
OpenSSL decrypt AES 256bit (base64) encrypted password - wrong final block length

I am trying to decrypt an aes-256-cbc encoded password using OpenSSL

#!/usr/bin/env bash

ak=BgL0cPoZQ4wZWOWl5mXBhlMsNbbZL2zvsWZXjuGy4Iw=
iv=cGEvcGWzE8t7CS3wbeoUFQ==
pass=RCQm23YHOCg3nxOl7CcQ7w==

#change format from base64 into hex
AES_KEY=$(echo "${ak}" | openssl base64 -d | xxd -p |tr -d '\n')
AES_IV=$(echo "${iv}" | openssl base64 -d | xxd -p)
ENCODED_PASSWORD=$(echo "${pass}" | openssl base64 -d | xxd -p)

echo "AES_KEY ${AES_KEY}"
echo "AES_IV ${AES_IV}"
echo "ENCODED_PASSWORD ${ENCODED_PASSWORD}"

#set password file
echo "${ENCODED_PASSWORD}" > in.txt

#decode password
openssl enc -nosalt -aes-256-cbc -d -iv ${AES_IV} -K ${AES_KEY} -in in.txt

This results in an error message:

AES_KEY 0602f470fa19438c1958e5a5e665c186532c35b6d92f6cefb166578ee1b2e08c
AES_IV 70612f7065b313cb7b092df06dea1415
ENCODED_PASSWORD 53b7adff6e85baedfa9dab80109ad67d
▒▒▒▒▒▒`$;▒▒▒▒%▒O▒Q▒▒▒S▒▒<7 7
                            bad decrypt
32624:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:518:
0602f470fa19438c1958e5a5e665c186532c35b6d92f6cefb166578ee1b2
e08c

I think that the problem is aes-key (ak) which has a newline char in it, which I am trying to remove with

|tr -d '\n'

The password should decode as

password
Marcin Wasiluk asked Mar 27 '26 11:03


1 Answer

No, what's wrong is the encoding of in.txt. It should not be text at all, it should be binary.

In principle you would not get this error either if you'd use echo -n suppressing the final end-of-line within the ciphertext. The decryption would however still fail as it expects binary instead of an encoded binary value.

You may want to change the name of in.txt to in.bin if you want to keep a file. You should also be able to simply pipe the ciphertext into openssl using the standard input (stdin). In that case you may want to encode it first to store it in a shell variable and then decode before piping it to openssl to decrypt it.

For binary, use cat instead of echo.

Maarten Bodewes answered Mar 29 '26 08:03
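The approach this answer describes, as an added example that is not part of the original question or answer: the base64 ciphertext is decoded to raw bytes and piped straight into openssl on stdin, while the hex-text input from the question is shown being rejected. The key, IV and ciphertext are constructed at run time (they are not the question's values), the function names are hypothetical, and `od` stands in for `xxd`.

```shell
#!/usr/bin/env bash
# Added example. Key, IV and ciphertext below are constructed samples.

# base64 text -> one continuous lowercase hex string (no spaces, no newlines)
b64_to_hex() {
  printf '%s\n' "$1" | openssl base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Correct: key and IV are passed as hex, the ciphertext as raw binary on stdin.
# usage: decrypt_b64 KEY_B64 IV_B64 CIPHERTEXT_B64
decrypt_b64() {
  printf '%s\n' "$3" | openssl base64 -d |
    openssl enc -d -aes-256-cbc -nosalt -K "$(b64_to_hex "$1")" -iv "$(b64_to_hex "$2")"
}

# The question's approach: the ciphertext is fed as hex *text* plus a newline.
# 16 ciphertext bytes become 33 input bytes, which is not a multiple of the
# 16-byte AES block size, so openssl exits non-zero.
decrypt_hex_text() {
  { b64_to_hex "$3"; echo; } |
    openssl enc -d -aes-256-cbc -nosalt -K "$(b64_to_hex "$1")" -iv "$(b64_to_hex "$2")"
}

# Constructed sample material: 32-byte key, 16-byte IV, plaintext "password".
KEY_B64=$(printf '0123456789abcdef0123456789abcdef' | openssl base64)
IV_B64=$(printf 'fedcba9876543210' | openssl base64)
CT_B64=$(printf 'password' |
  openssl enc -aes-256-cbc -nosalt -K "$(b64_to_hex "$KEY_B64")" -iv "$(b64_to_hex "$IV_B64")" |
  openssl base64)

echo "ciphertext (base64): ${CT_B64}"
echo "binary on stdin:     $(decrypt_b64 "$KEY_B64" "$IV_B64" "$CT_B64")"
if ! decrypt_hex_text "$KEY_B64" "$IV_B64" "$CT_B64" >/dev/null 2>&1; then
  echo "hex text as input:   rejected by openssl"
fi
```
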


