mirror of
https://github.com/keepassxreboot/keepassxc.git
synced 2025-03-19 04:46:08 -04:00

Selected the [Botan crypto library](https://github.com/randombit/botan) due to its feature list, maintainer support, availability across all deployment platforms, and ease of use. Also evaluated Crypto++ as a viable candidate, but the additional features of Botan (PKCS#11, TPM, etc.) won out.

- The random number generator received a backend upgrade. Botan prefers hardware-based RNGs and will provide one if available. This is transparent to KeePassXC and a significant improvement over gcrypt.
- Replaced Argon2 library with built-in Botan implementation that supports i, d, and id. This requires Botan 2.11.0 or higher. Also simplified the parameter test across KDFs.
- Aligned SymmetricCipher parameters with available modes. All encrypt and decrypt operations are done in-place instead of returning new objects. This allows use of secure vectors in the future with no additional overhead.
- Took this opportunity to decouple KeeShare from SSH Agent. Removed leftover code from OpenSSHKey and consolidated the SSH Agent code into the same directory. Removed bcrypt and blowfish inserts since they are provided by Botan.
- Additionally simplified KeeShare settings interface by removing raw certificate byte data from the user interface. KeeShare will be further refactored in a future PR.
- Removed YKChallengeResponseKeyCLI in favor of just using the original implementation with signal/slots.
- Removed TestRandom stub since it was just faking random numbers and not actually using the backend. TestRandomGenerator now uses the actual RNG.
- Greatly simplified Secret Service plugin's use of crypto functions with Botan.

NOTE: This PR breaks backwards compatibility with KeeShare certificates due to different RSA key storage with Botan. As a result, new "own" certificates will need to be generated and trust re-established.

Freedesktop.org Secret Storage Spec Server Side API
This plugin implements the Secret Storage specification version 0.2. While running KeePassXC, it acts as a Secret Service server, registered on DBus, so clients like seahorse, python-secretstorage, or other implementations can connect and access the exposed database in KeePassXC.
Configurable settings
- The user can specify if a database is exposed on DBus, and which group is exposed.
- Whether a desktop notification is shown when an entry is retrieved.
- Whether to skip confirmation for entries deleted from DBus.
Implemented Attributes on Item Object
The following attributes are exposed:
Key | Value |
---|---|
Title | The entry title |
UserName | The entry user name |
URL | The entry URL |
Notes | The entry notes |
In addition, all non-protected custom attributes are also exposed.
Architecture
- FdoSecrets::Service is the top level DBus service
- There is one and only one FdoSecrets::Collection per opened database tab
- Each entry under the exposed database group has a corresponding FdoSecrets::Item DBus object.
Signal connections
- Collections are created when a corresponding database tab is opened
- If the database is locked, a collection is created
- When the database is unlocked, collection populates its children
- If the unlocked database's exposed group is none, collection deletes itself
- If the database's exposed group changes, collection repopulates
- If the database's exposed group changes to none, collection deletes itself
- If the database's exposed group changes from none, the service recreates a collection
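
The lifecycle rules above determine what is reachable over DBus at any moment: a locked database has a collection but no items, and a database whose exposed group is none has no collection at all. The following is an added example, not KeePassXC code, that models those rules; `Db`, `Service` and the handler names are hypothetical, and an empty string stands in for "none".

```cpp
// Simplified model of the collection lifecycle rules above (added example,
// not KeePassXC code). Db, Service and the handler names are hypothetical.
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct Db {
    bool locked;
    std::string exposedGroup;  // empty string models "none"
    std::map<std::string, std::vector<std::string>> groups;  // group -> entry titles
};

class Service {
public:
    // A collection exists for every opened tab, even while the database is locked.
    void tabOpened(const std::string& tab, Db* db) {
        dbs_[tab] = db;
        collections_[tab] = std::vector<std::string>();  // no items yet
        if (!db->locked) sync(tab);
    }
    void unlocked(const std::string& tab) { dbs_[tab]->locked = false; sync(tab); }
    // Handles a changed group, a change to none, and a change from none.
    void exposedGroupChanged(const std::string& tab, const std::string& group) {
        dbs_[tab]->exposedGroup = group;
        if (!dbs_[tab]->locked) sync(tab);
    }
    bool hasCollection(const std::string& tab) const { return collections_.count(tab) != 0; }
    std::vector<std::string> items(const std::string& tab) const {
        auto it = collections_.find(tab);
        return it == collections_.end() ? std::vector<std::string>() : it->second;
    }
private:
    void sync(const std::string& tab) {
        Db* db = dbs_[tab];
        if (db->exposedGroup.empty()) { collections_.erase(tab); return; }  // nothing to expose
        collections_[tab] = db->groups[db->exposedGroup];  // (re)create and (re)populate
    }
    std::map<std::string, Db*> dbs_;
    std::map<std::string, std::vector<std::string>> collections_;  // tab -> item titles
};

int main() {
    Db db{true, "", {{"Secrets", {"mail", "vpn"}}}};  // constructed sample database
    Service s;
    s.tabOpened("tab1", &db);                  // locked: collection exists, 0 items
    s.unlocked("tab1");                        // group is none: collection removed
    s.exposedGroupChanged("tab1", "Secrets");  // recreated with 2 items
    std::cout << s.hasCollection("tab1") << " " << s.items("tab1").size() << "\n";
}
```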