Cannot Use encrypted key #512

Open
bbernays opened this issue Jun 12, 2024 · 0 comments
Labels
SDK Issue pertains to the SDK itself and not specific to any service

Comments

@bbernays

The documentation for generating an API Signing Key is clear that users should set a passphrase.

The documentation says to use openssl to generate the key. I follow the docs and generate the following:

(This key was generated purely for this issue report and never associated with anything)

bernays@computer-1 oracle % openssl -v                                                                      
OpenSSL 3.3.0 9 Apr 2024 (Library: OpenSSL 3.3.0 9 Apr 2024)

bernays@computer-1 oracle % openssl genrsa -out ~/.oci/oci_api_key.pem -aes128 2048                    
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

bernays@computer-1 oracle % cat ~/.oci/oci_api_key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----

I pass in the passphrase via common.ConfigurationProviderEnvironmentVariables, but the issue is that the OCI SDK uses the x509.IsEncryptedPEMBlock function to check if the PEM block is encrypted. This function assumes that the header DEK-Info is present in the file, which openssl does not set.

if x509.IsEncryptedPEMBlock(pemBlock) {
	if password == nil {
		e = fmt.Errorf("private key password is required for encrypted private keys")
		return
	}
	if decrypted, e = x509.DecryptPEMBlock(pemBlock, password); e != nil {
		return
	}
}

This means that users that follow the exact directions in the above docs are not able to use this SDK to interact with OCI.
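
The mismatch described in the issue, as an added Go example that is not part of the original report or the SDK: the header-only check quoted above next to a check that also looks at the PEM block type. `Format`, `Classify` and `Sample` are hypothetical names, and the sample blocks are constructed with a placeholder body, not real keys.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// Format names how a PEM private key block is protected.
type Format string

const (
	Plain  Format = "unencrypted"
	Legacy Format = "legacy PEM encryption (DEK-Info header)"
	PKCS8  Format = "PKCS#8 EncryptedPrivateKeyInfo"
)

// Classify (hypothetical helper) inspects the block type as well as the
// headers, so PKCS#8 encrypted keys are not mistaken for plaintext.
func Classify(b *pem.Block) Format {
	switch {
	case b.Type == "ENCRYPTED PRIVATE KEY":
		return PKCS8 // encryption parameters live inside the DER body
	case b.Headers["DEK-Info"] != "":
		return Legacy
	}
	return Plain
}

// Sample builds a constructed PEM block with a placeholder body (not a real
// key) and round-trips it through the PEM encoder and parser.
func Sample(typ string, headers map[string]string) *pem.Block {
	raw := pem.EncodeToMemory(&pem.Block{Type: typ, Headers: headers, Bytes: []byte("placeholder")})
	b, _ := pem.Decode(raw)
	return b
}

func main() {
	legacy := Sample("RSA PRIVATE KEY", map[string]string{
		"Proc-Type": "4,ENCRYPTED",
		"DEK-Info":  "AES-128-CBC,00112233445566778899AABBCCDDEEFF", // constructed IV
	})
	pkcs8 := Sample("ENCRYPTED PRIVATE KEY", nil)
	for _, b := range []*pem.Block{legacy, pkcs8} {
		// x509.IsEncryptedPEMBlock is the header-only check quoted in the issue.
		fmt.Printf("%-22s header check=%-5v classify=%s\n",
			b.Type, x509.IsEncryptedPEMBlock(b), Classify(b))
	}
}
```

This covers detection only: x509.DecryptPEMBlock handles just the DEK-Info format, so decrypting the PKCS#8 form needs a PKCS#8-aware parser.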

@richachugh11 richachugh11 added the SDK Issue pertains to the SDK itself and not specific to any service label Sep 25, 2024