× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. RPG400-L
  3. December 2019

Re: Qc3DecryptData API vs OPENSSL för AES128 Decryption

Sorry for taking so long to get back to you, but I've been busy moving and
wanted to test that everything would work with the information you have
provided. Qc3DecryptData is not sufficient by itself as the enc command is
mixing base64 functions with decryption functions and the i API does not.
So we need to:

1. Decode the base64 input
2. Decrypt the decoded value from step 1 using Qc3DecryptData
3. Convert the decrypted value (which is encoded using ASCII) to the EBCDIC
value you want (I used Latin-1 rather than Latin-2 for the conversion as
there's nothing variant in the data you provided for testing)

These three steps are shown in the following sample program. All API
settings used to decrypt the data using Qc3DecryptData were determined by
your use of the enc command.

ctl-opt dftactgrp(*no);

dcl-pr DecodeB64 int(10);
b64Input varchar(1024) options(*varsize);
lenB64Input int(10) const;
b64Output char(1024) options(*varsize);
sizB64Output int(10) const;
end-pr;

dcl-pr DecryptAES128 int(10);
exchangeTkn char(1024) const options(*varsize);
lenExcTkn int(10) const;
newASCIIRcd char(1024) ccsid(*hex) options(*varsize);
sizNewRcd int(10) const;
end-pr;

dcl-pr DecryptData extproc('Qc3DecryptData');
encData char(1024) const options(*varsize);
lenEncData int(10) const;
algDesc char(64) const options(*varsize);
algDescFmt char(8) const;
keyDesc char(256) const options(*varsize);
keyDescFmt char(8) const;
cryptoPrv char(1) const;
cryptoDev char(10) const;
newASCIIRcd char(1024) ccsid(*hex) options(*varsize);
lenPrvClrData int(10) const;
lenRtnClrData int(10);
errCde likeds(errCde);
end-pr;

/include qsysinc/qrpglesrc,qc3cci
/include qsysinc/qrpglesrc,qusec

dcl-ds errCde qualified;
hdr likeds(QUSEC);
msgData char(128);
end-ds;

// Application oriented variables - base64 encoded variable

// u3VtNgfyWU9faZc3Iaa8ZWbE5UZCfmC17yA4MyW0ghflt9dNQNDpCcgMZiG/kX

// PE4vv2CHL93B4iKiODHxxdVA==

dcl-s encodedExchangeTkn

varchar(1024)

inz(x'A4F3E5A3D58786A8E6E4F98681E983F3-

C98181F8E9E682C5F5E4E9C38694C3F1-

F7A8C1F4D4A8E6F087888693A3F984D5-

D8D5C497C38387D4E989C76192E7D7C5-

F4A5A5F2C3C8D3F9F3C2F489D289D6C4-

C8A7A784E5C17E7E');

dcl-s exchangeTkn

char(1024); // Base64 decoded value

dcl-s lenExchangeTkn

int(10);

dcl-s lenRtn int(10);

dcl-s newASCIIRcd char(1024) ccsid(819);

dcl-s newRcd char(1024);

// Test record (tstRcd) is based on your current value using openssl

dcl-s tstRcd char(1024) inz(x'F7F0F7868285F3F260F084828360F4F1-

85F060F8F8F88660F58283F4F08485F8-
83F2F084F2D7F9C1D4D7C3E3D8F4C3E9-
10101010101010101010101010101010');

// Set API error code ds to send exceptions
errCde.Hdr.qusBPrv = 0;

// Decode the base64 encodedExchangeTkn variable to exchangeTkn
lenExchangeTkn = DecodeB64( encodedExchangeTkn
: %len(encodedExchangeTkn)
: exchangeTkn
: %size(exchangeTkn));

if lenExchangeTkn = -1;
// Error found in DecodeB64
*inlr = *on;
return;
endif;

// Decrypt exchangeTkn to newASCIIRcd
lenRtn = DecryptAES128( exchangeTkn : lenExchangeTkn
: newASCIIRcd : %size(newASCIIRcd));

// Convert ASCII newRcd to EBCDIC newRcd
%subst(newRcd : 1 : lenRtn) = %subst(newASCIIRcd : 1 : lenRtn);

// Compare newRcd to known value tstRcd
if %subst(newRcd : 1 : lenRtn) = %subst(tstRcd : 1 : lenRtn);
dsply 'Worked fine';
else;
dsply 'Failed';
endif;

*inlr = *on;
return;

// **********************************************************************

dcl-proc DecodeB64;
dcl-pi DecodeB64 int(10);
b64Input varchar(1024) options(*varsize);
b64LenInput int(10) const;
b64Output char(1024) options(*varsize);
sizB64Output int(10) const;
end-pi;

dcl-ds bytes based(inputPtr);
byte1 uns(3);
byte2 uns(3);
byte3 uns(3);
byte4 uns(3);
end-ds;

dcl-ds base64; // Base64 openssl decode mappings
// based on EBCDIC offset values
base64Values char(256) inz(x'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF-
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF-
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF-
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF-
FFFFFFFFFFFFFFFFFFFFFFFFFFFF3eFF-
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF-
FF3fFFFFFFFFFFFFFFFFFFFFFFFFFFFF-
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF-
FF1a1b1c1d1e1f202122FFFFFFFFFFFF-
FF232425262728292a2bFFFFFFFFFFFF-
FFFF2c2d2e2f30313233FFFFFFFFFFFF-
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF-
FF000102030405060708FFFFFFFFFFFF-

