Getting null when I try to decrypt ticket #2

Open
setvik opened this issue Oct 9, 2016 · 8 comments

@setvik

setvik commented Oct 9, 2016

I created a quick test.js file with the following contents & included the validation key and decryption key specified in the entry in my Web.config file.

I'm unsure of what to put for the DOTNET_DECRYPTION_IV. I've tried null as well as the 1st 128 characters in the encrypted cookie. Both values result in authTicket getting set to null.

Any thoughts on what I'm missing?

```js
// Bracketed values are placeholders for the real keys and cookie.
process.env.DOTNET_VALIDATION_KEY = '[validationkey]';
process.env.DOTNET_DECRYPTION_IV = '[?]';
process.env.DOTNET_DECRYPTION_KEY = '[decryptionkey]';

var aspxauth = require( "aspxauth" )( {
    validationMethod: "sha1",
    validationKey: process.env.DOTNET_VALIDATION_KEY,
    decryptionMethod: "aes",
    decryptionIV: process.env.DOTNET_DECRYPTION_IV,
    decryptionKey: process.env.DOTNET_DECRYPTION_KEY,
    validateExpiration: false
} );

var authTicket = aspxauth.decrypt('[aspxauth cookie string]');
console.log(authTicket);
```

@Prestaul
Contributor

@setvik, I think most people will be able to leave the decryptionIV off entirely. It will default to a buffer of zeros which is the same behavior we get from .NET.

If that's not working for you (and it likely won't if you already tested with null there) then you probably want to drop some log statements into your /node_modules/aspxauth/lib/index.js file and see which check is failing. If it is failing to decrypt then you will want to double check the two methods (the ones you are using are the defaults for this module and for .NET) and two key settings.

@setvik
Author

setvik commented Dec 21, 2016

Thanks for the reply. Unfortunately, still unable to get it to work.

It's currently failing in the validate() function.

`hash.digest().equals(signature)`

returns false.
We're on .net 4.5.1 with a Web.config Machine key entry of:

```xml
<machineKey decryption="AES" decryptionKey="[DECRYPTION KEY]" validation="SHA1" validationKey="[VALIDATION KEY]" />
```

Any thoughts on what the issue might be?

@Prestaul
Contributor

@setvik, all I can tell from what you've told me is that it is failing the checksum validation. Short of confirming your validation key I'm not sure there is much else that I can do. It is also possible that the algorithm is incorrect, but right now I've only added support for SHA1 so, if that is the case, we would need to add support for whichever method you are using. There is a possibility that there is some change to forms validation in 4.5 that I'm not aware of (I'm testing with 4.0.3).

I'm sorry I'm not able to help more.

@DHFW

DHFW commented Jul 16, 2018

@setvik Have you solved your issue? I'm experiencing the same with .Net 4.7...

@thisroot

We have a .Net 4.5.2 version, and got the same result.

@JamesFaix

Also running into this issue. I have ticketCompatibilityMode="Framework40" set in my web.config, although the app is running on 4.7.2.

@fangforever

Anyone able to get the decrypt part to work? I am using .net 4.5, and removed all the validation, and just decryption, and I am getting

Error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length

@durlabhjain

This happens due to the different .NET 4.5 mode ticket. I've created a pull request to handle decryption of those auth tickets.
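
The maintainer's advice earlier in the thread, to find out which check is failing, can be done without editing files under node_modules. The following is an added example, not code from this thread or from the aspxauth module: it reports the stage at which a cookie is rejected (signature, block length, or decryption). It assumes the cookie is hex of ciphertext followed by a 20-byte HMAC-SHA1 tag over that ciphertext, with AES-CBC and a zero IV; `diagnoseTicket`, `buildSampleTicket` and both keys are hypothetical names and constructed values.

```javascript
// Added diagnostic sketch, not the aspxauth module's code.
// Assumed layout: hex( ciphertext || HMAC-SHA1(validationKey, ciphertext) )
const crypto = require("crypto");

const SHA1_LEN = 20;  // bytes in an HMAC-SHA1 tag
const AES_BLOCK = 16; // AES block size in bytes

function diagnoseTicket(cookieHex, validationKeyHex, decryptionKeyHex) {
  const report = { signatureOk: false, blockAligned: false, decryptOk: false, plaintextLength: 0, failedAt: null };
  if (!/^(?:[0-9a-f]{2})+$/i.test(cookieHex)) return { ...report, failedAt: "hex-decode" };
  const bytes = Buffer.from(cookieHex, "hex");
  if (bytes.length <= SHA1_LEN) return { ...report, failedAt: "too-short" };

  const payload = bytes.subarray(0, bytes.length - SHA1_LEN);
  const signature = bytes.subarray(bytes.length - SHA1_LEN);
  const expected = crypto.createHmac("sha1", Buffer.from(validationKeyHex, "hex"))
    .update(payload).digest();
  // Constant-time comparison; both buffers are exactly 20 bytes long.
  report.signatureOk = crypto.timingSafeEqual(expected, signature);
  report.blockAligned = payload.length % AES_BLOCK === 0;
  // Stop at the first failing stage so unauthenticated data is never decrypted.
  if (!report.signatureOk) return { ...report, failedAt: "signature" };
  if (!report.blockAligned) return { ...report, failedAt: "block-length" };
  try {
    const key = Buffer.from(decryptionKeyHex, "hex");
    // Zero IV, the default the maintainer describes in this thread.
    const decipher = crypto.createDecipheriv(`aes-${key.length * 8}-cbc`, key, Buffer.alloc(AES_BLOCK));
    report.plaintextLength = Buffer.concat([decipher.update(payload), decipher.final()]).length;
    report.decryptOk = true;
  } catch (err) {
    report.failedAt = "decrypt"; // unsupported key size, wrong key, or bad padding
  }
  return report;
}

// Constructed sample: builds a ticket in the assumed layout from throwaway keys.
function buildSampleTicket(plaintext, validationKeyHex, decryptionKeyHex) {
  const key = Buffer.from(decryptionKeyHex, "hex");
  const cipher = crypto.createCipheriv(`aes-${key.length * 8}-cbc`, key, Buffer.alloc(AES_BLOCK));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = crypto.createHmac("sha1", Buffer.from(validationKeyHex, "hex")).update(ciphertext).digest();
  return Buffer.concat([ciphertext, tag]).toString("hex");
}

const VALIDATION_KEY = "11".repeat(64); // constructed, not a real machineKey value
const DECRYPTION_KEY = "22".repeat(32); // constructed 256-bit key
const sample = buildSampleTicket("constructed ticket body", VALIDATION_KEY, DECRYPTION_KEY);
console.log(diagnoseTicket(sample, VALIDATION_KEY, DECRYPTION_KEY));
console.log(diagnoseTicket(sample, "33".repeat(64), DECRYPTION_KEY).failedAt);
```

A `failedAt` of `"signature"` with keys known to be correct suggests the cookie does not follow the assumed layout, rather than a key typo.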
