CLI command decrypt fails with 'Key is not available'

Open jdjkelly opened this issue 3 years ago • 1 comments

Example:

❯ node -v
v16.18.0

❯ npm install -g @47ng/cloak

❯ cloak generate
Key:          k1.aesgcm256.xDQ816copHeT8jWCNGHinlashyfB5hOXR8wcvXbReeM=
Fingerprint:  d5fff283

# Generated new empty keychain:
export CLOAK_MASTER_KEY=k1.aesgcm256.xDQ816copHeT8jWCNGHinlashyfB5hOXR8wcvXbReeM=
export CLOAK_KEYCHAIN=v1.aesgcm256.d5fff283.RJPDSOWSrJubssj7.CHTk4XNSpHFKMISv3_hwdMev

❯ echo 'test' | cloak encrypt 'k1.aesgcm256.xDQ816copHeT8jWCNGHinlashyfB5hOXR8wcvXbReeM='
v1.aesgcm256.d5fff283.RWkS6dy0bZRfe8jn.KJ2CN-QinTiQhnFFFa9qNk9sgMrs

❯ export CLOAK_MASTER_KEY=k1.aesgcm256.xDQ816copHeT8jWCNGHinlashyfB5hOXR8wcvXbReeM=

❯ export CLOAK_KEYCHAIN=v1.aesgcm256.d5fff283.RJPDSOWSrJubssj7.CHTk4XNSpHFKMISv3_hwdMev

❯ echo 'v1.aesgcm256.d5fff283.RWkS6dy0bZRfe8jn.KJ2CN-QinTiQhnFFFa9qNk9sgMrs' | cloak decrypt
Error: Error: Key is not available

As best as I can tell, the root cause of this is that decrypt calls getEnvKeychain, which calls importKeychain, which itself calls decryptString and then decryptAesGcm, which passes to decryptAesGcmSync. It is here, in decryptAesGcmSync, that Node's Decipher returns an empty array after the final update + final, which is unexpected.

I tried writing a failing test, but got blocked on being able to pass stdin to Commander in jest. Something like this is the foundation though:

import program from './cli';

const OLD_ENV = process.env;

beforeEach(() => {
  jest.resetModules();
  
  process.env = {
    ...OLD_ENV,
    CLOAK_MASTER_KEY: 'k1.aesgcm256.2itF7YmMYIP4b9NNtKMhIx2axGi6aI50RcwGBiFq-VA=',
  };
});

afterAll(() => {
  process.env = OLD_ENV;
});

test('decrypt', () => {
  const cipher = 'v1.aesgcm256.710bb0e2.F5wkSytfdVv4xvtN.8uNajc7ufhVmMFpDdzWgKMKhOY4ZR2OSv1DFjvnm'
  const expected = 'Hello, World !'
  expect(() => {
    program.parse(['decrypt', cipher]);
  }).toReturnWith(expected)
})

jdjkelly, Dec 29 '22 22:12

Your example uses the master key to encrypt, but then uses the keychain to try and decrypt. The master key is not part of the keychain (as it's used to encrypt the keychain), hence the message Key is not available.

franky47, Dec 29 '22 22:12
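
The situation described in the reply above, as an added example that is not part of the thread and is not @47ng/cloak code: it compares the fingerprint field of the message with the fingerprint field of `CLOAK_KEYCHAIN` to tell "encrypted with the master key" apart from "key missing from the keychain". The helper names `parseEnvelope` and `triage` and the result codes are hypothetical; the only assumption about the format is the dotted layout visible in the strings posted in the issue.

```javascript
// Added example. triage() and parseEnvelope() are hypothetical helpers, not part
// of @47ng/cloak. Assumed layout, taken from the strings in the issue:
//   v1.aesgcm256.<8-hex key fingerprint>.<iv>.<ciphertext>
const MESSAGE = 'v1.aesgcm256.d5fff283.RWkS6dy0bZRfe8jn.KJ2CN-QinTiQhnFFFa9qNk9sgMrs'
const KEYCHAIN = 'v1.aesgcm256.d5fff283.RJPDSOWSrJubssj7.CHTk4XNSpHFKMISv3_hwdMev'

function parseEnvelope(text) {
  const parts = String(text).trim().split('.')
  if (parts.length !== 5 || parts[0] !== 'v1') {
    throw new Error('expected v1.<algorithm>.<fingerprint>.<iv>.<ciphertext>')
  }
  const [version, algorithm, fingerprint, iv, ciphertext] = parts
  if (!/^[0-9a-f]{8}$/.test(fingerprint)) {
    throw new Error(`unexpected fingerprint field: ${fingerprint}`)
  }
  return { version, algorithm, fingerprint, iv, ciphertext }
}

// storedFingerprints: fingerprints of the keys held inside the keychain
// ([] for the freshly generated, empty keychain in the issue).
function triage(message, keychainEnvelope, storedFingerprints) {
  const msg = parseEnvelope(message)
  const chain = parseEnvelope(keychainEnvelope)
  if (storedFingerprints.includes(msg.fingerprint)) {
    return { code: 'in_keychain', fingerprint: msg.fingerprint }
  }
  // The keychain envelope names the key that encrypted it (the master key).
  // A message naming the same key was encrypted with the master key directly,
  // and the master key is never one of the keychain's entries.
  if (msg.fingerprint === chain.fingerprint) {
    return { code: 'encrypted_with_master_key', fingerprint: msg.fingerprint }
  }
  return { code: 'unknown_key', fingerprint: msg.fingerprint }
}

// Case from the issue: prints encrypted_with_master_key
console.log(triage(MESSAGE, KEYCHAIN, []).code)
```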