decrypt cannot read private key #18
Comments
|
Sorry you are running into these issues, Apoorv! Have you tried using the MemReaderWriter instead of NewBinaryReader? I see that the AWS script is using MemReaderWriter to write the private key: |
|
I am not really sure how to put private key into In pseudo-code they have I need help with this magical |
|
In your script from your first post, I see you are calling I think you will need to decrypt the private key first in order to get it from ciphertext into proper bytes, corresponding to this encrypt call in the aws_key_gen script.. Have you done that previously? For the |
|
I am repeating the same steps as creating the key 🔑 just instead of awsClient, err := awskms.NewClient(keyURI)
if err != nil {
fmt.Printf("creating aws kms client failed, %v\n", err)
return
}
registry.RegisterKMSClient(awsClient)
dek := aead.AES128CTRHMACSHA256KeyTemplate()
khgcs, err := keyset.NewHandle(aead.KMSEnvelopeAEADKeyTemplate(keyURI, dek))
if err != nil {
fmt.Printf("new handle failed, %v", err)
return
}
a, err := aead.New(khgcs)
if err != nil {
fmt.Printf("failed to create new aead, %v", err)
return
}
pk, pkErr := base64.StdEncoding.DecodeString(privateKey)
if pkErr != nil {
fmt.Printf("decoding private key failed, %v\n", pkErr)
return
}
plainBytesPk, err := a.Decrypt(pk, nil)
if err != nil {
fmt.Printf("decrypting private key failed, %v\n", err)
return
}And the decryption fails with following error. Everything before that succeeds. decrypting private key failed, aead_factory: decryption failedAlso there were huge warnings everywhere on hybrid decryption that never hardcode the private key into the source code and commit history. If my private key is already encrypted then I can hardcode the private key 🔑 right? I shouldn't probably go as far as posting my private key 🔑 into public github repo but at least I can commit that into my private source code. |
|
Sorry I am not sure what the issue is here. You might want to post this to Tink's Github since I think this mainly has to do with their tools. The only thing I can think of is ensuring that you are loading in the same key used during encryption with the AWS client. I can't really comment on the key security. How secure you want to be with your private key is up to you and your use case. |
|
I ran it again and created new private key. It decrypts on the encryption script but won't decrypt on another script. |
|
This is taking way too long. So I will keep this on backburner. The alternative is https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html |
I am following decrypt with tinkey official guide for golang.
https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#decryption
Then it fails with message
I also tried adding key directly
Then again it failed with same message
I am running this code on local playground because there are lots of warning saying DONT ADD PRIVATE KEY INTO SOURCE CODE.
Took me very long time to convert authorize lambda encpoint from NodeJS to golang. I do receive base64 encoded encrypted key as follows.
I can base64 decode it fine at lambda. But have trouble reading private key.
The private key is same generated from https://github.com/subscriptions-project/encryption/tree/master/golang/cmd/aws_key_gen
It generated one public and private key.
The text was updated successfully, but these errors were encountered: