aws / aws-encryption-sdk-python

AWS Encryption SDK
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
Apache License 2.0

Error when calling API to decrypt Cognito MFA code: '65 is not a valid SerializationVersion' #695

Open dtataru-bainbridge opened 1 week ago

dtataru-bainbridge commented 1 week ago

Security issue notifications

N/A

Problem:

I'm following the steps here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html to have Cognito call my lambda which needs to decrypt the MFA code and use a custom API to email it (since Cognito doesn't support email MFA :/).

Getting error: 65 is not a valid SerializationVersion. I never set any version other than LambdaVersion=V1_0, as outlined in the doc above, so I have no idea where that is from.

Stack trace:

Traceback (most recent call last):
  File "/var/task/aws_encryption_sdk/internal/formatting/deserialize.py", line 87, in _verified_version_from_id
    return SerializationVersion(version_id)
  File "/var/lang/lib/python3.9/enum.py", line 384, in __call__
    return cls.__new__(cls, value)
  File "/var/lang/lib/python3.9/enum.py", line 702, in __new__
    raise ve_exc
ValueError: 65 is not a valid SerializationVersion

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/task/aws_encryption_sdk/__init__.py", line 186, in decrypt
    plaintext = decryptor.read()
  File "/var/task/aws_encryption_sdk/streaming_client.py", line 250, in read
    self._prep_message()
  File "/var/task/aws_encryption_sdk/streaming_client.py", line 782, in _prep_message
    self._header, self.header_auth = self._read_header()
  File "/var/task/aws_encryption_sdk/streaming_client.py", line 797, in _read_header
    header, raw_header = deserialize_header(self.source_stream, self.config.max_encrypted_data_keys)
  File "/var/task/aws_encryption_sdk/internal/formatting/deserialize.py", line 336, in deserialize_header
    version = _verified_version_from_id(version_id)
  File "/var/task/aws_encryption_sdk/internal/formatting/deserialize.py", line 89, in _verified_version_from_id
    raise NotSupportedError("Unsupported version {}".format(version_id), error)
aws_encryption_sdk.exceptions.NotSupportedError: ('Unsupported version 65', ValueError('65 is not a valid SerializationVersion'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/task/aws_encryption_sdk/streaming_client.py", line 218, in __exit__
    self.close()
  File "/var/task/aws_encryption_sdk/streaming_client.py", line 985, in close
    raise SerializationError("Footer not read")
aws_encryption_sdk.exceptions.SerializationError: Footer not read

Solution:

Looking for one.

Out of scope:

N/A

dtataru-bainbridge commented 1 week ago

Got a solution here: https://stackoverflow.com/questions/78704479/aws-encryption-sdk-python-decrypt-error-65-is-not-a-valid-serializationversion

The issue was the base64 encoding. Leaving this issue open in case you guys want to update your documentation to mention base64 decoding (similarly to the JS sister-library offered).

A better error message would be nice too.
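
The version number in the error follows from the base64 cause reported above: a raw message starts with version byte 1 or 2, and either value base64-encodes to a leading "A", which is ASCII 65. The pre-decrypt check below is an added example, not code from the SDK or from the issue author; `to_raw_message` and `explain_version_error` are hypothetical helper names and the sample bytes are constructed.

```python
import base64
import binascii
import string

# Version bytes that begin a raw AWS Encryption SDK message (SerializationVersion V1, V2).
KNOWN_VERSIONS = (1, 2)
B64_ALPHABET = string.ascii_letters + string.digits + "+/="


def explain_version_error(version_id):
    """Describe what a rejected leading byte most likely is."""
    if version_id < 128 and chr(version_id) in B64_ALPHABET:
        return "byte {} is ASCII {!r}: input looks like base64 text, not a raw message".format(
            version_id, chr(version_id))
    return "byte {} is not a known message version".format(version_id)


def to_raw_message(blob):
    """Return raw message bytes, base64-decoding the input only when needed."""
    data = blob.encode("ascii") if isinstance(blob, str) else bytes(blob)
    if not data:
        raise ValueError("empty ciphertext")
    if data[0] in KNOWN_VERSIONS:
        return data  # already raw: bytes 0x01/0x02 are never base64 characters
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(explain_version_error(data[0])) from exc
    if not decoded or decoded[0] not in KNOWN_VERSIONS:
        raise ValueError("decoded input does not start with a known message version")
    return decoded


# Constructed sample: a v1-style prefix (version 0x01, type 0x80) plus filler bytes.
SAMPLE_RAW = bytes([0x01, 0x80]) + bytes(range(16))
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_B64[:4], ord(SAMPLE_B64[0]))      # leading character and its byte value
    print(explain_version_error(65))
    print(to_raw_message(SAMPLE_B64) == SAMPLE_RAW)
```

The bytes returned by `to_raw_message` are what would be passed to the SDK's decrypt call in place of the base64 string from the Cognito event.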