decrypt.rb

Aki Tuomi aki.tuomi at open-xchange.com
Thu Apr 11 09:50:53 EEST 2019


> On 11 April 2019 00:49 David Salisbury via dovecot <dovecot at dovecot.org> wrote:
> 
>  
> >>>
> >> Yes. I gave it a try here, and it seems to work. Does it give any extra
> >> information if you include -i flag?
> >>
> >> Aki
> >>
> >
> > Yes, I had tried that, and it doesn't give much extra information, at 
> > least to my eye, that seems to help my issue.  Above the previous 
> > output it outputs the Version, Flags, Header length, Cipher algo, and 
> > Digest algo, and then the Key derivation Rounds. Then it does the 
> > previous output and exits as before.
> >
> > I tried using pry to debug through the script a little, and strace as 
> > well, but have not found anything pointing me in the direction of a 
> > solution or what may be causing it not to work for me yet. Will keep 
> > looking.
> >
> > Out of curiosity, what version of Ruby were you using to run the 
> > script?  My Ruby version is 2.5.1p57.
> >
> > -Dave
> 
> So, I found that in decrypt.rb there is a point where this section is 
> reached:
> 
> [code]
> unless our_key == nil
>     # decrypt data!
> [/code]
> 
> While testing I discovered that, for me, our_key was apparently equal to 
> nil because the code was never even making it into that block.  There 
> was a block right above that that was setting our_key to nil if a 
> certain condition happened, but I could tell that condition wasn't 
> happening as the accompanying error message wasn't printing.  Looking 
> farther up, I found:
> 
> [code]
> our_key = key if key[:digest] == options[:key_digest]
> [/code]
> 
> I printed the values of key[:digest] and options[:key_digest], and they 
> are in fact different.  Since our_key is nil by default, our_key was 
> just remaining nil, hence no decryption for me.
> 
> The key[:digest] variable is filled a little above that part of the code:
> 
> [code]
> (key[:type],key[:digest]) = options[:input].read(33).unpack('Ca*')
> [/code]
> 
> and options[:key_digest] is filled as the private key option is passed in:
> 
> [code]
> opts.on("-k","--key KEY", "Private key to decrypt file") do |k|
>    options[:key] = OpenSSL::PKey.read(File.open(k))
>    options[:key_digest] = get_pubid_priv(options[:key])
> end
> [/code]
> 
> It's apparently using the key from the command line to get the key 
> digest with the get_pubid_priv() function, and for some reason that 
> value is coming back as different than the key digest that is 
> ascertained by the "options[:input].read" line.
> 
> Out of curiosity, and since I know I'm using the correct key, I 
> commented out the if statement in the our_key line so as not to make the 
> comparison between the digests:
> 
> [code]
> our_key = key #if key[:digest] == options[:key_digest]
> [/code]
> 
> .... and then it worked!  The script successfully decrypted the message!
> 
> So, not being an expert at encryption, what are the ramifications of 
> those digests being read as different values in the two different 
> places?  I do notice that the get_pubid_priv() function is internal to 
> the decrypt.rb script and calls several OpenSSL functions.
> 
> -Dave

Hmm... can you show me how you made the keypair for encryption? Maybe there is some difference?

Aki
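
Added example, not part of the thread and not code from decrypt.rb: a sketch of the digest-matching step discussed above that raises an error showing both digests when no key record matches, instead of silently leaving our_key nil. Only the 33-byte type-plus-digest layout comes from the quoted code; the key_id helper, the record count argument, the type byte value and the byte strings standing in for encoded public keys are assumptions, and the rest of each real key record is omitted.

```ruby
require 'digest'
require 'stringio'

KEY_RECORD_LEN = 33 # 1 type byte + 32-byte digest, as in read(33).unpack('Ca*')
class KeyDigestMismatch < StandardError; end

# Hypothetical stand-in for get_pubid_priv: SHA-256 over an encoded public key.
def key_id(encoded_public_key)
  Digest::SHA256.digest(encoded_public_key)
end

# Read `count` key records and return the one whose digest equals ours.
def select_key(input, count, our_digest)
  seen = []
  count.times do |i|
    raw = input.read(KEY_RECORD_LEN)
    raise EOFError, "key record #{i} truncated" if raw.nil? || raw.bytesize != KEY_RECORD_LEN
    type, digest = raw.unpack('Ca*')
    return { type: type, digest: digest, index: i } if digest == our_digest
    seen << digest.unpack1('H*')
  end
  raise KeyDigestMismatch,
        "no key record matches #{our_digest.unpack1('H*')}; file has: #{seen.join(', ')}"
end

# Constructed sample data: labelled byte strings stand in for public key encodings.
ALICE_PUB = 'constructed-public-key-encoding-A'.b
BOB_PUB   = 'constructed-public-key-encoding-B'.b
OTHER_PUB = 'constructed-public-key-encoding-C'.b # its digest is in no record
HEADER = [2, key_id(ALICE_PUB)].pack('Ca*') + [2, key_id(BOB_PUB)].pack('Ca*')

def demo
  hit = select_key(StringIO.new(HEADER), 2, key_id(BOB_PUB))
  miss = begin
    select_key(StringIO.new(HEADER), 2, key_id(OTHER_PUB))
  rescue KeyDigestMismatch => e
    e.message
  end
  [hit[:index], miss]
end

if __FILE__ == $PROGRAM_NAME
  index, message = demo
  puts "matched record #{index}"
  puts message
end
```

With the comparison in place, a file encrypted to several recipients yields only the record for the supplied key; with it commented out, whichever record was read is used regardless of which recipient it belongs to.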

