Hey Gang,
WARNING: Crypto deep dive in progress…
I’ve been playing a bit more with the encrypt() and decrypt()
functionality within CFML recently and I’ve managed to get every single
permutation of the available transformations in v7/v8 of Java working with
two exceptions… GCM (in v7/v8 Java) and CCM (in v8 Java) block modes.
I’ve banged my head on this for a few days now - mostly as an exercise in
self-abuse but also to see how well integrated the JCA/JCE is with CFML.
I’ve done a ton of research and was able to get GCM working in pure Java
no problem. The only difference I think I’ve found between what CFML is
doing for the Initialization Vector (IV) and what I did is all in the spec
that’s used. For GCM it appears one must use GCMParameterSpec whereas
everything else uses IvParameterSpec, and in both 4.5 and 5 source code
(e.g. Lucee/Cryptor.java at master · lucee/Lucee · GitHub)
I see only IvParameterSpec is being used for all permutations.
So, I guess my question is… would it be feasible/desirable to file an
ER to check for a GCM transformation and instead call the GCMParameterSpec
needed, and would this allow GCM to be used as a viable transformation with
encrypt() and decrypt()? I ask merely because GCM seems to be the faster
and more secure of the available options in Java (without license issues,
anyway) and I would love to be able to use it. I noted in v8 they also
introduced CCM (CBC + message auth) block mode. Though I haven’t gone down
the rabbit hole on that one yet, I expect the problem using it would be the
same - I see a few mentions of CCMParameterSpec in Google searches, but
again, I haven’t dived into that one.
Anyone else played with the GCM or CCM block mode transformations and
come up with a workable solution, or am I on the right track here that the
GCMParameterSpec would need to be used under the hood, as it were, for the
GCM transformations to work?
I guess this question is mainly for the Lucee devs, but I’m open to
hearing anyone else’s experiences.
TEST CASE:
encrypt( 'test', generateSecretKey('AES'), 'AES/GCM/NoPadding', 'HEX', binaryDecode( left( hash( 'initvector' ), 16 ), 'hex' ) );
RESULT:
java.security.InvalidAlgorithmParameterException
Note that I get the same exception in Java when using IvParameterSpec
instead of GCMParameterSpec with the GCM transformation.
– Denny
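
The spec selection the post asks about, sketched in plain Java as an added example (not code from the original post or from Lucee). The class name and the `specFor` and `run` helpers are hypothetical, and the 128-bit tag and random 12-byte IV are assumed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

public class GcmSpecDemo {
    static final int GCM_TAG_BITS = 128; // assumed tag length; the largest GCM allows

    // Hypothetical helper: choose the spec class from the transformation's mode field.
    static AlgorithmParameterSpec specFor(String transformation, byte[] iv) {
        String[] parts = transformation.split("/");
        boolean gcm = parts.length > 1 && parts[1].equalsIgnoreCase("GCM");
        return gcm ? new GCMParameterSpec(GCM_TAG_BITS, iv) : new IvParameterSpec(iv);
    }

    static byte[] run(int mode, String transformation, SecretKey key, byte[] iv, byte[] in)
            throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        c.init(mode, key, specFor(transformation, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        SecureRandom rng = new SecureRandom();
        // GCM: 12-byte IV, generated fresh for every message under the same key.
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        String t = "AES/GCM/NoPadding";
        byte[] ct = run(Cipher.ENCRYPT_MODE, t, key, iv, "test".getBytes(StandardCharsets.UTF_8));
        byte[] pt = run(Cipher.DECRYPT_MODE, t, key, iv, ct);
        System.out.println("GCM round trip: " + new String(pt, StandardCharsets.UTF_8));
        // Same transformation with IvParameterSpec: init() rejects the spec.
        try {
            Cipher.getInstance(t).init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("IvParameterSpec rejected: " + e.getMessage());
        }
        // A non-GCM mode still takes IvParameterSpec (16-byte IV for AES/CBC).
        byte[] cbcIv = new byte[16];
        rng.nextBytes(cbcIv);
        run(Cipher.ENCRYPT_MODE, "AES/CBC/PKCS5Padding", key, cbcIv, new byte[] {1, 2, 3});
    }
}
```

The GCM ciphertext returned by `doFinal` includes the authentication tag at the end, so it is 16 bytes longer than the plaintext.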