CL_SEC_SXML_WRITER=>DECRYPT AES decryption fails / CX_SEC_SXML_ENCRYPT_ERROR

hanno_blodau
Member
0 Kudos

Dear SAP-Community,

my goal is to encrypt a string in one program using a given password and to save the encrypted result in a file. In another program I will read the encrypted message from that file and decrypt it.

I'm using CL_SEC_SXML_WRITER=>ENCRYPT for encryption and CL_SEC_SXML_WRITER=>DECRYPT for decryption (algorithm: cl_sec_sxml_writer=>co_aes256_algorithm). Encrypting works smoothly. When I try to decrypt I'm getting the exception: CX_SEC_SXML_ENCRYPT_ERROR (UNCAUGHT_EXCEPTION).

If I encrypt and decrypt in the same program, everything works fine. Only when I split the encryption and decryption in two programs I get the exception.

My encryption demo:

    REPORT y_enrypt_txt.

    PARAMETERS:
      p_msg  TYPE string OBLIGATORY DEFAULT 'This is my test' LOWER CASE,
      p_pwd  TYPE string OBLIGATORY DEFAULT '1234' LOWER CASE,
      p_file TYPE string OBLIGATORY LOWER CASE.

    START-OF-SELECTION.

    * create message
      DATA(lr_conv_sec) = cl_abap_conv_out_ce=>create( ).
      lr_conv_sec->write( p_msg ).

    * create key
      DATA(lr_conv_key) = cl_abap_conv_out_ce=>create( ).
      lr_conv_key->write( p_pwd ).

    * encrypt using AES256
      cl_sec_sxml_writer=>encrypt(
        EXPORTING
          plaintext  = lr_conv_sec->get_buffer( )
          key        = lr_conv_key->get_buffer( )
          algorithm  = cl_sec_sxml_writer=>co_aes256_algorithm
        IMPORTING
          ciphertext = DATA(lv_message) ).

      OPEN DATASET p_file FOR OUTPUT IN BINARY MODE.
      TRANSFER lv_message TO p_file.
      CLOSE DATASET p_file.

My decryption demo:

    REPORT y_decrypt_txt.

    DATA:
      lv_enc_msg_xstring  TYPE xstring,
      lf_plaintext_file   TYPE xstring,
      lv_decrypted_string TYPE string.

    PARAMETERS:
      p_pwd  TYPE string OBLIGATORY DEFAULT '1234' LOWER CASE,
      p_file TYPE string OBLIGATORY LOWER CASE.

    START-OF-SELECTION.

      OPEN DATASET p_file FOR INPUT IN BINARY MODE.
      READ DATASET p_file INTO lv_enc_msg_xstring.
      CLOSE DATASET p_file.

    * create key
      DATA(lr_conv_key) = cl_abap_conv_out_ce=>create( ).
      lr_conv_key->write( p_pwd ).

    * decrypt using AES256
      cl_sec_sxml_writer=>decrypt(
        EXPORTING
          ciphertext = lv_enc_msg_xstring
          key        = lr_conv_key->get_buffer( )
          algorithm  = cl_sec_sxml_writer=>co_aes256_algorithm
        IMPORTING
          plaintext  = lf_plaintext_file ).

      cl_abap_conv_in_ce=>create( input = lf_plaintext_file )->read( IMPORTING data = lv_decrypted_string ).

      WRITE: / 'Decrypted: ', lv_decrypted_string.

What am I doing wrong? Why is it possible to encrypt and decrypt in the same program? Why do I get an exception if I split the code in two programs?

Best regards,

Hanno

7 REPLIES

RicardoRomero_1
Active Contributor

Hi, Hanno.
Same problem here. Did you find a solution?

fprokopiuk
Active Participant
0 Kudos

Hi Ricardo,

Instead of CL_SEC_SXML_WRITER=>ENCRYPT, give the ENCRYPT_IV method a try; it has an additional importing parameter, the Initialization Vector. I've used the IV parameter with an initial value, as you can see below, and it worked this way. I hope it will work in your case as well!

cl_sec_sxml_writer=>encrypt_iv(
  EXPORTING
    plaintext =  lr_conv_sec->get_buffer( )
    key =        lr_conv_key->get_buffer( )
    algorithm =  cl_sec_sxml_writer=>co_aes256_algorithm_pem
    iv = '00000000000000000000000000000000'
  IMPORTING
    ciphertext = DATA(lv_message) ).

Hello,

I have the same problem; my class doesn't have ENCRYPT_IV (or decrypt_iv). Filip, we need decryption; encryption succeeds.

The error appears when calling the DECRYPT method directly. I have tested calling it with the same value obtained from the ENCRYPT method and it runs perfectly, but when we try to do it separately it gives us a dump.

Thanks in advance

0 Kudos

Hi Juanmi, did you solve the issue?

I'm currently facing the same issue with CL_SEC_SXML_WRITER. I wrote a test program that uploads an XML file from the frontend, encrypts it and downloads it to the frontend again with "crypted" added to the filename. Up to that point everything is OK.

When I tried to upload and decrypt the previously encrypted file, an ABAP dump is raised: CX_SEC_SXML_ENCRYPT_ERROR: Decryption of XML data failed. In addition, when decrypted with rijndael_utility, trailing characters were added at the end of the XML.

When I decrypt immediately after encryption there is no problem, as you have already mentioned.

I've tried with AES256 and AES128.

The external receiver said they have no way to handle it.

Is there some way to avoid that?

helder_macedo
Member

Hello,

I had the same problem and the issue is related to the algorithm 256 that does not work properly: https://answers.sap.com/questions/6654008/hmac-sha256.html

Try to use the cl_sec_sxml_writer=>co_aes128_algorithm and check if it works. For me it was the solution.

fprokopiuk
Active Participant

I have successfully used the above encryption / decryption method. Please remember to use the proper encryption key length, i.e. for XSTRING it will be:
AES128 - 32 chars
AES192 - 48 chars
AES256 - 64 chars.

You can find usage examples in local test classes of CL_SEC_SXML_WRITER, e.g. in method LCL_XML_SECURITY_TEST -> SYMMTRIC_ENC_WITH_IV

    CONSTANTS: lf_aes128_key TYPE xstring VALUE '2B7E151628AED2A6ABF7158809CF4F3C',
               lf_aes192_key TYPE xstring VALUE '8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B',
               lf_aes256_key TYPE xstring VALUE '603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4'.

m_olson
Explorer
0 Kudos

I had the same issue as the original post - I could encrypt and decrypt with the same program, even if I closed out of the program and started it again.

I wasn't able to get a successful decrypt until I provided the same hardcoded `key` to be used for both. So in my example, I set lv_key to be the same in both the encrypt and decrypt call.

Now I'm just nervous about the class/method's current inability to catch the exception CX_SEC_SXML_ENCRYPT_ERROR in case anything doesn't work.

        cl_sec_sxml_writer=>decrypt(
          EXPORTING
            ciphertext = lv_xstring
            key =        lv_key
            algorithm =  cl_sec_sxml_writer=>co_aes256_algorithm_pem
          IMPORTING
            plaintext =  lv_decrypted_xstring ).
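
Added example (Python, not code from any poster in this thread and not SAP's API): it checks key material against the key lengths listed in the replies above, and shows one way for two separate programs to arrive at the same full-length key from a password, by storing a random salt at the start of the file. PBKDF2, the salt size, the iteration count, UTF-8 password encoding and all function names are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import os

# AES key sizes in bytes; written as hex text these are the 32/48/64
# characters listed in the reply above.
AES_KEY_BYTES = {"AES128": 16, "AES192": 24, "AES256": 32}
SALT_LEN = 16          # assumption: salt size chosen for this example
ITERATIONS = 200_000   # assumption: PBKDF2 work factor chosen for this example


def key_problem(key: bytes, algorithm: str) -> str | None:
    """Return a description of the length mismatch, or None if the key fits."""
    need = AES_KEY_BYTES[algorithm]
    if len(key) != need:
        return f"{algorithm} needs {need} bytes ({need * 2} hex chars), got {len(key)}"
    return None


def derive_key(password: str, salt: bytes, algorithm: str = "AES256") -> bytes:
    """Stretch a password into a key of exactly the size the algorithm needs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=AES_KEY_BYTES[algorithm])


def writer_side(password: str) -> tuple[bytes, bytes]:
    """Encrypting program: pick a fresh salt, return (file header, key)."""
    salt = os.urandom(SALT_LEN)
    return salt, derive_key(password, salt)


def reader_side(password: str, file_bytes: bytes) -> bytes:
    """Decrypting program: recover the salt from the file, re-derive the key."""
    if len(file_bytes) < SALT_LEN:
        raise ValueError("file too short to contain the salt header")
    return derive_key(password, file_bytes[:SALT_LEN])


if __name__ == "__main__":
    raw = "1234".encode("utf-8")   # the password from the original post
    print(key_problem(raw, "AES256"))
    header, k_enc = writer_side("1234")
    constructed_file = header + b"<ciphertext would follow>"  # constructed sample
    k_dec = reader_side("1234", constructed_file)
    print(key_problem(k_dec, "AES256"), k_enc == k_dec)
```

The salt is not secret; it only has to travel with the ciphertext so the decrypting program can repeat the derivation.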