FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
https://age-encryption.org
BSD 3-Clause "New" or "Revised" License

age fails to decrypt files generated in Windows PowerShell #2

Closed BlackHoleFox closed 4 years ago

BlackHoleFox commented 5 years ago

When attempting a round trip on Windows using PowerShell, age errors out when trying to decrypt a file. I have confirmed the exact same steps work fine in WSL.

It creates the key file and the encrypted .age file properly as far as I can tell.

Steps to reproduce:

  1. ./age -generate > key.txt
  2. echo "Gophers" | ./age pubkey:h-yq6lhyIAdDc23LVXP_h1X5wpIgHvNk8kvbV0auhG4 > test.txt.age
  3. /.age -d key.txt | Get-Content -raw test.txt.age
  4. See error of: error: malformed secret keys file "key.txt": malformed secret key: ��# c r e a t e d : 2 0 1 9 - 1 0 - 0 7 T 0 0 : 0 5 : 3 7 - 0 5 : 0 0

key.txt contents (CRLF line endings):

# created: 2019-10-07T00:22:04-05:00
# pubkey:xmAE7g4IsPELqsEkUEner7mlIu4pi2qwda0-s8eq3jw
AGE_SECRET_KEY_MZuIdDrlt4dRUXlmO6FdVwXMHrhzXdgxxgj4yaj9Z14

FiloSottile commented 5 years ago

It looks like there are a couple bytes before the # in key.txt? Can you do a hexdump of the file?

BlackHoleFox commented 5 years ago

Looking at the hexdump, it seems to be creating 2 random characters at the start.

Here's a gist of the hex dump: https://gist.github.com/BlackHoleFox/5dbfb60ba8d5180f2cbac53446597e4f

And here's a picture of HxD for easy viewing: image

FiloSottile commented 5 years ago

Yeah, that's a BOM, and it looks like the text also got converted to UTF-16 (notice the zero bytes).

That's not something we can support on the parsing side for sure, the file is effectively corrupt. Are we supposed to put stdout in some special mode to prevent this? I know next to nothing about PowerShell.

BlackHoleFox commented 5 years ago

So, replacing the > with | out-file -encoding ASCII on both the key and encrypted file generation fixes the corruption issue, but it still seems the line endings are causing trouble.

By default, I get Error initializing decryption: failed to read header: parsing age header: unexpected intro: "This is a file encrypted with age-tool.com, version 1\r\n" while decrypting.

When I change the line endings of the files, I get Error decrypting the input: chacha20poly1305: message authentication failed, which makes sense considering I modified the .age file to change the EOLs to LF.

FiloSottile commented 4 years ago

The armored format (-a) should make it viable to use redirection in PowerShell. For binary files, use -o and the input argument.
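
A pre-flight check for the corruption diagnosed in this thread, as an added example that is not part of the issue or of age's own code: it flags the UTF-16LE BOM, NUL bytes and CR bytes that Windows PowerShell redirection leaves in a text key file, and re-encodes that text as UTF-8 with LF line endings. The names Diagnose, Normalize and sampleUTF16LE and the sample key text are assumptions made for illustration; this applies only to text key files, since rewriting bytes in a binary .age file breaks authentication as reported above.

```go
package main

import (
	"bytes"
	"fmt"
	"unicode/utf16"
)

var bomUTF16LE = []byte{0xFF, 0xFE}

// Diagnose lists signs that a text key file was re-encoded by the shell.
func Diagnose(data []byte) (findings []string) {
	if bytes.HasPrefix(data, bomUTF16LE) {
		findings = append(findings, "UTF-16LE BOM")
	}
	if bytes.IndexByte(data, 0) >= 0 {
		findings = append(findings, "NUL bytes")
	}
	if bytes.IndexByte(data, '\r') >= 0 {
		findings = append(findings, "CR line endings")
	}
	return findings
}

// Normalize converts a BOM-marked UTF-16LE text key file to UTF-8 with LF endings.
func Normalize(data []byte) []byte {
	if bytes.HasPrefix(data, bomUTF16LE) {
		units := make([]uint16, (len(data)-2)/2)
		for i := range units {
			units[i] = uint16(data[2+2*i]) | uint16(data[3+2*i])<<8
		}
		data = []byte(string(utf16.Decode(units)))
	}
	return bytes.ReplaceAll(data, []byte("\r\n"), []byte("\n"))
}

// sampleUTF16LE builds constructed input: a BOM followed by UTF-16LE text.
func sampleUTF16LE(s string) []byte {
	out := append([]byte{}, bomUTF16LE...)
	for _, u := range utf16.Encode([]rune(s)) {
		out = append(out, byte(u), byte(u>>8))
	}
	return out
}

func main() {
	// Constructed sample; the key line is a placeholder, not a real secret.
	raw := sampleUTF16LE("# created: constructed\r\nAGE_SECRET_KEY_PLACEHOLDER\r\n")
	fmt.Printf("%v\n%q\n", Diagnose(raw), Normalize(raw))
}
```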