
The key specified is not a valid key for this encryption: Key size is not valid. Got key length of: 15


I keep getting an error message when trying to send the key through the URL with encodeForURL() and DecodeFromURL(). The code example is below.

This is my entry page:

key = generateSecretKey(("AES"),128);
data = encrypt(serializeJSON(pg_info), key, "AES", "HEX");
location("home.cfm?str=#encodeForURL(key)#&dt=#data#", "false", "301");

This is my home page:

if ( structKeyExists(url, "str") ) {
    key = DecodeFromURL(url.str);
    strData = deserializeJSON(decrypt(url.dt, key, "AES", "HEX")); // This is the line where the error message is pointing
} else {
    writeOutput("<p>Error! Please contact your administrator.</p>");
    abort;
}

The code is very simple. When the user gets to the entry page the data parameters are encrypted and sent through the URL to the home page. Once the user gets to the home page the data is extracted from the URL. I tried adding the size when creating the secret key (128) in the hope that the issue would be resolved. The error is still happening and it seems that it might be related to something else. I thought that key length was the issue, but the error message is pointing to the line of code where the URL string is being applied to deserializeJSON(). Is there a way to find out what is causing the error and how to fix this issue? Thank you.


Solution

  • BTW, I assume this code is just for testing purpose, since passing the encryption key alongside the encrypted text utterly and completely defeats the purpose of encryption ;-)

    Is there a way to find out what is causing an error

    With troubleshooting, location() tends to get in the way, so best to temporarily replace it with a hyperlink. Then you'll be able to output the original key generated and compare it to what's actually received on the home page.

    Test Case (Single Page)

    <cfscript>
        // It may take a few executions to hit a failing key like `n+Py4flPF6uOwNXwpq2J4g==`
        // (one whose base64 form contains a "+" character).
        pg_info = { "plain" : "text" };
        key     = generateSecretKey("AES", 128);
        data    = encrypt(serializeJSON(pg_info), key, "AES", "HEX");

        // Show the generated key and its URL-encoded form, for comparison with what the link delivers
        writeOutput( "[key] "& key &"<br>[encoded] "& encodeForURL(key) &"<br><br>");
        writeOutput( '<a href="#CGI.SCRIPT_NAME#?str=#encodeForURL(key)#&dt=#data#">Test</a>' );

        if ( url.keyExists("str") ) {
            // CF has already decoded the parameter once; dump both forms to see the difference
            writeDump( var=[url.str], label="url.str (Original)" );
            writeDump( var=[DecodeFromURL(url.str)], label="url.str (Decoded)" );

            key     = DecodeFromURL(url.str);
            strData = deserializeJSON(decrypt(url.dt, key, "AES", "HEX"));
            writeDump( var=strData, label="strData" );
        }
    </cfscript>
    

    how to fix this issue?

    CF already decodes url parameters automatically. So decoding url.str a second time alters the original key value, causing decrypt() to fail because the key is no longer valid. Notice that with a failing key like n+Py4flPF6uOwNXwpq2J4g== the original url.str value differs from the decoded key:

    • url.str (Original) n+Py4flPF6uOwNXwpq2J4g== (has "+" char)

    • key (Decoded) n Py4flPF6uOwNXwpq2J4g== ("+" changes to space char)
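The mechanics behind that last comparison, as an added example that is not part of the answer above and not ColdFusion code: a stand-alone Python script that walks the same failing key through the encode, server auto-decode and extra-decode steps, using the form-encoding rules CF applies to url parameters (a literal "+" is read as an encoded space, and a real plus must travel as %2B). The function names, the constructed key constant (copied from the answer's example) and the strict "must be valid base64 of 16 bytes" check are this example's own, not part of CF's API.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import quote_plus, unquote_plus

# Constructed sample key: the 24-character base64 string the answer cites as a
# failing case. Its "+" character is what the second decode mangles.
ORIGINAL_KEY = "n+Py4flPF6uOwNXwpq2J4g=="


def build_query_param(key: str) -> str:
    """What the entry page does: percent-encode the key for the query string.
    '+' becomes %2B and '=' becomes %3D, so the key survives exactly one decode."""
    return quote_plus(key)


def server_auto_decode(param: str) -> str:
    """The single decode the server performs before the url scope is populated."""
    return unquote_plus(param)


def decode_again(value: str) -> str:
    """The extra DecodeFromURL() call from the question: a second decode of an
    already-decoded value, where the literal '+' is now read as an encoded space."""
    return unquote_plus(value)


def aes_key_bytes(key_b64: str) -> Optional[int]:
    """Strictly base64-decode a key and return its byte length, or None when the
    string is no longer valid base64. A 128-bit AES key must come back as 16."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except binascii.Error:
        return None
    return len(raw)


def trace_double_decode(key: str) -> dict:
    """Record what each stage sees, so the point where the key breaks is visible.
    This is the check to run before handing a received key to decrypt()."""
    encoded = build_query_param(key)
    once = server_auto_decode(encoded)
    twice = decode_again(once)
    return {
        "encoded": encoded,
        "after_one_decode": once,
        "after_two_decodes": twice,
        "once_is_valid_key": aes_key_bytes(once) == 16,
        "twice_is_valid_key": aes_key_bytes(twice) == 16,
    }


if __name__ == "__main__":
    for stage, value in trace_double_decode(ORIGINAL_KEY).items():
        print(f"{stage:20} {value}")
```

Running it shows the key intact after the server's one decode and corrupted ("n Py4...") after the second; the strict base64 check rejects the corrupted form, which is the validation a receiving page can apply to fail clearly instead of inside decrypt().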