
CardDAV access returns 500 "openpgp: incorrect key"

Open necopinus opened this issue 4 years ago • 4 comments

I'm trying to configure an automatic backup of my mail and contacts using hydroxide. Email sync works fine with OfflineIMAP (though mbsync fails for me with what looks like #78), but whenever I try to access my contacts using vdirsyncer, hydroxide responds with a 500 and the message "openpgp: incorrect key".

From my reading of previous issues (in particular #103 and #27), I'm wondering if this is because my email encryption keys are all ed25519, but my contact encryption key is an older RSA key (which I don't see a way to update).

Happy to provide debug logs, though it's not 100% clear what information is sensitive and should be redacted for hydroxide.

necopinus, Mar 04 '21 17:03

"openpgp: incorrect key"

I think this would happen if we don't have a suitable decrypted private key:

https://github.com/golang/crypto/blob/afb6bcd081ae5258e9449bf8b9af19593c9b261f/openpgp/read.go#L185

Are there any warnings in the logs about hydroxide being unable to decrypt a private key?

emersion, Mar 04 '21 17:03

The only lines that look like they may at all be relevant from hydroxide -debug serve have the following structure:

2021/03/04 10:01:10 &struct { protonmail.resp; Contacts []*protonmail.Contact; Total int }{resp:protonmail.resp{Code:1000, RawAPIError:(*protonmail.RawAPIError)(nil)}, Contacts:[]*protonmail.Contact{(*protonmail.Contact)(0xXXXXXXXXXX), ... SNIP ..., (*protonmail.Contact)(0xXXXXXXXXXX)}, Total:XXX}

(This is from looking for variations of "error"; there's nothing that matches any variation of "warn".) This is from running vdirsyncer discover, but other commands and variations of the vdirsyncer configuration produce similar output, with this same line (potentially repeated a few times).

necopinus, Mar 04 '21 17:03

The code is failing for me here because we are missing a key. I can confirm that all the "Email encryption keys" are being fetched and exist in the openpgp.KeyRing, including duplicates. And the first of the "Contact encryption keys" is shared with an email encryption key, thus is in the key ring, but the second, and default key, is not shared and is missing from the keyring.

I will dig into how to fetch these keys specifically, but it looks like they are already in memory, since they would have been fetched as part of https://old.protonmail.com/api/users. I guess we do not merge the two keyrings? Should be pretty easy?

urandom2, Apr 06 '22 14:04
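To make the two diagnoses above concrete (emersion's point that "openpgp: incorrect key" means no suitable decrypted private key is in the ring, and urandom2's finding that the default contact key is missing because the address and contact key rings are never merged), here is an added example that is not hydroxide's code. It models keys by ID instead of using golang.org/x/crypto/openpgp entities, so it runs with the standard library only; the key IDs and the sample rings are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Key is a stand-in for an OpenPGP entity as hydroxide holds it: a key ID,
// whether its decrypted private half is available, and which list it came
// from. (Assumption: not hydroxide's real type, just a model for this example.)
type Key struct {
	ID      string
	Private bool   // true when the decrypted private key is available
	Source  string // "address" or "contact"
}

// MergeKeyRings combines the per-address keys and the contact keys into one
// ring, dropping duplicates by key ID. If any copy of a key carries the
// decrypted private half, the merged entry keeps it.
func MergeKeyRings(rings ...[]Key) []Key {
	byID := map[string]Key{}
	var order []string
	for _, ring := range rings {
		for _, k := range ring {
			if existing, ok := byID[k.ID]; ok {
				if k.Private && !existing.Private {
					existing.Private = true
					byID[k.ID] = existing
				}
				continue
			}
			byID[k.ID] = k
			order = append(order, k.ID)
		}
	}
	merged := make([]Key, 0, len(order))
	for _, id := range order {
		merged = append(merged, byID[id])
	}
	return merged
}

// MissingPrivateKeys returns the IDs in wanted that have no decrypted private
// key in ring. Reading a message encrypted to such a key with
// golang.org/x/crypto/openpgp fails with "openpgp: incorrect key", which is
// the error the CardDAV handler surfaces as a 500.
func MissingPrivateKeys(ring []Key, wanted []string) []string {
	have := map[string]bool{}
	for _, k := range ring {
		if k.Private {
			have[k.ID] = true
		}
	}
	var missing []string
	for _, id := range wanted {
		if !have[id] {
			missing = append(missing, id)
		}
	}
	sort.Strings(missing)
	return missing
}

// Constructed sample data mirroring the thread: ed25519 address keys (one of
// them fetched twice), and two contact keys of which only the first is shared
// with an address key. The contacts are encrypted to the default contact key.
var (
	addressKeys = []Key{
		{ID: "ED25519-A", Private: true, Source: "address"},
		{ID: "ED25519-B", Private: true, Source: "address"},
		{ID: "ED25519-A", Private: true, Source: "address"}, // duplicate entry
	}
	contactKeys = []Key{
		{ID: "ED25519-A", Private: true, Source: "contact"},
		{ID: "RSA-DEFAULT", Private: true, Source: "contact"}, // default contact key
	}
	contactEncryptedTo = []string{"RSA-DEFAULT"}
)

func main() {
	// Address keys alone: the default contact key is absent, so decryption fails.
	addressOnly := MergeKeyRings(addressKeys)
	fmt.Println("address ring only, missing:", MissingPrivateKeys(addressOnly, contactEncryptedTo))

	// Merged ring: every key the contacts are encrypted to is present.
	merged := MergeKeyRings(addressKeys, contactKeys)
	fmt.Println("merged ring, missing:", MissingPrivateKeys(merged, contactEncryptedTo))
}
```

Running it prints a one-entry missing list for the address-only ring and an empty list for the merged ring; the check in MissingPrivateKeys is the kind of pre-flight test that would turn the opaque 500 into a log line naming the key that cannot be decrypted.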

Hm right. I guess we shouldn't be really caring about private keys coming from the user's addresses for CardDAV?

emersion, Apr 08 '22 07:04