Tags: aes, correctly, create, database, encode, encryption, external, function, functionality, login, mysql, oracle, service, sql, unsure, web
Encryption question: AES
I am trying to create a function to encode data for an external web service's login functionality. I am unsure if I am doing this correctly but here is sample information and code.
In my case the webservice provider has given me a key that is to be used to encrypt a string token I have already constructed. They say it must be encrypted using AES in ECB mode with PKCS5Padding and the final output Character Encoding must be UTF-8 (Base64 encoded). After the encoding, it must be URL Encoded. I have wrote a function that goes through the result and replaces specified characters with %codes for the URL encoding part but I am always told my token length is not a multiple of 16 bytes.
Here is the sample code:
CREATE OR REPLACE FUNCTION aes_test RETURN varchar2 IS
enc_val raw (2000);
l_key RAW(128) := utl_raw.cast_to_raw('<
l_key_len number := 16;
l_mod number := dbms_crypto.ENCRYPT_AES
TEMP := '?username=user&
l_encrypted_raw := dbms_crypto.encrypt(enc_val,
Anyone have any sugestions?
Leave a comment...
- 7 Comments
- I'm not sure where you are running into your error at, but the first thing to check is the length of your key. When I was testing it it wanted a key that was 16 bytes long e.g. '1234567890123456' (dumb key but it works for testing).
Another thing to remember is that UTL_ENCODE.BASE64_ENCODE operates on raw data and returns raw data so you probably need to cast it back to varchar2 before returning it or url encoding it.
I don't know what your URI_ENCODE function does, but I assume it performs similar opperations as UTL_URL.ESCAPE.
RETURN UTL_URL.ESCAPE( UTL_RAW.CAST_TO_VARCHAR2( UTL_ENCODE.BASE64_ENCODE(L_ENCRYPTED_RAW) ), URL_CHARSET => 'UTF-8' );
Using your code with my test key I get the following encoded string:
mr62iE/+rJkeXToya6iUbVHkNt67v6LtQfg+8aERmk1ZTC9iCGccK5IWMTd1Y1HF%0D%0Ae3jWhKM+UzDQ9eFg3KU37A==#1; Sun, 24 Feb 2008 01:26:00 GMT
- I appologize, I should have included the code. If there is an existing function that accomplishes this same type of operations.
CREATE OR REPLACE FUNCTION URI_ENCODE(prestring in varchar2) return varchar2 is
outstr := REPLACE(prestring,'!','%21');
outstr := REPLACE(outstr,'*','%2A');
outstr := REPLACE(outstr,'''','%27');
outstr := REPLACE(outstr,'(','%28');
outstr := REPLACE(outstr,')','%29');
outstr := REPLACE(outstr,';
outstr := REPLACE(outstr,':','%3A');
outstr := REPLACE(outstr,'.oracle.mscer.com.','%40');
outstr := REPLACE(outstr,'&
outstr := REPLACE(outstr,'=','%3D');
outstr := REPLACE(outstr,'+','%2B');
outstr := REPLACE(outstr,'$','%24');
outstr := REPLACE(outstr,',','%2C');
outstr := REPLACE(outstr,'/','%2F');
outstr := REPLACE(outstr,'?','%3F');
outstr := REPLACE(outstr,'%','%25');
outstr := REPLACE(outstr,'#','%23');
outstr := REPLACE(outstr,'[','%5B');
outstr := REPLACE(outstr,']','%5D');
/#2; Sun, 24 Feb 2008 01:27:00 GMT
- I have tried and this still does not seem to produce an acceptable result with the webservice as it keeps directing me to a wiki page on block ciphers. It appears that somehow the Oracle cipher routines might be padding and doing things differently than they do them because the error I continually run into is that the web service reports the token is incorrectly padded though they specify padding is PKCS5Padding. I dont know if the padding is being messed up in the conversions somewhere or what but my suspicions are somewhere during the conversion processes after AES something is being messed up.#3; Sun, 24 Feb 2008 01:28:00 GMT
- You are passing a raw value to your URI_ENCODE function try casting it back to varchar2 first
URI_ENCODE( UTL_RAW.CAST_TO_VARCHAR2( UTL_ENCODE.BASE64_ENCODE( l_encrypted_raw ) ) );#4; Sun, 24 Feb 2008 01:29:00 GMT
- I have found out the problem. Somehow there was a cr lf being thrown in there that should not have been right in the middle of the function. Also my URI_ENCODE function was wrong. I had to reorder it because I was wiping out the % from URL_ENCODING. Once I processed % first in my URI_ENCODE and ran a replace with a null replacement on cr lf in the string inside URI_ENCODE it fixed it and the encoded string works now.#5; Sun, 24 Feb 2008 01:30:00 GMT
- You might be interested in the new encyrption possibilities that the 11g database version has to offer: http://www.oracle.com/technology/pub/articles/oracle-database-11g-top-features/11g-security.html
Some parts of it are already available in 10gR2: http://www.oracle.com/technology/pub/articles/10gdba/nanda_10gr2dba_part1.html#tde#6; Sun, 24 Feb 2008 01:31:00 GMT
- I will look but from what I hear 11g will not be an option here for some time into the foreseen future due to some 3rd party apps we have to run that are not 11g compatible yet.#7; Sun, 24 Feb 2008 01:32:00 GMT