Add basic support for WebAuthn (Passkeys) #8825
Conversation
Support for 2048-bit RSA private key added.
Woo hoo. :-) Any progress on this?
"As of 2020, it is not known whether such keys can be cracked, but minimum recommendations have moved to at least 2048 bits. link"
Just rebasing and trying to solve all new compilation problems on CI.. :) Special thanks to Homebrew for removing support for Botan 2. Luckily support for Botan 3 was fixed recently.
Uploaded some test builds here for Win64 and macOS (Apple Silicon) if someone wants to quickly test the feature: https://github.com/varjolintu/keepassxc/releases/tag/2.8.0-webauthn If it doesn't work on your computer, compile the sources instead. Not an official release, so use at your own risk.
Looks like the Ubuntu build needs Qt >= 5.12.0 for this PR and doesn't have it. Is the TeamCity config PRable from anywhere? I couldn't find anything.
Yes. That's the reason the CI build fails. And it's one of the problems that needs to be solved before we can even think of merging this PR.
But we would also need the modified Chrome browser plugin to actually enter those tokens from the browser into KeePassXC, right?
Yes of course.
But the merge is still open, so the official 1.8.6.1 from GitHub does NOT include that, correct? Edit:
This is very exciting! If you don't mind me asking, are there any thoughts on the timeline for this landing in main?
That depends on so many things I cannot say anything exact.
@varjolintu is this ready for review?
Uh oh. Maybe? I'd still like to add some specific dialog to view/import/export all WebAuthn credentials. Also the format for handling these credentials should be specified. Maybe it could be just a file with The biggest problem with this PR is that I haven't had time to test it with multiple sites that have enabled the Passkeys feature. Gotta begin going through the sites and see if there are relevant features missing. Still, I'd appreciate any reviews of the code and of the sites this already works with. And of course, one major thing that should be solved is the minimum requirement of Qt version 5.12.
I had a first read through and most of what I saw was pretty solid. Good job! I will test this thing in the coming days.
We can probably merge this now and then fix bugs later. The dialogue windows also need some design love.
Will there be a test version for the merge or is a release planned for soon(tm)?
The latest snapshot should now work :)
Passkeys are working great so far!
That will be done before the final release :)
Does this have support for the I recently stumbled over https://blog.millerti.me/2023/01/22/encrypting-data-in-the-browser-using-webauthn/ which would allow end-to-end encryption in the browser using WebAuthn!
Not yet. Thanks for the links. I'll take a look.
FYI: #9998 makes some minor changes to the JSON format.
This would in theory make it possible to sign in to services like ProtonMail with WebAuthn alone, but I don't see that being implemented any time soon. Bitwarden and 1Password will use this for passwordless sign in. But is anyone using KeePassXC to sign in to those? 😅
--------- Co-authored-by: varjolintu <[email protected]> Co-authored-by: droidmonkey <[email protected]>
Release 2.7.7
- Support USB Hotplug for Hardware Key interface [keepassxreboot#10092]
- Support 1PUX and Bitwarden import [keepassxreboot#9815]
- Browser: Add support for PassKeys [keepassxreboot#8825, keepassxreboot#9987, keepassxreboot#10318]
- Build System: Move to vcpkg manifest mode [keepassxreboot#10088]
- Fix multiple TOTP issues [keepassxreboot#9874]
- Fix focus loss on save when the editor is not visible anymore [keepassxreboot#10075]
- Fix visual when removing entry from history [keepassxreboot#9947]
- Fix first entry is not selected when a search is performed [keepassxreboot#9868]
- Prevent scrollbars on entry drag/drop [keepassxreboot#9747]
- Prevent duplicate characters in "Also choose from" field of password generator [keepassxreboot#9803]
- Security: Prevent byte-by-byte and attachment inference side channel attacks [keepassxreboot#10266]
- Browser: Fix raising Update Entry messagebox [keepassxreboot#9853]
- Browser: Fix bugs when returning credentials [keepassxreboot#9136]
- Browser: Fix crash on database open from browser [keepassxreboot#9939]
- Browser: Fix support for referenced URL fields [keepassxreboot#8788]
- MacOS: Fix crash when changing highlight/accent color [keepassxreboot#10348]
- MacOS: Fix TouchID appearing even though lid is closed [keepassxreboot#10092]
- Windows: Fix terminating KeePassXC processes with MSI installer [keepassxreboot#9822]
- FdoSecrets: Fix database merge crash when enabled [keepassxreboot#10136]
General
Adds basic Passkeys/WebAuthn support to KeePassXC. Currently it supports Elliptic Curve key (EC2, ES256 signature, P-256 curve), 2048-bit RSA key, EdDSA (Ed25519), and basic registration/authentication with User Verification enabled and the default `none` attestation. Optional extensions `credProps` and `uvm` are supported in the registration phase. Timeouts are respected, and a new confirmation dialog is added for them.

Qt's CBOR libraries require at least Qt 5.12, and for that reason a new CMake configuration parameter `WITH_XC_BROWSER_PASSKEYS` is added.

At registration phase a new credential is stored to KeePassXC with the following information:
- `KPEX_PASSKEY_USERNAME` is added for compatibility with other clients.
- `KPEX_PASSKEY_RELYING_PARTY` attribute.
- `KPEX_PASSKEY_GENERATED_USER_ID` attribute.
- `KPEX_PASSKEY_PRIVATE_KEY_PEM` attribute.
- `KPEX_PASSKEY_USER_HANDLE` attribute.

Authentication phase:
- `discouraged` is returned immediately.

Import / Export
Importing and exporting credentials is supported. A new report page, Passkeys, is added along with new menu items "Passkeys" and "Import Passkey". From the new Passkeys report page it's possible to export multiple credentials simultaneously. Importing works from the menu item or from the same Passkeys report page.
When importing credentials, it is possible to select the database and group where the credential is saved.
The exported credentials are stored as a JSON file with the `.passkey` file extension. The format holds URL, relying party, username, user ID (generated ID), user handle and the private key. For example, site https://webauthn.io's credentials in an exported file are:

Work in progress / won't be done
What is not working / is missing / won't be implemented:
Related
Related extension PR for the feature: keepassxreboot/keepassxc-browser#1786
Documentation: https://w3c.github.io/webauthn/
Fixes #1870.
Screenshots
Register new credentials:
Register new or update existing:
Authenticate existing:
From Import/Export feature
New menu items:
New Passkeys report page:
Export dialog:
Import dialog when using a default group:
Import dialog when using a selected group and database:
Testing strategy
Automated tests are written with valid data captured from a real registration and authentication.
The following sites can also be used for testing the feature:
More comprehensive list is available at: https://passkeys.directory/
Type of change