Unable to use encrypted-private key

[gglen]

Platform: Windows Server 2016
Python: 3.6.3 x64

Using a encrypted-private key with user-sync 2.2.2 fails with error message:
CRITICAL main - umapi configuration.enterprise: Error decrypting private key, either the password is wrong or: RSA key format is not supported

Error occurs with keypass either in Windows Credential Manager or plain text keypass in file, ie:
secure_priv_key_pass_key: umapi_private_key_passphrase
or
priv_key_pass: "xxx"

Unencrypted private key works correctly. Encrypted key created using OpenSSL:
openssl pkcs8 -in private.key -topk8 -v2 des3 -out private-encrypted.key

Could be related to: #258

[adobeDan]

This is puzzling, since none of that code has changed since it worked in 2.2.1. As a "let's rule out the obvious" step, would you mind using ssl to decrypt that key with the "xxx" passphrase that you have in your config file? I just want to make sure that there wasn't a typo somewhere.

[gglen]

Was thinking that myself.... Checked reversing out the encryption. I don't believe there is a typo with the keypass. The unencrypted encrypted file works OK when referenced in the config file.

[adobeDan]

OK, thanks for checking. I will try to repro these steps with my own key on a matching system. Things are a little hectic, so it might take me a couple of days.

[adobeDan]

So I cannot repro this running on a Win2016 server using the posted py3.6.3 Windows build of v2.2.2. I have these lines in my umapi-config file:

priv_key_path: 'stress1-encrypted.key'
priv_key_pass: "test"

(where test is actually the password :) and it works just fine. Are you certain that you have the encrypted key in priv_key_path, rather than the unencrypted key? Are you certain that you used openssl on Windows to encrypt the key?

[gglen]

OK, I think I discovered what is going on. So somewhere along the way the encrypted file ended up with CR&LF chars normally there is only *NIX LF char on the OpenSSL output. OpenSSL doesn't mind this but python/user-sync.py doesn't like this, hence the rejection.

[adobeDan]

Thanks @gglen for following up. Yes, there are lots of ways for Windows files to pick CR/LFs. Too bad the crypto libraries we are using are sensitive to that. We appreciate your filing the issue!