Description:
When loading a tampered or corrupted Crypt4GH private key, decryption fails with a raw cryptography.exceptions.InvalidTag exception. While this is technically correct, it’s not user-friendly and may confuse users.
Suggestion:
Catch this exception and raise a clearer message like:
"Decryption failed: The private key is corrupted or the passphrase is incorrect."
Steps to reproduce:
- Encrypt a private key.
- Modify two bytes in the key file (I changed values in columns 107 and 108).
- Try to decrypt with crypt4gh decrypt.
- The output I get:
crypt4gh decrypt --sk ./keys-private/crypt4gh_orig_changed.key < Dockerfile_download.c4gh > Dockerfile_download_fail
Warning: Using a passphrase in an environment variable is insecure
Traceback (most recent call last):
  File "/home/alex/python/crypt4gh-env/bin/crypt4gh", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/alex/python/crypt4gh-env/lib/python3.12/site-packages/crypt4gh/__main__.py", line 21, in main
    cmd(args)
  File "/home/alex/python/crypt4gh-env/lib/python3.12/site-packages/crypt4gh/cli.py", line 173, in decrypt
    seckey = retrieve_private_key(args)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alex/python/crypt4gh-env/lib/python3.12/site-packages/crypt4gh/cli.py", line 125, in retrieve_private_key
    return get_private_key(seckeypath, cb)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alex/python/crypt4gh-env/lib/python3.12/site-packages/crypt4gh/keys/__init__.py", line 122, in get_private_key
    return c4gh.parse_private_key(stream, callback)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alex/python/crypt4gh-env/lib/python3.12/site-packages/crypt4gh/exceptions.py", line 39, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/alex/python/crypt4gh-env/lib/python3.12/site-packages/crypt4gh/keys/c4gh.py", line 132, in parse_private_key
    return ChaCha20Poly1305(shared_key).decrypt(nonce, encrypted_data, None) # No add
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cryptography.exceptions.InvalidTag
Thanks for the great work!
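One way to implement the suggestion in this issue, as an added example that is not crypt4gh's own code: it seals a constructed 32-byte secret with ChaCha20-Poly1305, then shows that a wrong passphrase and a two-byte modification both surface as the same clear error instead of a raw `InvalidTag`. The names `KeyDecryptionError`, `seal_private_key`, `unlock_private_key` and `tamper`, the container layout, and the PBKDF2 key derivation are assumptions made for the illustration.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305


class KeyDecryptionError(Exception):
    """Hypothetical user-facing error; not a crypt4gh class."""


def _derive_key(passphrase: bytes, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in KDF, chosen so the example needs only hashlib.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)


def seal_private_key(secret: bytes, passphrase: bytes) -> bytes:
    """Constructed container layout: salt(16) || nonce(12) || ciphertext+tag."""
    salt, nonce = os.urandom(16), os.urandom(12)
    sealed = ChaCha20Poly1305(_derive_key(passphrase, salt)).encrypt(nonce, secret, None)
    return salt + nonce + sealed


def unlock_private_key(blob: bytes, passphrase: bytes) -> bytes:
    salt, nonce, sealed = blob[:16], blob[16:28], blob[28:]
    try:
        return ChaCha20Poly1305(_derive_key(passphrase, salt)).decrypt(nonce, sealed, None)
    except InvalidTag:
        # The Poly1305 tag check fails identically for a wrong passphrase and
        # for modified bytes, so the message has to name both causes.
        # "from None" keeps the chained InvalidTag out of the reported error.
        raise KeyDecryptionError(
            "Decryption failed: The private key is corrupted "
            "or the passphrase is incorrect."
        ) from None


def tamper(blob: bytes, offsets=(30, 31)) -> bytes:
    """Flip two bytes, mirroring the reproduction step in the issue."""
    out = bytearray(blob)
    for i in offsets:
        out[i] ^= 0xFF
    return bytes(out)
```

A CLI entry point can catch `KeyDecryptionError`, print its message to stderr and exit non-zero, so the user never sees the traceback.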