I have a web service where I send encrypted data in format "TripleDES, ECB mode, key size 192 and padding Zeros". The Provider show me the example of raw value and expected result:
raw string = IA000001
encrypted string (to send to web service) = aVR5J/0Lph0=;
In PHP, openssl_encrypt() function work fine for this string, but raise a data not multiple of block length SSL error.
I did a script to show all the problem (with comments):
<?php
$key = '1234567890123456ABCDEFGH';
$expected_result = 'aVR5J/0Lph0=';
function test_results($expected_value, $return_value) {
echo openssl_error_string() . "\n";
$compare = var_export($return_value == $expected_value, 1);
echo "'$return_value' == '$expected_value' => {$compare}\n" ;
}
echo "Function value == Expected Value => same strings?\n";
// This works with $data == 'IA000001'
$data = 'IA000001';
$resultado_function = @openssl_encrypt($data, 'DES3', $key, OPENSSL_ZERO_PADDING);
test_results($expected_result, $resultado_function); // true
// but if I change string value (i.e. $data == 'IA000001T')
// openssl function fail:
// error:0607F08A:digital envelope routines:EVP_EncryptFinal_ex:data not multiple of block length
$data = 'IA000001T';
$resultado_function = @openssl_encrypt($data, 'DES3', $key, OPENSSL_ZERO_PADDING);
// if change options to OPENSSL_RAW_DATA, errors gone, but strings aren't equals
$data = 'IA000001';
$resultado_function = @openssl_encrypt($data, 'DES3', $key, OPENSSL_RAW_DATA);
test_results($expected_result, $resultado_function); // false
// results are encoded in base64? not equal, but almost equal
$resultado_function = @openssl_encrypt($data, 'DES3', $key, OPENSSL_RAW_DATA);
$decoded_result = base64_encode($resultado_function);
test_results($expected_result, $decoded_result); // false but...
// Compare the firsts 11 chars:
// aVR5J/0Lph0=
// aVR5J/0Lph05HiLWyHnDqg==
// ^-- Until this char, the strings are equal.
What am I doing wrong? Block size? not encoded key or data?
Note: I have not control over web service implementation.
I am not an encryption guru but had to solve a similar problem when switching from mcrypt to openssl recently. I believe your data needs to be of a length that is divisible by eight (i.e. blocks of 8 characters). That string is nine characters long and not 8 or sixteen so you get this error.
You can overcome this by padding it with null characters to get to the desired length (i.e. a multiple of 8).
I wrapped the encryption code into a function to better encapsulate the logic:
$key = '1234567890123456ABCDEFGH';
$expected_result = 'aVR5J/0Lph0=';
function test_results($expected_value, $return_value) {
echo openssl_error_string() . "\n";
$compare = var_export($return_value == $expected_value, 1);
echo "'$return_value' == '$expected_value' => {$compare}\n" ;
}
function encrypt($text, $key) {
$block_size = 8;
if (strlen($text) % $block_size) {
$text = str_pad($text, strlen($text) + $block_size - strlen($text) % $block_size, "\0");
}
return base64_encode(@openssl_encrypt($text, 'DES3', $key, OPENSSL_RAW_DATA | OPENSSL_NO_PADDING));
}
foreach (['IA000001', 'IA000001T'] as $data) {
$resultado_function = encrypt($data, $key);
test_results($expected_result, $resultado_function);
}
Output:
'aVR5J/0Lph0=' == 'aVR5J/0Lph0=' => true
'aVR5J/0Lph21RT9SWL7RSg==' == 'aVR5J/0Lph0=' => false