keepassxc-browser/keepassxc-protocol.md
2017-12-15 07:24:14 +02:00

5.9 KiB

keepassxc-protocol

Transmitting messages between KeePassXC and keepassxc-browser is totally rewritten. This is still under development. Now the requests are encrypted by TweetNaCl.js box method and does the following:

  1. keepassxc-browser generates a key pair (with public and secret key) and transfers the public key to KeePassXC
  2. When KeePassXC receives the public key it generates its own key pair and transfers the public key to keepassxc-browser
  3. All messages between the browser extension and KeePassXC are now encrypted.
  4. When keepassxc-browser sends a message it is encrypted with KeePassXC's public key, a random generated nonce and keepassxc-browser's secret key.
  5. When KeePassXC sends a message it is encrypted with keepassxc-browser's public key and an incremented nonce.
  6. Databases are stored based on the current public key used with associate. This public key used for indentification is not used again afterwards. A new key pair for data transfer is generated each time keepassxc-browser is launched.

Encrypted messages are built with these JSON parameters:

  • action - test-associate, associate, get-logins, get-logins-count, set-login...
  • message - Encrypted message, base64 encoded
  • nonce - 24 bytes long random data, base64 encoded. This is incremented to the response.
  • clientID - 24 bytes long random data, base64 encoded. This is used to identify different browsers if multiple are used with proxy application.

Currently these messages are implemented:

  • change-public-keys: Request for passing public keys from client to server and back.
  • get-databasehash: Request for receiving the database hash (SHA256) of the current active database.
  • associate: Request for associating a new client with KeePassXC.
  • test-associate: Request for testing if the client has been associated with KeePassXC.
  • generate-password: Request for generating a password. KeePassXC's settings are used.
  • get-logins: Requests for receiving credentials for the current URL match.
  • set-login: Request for adding or updating credentials to the database.
  • lock-database: Request for locking the database from client.
  • database-locked: A signal from KeePassXC, the current active database is locked.
  • database-unlocked: A signal from KeePassXC, the current active database is unlocked.

change-public-keys

Request:

{
	"action": "change-public-keys",
	"publicKey": "<current public key>",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response (success):

{
	"action": "change-public-keys",
	"version": "2.2.0",
	"publicKey": "<host public key>",
	"success": "true"
}

get-databasehash

Request (unencrypted):

{
	"action": "get-databasehash"
}

Response message data (success, decrypted):

{
	"action": "hash",
	"hash": "29234e32274a32276e25666a42",
	"version": "2.2.0"
}

associate

Unencrypted message:

{
	"action": "associate",
	"key": "<current public key>"
}

Request:

{
	"action": "associate",
	"message": encryptedMessage
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success, decrypted):

{
	"hash": "29234e32274a32276e25666a42",
	"version": "2.2.0",
	"success": "true",
	"id": "testclient",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

test-associate

Unencrypted message:

{
	"action": "test-associate",
	"id": "<saved database identifier>",
	"key": "<saved database public key>",
	"clientID": "<clientID>"
}

Request:

{
	"action": "test-associate",
	"message": encryptedMessage
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

Response message data (success, decrypted):

{
	"version": "2.2.0",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"hash": "29234e32274a32276e25666a42",
	"id": "testclient",
	"success": "true"
}

generate-password

Request:

{
	"action": "generate-password",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success, decrypted):

{
	"version": "2.2.0",
	"entries": [
		{
			"login": 144,
			"password": "testclientpassword"
		}
	],
	"success": "true",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

get-logins

Unencrypted message:

{
	"action": "get-logins",
	"url": "<snip>",
	"submitUrl": optional
}

Request:

{
	"action": "get-logins",
	"message": encryptedMessage
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success, decrypted):

{
	"count": "2",
	"entries" : [
	{
		"login": "user1",
		"name": "user1",
		"password": "passwd1"
	},
	{
		"login": "user2",
		"name": "user2",
		"password": "passwd2"
	}],
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"success": "true",
	"hash": "29234e32274a32276e25666a42",
	"version": "2.2.0"
}

set-login

Unencrypted message:

{
	"action": "set-login",
	"url": "<snip>",
	"submitUrl": "<snip>",
	"id": "testclient",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"login": "user1",
	"password": "passwd1"
}

Request:

{
	"action": "set-login",
	"message": encryptedMessage
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success, decrypted):

{
	"count": null,
	"entries" : null,
	"error": "",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"success": "true",
	"hash": "29234e32274a32276e25666a42",
	"version": "2.2.0"
}

lock-database

Request:

{
	"action": "lock-database",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
	"clientID": "<clientID>"
}

Response message data (success always returns an error, decrypted):

{
	"action": "lock-database",
	"errorCode": 1,
	"error": "Database not opened",
	"nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}