Skip to content

Latest commit

 

History

History
516 lines (472 loc) · 12.9 KB

keepassxc-protocol.md

File metadata and controls

516 lines (472 loc) · 12.9 KB

keepassxc-protocol

Transmitting messages between KeePassXC and keepassxc-browser is totally rewritten. This is still under development. Now the requests are encrypted by TweetNaCl.js box method and does the following:

  1. keepassxc-browser generates a key pair (with public and secret key) and transfers the public key to KeePassXC
  2. When KeePassXC receives the public key it generates its own key pair and transfers the public key to keepassxc-browser. Public key is transferred in plain-text. Secret keys are never transferred or used anywhere except when encrypting/decrypting.
  3. All messages between the browser extension and KeePassXC are now encrypted.
  4. When keepassxc-browser sends a message it is encrypted with KeePassXC's public key, a random generated nonce and keepassxc-browser's secret key.
  5. When KeePassXC sends a message it is encrypted with keepassxc-browser's public key and an incremented nonce.
  6. Databases are stored with newly created public key used with associate. A new key pair for data transfer is generated each time keepassxc-browser is launched. This saved key is not used again, as it's only used for identification.

Thus there are three key pairs involved in every communication:

  • host key - A temporary key pair created by KeePassXC to encrypt the communication of the current session.
  • client key - A temporary key pair created by keepassxc-browser to encrypt the communication of the current session.
  • identification key - A permanent key pair created by keepassxc-browser used to authenticate the browser in later sessions after it was successfully associated with a database. This one should be stored safely by the browser. Note that only the public key part is ever used which might be a tiny flaw in the protocol since that part is also stored in the database.

Encrypted messages are built with these JSON parameters:

  • action - test-associate, associate, get-logins, get-logins-count, set-login...
  • message - Encrypted message, base64 encoded
  • nonce - 24 bytes long random data, base64 encoded. This is incremented to the response.
  • clientID - 24 bytes long random data, base64 encoded. This is used for a single session to identify different browsers if multiple are used with proxy application.
  • requestID (optional) - A random 8 character string. Used to identify error responses. Currently used only with generate-password.

Currently these messages are implemented:

  • associate: Request for associating a new client with KeePassXC.
  • change-public-keys: Request for passing public keys from client to server and back.
  • create-new-group: Request for creating a new group to database.
  • database-locked: A signal from KeePassXC, the current active database is locked.
  • database-unlocked: A signal from KeePassXC, the current active database is unlocked.
  • generate-password: Request for generating a password. KeePassXC's settings are used.
  • get-database-groups: Returns all groups from the active database.
  • get-databasehash: Request for receiving the database hash (SHA256) of the current active database.
  • get-logins: Requests for receiving credentials for the current URL match.
  • get-totp: Request for receiving the current TOTP.
  • lock-database: Request for locking the database from client.
  • passkeys-get: Request for Passkeys authentication.
  • passkeys-register: Request for Passkeys credential registration.
  • request-autotype: Performs Global Auto-Type.
  • set-login: Request for adding or updating credentials to the database.
  • test-associate: Request for testing if the client has been associated with KeePassXC.

associate

Unencrypted message:

{
    "action": "associate",
    "key": "<client public key>",
    "idKey": "<a new identification public key>"
}

Request:

{
    "action": "associate",
    "message": "<encrypted message>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response message data (success, decrypted):

{
    "hash": "29234e32274a32276e25666a42",
    "version": "2.7.0",
    "success": "true",
    "id": "testclient",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

change-public-keys

Request:

{
    "action": "change-public-keys",
    "publicKey": "<client public key>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response (success):

{
    "action": "change-public-keys",
    "version": "2.7.0",
    "publicKey": "<host public key>",
    "success": "true"
}

create-new-group

Unencrypted message:

{
    "action": "create-new-group",
    "groupName": "<group name or path>"
}

Request:

{
    "action": "create-new-group",
    "message": "<encrypted message>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response message data (success, decrypted):

{
    "name": "<group name>",
    "uuid": "<group UUID>"
}

generate-password

Request (no unencrypted message is needed):

{
    "action": "generate-password",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>",
    "requestID": "<request ID>"
}

Response message data (success, decrypted):

{
    "version": "2.7.0",
    "password": "testclientpassword"
    "success": "true",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

Response message data (success, decrypted, KeePassXC 2.7.0 and later):

{
    "version": "2.7.0",
    "password": "thePassword",
    "success": "true",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

get-database-groups

Unencrypted message:

{
    "action": "get-database-groups"
}

Request:

{
    "action": "get-database-groups",
    "message": "<encrypted message>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response message data (success, decrypted):

