使用 DBMS_CRYPTO 函数解密 CLOB 数据时出错
Error while using DBMS_CRYPTO function to decrypt CLOB data
我的任务是执行两个实现以下目标的 Oracle 函数:
- 将 CLOB 作为输入并使用 AES-256 和 return 加密的 CLOB 对其进行加密
- 将加密的 CLOB 作为输入,使用 AES-256 和 return 解密的 CLOB 对其进行解密
问题是 CLOB 数据很大,函数应该处理这个问题。
我能够完成第一个函数,它运行良好,即用大量数据加密 CLOB:
create or replace
function F_ENCRYPT_CLOB (ac_input IN CLOB) return CLOB is
l_clob CLOB;
lb_variable BLOB;
v_key RAW (320);
v_encryption_type PLS_INTEGER := DBMS_CRYPTO.AES_CBC_PKCS5;
v_iv RAW (320);
l_dest_offset PLS_INTEGER := 1;
l_src_offset PLS_INTEGER := 1;
l_lang_context PLS_INTEGER := DBMS_LOB.default_lang_ctx;
l_warning PLS_INTEGER;
l_step PLS_INTEGER := 1998;
begin
SELECT VALUE
INTO v_key
FROM algparameters
WHERE name = 'key';
SELECT VALUE
INTO v_iv
FROM algparameters
WHERE name = 'iv';
dbms_lob.createtemporary(lb_variable, true);
sys.DBMS_CRYPTO.ENCRYPT(
dst => lb_variable,
src => ac_input,
typ => v_encryption_type,
key => v_key,
iv => v_iv
);
DBMS_LOB.createTemporary(
lob_loc => l_clob,
cache => TRUE);
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(lb_variable) - 1 )/l_step) LOOP
l_clob := l_clob || UTL_RAW.cast_to_varchar2(UTL_ENCODE.base64_encode(DBMS_LOB.substr(lb_variable, l_step, i * l_step + 1)));
END LOOP;
RETURN l_clob;
end F_ENCRYPT_CLOB;
但我在使用类似步骤解密之前加密的值时遇到问题:
create or replace
function F_DECRYPT_CLOB (ac_input IN CLOB) return CLOB is
lb_variable CLOB;
l_blob BLOB;
v_key RAW (320);
v_encryption_type PLS_INTEGER := DBMS_CRYPTO.AES_CBC_PKCS5;
v_iv RAW (320);
l_dest_offset PLS_INTEGER := 1;
l_src_offset PLS_INTEGER := 1;
l_lang_context PLS_INTEGER := DBMS_LOB.default_lang_ctx;
l_warning PLS_INTEGER;
l_raw RAW(32767);
l_amt NUMBER := 7700;
l_offset NUMBER := 1;
l_temp VARCHAR2(32767);
l_step PLS_INTEGER := 7700;
begin
SELECT VALUE
INTO v_key
FROM algparameters
WHERE name = 'key';
SELECT VALUE
INTO v_iv
FROM algparameters
WHERE name = 'iv';
dbms_lob.createtemporary(l_blob, true);
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(ac_input) - 1 )/l_amt) LOOP
DBMS_LOB.read(ac_input, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt;
l_raw := UTL_ENCODE.base64_decode(l_temp);
DBMS_LOB.append (l_blob, TO_BLOB(l_raw));
END LOOP;
dbms_lob.createtemporary(lb_variable, true);
sys.DBMS_CRYPTO.DECRYPT(
dst => lb_variable,
src => l_blob,
typ => v_encryption_type,--dbms_crypto.des_cbc_pkcs5,
key => v_key,
iv => v_iv
);
return lb_variable;
end F_DECRYPT_CLOB;
它抛出的错误是:
ORA-06502: PL/SQL: numeric or value error: hex to raw conversion error
ORA-06512: at "SN_PRE_STAGE_415.F_DECRYPT_CLOB", line 33
06502. 00000 - "PL/SQL: numeric or value error%s"
*Cause:
*Action:
错误来自第 33 行,即:
l_raw := UTL_ENCODE.base64_decode(l_temp);
base64_decode function 需要一个 RAW 参数,因此您可以转换您现在拥有的字符串:
l_raw := UTL_ENCODE.base64_decode(UTL_RAW.cast_to_raw(l_temp));
即
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(ac_input) - 1 )/l_amt) LOOP
DBMS_LOB.read(ac_input, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt;
l_raw := UTL_ENCODE.base64_decode(UTL_RAW.cast_to_raw(l_temp));
DBMS_LOB.append (l_blob, TO_BLOB(l_raw));
END LOOP;
Now it is throwing this
ORA-28817: PL/SQL function returned an error.
