
rsa_private_key_passphrase must be documented as only accepting byte strings

See original GitHub issue

The cryptography library documents that rsa_private_key_passphrase must be a bytes object: https://cryptography.io/en/latest/hazmat/backends/interfaces/?highlight=load_pem_private_key#cryptography.hazmat.backends.interfaces.PEMSerializationBackend.load_pem_private_key.

Right now, our documentation says str.

Original bug report:

Trying to get an access token generated using JWTAuth but failing with the following error stack:

From cffi callback <function _pem_password_cb at 0x10c09a230>:
Traceback (most recent call last):
  File "/Users/alan/.virtualenvs/myapp/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 95, in _pem_password_cb
    pw_buf[:len(ud.password)] = ud.password
ValueError: right operand length must match slice length
Traceback (most recent call last):
  File "boxtest.py", line 21, in <module>
    rsa_private_key_passphrase = boxPrivateKeyPassphrase
  File "/Users/alan/.virtualenvs/myapp/lib/python2.7/site-packages/boxsdk/auth/jwt_auth.py", line 102, in __init__
    backend=default_backend(),
  File "/Users/alan/.virtualenvs/myapp/lib/python2.7/site-packages/cryptography/hazmat/primitives/serialization.py", line 20, in load_pem_private_key
    return backend.load_pem_private_key(data, password)
  File "/Users/alan/.virtualenvs/myapp/lib/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 289, in load_pem_private_key
    return b.load_pem_private_key(data, password)
  File "/Users/alan/.virtualenvs/myapp/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1069, in load_pem_private_key
    password,
  File "/Users/alan/.virtualenvs/myapp/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1265, in _load_key
    self._handle_key_loading_error()
  File "/Users/alan/.virtualenvs/myapp/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1337, in _handle_key_loading_error
    raise ValueError("Could not unserialize key data.")
ValueError: Could not unserialize key data.

My code is:

# coding: utf-8
from __future__ import (absolute_import, division, print_function, unicode_literals)

from boxsdk import JWTAuth
import random
import string

boxClientId = "xxx"
boxClientSecret = "xxx"
boxEnterpriseId = "xxx"
boxJwtKeyId = "xxx"
boxPrivateKeyPath = "private_key.pem"
# With unicode_literals in effect this literal is a unicode string, not bytes;
# that is the value handed to cryptography as the PEM password.
boxPrivateKeyPassphrase = "xxx"

auth = JWTAuth(
    client_id = boxClientId,
    client_secret = boxClientSecret,
    enterprise_id = boxEnterpriseId,
    jwt_key_id = boxJwtKeyId,
    rsa_private_key_file_sys_path = boxPrivateKeyPath,
    rsa_private_key_passphrase = boxPrivateKeyPassphrase
)

access_token = auth.authenticate_instance()

print(access_token)

And the modules I have installed are:

boxsdk (1.5.3)
cffi (1.6.0)
cryptography (1.3.2)
ecdsa (0.13)
enum34 (1.1.6)
future (0.15.2)
idna (2.1)
ipaddress (1.0.16)
pip (8.1.2)
pyasn1 (0.1.9)
pycparser (2.14)
pycrypto (2.6.1)
PyJWT (1.4.0)
python-jose (0.6.1)
requests (2.10.0)
requests-toolbelt (0.6.2)
setuptools (18.2)
six (1.10.0)
wheel (0.24.0)

Any idea what I’m doing wrong here? I’ve triple-checked my parameters and they are all correct, but it looks like it’s failing on something related to the passphrase size. I’ve tried both long and short/simple passphrases to no avail. I’m also generating the keys using:

openssl genrsa -aes256 -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Reactions: 1
  • Comments: 9 (5 by maintainers)

Top GitHub Comments

4 reactions
jmoldow commented, Jun 28, 2016

The first ValueError is coming from here in the cffi library: https://bitbucket.org/cffi/cffi/src/default/c/minibuffer.h#minibuffer.h-59

Which is being invoked from here in the cryptography library: https://github.com/pyca/cryptography/blob/master/src/cryptography/hazmat/backends/openssl/backend.py#L96

In the cffi code, PyObject_AsReadBuffer(other, &buffer, &buffer_len), it looks like buffer_len is set to be greater than len(other) when other is a Python unicode object.

I don’t know if this is a bug in cffi, or a bug in cryptography, or if it isn’t a bug.

You can fix it in your code by using boxPrivateKeyPassphrase = b"xxx" instead (without the leading b, it is a unicode string because you are using unicode_literals).

0 reactions
Inetgate commented, Mar 9, 2018

Hi! I am experiencing similar issue. Here is my code:

import yaml
import requests
from boxsdk import Client
from boxsdk import JWTAuth
CLIENT_ID = None
CLIENT_SECRET = None
ENTERPRISE_ID = None
JWT_KEY_ID = None
RSA_KEY_PATH = None
RSA_PASSPHRASE = None
with open('getboxfile2.yml', 'r') as ymlfile:
    # safe_load rather than yaml.load: plain yaml.load can instantiate
    # arbitrary Python objects from the file it parses.
    cfg = yaml.safe_load(ymlfile)
    CLIENT_ID      = cfg['box']['client_id']
    CLIENT_SECRET  = cfg['box']['client_secret']
    ENTERPRISE_ID  = cfg['box']['enterprise_id']
    JWT_KEY_ID     = cfg['box']['jwt_key_id']
    RSA_KEY_PATH   = cfg['box']['rsa_private_key_file_sys_path']
    # YAML scalars come back as str on Python 3, so this is a str, not bytes.
    RSA_PASSPHRASE = cfg['box']['rsa_private_key_passphrase']
auth = JWTAuth(
  client_id=CLIENT_ID,
  client_secret=CLIENT_SECRET,
  enterprise_id=ENTERPRISE_ID,
  jwt_key_id=JWT_KEY_ID,
  rsa_private_key_file_sys_path=RSA_KEY_PATH,
  rsa_private_key_passphrase=RSA_PASSPHRASE
)
access_token = auth.authenticate_instance()
client = Client(auth)

When I enter auth = JWTAuth( …snip…), I get the traceback below:

Traceback (most recent call last):
  File "<stdin>", line 7, in <module>
  File "/usr/local/lib/python3.6/site-packages/boxsdk/auth/jwt_auth.py", line 104, in __init__
    backend=default_backend(),
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/primitives/serialization.py", line 20, in load_pem_private_key
    return backend.load_pem_private_key(data, password)
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1015, in load_pem_private_key
    password,
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1202, in _load_key
    raise TypeError("Password must be bytes")
TypeError: Password must be bytes

I tried changing ‘key_file.read()’ to ‘bytes(key_file.read())’ in /usr/local/lib/python3.6/dist-packages/boxsdk/auth/jwt_auth.py, but I encounter the same issue. Before testing, I removed jwt_auth.pyc from __pycache__.

Also, I tried using b’’ in the conf file, but the issue is not cleared.
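The bytes contract the issue describes (and jmoldow's b"xxx" fix above), together with the case Inetgate reports, where the passphrase arrives as a Python 3 str read from a config file, as an added example that is not code from boxsdk or pyca/cryptography: a helper that coerces the passphrase to bytes, a header check that tells whether `openssl genrsa -aes256` encrypted the PEM file, and a loader that hands the normalized password to cryptography's load_pem_private_key. The two sample PEM blobs are constructed (placeholder bodies, not real keys) and only exercise the header helpers; UTF-8 as the str encoding and the helper names are assumptions.

```python
"""Passphrase handling for encrypted PEM private keys (added example; not code
from boxsdk or pyca/cryptography). load_pem_private_key() takes the password
as bytes, so a str passphrase (Python 3 str, or a Python 2 unicode literal under
`unicode_literals`) must be encoded before the call."""
import re

# Header lines OpenSSL writes when `openssl genrsa -aes256 ...` encrypts a
# traditional ("BEGIN RSA PRIVATE KEY") PEM file.
_PROC_TYPE = re.compile(rb"^Proc-Type: 4,ENCRYPTED\s*$", re.MULTILINE)
_DEK_INFO = re.compile(rb"^DEK-Info: ([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", re.MULTILINE)

# Constructed samples: the header layout `openssl genrsa -aes256` produces. The
# body is placeholder base64, NOT a real key, so only the header helpers run on
# it; load_private_key() needs a real key (see the __main__ block).
SAMPLE_ENCRYPTED_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    b"\n"
    b"cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PLAIN_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=\n"
    b"-----END RSA PRIVATE KEY-----\n"
)


def _as_bytes(pem_data):
    """PEM is ASCII by definition; accept str (e.g. read from a text file) too."""
    return pem_data.encode("ascii") if isinstance(pem_data, str) else pem_data


def normalize_passphrase(passphrase):
    """Return the passphrase as bytes, or None when none was given.

    str is encoded as UTF-8 (an assumption: OpenSSL treats the passphrase as
    opaque bytes, so the bytes used at encryption time must be supplied again).
    Other types are rejected here, giving a clear TypeError up front instead of
    "Could not unserialize key data" later."""
    if passphrase is None:
        return None
    if isinstance(passphrase, bytes):
        return passphrase
    if isinstance(passphrase, str):
        return passphrase.encode("utf-8")
    raise TypeError("passphrase must be bytes, str or None, not %s"
                    % type(passphrase).__name__)


def pem_is_encrypted(pem_data):
    """Tell whether a PEM blob needs a passphrase without parsing the key:
    traditional OpenSSL format (Proc-Type/DEK-Info headers) or PKCS#8
    ("BEGIN ENCRYPTED PRIVATE KEY")."""
    data = _as_bytes(pem_data)
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in data:
        return True
    return bool(_PROC_TYPE.search(data) and _DEK_INFO.search(data))


def dek_info(pem_data):
    """Return (cipher, iv_hex) from the DEK-Info header, or None when absent."""
    m = _DEK_INFO.search(_as_bytes(pem_data))
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def load_private_key(pem_data, passphrase=None):
    """Load a PEM private key with pyca/cryptography under the bytes contract.

    cryptography is imported here, not at module level, so the pure helpers
    above stay usable without it installed. The mismatch checks mirror the
    TypeErrors cryptography itself raises, but fire before the call."""
    from cryptography.hazmat.primitives.serialization import load_pem_private_key

    data = _as_bytes(pem_data)
    password = normalize_passphrase(passphrase)
    if pem_is_encrypted(data) and password is None:
        raise ValueError("key is encrypted but no passphrase was supplied")
    if not pem_is_encrypted(data) and password is not None:
        raise ValueError("key is not encrypted but a passphrase was supplied")
    return load_pem_private_key(data, password=password)


if __name__ == "__main__":
    # Round trip with a real key; needs pyca/cryptography installed.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.BestAvailableEncryption(b"xxx"),
    )
    # A str passphrase, as in the reports above, now works: it is encoded first.
    print(load_private_key(pem, "xxx").key_size, "bit key; encrypted:",
          pem_is_encrypted(pem))
```

The pre-checks matter in practice: a passphrase given for an unencrypted key, or no passphrase for an encrypted one, both surface from cryptography as a TypeError, and with older releases the wrong type reached OpenSSL's password callback and came back as the opaque "Could not unserialize key data" seen in the first traceback on this page.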

