8.9 KiB
keepassxc-browser
Chrome extension for KeePassXC with Native Messaging.
This is a heavily forked version of pfn's chromeIPass. Some changes merged also from projectgus' fork. For testing purposes, please use following unofficial KeePassXC release's.
Get the extension for Firefox or Chrome/Chromium.
The extension is supported with Firefox 56.0a1 and newer. If you want to load it as a temporary plugin with Firefox 54 you can just change the minimum version from the manifest file before loading it.
How it works
There are two methods which you can use keepassxc-browser to connect to KeePassXC:
-
keepassxc-browser communicates directly with KeePassXC via stdin/stdout. This method launches KeePassXC every time you start the browser and closes when you exit. This can cause unsaved changes not to be saved. If you use this method it's important to enable
Automatically save after every changefrom KeePassXC's preferences. -
keepassxc-browser communicated with KeePassXC through keepassxc-proxy. The proxy handles listening stdin/stdout and transfers these messages through a localhost UDP port 19700 (configurable) to KeePassXC. This means KeePassXC can be used and started normally without inteference from Native Messaging API. keepassxc-browser starts only the proxy application and there's no risk of shutting down KeePassXC or losing any unsaved changes. keepassxc-proxy is still under development. If you want, you are free to write your own proxy that handles the traffic.
Protocol
Transmitting messages between KeePassXC and keepassxc-browser is totally rewritten. This is still under development. Now the requests are encrypted by TweetNaCl.js box method and does the following:
- keepassxc-browser generates a key pair (with public and secret key) and transfers the public key to KeePassXC
- When KeePassXC receives the public key it generates its own key pair and transfers the public key to keepassxc-browser
- All messages between the browser extension and KeePassXC are now encrypted.
- When keepassxc-browser sends a message it is encrypted with KeePassXC's public key, a random generated nonce and keepassxc-browser's secret key.
- When KeePassXC sends a message it is encrypted with keepassxc-browser's public key etc.
- Databases are stored based on the current public key used with
associate. A new key pair for data transfer is generated each time keepassxc-browser is launched.
Encrypted messages are built with these JSON parameters:
- action -
test-associate,associate,get-logins,get-logins-count,set-login... - message - Encrypted message, base64 encoded
- nonce - 24 bytes long random data, base64 encoded. This must be the same when responding to a request.
change-public-keys
Request:
{
"action": "change-public-keys",
"publicKey": "<current public key>",
"proxyPort": "<UDP port for proxy applications>",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
Response (success):
{
"action": "change-public-keys",
"version": "2.2.0",
"publicKey": "<host public key>",
"success": "true"
}
get-databasehash
Request:
{
"action": "get-databasehash"
}
Response message data (success, decrypted):
{
"action": "hash",
"hash": "29234e32274a32276e25666a42",
"version": "2.2.0"
}
associate
Unencrypted message:
{
"action": "associate",
"key": "<current public key>"
}
Request:
{
"action": "associate",
"message": encryptedMessage
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
Response message data (success, decrypted):
{
"hash": "29234e32274a32276e25666a42",
"version": "2.2.0",
"success": "true",
"id": "testclient",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
test-associate
Unencrypted message:
{
"action": "test-associate",
"id": "<saved database identifier>",
"key": "<saved database public key>"
}
Request:
{
"action": "test-associate",
"message": encryptedMessage
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
Response message data (success, decrypted):
{
"version": "2.2.0",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"hash": "29234e32274a32276e25666a42",
"id": "testclient",
"success": "true"
}
generate-password
Request:
{
"action": "generate-password",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
Response message data (success, decrypted):
{
"version": "2.2.0",
"entries": [
{
"login": 144,
"password": "testclientpassword"
}
],
"success": "true",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
get-logins
Unencrypted message:
{
"action": "get-logins",
"url": "<snip>",
"submitUrl": optional
}
Request:
{
"action": "get-logins",
"message": encryptedMessage
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
Response message data (success, decrypted):
{
"count": "2",
"entries" : [
{
"login": "user1",
"name": "user1",
"password": "passwd1"
},
{
"login": "user2",
"name": "user2",
"password": "passwd2"
}],
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"success": "true",
"hash": "29234e32274a32276e25666a42",
"version": "2.2.0"
}
set-login
Unencrypted message:
{
"action": "set-login",
"url": "<snip>",
"submitUrl": "<snip>",
"id": "testclient",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"login": "user1",
"password": "passwd1"
}
Request:
{
"action": "set-login",
"message": encryptedMessage
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}
Response message data (success, decrypted):
{
"count": null,
"entries" : null,
"error": "",
"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
"success": "true",
"hash": "29234e32274a32276e25666a42",
"version": "2.2.0"
}
Licenses
keepassxc-browser Copyright (C) 2017 Sami Vänttinen
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 3 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
PassIFox & ChromeIPass Copyright © 2010-2017 Perry Nguyen
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 3 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
The following quick method to determine which browser is used with API calls by David Rousset:
window.browser = (function () {
return window.msBrowser ||
window.browser ||
window.chrome;
})();
MIT License
Copyright (c) 2016 David Rousset
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Donations
Feel free to support this project:
- Donate via PayPal
- Donate via Bitcoin: 1LHbD69CcmpLW5hjUXs2MGJhw3GxwqLdw3