NSCharacterSet URLHostAllowedCharacterSet doesn't replace '+' sign?

Question

I'm struggling to transmit long encrypted strings over the network and get them to come out correctly on the server. For example, I have this encrypted string on the client:

wcWSERZCh8Xm1hpbNo1kSD1LvFmpuUr4wmq9hQUWeK0vYcLeFPGwFR/sBTES1A4rPV6eyp9nzEEU9uKkiFSTdP+SPOSqUf6evjf3WRHrXMRe81lIrHuRyk0iRwoNe5uIk+VlpR41kETmznXa4+gELmf53r7oayRkkffnIPDmpO+WbgE0VL3PQeOsXB01tWJyDiBIsz5WJiiEIm3ZoJW/sw==

As you can see, it has a few characters that will not transmit over the network without some URL encoding (+ and /, most notably). I'm not entirely sure if there could be other characters that could arise in other situations, so I want to make sure that my solution is 'universally' correct. I am using this line:

NSString *escapedString = [cipherString stringByAddingPercentEncodingWithAllowedCharacters:[NSCharacterSet URLHostAllowedCharacterSet]];

which I found in a highly reviewed answer.

However, I'm still having trouble decrypting this on the server side, so I printed out the results on the client immediately before sending, and I see this:

wcWSERZCh8Xm1hpbNo1kSD1LvFmpuUr4wmq9hQUWeK0vYcLeFPGwFR%2FsBTES1A4rPV6eyp9nzEEU9uKkiFSTdP+SPOSqUf6evjf3WRHrXMRe81lIrHuRyk0iRwoNe5uIk+VlpR41kETmznXa4+gELmf53r7oayRkkffnIPDmpO+WbgE0VL3PQeOsXB01tWJyDiBIsz5WJiiEIm3ZoJW%2Fsw==

Why are the '+' signs still there? Am I using the wrong allowed character set? Which character set should I use to guarantee that I correctly escape all problematic characters?

If it helps, here is the code that I am using to encrypt the plain text string. When it is done, I base64 encode the results before sending across the network:

- (NSData *)phpEncryptCleartext : (NSData *)cleartext
{
    NSData *cleartextPadded = [self phpPadData:cleartext];

    CCCryptorStatus ccStatus        = kCCSuccess;
    size_t          cryptBytes      = 0;    // Number of bytes moved to buffer.
    NSMutableData  *cipherTextData  = [NSMutableData dataWithLength:cleartextPadded.length];

    ccStatus = CCCrypt(kCCEncrypt,
                       kCCAlgorithmAES128,
                       0,
                       _sessionKey.bytes,
                       kCCKeySizeAES128,
                       _iv.bytes,
                       cleartextPadded.bytes,
                       cleartextPadded.length,
                       cipherTextData.mutableBytes,
                       cipherTextData.length,
                       &cryptBytes);

    if (ccStatus == kCCSuccess) {
        cipherTextData.length = cryptBytes;
    }
    else {
        NSLog(@"kEncryptionError code: %d", ccStatus); // Add error handling
        cipherTextData = nil;
    }

    return cipherTextData;
}

Thanks for any advice!

Answer 1

Swift version here.

To escape character use stringByAddingPercentEncodingWithAllowedCharacters:

NSString *URLEscapedString =
[string stringByAddingPercentEncodingWithAllowedCharacters:[NSCharacterSet URLQueryAllowedCharacterSet]];

The following are useful character sets, actually the characters not included in the sets:

URLFragmentAllowedCharacterSet  "#%<>[\]^`{|}
URLHostAllowedCharacterSet      "#%/<>?@\^`{|}
URLPasswordAllowedCharacterSet  "#%/:<>?@[\]^`{|}
URLPathAllowedCharacterSet      "#%;<>?[\]^`{|}
URLQueryAllowedCharacterSet     "#%<>[\]^`{|}
URLUserAllowedCharacterSet      "#%/:<>?@[\]^`

Or create your own characterset with just the characters that you need to escape.

NSCharacterSet *customCharacterset = [[NSCharacterSet characterSetWithCharactersInString:@"your characters"] invertedSet];

Creating a characterset combining all of the above:

NSCharacterSet *URLFullCharacterSet = [[NSCharacterSet characterSetWithCharactersInString:@" \"#%/:<>?@[\\]^`{|}"] invertedSet];

Creating a Base64

In the case of Base64 characterset:

NSCharacterSet *URLBase64CharacterSet = [[NSCharacterSet characterSetWithCharactersInString:@"/+=\n"] invertedSet];

Note: stringByAddingPercentEncodingWithAllowedCharacters will also encode UTF-8 characters requiring encoding.

Example to verify the characters in the set:

void characterInSet(NSCharacterSet *set) {
    NSMutableString *characters = [NSMutableString new];
    NSCharacterSet *invertedSet = set.invertedSet;
    for (int i=32; i<127; i++) {
        if ([invertedSet characterIsMember:(unichar)i]) {
            NSString *c = [[NSString alloc] initWithBytes:&i length:1 encoding:NSUTF8StringEncoding];
            [characters appendString:c];
        }
    }
    printf("characters not in set: '%s'\n", [characters UTF8String]);
}