Invalid iv in the message
After successfully signing in, trying to list my personal vault errors-out:
$ op list items --vault gboudrea
[ERROR] 2022/03/12 16:37:17 Invalid iv in the message: 16
Other vaults are OK.
Similarly, I can do op get account 'My Item Name', but trying to get the TOTP of the same item fails. Same for get item:
$ op get totp 'My Item Name'
[ERROR] 2022/03/12 16:39:25 failed to listMatchingItemsInVault: Invalid iv in the message: 16
$ op get item 'My Item Name'
[ERROR] 2022/03/12 16:41:55 failed to listMatchingItemsInVault: Invalid iv in the message: 16
Thanks.
1Password Version: CLI 1.12.4
Extension Version: N/A
OS Version: macOS 12.2.1
Comments
-
Hey @gboudrea
After some investigating, it looks like that error message is being returned from the server when the CLI client asks to list the items for that specific vault (assuming that the 'My Item Name' item is located in the gboudrea vault).
I'm wondering if you get similar errors when trying to access that vault over the other clients like the 1Password website, or the Mac application.
I am also curious if the same error occurs when listing that vault's items in the new 2nd version of the CLI.
0 -
My Item Name works as expected in both 1Password 7 on Mac, and on 1password.com
Same error with op version 2.0.0:
gb@MacBook-Pro:~ $ op --version
2.0.0
gb@MacBook-Pro:~ $ op item get 'My Item Name'
[ERROR] 2022/03/15 19:46:03 failed to listMatchingItemsInVault: Invalid iv in the message: 16
0 -
Thanks for the information @gboudrea
I'm going to open an issue to investigate this behavior.
In order to help us debug this issue, do you mind giving us some info about the vault in question?
- Is this a vault that was created by you, or came with the system (eg. Private vault)?
- How many items are in the vault?
- You mentioned that the other vault(s) work - could you provide the same info for them as well?
0 -
This is a vault called Guillaume that was created manually.
I'm a 1Password client since v3, when it was only a Mac app; not sure if this vault was created on a Mac client, and later migrated to your server, when this became an option..?
839 items in the vault. Definitely my largest vault.
2nd largest vault is 255 items, was also created manually (but is probably not as old as the Guillaume vault), and doing a op item list --vault that_2nd_vault works as expected, while op item list --vault Guillaume does not.
0 -
I think we may have an idea on what caused this - have you ever created an item using the 1Password Android client in the past?
Also, to help us troubleshoot, would you be able to try and access the item using our 1Password Mac 8 Beta client? We have a feeling that the CLI and the Mac Beta 8 client share similar logic and it should not work, but wanted to confirm our theory.
Thanks for all the correspondence so far @gboudrea
0 -
Yes, I did (and still) use the Android client.
I tried 1Password 8.7.0; Guillaume vault loads fine.
My Item Name also loads as it should from 1Password 8.
Only the CLI seems affected.
0 -
Thank you again for the info @gboudrea
So from my findings, it looks like there was a small period a couple of years ago where items created in the 1Password Android client used a wrong number of nonce (IV) bytes to create an item's key. Most clients are able to handle this, but it looks like op cannot.
We are going to investigate the issue on how to fix it on op's end, but the prescribed method to fix it by our support staff was to simply recreate the item in question. In this case, it looks like My Item Name may be the culprit.
Do you mind giving that a try and seeing if it fixes things?
As for listing items in the Guillaume vault, it will be quite difficult at this point to find the culprit item, as there are over 800 items (wow!) in that vault, right?
I think I can add some debug logs in the upcoming build so we can identify the item(s) that fail. These logs will be enabled with the --debug flag.
How does this sound to you?
0 -
I tried to create a new item in that vault, and op item get fails for that item.
Looks like op item get 'Anything' fails for all items in the Guillaume vault. I would guess op is trying to list items in the vault to find it, or something...
If you add debug logs, I'll try that for sure.
0 -
@gboudrea Unfortunately that's exactly how op item get works, here's the docs. https://developer.1password.com/docs/cli/reference/management-commands/item/#item-get
Requesting an item by name retrieves all the items you have access to from the 1Password servers, and then filters them by name client-side. This could result in hitting the rate limits quicker than expected. To limit the scope of the search, include the --vault flag.
As a workaround to troubleshoot before item level debugging is available, you could move a subset of items into another (or new) vault, maybe half of them, and ensure you filter to the original vault. Then you can repeat and narrow down to see when it's erroring and when it isn't.
0 -
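The halving approach suggested above, simulated as an added example (not 1Password's code and not written by anyone in this thread): a strict lister rejects the whole set when one item's key has an unexpected IV length, and the search splits the set until each culprit is isolated. The 12-byte expected length, the reading of "16" as the IV byte count, the envelope layout and all names are assumptions.

```python
import base64

# Assumption: a 12-byte (96-bit) nonce is what the strict client expects, and
# the "16" in the thread's error is the byte count it saw instead.
EXPECTED_IV_LEN = 12


def iv_len(envelope):
    """Byte length of the base64url 'iv' field (hypothetical envelope layout)."""
    raw = envelope["iv"]
    return len(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))


class StrictLister:
    """Stand-in for a client whose whole listing fails on one bad IV."""

    def __init__(self):
        self.calls = 0

    def list_items(self, items):
        self.calls += 1
        for item in items:
            n = iv_len(item["key"])
            if n != EXPECTED_IV_LEN:
                raise ValueError(f"Invalid iv in the message: {n}")
        return [item["id"] for item in items]


def find_culprits(items, lister):
    """Halve the set until each item that breaks the listing is isolated."""
    try:
        lister.list_items(items)
        return []                       # this subset lists cleanly
    except ValueError:
        if len(items) == 1:
            return [items[0]["id"]]     # narrowed down to one item
    mid = len(items) // 2
    return find_culprits(items[:mid], lister) + find_culprits(items[mid:], lister)


def make_vault(n, bad=()):
    """Constructed sample data: n items; indexes in `bad` get a 16-byte IV."""
    vault = []
    for i in range(n):
        size = 16 if i in bad else EXPECTED_IV_LEN
        iv = base64.urlsafe_b64encode(bytes(size)).decode().rstrip("=")
        vault.append({"id": f"item-{i:03d}", "key": {"iv": iv}})
    return vault
```

With a single bad item among 839, the search isolates it in at most 21 listing attempts.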
I moved all items from Guillaume into a new Guillaume2 vault. Guillaume vault is now empty.
I can op item list --vault Guillaume2, but op item list --vault Guillaume still fails, even empty.
But I have 234 archived items in that vault...
I couldn't find how to view only those archived items, so I moved all my archived items into a new vault.
Guillaume is not completely empty, but still returns the error on op item list --vault Guillaume
0 -
I then went on 1password.com, and in my Guillaume vault, an item was left. That item was NOT showing in 1Password 8 for Mac.
So I moved that item to another vault (Personal), and now, I can successfully list both my Guillaume and Personal vaults!
I moved that item back into Guillaume, and voilà. I can now list all vaults using the CLI, and that item works too. I guess moving it from 1password.com fixed the problem with that item.
FYI:
That item was NOT My Item Name, it was something else.
That culprit item had:
- last modified: February 28, 2016 5:00 PM
- created: November 24, 2009 9:10 AM
So for anyone with a similar problem:
- Create a new vault
- Using a native 1Password client (Mac or Windows): move all items from the problematic vault into that new vault
- Go on 1Password.com, and look into the problematic vault; you should see 1+ other items. Move them into the new vault from the web interface. You should now see all items, including those problematic items, in the new vault.
- Using a native client: move all items from the new vault back into the problematic vault
- Delete the now empty new vault
The problematic vault should now be OK. Yay.
0 -
Thank you so much for following up here. We really appreciate your patience. We have one last piece we'd like to hit on privately to wrap this up. To facilitate that, could you please email us at 'support+forum@1password.com', and then post the support ID you get back from BitBot here?
0 -
#YSL-13514-125
0 -
Looks like your messages just came into our system, did you get a response from BitBot via e-mail?
0 -
(Yes. Edited my post above.)
0 -
Hey @gboudrea,
Just to confirm, has your problem been solved, or do we need to follow up here? :D
Thanks,
Horia
0 -
All good, this can be closed.
0 -
Glad this got sorted out! Let us know if we can help with anything else.
0