FF090a0b0c0d0e0f1011FFFFFFFFFFFF-
FFFF1213141516171819FFFFFFFFFFFF-
3435363738393a3b3c3dFFFFFFFFFFFF-
');
base64Value uns(3) dim(255) overlay(base64Values : 2);
end-ds;

dcl-ds work;
nbr uns(5) inz(0);
byte char(1) overlay(nbr : 2);
end-ds;

dcl-s inputPtr pointer;
dcl-s outData char(3) based(outputPtr);
dcl-s outputPtr pointer;
dcl-s pos int(10);
dcl-s temp varchar(3);

pos = 1;
inputPtr = %addr(b64Input) + 2; // Adjust addr for varchar input
outputPtr = %addr(b64Output);

dow (pos <= b64lenInput);
if base64Value(byte1) = x'FF';
dsply ('Bad value at position ' + %char(pos));
return -1;
endif;

if base64Value(byte2) = x'FF';
dsply ('Bad value at position ' + %char(pos + 1));
return -1;
endif;

if ((base64Value(byte3) = x'FF') and (byte3 <> 126));
dsply ('Bad value at position ' + %char(pos + 2));
return -1;
endif;

if ((base64Value(byte4) = x'FF') and (byte4 <> 126));
dsply ('Bad value at position ' + %char(pos + 3));
return -1;
endif;

// First output byte comes from bits 3-8 of byte 1
// and bits 3-4 of byte 2

nbr = ( (base64Value(byte1) * 4)
+ (base64Value(byte2) / 16));
temp = byte;

// Second output byte comes from bits 5-8 of byte 2
// and bits 3-6 of byte 3
// unless it's the pad character

if %subst(bytes : 3 : 1) <> '=';
nbr = ( (%bitand(base64Value(byte2) : x'0F') * 16)
+ (base64Value(byte3) / 4));
temp += byte;
endif;

// Third output byte comes from bits 7-8 of byte 3
// and bits 3-8 of byte 4
// unless it's the pad character

if %subst(bytes : 4 : 1) <> '=';
nbr = ( (%bitand(base64Value(byte3) : x'03') * 64)
+ base64Value(byte4));
temp += byte;
endif;

inputPtr += %size(bytes);
pos += %size(bytes);
lenRtn += %len(Temp);

if (lenRtn <= sizB64Output);
outData = temp;
outputPtr += %len(temp);
endif;
enddo;

return lenRtn;

end-proc;

// **********************************************************************

dcl-proc DecryptAES128;
dcl-pi DecryptAES128 int(10);
exchangeTkn char(1024) const options(*varsize);
lenExcTkn int(10) const;
newASCIIRcd char(1024) ccsid(*hex) options(*varsize);
sizNewRcd int(10) const;
end-pi;

dcl-ds myKEYD0200 qualified;
hdr likeds(QC3D020000);
key char(16);
end-ds;

// Initialize algorith description block to AES
qc3BCA = 22;
qc3BL = 16;
qc3Mode = '0';
qc3PO = '0';
qc3PC = x'00';
qc3Erved = x'00';
qc3MacL = x'00';
qc3EKS = x'00';
qc3IV = *allx'00';

// Initialize key description to AES
myKEYD0200.Hdr.qc3KT = 22;
myKEYD0200.Hdr.qc3KSL = 16;
myKEYD0200.Hdr.qc3KF = '0';
myKEYD0200.Hdr.qc3Erved02 = *allx'00';
// Taken from openssl enc
myKEYD0200.Key = x'363631653237354f494d31554c594c4a';

DecryptData( exchangeTkn : lenExcTkn
: qc3D0200 : 'ALGD0200'
: myKEYD0200 : 'KEYD0200'
: '0' : ' '
: newASCIIRcd : sizNewRcd : lenRtn
: errCde);

return lenRtn;
end-proc;

Compile and run the program. You should get the message 'DSPLY Worked
fine'.

So YES, the i API can be used.
Bruce

On Sat, Nov 23, 2019 at 8:04 AM Rishi Seth <rishiseth99@xxxxxxxxx> wrote:

Hi,

As my email to this forum was rejected by admin due to message size issue
so i än afraid whether my läst email was delivered or not to the AS400
experts or not so this is regarding my previous email's query which i had
posted like considering my encodedexchange token values inside those
sample type of XMLs should i conclude that as per my XMLs and
encodedexchange token values which we have decrypted with OPENSSL that can
not be decrypted with this 'Qc3DecryptData API' until i have sufficient
information how that value of encoded exchange token inside sthat sample
XML is coming.
Because OPENSSL did not bother these details and simply decrypted that
data(encodedexchangetoken data) using AES128 Algorithm.
Also could you please specific allt let me know what exact details we need
to decrypt that encodedexchange token data using this Qc3DecryptData API in
case still it could be decrypted using this Qc3DecryptData API.

I believe safer way should be to use Qc3DecryptData API to decrypt such
data provided we have all those minimum data which is Requied to decrypt it
using Qc3DecryptData API.
Please correct me if my understanding is wrong.


Thanks much.....
--
This is the RPG programming on IBM i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/rpg400-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com




As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.