Session key decryption failed

Hwiggy · April 8, 2021, 11:53pm

Regarding the following:
Session key decryption failed. · Issue #1126 · openpgpjs/openpgpjs · GitHub
Browser extension v3.0.3: session key decryption failed

I am not interested in fighting to regenerate my keys etc anymore.
How do I set the relevant openpgp configuration flag to allow the insecure keys?

remy · April 9, 2021, 8:46am

Hi @Hwiggy,

It’s enabled by default for everyone on the latest browser extension:

github.com

passbolt/passbolt_browser_extension/blob/883832309962eb6c04fe3f26dbbc44ce9eb942aa/src/all/background_page/index.js#L43


AuthStatusLocalStorage.init();
UserLocalStorage.init();
GroupLocalStorage.init();
RolesLocalStorage.init();

// Openpgpjs worker initialization
/**
 * This option is needed because some secrets were encrypted using non-encryption RSA keys,
 * due to an openpgpjs bug: https://github.com/openpgpjs/openpgpjs/pull/1148
 */
openpgp.config.allow_insecure_decryption_with_signing_keys = true;
openpgp.initWorker({ path:'/vendors/openpgp.worker.js' });

/* ==================================================================================
 *  Interface changes
 *  Where we affect the look and feel of the firefox instance
 * ==================================================================================
 */
var ToolbarController = require('./controller/toolbarController').ToolbarController;
new ToolbarController();

Can you describe a bit more your scenario/situation?

Hwiggy · April 12, 2021, 11:32am

My key had expired so I then needed to regenerate the key but now no matter what kind of key I generate I just am always getting this error message, even on the website directly (not only in browser extension)

I am editing public key manually via mysql and dropping got keychain + reimporting server key but nothing is fixing this issue. I was hoping there might be a flag I can enable that just bypasses this error message.

remy · April 12, 2021, 11:38am

@Hwiggy can you confirm this is your user key that is expired?

Unfortunately there is no user interface to rotate expired user keys.
However there is a manual procedure that can be followed:

Remove the expiry date and export a public and private key without expiry (or new expiry date set in the future), using gnupg for example
Manually update the public key in the database under the gpgkeys table for this user, make sure you update both the armored key and the modified date (so that your colleagues can get the updated key also).
Remove the key from the gnupg keyring on the server
Perform an account recovery with the new private key
From there you should be able to login.

Hwiggy · April 13, 2021, 12:48pm

I have manually reset my key in the database many times to no avail.
I got the system to a point where I could log in, but decrypting any password immediately failed.

Hwiggy · April 13, 2021, 1:23pm

Just a heads up that I did a full reinstall of Passbolt
(backup database, server key, remove entire directory, reinstall & reimport then recover)

I still cannot decrypt any of my passwords

remy · April 13, 2021, 1:39pm

I’m not sure what’s happening to you.

One logical explanation as of why you can login but not decrypt, would that the secret are encrypted with a different public key. Like either:

You created a new key that is not related to the expired one
The secrets were encrypted for another key than the expired one that you changed.

Hard to tell without having more information.

Hwiggy · April 13, 2021, 8:00pm

Ah, this might explain things.
Yeah it might be that I generated a new public key when I noticed mine was expired.
Not great, but perhaps I have a backup of my keypair.

I tested creating a new password and decrypting it, that worked fine with the new key stored on the server; I suppose this is a problem with my side then.

Thanks.

Hwiggy · April 13, 2021, 9:17pm

Okay so I was using the same public key as passbolt knew, but the problem was I had deleted the subkey that had expired, rather than changing the expiry. I guess I became a victim of my lack of encryption knowledge; I suppose this meant that passbolt (or gpg even) did not recognize that keys signed with a specific subkey applied to the existing public key.

Reimporting the expired subkey and properly changing the expiration date, then re-importing the public key on passbolt did the trick, and I have totally recovered my credentials.
Thank you very much.