Question
Last activity: 6 Jun 2017 4:00 EDT
RSAWrapper.encryptString coming out different between 6.2 and 7.2 PRPC
We are in the process of upgrading our Decisioning Hub at our customer site. One of the issues we are having is that the customer can no longer read our encrypted RSA data. We encrypt the same string in both the 6.2 and 7.2 environments - using the same inputs and even the same RSA data file. The encrypted strings come out the same length but different in the encryption. In 6.2, the customer's server could decrypt and process our message, but in 7.2, they cannot read the encrypted string and are returning "INVALID XML".
Out encrypted in 6.2.
MTcxNjU5MDcyOQBdZC2OuDKfIupFmGm5QlmmBw+V498rOlVZPdimm/UMevGcXSX3bbYQiXBrO7Jq6vCGkEKccnU4aMkLmt1ddxUWOXpuhsSHH5G+TSzecxOZXIgy4GAsNLpGEoaySuWxjYJTqJRHJdN5wm56Az1HBFTiFsKNkKYeE/b80gwQGKISQo0jFUtkZufyTTrMRf9tBLZvg68AtkqFrI91xJCk7HqaRVKrnjDK5oMRU8sc1OFWxvCPmKTEXtMdtD/60ysj0zqOG78JfbRjLOxegqiebjROXhpRmXrfGa+Jy8s1Zm5HjLfo4ZcZut+/qpSTdgkz5n7xf/WkRsVMFJIL8cEtW6nvkgILmNWniW4GCfSicJ1D1W99P9bj3/pnXIuavlRwJP1XnQXLe+hS86HoxmOYAJtigccxRIll/FclrZwdTGYBPT4Qjz+IIXRyBaY6a5WNnPYYGTwOAycsmhcUvnC2mT5Tyxt1vAGkRVM5vb+p4YL+pZ4h1s47PUmbH0a/oC9auiLchdkGb5BdAdUqBdiaF98Rnqcuj0u9uvvfHqAMzF7+iovPmh2AlhHKJ7ubVNUgPr8xxxdjYYTbNHu6XTeOOVWjOwq1DHmfX50hl+AoR6C7tkcHco1ucFYyb1CHVvCAgA+j5JfuAB8zl/q6FhzuAYQ+CuaYKZUaNJgTnYLp1isPEfH+eLwBjz/bNUPIynHkxIROrYW2KBSirK5R+n+pjUNCRA6MRegg0lyu/JydRo0w4CQcvo+IY0d7fujSCqFS6O8=
Our encrypted in 7.2
We are in the process of upgrading our Decisioning Hub at our customer site. One of the issues we are having is that the customer can no longer read our encrypted RSA data. We encrypt the same string in both the 6.2 and 7.2 environments - using the same inputs and even the same RSA data file. The encrypted strings come out the same length but different in the encryption. In 6.2, the customer's server could decrypt and process our message, but in 7.2, they cannot read the encrypted string and are returning "INVALID XML".
Out encrypted in 6.2.
MTcxNjU5MDcyOQBdZC2OuDKfIupFmGm5QlmmBw+V498rOlVZPdimm/UMevGcXSX3bbYQiXBrO7Jq6vCGkEKccnU4aMkLmt1ddxUWOXpuhsSHH5G+TSzecxOZXIgy4GAsNLpGEoaySuWxjYJTqJRHJdN5wm56Az1HBFTiFsKNkKYeE/b80gwQGKISQo0jFUtkZufyTTrMRf9tBLZvg68AtkqFrI91xJCk7HqaRVKrnjDK5oMRU8sc1OFWxvCPmKTEXtMdtD/60ysj0zqOG78JfbRjLOxegqiebjROXhpRmXrfGa+Jy8s1Zm5HjLfo4ZcZut+/qpSTdgkz5n7xf/WkRsVMFJIL8cEtW6nvkgILmNWniW4GCfSicJ1D1W99P9bj3/pnXIuavlRwJP1XnQXLe+hS86HoxmOYAJtigccxRIll/FclrZwdTGYBPT4Qjz+IIXRyBaY6a5WNnPYYGTwOAycsmhcUvnC2mT5Tyxt1vAGkRVM5vb+p4YL+pZ4h1s47PUmbH0a/oC9auiLchdkGb5BdAdUqBdiaF98Rnqcuj0u9uvvfHqAMzF7+iovPmh2AlhHKJ7ubVNUgPr8xxxdjYYTbNHu6XTeOOVWjOwq1DHmfX50hl+AoR6C7tkcHco1ucFYyb1CHVvCAgA+j5JfuAB8zl/q6FhzuAYQ+CuaYKZUaNJgTnYLp1isPEfH+eLwBjz/bNUPIynHkxIROrYW2KBSirK5R+n+pjUNCRA6MRegg0lyu/JydRo0w4CQcvo+IY0d7fujSCqFS6O8=
Our encrypted in 7.2
