I have a problem porting a function from PHP to NodeJS. I have tried to implement this PHP code in Node JS, but it's not working.

This is the code in PHP

   <?php 
        require_once 'vendor/autoload.php';
    
        // function decrypt
        function stringDecrypt($key, $string){
            
      
            $encrypt_method = 'AES-256-CBC';
    
            // hash
            $key_hash = hex2bin(hash('sha256', $key));
      
            // iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
            $iv = substr(hex2bin(hash('sha256', $key)), 0, 16);
    
            $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key_hash, OPENSSL_RAW_DATA, $iv);
      
            return $output;
        }
        
    ?>

This is my code in NodeJs

    function decryptResponse(timestamp, string, key) {
        var key_hash = hex2bin(crypto.createHash("sha256").update(key).digest('hex'));
        var iv = key_hash.substr(0,16);
        var decoder = crypto.createDecipheriv('aes-256-cbc', key_hash, iv);
        var output = decoder.update(Buffer.from(string).toString('base64'),'base64','utf8') += decoder.final('utf8');
        console.log("Decrypt Result : ", output); //Not Showing on Log
    }

    function hex2bin(hex) {
        var bytes = [];
        var str;
        for(var i=0; i< hex.length-1; i+=2){
            bytes.push(parseInt(hex.substr(i, 2), 16));
        }
        str = String.fromCharCode.apply(String, bytes);

        return str;
    }

This function is called when I get the response from the API and need to send it to the user.

    var decompressedResponse = decryptResponse(timestamp, response.data.response, key);
    res.send(decompressedResponse);

I need this function to decrypt a response from the API, so I really need this one working. Thank you for your help.

  • In the PHP code the decompress() function is not used, why do you post it (and why is it applied at all in the NodeJS code)? hex2bin() in the NodeJS code is also not defined. Commented Nov 9, 2021 at 7:43
  • @Topaco sorry, I will add the hex2bin() on nodejs. For the PHP, I don't know much about it because it's not mine. The basic idea is, you need to decrypt the API response with aes-256-cbc, then decompress the decrypted result with LZString. Commented Nov 9, 2021 at 7:47
  • I would recommend to ask the decompress issue in a separate question (if needed at all). Currently, your information on this is inconsistent, which makes it difficult to answer the whole question: In the PHP code decompress() is not called at all and in the NodeJS code the implementation is missing. Commented Nov 9, 2021 at 8:00
  • @Topaco Ah okay, I will delete that, because the main problem is the decryption. Thank you for your advice Commented Nov 9, 2021 at 8:02
  • @Topaco Thank you for your advice. I removed the hex2bin function and returned the key hash as a buffer, and now it's working. Can you please post that as an answer? I will accept it as the correct answer. Thank you. Commented Nov 10, 2021 at 2:17

1 Answer

The hex2bin() function is not needed and can be removed.

Also, it's easier to determine key and IV as buffer.

The ciphertext is currently Base64 encoded a second time in update(). To avoid this, it should be passed directly to update().

And the concatenation of the results of update() and final() call must be done with + instead of += (which is probably just a typo or copy/paste error).

Overall:

    const crypto = require('crypto');

    function decryptResponse(timestamp, string, key) {
        var key_hash = crypto.createHash("sha256").update(key).digest(); // remove hex2bin; use Buffer
        var iv = key_hash.slice(0,16); // use Buffer
        var decoder = crypto.createDecipheriv('aes-256-cbc', key_hash, iv);
        var output = decoder.update(string,'base64','utf8') + decoder.final('utf8'); // don't Base64 encode twice, pass ciphertext directly; apply + instead of +=
        console.log("Decrypt Result : ", output);
        return output; // the caller passes the result to res.send()
    }

Note that it's insecure to use the key or a part of the key as IV. Usually the (non-secret) IV is randomly generated for each encryption and passed along with the ciphertext (typically concatenated).

Also, using a hash as key derivation function is insecure. Instead, a reliable key derivation function such as PBKDF2 should be applied.
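
The two notes that close this answer (a random IV sent along with the ciphertext, PBKDF2 instead of a bare hash), sketched as an added example that is not part of the original answer. The function names, the `salt || iv || ciphertext` layout and the iteration count are assumptions; `encryptLegacy` reproduces the question's scheme only to show that it is deterministic.

```javascript
// Added example, not the answerer's code. Names and message layout are assumptions.
const crypto = require('crypto');

const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune to your latency budget
const SALT_LEN = 16;
const IV_LEN = 16;

// Derive a 32-byte AES-256 key from a password and a per-message random salt.
function deriveKey(password, salt) {
    return crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Output layout (assumed for this example): base64(salt || iv || ciphertext).
function encryptMessage(password, plaintext) {
    const salt = crypto.randomBytes(SALT_LEN);
    const iv = crypto.randomBytes(IV_LEN); // fresh, non-secret IV for every message
    const cipher = crypto.createCipheriv('aes-256-cbc', deriveKey(password, salt), iv);
    const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
    return Buffer.concat([salt, iv, ct]).toString('base64');
}

function decryptMessage(password, b64) {
    const blob = Buffer.from(b64, 'base64');
    // Need salt + IV + at least one 16-byte CBC block.
    if (blob.length < SALT_LEN + IV_LEN + 16) throw new Error('ciphertext too short');
    const salt = blob.subarray(0, SALT_LEN);
    const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
    const ct = blob.subarray(SALT_LEN + IV_LEN);
    const decipher = crypto.createDecipheriv('aes-256-cbc', deriveKey(password, salt), iv);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// The question's scheme, for comparison: key = SHA-256(key), IV = first 16 bytes of that key.
function encryptLegacy(key, plaintext) {
    const keyHash = crypto.createHash('sha256').update(key).digest();
    const cipher = crypto.createCipheriv('aes-256-cbc', keyHash, keyHash.subarray(0, 16));
    return Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]).toString('base64');
}
```

With the key-derived IV, equal plaintexts under the same key always produce equal ciphertexts; with a random salt and IV, every message differs even when the plaintext repeats.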
