I'm trying to decrypt 'Instant Notifications' from ClickBank, they have code samples for decoding in several languages but not C# so I'm trying to translate the Java code: https://support.clickbank.com/hc/en-us/articles/220376507-Instant-Notification-Service-INS-#Code%20Samples
I've tried several different ways over the last few days but no luck! Help pls SO, what am I missing?
Java:
final StringBuilder buffer = new StringBuilder();
final String secretKey = "YOUR SECRET KEY";
String line;
final BufferedReader reader = theRequest.getReader();
while(null != (line = reader.readLine())) {
buffer.append(line);
}
final JSONParser parser = new JSONParser();
final JSONObject obj = (JSONObject) parser.parse(buffer.toString());
final String initializationVector = (String) obj.get("iv");
final String encryptedNotification = (String) obj.get("notification");
final MessageDigest digest = MessageDigest.getInstance("SHA-1");
digest.reset();
digest.update(secretKey.getBytes("UTF-8"));
final String key = new String(Hex.encodeHex(digest.digest())).substring(0, 32);
final IvParameterSpec iv = new IvParameterSpec(DatatypeConverter.parseBase64Binary(initializationVector));
final SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "AES");
final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, keySpec, iv);
final JSONObject notification = (JSONObject) parser.parse(
new String(cipher.doFinal(DatatypeConverter.parseBase64Binary(encryptedNotification)),
"ISO-8859-1"));`
C#
const string secretKey = "YOUR SECRET KEY";
string sContent = "";
using (System.IO.Stream receiveStream = Request.InputStream)
{
receiveStream.Position = 0;
using (System.IO.StreamReader readStream =
new System.IO.StreamReader(receiveStream, Encoding.UTF8))
{
sContent = readStream.ReadToEnd();
}
}
dynamic json = System.Web.Helpers.Json.Decode(sContent);
string initializationVector = json.iv;
string encryptedNotification = json.notification;
//turn the key into a fixed length string via SHA-1 hash
SHA1 sha1 = SHA1Managed.Create();
byte[] hash = sha1.ComputeHash(Encoding.UTF8.GetBytes(secretKey));
var key = Org.BouncyCastle.Utilities.Encoders.Hex.Encode(hash);
var keyString = Convert.ToBase64String(key).Substring(0, 32);
//var key = BitConverter.ToString(hash).Substring(0, 32);
var iv = Convert.FromBase64String(initializationVector);
byte[] keyspec = Encoding.UTF8.GetBytes(keyString);
using (var rijndaelManaged =
new RijndaelManaged { Key = keyspec, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
using (var memoryStream =
new MemoryStream(Convert.FromBase64String(encryptedNotification)))
using (var cryptoStream =
new CryptoStream(memoryStream,
rijndaelManaged.CreateDecryptor(keyspec, iv),
CryptoStreamMode.Read))
{
var result = new StreamReader(cryptoStream).ReadToEnd();
}
gives the error - 'Padding is invalid and cannot be removed.'
So I'm guessing I must be creating the key wrong, I've tried different ways of hashing and hex encoding but none seem to work. Please advise guys! Thanks for your time
Edit: removing useless extra code
Oh dear, a bank that uses CBC to send messages. This Java code sample looks like "my first attempt at crypto", and coming from a bank, that's not a bank that you should trust.
The key is indeed wrong, you should try key = Hex.ToHexString() and then convert the sub string of the result to ASCII using Encoding.ASCII.GetBytes(key). The additional base 64 or bit conversion is not present in the Java code and should not be used.