Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
# Copyright: (c) 2018, Jordan Borean (@jborean93) <>
# MIT License (see LICENSE or
Function Remove-Pkcs7Padding {
Removes PKCS7 padding on a paddded byte array.
Will remove any PKCS7 padding on a byte array. This can be run multiple
times and the result will always be the same.
[byte[]] The bytes to add the remove from.
[int] The size of the block in bits.
[byte[]] The input byte array that has been unpadded.
Remove-Pkcs7Padding -Bytes [byte[]]@(1, 2, 3, 5, 5, 5, 5 ,5) -BlockSize 64
Usually this is done as part of a crypto provider but because we use
Invoke-AESCTRCycle (AES in CTR mode/stream cipher) we need to manually
unpad the bytes as this is done in the Ansible Vault implementation.
[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "", Justification="Does not adjust system state, removes the padding in a byte array")]
[Parameter(Mandatory=$true)] [byte[]]$Value,
[Parameter(Mandatory=$true)] [int]$BlockSize
$last_byte = [int]$Value[$Value.Length - 1]
if ($last_byte -gt ($BlockSize / 8)) {
return $Value
} elseif ($Value.Length -eq 1) {
return $Value
for ($i = $Value.Length - 1; $i -ge $Value.Length - $last_byte; $i--) {
if ([int]$Value[$i] -ne $last_byte) {
return $Value
$unpadded_size = $Value.Length - $last_byte
$unpadded_bytes = New-Object -TypeName byte[] -ArgumentList $unpadded_size
[System.Buffer]::BlockCopy($Value, 0, $unpadded_bytes, 0, $unpadded_size)
return [byte[]]$unpadded_bytes