waptcrypto library problem

Published: April 14, 2022 - 6:42 PM
by croquebert
Good morning,

Context:
WAPT version: 2.1 Enterprise
Server OS: Debian 11
OS administration console: Win10pro
OS package dev station: Win10pro


To encrypt secrets in WAPT packages, I use the waptcrypto library as in the example in your documentation.

Under certain conditions, this raises an exception.

This seems to be due to the presence of the slash character but only under certain positional or other conditions (a test with a very simple string containing a single slash works).

Here is the code used and the error output depending on the case: working strings and failing strings.

**************************************************************

Code used:

import base64
import json

from waptcrypto import SSLCertificate

# data, pc_cfgs_jsoned_by_pc and encryptlist are set up earlier in the package's setup.py (not shown here).
for value in data['result']:
    if value['host_certificate'] and value['computer_name']:
        # Public certificate of the target host, used to encrypt that host's secret.
        host_cert = SSLCertificate(crt_string=value['host_certificate'])
        if pc_cfgs_jsoned_by_pc.get(value['computer_name'].lower(), 0):
            encrypttxt = pc_cfgs_jsoned_by_pc[value['computer_name'].lower()]
            #encrypttxt = 'chaine avec un / au milieu'
            print('texte à chiffrer:')
            print(encrypttxt)
            print('type du texte à chiffrer : {}'.format(type(encrypttxt)))
            # RSA-encrypt the UTF-8 bytes, then base64 the ciphertext for JSON storage.
            encryptlist[value['computer_name']] = base64.b64encode(host_cert.encrypt(encrypttxt.encode('utf-8'))).decode('utf-8')
            #print(value['computer_name'] + ':' + value['uuid'] + ':' + encryptlist[value['computer_name']])
print('en sortie')
print(encryptlist)
with open('encrypt-txt.json', 'w') as out:
    out.write(json.dumps(encryptlist))


Output when a functional string with a slash character is passed:

*** Remote Interpreter Reinitialized ***
Ligne de Commande : update-package-sources "C:\Users\moi\waptdev\monpaquetquichiffre-wapt\WAPT\.."
Using config file: C:\Users\moi\AppData\Local\waptconsole\waptconsole.ini
texte à chiffrer:
chaine avec un / au milieu
type du texte à chiffrer : <class 'str'>
en sortie
{'PCP102': 'uZaw3MxTlBZBNXNXnTqWC+YdY/uSAXr2IVJuewkHvXqye1k6sx+yl/nri+dux1aRtdA3JLsMmzggR47PGVtjPZS9Fka3+S0at1OnRwcH45EYEyd3AB5A9rvg2ANvEb//szHxQScu0nfbkA9zJFXvM8y1bUGkpUIZY03I7/uMuU+blFKNaTK3TVzNW9mHEIEkZiroG/VyRckhgd6Rb6eubNtuDdFwrtwhZ7qMQwxPopu5T0+jdIKP8FWtnJGIzQKBCsbepwOPuFkqx1xFl/7kMjq2Q2y9Hy3gIMTBFjqjt+buQJfU2wms/+J8oQCUhuazoGkmtUSBm6RWgc/uQgd4YA=='}
Packages updated :
   

Output when a functional string with a slash character is passed:

*** Remote Interpreter Reinitialized ***
Ligne de Commande : update-package-sources "C:\Users\moi\waptdev\monpaquetquichiffre-wapt\WAPT\.."
Using config file: C:\Users\moi\AppData\Local\waptconsole\waptconsole.ini
texte à chiffrer:
{"PrivateKey": "abcd", "Address": "10.0.0.1/32", "DNS": ["192.168.0.1", "mondomaine.fr"], "PublicKey": "abcd", "PresharedKey": "abcd", "EndPoint": "mamachine.mondomaine.fr:12345"}
type du texte à chiffrer : <class 'str'>
en sortie
{'PCP102': 'XFUQR+g5GoKG8f5h45SGYmhdRov/TTGGwga1T0k7jAl0jY4+NgCJepD5e+PrYBHD1xJMssv8Tn0u6P18U/RDsftcT9eJJGWedO9GVTfuXqvH4+pR9ApyPkEJe/U/G1wk4eNiPSHSknUAYF2WYUfWmFFnHl05Dk0MB5xmTiynS4CtrBuearAvf8+frvr2ah+jdqrkGgA+skBmvmeVfozW/lyZ5CMbW16ON9DKFjqlG/edDPYiGdsVuuGHohjO4drwdZp46/wOtTdifQBn0+gNSq6JA8AKVhEpqkk5OkopuUXDUHrzLVjtETH4Nno+mbDdbGzdBlQnIGy+zmzPjNNISg=='}
Packages updated :


Output when a failing string with slash characters is passed:

*** Remote Interpreter Reinitialized ***
Ligne de Commande : update-package-sources "C:\Users\moi\waptdev\monpaquetquichiffre-wapt\WAPT\.."
Using config file: C:\Users\moi\AppData\Local\waptconsole\waptconsole.ini
texte à chiffrer:
{"PrivateKey": "abcde/abcdefghijklmnopqrstuvwxyzabc/abcdef", "Address": "10.0.0.1/32", "DNS": ["192.168.0.1", "mondomaine.fr"], "PublicKey": "abcd", "PresharedKey": "abcd", "EndPoint": "mamachine.mondomaine.fr:12345"}
type du texte à chiffrer : <class 'str'>
2022-04-14 18:20:46,161 CRITICAL Fatal error in update_package function: ValueError: Encryption/decryption failed.:
Traceback (most recent call last):
  File "C:\Program Files (x86)\wapt\waptpackage.py", line 2973, in call_setup_hook
    hookdata = hook_func()
  File "C:\Users\roquebert\waptdev\set-wgconf_0-wapt\setup.py", line 139, in update_package
    encryptlist[value['computer_name']] = base64.b64encode(host_cert.encrypt(encrypttxt.encode('utf-8'))).decode('utf-8')
  File "C:\Program Files (x86)\wapt\waptcrypto.py", line 2284, in encrypt
    return self.rsa.encrypt(content, apadding)
  File "C:\Program Files (x86)\wapt\Scripts\lib\site-packages\cryptography\hazmat\backends\openssl\rsa.py", line 484, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
  File "C:\Program Files (x86)\wapt\Scripts\lib\site-packages\cryptography\hazmat\backends\openssl\rsa.py", line 75, in _enc_dec_rsa
    return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding)
  File "C:\Program Files (x86)\wapt\Scripts\lib\site-packages\cryptography\hazmat\backends\openssl\rsa.py", line 133, in _enc_dec_rsa_pkey_ctx
    raise ValueError("Encryption/decryption failed.")
ValueError: Encryption/decryption failed.

FATAL ERROR : ValueError: Encryption/decryption failed.
Exit code:  3
**************************************************************


Sincerely.

Christophe

Re: Waptcrypto library problem

Published: April 14, 2022 - 7:14 PM
by croquebert
Hello again,

After some quick research, it seems to be a limitation on the length of the string to be encrypted in rsa.py. After some testing, the limit I encountered is 215 characters.

So, do you have a solution for encrypting longer strings (without having to split and reassemble the long string)?

Sincerely,

Christophe

Re: Waptcrypto library problem

Published: April 15, 2022 - 3:02 PM
by dcardon
Hi Christophe,

thanks for the feedback. I've forwarded the message to Hubert, who developed a good part of the waptcrypto library, to see what he thinks.

Best regards,

Denis

Re: Waptcrypto library problem

Published: April 15, 2022 - 3:24 PM
by croquebert
dcardon wrote: Apr 15, 2022 - 3:02 PM
Hello Christophe,

thank you for the feedback. I forwarded the message to Hubert, who developed a good part of the waptcrypto library, to see what he thinks.

Regards,

Denis
Hello Denis,

Great, thanks for the feedback.
It's difficult for me to see where this is coming from without the waptcrypto source code (passing arguments to functions in rsa.py, a bug or limitation in rsa.py), unless I test rsa.py directly...
For now, I'm going to split the strings to encrypt and reassemble them, while waiting for Hubert's feedback on the subject.

Sincerely.

Christophe

Re: Waptcrypto library problem

Published: April 15, 2022 - 3:27 PM
by croquebert
croquebert wrote: Apr 15, 2022 - 3:24 PM
My mistake, the Waptcrypto source code is accessible, but I'll still let Hubert look into it :-)

Re: Waptcrypto library problem

Published: April 15, 2022 - 5:24 PM
by htouvet
Good evening,
Yes, absolutely, the size is limited.
To encrypt longer data, there's the SSLCertificate.encrypt_fernet(data) method,
which encrypts a random symmetric key using RSA, which is then used to encrypt the data using AES-CBC.

And the counterpart, SSLPrivateKey.decrypt_fernet.

Re: Waptcrypto library problem

Published: April 15, 2022 - 5:44 PM
by croquebert
htouvet wrote: Apr 15, 2022 - 5:24 PM
Good evening,
Yes, absolutely, the size is limited.
To encrypt longer data, there's the SSLCertificate.encrypt_fernet(data) method, which encrypts a symmetric random key using RSA, which is then used to encrypt the data using AES-CBC.

And the counterpart, SSLPrivateKey.decrypt_fernet.
Hello Hubert,

Thank you for the feedback.

Indeed, I could have suspected as much by going to look: https://wapt.tranquil.it/wapt/nightly/a ... rypto.html

"Encrypt a (small) message will be decrypted with the public key"

Where is the maximum size for encrypt specified so that switching to encrypt_fernet is based on that size?

Is it possible to detect the method used to encrypt the string in order to apply the correct decryption method?

Sincerely.
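As an added example (not waptcrypto's own code and not WAPT's wire format), the following shows the three points raised in this thread: the RSA-OAEP plaintext ceiling behind "Encryption/decryption failed.", a hybrid RSA-wrapped-key plus Fernet (AES-CBC) scheme in the spirit of encrypt_fernet/decrypt_fernet, and a one-byte tag so the decrypting side can tell which method was used. It assumes 2048-bit keys and OAEP with SHA-1 (a 214-byte ceiling, close to the 215 characters observed); the padding waptcrypto actually selects and the tagged framing are assumptions of this example.

```python
# Added example, not waptcrypto's own code. Assumptions: 2048-bit RSA keys,
# OAEP with SHA-1 (214-byte ceiling), and a one-byte tag framing of our own.
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)
TAG_RSA, TAG_HYBRID = b"\x00", b"\x01"

def make_keypair(bits=2048):
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)

def rsa_max_plaintext(public_key):
    # PKCS#1 v2 OAEP limit: k - 2*hLen - 2 bytes, k = modulus length in bytes.
    return public_key.key_size // 8 - 2 * hashes.SHA1().digest_size - 2

def rsa_encrypt(public_key, data):
    # Raises ValueError("Encryption/decryption failed.") once len(data) exceeds the ceiling.
    return public_key.encrypt(data, OAEP)

def hybrid_encrypt(public_key, data):
    # A fresh Fernet key (AES-128-CBC + HMAC-SHA256) is wrapped with RSA-OAEP;
    # the bulk data goes into a Fernet token, which has no length limit.
    fkey = Fernet.generate_key()
    wrapped = public_key.encrypt(fkey, OAEP)
    return len(wrapped).to_bytes(2, "big") + wrapped + Fernet(fkey).encrypt(data)

def hybrid_decrypt(private_key, blob):
    n = int.from_bytes(blob[:2], "big")
    fkey = private_key.decrypt(blob[2:2 + n], OAEP)
    return Fernet(fkey).decrypt(blob[2 + n:])

def encrypt_auto(public_key, data):
    # Pick the method from the size, as the thread asks, and record it in a tag.
    if len(data) <= rsa_max_plaintext(public_key):
        return TAG_RSA + rsa_encrypt(public_key, data)
    return TAG_HYBRID + hybrid_encrypt(public_key, data)

def decrypt_auto(private_key, blob):
    # The tag tells the receiver which decryption routine to apply.
    tag, body = blob[:1], blob[1:]
    if tag == TAG_RSA:
        return private_key.decrypt(body, OAEP)
    if tag == TAG_HYBRID:
        return hybrid_decrypt(private_key, body)
    raise ValueError("unknown encryption tag %r" % tag)
```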