Invalid iv in the message

gboudrea
Community Member

After successfully signing in, trying to list my personal vault errors out:

$ op list items --vault gboudrea
[ERROR] 2022/03/12 16:37:17 Invalid iv in the message: 16

Other vaults are OK.

Similarly, I can do op get account 'My Item Name', but trying to get the TOTP of the same item fails. Same for get item:

$ op get totp 'My Item Name'
[ERROR] 2022/03/12 16:39:25 failed to listMatchingItemsInVault: Invalid iv in the message: 16
$ op get item 'My Item Name'
[ERROR] 2022/03/12 16:41:55 failed to listMatchingItemsInVault: Invalid iv in the message: 16

Thanks.


1Password Version: CLI 1.12.4
Extension Version: N/A
OS Version: macOS 12.2.1

Comments

  • Justin.Yoon_1P
    edited March 2022

    Hey @gboudrea

    After some investigating, it looks like that error message is being returned from the server when the CLI client asks to list the items for that specific vault (assuming that the 'My Item Name' item is located in the gboudrea vault).

    I'm wondering if you get similar errors when trying to access that vault over the other clients like the 1Password website, or the Mac application.

    I am also curious if the same error occurs when listing that vault's items in the new 2nd version of the CLI.

  • gboudrea
    Community Member

    My Item Name works as expected in both 1Password 7 on Mac, and on 1password.com

    Same error with op version 2.0.0:

    gb@MacBook-Pro:~ $ op --version
    2.0.0
    gb@MacBook-Pro:~ $ op item get 'My Item Name'
    [ERROR] 2022/03/15 19:46:03 failed to listMatchingItemsInVault: Invalid iv in the message: 16
    
  • Justin.Yoon_1P
    edited March 2022

    Thanks for the information @gboudrea

    I'm going to open an issue to investigate this behavior.

    In order to help us debug this issue, do you mind giving us some info about the vault in question?

    • Is this a vault that was created by you, or came with the system (e.g. Private vault)?
    • How many items are in the vault?
    • You mentioned that the other vault(s) work - could you provide the same info for them as well?
  • gboudrea
    Community Member

    This is a vault called Guillaume that was created manually.
    I've been a 1Password client since v3, when it was only a Mac app; not sure if this vault was created on a Mac client, and later migrated to your server, when this became an option..?

    839 items in the vault. Definitely my largest vault.

    2nd largest vault is 255 items, was also created manually (but is probably not as old as the Guillaume vault), and doing an op item list --vault that_2nd_vault works as expected, while op item list --vault Guillaume does not.

  • I think we may have an idea on what caused this - have you ever created an item using the 1Password Android client in the past?

    Also, to help us troubleshoot, would you be able to try and access the item using our 1Password Mac 8 Beta client? We have a feeling that the CLI and the Mac Beta 8 client share similar logic and it should not work, but wanted to confirm our theory.

    Thanks for all the correspondence so far @gboudrea

  • gboudrea
    Community Member

    Yes, I did (and still) use the Android client.

    I tried 1Password 8.7.0; Guillaume vault loads fine. My Item Name also loads as it should from 1Password 8.

    Only the CLI seems affected.

  • Thank you again for the info @gboudrea

    So from my findings, it looks like there was a small period a couple of years ago where items created in the 1Password Android client used a wrong number of nonce (IV) bytes to create an item's key. Most clients are able to handle this, but it looks like op cannot.

    We are going to investigate the issue on how to fix it on op's end, but the prescribed method to fix it by our support staff was to simply recreate the item in question. In this case, it looks like My Item Name may be the culprit.

    Do you mind giving that a try and seeing if it fixes things?

    As for listing items in the Guillaume vault, it will be quite difficult at this point to find the culprit item, as there are over 800 items (wow!) in that vault, right?

    I think I can add some debug logs in the upcoming build so we can identify the item(s) that fail. These logs will be enabled with the --debug flag.

    How does this sound to you?

  • gboudrea
    Community Member

    I tried to create a new item in that vault, and op item get fails for that item.
    Looks like op item get 'Anything' fails for all items in the Guillaume vault. I would guess op is trying to list items in the vault to find it, or something...

    If you add debug logs, I'll try that for sure.

  • ajh0912
    Community Member

    @gboudrea Unfortunately that's exactly how op item get works, here's the docs. https://developer.1password.com/docs/cli/reference/management-commands/item/#item-get

    Requesting an item by name retrieves all the items you have access to from the 1Password servers, and then filters them by name client-side. This could result in hitting the rate limits quicker than expected. To limit the scope of the search, include the --vault flag.

    As a workaround to troubleshoot before item level debugging is available, you could move a subset of items into another (or new) vault, maybe half of them, and ensure you filter to the original vault. Then you can repeat and narrow down to see when it's erroring and when it isn't.
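
A vault-by-vault triage for the error discussed in this thread, as an added example that is not part of the original posts and not 1Password's own tooling. It assumes CLI 2 syntax, an already signed-in session, and that `op vault list` prints a header row followed by one `ID NAME` row per vault; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find which vaults trigger "Invalid iv in the message".
# Item titles returned by `op item list` are discarded, so the report
# contains only vault IDs and a status and is safe to paste into a ticket.
OP="${OP:-op}"   # overridable so the logic can be exercised with a stub

# classify_vault VAULT_ID -> prints "ok", "invalid-iv" or "error"
classify_vault() {
  # Keep stderr only; stdin is closed so op cannot consume the caller's input.
  out=$("$OP" item list --vault "$1" 2>&1 >/dev/null </dev/null) && rc=0 || rc=$?
  if printf '%s\n' "$out" | grep -q 'Invalid iv in the message'; then
    echo invalid-iv
  elif [ "$rc" -eq 0 ]; then
    echo ok
  else
    echo error            # some other failure (session expired, network, ...)
  fi
}

# scan_vaults -> one "VAULT_ID<TAB>status" line per vault
scan_vaults() {
  # Assumption: first line of `op vault list` is a header, column 1 is the ID.
  "$OP" vault list | awk 'NR > 1 { print $1 }' | while read -r id; do
    [ -n "$id" ] || continue
    printf '%s\t%s\n' "$id" "$(classify_vault "$id")"
  done
}

# Run the scan only when the CLI is actually installed.
if command -v "$OP" >/dev/null 2>&1; then
  scan_vaults
fi
```

Any vault reported as `invalid-iv` is the one to pass to `--vault` when narrowing down, and every other vault can keep being used with an explicit `--vault` filter in the meantime.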

  • gboudrea
    Community Member

    I moved all items from Guillaume into a new Guillaume2 vault. Guillaume vault is now empty.
    I can op item list --vault Guillaume2, but op item list --vault Guillaume still fails, even empty.

    But I have 234 archived items in that vault...
    I couldn't find how to view only those archived items, so I moved all my archived items into a new vault.
    Guillaume is not completely empty, but still returns the error on op item list --vault Guillaume

  • gboudrea
    Community Member
    edited March 2022

    I then went on 1password.com, and in my Guillaume vault, an item was left. That item was NOT showing in 1Password 8 for Mac.
    So I moved that item to another vault (Personal), and now, I can successfully list both my Guillaume and Personal vaults!
    I moved that item back into Guillaume, and voilà. I can now list all vaults using the CLI, and that item works too. I guess moving it from 1password.com fixed the problem with that item.

    FYI:
    That item was NOT My Item Name, it was something else.
    That culprit item had:

    • last modified: February 28, 2016 5:00 PM
    • created: November 24, 2009 9:10 AM

    So for anyone with a similar problem:

    • Create a new vault
    • Using a native 1Password client (Mac or Windows): move all items from the problematic vault into that new vault
    • Go on 1Password.com, and look into the problematic vault; you should see 1+ other items. Move them into the new vault from the web interface. You should now see all items, including those problematic items, in the new vault.
    • Using a native client: move all items from the new vault back into the problematic vault
    • Delete the now empty new vault

    The problematic vault should now be OK. Yay.

  • Thank you so much for following up here. We really appreciate your patience. We have one last piece we'd like to hit on privately to wrap this up. To facilitate that, could you please email us at 'support+forum@1password.com', and then post the support ID you get back from BitBot here?

  • gboudrea
    Community Member
    edited March 2022

    #YSL-13514-125

  • Looks like your messages just came into our system, did you get a response from BitBot via e-mail?

  • gboudrea
    Community Member

    (Yes. Edited my post above.)

  • Hey @gboudrea,
    Just to confirm, has your problem been solved, or do we need to follow up here? :D

    Thanks,
    Horia

  • gboudrea
    Community Member

    All good, this can be closed.

  • Glad this got sorted out! Let us know if we can help with anything else.

This discussion has been closed.