From 42b00ac776d5165cd4192eec2c6efe6165d7f17f Mon Sep 17 00:00:00 2001
From: Thomas Perappadan
Date: Thu, 13 Nov 2025 03:30:08 +0000
Subject: [PATCH 1/2] avoid throwing exception on decrypt failure
---
 Utils/HandlerUtil.py | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/Utils/HandlerUtil.py b/Utils/HandlerUtil.py
index 30f961921..087d36b00 100755
--- a/Utils/HandlerUtil.py
+++ b/Utils/HandlerUtil.py
@@ -201,24 +201,19 @@ def _parse_config(self, ctxt):
 cms_cmd = 'openssl cms -inform DER -decrypt -recip {0} -inkey {1}'.format(cert,pkey)
 smime_cmd = 'openssl smime -inform DER -decrypt -recip {0} -inkey {1}'.format(cert,pkey)
- protected_settings_str = None
+ protected_settings_str = ''
 for decrypt_cmd in [cms_cmd, smime_cmd]:
 try:
- session = subprocess.Popen([decrypt_cmd], shell=True,
- stdin=subprocess.PIPE,
- stderr=subprocess.STDOUT,
- stdout=subprocess.PIPE)
- output = session.communicate(unencodedSettings)
- # success only if return code is 0 and we have output
- if session.returncode == 0 and output[0]:
- protected_settings_str = output[0]
+ output = waagent.RunSendStdin(decrypt_cmd, unencodedSettings)
+ if output[0] == 0 and output[1]:
+ protected_settings_str = output[1]
 if decrypt_cmd == cms_cmd:
 self.log('Decrypted protectedSettings using openssl cms.')
 else:
 self.log('Decrypted protectedSettings using openssl smime fallback.')
 break
 else:
- self.log('Attempt to decrypt protectedSettings with "{0}" failed (rc={1}).'.format(decrypt_cmd, session.returncode))
+ self.log('Attempt to decrypt protectedSettings with "{0}" failed (rc={1}).'.format(decrypt_cmd, output[0]))
 except OSError:
 pass
From aa5701bec29e2e9c1742be707a5333e86cd17b5e Mon Sep 17 00:00:00 2001
From: Thomas Perappadan
Date: Thu, 13 Nov 2025 21:09:19 +0000
Subject: [PATCH 2/2] add additional comments and error handling
---
 Utils/HandlerUtil.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
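Review bot: In PATCH 1/2, `waagent.RunSendStdin(decrypt_cmd, unencodedSettings)` now returns the decrypted protectedSettings through a helper whose body is not part of this diff, so its logging and shell behaviour should be checked before merging. If the helper writes the command, its stdin or its output to the agent log on any path, secrets that the removed `Popen` code only held in a local variable could end up on disk; I would at least add `# RunSendStdin stdout is the decrypted protectedSettings; never log output[1]` above the call. `decrypt_cmd` is still one string built with `.format(cert,pkey)`, and the removed call ran it with `shell=True`, so if the helper does the same, the two paths (defined above the hunk) should be validated or quoted before they are interpolated. `_parse_config` starts and ends outside the hunk.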
diff --git a/Utils/HandlerUtil.py b/Utils/HandlerUtil.py
index 087d36b00..ee588aca7 100755
--- a/Utils/HandlerUtil.py
+++ b/Utils/HandlerUtil.py
@@ -204,8 +204,9 @@ def _parse_config(self, ctxt):
 protected_settings_str = ''
 for decrypt_cmd in [cms_cmd, smime_cmd]:
 try:
+ # waagent.RunSendStdin returns a tuple (return code, stdout)
 output = waagent.RunSendStdin(decrypt_cmd, unencodedSettings)
- if output[0] == 0 and output[1]:
+ if output and output[0] == 0 and output[1]:
 protected_settings_str = output[1]
 if decrypt_cmd == cms_cmd:
 self.log('Decrypted protectedSettings using openssl cms.')
@@ -213,7 +214,8 @@ def _parse_config(self, ctxt):
 self.log('Decrypted protectedSettings using openssl smime fallback.')
 break
 else:
- self.log('Attempt to decrypt protectedSettings with "{0}" failed (rc={1}).'.format(decrypt_cmd, output[0]))
+ rc = output[0] if output else 'N/A'
+ self.log('Attempt to decrypt protectedSettings with "{0}" failed (rc={1}).'.format(decrypt_cmd, rc))
 except OSError:
 pass
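Review bot: A complete decryption failure is still silent after PATCH 2/2. In the second hunk `except OSError: pass` drops the error without a log entry, and when both commands fail the loop ends with `protected_settings_str = ''` from the first hunk's context. Code after the hunk (not visible here) then cannot tell a failed decryption from an empty payload, so the handler may carry on without its protected settings. I would log the exception with `except OSError as e: self.log('openssl invocation for protectedSettings failed: {0}'.format(e))` and add a check after the loop such as `if not protected_settings_str: self.log('Could not decrypt protectedSettings with openssl cms or smime.')`, leaving the caller to decide whether to abort. `_parse_config` starts and ends outside both hunks.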