waptcrypto library problem

Questions about WAPT Packaging / Requests and help regarding Wapt packages.
croquebert
Messages: 33
Registration: March 30, 2022 - 5:41 PM

April 14, 2022 - 6:42 PM

Hello,

Context:
WAPT version: 2.1 Enterprise
Server OS: Debian 11
OS administration console: Win10pro
OS package dev station: Win10pro


To encrypt secrets in WAPT packages, I use the waptcrypto library as in the example in your documentation.

Under certain conditions, this raises an exception.

This seems to be due to the presence of the slash character but only under certain positional or other conditions (a test with a very simple string containing a single slash works).

Here is the code used and the error output depending on the case: working strings and failing strings.

**************************************************************

Code used (excerpt from the update_package hook in setup.py; data, pc_cfgs_jsoned_by_pc and encryptlist are built earlier in that function):

import base64
import json

from waptcrypto import SSLCertificate

# data['result']: one entry per host, with its host_certificate and computer_name
# pc_cfgs_jsoned_by_pc: per-host secret to encrypt, keyed by lower-case computer name
# encryptlist: {computer_name: base64(RSA ciphertext)} written out at the end
for value in data['result']:
    if value['host_certificate'] and value['computer_name']:
        host_cert = SSLCertificate(crt_string=value['host_certificate'])
        if pc_cfgs_jsoned_by_pc.get(value['computer_name'].lower(), 0):
            encrypttxt = pc_cfgs_jsoned_by_pc[value['computer_name'].lower()]
            #encrypttxt = 'chaine avec un / au milieu'
            print('texte à chiffrer:')
            print(encrypttxt)
            print('type du texte à chiffrer : {}'.format(type(encrypttxt)))
            # whole payload encrypted in a single RSA operation with the host's public key
            encryptlist[value['computer_name']] = base64.b64encode(host_cert.encrypt(encrypttxt.encode('utf-8'))).decode('utf-8')
            #print(value['computer_name'] + ':' + value['uuid'] + ':' + encryptlist[value['computer_name']])
print('en sortie')
print(encryptlist)
with open('encrypt-txt.json', 'w') as f:
    f.write(json.dumps(encryptlist))


Output for a working plain string containing a slash:

*** Remote Interpreter Reinitialized ***
Ligne de Commande : update-package-sources "C:\Users\moi\waptdev\monpaquetquichiffre-wapt\WAPT\.."
Using config file: C:\Users\moi\AppData\Local\waptconsole\waptconsole.ini
texte à chiffrer:
chaine avec un / au milieu
type du texte à chiffrer : <class 'str'>
en sortie
{'PCP102': 'uZaw3MxTlBZBNXNXnTqWC+YdY/uSAXr2IVJuewkHvXqye1k6sx+yl/nri+dux1aRtdA3JLsMmzggR47PGVtjPZS9Fka3+S0at1OnRwcH45EYEyd3AB5A9rvg2ANvEb//szHxQScu0nfbkA9zJFXvM8y1bUGkpUIZY03I7/uMuU+blFKNaTK3TVzNW9mHEIEkZiroG/VyRckhgd6Rb6eubNtuDdFwrtwhZ7qMQwxPopu5T0+jdIKP8FWtnJGIzQKBCsbepwOPuFkqx1xFl/7kMjq2Q2y9Hy3gIMTBFjqjt+buQJfU2wms/+J8oQCUhuazoGkmtUSBm6RWgc/uQgd4YA=='}
Packages updated :
   

Output for a working JSON string containing slashes:

*** Remote Interpreter Reinitialized ***
Ligne de Commande : update-package-sources "C:\Users\moi\waptdev\monpaquetquichiffre-wapt\WAPT\.."
Using config file: C:\Users\moi\AppData\Local\waptconsole\waptconsole.ini
texte à chiffrer:
{"PrivateKey": "abcd", "Address": "10.0.0.1/32", "DNS": ["192.168.0.1", "mondomaine.fr"], "PublicKey": "abcd", "PresharedKey": "abcd", "EndPoint": "mamachine.mondomaine.fr:12345"}
type du texte à chiffrer : <class 'str'>
en sortie
{'PCP102': 'XFUQR+g5GoKG8f5h45SGYmhdRov/TTGGwga1T0k7jAl0jY4+NgCJepD5e+PrYBHD1xJMssv8Tn0u6P18U/RDsftcT9eJJGWedO9GVTfuXqvH4+pR9ApyPkEJe/U/G1wk4eNiPSHSknUAYF2WYUfWmFFnHl05Dk0MB5xmTiynS4CtrBuearAvf8+frvr2ah+jdqrkGgA+skBmvmeVfozW/lyZ5CMbW16ON9DKFjqlG/edDPYiGdsVuuGHohjO4drwdZp46/wOtTdifQBn0+gNSq6JA8AKVhEpqkk5OkopuUXDUHrzLVjtETH4Nno+mbDdbGzdBlQnIGy+zmzPjNNISg=='}
Packages updated :


Output for the failing JSON string (a longer PrivateKey value containing slashes):

*** Remote Interpreter Reinitialized ***
Ligne de Commande : update-package-sources "C:\Users\moi\waptdev\monpaquetquichiffre-wapt\WAPT\.."
Using config file: C:\Users\moi\AppData\Local\waptconsole\waptconsole.ini
texte à chiffrer:
{"PrivateKey": "abcde/abcdefghijklmnopqrstuvwxyzabc/abcdef", "Address": "10.0.0.1/32", "DNS": ["192.168.0.1", "mondomaine.fr"], "PublicKey": "abcd", "PresharedKey": "abcd", "EndPoint": "mamachine.mondomaine.fr:12345"}
type du texte à chiffrer : <class 'str'>
2022-04-14 18:20:46,161 CRITICAL Fatal error in update_package function: ValueError: Encryption/decryption failed.:
Traceback (most recent call last):
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 2973, in call_setup_hook
    hookdata = hook_func()
  File "C:\Users\roquebert\waptdev\set-wgconf_0-wapt\setup.py", line 139, in update_package
    encryptlist[value['computer_name']] = base64.b64encode(host_cert.encrypt(encrypttxt.encode('utf-8'))).decode('utf-8')
  File "C:\Program Files (x86)\wapt\waptcrypto.py", line 2284, in encrypt
    return self.rsa.encrypt(content, apadding)
  File "C:\Program Files (x86)\wapt\Scripts\lib\site-packages\cryptography\hazmat\backends\openssl\rsa.py", line 484, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
  File "C:\Program Files (x86)\wapt\Scripts\lib\site-packages\cryptography\hazmat\backends\openssl\rsa.py", line 75, in _enc_dec_rsa
    return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding)
  File "C:\Program Files (x86)\wapt\Scripts\lib\site-packages\cryptography\hazmat\backends\openssl\rsa.py", line 133, in _enc_dec_rsa_pkey_ctx
    raise ValueError("Encryption/decryption failed.")
ValueError: Encryption/decryption failed.

FATAL ERROR : ValueError: Encryption/decryption failed.
Exit code:  3
**************************************************************


Sincerely.

Christophe
croquebert
Messages: 33
Registration: March 30, 2022 - 5:41 PM

April 14, 2022 - 7:14 PM

Hello again,

After some quick research, it seems to be a limitation on the length of the string to be encrypted in rsa.py. After some testing, the limit I encountered is 215 characters.

So, do you have a solution for encrypting longer strings (without having to split and reassemble the long string)?

Sincerely,

Christophe
dcardon
WAPT Expert
Messages: 1932
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

April 15, 2022 - 3:02 PM

Hi Christophe,

thanks for the feedback. I've forwarded the message to Hubert, who developed a good part of the waptcrypto library, to see what he thinks.

Best regards,

Denis
Denis Cardon - Tranquil IT
croquebert
Messages: 33
Registration: March 30, 2022 - 5:41 PM

April 15, 2022 - 3:24 PM

Hello Denis,

Great, thanks for the feedback.
It's difficult for me to see where this is coming from without the waptcrypto source code (passing arguments to functions in rsa.py, a bug or limitation in rsa.py), unless I test rsa.py directly...
For now, I'm going to split the strings to encrypt and reassemble them,
while waiting for Hubert's answer on the subject.

Sincerely.

Christophe
croquebert
Messages: 33
Registration: March 30, 2022 - 5:41 PM

April 15, 2022 - 3:27 PM

My mistake, the Waptcrypto source code is accessible, but I'll still let Hubert look into it :-)
htouvet
WAPT Expert
Messages: 436
Registration: March 16, 2015 - 10:48

April 15, 2022 - 5:24 PM

Good evening,
Yes, absolutely, the size is limited.
To encrypt longer data, there's the SSLCertificate.encrypt_fernet(data) method,
which encrypts a random symmetric key using RSA, which is then used to encrypt the data using AES-CBC.

And the counterpart, SSLPrivateKey.decrypt_fernet.
Tranquil IT
croquebert
Messages: 33
Registration: March 30, 2022 - 5:41 PM

April 15, 2022 - 5:44 PM

Hello Hubert,

Thank you for the feedback.

Indeed, I could have suspected as much by going to look: https://wapt.tranquil.it/wapt/nightly/a ... rypto.html

"Encrypt a (small) message will be decrypted with the public key"

Where is the maximum size for encrypt specified so that switching to encrypt_fernet is based on that size?

Is it possible to detect the method used to encrypt the string in order to apply the correct decryption method?

Sincerely.
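Putting the two answers together, as an added example that is not code from this thread or from waptcrypto: the script below is my own and uses only the cryptography package that waptcrypto wraps (the one visible in the traceback). It computes the single-block RSA-OAEP limit, shows that one byte over it produces the same ValueError, and then wraps a random Fernet key with RSA to carry a longer payload, which is the construction Hubert describes for encrypt_fernet. It also answers the last two questions in a self-contained way: the limit is a function of key size and padding (RFC 8017 gives k - 2*hLen - 2 bytes for OAEP, i.e. 214 bytes for a 2048-bit key with SHA-1, which is consistent with the 215-character failure reported above), and the simplest way to know which method to decrypt with is to record it in the ciphertext container. Assumptions: the host key is 2048-bit RSA, waptcrypto uses OAEP with SHA-1 (the padding object is not shown in the traceback), and the JSON envelope with a "method" tag is my own format, not the wire format of encrypt_fernet/decrypt_fernet. The sample configs are constructed in the shape of the one in the thread, with dummy values.

```python
# Added example: RSA-OAEP plaintext limit and a tagged hybrid envelope (RSA-wrapped Fernet key).
# My own code, not waptcrypto's; it only uses the `cryptography` package that waptcrypto wraps.
# Assumptions: 2048-bit host key, OAEP with SHA-1 padding, and an envelope format of my own.
import base64
import json

from cryptography.fernet import Fernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed padding; the traceback only shows a variable named `apadding`, not which scheme it is.
OAEP_SHA1 = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
                         algorithm=hashes.SHA1(), label=None)


def max_plaintext_len(key_size_bits, hash_len=20):
    """RFC 8017 bound for RSAES-OAEP: k - 2*hLen - 2 bytes (k = modulus bytes, hLen = hash bytes)."""
    return key_size_bits // 8 - 2 * hash_len - 2


def rsa_encrypt(public_key, data):
    """Encrypt one RSA block; return None instead of raising when `data` exceeds the bound."""
    try:
        return public_key.encrypt(data, OAEP_SHA1)
    except ValueError:  # cryptography raises ValueError for oversize input, as in the thread
        return None


def seal(public_key, data):
    """Encrypt `data` for `public_key`; return a JSON envelope tagged with the method used."""
    if len(data) <= max_plaintext_len(public_key.key_size):
        ct = public_key.encrypt(data, OAEP_SHA1)
        return json.dumps({"method": "rsa", "ct": base64.b64encode(ct).decode("ascii")})
    fkey = Fernet.generate_key()  # 32 random bytes (16 HMAC + 16 AES-128-CBC), urlsafe-b64, 44 chars
    return json.dumps({
        "method": "rsa+fernet",
        "ek": base64.b64encode(public_key.encrypt(fkey, OAEP_SHA1)).decode("ascii"),  # wrapped key
        "ct": Fernet(fkey).encrypt(data).decode("ascii"),  # AES-128-CBC + HMAC-SHA256 token
    })


def open_envelope(private_key, envelope):
    """Decrypt an envelope from seal(); the tag selects the path, tampered input fails closed."""
    env = json.loads(envelope)
    if env["method"] == "rsa":
        return private_key.decrypt(base64.b64decode(env["ct"]), OAEP_SHA1)
    if env["method"] == "rsa+fernet":
        fkey = private_key.decrypt(base64.b64decode(env["ek"]), OAEP_SHA1)
        return Fernet(fkey).decrypt(env["ct"].encode("ascii"))  # InvalidToken if the HMAC fails
    raise ValueError("unknown envelope method: %r" % env["method"])


# Constructed samples in the shape of the thread's config; the key material is dummy text.
SHORT_CONFIG = ('{"PrivateKey": "abcd", "Address": "10.0.0.1/32", "DNS": ["192.168.0.1", '
                '"mondomaine.fr"], "PublicKey": "abcd", "PresharedKey": "abcd", '
                '"EndPoint": "mamachine.mondomaine.fr:12345"}')
LONG_CONFIG = SHORT_CONFIG.replace('"PrivateKey": "abcd"',
                                   '"PrivateKey": "abcde/abcdefghijklmnopqrstuvwxyzabc/abcdef"')


def demo(key_size=2048):
    """Generate a throwaway key pair and exercise the limit and both envelope paths."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=key_size,
                                    backend=default_backend())
    pub = priv.public_key()
    limit = max_plaintext_len(key_size)
    short, long_ = SHORT_CONFIG.encode("utf-8"), LONG_CONFIG.encode("utf-8")
    return {
        "limit": limit,                                                     # 214 for 2048-bit
        "at_limit_ok": rsa_encrypt(pub, b"x" * limit) is not None,          # True
        "over_limit_ok": rsa_encrypt(pub, b"x" * (limit + 1)) is not None,  # False
        "short_method": json.loads(seal(pub, short))["method"],             # "rsa"
        "long_method": json.loads(seal(pub, long_))["method"],              # "rsa+fernet"
        "short_roundtrip": open_envelope(priv, seal(pub, short)) == short,  # True
        "long_roundtrip": open_envelope(priv, seal(pub, long_)) == long_,   # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %s" % (name, value))
```

Two practical notes. The "method" tag is not itself authenticated by the RSA key, but a wrong or altered tag cannot be misread silently: OAEP decryption of the wrong blob raises ValueError and Fernet raises InvalidToken when its HMAC check fails, so the worst outcome is a refused decryption. And with the hybrid path the RSA bound stops mattering entirely, so there is no reason to branch on payload size in a package: the only argument for keeping the single-block path is compatibility with secrets already shipped with SSLCertificate.encrypt.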