MTcxNjU5MDcyOQBERbd+xGKU4paEOulLck16cCNXdUVWTiYZcG6DGNnfkVT3FqVWI7NWfzlPHSjY7CK+dv63QO95N4axVKbqdhPYqxfHK3VQVLGN/3zbO/wh3CDWUjkvyWwVwLJ1FybnzSbszR7g2sbv71cU3CgaeA/U2cewRwNYpbY9V7O5Shw3+FV5fqC+oCbo+GfqAmw5ysBbL6TinaRq11qkmRNmeWIdBwackmHCsYYtWyKN9rFw8/+6IRum+Wxg+eqvgqVt723zKhxI9s3R73BqMqo/9ERtxcSyWbDxEffAzRpTnDJzVS/5rq6wrx0KbMv5QsTrj9mK6XeeohIgC0aN+JozHIb19kLfJkOO15VyBBOIs5D/QY1DxCc4Dq/3eC8BUzeyM+jO0WkeURybIuQ8OdMNHymfksaw/coKLyYXMZoIlvya3JUFUv+9k5tH+W5SGZFvEVTiBm5u5CyKU7lklhFG7W0CFivTwJC3LPF9QPaEYik6xngMkcebgB+sRJSwFWURbORQpfrC9phj3DCXQ6iJiq0gCFvulhdtW3MBJuU7PIxD2VXtZu/7zTgC1NfSVXNeUbQmnSAgJaNA5s8oaYPUTuue/xI/oEPeT3KwvVKbsH8OYFR7kpC5SPdc6Fxl7y8FR8h6HzXTvIpJZzBA7Pqjs3iuNnYz5qUPE7AW1mRndFbG/qmTFpIAhXuendwP55DPRPcdfvlhFO4jrJzEbkQ+5dkabVnnMyiBoENZiUlZGutvYMcmcsd863W5AZkxCYNXKm8=
--------------------
Has anyone had issues in using the RSA libraries in 7.2? Is there something different we need to do for the new version?
Message was edited by: Sidney Coats Members expressed security concerns, so I removed the in the clear messages. The data was not production data, but merely sandbox test data, but I want to err on the side of caution.
Accepted Solution
On reviewing the corresponding SR, we see that it has been resolved.
Resolution is to apply HFix-27140
Although, both the 6.2 and 7.2 are using the same Java Home, I am seeing different cipher suites for the two.
For 6.2, they start with the following.
For 7.2, they start with these.
I notice in 7.2 we use jcajce.provider on the bouncy castle vs. just jce.provider on 6.2. I don't even know if that matters. I believe we are failing because our client's server to which we are encrypting data does not share all of our cipher suites. The java system property for rsaKeyClass is null. I have two questions.
1) Is there a way to know which cipher suite we are using in our encryption when we call RSAWrapper.encryptString?
2) Can we change it to a specific cipher - or is cipher and keyClass not the same?
We are now seeing that the 7.2 URL encoding going out to the wire on HTTP connections is not converting the '+' to '%2B'. The 6.2 URL encoding is converting '+' to '%2B'. If we call the Java URLEncoder.encodeString, it converts '+' to '%2B'.
Should + be converted to '%2B'? Should it matter? Should it be done under certain conditions? This is the only difference I am seeing between the code that is working in 6.2 and the code that is failing in 7.2. It does not appear to be an encryption issue as the strings we encrypt on 7.2 work fine when sent out on 6.2 and the encrypted response received in 6.2 can be decrypted successfully by 7.2. It does appear to be a URL encoding issue. If anyone has seen this or knows something about it, please let us know. Otherwise, I will post the answer here once we track it down.
Pegasystems Inc.
IN
Hello!
The SR details are not published on PDN. The Pega Global Customer Support Team had provided HFix-27140 which resolved the issue. This HFix was for Pega 7.2 product version. In case you are seeking the same HFix, please create an SR with the Pega Global Customer Support Team. This blog could help you with that: Raising Support Requests for Hotfixes now made easy!
In case your use case is slightly different for your Pega is of a different version, we suggest that you create an SR and mention the URL to this post.
Hope this helps!
Regards,