× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Hi, Mark

Good to hear from you, it's been a while. I was aware of those (and a few
other) offerings. That's what prompted me to add the "nothing within the i
operating system itself" qualifier (in my mind meaning the base OS).

On Fri, Nov 22, 2019 at 12:33 PM Mark Waterbury <
mark.s.waterbury@xxxxxxxxxxxxx> wrote:

Hi, Bruce,

Well, ... there is this:

https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/rzaie/apr_core_api/group___a_p_r___util___base64.html
and this:
http://www.scottklement.com/base64/

All the best,


Mark S. Waterbury


On Friday, November 22, 2019, 12:18:39 PM EST, Bruce Vining <
bruce.vining@xxxxxxxxx> wrote:

When you construct the cmd variable you specify:

-aes-128-ecb

so we know it's aes with 128 bit keys and ecb

Now let's look at the qc3DecryptData API at
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/apis/qc3decdt.htm
.
If we look at the Algorithm description format name parameter we see it
supports AES with format ALGD0200. If we look at the Block cipher
algorithm element of format ALGD0200 we see a value of 22 means use AES and
a Mode element value of 0 means ECB. If we look at the If we look at the
Key description format name parameter we see it supports format KEYD0200
which supports AES with a Key type value of 22. Further that with key type
22 the key string length or derived key length can be 16, 24, or 32. This
is in bytes so a value of 16 is equivalent to a bit count of 128.

cmd also specifies:

-base64

The qc3DecryptData API does not support base64 so you would need to first
decode the XML base64 value and then use that decoded value as input to
qc3DecryptData. Unfortunately looking (very briefly) at the enc
documentation it doesn't (readily) specify the implementation of base64
it's using. There are various base64 encode/decode utilities around for
the i, but nothing within the i operating system itself.

On Fri, Nov 22, 2019 at 11:43 AM Rishi Seth <rishiseth99@xxxxxxxxx> wrote:

......
....XML file in my previous email ,so could it be confirmed whether
putting
these below changes will take care of all future junk values(DLEs etc.)
which might come in the decrypted value?
or some other error handling conditions we need to incorporate in this
code to take care of such unforeseen DLEs or some other junk values?
pos2 = %scan(x'10' :record);
Record = %subst(Record :1 :(Pos2 - 1));


...Also as we did not know that how the data was encrypted so we could
not
use Qc3DecryptData API here but as per experts on this forum i would like
to confirm one again since we don't know how the data is encrypted
so we can not use Qc3DecryptData API to decrypt it using AES128 algorithm
neither we can use sql decrypt function due to it's limits also as we
have
used openssl here and saw these DLEs here so shared XML file here as well
considering possibility data itself is junk or having DLEs inside in it
so
could you please confirm whether it's XML issue only now?
If yes ,then what above said changes we have incorporated in our program
then it should be sufficient enough to handle all those DLEs errors


Thanks much...

Thanks

On Fri, Nov 22, 2019 at 5:22 PM Rishi Seth <rishiseth99@xxxxxxxxx>
wrote:

ok,that key hardcoding issue is resolved now thanks much but regarding
those DLEs as i have shared sample

On Fri, Nov 22, 2019 at 5:01 PM Bruce Vining <bruce.vining@xxxxxxxxx>
wrote:

-- cmd = 'echo ' + '''' + encodedExchangeToken + ''' ! openssl +
-- enc -d -aes-128-ecb -K 363631653237354f494d31554c594c4a +
-- -nopad -nosalt -base64 -A';

The above does NOT represent the changes suggested in my previous
reply.
I
would have expected to see something like

...-K ' + KEY + ' -nopad...

The provided text still has the key value as a literal.

--



<encodedExchangeToken>u3VtNgfyWU9faZc3Iaa8ZWbE5UZCfmC17yA4MyW0ghflt9dNQNDpCcgMZiG/kXPE4vv2CHL93B4iKiODHxxdVA==---
</encodedExchangeToken>

You have confirmed that the XML file contains the "extra" 16 bytes.
Who/what provided this value? This line indicates to ship those 16
bytes,
which are being decoded and decrypted into DLEs. From what I can see
everything is working just like one would expect given this source...

On Fri, Nov 22, 2019 at 10:42 AM Rishi Seth <rishiseth99@xxxxxxxxx>
wrote:

ok,thanks tried as per below now and when ran it got below errors:-




cmd = 'echo ' + '''' + encodedExchangeToken + ''' ! openssl +
enc -d -aes-128-ecb -K 363631653237354f494d31554c594c4a +
-nopad -nosalt -base64 -A';

**************************************************************
Additional Message Information



Message ID . . . . . . : RNQ0103 Severity . . . . . . . :
99

Message type . . . . . : Inquiry

Date sent . . . . . . : 19-11-22 Time sent . . . . . . :
15:40:09


Message . . . . : The target for a numeric operation is too small
to
hold
the result (C G D F).

