
pyage's People

Contributors

dependabot[bot], jojonas


pyage's Issues

pyage fails to decrypt one of the official AGE test vectors

Hello! I was playing with your library and found a problem. Not sure if I am using it incorrectly or if there is a bug.

from age.file import Decryptor as ageStreamDecrypt
from age.keys.agekey import AgePrivateKey

from io import BytesIO

# official AGE test vector
# https://github.com/C2SP/CCTV/blob/3ec4d716e80597545ed285cf62af3dded3a14f65/age/testdata/x25519

expected_payload = '013f54400c82da08037759ada907a8b864e97de81c088a182062c4b5622fd2ab'
file_key = '59454c4c4f57205355424d4152494e45'
identity = 'AGE-SECRET-KEY-1XMWWC06LY3EE5RYTXM9MFLAZ2U56JJJ36S0MYPDRWSVLUL66MV4QX3S7F6'

age_payload = 'age-encryption.org/v1\n-> X25519 TEiF0ypqr+bpvcqXNyCVJpL7OuwPdVwPL7KQEbFDOCc\nEmECAEcKN+n/Vs9SbWiV+Hu0r+E8R77DdWYyd83nw7U\n--- Vn+54jqiiUCE+WZcEVY3f1sqHjlu/z1LCQ/T7Xm7qI0\nîÏbÇΑ´3\'NhÔòù�L·L[þ÷¾ªRÈð¼�™,�ƒ1ûf'.encode('utf-8')

keys = [AgePrivateKey.from_private_string(identity)]

buffer_in = BytesIO()
buffer_in.write(age_payload)
buffer_in.seek(0)

# prepare the output buffer and decrypt
buffer_out = BytesIO()
with ageStreamDecrypt(keys, buffer_in) as decryptor:
    buffer_out.write(decryptor.read())

# return the content of the output buffer
buffer_out.seek(0)
decrypted = buffer_out.read()
print(decrypted)

fails with

Traceback (most recent call last):
  File "/Users/marek/Development/open-source/demonstrate-hmac-problem/page.py", line 23, in <module>
    with ageStreamDecrypt(keys, buffer_in) as decryptor:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/marek/.pyenv/versions/mimblewimble/lib/python3.11/site-packages/age/file.py", line 78, in __init__
    self._decrypt_body()
  File "/Users/marek/.pyenv/versions/mimblewimble/lib/python3.11/site-packages/age/file.py", line 129, in _decrypt_body
    plaintext = stream_decrypt(stream_key, ciphertext)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/marek/.pyenv/versions/mimblewimble/lib/python3.11/site-packages/age/stream.py", line 48, in stream_decrypt
    decrypted += aead.decrypt(nonce=packed_nonce, data=block, associated_data=None)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography.exceptions.InvalidTag

the test vector is

expect: success
payload: 013f54400c82da08037759ada907a8b864e97de81c088a182062c4b5622fd2ab
file key: 59454c4c4f57205355424d4152494e45
identity: AGE-SECRET-KEY-1XMWWC06LY3EE5RYTXM9MFLAZ2U56JJJ36S0MYPDRWSVLUL66MV4QX3S7F6

age-encryption.org/v1
-> X25519 TEiF0ypqr+bpvcqXNyCVJpL7OuwPdVwPL7KQEbFDOCc
EmECAEcKN+n/Vs9SbWiV+Hu0r+E8R77DdWYyd83nw7U
--- Vn+54jqiiUCE+WZcEVY3f1sqHjlu/z1LCQ/T7Xm7qI0
îÏbÇΑ´3'NhÔòù�L·L[þ÷¾ªRÈð¼�™,�ƒ1ûf

ref https://github.com/C2SP/CCTV/blob/3ec4d716e80597545ed285cf62af3dded3a14f65/age/testdata/x25519

Many thanks in advance for your comments!

No way to use from code?

The __init__.py seems rather devoid of stuff.

Was hoping to use this to encrypt some stuff programmatically, without shelling to the official age...

Or am I just missing something?

scrypt recipient parser accepts non-canonical integer encodings

The scrypt work factor is encoded as a decimal integer string, which is parsed using int() here:

return cls(decode(args[0]), int(args[1]), decode(body))

This is incorrect for two reasons. Firstly, it allows leading zeroes, which is forbidden by the age spec (it also allows leading or trailing whitespace, and a + prefix). Secondly, and perhaps more surprisingly, it accepts non-Latin digits. For example:

>>> int("0၁4")
14

I have attached an age file encrypted with passphrase "hello", which abuses this. Correct age implementations reject the file as invalid, but pyage accepts it:

$ pyage decrypt -p -i test.age
Type passphrase: hello
Hello, world!

I realise that pyage is explicitly not intended to be a secure implementation, but I thought I'd report this anyway (it might be interesting for other implementers to know!)

test.age.zip
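
The parsing gap reported in the issue above, shown as an added example (not part of the issue and not pyage's code): a strict parser for the work-factor argument beside what int() accepts. The names parse_work_factor, compare and MAX_LOG_N are hypothetical, the upper bound of 22 is an assumption made for this example, and the sample strings are constructed.

```python
import re

# ASCII digits only, no sign, no leading zero. [0-9] is spelled out because
# \d in a str pattern also matches non-Latin Unicode digits.
_CANONICAL_DECIMAL = re.compile(r"[1-9][0-9]*")

MAX_LOG_N = 22  # assumption: cap chosen for this example, not taken from the page


def parse_work_factor(arg: str, max_log_n: int = MAX_LOG_N) -> int:
    """Parse the scrypt stanza's work-factor argument, rejecting any
    encoding other than canonical ASCII decimal."""
    # fullmatch (not match or "$") so a trailing newline is rejected too.
    if not _CANONICAL_DECIMAL.fullmatch(arg):
        raise ValueError(f"non-canonical work factor: {arg!r}")
    value = int(arg)
    if value > max_log_n:
        raise ValueError(f"work factor {value} exceeds limit {max_log_n}")
    return value


# Constructed inputs: leading zero, surrounding whitespace, sign prefix,
# the Myanmar digit one (U+1041) from the issue, and an underscore separator
# (also accepted by int() on Python 3.6+). int() reads every one as 14.
NON_CANONICAL = ["014", " 14", "14\n", "+14", "0" + "\u1041" + "4", "1_4"]


def compare(samples):
    """Return (sample, int() result, strict result or None) per sample."""
    rows = []
    for s in samples:
        lenient = int(s)
        try:
            strict = parse_work_factor(s)
        except ValueError:
            strict = None
        rows.append((s, lenient, strict))
    return rows


if __name__ == "__main__":
    for s, lenient, strict in compare(["14"] + NON_CANONICAL):
        print(f"{s!r:12} int() -> {lenient:<4} strict -> {strict}")
```
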
