
I'm trying to sign data with the OpenSSL crypto library. I'm working locally, but since I will be deploying to Cloud Functions, I'm testing with my key located in .env

import base64
import json
import os

from OpenSSL import crypto

def encrypt_metadata(data):
    # Serialize the payload to UTF-8 JSON bytes
    metadata = json.dumps(data, indent=2).encode('utf-8')

    # PEM-encoded private key read from the environment (.env when running locally)
    ENCRYPTION_KEY = os.environ.get('private_ssl_passbase_key')
    pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, bytes(ENCRYPTION_KEY, 'utf-8'))

    # Sign the metadata with SHA-256 (this produces a signature, not ciphertext)
    signature = base64.b64encode(crypto.sign(pkey, metadata, 'sha256'))

    return signature

My error is related to: pkey

[('DECODER routines', '', 'unsupported')]

How can I use my string Encryption key in the crypto.sign?

My key in .env looks something like this

private_ssl_passbase_key="-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----"

SOLVED If you see

-----END RSA PRIVATE KEY---- 

it's missing 1 "-"

Alexander Thomsen
  • On my machine, the code works with a valid key. Have you checked your key? By the way, the posted key is invalid, but because of *looks something like this* it is probably just a dummy and not the real key. – Topaco Aug 01 '22 at 14:07
  • I missed a "-" at the end of the END RSA PRIVATE KEY so it was invalid. Gosh, I hate these moments. Thanks for checking! – Alexander Thomsen Aug 01 '22 at 14:13

1 Answer

The ----…----- blocks need to be on separate lines. So you need to put line breaks in the environment variable. Something like:

private_ssl_passbase_key="-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAuzJQYKTzgh5dGsKeOv8rm3esc6NEztjNbibHNnZZQQxnZRgS7JE3lKzVZ4vqShZrbewEH/ZYfvtOEClVwsOEdLP8pqIQt4Yc3z0szQ0DvAmz9BcW/1mqMkrdtZdThegvFdCsRhvmRjVm2H0fCBT8pFZwXZo0Zwcr2GSdvXATzVbGbQQSPddHwBlIVrXk3QGOkKVrGNRkZx1X3lcpJRVPkcIxTrm4No3vSZC5LbfQzFnHT71ugt/IF210550e7oAmQKvk0Us2GlNQIRIMAsPSmBUkmn
-----END RSA PRIVATE KEY-----"

Or if you prefer to fit the declaration on a single physical line:

private_ssl_passbase_key="-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEAuzJQYKTzgh5dGsKeOv8rm3esc6NEztjNbibHNnZZQQxnZRgS7JE3lKzVZ4vqShZrbewEH/ZYfvtOEClVwsOEdLP8pqIQt4Yc3z0szQ0DvAmz9BcW/1mqMkrdtZdThegvFdCsRhvmRjVm2H0fCBT8pFZwXZo0Zwcr2GSdvXATzVbGbQQSPddHwBlIVrXk3QGOkKVrGNRkZx1X3lcpJRVPkcIxTrm4No3vSZC5LbfQzFnHT71ugt/IF210550e7oAmQKvk0Us2GlNQIRIMAsPSmBUkmn\n-----END RSA PRIVATE KEY-----"

You can break the base64 part into more lines if you want.

The base64 data is invalid, but the start is correct for a 4096-bit RSA key. I assume you truncated it to post here. Note that what you posted may be sufficient to reconstruct the key (I haven't checked), so make sure not to use that key for anything other than experimentation on your local machine.

Gilles 'SO- stop being evil'
  • Thanks for it! fixed the key in .env - Unfortunately it still throws the exact same error for this one pkey = crypto.load_privatekey('FILETYPE_PEM', ENCRYPTION_KEY). I also tried to put the encryption key directly into pkey position for crypto.sign but then I get error missing _pkey – Alexander Thomsen Aug 01 '22 at 12:59
  • @AlexanderThomsen For a start, make sure this is the only corruption. I can't help you since what you posted is obviously truncated (just the base64 part: the `----END…-----` part is supposed to be the last thing). If what you posted is what you have, then it's already been corrupted, so make sure to copy it accurately from the file where it's stored. – Gilles 'SO- stop being evil' Aug 01 '22 at 13:01
  • Added the whole key in the post. cheers. – Alexander Thomsen Aug 01 '22 at 13:13
  • Problem solved it was my key in .env -_- – Alexander Thomsen Aug 01 '22 at 14:13
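
The two failure modes in this thread (an END line one dash short, and BEGIN/END markers not on their own lines) can be caught before the value reaches `crypto.load_privatekey`. The following is an added example, not code from the question or the answer: `normalize_pem` and `diagnose_pem` are hypothetical helper names, the sample body is constructed and is not a real key, and only the PEM framing is checked, not whether the body is a valid RSA key.

```python
import base64
import re

# RFC 7468 boundary lines: exactly five dashes on each side of the label.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def normalize_pem(value):
    """Expand literal backslash-n pairs left by a .env loader and trim whitespace."""
    return value.replace("\\n", "\n").strip()


def diagnose_pem(value):
    """Return a list of PEM framing problems; an empty list means the framing is sound."""
    lines = [ln.strip() for ln in normalize_pem(value).splitlines() if ln.strip()]
    if len(lines) < 3:
        return ["BEGIN line, base64 body and END line must be on separate lines"]
    problems = []
    begin, end = BEGIN_RE.match(lines[0]), END_RE.match(lines[-1])
    # Messages never echo the offending line, so key material cannot reach logs.
    if not begin:
        problems.append("malformed BEGIN line (needs five dashes on each side)")
    if not end:
        problems.append("malformed END line (needs five dashes on each side)")
    if begin and end and begin.group(1) != end.group(1):
        problems.append("BEGIN and END labels differ")
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("body is not valid base64")
    return problems


# Constructed sample: 48 arbitrary bytes, NOT a real key; only the framing is tested.
BODY = base64.b64encode(bytes(range(48))).decode("ascii")
GOOD = "-----BEGIN RSA PRIVATE KEY-----\n" + BODY + "\n-----END RSA PRIVATE KEY-----"

if __name__ == "__main__":
    cases = {
        "well-formed": GOOD,
        "END line short one dash": GOOD[:-1],
        "everything on one line": GOOD.replace("\n", ""),
        "literal \\n escapes": GOOD.replace("\n", "\\n"),
    }
    for name, pem in cases.items():
        print(name, "->", diagnose_pem(pem) or "ok")
```

When `diagnose_pem` returns an empty list, `normalize_pem(value).encode('utf-8')` is the byte string to hand to `crypto.load_privatekey(crypto.FILETYPE_PEM, ...)`.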