Cause . . . . . : RPG procedure DCR19 in program RISHI/DCR19 at
statement
113 performed an arithmetic operation which resulted in a value
that
is
too
large to fit in the target. If this is a numeric expression, the
overflow
could be the result of the calculation of some intermediate
result.

Recovery . . . : Contact the person responsible for program
maintenance
to
determine the cause of the problem.

Possible choices for replying to message . . . . . . . . . . . . .
.
.
:

D -- Obtain RPG formatted dump.

S -- Obtain system dump.

F -- Obtain full formatted dump.


More...
Press Enter to continue.



F3=Exit F6=Print F9=Display message details

F10=Display messages in job log F12=Cancel F21=Select assistance
level

***********************************************************

Additional Message Information



Message ID . . . . . . : CPF9999 Severity . . . . . . . :
40

Message type . . . . . : Escape

Date sent . . . . . . : 19-11-22 Time sent . . . . . . :
15:40:09


Message . . . . : Function check. MCH1210 unmonitored by DCR19 at
statement
0000000113, instruction X'0000'.

Cause . . . . . : An escape exception message was sent to a
program
which
did not monitor for that message. The full name of the program to
which
the
unmonitored message was sent is DCR19 DCR19 DCR19. At the time
the
message
was sent the program was stopped at higher level language
statement

number(s) 0000000113. If more than one statement number is shown,
the

program was a bound program. Optimization does not allow a single
statement
number to be determined. If *N is shown as a value, it means the
actual

value was not available.

Recovery . . . : See the low level messages previously listed to
locate
the
cause of the function check. Correct any errors, and then try
the
request

More...
Press Enter to continue.


*********
And if XML is causing those DLEs then I think i need not to bother
as
we
have put below changes so i think it will take care care of all
those
unforeseen junk(DLEs).

pos2 = %scan(x'10' :record);
Record = %subst(Record :1 :(Pos2 - 1));

please correct me if i am wrong and below is requested xml for DLEs
analysis>/
<?xml version="1.0" encoding="UTF-8" standalone="true"?>

-<TokenExchangeResponse xmlns:ns2="
http://schemas.nav.gov.hu/OSA/1.0/data";
xmlns="http://schemas.nav.gov.hu/OSA/1.0/api";>


-<header>

<requestId>XXXXXXX6614</requestId>

<timestamp>2019-10-22T09:53:40.541Z</timestamp>

<requestVersion>1.1</requestVersion>

<headerVersion>1.0</headerVersion>

</header>


-<result>

<funcCode>OK</funcCode>

</result>


-<software>

<softwareId>R1RL002AAAAAAAAAAA</softwareId>

<softwareName>string</softwareName>

<softwareOperation>LOCAL_SOFTWARE</softwareOperation>

<softwareMainVersion>string</softwareMainVersion>

<softwareDevName>string</softwareDevName>

<softwareDevContact>string</softwareDevContact>

<softwareDevCountryCode>HU</softwareDevCountryCode>

<softwareDevTaxNumber>string</softwareDevTaxNumber>

</software>





<encodedExchangeToken>u3VtNgfyWU9faZc3Iaa8ZWbE5UZCfmC17yA4MyW0ghflt9dNQNDpCcgMZiG/kXPE4vv2CHL93B4iKiODHxxdVA==</encodedExchangeToken>

<tokenValidityFrom>2019-10-22T11:57:16.646+02:00</tokenValidityFrom>

<tokenValidityTo>2019-10-22T12:02:16.646+02:00</tokenValidityTo>

</TokenExchangeResponse>



Thanks

On Fri, Nov 22, 2019 at 3:00 PM Bruce Vining <
bruce.vining@xxxxxxxxx>
wrote:

You have KEY within the quoted string starting with ! openssl and
ending
with -A';

End the quoted string prior to KEY and then resume it following
KEY
(and
add + before and after so everything is nicely concatenated...)

As for the DLEs, again I have to, based on provided information,
assume
the
XML file is the source -- that is, whoever is writing/construction
the
XML.

