[BUG] Failure to add user to group with many keys (736)

When adding a new user to the group, this fails after decrypting some 420-480 keys with an error “Error decrypting message: Private key is not decrypted”.

The following error is printed in the browser console:
Object { fileName: "moz-extension://b7e26118-<id>/vendors/openpgp.js", lineNumber: 44263, columnNumber: 23, message: "Error decrypting message: Private key is not decrypted.", workerStack: "[126]</Message.prototype.decryptSessionKeys/</</<@moz-extension://b7e26118-<id>/vendors/openpgp.js:36275:19\n[126]</Message.prototype.decryptSessionKeys/</<@moz-extension://b7e26118-<id>/vendors/openpgp.js:36270:45\n" }

Further stack trace:

 app.js:1382:6361
    onEditFailure moz-extension://b7e26118-<id>/data/js/dist/app.js:1382
    handleSubmit moz-extension://b7e26118-<id>/data/js/dist/app.js:1382
    o moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    p moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    b moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    b moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    ut moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    rt moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    ot moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    pt moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    q moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    H moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    Qt moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    $t moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    unstable_runWithPriority moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2302
    Rr moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    W moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    Vt moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    Kt moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    Gt moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    Vu moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    sd moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    cd moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    od moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    Zo moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    Ur moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    unstable_runWithPriority moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2302
    Rr moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282
    Ur moz-extension://b7e26118-<id>/data/js/dist/vendors.js:2282

As this group is one of the key user groups of the installation, it would be preferable if you could at least mention which of the keys is problematic.

It might be useful to note that we’re on server 2.13.5. My browser extension is version 3.1.0.

Updating to V3.1.0 fixed the issue, somehow. I’d like to note, though, that adding someone to a group apparently requires re-encryption of all shared secrets, and sends them as 1 request to the backend, which could fail and you’d have to start from 0.

This is fine for small sets of keys, but for large sets of keys that takes a long time and failure anywhere in the path is very costly in time spent.

> that adding someone to a group apparently requires re-encryption of all shared secrets

Kind of. It’s re-encrypting the password for the added user. If a password is shared between 5 personnel, then there exist 5 different copies of the password on the server, each encrypted with the corresponding user’s public key. (I’m sure it’s technically way more complicated than that, but that’s the basic gist of it.) Unlike many other collaborative password solutions, which feature a single master decryption key stored in a locked down folder ideally accessible only by the collaborative password manager itself… no such master key exists with Passbolt. Therefore, secrets stored in Passbolt are safe even if the server itself is completely compromised.

Hi @matthias.cofano, there are indeed a bunch of issues when adding new people to a group when that group has many secrets. We have it on our radar to improve this year.