ORA-06512: at "SYS.DBMS_CRYPTO_FFI", line 110
ORA-06512: at "SYS.DBMS_CRYPTO", line 64
ORA-06512: at "Whosebug.F_DECRYPT_CLOB", line 39
您的 base-64 字符串有换行符;那些正在丢弃解码器。您可以使用较小的块大小,使用 l_amt = 64,并跳过换行符:
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(ac_input) - 1 )/(l_amt + 2)) LOOP
DBMS_LOB.read(ac_input, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt + 2;
但通过一个新的 l_clob 变量一次将它们全部剥离可能更简单、更有效:
create or replace
function F_DECRYPT_CLOB (ac_input IN CLOB) return CLOB is
lb_variable CLOB;
l_clob CLOB;
l_blob BLOB;
...
begin
...
dbms_lob.createtemporary(l_blob, true);
l_clob := replace(replace(ac_input, chr(13), null), chr(10), null);
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(l_clob) - 1 )/l_amt) LOOP
DBMS_LOB.read(l_clob, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt;
l_raw := UTL_ENCODE.base64_decode(utl_raw.cast_to_raw(l_temp));
DBMS_LOB.append (l_blob, TO_BLOB(l_raw));
END LOOP;
...
end F_DECRYPT_CLOB;
/
完整:
create or replace
function F_DECRYPT_CLOB (ac_input IN CLOB) return CLOB is
lb_variable CLOB;
l_clob CLOB;
l_blob BLOB;
v_key RAW (320);
v_encryption_type PLS_INTEGER := DBMS_CRYPTO.AES_CBC_PKCS5;
v_iv RAW (320);
l_dest_offset PLS_INTEGER := 1;
l_src_offset PLS_INTEGER := 1;
l_lang_context PLS_INTEGER := DBMS_LOB.default_lang_ctx;
l_warning PLS_INTEGER;
l_raw RAW(32767);
l_amt NUMBER := 7700;
l_offset NUMBER := 1;
l_temp VARCHAR2(32767);
l_step PLS_INTEGER := 7700;
begin
SELECT VALUE
INTO v_key
FROM algparameters
WHERE name = 'key';
SELECT VALUE
INTO v_iv
FROM algparameters
WHERE name = 'iv';
dbms_lob.createtemporary(l_blob, true);
l_clob := replace(replace(ac_input, chr(13), null), chr(10), null);
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(l_clob) - 1 )/l_amt) LOOP
DBMS_LOB.read(l_clob, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt;
l_raw := UTL_ENCODE.base64_decode(utl_raw.cast_to_raw(l_temp));
DBMS_LOB.append (l_blob, TO_BLOB(l_raw));
END LOOP;
dbms_lob.createtemporary(lb_variable, true);
sys.DBMS_CRYPTO.DECRYPT(
dst => lb_variable,
src => l_blob,
typ => v_encryption_type,--dbms_crypto.des_cbc_pkcs5,
key => v_key,
iv => v_iv
);
return lb_variable;
end F_DECRYPT_CLOB;
/
我的任务是执行两个实现以下目标的 Oracle 函数:
- 将 CLOB 作为输入并使用 AES-256 和 return 加密的 CLOB 对其进行加密
- 将加密的 CLOB 作为输入,使用 AES-256 和 return 解密的 CLOB 对其进行解密
问题是 CLOB 数据很大,函数应该处理这个问题。
我能够完成第一个函数,它运行良好,即用大量数据加密 CLOB:
create or replace
function F_ENCRYPT_CLOB (ac_input IN CLOB) return CLOB is
l_clob CLOB;
lb_variable BLOB;
v_key RAW (320);
v_encryption_type PLS_INTEGER := DBMS_CRYPTO.AES_CBC_PKCS5;
v_iv RAW (320);
l_dest_offset PLS_INTEGER := 1;
l_src_offset PLS_INTEGER := 1;
l_lang_context PLS_INTEGER := DBMS_LOB.default_lang_ctx;
l_warning PLS_INTEGER;
l_step PLS_INTEGER := 1998;
begin
SELECT VALUE
INTO v_key
FROM algparameters
WHERE name = 'key';
SELECT VALUE
INTO v_iv
FROM algparameters
WHERE name = 'iv';
dbms_lob.createtemporary(lb_variable, true);
sys.DBMS_CRYPTO.ENCRYPT(
dst => lb_variable,
src => ac_input,
typ => v_encryption_type,
key => v_key,
iv => v_iv
);
DBMS_LOB.createTemporary(
lob_loc => l_clob,
cache => TRUE);
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(lb_variable) - 1 )/l_step) LOOP
l_clob := l_clob || UTL_RAW.cast_to_varchar2(UTL_ENCODE.base64_encode(DBMS_LOB.substr(lb_variable, l_step, i * l_step + 1)));
END LOOP;
RETURN l_clob;
end F_ENCRYPT_CLOB;
但我在使用类似步骤解密之前加密的值时遇到问题:
create or replace
function F_DECRYPT_CLOB (ac_input IN CLOB) return CLOB is
lb_variable CLOB;
l_blob BLOB;
v_key RAW (320);
v_encryption_type PLS_INTEGER := DBMS_CRYPTO.AES_CBC_PKCS5;
v_iv RAW (320);
l_dest_offset PLS_INTEGER := 1;
l_src_offset PLS_INTEGER := 1;
l_lang_context PLS_INTEGER := DBMS_LOB.default_lang_ctx;
