mrc-converter-suite convert.pl keychain: Failed to decrypt the dbkey

nrbrtfrtln
Community Member

When running mrc-converter-suite convert.pl keychain I get the error
"Failed to decrypt the dbkey - did you supply the correct password?"
but I sure did supply the correct password!
I also tried the --password option, no luck.
This is the local default login keychain.
Mac OS Mojave: 10.14.6
perl 5, version 18, subversion 4 (v5.18.4) built for darwin-thread-multi-2level
Thanks for your help in advance.


1Password Version: 1Password 7 Version 7.6 (70600005) 1Password Store
Extension Version: Not Provided
OS Version: OS X 10.14.6
Sync Type: Not Provided

Comments

  • MrC
    Volunteer Moderator

    @nrbrtfrtln ,

    I'm updating my VM now - be back with you shortly after I test.

  • MrC
    Volunteer Moderator

    @nrbrtfrtln ,

    I just ran a test against my keychain, and had no issues:

    Anything you notice that's different about your command line vs. mine?

    Does your keychain have the same password as your macOS login?

    Does it have any non-ascii characters?

  • nrbrtfrtln
    Community Member

    Thanks for your quick response!

    Anything you notice that's different about your command line vs. mine?

    No difference, except for the username (and I am checking carefully)

    Does your keychain have the same password as your macOS login?

    Yes

    Does it have any non-ascii characters?

    No

    I played with a file copy of this keychain and found the following:
    The same error happened when trying to "convert.pl keychain" this copy but after I deleted all the entries and then added just one test entry the script ran just fine. So only the whole keychain-db with all the entries in it seems somehow "corrupted" or just different enough that "kcdecrypt" can't handle it.

    Methinks this has something to do with the history of this keychain.
    Possible reasons:
    1. It is old, i.e. has gone through at least one upgrade: There is still a two year old file 'login.keychain' (no -db) in my Keychains folder
    2. It had, once in its past, a different password from my login pw.

    Any ideas what I could try? I have time to poke around a bit.
    If not, don't bother too much, I'll try to get them into 1pw manually.
    cheers
    Norbert
    p.s.: Oh, the hidden ways of Apple to keep you in their golden cage!
    p.p.s.: I am looking to consolidate my pws and your support makes me lean towards 1pw.

  • MrC
    Volunteer Moderator
    edited September 2020

    @nrbrtfrtln

    Debugging the issue w/out access to the problematic keychain is a challenge.

    The code is failing to decrypt the well-known Magic initial vector that is in every keychain. The code I based my decryption code on was only verified to run up to High Sierra, so there may be something that I'm unaware of, such as running on Mojave with an older keychain, or some edge case in preparing the data for decryption.

    The keychain converter code can decrypt using one of two methods: 1) a Perl module called Crypt::CBC, which you likely don't have installed, or 2) the openssl set of crypto functions and libraries. You are likely using method 2, and it's likely that there is some edge case that I'm not aware of, or able to recreate, that is causing the decryption of the magic cookie to fail (this is used to test that the password is correct). The openssl code and its many versions can be painful to deal with.

    I could add some more debug lines in the code that could give us some idea where the failure is occurring - this would require some back and forth between us to figure out where the issue is. I'm happy to entertain that, but you may not want to invest the time.

    FYI: The decrypt code I used as the basis for the keychain converter is called chainbreaker. If that works on your keychain, then the bug is in my code. The problem is that you need development libraries on your system in order to run it, and that's probably well beyond what you'd want to do.

    p.s. the Keychain format and encryption is well documented and the code is openly available.

  • nrbrtfrtln
    Community Member

    Thanks for your efforts but
    I found out by eyeballing each one that I do not need any of the items in my login keychain but only those in the iCloud.
    This I have to do manually again.
    Sorry to bother you, and have a great day.

  • MrC
    Volunteer Moderator
    edited September 2020

    @nrbrtfrtln ,

    To get your iCloud Keychain passwords, try the Get_Safari12_Passwords in the converter suite. Run the script inside the unzipped folder. You can follow along with the video where I show the process.

  • nrbrtfrtln
    Community Member

    Thanks a lot, this worked like a charm!

  • On behalf of MrC you're very welcome. Thank you for helping out here @MrC. :)

    Ben

This discussion has been closed.