2017-10-22 14:52:55 +00:00
## keepassxc-protocol
Transmitting messages between KeePassXC and keepassxc-browser is totally rewritten. This is still under development.
Now the requests are encrypted by [TweetNaCl.js ](https://github.com/dchest/tweetnacl-js ) box method and does the following:
1. keepassxc-browser generates a key pair (with public and secret key) and transfers the public key to KeePassXC
2017-12-17 07:23:58 +00:00
2. When KeePassXC receives the public key it generates its own key pair and transfers the public key to keepassxc-browser. Public key is transferred in plain-text. Secret keys are never transferred or used anywhere except when encrypting/decrypting.
2017-10-22 14:52:55 +00:00
3. All messages between the browser extension and KeePassXC are now encrypted.
4. When keepassxc-browser sends a message it is encrypted with KeePassXC's public key, a random generated nonce and keepassxc-browser's secret key.
2017-11-26 10:31:05 +00:00
5. When KeePassXC sends a message it is encrypted with keepassxc-browser's public key and an incremented nonce.
2018-08-07 05:28:50 +00:00
6. Databases are stored with newly created public key used with `associate` . A new key pair for data transfer is generated each time keepassxc-browser is launched. This saved key is not used again, as it's only used for identification.
2017-10-22 14:52:55 +00:00
2020-04-05 13:10:05 +00:00
Thus there are three key pairs involved in every communication:
- `host key` - A temporary key pair created by KeePassXC to encrypt the communication of the current session.
- `client key` - A temporary key pair created by keepassxc-browser to encrypt the communication of the current session.
- `identification key` - A permanent key pair created by keepassxc-browser used to authenticate the browser in later sessions after it was successfully *associated* with a database. This one should be stored safely by the browser. Note that only the public key part is ever used which might be a tiny flaw in the protocol since that part is also stored in the database.
2017-10-22 14:52:55 +00:00
Encrypted messages are built with these JSON parameters:
- action - `test-associate` , `associate` , `get-logins` , `get-logins-count` , `set-login` ...
- message - Encrypted message, base64 encoded
2017-12-15 05:12:21 +00:00
- nonce - 24 bytes long random data, base64 encoded. This is incremented to the response.
2020-04-05 13:10:05 +00:00
- clientID - 24 bytes long random data, base64 encoded. This is used for a single session to identify different browsers if multiple are used with proxy application.
2017-10-22 14:52:55 +00:00
Currently these messages are implemented:
- `change-public-keys` : Request for passing public keys from client to server and back.
- `get-databasehash` : Request for receiving the database hash (SHA256) of the current active database.
- `associate` : Request for associating a new client with KeePassXC.
- `test-associate` : Request for testing if the client has been associated with KeePassXC.
- `generate-password` : Request for generating a password. KeePassXC's settings are used.
- `get-logins` : Requests for receiving credentials for the current URL match.
- `set-login` : Request for adding or updating credentials to the database.
- `lock-database` : Request for locking the database from client.
- `database-locked` : A signal from KeePassXC, the current active database is locked.
- `database-unlocked` : A signal from KeePassXC, the current active database is unlocked.
2020-08-20 13:28:27 +00:00
- `get-totp` : Request for receiving the current TOTP.
2017-10-22 14:52:55 +00:00
### change-public-keys
Request:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "change-public-keys",
2020-04-05 13:10:05 +00:00
"publicKey": "< client public key > ",
2019-02-05 08:22:00 +00:00
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
2017-10-22 14:52:55 +00:00
}
```
Response (success):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "change-public-keys",
"version": "2.2.0",
"publicKey": "< host public key > ",
"success": "true"
2017-10-22 14:52:55 +00:00
}
```
### get-databasehash
2019-01-06 10:38:33 +00:00
Unencrypted message:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "get-databasehash"
2017-10-22 14:52:55 +00:00
}
```
2019-01-06 10:38:33 +00:00
Request:
2020-04-05 13:11:06 +00:00
```json
2019-01-06 10:38:33 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "get-databasehash",
"message": "< encrypted message > ",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
2019-01-06 10:38:33 +00:00
}
```
2017-10-22 14:52:55 +00:00
Response message data (success, decrypted):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "hash",
"hash": "29234e32274a32276e25666a42",
"version": "2.2.0"
2017-10-22 14:52:55 +00:00
}
```
### associate
Unencrypted message:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "associate",
2020-04-05 13:10:05 +00:00
"key": "< client public key > ",
"idKey": "< a new identification public key > "
2017-10-22 14:52:55 +00:00
}
```
Request:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "associate",
"message": "< encrypted message > ",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
2017-10-22 14:52:55 +00:00
}
```
Response message data (success, decrypted):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"hash": "29234e32274a32276e25666a42",
"version": "2.2.0",
"success": "true",
"id": "testclient",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
2017-10-22 14:52:55 +00:00
}
```
### test-associate
Unencrypted message:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "test-associate",
2020-04-05 13:10:05 +00:00
"id": "< saved database identifier received from associate > ",
"key": "< saved identification public key > "
2017-10-22 14:52:55 +00:00
}
```
Request:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "test-associate",
"message": "< encrypted message > ",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
2017-10-22 14:52:55 +00:00
}
```
Response message data (success, decrypted):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"version": "2.2.0",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"hash": "29234e32274a32276e25666a42",
"id": "testclient",
"success": "true"
2017-10-22 14:52:55 +00:00
}
```
### generate-password
2019-01-06 10:38:33 +00:00
Request (no unencrypted message is needed):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "generate-password",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
2017-10-22 14:52:55 +00:00
}
```
Response message data (success, decrypted):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"version": "2.2.0",
"entries": [
{
"login": 144,
"password": "testclientpassword"
}
],
"success": "true",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
2017-10-22 14:52:55 +00:00
}
```
### get-logins
Unencrypted message:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "get-logins",
"url": "< snip > ",
2020-04-05 13:11:06 +00:00
"submitUrl": "< optional > ",
"httpAuth": "< optional > ",
2019-02-05 08:22:00 +00:00
"keys": [
{
2020-04-05 13:10:05 +00:00
"id": "< saved database identifier received from associate > ",
"key": "< saved identification public key > "
2019-02-05 08:22:00 +00:00
},
...
