wbond / oscrypto

Compiler-free Python crypto library backed by the OS, supporting CPython and PyPy
MIT License

OSError: None in virtualenv #7

Closed the01 closed 8 years ago

the01 commented 8 years ago

Hi, I am trying to run oscrypto (latest pip install) inside a virtualenv on OSX 10.10 (python2.7). As a test one-liner:

python -c "import oscrypto.asymmetric as asym;asym.generate_pair('rsa', 1024)"

and end up with:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "env/lib/python2.7/site-packages/oscrypto/_osx/asymmetric.py", line 388, in generate_pair
    handle_sec_error(result)
  File "env/lib/python2.7/site-packages/oscrypto/_osx/_security.py", line 47, in handle_sec_error
    raise exception_class(output)
OSError: None

Any ideas or reasons why this wouldn't work?

wbond commented 8 years ago

I wonder if this is related to http://stackoverflow.com/questions/11206327/secitemexport-fails-when-exporting-private-key?

Also, could you try with a larger RSA key?

python -c "import oscrypto.asymmetric as asym;asym.generate_pair('rsa', 2048)"

Have you checked to see if this works outside of a virtualenv with the system environment?

I haven't run into the problem with my testing on OS X 10.7-10.10 or with the Travis CI machines (10.9). There must be something different between the environment or system configuration of the environments I've been working in and the one you are using.

Either way, it is something I'll need to get solved. The first step will be trying to figure out how to reproduce.

the01 commented 8 years ago

Yes, other key sizes were the first thing I tried - same result.

It works just fine outside the virtualenv. Maybe one needs to link some .so files or a problem with permissions?

Have you worked in a virtualenv before?

wbond commented 8 years ago

I have worked in a virtualenv before, but not with oscrypto yet. I will do some testing of it on 10.10 in a virtualenv to see if I can reproduce.

I have found a few things to fix in the meantime, in terms of error reporting in handle_sec_error().

wbond commented 8 years ago

After a tweak to the error handling function for the Security.framework, this is what I get:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/Users/wbond/dev/py27venv/lib/python2.7/site-packages/oscrypto/_osx/asymmetric.py", line 388, in generate_pair
    handle_sec_error(result)
  File "/Users/wbond/dev/py27venv/lib/python2.7/site-packages/oscrypto/_osx/_security.py", line 47, in handle_sec_error
    raise exception_class(output)
OSError: The user name or passphrase you entered is not correct.

It only happens with the system Python 2.7 inside of a virtualenv. Does not happen outside of a virtualenv, or inside or outside of a virtualenv with Python 2.7 from pyenv.

The specific error code is -25293 which is errSecAuthFailed.

wbond commented 8 years ago

My guess is that with the system Python, the calls to Security.framework are adding the generated key to the default keychain for the current user. Then when exporting, it wants the user name and password, but that is unavailable.

It seems I will likely have to see if I can work around this by using a slightly different API or generating a temporary keychain to generate the key inside of.

the01 commented 8 years ago

The actual error message for OSError instead of None is already a nice improvement :)

Keep up the good work and let me know if I can test something for you.

wbond commented 8 years ago

Version 0.14.1 works around this issue by using OpenSSL to generate the pair and then loading it for use with the Security.framework.

I spent quite a bit of time trying to find a way around the issue without resorting to this. Unfortunately, none of the different ways for generating keys, in either the default or a new keychain, with or without a passphrase, would succeed.

It is implemented in such a way that the workaround is only applied when a virtualenv from the system Python is detected on OS X.
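
The following is an added example, not part of the thread and not oscrypto's own code. It sketches one way to detect the environment the thread narrows the failure down to (a virtualenv built from the OS X system Python) and to build an error message that keeps the OSStatus even when no message text is available. The function names are hypothetical, and the system Python framework path is an assumption about Apple's layout.

```python
import sys

# OSStatus value and name as quoted in the thread.
ERR_SEC_AUTH_FAILED = -25293

# Assumption: Apple's bundled Python is installed under this framework path.
SYSTEM_PYTHON_ROOT = "/System/Library/Frameworks/Python.framework"


def current_environment():
    """Return (platform, prefix, base) for the running interpreter."""
    # virtualenv sets sys.real_prefix; the venv module sets sys.base_prefix.
    base = getattr(sys, "real_prefix", None) or getattr(sys, "base_prefix", sys.prefix)
    return sys.platform, sys.prefix, base


def is_system_python_virtualenv(platform, prefix, base):
    """True for a virtualenv on OS X whose base interpreter is the system Python."""
    if platform != "darwin" or base == prefix:
        return False  # not OS X, or not inside a virtualenv at all
    return base == SYSTEM_PYTHON_ROOT or base.startswith(SYSTEM_PYTHON_ROOT + "/")


def describe_sec_error(status, message, in_system_venv):
    """Build exception text that never degrades to 'None' and keeps the OSStatus."""
    text = "%s (OSStatus %d)" % (message or "Security.framework call failed", status)
    if status == ERR_SEC_AUTH_FAILED and in_system_venv:
        text += "; errSecAuthFailed in a virtualenv built from the system Python"
    return text


if __name__ == "__main__":
    affected = is_system_python_virtualenv(*current_environment())
    # Constructed input: a failed call whose message lookup returned nothing.
    print(describe_sec_error(ERR_SEC_AUTH_FAILED, None, affected))
```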