Sample code for Implementing PSA_ALG_CBC_PKCS7 ESP 32-S3

[RiverS_16]

Hello,

I am trying to implement encryption/Decryption in ESP 32 S3 using their IDF.The Sample code i referred to is
https://github.com/Mbed-TLS/mbedtls/blo ... les.c#L300, which works fine .
Basically my problem statement is ,i am getting a encrypted string in Base 64 format, which i need to decrypt, do some processing, encrypt it and send it back.
Currently , i am facing a problem that if a string other than ascii format is passed to encryption /decryption function its throws a error (-135) , i.e Invalid parameter.

i wanted some help to cope up with the above problem.

[MicroController]

a) show us your code which reproduces the error
b) make sure you don't use strlen(...) on binary data

[RiverS_16]

hello

This is the code i am using .i have modified reference code's function cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi a little to suit my need.Rest all functions i have used from reference code(https://github.com/Mbed-TLS/mbedtls/blo ... les.c#L300,) as it is.Here 'a' is a string i am receiving from a third party app light blue, and 'b' is the length of the string.
I am converting encrypted output to base 64 format, and passing that converted string to decrypt function.On hitting cipher operation in decrypt function i am getting error -135.


psa_status_t cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi(unsigned char a[],size_t b)
{
enum {
block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(PSA_KEY_TYPE_AES),
key_bits = 256,
input_size = 100,
part_size = 14,

};

const psa_algorithm_t alg = PSA_ALG_CBC_PKCS7;




psa_status_t status;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_id_t key ="ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEF" ;

size_t output_len = 0;
uint8_t iv[block_size]= "ABCDEFGHIJKLMNOP",encrypt[input_size + block_size], decrypt[input_size + block_size];;

status = psa_crypto_init();
if (status != PSA_SUCCESS)
{
printf("Failed to initialize PSA Crypto\n");
return 1;
}
else
{

printf(" PSA Crypto encrypt init success\n");

}
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, key_bits);

status = psa_generate_key(&attributes, &key);
ASSERT_STATUS(status, PSA_SUCCESS);

printf("Original Text: %s\n", a);

status = cipher_encrypt(key, alg, iv, sizeof(iv),
a, b, part_size,
encrypt, sizeof(encrypt), &output_len);
printf("Encrypted output=%s\n",encrypt);
//
unsigned char *base64_output = base64Encode((unsigned char*)encrypt, output_len);

printf("Encrypted and Base64 Encoded: %s\n", base64_output);

status = cipher_decrypt(key, alg, iv, sizeof(iv),
base64_output, b, part_size,
decrypt, sizeof(decrypt), &b);
ASSERT_STATUS(status, PSA_SUCCESS);
printf("Decrypted output=%s\n",decrypt);

printf("decrypt=%d\n",sizeof(decrypt));



exit:
psa_destroy_key(key);
return status;
}

unsigned char *base64Encode(unsigned char *input, size_t input_len) {
size_t output_len;
mbedtls_base64_encode(NULL, 0, &output_len, (const unsigned char *)input, input_len);

unsigned char *output = (unsigned char *)malloc(output_len + 1);
mbedtls_base64_encode((unsigned char *)output, output_len, &output_len, (const unsigned char *)input, input_len);
output[output_len] = '\0';

return output;
}

[MicroController]

I am converting encrypted output to base 64 format, and passing that converted string to decrypt function.

Not sure why one would do that. There are easier ways to generate pseudo-random numbers.
With that, I find it hard to see what in your code is intentional and what's not.
However,

Code: Select all

status = cipher_encrypt(key, alg, iv, sizeof(iv),
a, b, part_size,
encrypt, sizeof(encrypt), &output_len);
...
status = cipher_decrypt(key, alg, iv, sizeof(iv),
base64_output, b, part_size,
decrypt, sizeof(decrypt), &b);

You'll want to use the length of the output generated by cipher_encrypt (output_len) as the length of the input to cipher_decrypt (i.e. some multiple of the block size).

[RiverS_16]

Hello,

Thank you for your reply.

To answer your question , In my problem statement i am getting a base 64 encrypted string and i need to decrypt that string.

secondly , I get your point that i need to give length of encrypted string as input to decrypt function.

But i need clarity on following points.

1.does encrypt and decrypt function accept Only ASCII strings.

2.Can i call the Decrypt function directly if i have a encrypted string or its mandatory to follow first encrypt then decrypt sequence.

[MicroController]

To answer your question , In my problem statement i am getting a base 64 encrypted string and i need to decrypt that string.

Ok, I think I get that.
But, and to your question: Encryption yields non-ASCII, binary data. And cipher_decrypt expects the same binary data. If you have a Base64 string containing encrypted data, you'll want to first decode Base64 to binary and then perform decryption on the binary data.
Passing the Base64 string to cipher_decrypt will result in garbage data output, and, as you have noticed, may fail straight away because the Base64 is of a different length than the binary data encoded in it and expected by the decryption algorithm.

Alice:
message = Base64Encode(encrypt(plaintext));

Bob:
plaintext = decrypt(Base64Decode(message));