
Docker error with cryptography.fernet.InvalidToken

Open nightmare-wolf opened this issue 3 years ago • 18 comments

Describe the bug: server.py with insecure will not run.

To Reproduce Steps to reproduce the behavior:

  1. python3.9 server.py --insecure
  2. python3.7 server.py --insecure
  3. docker run -p 7010:7010 -p 7011:7011/udp -p 7012:7012 -p 8888:8888 caldera:server

Expected behavior: for the server to run. When I run server.py without the --insecure flag, it runs fine.

Screenshots

[root-caldera]# python3.9 server.py --insecure
2022-07-13 17:25:37 - WARNING (server.py:116 ) --insecure flag set. Caldera will use the default.yml config file.
2022-07-13 17:25:37 - INFO (server.py:123 ) Using main config from conf/default.yml
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/cryptography/fernet.py", line 127, in _verify_signature
    h.verify(data[-32:])
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/primitives/hmac.py", line 72, in verify
    ctx.verify(signature)
  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/hmac.py", line 85, in verify
    raise InvalidSignature("Signature did not match digest.")
cryptography.exceptions.InvalidSignature: Signature did not match digest.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/Downloads/caldera/server.py", line 153, in <module>
    run_tasks(services=app_svc.get_services())
  File "/root/Downloads/caldera/server.py", line 56, in run_tasks
    loop.run_until_complete(data_svc.restore_state())
  File "/usr/local/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/root/Downloads/caldera/app/service/data_svc.py", line 106, in restore_state
    _, store = await self.get_service('file_svc').read_file('object_store', 'data')
  File "/root/Downloads/caldera/app/service/file_svc.py", line 116, in read_file
    return name, self._read(file_name)
  File "/root/Downloads/caldera/app/service/file_svc.py", line 230, in _read
    buf = self.encryptor.decrypt(buf[len(FILE_ENCRYPTION_FLAG):])
  File "/usr/local/lib/python3.9/site-packages/cryptography/fernet.py", line 88, in decrypt
    return self._decrypt_data(data, timestamp, time_info)
  File "/usr/local/lib/python3.9/site-packages/cryptography/fernet.py", line 145, in _decrypt_data
    self._verify_signature(data)
  File "/usr/local/lib/python3.9/site-packages/cryptography/fernet.py", line 129, in _verify_signature
    raise InvalidToken
cryptography.fernet.InvalidToken

The same error occurs with python 3.7/3.9 and with docker.

Desktop (please complete the following information):

  • OS: Fedora - RHEL 8
  • Python 3.7/ Python3.9 and docker-ce (tried all 3 of these).

nightmare-wolf avatar Jul 13 '22 22:07 nightmare-wolf

Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

github-actions[bot] avatar Jul 13 '22 22:07 github-actions[bot]

Not trying to do the call to the script manually but trying to run it in docker now:

[root@caldera]# docker run -p 7010:7010 -p 7011:7011/udp -p 7012:7012 -p 8888:8888 caldera:server
2022-07-14 14:59:00 - INFO (server.py:123 ) Using main config from conf/local.yml
2022-07-14 14:59:01 - WARNING (warnings.py:109 _showwarnmsg) /usr/src/app/server.py:54: DeprecationWarning: There is no current event loop
  loop = asyncio.get_event_loop()

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/cryptography/fernet.py", line 127, in _verify_signature
    h.verify(data[-32:])
  File "/usr/local/lib/python3.10/dist-packages/cryptography/hazmat/primitives/hmac.py", line 72, in verify
    ctx.verify(signature)
  File "/usr/local/lib/python3.10/dist-packages/cryptography/hazmat/backends/openssl/hmac.py", line 85, in verify
    raise InvalidSignature("Signature did not match digest.")
cryptography.exceptions.InvalidSignature: Signature did not match digest.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/src/app/server.py", line 153, in <module>
    run_tasks(services=app_svc.get_services())
  File "/usr/src/app/server.py", line 56, in run_tasks
    loop.run_until_complete(data_svc.restore_state())
  File "/usr/lib/python3.10/asyncio/base_events.py", line 646, in run_until_complete
    return future.result()
  File "/usr/src/app/app/service/data_svc.py", line 106, in restore_state
    _, store = await self.get_service('file_svc').read_file('object_store', 'data')
  File "/usr/src/app/app/service/file_svc.py", line 116, in read_file
    return name, self._read(file_name)
  File "/usr/src/app/app/service/file_svc.py", line 230, in _read
    buf = self.encryptor.decrypt(buf[len(FILE_ENCRYPTION_FLAG):])
  File "/usr/local/lib/python3.10/dist-packages/cryptography/fernet.py", line 88, in decrypt
    return self._decrypt_data(data, timestamp, time_info)
  File "/usr/local/lib/python3.10/dist-packages/cryptography/fernet.py", line 145, in _decrypt_data
    self._verify_signature(data)
  File "/usr/local/lib/python3.10/dist-packages/cryptography/fernet.py", line 129, in _verify_signature
    raise InvalidToken
cryptography.fernet.InvalidToken

nightmare-wolf avatar Jul 14 '22 15:07 nightmare-wolf

Any update to this? I could really use help. @wbooth

nightmare-wolf avatar Jul 19 '22 20:07 nightmare-wolf

@elegantmoose

wbooth avatar Jul 19 '22 20:07 wbooth

@elegantmoose and @clenk is it possible to respond sometime this week with updates?

nightmare-wolf avatar Jul 19 '22 21:07 nightmare-wolf

@Cy-Beard there might be some leftover artifacts from earlier runs of the server. Do you see the same behavior if you start it with both --insecure and --fresh? (WARNING: this will delete all data from previous operations, facts/abilities/adversaries added, etc.)

clenk avatar Jul 20 '22 13:07 clenk

When I ran python server.py with both --insecure and --fresh, the server ran. I then tried it again without --fresh but kept --insecure, and it worked as well, whereas before it was giving me an error. But when I tried docker run -p 7010:7010 -p 7011:7011/udp -p 7012:7012 -p 8888:8888 caldera:server it still gave me the same cryptography.fernet.InvalidToken error.

nightmare-wolf avatar Jul 20 '22 14:07 nightmare-wolf

@clenk any update?

nightmare-wolf avatar Jul 22 '22 17:07 nightmare-wolf

I found some leftover "servers" within docker that were associated with my first install. I removed them all and attempted the command again. But now I am receiving another error: "Unable to find image locally." image

nightmare-wolf avatar Jul 22 '22 19:07 nightmare-wolf

After removing the leftovers, did you rebuild the caldera image with the server tag or just latest? You may need to change your docker run command to use caldera:latest.

clenk avatar Jul 22 '22 19:07 clenk

Oh, nevermind. I changed the command to caldera:latest and got the cryptography.fernet.InvalidToken error again. Here is an attached photo: image

nightmare-wolf avatar Jul 22 '22 19:07 nightmare-wolf

@clenk any updates?

nightmare-wolf avatar Jul 26 '22 17:07 nightmare-wolf

Hello @Cy-Beard, thank you for your patience while we debugged this issue. Please re-pull the latest and rebuild the image after adding the --insecure flag (and preferably --log DEBUG as well, should any further issues arise) directly to the entrypoint in the caldera Dockerfile.

Current:

ENTRYPOINT ["python3", "server.py"]

Insecure (feel free to add the debug flag as well if issues arise):

ENTRYPOINT ["python3", "server.py", "--insecure"]

The --insecure flag reads credentials from default.yml rather than local.yml, and may result in the InvalidToken error you posted, although we've thus far been unable to fully reproduce the bug.

If this fix does not work for you, feel free to re-open the issue and assign me directly, I'd be happy to help further debug. Thanks and have a great rest of your day.

CDJellen avatar Aug 03 '22 02:08 CDJellen
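
The failing frame in the tracebacks above is Fernet's HMAC-SHA256 check, which fails whenever the key in use is not the key the stored data was written with. The following is an added example, not Caldera code: a standard-library sketch that repeats that check against several candidate keys to show which one matches a stored token. The keys, the config labels attached to them, and the sample token (zero placeholder IV and ciphertext) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def _key(label: bytes) -> bytes:
    # Constructed 32-byte Fernet-format key; not a real Caldera secret.
    return base64.urlsafe_b64encode(hashlib.sha256(label).digest())

KEY_DEFAULT = _key(b"constructed key for conf/default.yml")
KEY_LOCAL = _key(b"constructed key for conf/local.yml")

def make_sample_token(key: bytes, ts: int = 1657733137) -> bytes:
    """Constructed token in Fernet layout: 0x80 | ts | IV | ciphertext | HMAC.
    IV and ciphertext are zero placeholders; only the signature is real."""
    body = b"\x80" + struct.pack(">Q", ts) + bytes(16) + bytes(32)
    signing_key = base64.urlsafe_b64decode(key)[:16]
    return base64.urlsafe_b64encode(
        body + hmac.new(signing_key, body, hashlib.sha256).digest())

def signature_matches(key: bytes, token: bytes) -> bool:
    """Repeat Fernet's HMAC-SHA256 check (the h.verify(data[-32:]) frame)."""
    raw_key = base64.urlsafe_b64decode(key)
    if len(raw_key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    try:
        data = base64.urlsafe_b64decode(token)
    except ValueError:
        return False
    if len(data) < 1 + 8 + 16 + 32 or data[0] != 0x80:
        return False
    expected = hmac.new(raw_key[:16], data[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, data[-32:])

def matching_configs(token: bytes, candidates: dict) -> list:
    """Names of the candidate keys whose signature check passes."""
    return [name for name, key in candidates.items()
            if signature_matches(key, token)]

if __name__ == "__main__":
    # Store written under the local.yml key; as in the traceback, any
    # FILE_ENCRYPTION_FLAG prefix is assumed to be stripped already.
    store = make_sample_token(KEY_LOCAL)
    keys = {"default.yml": KEY_DEFAULT, "local.yml": KEY_LOCAL}
    print("keys that verify:", matching_configs(store, keys))
```

An empty result means none of the candidate keys wrote the data, or the data was modified after it was written.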

It still does not seem to work. This time I ran: docker run -p 7010:7010 -p 7011:7011/udp -p 7012:7012 -p 8888:8888 caldera:server --fresh and it ran, but when I go to the URL, it doesn't load. One thing I just noticed is that I do have Vectr running in docker forwarding from port 8081 to 8443. Therefore I am unsure if the Vectr docker will get in the way or conflict with caldera. But like I said, when I used the "--fresh" flag, it says all systems ready but the page does not load. Here is an output with debug on: image image

nightmare-wolf avatar Aug 03 '22 19:08 nightmare-wolf

@CDJellen If you can, please re-open this issue; it does not give me the option of re-opening or re-assigning to you.

nightmare-wolf avatar Aug 03 '22 19:08 nightmare-wolf

Just wanted to let you guys know that I'm having the exact same issue running Caldera 4.0.0 on MacOS Monterey 12.5 with python3 server.py . Running with the insecure flag works just fine, but without it causes it to bail out with the same fernet InvalidToken error throwing "Signature did not match digest".

dpramone avatar Aug 12 '22 15:08 dpramone

Roger @dpramone

mkultraWasHere avatar Aug 14 '22 23:08 mkultraWasHere

This issue is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Sep 04 '22 00:09 github-actions[bot]

This issue is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Sep 25 '22 00:09 github-actions[bot]