Ability to pass a password-protected private key to Aggcat client
Hi, is there any way to pass a password-protected private key to Aggcat?
The Intuit Developer Security Review for the IPP (Intuit Platform Partner) data requires that the Private Key have a password, and that the password be AES encrypted:
https://developer.intuit.com/docs/@api/deki/files/37/ipp_security_review_questionnaire.pdf
Yes, this is possible. You would need to store the password somewhere on the file system (encrypted) and then inject it into the Aggcat call. I'll keep this open. I want to switch Aggcat entirely to JSON support only, which I have started coding, and I'll add this feature in.
Awesome. We were able to get around this for now by creating a NamedTemporaryFile with the decoded key.
Here's an SO post about how M2Crypto prompts for passwords to private keys (it uses a callback). If that parameter to M2Crypto can be floated up through the SAML.__init__ and AggcatClient.__init__, we can use the same technique to get M2Crypto to decode the password:
http://stackoverflow.com/questions/10615098/how-can-i-load-a-password-protected-private-key-from-a-pem-file-with-m2crypto
Also, the way the Ruby aggcat client does it is to optionally accept a string key rather than a key filename. Personally, I don't prefer this way because it seems hacky:
https://github.com/cloocher/aggcat
# certificate could be provided as a string instead of a path to a file using certificate_value
# certificate_value takes precedence over certificate_path
# certificate_value should contain newline characters as appropriate
# config.certificate_value = "-----BEGIN RSA PRIVATE KEY-----\nasdf123FOO$BAR\n...\n-----END RSA PRIVATE KEY-----"
LMK if you're comfortable with the first way and I can create a PR.
I'm comfortable with this approach. It's something I can take into the next version. Looking forward to your pull request.
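An added example, not part of the thread and not Aggcat's code: a passphrase-protected PEM key decrypted in memory through a caller-supplied callback, so no decrypted copy is written to a temporary file. It uses the `cryptography` package rather than M2Crypto (it takes the passphrase as a value, so the wrapper invokes the callback); `make_pem`, `load_signing_key`, `SigningClient`, the passphrase and the SHA-256 signature are assumptions made for illustration, and the lambda stands in for a lookup in a secret store.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


class KeyLoadError(Exception):
    """Raised on load failure; carries no passphrase or key material."""


def make_pem(passphrase=None):
    """Constructed sample input: a fresh RSA key as PEM, encrypted if a passphrase is given."""
    enc = (serialization.BestAvailableEncryption(passphrase) if passphrase
           else serialization.NoEncryption())
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8, enc)


def load_signing_key(pem, passphrase_cb):
    """Decrypt the key in memory; ask for the passphrase only if the PEM is encrypted."""
    # PKCS#8 and traditional OpenSSL PEM both mark an encrypted key with this word.
    password = passphrase_cb() if b"ENCRYPTED" in pem else None
    try:
        return serialization.load_pem_private_key(pem, password=password)
    except (ValueError, TypeError):
        raise KeyLoadError("private key could not be loaded") from None


class SigningClient:
    """Hypothetical stand-in for a client constructor that accepts the callback."""

    def __init__(self, pem, passphrase_cb):
        self._key = load_signing_key(pem, passphrase_cb)

    def sign(self, data):
        return self._key.sign(data, padding.PKCS1v15(), hashes.SHA256())

    def verify(self, data, signature):
        try:
            self._key.public_key().verify(signature, data,
                                          padding.PKCS1v15(), hashes.SHA256())
            return True
        except InvalidSignature:
            return False


if __name__ == "__main__":
    client = SigningClient(make_pem(b"constructed-passphrase"), lambda: b"constructed-passphrase")
    print(client.verify(b"<Assertion/>", client.sign(b"<Assertion/>")))
```

A wrong passphrase surfaces as `KeyLoadError` with a fixed message, so neither the passphrase nor the library's error detail ends up in logs.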