Solved

How to integrate PGP using python

  • 22 February 2022
  • 8 replies
  • 3137 views

Hello team

I am currently trying to encrypting the message using PGPY library on python side so we can generate the claim for front end to use to integrate dashboard through pgp SSO.

 

However I am stuck at the `sign` stage , all the signed message seems not able to be decrypted on Gooddata side, 

error: 

The error message is Cannot decrypt SSO message from sso provider=pgp-test.polyai-test.<hidden> Invalid sessionId

Error code='sso.decrypt'

Request id='aN3MEuAqWGt8SSrK:woOj0utfTAwppYz4'

 

Look like pgpy only support clearSign by looking at the source code. ( At least that’s what I think why Gooddata cannot decrypt it)

 

I wonder if there is any suggestion on how to encrypt the message using python instead of using gnupg ?

 

That will be super helpful !

 

Thanks so much

icon

Best answer by qian zheng 23 February 2022, 15:32

View original

8 replies

Userlevel 2

Hello Qian,

I was checking the request ID you provided in our logs and see the following error:

Cannot decrypt SSO message
java.lang.IllegalStateException: Cannot recognize format of signed data!

If you prepare encryptedClaims manually using gpg utility as described here and use it for log in, does that work? This way we can confirm correct keys are used for signing and encrypting.

​​​​​​​-Jan

Yes, it would work if I use GPG tool,99 % sure it’s the right key

Just checked , If I use gnupg to sign it with --clearsign option, I got the same error, so I feel like the issue is with the clearsign ( that gpgy library is doing )

Userlevel 2

If you compare outputs from the pgpy library with gpg commands we have in our documentation, are you able to decode the difference? Especially when signing the message and encrypting.
If it doesn't help, would you mind sharing with us code snippet with your PGPY pgp SSO implementation?

-Jan
 

There is some difference for signing, gnupg generated the sign txt with header -----BEGIN PGP MESSAGE-----

But the signed.txt I generated with pgpy has header -----BEGIN PGP SIGNATURE-----

Code snippet : 

 
info = { "email": "qian@poly-ai.com", "validity": 1645527373}
z = PGPMessage.new(bytearray(json.dumps(info).encode()))
print(z.type). //literal
print(z) // PGP MESSAGE
sign_txt = privateKey.sign(z)
print(sign_txt)//-----BEGIN PGP SIGNATURE-----
message = PGPMessage.new(str(sign_txt))
​​​​​​​encrypt = publicKey.encrypt(message)
print(str(encrypt)) // -----BEGIN PGP MESSAGE-----

 

 

I have tried with `bytearray` and just pure json str.

 

Thanks for looking into this for me

( Encrypting with gooddata public key is defo working correctly because I tried to encrypt the signed txt generated using gnupg sign, and it worked , so the only issue is signing )

 

Qian

And also if I try 

 

z = PGPMessage.new('test')
sign_txt = privateKey.sign(z)
print(mypublicKey.verify('test', sign_txt))

 

This does give my the `true` and myPublicKey is the public key I shared with Gooddata team

Ok guys, I got this working !

from pgpy import PGPKey, PGPMessage
info = {
"email": "qian@poly-ai.com",
"validity": 1645527373
}

privateKey, _ = PGPKey.from_file("./private.key")
publicKey, _ = PGPKey.from_file("./public.asc")


with privateKey.unlock('gooddata@poly-ai.com'):
with open('./test.json', "rb") as f:
z = PGPMessage.new('./test.json', file=True)
z |= privateKey.sign(z)
encrypt = publicKey.encrypt(z)
print(str(encrypt))

 

the key thing is |= instead = ( I have no idea why, but it worked :D )

Userlevel 2

Hey Qian, I'm glad you managed to figure it out :) 

Reply