
Python bindings complain about the public key returned from kas_public_key on the platform

Open caread850 opened this issue 1 year ago • 1 comments

Hi, I'm a newcomer evaluating the platform for a larger scale application. I followed the instructions for:

  • Generating platform keys with init-temp-keys.sh
  • Running the docker-compose file
  • Running the keycloak provisioning
  • Starting the service

The service seems to be running fine, however, I am trying to encrypt/decrypt using the Python bindings and running into issues where it states:

Get kas public key failed, kas public key is: "-----BEGIN PUBLIC KEY-----...

After looking through the client code I can see that it is expecting to find -----BEGIN CERTIFICATE-----

Unsure if this is an issue with my installation, an issue with the platform or the client so I posted here.

Attached debug level logs from the Python client showing the KeyCloak communication and call to kas_public_key returning the public key.

debug_log.txt

Thanks!

caread850 avatar Jul 25 '24 04:07 caread850

OK, I'm revisiting the platform and I can see in the OpenTDF C++ code it is expecting a certificate.

Then reading through the Go for the kas_public_key endpoint there is a point where it sends back either a certificate or a public key based on the algorithm sent with the GET to the kas_public_key.

So I can tell OpenTDF that the KAS URL includes something like /kas/kas_public_key?algorithm=ec:secp256r1 and this platform then gives OpenTDF a certificate.

However, when it attempts to use the cert, it states: RuntimeError: Error code 75497574. [asym_encryption.cpp:49] Failed to create X509 cert struct.error:04800066:PEM routines::bad end line.

Examining the response from the kas_public_key endpoint, it is one \n short in the certificate output, which would be causing OpenTDF not to work correctly.

Also, how does offline encryption work with this? TDFv3 states that it is supported, but I can't for the life of me get it to stop calling the IdP and the KAS.

caread850 avatar Aug 21 '24 07:08 caread850
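As an added check (not code from this thread, the platform, or the OpenTDF client), this stdlib-only Python helper inspects a PEM block the way a strict reader such as OpenSSL's PEM routines does and repairs the missing newline before the END marker that the post above describes; the sample PEM bodies are constructed and are not real certificates.

```python
"""Check a PEM block for the "bad end line" condition described in the thread.

A certificate that is one "\n" short puts "-----END CERTIFICATE-----" on the
same line as the last base64 chunk; strict readers reject it. Samples below
are constructed: the body is a tiny DER SEQUENCE, not a real certificate.
"""
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]{1,64}={0,2}$")  # RFC 7468: at most 64 chars per line

# Constructed samples; "MAMCAQE=" is base64 of DER SEQUENCE { INTEGER 1 }.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SHORT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=-----END CERTIFICATE-----\n"


def inspect_pem(text: str) -> list[str]:
    """Return the problems found in the first PEM block of text (empty list = OK)."""
    lines = text.strip().splitlines()
    m = BEGIN_RE.match(lines[0]) if lines else None
    if not m:
        return ["no BEGIN line"]
    label, body = m.group(1), []
    for line in lines[1:]:
        end = END_RE.match(line)
        if end:
            if end.group(1) != label:
                return [f"END label {end.group(1)!r} != BEGIN label {label!r}"]
            break
        if not B64_LINE_RE.match(line):
            # The thread's failure: base64 and the END marker glued onto one line.
            return [f"bad end line / non-base64 line: {line[-48:]!r}"]
        body.append(line)
    else:
        return ["END line missing"]
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return ["body is not valid base64"]
    # X.509 certificates and SubjectPublicKeyInfo both start with a DER SEQUENCE (0x30).
    return [] if der[:1] == b"\x30" else ["DER does not start with SEQUENCE"]


def repair_missing_end_newline(text: str) -> str:
    """Insert the newline a strict reader needs before '-----END' when it is absent."""
    return re.sub(r"(?<=[A-Za-z0-9+/=])-----END ", "\n-----END ", text)
```

Running `inspect_pem` on the raw kas_public_key response before handing it to a client separates a malformed server response from a client-side parsing problem.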

Python isn't actively being maintained and has been made private. I'd suggest focusing on Go (the core language), Java, or client_web (JS) - those are all public.

damorris25 avatar Aug 25 '24 12:08 damorris25

Thank you.

caread850 avatar Aug 26 '24 01:08 caread850