Search code examples
javaexceptioncryptographyaes

javax.crypto.AEADBadTagException - AES/GCM/NoPadding works, then doesn't

I am trying to decrypt some data from a DB and have run into some AEADBadTagExceptions, but not always.

While searching for the error, I have taken the cipher initialization and put a loop around the decryption. I.e.

GCMParameterSpec parameterSpec = new GCMParameterSpec(authenticationTagLength, ivByte);
cipher = Cipher.getInstance(AES_MODE_GCM);
cipher.init(Cipher.DECRYPT_MODE, secretKey, parameterSpec);
if (additionalDataText.length()>0) {
    cipher.updateAAD(additionalDataText.getBytes("UTF-8"));
    }                        }
for(int i = 0; i < 500; i++) {
    cipher.doFinal(cypherBytes);
}

Running this code several times, I get 17/500 successes on the first try, then Zero for the next several tries. Changing the code and letting Eclipse rebuild may yield 17 or 18 successes followed by failures.

The exception is as follows

[err] javax.crypto.AEADBadTagException
[err]   at com.ibm.crypto.provider.GCTRInHardware.gcm_ad(Unknown Source)
[err]   at com.ibm.crypto.provider.aA.c(Unknown Source)
[err]   at com.ibm.crypto.provider.AESGCMCipher.engineDoFinal(Unknown Source)
[err]   at com.ibm.crypto.provider.AESGCMCipher.engineDoFinal(Unknown Source)
[err]   at javax.crypto.Cipher.doFinal(Unknown Source)

Oh yeah, I'm using Java 1.8 on the "IBM J9 VM" if that helps.

Does anyone have any idea what might prompt this behaviour? Kind regards

Edit: in additional news, this seems to be caused by something on the server this is running on - I can successfully decrypt the same data on another server, and in a JUnit test. I'll have a look to see if I can find the difference in the configurations.

Solution In my jvm.options I had specified a YourKit profiler under the option -agentpath By removing this line from the options, I got it to work.

Solution

  • Alright, I didn't know this was going to be relevant: I am running a Websphere Liberty Profile server. As mentioned in my edit, the code works in JUnit and on another server. I've checked the differences and got it to work, so I redid the differences one by one and found it was the following:

    In my jvm.options I had specified a YourKit profiler under the option -agentpath By removing this line from the options, I got it to work.

    Not sure what the etiquette is on answering your own questions, so I'll also add this to the question.