Emulate openssl_decrypt PHP on command line


Avelino Herrera Morales

Feb 11, 2026, 3:36:25 AM
to openssl-users
Hi all,

I have some very simple PHP code to decrypt an AES-256-ECB stream that runs OK:

$ticketKeyEncHex = "3752B8D2A9BBA61682C7E93710DE9527F6C919E0E9678E4BC87C7809E34D5750";
$clientSecret = "666f3_SOME_HEX_HERE_4d4a";
$ticketKeyEncBin = hex2bin($ticketKeyEncHex);
$ret = openssl_decrypt($ticketKeyEncBin, "aes-256-ecb", $clientSecret, OPENSSL_RAW_DATA);    // returns a correct decrypted string


But I do not know how to replicate that call on the command line. The following command does not generate the same decrypted string:

$ echo -n "3752B8D2A9BBA61682C7E93710DE9527F6C919E0E9678E4BC87C7809E34D5750" | xxd -r -ps | openssl enc -d -aes-256-ecb -nosalt -pass pass:666f3_SOME_HEX_HERE_4d4a -pbkdf2 -nopad | hexdump -C

How do I replicate the openssl_decrypt call in cli?

Thanks!

Tomas Mraz

Feb 11, 2026, 4:24:42 AM
to Avelino Herrera Morales, openssl-users
Hello,

you can try using -K option instead of -pass with `enc`. That requires
converting the key to hexadecimal. BTW, the encryption key should be
256 bits long if it is an AES-256 key.

Tomas Mraz, OpenSSL

--
Tomáš Mráz, Chief Technology Officer, OpenSSL Foundation

Richard Levitte

Feb 11, 2026, 10:48:57 AM
to openss...@openssl.org

https://www.php.net/manual/en/function.openssl-decrypt.php has this to say about the passphrase (3rd) argument to openssl_decrypt():

Caution

There is no key derivation function used for passphrase as its name might suggest. The only operation used is padding with NUL characters or truncation if the length is different than expected.

It would therefore seem like '-pbkdf2' isn't quite right.

Like Tomas Mraz said, '-K' is your option here, and 'openssl enc' has a feature here, that if you give it a too small value, it will append filler NUL bytes, i.e. exactly what php's openssl_decrypt() does.  The command warns you of this:

$  echo -n "3752B8D2A9BBA61682C7E93710DE9527F6C919E0E9678E4BC87C7809E34D5750" | xxd -r -ps | openssl enc -d -aes-256-ecb -nosalt -K $(echo 666f3_SOME_HEX_HERE_4d4a | xxd -ps) -nopad | hexdump -C
hex string is too short, padding with zero bytes to length
00000000  6d 3b 2b ca 21 c9 ad b1  de 87 39 99 6c 1b 70 7b  |m;+.!.....9.l.p{|
00000010  83 d7 c7 51 16 af 65 86  e0 61 27 ef 40 23 73 11  |...Q..e..a'.@#s.|
00000020

Was that output more like what you expected?

Cheers,
Richard

-- 
Richard Levitte                         ric...@levitte.org
                                        http://richard.levitte.org/

"Life is a tremendous celebration - and I'm invited!"
-- from a friend's blog, translated from Swedish

Avelino Herrera Morales

Feb 18, 2026, 5:24:37 AM
to openssl-users, Richard Levitte
I got it!

Although "666f3_SOME_HEX_HERE_4d4a" is a hex string, that hex string must be interpreted as a string before passing it to the -K parameter:

DECRYPTED_DATA=$( echo -n "${ENCRYPTED_HEX_DATA}" | xxd -r -ps | openssl enc -d -aes-256-ecb -nosalt -K $( echo -n "666f3_SOME_HEX_HERE_4d4a" | xxd -c 0 -ps ) -pbkdf2 )

Thanks for all the help!
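
An added example, not part of the thread: one way to build the `-K` value from the key handling the PHP manual describes (raw passphrase bytes, truncated or NUL-padded to the key length, no key derivation). The helper names `php_key_hex` and `php_decrypt_hex` are hypothetical.

```shell
#!/bin/sh
# Added example: build the -K value that matches how PHP's openssl_decrypt()
# treats its passphrase argument (raw bytes, truncated or NUL-padded; no KDF).

# php_key_hex PASSPHRASE [KEY_BYTES]  (hypothetical helper, default 32 = AES-256)
php_key_hex() (
    want=$(( ${2:-32} * 2 ))          # key length in hex digits
    # printf '%s' emits the passphrase bytes only; a plain `echo` would
    # append a newline that ends up inside the key.
    hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \t\n')
    hex=$(printf '%s' "$hex" | cut -c1-"$want")               # truncate if too long
    while [ "${#hex}" -lt "$want" ]; do hex="${hex}00"; done  # NUL-pad if short
    printf '%s' "$hex"
)

# php_decrypt_hex CIPHERTEXT_HEX PASSPHRASE  (hypothetical helper)
# Default PKCS#7 unpadding is left on, as with OPENSSL_RAW_DATA alone.
php_decrypt_hex() {
    printf '%s' "$1" | xxd -r -p |
        openssl enc -d -aes-256-ecb -K "$(php_key_hex "$2")"
}

# The thread's placeholder secret, taken as ASCII text and padded to 32 bytes.
php_key_hex "666f3_SOME_HEX_HERE_4d4a"; echo
```

Passing a full-length key this way also avoids the "hex string is too short" warning, since the padding is done before `openssl enc` sees the value.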
