funcool/buddy-core

Little Help Recreating This?

Closed this issue · 4 comments

devn commented

Hello,

First off, I want to say thank you for all of your hard work on buddy. It is much appreciated.

I have some code that I'd like to convert to buddy, and I was wondering if you (or one of the fine people reading this) could help me out:

(ns toy.crypto
  (:require [buddy.core.bytes :as bytes]
            [buddy.core.crypto :as crypto]
            [buddy.core.codecs :as codecs]
            [buddy.core.kdf :as kdf]
            [buddy.core.nonce :as nonce]
            [buddy.core.padding :as padding]
            [buddy.core.hash :as hash]
            [buddy.hashers :as hashers]
            [clojure.data.codec.base64 :as b64]
            [clojure.string :as str]
            [byte-streams]
            [byte-transforms]
            [outpace.config :refer (defconfig!)])
  (:import [java.io
            ByteArrayInputStream
            ByteArrayOutputStream]
           [javax.crypto Cipher
            SecretKeyFactory]
           [javax.crypto.spec
            IvParameterSpec
            PBEKeySpec
            SecretKeySpec]))

(def salt "this is some salt")
(def passcode "this is a passcode")

(defonce key-factory (SecretKeyFactory/getInstance "PBKDF2WithHmacSHA1"))

(defonce key-spec (PBEKeySpec. (.toCharArray passcode)
                               (.getBytes salt)
                               100000 ;; iterations
                               256)) ;; AES256

(defonce aes-key (-> key-factory
                     (.generateSecret key-spec)
                     (.getEncoded)
                     (SecretKeySpec. "AES")))

(defn decrypt [payload]
  (let [[iv msg] (str/split payload #"--")

        iv-spec (-> (byte-transforms/decode iv :base64)
                    IvParameterSpec.)

        cipher (Cipher/getInstance "AES/CBC/PKCS5Padding") ;; I think I read that PKCS5Padding is synonymous with PKCS7Padding when used in this context, but I am not 100% sure on that.
        _ (.init cipher Cipher/DECRYPT_MODE aes-key iv-spec)]

    (.doFinal cipher (byte-transforms/decode msg :base64))))

(defn encrypt [msg]
  (let [cipher (Cipher/getInstance "AES/CBC/PKCS5Padding")

        _ (.init cipher Cipher/ENCRYPT_MODE aes-key)

        params (.getParameters cipher)
        iv (.getIV (.getParameterSpec params IvParameterSpec))
        encrypted-msg (.doFinal cipher (.getBytes msg "UTF-8"))]

    (format "%s--%s"
            (String. (b64/encode iv) "UTF-8")
            (String. (b64/encode encrypted-msg) "UTF-8"))))

Any help would be much appreciated!

Hi! Converting this to use buddy, with the condition that the converted code coexists with and works in exactly the same way as this code, can be tedious, because here you are using AES/CBC/PKCS5Padding, which is a "high level" encryption scheme. We would have to read up on it and find out whether it matches exactly one of the buddy high-level encryption schemes (introduced in 0.6.x). If it does not, you should read how it concretely works and implement it (or propose a feature request for someone else to implement it).

But if you don't want exact output and you want an encryption scheme with similar security, you can consider using one of the existing encryption schemes of buddy: https://funcool.github.io/buddy-core/latest/#high-level-encryption-schemes

devn commented

Hello @niwinz,

Yes, I began reading last night about this scheme, but I've been unable to find good information about the steps it actually takes. I looked through the high level encryption schemes and was still a little confused as to what I actually needed to do. I would happily switch to one of the schemes you have, but the "AES/CBC/PKCS5Padding" scheme is necessary for now.

Based on what I can tell, :aes256-cbc-hmac-sha512 is very close. No?

Yes, :aes256-cbc-hmac-sha512 should be very close to "AES/CBC/PKCS5Padding". But as the latter is very opaque, I don't know how it uses the authentication tag.

The encryption schemes in buddy are defined as specified in the RFC for AES+CBC+HMAC+SHA2: http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05
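
Added example (not code from this thread or from buddy): the AES-256-CBC + HMAC-SHA-512 construction of the linked draft, written with the same JCE interop as the original post. It shows that "AES/CBC/PKCS5Padding" is only the pad-and-encrypt step, and that the authentication tag is a separate HMAC over the associated data, IV and ciphertext. The namespace, the function names and the IV || ciphertext || tag output layout are assumptions of this example, and it is not claimed to be byte-compatible with buddy's output.

```clojure
(ns toy.cbc-hmac ; hypothetical namespace for this added example
  (:import [java.nio ByteBuffer]
           [java.security MessageDigest SecureRandom]
           [java.util Arrays]
           [javax.crypto Cipher Mac]
           [javax.crypto.spec IvParameterSpec SecretKeySpec]))

(def ^:const tag-len 32) ; AES-256-CBC + HMAC-SHA-512: 64-byte key, 32-byte tag

(defn- cat-bytes ^bytes [& arrays]
  (byte-array (mapcat seq arrays)))

(defn- split-key [^bytes k]
  (when-not (= 64 (alength k)) (throw (ex-info "key must be 64 bytes" {})))
  ;; MAC_KEY is the first 32 bytes of K, ENC_KEY the last 32.
  [(SecretKeySpec. (Arrays/copyOfRange k 0 32) "HmacSHA512")
   (SecretKeySpec. (Arrays/copyOfRange k 32 64) "AES")])

(defn- tag ^bytes [^SecretKeySpec mac-key ^bytes aad ^bytes iv ^bytes ct]
  ;; T = first 32 bytes of HMAC-SHA512(MAC_KEY, A || IV || ciphertext || AL);
  ;; AL is the bit length of A as a 64-bit big-endian integer.
  (let [al  (.array (.putLong (ByteBuffer/allocate 8) (* 8 (alength aad))))
        mac (doto (Mac/getInstance "HmacSHA512") (.init mac-key))]
    (Arrays/copyOf (.doFinal mac (cat-bytes aad iv ct al)) tag-len)))

(defn- cbc ^bytes [mode ^SecretKeySpec enc-key ^bytes iv ^bytes input]
  ;; Everything "AES/CBC/PKCS5Padding" does: pad, then CBC. No tag.
  (.doFinal (doto (Cipher/getInstance "AES/CBC/PKCS5Padding")
              (.init (int mode) enc-key (IvParameterSpec. iv))) input))

(defn encrypt ^bytes [^bytes k ^bytes aad ^bytes plaintext]
  (let [[mac-key enc-key] (split-key k)
        iv (byte-array 16)
        _  (.nextBytes (SecureRandom.) iv) ; fresh random IV per message
        ct (cbc Cipher/ENCRYPT_MODE enc-key iv plaintext)]
    ;; Output layout assumed by this example: IV || ciphertext || tag.
    (cat-bytes iv ct (tag mac-key aad iv ct))))

(defn decrypt ^bytes [^bytes k ^bytes aad ^bytes msg]
  (let [[mac-key enc-key] (split-key k)
        n  (alength msg)
        _  (when (< n 64) (throw (ex-info "message too short" {})))
        iv (Arrays/copyOfRange msg 0 16)
        ct (Arrays/copyOfRange msg 16 (- n tag-len))
        t  (Arrays/copyOfRange msg (- n tag-len) n)]
    ;; Constant-time tag check first; unpad only authenticated data.
    (when-not (MessageDigest/isEqual t (tag mac-key aad iv ct))
      (throw (ex-info "authentication failed" {})))
    (cbc Cipher/DECRYPT_MODE enc-key iv ct)))
```

With a random 64-byte `k`, `(decrypt k aad (encrypt k aad plaintext))` returns the plaintext bytes; changing any byte of the message or of `aad` makes `decrypt` throw before the cipher runs.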

devn commented

Thanks for the link and for creating the issue to create this high level scheme.

I am reading up on crypto, but I suspect this will take me a lot longer to figure out than someone with some experience implementing these schemes. My reading has led me to the point where I feel like I really should sit down and read a book before I get too confident implementing this myself.

If you find the time, it would be great to switch from doing direct interop to using buddy directly.

Thanks so much for your help!