Encrypt issue using Base64

We use a private AES key that is generated using the GenerateSecretKey() function built into Lucee.

This gives us a Base64 key that we use to encrypt emails, passwords, etc. for our homegrown CMS system using the encrypt() and decrypt() functions.

The key we use is a valid Base64 encoded string as confirmed here: Base64 Validator | Tools | Base64

We’ve had no issues with this key in prior versions of Lucee but upgrading to 5.3.9.141 breaks it.

We now get the error of “invalid character [=] in base64 string at position [23]”

Not sure why this key would now be seen as an invalid base64 string?

We have passwords in our database that can’t be decrypted now because of this so we have to roll back to a prior version to decrypt.

Could this be a bug in the newest version of Lucee or is something else going on here?

I did see this post: [LDEV-3034] - Lucee

Stack…

Windows 2019 Server
Apache Tomcat/9.0.40
Java 11.0.11 (AdoptOpenJDK) 64bit
Lucee Version 5.3.8.201 vs 5.3.9.141

Kudos: the reason this came about was that we were upgrading to include .webp in our CMS, and upgrading Lucee to use the new image extension. THANKS for making that happen!!!

A trycf.com example would be really helpful!

Zack,

Running those commands in 4.5 works. Running them in 5 fails.

In our situation, we’ve got base64 keys created from 4 that suddenly don’t work when updating to 5.3.9.141 which as you can imagine causes some issues.

OK, looks like a regression caused by [LDEV-3818] - Lucee

lucee.runtime.exp.NativeException: invalid character [=] in base64 string at position [23]
at lucee.commons.digest.Base64Encoder.decode(Base64Encoder.java:126)
at lucee.runtime.coder.Base64Coder.decode(Base64Coder.java:75)
at lucee.runtime.coder.Coder.decode(Coder.java:62)
at lucee.runtime.crypt.Cryptor._crypt(Cryptor.java:117)
at lucee.runtime.crypt.Cryptor.crypt(Cryptor.java:64)
at lucee.runtime.crypt.Cryptor.encrypt(Cryptor.java:150)
at lucee.runtime.crypt.Cryptor.encrypt(Cryptor.java:165)
at lucee.runtime.functions.other.Encrypt.invoke(Encrypt.java:70)
at lucee.runtime.functions.other.Encrypt.call(Encrypt.java:47)

Can you file a bug? Please include the above stack trace and code sample, and link it back to the above task.

Bug Filed: [LDEV-4101] - Lucee
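
The key strings discussed in this thread can be checked independently of the Lucee engine. The following is an added example, not code from the thread or from Lucee: it decodes stored key strings with Python's strict Base64 decoder and reports where the `=` padding sits. The sample keys are constructed, the function names are hypothetical, and a 128-bit key (24 Base64 characters) is an assumption the thread does not state.

```python
import base64
import binascii

AES_KEY_BYTES = {16, 24, 32}  # AES-128 / AES-192 / AES-256

def inspect_key(key_b64):
    """Decode one stored key string strictly (RFC 4648) and describe it."""
    report = {
        "length": len(key_b64),
        # 0-based indexes of every '=' in the stored string
        "padding_positions": [i for i, c in enumerate(key_b64) if c == "="],
        "valid_base64": False,
        "key_bytes": None,
        "usable_aes_key": False,
    }
    try:
        # validate=True rejects characters outside the alphabet and bad padding
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return report
    report["valid_base64"] = True
    report["key_bytes"] = len(raw)
    report["usable_aes_key"] = len(raw) in AES_KEY_BYTES
    return report

def audit(keys):
    """Return the names of stored keys that a strict decoder rejects
    or that do not decode to an AES key size."""
    return sorted(n for n, k in keys.items() if not inspect_key(k)["usable_aes_key"])

# Constructed sample keys (not real secrets, not taken from the thread).
_K16 = base64.b64encode(bytes(range(16))).decode()   # 24 chars, ends "=="
SAMPLE_KEYS = {
    "aes128": _K16,
    "aes256": base64.b64encode(bytes(range(32))).decode(),  # 44 chars, ends "="
    "truncated": _K16[:-1],            # one '=' lost in storage
    "trailing_newline": _K16 + "\n",   # stray whitespace from a config file
}

if __name__ == "__main__":
    for name, key in SAMPLE_KEYS.items():
        print(name, inspect_key(key))
    print("rejected:", audit(SAMPLE_KEYS))
```

For a 16-byte key the `=` characters occupy 0-based positions 22 and 23, so a well-formed key of that size always carries padding at the end of the string.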