]
2017-10-22 14:52:55 +00:00
}
```
Request:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "get-logins",
"message": "< encrypted message > ",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
2017-10-22 14:52:55 +00:00
}
```
Response message data (success, decrypted):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"count": "2",
"entries" : [
{
"login": "user1",
"name": "user1",
"password": "passwd1"
},
{
"login": "user2",
"name": "user2",
2019-05-09 05:45:47 +00:00
"password": "passwd2",
"expired": "true"
2019-02-05 08:22:00 +00:00
}],
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"success": "true",
"hash": "29234e32274a32276e25666a42",
"version": "2.2.0"
2017-10-22 14:52:55 +00:00
}
```
### set-login
Unencrypted message:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "set-login",
"url": "< snip > ",
"submitUrl": "< snip > ",
"id": "testclient",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"login": "user1",
"password": "passwd1",
"group": "< group name > ",
"groupUuid": "< group UUID > ",
"uuid": "< entry UUID > "
2017-10-22 14:52:55 +00:00
}
```
Request:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "set-login",
"message": "< encrypted message > ",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
2017-10-22 14:52:55 +00:00
}
```
Response message data (success, decrypted):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"count": null,
"entries" : null,
"error": "",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"success": "true",
"hash": "29234e32274a32276e25666a42",
"version": "2.2.0"
2017-10-22 14:52:55 +00:00
}
```
### lock-database
2019-01-06 10:38:33 +00:00
Unencrypted message:
2020-04-05 13:11:06 +00:00
```json
2019-01-06 10:38:33 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "lock-database"
2019-01-06 10:38:33 +00:00
}
```
2017-10-22 14:52:55 +00:00
Request:
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "lock-database",
"message": "< encrypted message > ",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
2017-10-22 14:52:55 +00:00
}
```
Response message data (success always returns an error, decrypted):
2020-04-05 13:11:06 +00:00
```json
2017-10-22 14:52:55 +00:00
{
2019-02-05 08:22:00 +00:00
"action": "lock-database",
"errorCode": 1,
"error": "Database not opened",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
```
### get-database-groups
Unencrypted message:
2020-04-05 13:11:06 +00:00
```json
2019-02-05 08:22:00 +00:00
{
"action": "get-database-groups"
}
```
Request:
2020-04-05 13:11:06 +00:00
```json
2019-02-05 08:22:00 +00:00
{
"action": "get-database-groups",
"message": "< encrypted message > ",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
}
```
Response message data (success, decrypted):
```json
{
"defaultGroup": "< default group name > ",
"defaultGroupAlwaysAllow": false,
"groups": [
{
"name": "Root",
"uuid": "< group UUID > ",
"children": [
{
"name": "KeePassXC-Browser Passwords",
"uuid": "< group UUID > ",
"children": []
},
{
"name": "SecondRoot",
"uuid": "< group UUID > ",
"children": [
{
"name": "Child",
"uuid": "< group UUID > ",
"children": [
{
"name": "GrandChild",
"uuid": "< group UUID > ",
"children": []
}
]
}
]
},
{
"name": "ThirdRoot",
"uuid": "< group UUID > ",
"children": [
{
"name": "Child2",
"uuid": "< group UUID > ",
"children": []
}
]
},
{
"name": "Child2",
"uuid": "< group UUID > ",
"children": []
}
]
}
]
}
```
### create-new-group
Unencrypted message:
2020-04-05 13:11:06 +00:00
```json
2019-02-05 08:22:00 +00:00
{
"action": "create-new-group",
"groupName": "< group name or path > "
}
```
Request:
2020-04-05 13:11:06 +00:00
```json
2019-02-05 08:22:00 +00:00
{
"action": "create-new-group",
"message": "< encrypted message > ",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"clientID": "< clientID > "
}
```
Response message data (success, decrypted):
```json
{
"name": "< group name > ",
"uuid": "< group UUID > "
2017-10-22 14:52:55 +00:00
}
2017-11-09 11:25:42 +00:00
```
2020-08-20 13:28:27 +00:00
### get-totp (KeePassXC 2.6.1 and newer)
Request (no unencrypted message is needed):
```json
{
2020-12-08 10:11:05 +00:00
"action": "get-totp",
2020-08-20 13:28:27 +00:00
"uuid": "< entry UUID > "
}
```
Response message data (success, decrypted):
```json
{
"totp": < TOTP > ,
"version": "2.2.0",
"success": "true",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
```