rage: Parse identities before input file during decryption

Previously we avoided parsing `-i/--identity` flags before determining whether the input file was passphrase-encrypted or not, as it is an error to provide `-i/--identity` flags when decrypting a file encrypted with a passphrase. However, once we support identities via standard input (`-i -`), we won't be able to distinguish between standard input containing an encrypted file and an encrypted identity, so instead of a nice "stdin used multiple times" error we will get a misleading "invalid header" error. By parsing identities first, we ensure that the `-i/--identity` flags are themselves used correctly, and then in the case that we wouldn't use them due to passphrase encryption, we drop the parsed identities. It's a bit more work on the unhappy path, but no more work on the happy path.
2025-04-04 11:27:43 +03:00 · 2024-01-21 19:13:34 +00:00 · 2024-01-21 19:13:34 +00:00 · d3b2195987
commit d3b2195987
parent b82e084ca3
2 changed files with 17 additions and 13 deletions
--- a/rage/src/bin/rage/main.rs
+++ b/rage/src/bin/rage/main.rs
@ -244,6 +244,19 @@ fn decrypt(opts: AgeOptions) -> Result<(), error::DecryptError> {

    let (input, output) = set_up_io(opts.input, opts.output, file_io::OutputFormat::Unknown)?;

+    let identities_were_provided = !opts.identity.is_empty();
+    let plugin_name = opts.plugin_name.as_deref().unwrap_or_default();
+    let identities = if plugin_name.is_empty() {
+        read_identities(opts.identity, opts.max_work_factor)?
+    } else {
+        // Construct the default plugin.
+        vec![Box::new(plugin::IdentityPluginV1::new(
+            plugin_name,
+            &[plugin::Identity::default_for_plugin(plugin_name)],
+            UiCallbacks,
+        )?) as Box<dyn Identity>]
+    };
+
    // CRLF_MANGLED_INTRO and UTF16_MANGLED_INTRO are the intro lines of the age format after
    // mangling by various versions of PowerShell redirection, truncated to the length of the
    // correct intro line. See https://github.com/FiloSottile/age/issues/290 for more info.
@ -267,7 +280,7 @@ fn decrypt(opts: AgeOptions) -> Result<(), error::DecryptError> {

    match age::Decryptor::new_buffered(ArmoredReader::new(input))? {
        age::Decryptor::Passphrase(decryptor) => {
-            if !opts.identity.is_empty() {
+            if identities_were_provided {
                return Err(error::DecryptError::MixedIdentityAndPassphrase);
            }

@ -305,18 +318,6 @@ fn decrypt(opts: AgeOptions) -> Result<(), error::DecryptError> {
            }
        }
        age::Decryptor::Recipients(decryptor) => {
-            let plugin_name = opts.plugin_name.as_deref().unwrap_or_default();
-            let identities = if plugin_name.is_empty() {
-                read_identities(opts.identity, opts.max_work_factor)?
-            } else {
-                // Construct the default plugin.
-                vec![Box::new(plugin::IdentityPluginV1::new(
-                    plugin_name,
-                    &[plugin::Identity::default_for_plugin(plugin_name)],
-                    UiCallbacks,
-                )?) as Box<dyn Identity>]
-            };
-
            if identities.is_empty() {
                return Err(error::DecryptError::MissingIdentities);
            }
--- a/rage/tests/cmd/rage/decrypt-mixed-identity-and-passphrase.in/key.txt
+++ b/rage/tests/cmd/rage/decrypt-mixed-identity-and-passphrase.in/key.txt
@ -0,0 +1,3 @@
+# created: 2024-01-07T22:30:16Z
+# public key: age1g8g50ksmsfxuv4rpyhlnau8tx87y2xz8v4agzs2vltcxlssy2qwqq6qc4t
+AGE-SECRET-KEY-1SRQGS50G584HFA5JG9D6D9S6639VVHJUE5XHHKJET9DRU76HK4RQP0X5Q3