On Fri, Nov 22, 2019 at 8:20 AM Rishi Seth <rishiseth99@xxxxxxxxx

wrote:

Hi,

I tried below code in which i have kept hex value of key in a
file
called
k1 and field called key in this file but the problem is that my
program
is
able to read key value from this file but the moment
i try to execute this cmd command inside my program and check
the
value
of
cmd field in debug mode i get it like below :-

EVAL cmd
CMD =

....5...10...15...20...25...30...35...40...45...50...55...60
1 'echo
'jkYrd7QTBwv6ghTV0SnrqCdwJ8TnpZAk8+oVlNXwt7aDHoJSQWBsh4'
61 'R7cggjSc+34vv2CHL93B4iKiODHxxdVA==' ! openssl enc -d
-aes-12'
121 '8-ecb -K key -nopad -nosalt -base64 -A
'
181 '
'
241 '
'

i was expecting like it took encodedexchangetoken field value
from
that
xml file using xml into builtin function and showing it's value
in
encodedexchangetoken field.
but when i read file in my code it does not pick the key field's
value
from
this below code i am just wondering how can i pass key field's
value to
openssl command rather than hardcoding inside my program.

*******
FUNIX IF F 1000 SPECIAL PGMNAME('UNIXCMD')
F PLIST(UNIXPARM) USROPN
fk1 if e disk
F*QSYSPRT O F 1000 PRINTER
dencodedExcha...
dngeToken s 500 VARYING

DPOS2 S 5U 0
D cmd s 5000a
D mode s 1A inz('P')
DN1 S 2P 0
D Åcommand s 512a
d QCMDEXC PR ExtPgm('QCMDEXC')
d command 500a const
d clength 15p 5 const

D record ds 1000
D outrec s 1000 varying inz

C UNIXPARM PLIST
C PARM CMD
C PARM MODE
/free
RECORD = *BLANKS;
OUTREC = *BLANKS;
XML-INTO encodedExchangeToken %XML('/home/I0RS01HU/+
IN2.xml':'doc=file case=any path=+
TokenExchangeResponse/encodedExchangeToken');
eval encodedExchangeToken =%trimr(encodedExchangeToken);
READ rec;
dsply key;
cmd = 'echo ' + '''' + encodedExchangeToken + ''' !
openssl
+
enc -d -aes-128-ecb -K KEY +
-nopad -nosalt -base64 -A';
open UNIX;
read UNIX record;
dow not %eof(UNIX);
pos2 = %scan(x'10' :record);
Record = %subst(Record :1 :(Pos2 - 1));
eval outrec = %trimr(record);
EVAL N1 = %LEN(OUTREC);
DSPLY N1;
//Delete the TESTFILE
Åcommand = 'DLTF FILE(rishi/TESTFILE)';
QCMDEXC(%trim(Åcommand): %len(%trim(Åcommand)));
Åcommand = *blanks;
Åcommand = 'CRTPF FILE(RISHI/TESTFILE) RCDLEN(' +
%char(N1) +
')';
QCMDEXC(%trim(Åcommand): %len(%trim(Åcommand)));
//Write into file
EXEC SQL
INSERT INTO rishi/TESTFILE VALUES (:outrec);
// dsply %subst(outrec:1:48);
read UNIX record;
enddo;
close UNIX;
return;
/end-free


Thanks







On Thu, Nov 21, 2019 at 11:38 PM Rishi Seth <
rishiseth99@xxxxxxxxx>
wrote:

Ok, thanks for these details,

Is it possible not to hardcode the key value used here and use
it
as
a
variable field like field of some file etc.so that each time
once
key
is
changed we may not have to change the program code and do not
need to
recompile it?
Also in input XML we were not focused on other field's only
target
was
just to fetch this 'encodedexchangetoken' field out of that
XML
file
and
whatever data comes inside this field that should have been
decrypted
using
AES 128 Algorithm so far this program seems to be working fine
only
thing i
was worried because of DLEs but could there be some more junk
values
might
come like these DLEs in decrypted value, Which currently we
can't
imagine
and låter on this program might crash as we have not thought
of
or
have
not
considered handling regarding those probable junk values (Or
so
called
some other type of DLEs etc.) as of now?

Thanks much.....

On Thu, Nov 21, 2019, 21:17 Bruce Vining <
bruce.vining@xxxxxxxxx>
wrote:

I did not get around to actually trying out Qc3DecryptData.

Yesterday the DLEs in the debug eval of record really told me
all I
needed
to know. This morning I looked more at the debug eval
of encodedExchangeToken, saw the leading x'0058' and realized
you
had
it
defined as varying length. That value tells me that XML-INTO
returned
88
bytes and the -base64 argument to enc told me it was base64
indicating
the
actual length received (based64 decoded) was 66 bytes with
two
trailing
pad
characters (the == from record) leaving 64 "real" bytes. The
last
16
bytes
(the DLEs) then must have been in the original stream (OK,
maybe
AES
decryption and base64 decoding uses DLEs for errors or
somesuch
though
I've
never seen that behavior or found it documented). In any
case
"someone"
is
adding 16 bytes to encodedExchangeToken prior to your
receiving
it
with
XML-INTO. As you did not provide the XML file (as requested
with 8.
Post
the contents of /home/I0RS01HU/INPUT.xml) I'm assuming it's
there in
the
file and that XML-INTO didn't add it (an add which I've never
seen
and I
have played with it, XML-INTO, in the past).

