
        Charles Oliver Nutter added a comment - Hmm...so who is right? I'm inclined to say MRI, but this should be straightforward.
        Hide
        Charles Oliver Nutter added a comment -

        It looks like it's an iv issue. After reading http://stackoverflow.com/questions/8330364/problems-encoding-decoding-using-aes-128-cbc I added lines to set iv for the cipher to a specific value, rather than going with defaults. The resulting encrypted output started to match after that:

        system ~/projects/jruby $ ruby-1.9.3 crypt.rb 
        message: secret message
        encrypted: "\x13[\xA59>\x1EqV&\xEC\x16\xD3V\xFE)="
        encoded: "E1ulOT4ecVYm7BbTVv4pPQ==\n"
        decoded: "\x13[\xA59>\x1EqV&\xEC\x16\xD3V\xFE)="
        decrypted: secret message
        
        system ~/projects/jruby $ jruby crypt.rb 
        cipher: aes/cbc/PKCS5Padding
        cipher: AES/CBC/PKCS5Padding
        message: secret message
        encrypted: "\x13[\xA59>\x1EqV&\xEC\x16\xD3V\xFE)="
        encoded: "E1ulOT4ecVYm7BbTVv4pPQ==\n"
        decoded: "\x13[\xA59>\x1EqV&\xEC\x16\xD3V\xFE)="
        cipher: aes/cbc/PKCS5Padding
        cipher: AES/CBC/PKCS5Padding
        cipher: AES/CBC/PKCS5Padding
        decrypted: secret message
        

        I'll look into default iv and see if there's something we should be doing differently.

        Show
        Charles Oliver Nutter added a comment - It looks like it's an iv issue. After reading http://stackoverflow.com/questions/8330364/problems-encoding-decoding-using-aes-128-cbc I added lines to set iv for the cipher to a specific value, rather than going with defaults. The resulting encrypted output started to match after that: system ~/projects/jruby $ ruby-1.9.3 crypt.rb message: secret message encrypted: "\x13[\xA59>\x1EqV&\xEC\x16\xD3V\xFE)=" encoded: "E1ulOT4ecVYm7BbTVv4pPQ==\n" decoded: "\x13[\xA59>\x1EqV&\xEC\x16\xD3V\xFE)=" decrypted: secret message system ~/projects/jruby $ jruby crypt.rb cipher: aes/cbc/PKCS5Padding cipher: AES/CBC/PKCS5Padding message: secret message encrypted: "\x13[\xA59>\x1EqV&\xEC\x16\xD3V\xFE)=" encoded: "E1ulOT4ecVYm7BbTVv4pPQ==\n" decoded: "\x13[\xA59>\x1EqV&\xEC\x16\xD3V\xFE)=" cipher: aes/cbc/PKCS5Padding cipher: AES/CBC/PKCS5Padding cipher: AES/CBC/PKCS5Padding decrypted: secret message I'll look into default iv and see if there's something we should be doing differently.
        Hide
        Charles Oliver Nutter added a comment -

        As far as I can tell, we are setting up initial IV the same way as MRI.

        Show
        Charles Oliver Nutter added a comment - As far as I can tell, we are setting up initial IV the same way as MRI.
        Hide
        Charles Oliver Nutter added a comment -

        I think this should do it. Please confirm as well as possible.

        commit 7f2a1414de0a7878e63417d5e724633f839489d6
        Author: Charles Oliver Nutter <headius@headius.com>
        Date:   Tue Dec 4 11:43:30 2012 -0600
        
            Fix JRUBY-6951
            
            Unable to encrypt data and then decrypt it in MRI Ruby
            
            It appears that we were not setting up the initial IV properly. In
            MRI, if you specify parameters to #encrypt, it will initialize IV
            using a substring of "OpenSSL for Ruby rulez!". We had two issues:
            
            1. In some places, we used "OpenSSL for JRuby rulez!"
            2. If the initialization did not happen in #encrypt, we tried
            again to do it on first update.
            
            My fix was to use a blank IV (all zeros) if none is set up in
            does not appear to break any other tests we run.
        
        :100644 100644 dafe964... 2f07b52... M	src/org/jruby/ext/openssl/Cipher.java
        
        Show
        Charles Oliver Nutter added a comment - I think this should do it. Please confirm as well as possible. commit 7f2a1414de0a7878e63417d5e724633f839489d6 Author: Charles Oliver Nutter <headius@headius.com> Date: Tue Dec 4 11:43:30 2012 -0600 Fix JRUBY-6951 Unable to encrypt data and then decrypt it in MRI Ruby It appears that we were not setting up the initial IV properly. In MRI, if you specify parameters to #encrypt, it will initialize IV using a substring of "OpenSSL for Ruby rulez!". We had two issues: 1. In some places, we used "OpenSSL for JRuby rulez!" 2. If the initialization did not happen in #encrypt, we tried again to do it on first update. My fix was to use a blank IV (all zeros) if none is set up in does not appear to break any other tests we run. :100644 100644 dafe964... 2f07b52... M src/org/jruby/ext/openssl/Cipher.java
        Hide
        Tim Olsen added a comment -

        Confirmed. The fix works for me.

        Show
        Tim Olsen added a comment - Confirmed. The fix works for me.

          People

          • Assignee:
            Charles Oliver Nutter
            Reporter:
            Tim Olsen
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: