wincred: store encoding used as attribute

thaJeztah · thaJeztah · commit 6bed3ec0ec3c · 2026-04-20T19:17:07.000+02:00
Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/wincred/wincred.go b/wincred/wincred.go
@@ -4,6 +4,8 @@ package wincred
 
 import (
 	"bytes"
+	"errors"
+	"fmt"
 	"net/url"
 
 	winc "github.com/danieljoos/wincred"
@@ -24,7 +26,10 @@ func (h Wincred) Add(creds *credentials.Credentials) error {
 	g := winc.NewGenericCredential(creds.ServerURL)
 	g.UserName = creds.Username
 	g.Persist = winc.PersistLocalMachine
-	g.Attributes = []winc.CredentialAttribute{{Keyword: "label", Value: credsLabel}}
+	g.Attributes = []winc.CredentialAttribute{
+		{Keyword: "label", Value: credsLabel},
+		{Keyword: "encoding", Value: []byte("utf16le")},
+	}
 
 	blob, err := encodeUTF16LE(creds.Secret)
 	if err != nil {
@@ -64,16 +69,31 @@ func (h Wincred) Get(serverURL string) (string, string, error) {
 
 	for _, attr := range g.Attributes {
 		if attr.Keyword == "label" && bytes.Equal(attr.Value, credsLabel) {
-			// Older versions of the wincred credential-helper stored the password blob
-			// as raw string bytes. Newer versions store it as UTF-16LE. Try decoding from
-			// UTF-16LE, otherwise assume creds were stored as raw bytes.
-			//
-			// See https://github.com/docker/docker-credential-helpers/pull/335
-			creds := string(g.CredentialBlob)
-			if p, ok := tryDecodeUTF16LE(g.CredentialBlob); ok {
-				creds = p
+			switch enc := credentialEncoding(g.Attributes); enc {
+			case "utf16le":
+				// Encoding was stored; only accept UTF-16LE or error otherwise.
+				creds, err := decodeUTF16LE(g.CredentialBlob)
+				if err != nil {
+					return "", "", fmt.Errorf("decoding credentials: %w", err)
+				}
+				return g.UserName, string(creds), nil
+			case "":
+				// Older versions of the wincred credential-helper stored the password blob
+				// as raw string bytes. Newer versions store it as UTF-16LE. Try decoding from
+				// UTF-16LE, otherwise assume creds were stored as raw bytes.
+				//
+				// This could also be the case if an external tool stored the credentials and
+				// did not set the "encoding" attribute.
+				//
+				// See https://github.com/docker/docker-credential-helpers/pull/335
+				creds := string(g.CredentialBlob)
+				if c, ok := tryDecodeUTF16LE(g.CredentialBlob); ok {
+					creds = c
+				}
+				return g.UserName, creds, nil
+			default:
+				return "", "", errors.New("unsupported credential encoding: " + enc)
 			}
-			return g.UserName, creds, nil
 		}
 	}
 	return "", "", credentials.NewErrCredentialsNotFound()
@@ -164,6 +184,15 @@ func (h Wincred) List() (map[string]string, error) {
 	return resp, nil
 }
 
+func credentialEncoding(attrs []winc.CredentialAttribute) string {
+	for _, attr := range attrs {
+		if attr.Keyword == "encoding" {
+			return string(attr.Value)
+		}
+	}
+	return ""
+}
+
 func tryDecodeUTF16LE(blob []byte) (string, bool) {
 	if len(blob)%2 != 0 {
 		return "", false
