feat: raise exception if decryption of original value fails during th…

…e reencryption process
dimagi · Jan 20, 2025 · 4c49627 · 4c49627
1 parent 36b9977
commit 4c49627
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/corehq/motech/utils.py b/corehq/motech/utils.py
@@ -132,6 +132,10 @@ def b64_aes_cbc_decrypt(message):
     return plaintext_bytes.decode('utf8')
 
 
+class AesEcbDecryptionError(Exception):
+    pass
+
+
 # Only needed for migration from ECB to CBC mode.
 def reencrypt_ecb_to_cbc_mode(encrypted_text, existing_prefix=None):
     """
@@ -144,8 +148,11 @@ def reencrypt_ecb_to_cbc_mode(encrypted_text, existing_prefix=None):
         ciphertext = encrypted_text[len(existing_prefix):]
     else:
         ciphertext = encrypted_text
-
-    new_ciphertext = b64_aes_cbc_encrypt(b64_aes_decrypt(ciphertext))
+    try:
+        plaintext = b64_aes_decrypt(ciphertext)
+    except UnicodeDecodeError:
+        raise AesEcbDecryptionError("Failed to decrypt the AES-ECB-encrypted text.")
+    new_ciphertext = b64_aes_cbc_encrypt(plaintext)
     return f'${ALGO_AES_CBC}${new_ciphertext}'