Hello Micah,
Thank you for replying. I appreciate your feedback.
You are correct: CommonCrypto doesn’t provide the aes-256-gcm cipher, which is why we went to OpenSSL. The previous database was encrypted with the default SQLCipher 3.8.4.3 configuration, using CommonCrypto and aes-256-cbc. Since we wanted to move to aes-256-gcm, we updated our version of SQLCipher to 3.15.2, configured it to use OpenSSL, and kept the default configuration except for changing the cipher to gcm.
I’ll include the piece of code in question. It is basically an objc version of the sqlcipher_export() documentation link you included in your post. The oldEncrypted_DB reference is our cbc encrypted database in this scenario. The newDBPath is created somewhere above this code.
It fails on Step 3 (“Attached old database”) with the error stating “File is encrypted or not a database”. I’ve also attempted to make sure the default cipher is still cbc, but when I executed “PRAGMA Cipher” after opening and keying the database, it returned SQLITE_DONE. That is what got me thinking that either CommonCrypto files are incompatible with OpenSSL files or I need to adjust some configuration settings after opening the previous database file to get this to work.
Again, thank you for replying,
-Brad
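/*
 * Re-encrypts the existing SQLCipher database into a new database at
 * newDBPath whose cipher is set to aes-256-gcm, following the
 * sqlcipher_export() pattern. Each step runs only if the previous one
 * succeeded, so a failure is reported once, at the step that caused it,
 * and nothing is exported into a database that was never attached.
 *
 * Log lines carry only result codes and SQLite's own error text; the SQL
 * statements that embed the key are never logged.
 */
NSString *filepathString = [self dataFilePath];
int migrationResult = SQLITE_ERROR;
char *migrationError = NULL; /* stays NULL unless sqlite3_exec fills it in */
BOOL newDatabaseAttached = NO;

/*
 * The key and the path are spliced into SQL string literals, so any single
 * quote is doubled to keep the value inside its literal. An unescaped quote
 * would break the statement, and the resulting syntax error text could echo
 * a fragment of the key into the log.
 */
NSString *sqlKey = [FIPS_SQLKey() stringByReplacingOccurrencesOfString:@"'" withString:@"''"];
NSString *sqlNewPath = [newDBPath stringByReplacingOccurrencesOfString:@"'" withString:@"''"];

/* 1. Open the existing (aes-256-cbc) database */
if (![[NSFileManager defaultManager] fileExistsAtPath:filepathString]) {
    NSLog(@"existing database file not found");
} else {
    migrationResult = sqlite3_open([filepathString UTF8String], &oldEncrypted_DB);
    if (migrationResult != SQLITE_OK) {
        NSLog(@"error opening existing database: %d", migrationResult);
        /* Release the failed handle and clear it so it is not used or closed again below. */
        sqlite3_close(oldEncrypted_DB);
        oldEncrypted_DB = NULL;
    }
}

/* A nil key would otherwise be formatted as the literal text "(null)" and used as the key. */
if (migrationResult == SQLITE_OK && (sqlKey.length == 0 || sqlNewPath.length == 0)) {
    NSLog(@"missing database key or new database path");
    migrationResult = SQLITE_ERROR;
}

/* 2. Provide Key */
if (migrationResult == SQLITE_OK) {
    /* %@ keeps the text as Unicode; %s would reinterpret the UTF-8 bytes in the system encoding. */
    NSString *sql_pragma_key = [NSString stringWithFormat:@"PRAGMA key = '%@';", sqlKey];
    migrationResult = sqlite3_exec(oldEncrypted_DB, [sql_pragma_key UTF8String], NULL, NULL, NULL);
    if (migrationResult != SQLITE_OK) {
        NSLog(@"pragma key error: %d", migrationResult);
    }
}

/*
 * 2b. Verify the key.
 * PRAGMA key only stores the key; SQLCipher does not check it until the
 * first page is read. Reading sqlite_master here separates "the existing
 * database cannot be decrypted with this key/configuration" from a problem
 * with the database being attached in step 3.
 */
if (migrationResult == SQLITE_OK) {
    migrationResult = sqlite3_exec(oldEncrypted_DB, "SELECT count(*) FROM sqlite_master;", NULL, NULL, &migrationError);
    if (migrationResult != SQLITE_OK) {
        NSLog(@"unable to read existing database with the supplied key: %d, %s",
              migrationResult, migrationError ? migrationError : "(no message)");
        sqlite3_free(migrationError);
        migrationError = NULL;
    }
}

/*
 * 3. Attach the new database
 * NOTE(review): ATTACH ... KEY presumably needs newDBPath to be either absent
 * or already a database readable with this key; a placeholder file created
 * earlier could also yield "file is encrypted or not a database" -- confirm
 * how the file is created above this code.
 */
if (migrationResult == SQLITE_OK) {
    NSString *sql_attach = [NSString stringWithFormat:@"ATTACH DATABASE '%@' AS encrypted KEY '%@';", sqlNewPath, sqlKey];
    migrationResult = sqlite3_exec(oldEncrypted_DB, [sql_attach UTF8String], NULL, NULL, &migrationError);
    if (migrationResult == SQLITE_OK) {
        newDatabaseAttached = YES;
    } else {
        NSLog(@"Something went wrong with creating or attaching the encrypted database: %d, %s",
              migrationResult, migrationError ? migrationError : "(no message)");
        /* The message buffer is allocated by SQLite and must be returned to it. */
        sqlite3_free(migrationError);
        migrationError = NULL;
    }
}

/* 4. Updating Cipher (applies to the attached database only) */
if (migrationResult == SQLITE_OK) {
    migrationResult = sqlite3_exec(oldEncrypted_DB, "PRAGMA encrypted.cipher='aes-256-gcm';", NULL, NULL, NULL);
    if (migrationResult != SQLITE_OK) {
        NSLog(@"error adding cipher mode: %d", migrationResult);
    }
}

/* 5. Export the existing database into the new encrypted DB */
if (migrationResult == SQLITE_OK) {
    migrationResult = sqlite3_exec(oldEncrypted_DB, "SELECT sqlcipher_export('encrypted');", NULL, NULL, NULL);
    if (migrationResult != SQLITE_OK) {
        NSLog(@"un-able to export database: %d", migrationResult);
    }
}

/* 6. detaching database (only if step 3 attached it, even when a later step failed) */
if (newDatabaseAttached) {
    int results_detaching = sqlite3_exec(oldEncrypted_DB, "DETACH DATABASE encrypted;", NULL, NULL, NULL);
    if (results_detaching != SQLITE_OK) {
        NSLog(@"error detaching database: %d", results_detaching);
    }
}

/* 7. Closing Database (a NULL handle after a failed open is a harmless no-op) */
sqlite3_close(oldEncrypted_DB);
oldEncrypted_DB = NULL;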