{
    "defaultGroup": "<default group name>",
    "defaultGroupAlwaysAllow": false,
    "groups": [
        {
            "name": "Root",
            "uuid": "<group UUID>",
            "children": [
                {
                    "name": "KeePassXC-Browser Passwords",
                    "uuid": "<group UUID>",
                    "children": []
                },
                {
                    "name": "SecondRoot",
                    "uuid": "<group UUID>",
                    "children": [
                        {
                            "name": "Child",
                            "uuid": "<group UUID>",
                            "children": [
                                {
                                    "name": "GrandChild",
                                    "uuid": "<group UUID>",
                                    "children": []
                                }
                            ]
                        }
                    ]
                },
                {
                    "name": "ThirdRoot",
                    "uuid": "<group UUID>",
                    "children": [
                        {
                            "name": "Child2",
                            "uuid": "<group UUID>",
                            "children": []
                        }
                    ]
                },
                {
                    "name": "Child2",
                    "uuid": "<group UUID>",
                    "children": []
                }
            ]
        }
    ]
}

get-databasehash

Unencrypted message:

{
    "action": "get-databasehash"
}

Request:

{
    "action": "get-databasehash",
    "message": "<encrypted message>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response message data (success, decrypted):

{
    "action": "hash",
    "hash": "29234e32274a32276e25666a42",
    "version": "2.2.0"
}

get-logins

Unencrypted message:

{
    "action": "get-logins",
    "url": "<snip>",
    "submitUrl": "<optional>",
    "httpAuth": "<optional>",
    "keys": [
        {
            "id": "<saved database identifier received from associate>",
            "key": "<saved identification public key>"
        },
        ...
    ]
}

Request:

{
    "action": "get-logins",
    "message": "<encrypted message>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response message data (success, decrypted):

{
    "count": "2",
    "entries" : [
    {
        "login": "user1",
        "name": "user1",
        "password": "passwd1"
    },
    {
        "login": "user2",
        "name": "user2",
        "password": "passwd2",
        "expired": "true"
    }],
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "success": "true",
    "hash": "29234e32274a32276e25666a42",
    "version": "2.2.0"
}

get-totp (KeePassXC 2.6.1 and newer)

Request (no unencrypted message is needed):

{
    "action": "get-totp",
    "uuid": "<entry UUID>"
}

Response message data (success, decrypted):

{
    "totp": "<TOTP>",
    "version": "2.2.0",
    "success": "true",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

lock-database

Unencrypted message:

{
    "action": "lock-database"
}

Request:

{
    "action": "lock-database",
    "message": "<encrypted message>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response message data (success always returns an error, decrypted):

{
    "action": "lock-database",
    "errorCode": 1,
    "error": "Database not opened",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

request-autotype (KeePassXC 2.7.0 and newer)

Request (no unencrypted message is needed):

{
    "action": "request-autotype",
    "search": "<base domain of URL>"
}

Response message data (success, decrypted):

{
    "version": "2.7.0",
    "success": "true",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
}

set-login

Unencrypted message (downloadFavicon supported in KeePassXC 2.7.0 and later, but not when updating credentials):

{
    "action": "set-login",
    "url": "<snip>",
    "submitUrl": "<snip>",
    "id": "testclient",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "login": "user1",
    "password": "passwd1",
    "group": "<group name>",
    "groupUuid": "<group UUID>",
    "uuid": "<entry UUID>",
    "downloadFavicon": "true"
}

Request:

{
    "action": "set-login",
    "message": "<encrypted message>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response message data (success, decrypted):

{
    "count": null,
    "entries" : null,
    "error": "",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "success": "true",
    "hash": "29234e32274a32276e25666a42",
    "version": "2.2.0"
}

test-associate

Unencrypted message:

{
    "action": "test-associate",
    "id": "<saved database identifier received from associate>",
    "key": "<saved identification public key>"
}

Request:

{
    "action": "test-associate",
    "message": "<encrypted message>",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "clientID": "<clientID>"
}

Response message data (success, decrypted):

{
    "version": "2.7.0",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "hash": "29234e32274a32276e25666a42",
    "id": "testclient",
    "success": "true"
}

passkeys-get (decrypted, KeePassXC 2.7.7 and newer)

Unencrypted message:

{
    "action": "passkeys-get",
    "publicKey": PublicKeyCredentialRequestOptions,
    "origin": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "keys: [
        {
            "id": "<saved database identifier received from associate>",
            "key": "<saved identification public key>"
        },
        ...
    ]
}

Response (success, decrypted):

{
    "version": "2.7.7",
    "success": "true",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "response": PublicKeyCredential
}

Response (error, decrypted):

{
    "version": "2.7.7",
    "success": "true",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "response": {
        "errorCode": "<error code>"
    }
}

passkeys-register (decrypted, KeePassXC 2.7.7 and newer)

Unencrypted message:

{
    "action": "passkeys-register",
    "publicKey": PublicKeyCredentialCreationOptions,
    "origin": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "keys: [
        {
            "id": "<saved database identifier received from associate>",
            "key": "<saved identification public key>"
        },
        ...
    ]
}

Response (success, decrypted):

{
    "version": "2.7.7",
    "success": "true",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q"
    "response": PublicKeyCredential
}

Response (error, decrypted):

{
    "version": "2.7.7",
    "success": "true",
    "nonce": "tZvLrBzkQ9GxXq9PvKJj4iAnfPT0VZ3Q",
    "response": {
        "errorCode": "<error code>"
    }
}