Private key decryption fails in py3 #258
Two thoughts:
In order to take Windows Credential Manager out of the equation, I tried instead using priv_key_pass and adding the passphrase directly to the umapi.yml file. That results in the following:

2017-08-02 18:11:39 5268 DEBUG umapi - umapi: reading private key data from file C:\PEX\private-encrypted.key
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
During handling of the above exception, another exception occurred:
Traceback (most recent call last):

So you had a misconfiguration in your initial setup: rather than

The error encountered with your second setup looks like it might be a py3-specific bug: apparently the result of decrypting the private key file is a byte-string rather than a standard string, and this is not what

Got it, thanks. I'm running Python 3.6.2 (2017-07-17). I can also confirm I do get further by using

OK, I've now got this as a bug. I'll try to push a fix this week, although we may not release immediately. @andrewhollomon Can you do a build yourself, or do you need me to post a build for you here? If so, it looks like you would need Windows 10/py3, yes?

Thanks, and yep, I should be able to do a build.

@phil-levy noticed we have a bug in our sample umapi config file: it has the wrong value for the sample secure password key. I'll fix that too.

@andrewhollomon This is fixed in v2 head (app version 2.2.1). I have made a tag v2.2.1rc1; you can download the zip of that, expand it, and do
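The bytes-versus-text point diagnosed above, as an added example that is not user-sync's own code: it assumes the `cryptography` package is installed, and `make_encrypted_pem` and `load_private_key_text` are hypothetical helpers written for this illustration, decrypting an encrypted PKCS#8 PEM (the container `openssl pkcs8 -topk8` produces) and converting the result to `str` explicitly at the boundary instead of letting Python 3 bytes leak into code that expects text.

```python
# Added example (not user-sync's own code). Assumes the `cryptography`
# package; the helpers below are hypothetical and mirror the bug discussed
# above: in Python 3 the decrypted PEM comes back as bytes, and a consumer
# expecting str needs an explicit decode, not an implicit one.
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def make_encrypted_pem(passphrase: bytes) -> bytes:
    """Constructed fixture: a fresh RSA key serialized as an encrypted
    PKCS#8 PEM, the same container `openssl pkcs8 -topk8` writes."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )


def load_private_key_text(pem_data: bytes, passphrase) -> str:
    """Decrypt an encrypted private key and return it as *text* (str).

    pem_data   : raw bytes read from priv_key_path (open the file with 'rb').
    passphrase : str or bytes; a str (e.g. from priv_key_pass or a credential
                 store) is encoded exactly once, here, at the boundary.
    A wrong passphrase or malformed PEM raises ValueError, so a bad
    credential-store entry surfaces as an error rather than a silent None.
    """
    if isinstance(passphrase, str):
        passphrase = passphrase.encode("utf-8")
    key = serialization.load_pem_private_key(pem_data, password=passphrase)
    plain = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )
    # The py3 pitfall: `plain` is bytes. Handing it to code that does str
    # operations (concatenation, regex, JSON) fails there, so the conversion
    # is made explicit and checked here instead.
    text = plain.decode("ascii")
    assert isinstance(text, str)
    return text


def demo() -> bool:
    """Round trip: encrypted fixture -> decrypted PEM text with a PEM header."""
    pem = make_encrypted_pem(b"correct horse")
    text = load_private_key_text(pem, "correct horse")
    return text.startswith("-----BEGIN PRIVATE KEY-----")
```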
fix #258: Private key decryption fails in py3
@andrewhollomon To get a clean build to work on Windows, I also had to fix #260. So now there is a tag v2.2.1rc2, and attached is a build of that for you to try.

Thanks @adobeDan. I can confirm being able to read and use an encrypted private key w/ passphrase stored in Windows Credential Manager with the 2.2.1.rc2 build.

2017-08-04 16:55:07 5512 DEBUG umapi - umapi: reading private key data from file C:\PEX\private-encrypted.key

Yay! Thanks so much @andrewhollomon for confirming. Enjoy syncing! :)
The fix for #257 was broken from the get-go, referring to the wrong local variable. This is why one should test before pushing a commit... The fix for #258 was broken in the case of exceptions that have unicode messages (py2-only). The py2 exception __str__ method doesn't handle the presence of unicode exception messages, but logging can handle unicode. So rather than invoking the exception's str handler, we explicitly use logging format on the exception message itself. The fix for #258 was then applied everywhere we format an exception message, in case any of them have unicode strings.
Merge changes for #258. The fix for #258 included example file and doc file changes that should have been in release 2.2 and so need to go to master ASAP. This means that we will also get the fix for #258 into master, which means the head version on master is now 2.1.1. Because this fix has been built and proven by customers, we are OK with the possibility that someone will pull and build head rather than downloading a given release.
I am working to set up user-sync to use a private-encrypted.key. User sync is running on Windows server. Have created encrypted private key using openssl (openssl pkcs8 -in private.key -topk8 -v2 des3 -out private-encrypted.key)
Connector-umapi.yml is:

enterprise:
  org_id: "##############@AdobeOrg"
  secure_api_key_key: ADOBE_API_KEY
  secure_client_secret_key: ADOBE_API_CLIENT_SECRET
  tech_acct: "###############@techacct.adobe.com"
  secure_priv_pass_key: ADOBE_PRIV_KEY_PASSWORD
  priv_key_path: private-encrypted.key

Entries have been created in Windows Credential Manager, and entries other than the one for secure_priv_pass_key, like client secret and API key, are successfully used.
Running user sync returns:
2017-08-02 08:59:28 10672 DEBUG ldap - Connected
2017-08-02 08:59:28 10672 DEBUG umapi - UMAPI initialized with options: {'logger_name': 'umapi', 'test_mode': True, 'server': {'host': 'usermanagement.adobe.io', 'endpoint': '/v2/usermanagement', 'ims_host': 'ims-na1.adobelogin.com', 'ims_endpoint_jwt': '/ims/exchange/jwt', 'timeout': 120, 'retries': 3}, 'enterprise': {'org_id': '##########@AdobeOrg', 'tech_acct': '###########@techacct.adobe.com'}}
2017-08-02 08:59:28 10672 DEBUG umapi - umapi: reading private key data from file C:\PEX\private-encrypted.key
2017-08-02 08:59:28 10672 ERROR umapi - Found unused keys: ['secure_priv_pass_key'] in: umapi configuration.enterprise
2017-08-02 08:59:28 10672 INFO main - ========== End Run (User Sync version: 2.2) (Total time: 0:00:00)
It's possible I have misconfigured something, but I've checked everything over and it looks to be configured per the best practices docs.