[SalesForce] How to decrypt the MCRYPT_RIJNDAEL_256 encrypted value in Salesforce.

How to decrypt the MCRYPT_RIJNDAEL_256 encrypted value in Salesforce. Let me explain: Salesforce is getting an encrypted (MCRYPT_RIJNDAEL_256, ECB mode) value from an external website, so we need to decrypt that value before setting it on the portal user in Salesforce.

Could anybody please let me know how to do this task?

Best Answer

The AES specification uses a subset of the Rijndael algorithm, so 'AES-256' should be synonymous with 'Rijndael-256' (assuming that the '256' is the size of the key, not the block size; if Rijndael-256 means a block size of 256, then you're completely out of luck). Edit: Rijndael-256 means that the block size of the cipher is 256 bits. AES uses a fixed block size of 128 bits, so Rijndael-256 is not synonymous with AES-256.

Salesforce provides very little in the way of being able to decrypt things on-platform, so I think that you're (unfortunately) still out of luck.

The documentation on the Crypto class, specifically for the decrypt(algorithmName, privateKey, initializationVector, cipherText) method, has the following to say (emphasis mine):

Valid values for algorithmName are:

  • AES128
  • AES192
  • AES256

These are all industry standard Advanced Encryption Standard (AES) algorithms with different size keys. They use cipher block chaining (CBC) and PKCS5 padding.

The length of privateKey must match the specified algorithm: 128 bits, 192 bits, or 256 bits, which is 16, 24, or 32 bytes, respectively. You can use a third-party application or the generateAesKey method to generate this key for you.

The initialization vector must be 128 bits (16 bytes).

Salesforce does not support ECB mode, only CBC.

If you aren't able to change the algorithm that this external site is using, then your options are:

  • Use a different website that uses AES in CBC mode (The consensus for over 5 years now seems to be that ECB is bad)
  • Use another (trusted) third party to decrypt/re-encrypt for you
  • Use an intermediary server (that you control) to intercept the ciphertext, and decrypt/re-encrypt it for you before passing it back to Salesforce

I honestly wouldn't even consider trying to find an implementation in some other language, and port it to Apex. Encryption is one of those things that you really need to know exactly what you're doing. Small mistakes in this domain tend to have grave consequences.
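As an added example (not part of the original answer, and not Salesforce's or any library's own code), the following Go program shows the leg of the "intermediary server" option that the answer describes: once the intermediary has the plaintext, it produces exactly the input the Crypto class documents for decrypt, namely AES in CBC mode with PKCS5 padding, a key of 16, 24 or 32 bytes, and a 16-byte IV, and it returns the matching algorithmName string. It also demonstrates, in RepeatedBlocksCollide, the concrete reason the answer calls ECB bad: two identical plaintext blocks produce two identical ciphertext blocks in ECB but not in CBC. The example assumes the intermediary already recovered the plaintext from the external site's value by some other means; decrypting Rijndael-256 in ECB mode is out of scope here, and Go's standard library, like Salesforce, has no Rijndael with a 256-bit block. The key and sample value are constructed for the demonstration, and the function names (AlgorithmName, EncryptForSalesforce, DecryptCBC, RepeatedBlocksCollide) are this example's own. DecryptCBC is a local stand-in used only to check the round trip; it is not the platform's implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// The only key sizes the Crypto class documents, keyed by byte length.
var algByKeyLen = map[int]string{16: "AES128", 24: "AES192", 32: "AES256"}

// AlgorithmName returns the algorithmName to pass to Crypto.decrypt for this key,
// rejecting any length other than 16, 24 or 32 bytes before anything is encrypted.
func AlgorithmName(key []byte) (string, error) {
	if alg, ok := algByKeyLen[len(key)]; ok {
		return alg, nil
	}
	return "", fmt.Errorf("key must be 16, 24 or 32 bytes, got %d", len(key))
}

// pkcs5Pad appends 1..16 bytes, each holding the pad length (the PKCS5 padding the docs name).
func pkcs5Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad validates and strips that padding; the caller guarantees a non-empty multiple of 16 bytes.
func pkcs5Unpad(data []byte) ([]byte, error) {
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return data[:len(data)-n], nil
}

// EncryptForSalesforce produces exactly what Crypto.decrypt(alg, key, iv, ciphertext) documents
// as its input: AES in CBC mode, PKCS5 padding, and a fresh random 16-byte IV per message.
func EncryptForSalesforce(key, plaintext []byte) (alg string, iv, ciphertext []byte, err error) {
	if alg, err = AlgorithmName(key); err != nil {
		return "", nil, nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", nil, nil, err
	}
	iv = make([]byte, aes.BlockSize)
	if _, err = rand.Read(iv); err != nil {
		return "", nil, nil, err
	}
	padded := pkcs5Pad(plaintext)
	ciphertext = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, padded)
	return alg, iv, ciphertext, nil
}

// DecryptCBC mirrors what Crypto.decrypt does on the Salesforce side so the round trip can be
// checked locally before anything is sent; it is a local stand-in, not the platform's code.
func DecryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize || len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("iv must be 16 bytes and ciphertext a non-empty multiple of 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ciphertext)
	return pkcs5Unpad(padded)
}

// RepeatedBlocksCollide encrypts one 16-byte block twice and reports whether both ciphertext
// blocks are identical: true in ECB (equal plaintext blocks are visible in the ciphertext),
// false in CBC, which mixes each ciphertext block into the next plaintext block.
func RepeatedBlocksCollide(block cipher.Block, useCBC bool) bool {
	plaintext := bytes.Repeat([]byte("same sixteen byt"), 2) // constructed input: one block, twice
	out := make([]byte, len(plaintext))
	if useCBC {
		iv := make([]byte, aes.BlockSize) // an all-zero IV is acceptable only for this property check
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	} else { // Go's standard library deliberately has no ECB mode; this loop is all ECB is
		for i := 0; i < len(plaintext); i += aes.BlockSize {
			block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
		}
	}
	return bytes.Equal(out[:aes.BlockSize], out[aes.BlockSize:])
}

func main() {
	// Constructed 32-byte key and sample value; a real intermediary would load the key from a
	// secret store shared with the Salesforce org, never from source.
	key := []byte("0123456789abcdef0123456789abcdef")
	alg, iv, ct, err := EncryptForSalesforce(key, []byte("portal-user@example.com"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("algorithmName=%s\niv=%s\nciphertext=%s\n", alg, base64.StdEncoding.EncodeToString(iv), base64.StdEncoding.EncodeToString(ct))
	block, _ := aes.NewCipher(key)
	fmt.Printf("identical plaintext blocks give identical ciphertext blocks: ECB=%v CBC=%v\n",
		RepeatedBlocksCollide(block, false), RepeatedBlocksCollide(block, true))
}
```

The intermediary would hand Salesforce the three printed values (base64 is a convenient transport, and Apex can decode it), and Apex would call Crypto.decrypt with that algorithmName, the shared key, the IV and the ciphertext. Note that the IV is generated fresh for every message and travels alongside the ciphertext; only the key is secret.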
