Snowflake-Credentials block from Prefect-Snowflake does not work with encrypted private keys due to bad regex #17883

Closed
konwiddak opened this issue Apr 22, 2025 · 2 comments · Fixed by #17985
Labels
bug Something isn't working

Comments

@konwiddak
konwiddak commented Apr 22, 2025

Bug summary

Snowflake-Credentials can be set up using a private-public keypair. Ideally the key would be encrypted with a private key passphrase.

An encrypted private key PEM file is structured like this (this is not a real key!):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,ABCDEF304983345

eeiuf9ehfiuehf989879heifhaiefa78fheahfe8a7hf8e7hf8ea7hf8ea7
ef9hea9afhe98y395874938749q38ya9r8h3f938hf938hf93qhf93ahhhh
30ru83q9r83q98r3q98rh39h8r3h838383rh39rh398qh938rh3q9hrjjjj
-----END RSA PRIVATE KEY-----

Unlike unencrypted keys, it contains the keywords Proc-Type and DEK-Info.

prefect/src/integrations/prefect-snowflake/prefect-snowflake/credentials.py

Line 226:

composed_private_key = self._compose_pem(private_key)

_compose_pem does a regex on the PEM file using the following pattern to split the key into parts:

_SIMPLE_PEM_CERTIFICATE_REGEX = "^(-+[^-]+-+)([^-]+)(-+[^-]+-+)"

Unfortunately this regex identifies the "-" in the "Proc-Type" keyword as the start of the last line of the PEM file and the - in DEK-Info as the end of the file. This means that it parses the key to be:

-----BEGIN RSA PRIVATE KEY-----\nProc\n-Type: 4,ENCRYPTED\r\nDEK-

This is now an invalid key and it throws an error:

 ValueError('Could not deserialize key data. The data may be in an incorrect format, the provided password may be incorrect, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

If I patch line 226 to be:

composed_private_key = private_key

Then it loads and decrypts the key correctly, just without protection of malformed pem files.

The process needs to be adjusted to reassemble the pem file correctly.

Version info

Version:             3.3.5
API version:         0.8.4
Python version:      3.12.10
Git commit:          db4b7a33
Built:               Thu, Apr 17, 2025 09:25 PM
OS/Arch:             win32/AMD64
Profile:             prod
Server type:         server
Pydantic version:    2.11.3
Integrations:
  prefect-dask:      0.3.4
  prefect-snowflake: 0.28.2

Additional context

No response

@konwiddak konwiddak added the bug Something isn't working label Apr 22, 2025
@konwiddak
Author

konwiddak commented Apr 22, 2025

A bit more info around this issue: there's a bit of subtlety to ensure the PEM is in the right format.

In credentials.py, this alternative pattern works as intended to split the PEM correctly:

^(-+[^-]+-+)([\s\S]+?)(--+[^-]+-+)

However, this still breaks because _compose_pem then regex-splits on "\s+", which strips whitespace, and re-forms the body with new lines. This breaks up this part of the PEM key due to the space after the colon:

Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,ABCDEF304983345

It's possible to adjust the regex to ignore the space after the colon; however, this removes the new line between DEK-Info and the key. This also breaks the PEM format.

This key will not work:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,ABCDEF304983345
eeiuf9ehfiuehf989879heifhaiefa78fheahfe8a7hf8e7hf8ea7hf8ea7
ef9hea9afhe98y395874938749q38ya9r8h3f938hf938hf93qhf93ahhhh
30ru83q9r83q98r3q98rh39h8r3h838383rh39rh398qh938rh3q9hrjjjj
-----END RSA PRIVATE KEY-----

This key is ok because it contains the new line:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,ABCDEF304983345

eeiuf9ehfiuehf989879heifhaiefa78fheahfe8a7hf8e7hf8ea7hf8ea7
ef9hea9afhe98y395874938749q38ya9r8h3f938hf938hf93qhf93ahhhh
30ru83q9r83q98r3q98rh39h8r3h838383rh39rh398qh938rh3q9hrjjjj
-----END RSA PRIVATE KEY-----

I'm presuming the malformed PEM comes from the Block storing new lines incorrectly (?). Perhaps the code should not manipulate the PEM if it's being directly read from a file?
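
Added example (not part of the issue thread, and not Prefect's code or the fix merged in #17985): the two comments above, reproduced offline. `compose_as_described` rebuilds the split-and-rejoin behaviour from the description in the comments using the quoted regex; `FRAMED_PEM_REGEX` and `compose_header_aware` are hypothetical names for one way to normalise whitespace while keeping the `Proc-Type`/`DEK-Info` headers and the blank line after them.

```python
import re

# Pattern quoted in the issue (first comment).
SIMPLE_PEM_REGEX = r"^(-+[^-]+-+)([^-]+)(-+[^-]+-+)"
# Assumed stricter framing: full BEGIN/END lines whose labels must match.
FRAMED_PEM_REGEX = r"^(-----BEGIN ([A-Z0-9 ]+)-----)\s+(.*?)\s+(-----END \2-----)$"

# Constructed sample in the shape shown in the issue (not a real key).
SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,ABCDEF304983345\n"
    "\n"
    "eeiuf9ehfiuehf989879heifhaiefa78fheahfe8a7hf8e7hf8ea7hf8ea7\n"
    "30ru83q9r83q98r3q98rh39h8r3h838383rh39rh398qh938rh3q9hrjjjj\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def compose_as_described(pem: str) -> str:
    """Split with the quoted regex, then re-join the body on whitespace."""
    parts = re.match(SIMPLE_PEM_REGEX, pem)
    if parts is None:
        raise ValueError("Invalid PEM format.")
    body = "\n".join(re.split(r"\s+", parts[2].strip()))
    return f"{parts[1]}\n{body}\n{parts[3]}"


def compose_header_aware(pem: str) -> str:
    """Normalise whitespace but keep 'Name: value' headers and the blank line."""
    parts = re.match(FRAMED_PEM_REGEX, pem.strip(), re.DOTALL)
    if parts is None:
        raise ValueError("Invalid PEM format.")
    begin, _label, inner, end = parts.groups()
    tokens = inner.split()
    headers = []
    # Base64 never contains ':', so a token ending in ':' is a header name.
    # Assumption: header values (as in Proc-Type / DEK-Info) hold no spaces.
    while len(tokens) >= 2 and tokens[0].endswith(":"):
        headers.append(f"{tokens.pop(0)} {tokens.pop(0)}")
    if not tokens or any(":" in t or "-" in t for t in tokens):
        raise ValueError("Invalid PEM body.")
    head = "\n".join(headers) + "\n\n" if headers else ""
    return f"{begin}\n{head}" + "\n".join(tokens) + f"\n{end}\n"


if __name__ == "__main__":
    print(repr(compose_as_described(SAMPLE)))  # cut off inside "DEK-Info"
    print(compose_header_aware(SAMPLE.replace("\n", " ")))  # layout restored
```

The header-aware version returns the same bytes whether the stored key kept its newlines, had them replaced by spaces, or lost the blank line after `DEK-Info`.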

@zzstoatzz
Collaborator

the fix (linked above) is now released in prefect-snowflake==0.28.4 - let us know if you're still seeing anything unexpected!
