ValueError: MAC check failed after adding new user #11

Open
ChristophorusReyhan opened this issue Nov 4, 2019 · 7 comments

@ChristophorusReyhan

Hi,
After I added a user to a service, when I use `get_password('service','new_user')` I get `ValueError: mac check failed`.
Here's the log:

```
Traceback (most recent call last):
  File "/home/reyhan/project/.virtualenvs/keras_tf/lib/python3.6/site-packages/keyrings/cryptfile/file_base.py", line 116, in get_password
    password = self.decrypt(password_encrypted, assoc).decode('utf-8')
  File "/home/reyhan/project/.virtualenvs/keras_tf/lib/python3.6/site-packages/keyrings/cryptfile/cryptfile.py", line 130, in decrypt
    return cipher.decrypt_and_verify(data['data'], data['mac'])
  File "/home/reyhan/project/.virtualenvs/keras_tf/lib/python3.6/site-packages/Crypto/Cipher/_mode_gcm.py", line 567, in decrypt_and_verify
    self.verify(received_mac_tag)
  File "/home/reyhan/project/.virtualenvs/keras_tf/lib/python3.6/site-packages/Crypto/Cipher/_mode_gcm.py", line 508, in verify
    raise ValueError("MAC check failed")
ValueError: MAC check failed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "test.py", line 18, in <module>
    data["pass"] = file_kr.get_password(crd.getSID(tipe), json_data[tipe]["send"])
  File "/home/reyhan/project/.virtualenvs/keras_tf/lib/python3.6/site-packages/keyrings/cryptfile/file_base.py", line 119, in get_password
    password = self.decrypt(password_encrypted).decode('utf-8')
  File "/home/reyhan/project/.virtualenvs/keras_tf/lib/python3.6/site-packages/keyrings/cryptfile/cryptfile.py", line 130, in decrypt
    return cipher.decrypt_and_verify(data['data'], data['mac'])
  File "/home/reyhan/project/.virtualenvs/keras_tf/lib/python3.6/site-packages/Crypto/Cipher/_mode_gcm.py", line 567, in decrypt_and_verify
    self.verify(received_mac_tag)
  File "/home/reyhan/project/.virtualenvs/keras_tf/lib/python3.6/site-packages/Crypto/Cipher/_mode_gcm.py", line 508, in verify
    raise ValueError("MAC check failed")
ValueError: MAC check failed
```

@mirekphd

mirekphd commented Jan 24, 2020

I got that error too... so I tried to switch over to the `keyring` package, but it did not solve the issue.

@frispete
Owner

Could one of you provide a reproducible snippet, please?

@frispete frispete reopened this Jan 24, 2020
@ChristophorusReyhan
Author

I fixed it before. The cause is that the master password is global for all service IDs (you can't have multiple master passwords for multiple services). I (stupidly) thought I could make 2 different services with 2 master passwords (I thought that's how it works, mistakes were made).

@mirekphd

Sure. First run some Python 3 env, like this container of mine: `docker run --rm -p 8888:8888 -u 1000 -v $PWD:/home/jovyan mirekphd/ml-cpu-py37-jup-cust:20202401`.

Then try to run this Python code in Jupyter Notebook or python:

```python
from keyrings.cryptfile.cryptfile import CryptFileKeyring

# instantiate the CryptFileKeyring class
kr = CryptFileKeyring()

# set password to the chosen service, which also invokes a dialog box
# to set the keyring password as well (which is masked as you type);
# caution: there is no way to avoid typing service password
# here in plain text, so delete the line with "mypass=" after use
# kr.delete_password(service="vertica", username="username")
mypass = "pass123"
kr.set_password(service="vertica", username="username", password=mypass)
```

Output:

```
Please enter password for encrypted keyring: ········

---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)
/opt/conda/lib/python3.7/site-packages/keyrings/cryptfile/file_base.py in get_password(self, service, username)
    115             try:
--> 116                 password = self.decrypt(password_encrypted, assoc).decode('utf-8')
    117             except ValueError:

/opt/conda/lib/python3.7/site-packages/keyrings/cryptfile/cryptfile.py in decrypt(self, password_encrypted, assoc)
    129         # throws ValueError in case of failures
--> 130         return cipher.decrypt_and_verify(data['data'], data['mac'])
    131 

/opt/conda/lib/python3.7/site-packages/Crypto/Cipher/_mode_gcm.py in decrypt_and_verify(self, ciphertext, received_mac_tag, output)
    566         plaintext = self.decrypt(ciphertext, output=output)
--> 567         self.verify(received_mac_tag)
    568         return plaintext

/opt/conda/lib/python3.7/site-packages/Crypto/Cipher/_mode_gcm.py in verify(self, received_mac_tag)
    507         if mac1.digest() != mac2.digest():
--> 508             raise ValueError("MAC check failed")
    509 

ValueError: MAC check failed

During handling of the above exception, another exception occurred:

ValueError                                Traceback (most recent call last)
<ipython-input-14-7d94bae3652b> in <module>
     11 # # here in plain text, so this line must be deleted after use!
     12 # kr.delete_password(service="vertica", username="JF169533")
---> 13 kr.set_password(service="vertica", username="JF169533", password=mypass)
     14 # keyring.set_password(service_name="vertica", username="JF169533", password=mypass)
     15 

/opt/conda/lib/python3.7/site-packages/keyrings/cryptfile/file_base.py in set_password(self, service, username, password)
    127         assoc = self._generate_assoc(service, username)
    128         # encrypt the password
--> 129         password_encrypted = self.encrypt(password.encode('utf-8'), assoc)
    130         # encode with base64 and add line break to untangle config file
    131         password_base64 = '\n' + encodebytes(password_encrypted).decode()

/opt/conda/lib/python3.7/site-packages/keyrings/cryptfile/cryptfile.py in encrypt(self, password, assoc)
    108     def encrypt(self, password, assoc = None):
    109         salt = os.urandom(16)
--> 110         cipher = self._create_cipher(self.keyring_key, salt)
    111         if assoc is not None:
    112             cipher.update(assoc)

/opt/conda/lib/python3.7/site-packages/keyring/util/properties.py in __get__(self, obj, objtype)
     57         if obj is None:
     58             return self
---> 59         return self.fget(obj)

/opt/conda/lib/python3.7/site-packages/keyrings/cryptfile/file.py in keyring_key(self)
     93         # _unlock or _init_file will set the key or raise an exception
     94         if self._check_file():
---> 95             self._unlock()
     96         else:
     97             self._init_file()

/opt/conda/lib/python3.7/site-packages/keyrings/cryptfile/file.py in _unlock(self)
    185             'Please enter password for encrypted keyring: ')
    186         try:
--> 187             ref_pw = self.get_password('keyring-setting', 'password reference')
    188             assert ref_pw == 'password reference value'
    189         except AssertionError:

/opt/conda/lib/python3.7/site-packages/keyrings/cryptfile/file_base.py in get_password(self, service, username)
    117             except ValueError:
    118                 # decrypt the password without associated data
--> 119                 password = self.decrypt(password_encrypted).decode('utf-8')
    120         except (configparser.NoOptionError, configparser.NoSectionError):
    121             password = None

/opt/conda/lib/python3.7/site-packages/keyrings/cryptfile/cryptfile.py in decrypt(self, password_encrypted, assoc)
    128             cipher.update(assoc)
    129         # throws ValueError in case of failures
--> 130         return cipher.decrypt_and_verify(data['data'], data['mac'])
    131 
    132     def _check_scheme(self, config):

/opt/conda/lib/python3.7/site-packages/Crypto/Cipher/_mode_gcm.py in decrypt_and_verify(self, ciphertext, received_mac_tag, output)
    565 
    566         plaintext = self.decrypt(ciphertext, output=output)
--> 567         self.verify(received_mac_tag)
    568         return plaintext
    569 

/opt/conda/lib/python3.7/site-packages/Crypto/Cipher/_mode_gcm.py in verify(self, received_mac_tag)
    506 
    507         if mac1.digest() != mac2.digest():
--> 508             raise ValueError("MAC check failed")
    509 
    510     def hexverify(self, hex_mac_tag):

ValueError: MAC check failed
```

@ChristophorusReyhan
Author

Have you tried using `kr.keyring_key = "your keyring password"`?
https://github.com/frispete/keyrings.cryptfile/blob/master/README.md

@network-shark

I get this failure as well if I enter a wrong password.

@frispete
Owner

Well, raising VALUE_ERROR if the wrong password is provided is part of the API inherited from Python keyring and not something that can or should be changed.

I will document the fact in the next round of commits.
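
The behaviour discussed in this thread, as an added example that is not part of the issue or the project's code: a key derived from the wrong master password fails the authentication check with the same `ValueError` as tampered data, and a caller can probe the stored reference entry to tell "wrong password" apart before touching real entries. It uses only the Python standard library, with PBKDF2 and an HMAC-based encrypt-then-MAC construction standing in for the AES-GCM cipher the tracebacks show; all function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Reference value the _unlock() frame in the traceback compares against.
REFERENCE = b"password reference value"

def _derive(password, salt):
    # One master password -> encryption key + MAC key (per-entry random salt).
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key, data):
    # HMAC-SHA256 counter keystream: a stand-in for AES-GCM's cipher, not AES itself.
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def _tag(mac_key, assoc, data):
    # Authenticate the associated data (length-prefixed) together with the ciphertext.
    msg = len(assoc).to_bytes(8, "big") + assoc + data
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def encrypt(password, plaintext, assoc=b""):
    salt = os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    data = _xor_stream(enc_key, plaintext)
    return {"salt": salt, "data": data, "mac": _tag(mac_key, assoc, data)}

def decrypt(password, blob, assoc=b""):
    enc_key, mac_key = _derive(password, blob["salt"])
    # A wrong password derives a different MAC key, so the tag cannot match.
    if not hmac.compare_digest(_tag(mac_key, assoc, blob["data"]), blob["mac"]):
        raise ValueError("MAC check failed")
    return _xor_stream(enc_key, blob["data"])

def check_master_password(password, reference_blob):
    # Caller-side unlock check: turn the ValueError into a yes/no answer.
    try:
        return decrypt(password, reference_blob) == REFERENCE
    except ValueError:
        return False

if __name__ == "__main__":
    ref = encrypt("master-1", REFERENCE)           # constructed sample data
    print(check_master_password("master-1", ref))  # correct master password
    print(check_master_password("master-2", ref))  # different master password
```

Because the tag also covers the associated data, an entry decrypted under a different service or username fails the same way, which is why the error alone cannot say which input was wrong.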
