Inspect encrypted file details

[wgslr]

What were you trying to do

Identify file's recipients, or at least how many recipients there are.

What happened

I created an ascii armored encrypted file. age gives no way to list its recipients, as it does in the binary format (excluding some bash magic relying on the knowledge that the PEM uses base64).

$ age-keygen -o key.txt
Public key: age13u320nw4pv6pv7qrve2epr4r7233ms2x68r3y3tt653nyvg5y3jst3apxw
[0]$ echo 'Hello age' | age -a -r 'age13u320nw4pv6pv7qrve2epr4r7233ms2x68r3y3tt653nyvg5y3jst3apxw' -o encrypted.age.ascii
[0]$ cat encrypted.age.ascii
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUElIMVBpZThuVkh0WDVZ
TUwrSmxuNk1xZFI1dHliNy9Nd0ptZ0UrOVUwCi8wRzc0djRwemZHanJGTGhNb0pB
M0NQTzFQUzFzNEtpclIxeTh2ZkFwR0kKLS0tIFMxUjdZczEyVzZBczNvTGJmZ1VN
Z1hoMWxVOHEwcm40TnZ1VWcvRGM4R0kKQASOAFMfE0DMdj++onPwdeByjMGRP6Sj
3PbGzfjpktCw9HJ14r+qX9B/
-----END AGE ENCRYPTED FILE-----
[0]$ tail -n +2 encrypted.age.ascii | base64 -d
age-encryption.org/v1
-> X25519 2PIH1Pie8nVHtX5YML+Jln6MqdR5tyb7/MwJmgE+9U0
/0G74v4pzfGjrFLhMoJA3CPO1PS1s4KirR1y8vfApGI
--- S1R7Ys12W6As3oLbfgUMgXh1lU8q0rn4NvuUg/Dc8GI
@�S@�v?��s�u�r���?���������а�ru⿪_�base64: invalid input

As a matter of fact, a pretty listing of recipients would also be useful for non-armored files, if it could present the files in the same format as originially (e.g. to visually match/grep ssh pubkey to one of the files in ~/.ssh/id_rsa). And be a good follow up for the error message "Error: no identity matched a recipient".

Side note - confusing feature set of beta

By browsing this repo's issues, the mailing list and the age specification, I encountered various potential methods of storing the keys and specifying recipients (the ~/.config/age/keys.txt path, recipient's github username, providing https url of the keys). None of them seemed to work. It would be nice for the repo's readme to be more explicit about which parts are NOT implemented in the current version.

[codesoap]

Disclaimer: I am not a cryptographer, so maybe I misunderstood the spec.

Looking at the spec, I think it's impossible to do this. The best that could be done is to tell how many recipients there are, but is this really useful?

For example: The spec says, that an age reciepient (X25519) stanza is composed like this:

-> X25519 encode(X25519(ephemeral secret, basepoint))
encrypt[HKDF[salt, label](X25519(ephemeral secret, public key))](file key)

You can see that the public key is only used (after some transformation) to encrypt the file key. I think it is thus impossible to get back the public key from that. It's probably (I'm not sure) even impossible to tell if the file was encrypted for a given public key. I would guess, that this is an intended security feature: No third party should be able to tell for whom a file was encrypted.

[FiloSottile]

We can't print what recipients a file is encrypted to, but there should be a way to get a text/JSON output with number and types of recipients, header version, and file size. It would work for both armored and binary files.

[dtscd]

It would be nice to be able to find the file size, at least in the Go API, without needing to read the full file. I would like to decrypt a file and stream the raw file out, but use content length=N prefix. It seems like this should be possible by reading the header and knowing the encrypted file size.

[codesoap]

While writing another client for age, I've encountered another application for something like this: If a user tries to decrypt an age file with a password, that was not encrypted with a password, the error from the age library tells the user that the password was wrong.

If the age library gave me some way to see if scrypt was even used during encryption, I could tell the user, whether there is even a point in trying other passwords.