l_warning PLS_INTEGER;
l_raw RAW(32767);
l_amt NUMBER := 7700;
l_offset NUMBER := 1;
l_temp VARCHAR2(32767);
l_step PLS_INTEGER := 7700;
begin
SELECT VALUE
INTO v_key
FROM algparameters
WHERE name = 'key';
SELECT VALUE
INTO v_iv
FROM algparameters
WHERE name = 'iv';
dbms_lob.createtemporary(l_blob, true);
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(ac_input) - 1 )/l_amt) LOOP
DBMS_LOB.read(ac_input, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt;
l_raw := UTL_ENCODE.base64_decode(l_temp);
DBMS_LOB.append (l_blob, TO_BLOB(l_raw));
END LOOP;
dbms_lob.createtemporary(lb_variable, true);
sys.DBMS_CRYPTO.DECRYPT(
dst => lb_variable,
src => l_blob,
typ => v_encryption_type,--dbms_crypto.des_cbc_pkcs5,
key => v_key,
iv => v_iv
);
return lb_variable;
end F_DECRYPT_CLOB;
它抛出的错误是:
ORA-06502: PL/SQL: numeric or value error: hex to raw conversion error
ORA-06512: at "SN_PRE_STAGE_415.F_DECRYPT_CLOB", line 33
06502. 00000 - "PL/SQL: numeric or value error%s"
*Cause:
*Action:
错误来自第 33 行,即:
l_raw := UTL_ENCODE.base64_decode(l_temp);
base64_decode function 需要一个 RAW 参数,因此您可以转换您现在拥有的字符串:
l_raw := UTL_ENCODE.base64_decode(UTL_RAW.cast_to_raw(l_temp));
即
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(ac_input) - 1 )/l_amt) LOOP
DBMS_LOB.read(ac_input, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt;
l_raw := UTL_ENCODE.base64_decode(UTL_RAW.cast_to_raw(l_temp));
DBMS_LOB.append (l_blob, TO_BLOB(l_raw));
END LOOP;
Now it is throwing this
ORA-28817: PL/SQL function returned an error.
ORA-06512: at "SYS.DBMS_CRYPTO_FFI", line 110
ORA-06512: at "SYS.DBMS_CRYPTO", line 64
ORA-06512: at "Whosebug.F_DECRYPT_CLOB", line 39
您的 base-64 字符串有换行符;那些正在丢弃解码器。您可以使用较小的块大小,使用 l_amt = 64,并跳过换行符:
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(ac_input) - 1 )/(l_amt + 2)) LOOP
DBMS_LOB.read(ac_input, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt + 2;
但通过一个新的 l_clob 变量一次将它们全部剥离可能更简单、更有效:
create or replace
function F_DECRYPT_CLOB (ac_input IN CLOB) return CLOB is
lb_variable CLOB;
l_clob CLOB;
l_blob BLOB;
...
begin
...
dbms_lob.createtemporary(l_blob, true);
l_clob := replace(replace(ac_input, chr(13), null), chr(10), null);
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(l_clob) - 1 )/l_amt) LOOP
DBMS_LOB.read(l_clob, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt;
l_raw := UTL_ENCODE.base64_decode(utl_raw.cast_to_raw(l_temp));
DBMS_LOB.append (l_blob, TO_BLOB(l_raw));
END LOOP;
...
end F_DECRYPT_CLOB;
/
完整:
create or replace
function F_DECRYPT_CLOB (ac_input IN CLOB) return CLOB is
lb_variable CLOB;
l_clob CLOB;
l_blob BLOB;
v_key RAW (320);
v_encryption_type PLS_INTEGER := DBMS_CRYPTO.AES_CBC_PKCS5;
v_iv RAW (320);
l_dest_offset PLS_INTEGER := 1;
l_src_offset PLS_INTEGER := 1;
l_lang_context PLS_INTEGER := DBMS_LOB.default_lang_ctx;
l_warning PLS_INTEGER;
l_raw RAW(32767);
l_amt NUMBER := 7700;
l_offset NUMBER := 1;
l_temp VARCHAR2(32767);
l_step PLS_INTEGER := 7700;
begin
SELECT VALUE
INTO v_key
FROM algparameters
WHERE name = 'key';
SELECT VALUE
INTO v_iv
FROM algparameters
WHERE name = 'iv';
dbms_lob.createtemporary(l_blob, true);
l_clob := replace(replace(ac_input, chr(13), null), chr(10), null);
FOR i IN 0 .. TRUNC((DBMS_LOB.getlength(l_clob) - 1 )/l_amt) LOOP
DBMS_LOB.read(l_clob, l_amt, l_offset, l_temp);
l_offset := l_offset + l_amt;
l_raw := UTL_ENCODE.base64_decode(utl_raw.cast_to_raw(l_temp));
DBMS_LOB.append (l_blob, TO_BLOB(l_raw));
END LOOP;
dbms_lob.createtemporary(lb_variable, true);
sys.DBMS_CRYPTO.DECRYPT(
dst => lb_variable,
src => l_blob,
typ => v_encryption_type,--dbms_crypto.des_cbc_pkcs5,
key => v_key,
iv => v_iv
);
return lb_variable;
end F_DECRYPT_CLOB;
/