As you now have it working with openssl enc I wouldn't bother
changing.

Personally I use the i cryptographic APIs (but I'm also
somewhat
biased
when it comes to system APIs) when doing development.

When the SQL encrypt and decrypt functions first came out I
did
take a
quick look at them and immediately saw that there were a
whole
lot
of
features (that I sometimes use) that the SQL interfaces do
not
support.
So
I would not use them unless forced to -- meaning that someone
was
sending
me data encrypted using say ENCRYPT_AES. To date I have
never
run
into
that situation.

I do however wonder why base64 is being used as it appears to
be
text
data
being exchanged (with the exception of the DLEs) and what
padding
might
be
done if say the "real" data was only 45 bytes rather than a
multiple
of
16
such as 48.

Hope this helps,

On Thu, Nov 21, 2019 at 10:09 AM Rishi Seth <
rishiseth99@xxxxxxxxx>
wrote:

Hi,

How could we say or conclude so because whenever i
interactively
call
openssl command the same DLE seems to be coming that time
as
well
in
the
result of pase ?

so does this mean xml itself is faulty i mean the value
which
is
supplied
in XML (specially data in that encodedexchangetoken field
in
that
XML
file
itself is faulty ?)

secondly were you able to run that 'Qc3DecryptData' API
program
successfully could you please share your program example
for
current
case
as i tried to use Qc3DecryptData API for same decryption
(Using
AES128
Algorithm) but it did not work because i did not know how
the
data
was
encrypted only decryption thing i was focused on, as i did
not
know
how
the
data was encoded so may be those sql encrypt and decrypt
function
also
did
not work for this case also when you would have used that
Qc3DecryptData
API was your program capable to handle each time different
XML
files
data
like the one which i shared was having XML into kind of
builtin
functions
so it was capable to handle those different XMLs.
1) If same decrypted value could be achived using
Qc3DecryptData'
API
Could you please share that program code example ?

2) Can same result be achieved using SQL Decrypt function
as
well
if
yes
then could you please share that as well?

3) Which way should be best technically among of all
these 3
approaches
in case same decrypted value could be achieved using
openssl,
Qc3DecryptData API,SQL Decrypt function ?



Thanks much...



On Thu, Nov 21, 2019 at 1:44 PM Bruce Vining <
bruce.vining@xxxxxxxxx>
wrote:

The DLEs are in the original XML stream being received.

On Wed, Nov 20, 2019 at 3:17 PM Bruce Vining <
bruce.vining@xxxxxxxxx>
wrote:

Since Rishi has provided the encrypted stream and the
key
I'll,
if I
find
the time (which as I'm currently free of work should be
possible),
decrypt
using Qc3DecryptData and at least find out if it's in
the
stream
or
being
added later when running cmd through the UNIXCMD
interface...

On Wed, Nov 20, 2019 at 1:12 PM Scott Klement <
sk@xxxxxxxxxxxxxxxx>
wrote:

The other possibility is that the PASE shell is
inserting
them,
maybe
thinking it needs to escape something for the sake of
a
terminal?

On 11/20/2019 9:32 AM, Bruce Vining wrote:
As I cannot imagine Scott inserting those DLEs I
have
to
assume
they
are in
the XML document.
--
This is the RPG programming on IBM i (RPG400-L)
mailing
list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the
archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any
subscription
related
questions.

Help support midrange.com by shopping at amazon.com
with
our
affiliate
link: https://amazon.midrange.com



--
Thanks and Regards,
Bruce
931-505-1915



--
Thanks and Regards,
Bruce
931-505-1915
--
This is the RPG programming on IBM i (RPG400-L) mailing
list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the
archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription
related
questions.

Help support midrange.com by shopping at amazon.com with
our
affiliate
link: https://amazon.midrange.com

--
This is the RPG programming on IBM i (RPG400-L) mailing
list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription
related
questions.

Help support midrange.com by shopping at amazon.com with
our
affiliate
link: https://amazon.midrange.com



--
Thanks and Regards,
Bruce
931-505-1915
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription
related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com


--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription
related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com



--
Thanks and Regards,
Bruce
931-505-1915
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com

--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com



--
Thanks and Regards,
Bruce
931-505-1915
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com


--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com



--
Thanks and Regards,
Bruce
931-505-1915
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com

--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.