keepassxc-browser/README.md
2017-10-11 15:08:58 +03:00

8.5 KiB

keepassxc-browser

Chrome extension for KeePassXC with Native Messaging.

This is a heavily forked version of pfn's chromeIPass. Some changes merged also from smorks' KeePassHttp-Connector fork. For testing purposes, please use following unofficial KeePassXC release's.

Get the extension for Firefox or Chrome/Chromium.

The extension is supported with Firefox 55 and newer. If you want to load it as a temporary plugin with Firefox 54 you can just change the minimum version from the manifest file before loading it.

Please thee this wiki page for instructions how to configure this KeePassXC fork in order to connect the database correctly.

How it works

There are two methods which you can use keepassxc-browser to connect to KeePassXC:

  1. keepassxc-browser communicates directly with KeePassXC via stdin/stdout. This method launches KeePassXC every time you start the browser and closes when you exit. This can cause unsaved changes not to be saved. If you use this method it's important to enable Automatically save after every change from KeePassXC's preferences.

  2. keepassxc-browser communicated with KeePassXC through keepassxc-proxy or keepassxc-proxy-rust. The proxy handles listening stdin/stdout and transfers these messages through a localhost UDP port 19700 (configurable) to KeePassXC. This means KeePassXC can be used and started normally without inteference from Native Messaging API. keepassxc-browser starts only the proxy application and there's no risk of shutting down KeePassXC or losing any unsaved changes. keepassxc-proxy is still under development. If you want, you are free to write your own proxy that handles the traffic.

Protocol

Transmitting messages between KeePassXC and keepassxc-browser is totally rewritten. This is still under development. Now the requests are encrypted by TweetNaCl.js box method and does the following:

  1. keepassxc-browser generates a key pair (with public and secret key) and transfers the public key to KeePassXC
  2. When KeePassXC receives the public key it generates its own key pair and transfers the public key to keepassxc-browser
  3. All messages between the browser extension and KeePassXC are now encrypted.
  4. When keepassxc-browser sends a message it is encrypted with KeePassXC's public key, a random generated nonce and keepassxc-browser's secret key.
  5. When KeePassXC sends a message it is encrypted with keepassxc-browser's public key etc.
  6. Databases are stored based on the current public key used with associate. A new key pair for data transfer is generated each time keepassxc-browser is launched.

Encrypted messages are built with these JSON parameters:

  • action - test-associate, associate, get-logins, get-logins-count, set-login...
  • message - Encrypted message, base64 encoded
  • nonce - 24 bytes long random data, base64 encoded. This must be the same when responding to a request.
  • clientID - 24 bytes long random data, base64 encoded. This is used to identify different browsers if multiple are used with proxy application.

change-public-keys

Request:

{
	"action": "change-public-keys",
	"publicKey": "<current public key>",
	"proxyPort": "<UDP port for proxy applications>",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response (success):

{
	"action": "change-public-keys",
	"version": "2.2.0",
	"publicKey": "<host public key>",
	"success": "true"
}

get-databasehash

Request (unencrypted):

{
	"action": "get-databasehash"
}

Response message data (success, decrypted):

{
	"action": "hash",
	"hash": "29234e32274a32276e25666a42",
	"version": "2.2.0"
}

associate

Unencrypted message:

{
	"action": "associate",
	"key": "<current public key>"
}

Request:

{
	"action": "associate",
	"message": encryptedMessage
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success, decrypted):

{
	"hash": "29234e32274a32276e25666a42",
	"version": "2.2.0",
	"success": "true",
	"id": "testclient",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

test-associate

Unencrypted message:

{
	"action": "test-associate",
	"id": "<saved database identifier>",
	"key": "<saved database public key>",
	"clientID": "<clientID>"
}

Request:

{
	"action": "test-associate",
	"message": encryptedMessage
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

Response message data (success, decrypted):

{
	"version": "2.2.0",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"hash": "29234e32274a32276e25666a42",
	"id": "testclient",
	"success": "true"
}

generate-password

Request:

{
	"action": "generate-password",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success, decrypted):

{
	"version": "2.2.0",
	"entries": [
		{
			"login": 144,
			"password": "testclientpassword"
		}
	],
	"success": "true",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

get-logins

Unencrypted message:

{
	"action": "get-logins",
	"url": "<snip>",
	"submitUrl": optional
}

Request:

{
	"action": "get-logins",
	"message": encryptedMessage
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success, decrypted):

{
	"count": "2",
	"entries" : [
	{
		"login": "user1",
		"name": "user1",
		"password": "passwd1"
	},
	{
		"login": "user2",
		"name": "user2",
		"password": "passwd2"
	}],
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"success": "true",
	"hash": "29234e32274a32276e25666a42",
	"version": "2.2.0"
}

set-login

Unencrypted message:

{
	"action": "set-login",
	"url": "<snip>",
	"submitUrl": "<snip>",
	"id": "testclient",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"login": "user1",
	"password": "passwd1"
}

Request:

{
	"action": "set-login",
	"message": encryptedMessage
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success, decrypted):

{
	"count": null,
	"entries" : null,
	"error": "",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"success": "true",
	"hash": "29234e32274a32276e25666a42",
	"version": "2.2.0"
}

Licenses

keepassxc-browser Copyright (C) 2017 Sami Vänttinen
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 3 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
PassIFox & ChromeIPass Copyright © 2010-2017 Perry Nguyen  
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 3 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

Donations

Feel free to support this project:

  • Donate via PayPal
  • Donate via Bitcoin: 1LHbD69CcmpLW5hjUXs2MGJhw3GxwqLdw3

Also consider donating to KeePassXC and passifox teams (1),(2),(3). They are doing great job.