
Decrypting RC4 Encoded Data In Java (Lotus Domino + FoxyCart)

I've just spent a day working out how to integrate Lotus Domino and the FoxyCart payment gateway. As part of this I had to decrypt the transaction data they send back to your server as part of the payment process.

Hopefully I can save somebody some time in doing this by posting what I did. First of all here's the code that does the job:

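import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.net.URLCodec;

// Key used to decrypt the posted data
String password = "YOUR_SECRET_KEY";

// RC4 cipher in decrypt mode, keyed with the bytes of the secret
Cipher rc4 = Cipher.getInstance("RC4");
rc4.init(Cipher.DECRYPT_MODE,
        new SecretKeySpec(password.getBytes(), "RC4")
    );

// Undo the URL encoding first (needs the Commons Codec library)
byte[] decoded = URLCodec.decodeUrl(
        document.getItemValueString("FoxyData").getBytes()
    );

// Then remove the RC4 layer to recover the XML bytes
byte[] decrypted = rc4.doFinal(decoded);

String xml = new String(decrypted);

// Store the plain XML back on the document
document.replaceItemValue("XML_From_Foxy", xml);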

FoxyCart POSTs data back to the URL you specify in a field called "FoxyData". The data is RC4 encrypted as well as being URL encoded. To undo this and get the pure XML in a plain string you need to run the code above during the WebQuerySave (WQS) event of the Form to which you have FoxyCart post results.

Note that you need to import the Commons Codec library into your agent to get the above code to work.

Other Gotchas

The code took some arriving at itself, but the main obstacle was getting the code to run on the Domino server once "compiled".

First hurdle was this error:

java.security.InvalidKeyException: Illegal key size or default parameters

Turns out that we need to install the "unlimited strength" security files. This involves replacing US_export_policy.jar and local_policy.jar in the following directory on the server:

[Domino_Install_Path]\jvm\lib\security\

At first, to do this I used the official Sun/Oracle Java files but then hit this error:

java.lang.SecurityException: Cannot set up certs for trusted CAs
Jurisdiction policy files are not signed by trusted signers!

Turns out I need to use the IBM versions of those two JAR files, which you can get from here (see "IBM SDK Policy files" section).

And, phew, it all worked.
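
The decode steps and the key-size hurdle together, as an added example that is not the agent code from this post: it uses only JDK classes in place of Commons Codec, round-trips a constructed payload, and checks the RC4 key length the installed policy files permit, which is the condition behind the InvalidKeyException above. The key, the sample XML and the UTF-8 charset are assumptions.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class FoxyDataRoundTrip {

    // RC4 is a stream cipher, so one helper serves both directions.
    static byte[] rc4(int mode, byte[] key, byte[] input) throws Exception {
        int maxBits = Cipher.getMaxAllowedKeyLength("RC4");
        if (key.length * 8 > maxBits) {
            // Fail with a readable message instead of "Illegal key size or default parameters".
            throw new IllegalStateException("Key is " + (key.length * 8)
                    + " bits but the installed policy files allow " + maxBits);
        }
        Cipher cipher = Cipher.getInstance("RC4");
        cipher.init(mode, new SecretKeySpec(key, "RC4"));
        return cipher.doFinal(input);
    }

    // Undo the URL encoding, then the RC4 layer, in the same order as the agent.
    static String decodeFoxyData(String posted, byte[] key) throws Exception {
        // ISO-8859-1 maps every %XX escape to exactly one byte, so the ciphertext survives intact.
        byte[] cipherText = URLDecoder.decode(posted, "ISO-8859-1")
                .getBytes(StandardCharsets.ISO_8859_1);
        // Assumption: the decrypted XML is UTF-8.
        return new String(rc4(Cipher.DECRYPT_MODE, key, cipherText), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and payload, not real FoxyCart data.
        byte[] key = "CONSTRUCTED_SAMPLE_KEY".getBytes(StandardCharsets.UTF_8);
        String xml = "<order><id>1</id><total>9.99</total></order>";

        // Build what a POSTed field would look like: RC4 encrypt, then URL encode.
        byte[] cipherText = rc4(Cipher.ENCRYPT_MODE, key, xml.getBytes(StandardCharsets.UTF_8));
        String posted = URLEncoder.encode(
                new String(cipherText, StandardCharsets.ISO_8859_1), "ISO-8859-1");

        System.out.println("RC4 key limit (bits): " + Cipher.getMaxAllowedKeyLength("RC4"));
        System.out.println("Round trip ok: " + xml.equals(decodeFoxyData(posted, key)));
    }
}
```

Running this class on the server's own JVM shows the key limit in force before and after swapping the policy JAR files.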

Comments

  1. JVM files differ from one Domino version to another, and by platform. Can you specify what Domino server you were working with?

      • Jake Howlett
      • Wed 10 Aug 2011 08:32 AM

      Domino 8.5.2 on Windows

    • Jorge Coelho
    • Wed 10 Aug 2011 09:38 AM

    It's amazing though that at the end of the day something so complex becomes a few lines of code and you sit back and wonder at the simplicity. All the time spent on a dozen lines of code.

      • Jake Howlett
      • Wed 10 Aug 2011 09:40 AM

      Probably took an hour *per* line of the above code.

      It's my experience that anything that involves "encryption" is never easy.

    • Brett
    • Wed 10 Aug 2011 01:44 PM

    Hi Jake. Thanks for posting this. We've added a link to our wiki:

    http://wiki.foxycart.com/integration/java

    Sorry it took so long. We've been discussing moving to Base64 + AES instead of URL encoding + RC4, as well as changing it so rather than keying off a response of "foxy" it uses the response code. Would that have made it easier for you, or do you think it still would have been problematic? We definitely want to do what we can to make things easier for advanced devs like you.

      • Jake Howlett
      • Thu 11 Aug 2011 03:28 AM

      Hi Brett,

      "advanced dev"? Me?

      Not sure if Base64 + AES would have made it any easier as I've never used AES with Domino and Java. Chances are it might have been equally as difficult. Things like this normally are with Domino.

      Jake


      1. Did this about two years ago. Not too bad actually. Took some reading up on AES but with free libraries available for Java, it wasn't too terribly hard at all.

  2. Interestingly, I thought the NSA had decided the export policy for limited encryption strength was no longer material. I'm surprised IBM still distributes code that has this restriction.

    Yes... encryption. Had a fair bit of fun with that last year. Lots of rabbit holes there if you fancy.

About This Page

Written by Jake Howlett on Wed 10 Aug 2011
