macos - Openssl Decrypt in PHP without -iv -pass
Get the solution ↓↓↓I want to decrypt an already encrypted text i have, i manage it to do it by command in MacOS Terminal.
printf "encrypted text" | openssl enc -d -base64 -A -aes-256-cbc -k "abcde" -nosalt
In MacOS Terminal it runs fine, i get the decrypted message, but i tried this in php and failed.
<?php
$method = 'aes-256-cbc';
$password = substr(hash('sha256', 'abcde', true), 0, 32);
$iv = chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0);
$decoded = openssl_decrypt(base64_decode($token), 'AES-256-CBC', $password, 0, $iv);
return $decoded;
?>
I don't know how terminal handles the -nosalt key to get iv and pass, i tried with empty iv and failed. What is the php equivalent code for this?
Answer
Solution:
Let's start with a serious warning (that was commented by @Sammitch as well): Please do not use this function in production as it UNSECURE. Kindly use it only for migration to a much better key derivation.
To your question: OpenSSL uses an outdated key derivation to generate the key and the necessary initialization vector (IV). You could find a lot of examples here on SO to see how the key derivation works and how you could use it programmatically in PHP.
I will show you a way how to do it with OpenSSL for a single task. You ran the encryption this way:
printf "encrypted text" | openssl enc -d -base64 -A -aes-256-cbc -k "abcde" -nosalt
and receive the decrypted text. Your passphrase in use is "abcde". When adding an additional parameter "-P" you will be shown the derivated key and IV, in your case this values (all values in hex notation):
printf "encrypted text" | openssl enc -d -base64 -A -P -aes-256-cbc -k "abcde" -nosalt
key=36BBE50ED96841D10443BCB670D6554F0A34B761BE67EC9C4A8AD2C0C44CA42C
iv =2A34E82FFC2B85AA708049C7CD64A6A1
Now you can use these values in PHP for decryption (use hex2bin for conversion).
Btw.: the parameter "-P" just shows the key and IV without decryption, using "-p" shows the key and IV and runs the decryption.
Share solution ↓
Additional Information:
Link To Answer People are also looking for solutions of the problem: filter_sanitize_string deprecated
Didn't find the answer?
Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.
Similar questions
Find the answer in similar questions on our website.
Write quick answer
Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.