KeePassXC (KDBX4) support #6

Open
r4gus opened this issue Mar 11, 2024 · 14 comments

Owner

r4gus commented Mar 11, 2024

KeePassXC got Passkey support with version 2.7.7 (https://keepassxc.org/blog/2024-03-10-2.7.7-released/). It's probably time to switch to KDBX4 to store credentials to offer compatibility.

Required Tasks:

  • Implement KDBX4 support
  • Write a script that translates from .trs to kdbx4

r4gus added the "enhancement" (New feature or request) label on Mar 11, 2024
r4gus self-assigned this on Mar 11, 2024

Owner Author

r4gus commented Jul 23, 2024

I switched to a custom database format https://r4gus.github.io/ccdb/ because there are a few things in kdbx that I dislike. Nevertheless, adding kdbx4 support is still a good idea.

Owner Author

r4gus commented Sep 2, 2024

Somebody would like kdbx4 support to use PassKeeZ for login and KeePassXC for credential management so I should start implementing KDBX4 or find a suitable C library. God I hate XML...

r4gus changed the title from "Switch to KDBX4" to "Integrate with KeePassXC" on Sep 21, 2024
r4gus changed the title from "Integrate with KeePassXC" to "KeePassXC (KDBX4) support" on Sep 21, 2024

Owner Author

r4gus commented Sep 21, 2024

For KDBX4 support we're going to use the keepassxc-cli tool. Implementing KDBX4 from scratch is doable but I don't really want to maintain it, mainly due to XML. This involves the following steps:

  • Fork KeePassXC and add export-passkey and import-passkey support for the command line tool
  • Refactor the PassKeeZ code and implement a generic Database type
  • Implement KDBX4 support for Database via keepassxc-cli


frie commented Sep 23, 2024

> For KDBX4 support we're going to use the keepassxc-cli tool. Implementing KDBX4 from scratch is doable but I don't really want to maintain it, mainly due to XML. This involves the following steps:
>
> * [x]  Fork KeePassXC and add `export-passkey` and `import-passkey` support for the command line tool
> * [ ]  Refactor the PassKeeZ code and implement a generic `Database` type
> * [ ]  Implement KDBX4 support for `Database` via `keepassxc-cli`

IMO KDBX4 support would be nice, but it is still a nice-to-have. Implement it when it is easy, just to be in sync with some kind of "standard", but the benefit for users is limited. The benefit of KeePassXC is its cross compatibility with Windows, but using PassKeeZ just on Linux is still more comfortable, and completely sufficient for my personal needs.

What I am missing with the only version being installable just now is a UI for key management. The ccdb CLI is ok, but not really comfortable from the UX point of view.

Maybe it would be easier to implement the interface used by Chromium to manage the passkeys on my T2F2 stick? This is what Chromium shows me here:
[Screenshot: T2F2-manage-sign-in]

When using PassKeeZ, Chromium recognizes the virtual device, but after entering the password I see this here:
[Screenshot: PasskeeZ-manage-sign-in]

There are some more shortcomings (ok, we are still at beta...) which I may file in another issue, and which I would prioritize against KDBX4 (e.g. multi-language support).

Owner Author

r4gus commented Sep 23, 2024

@frie is this a Plugin or how do you manage passkeys with Chromium?


frie commented Sep 23, 2024

> @frie is this a Plugin or how do you manage passkeys with Chromium?

See here for details, seems to be standard functionality of Chromium. I will also give a try to the "open-source-tool" mentioned in this article.

Owner Author

r4gus commented Sep 23, 2024

I'll re-add credential management support. After that one should be able to use the chrome-tool. It's quite unfortunate that Chrome hides this within a sub-menu.


frie commented Sep 23, 2024

fido2-manage by token2 (see here) also opens the PasskeeZ device and shows some information. Passkey management currently is disabled...

[Screenshot from 2024-09-24 00-05-27]

Change PIN opens a terminal window, asks for old and new PIN and seems to do nothing at all. The PassKeeZ device obviously is accessed because the password dialogue comes up.

Owner Author

r4gus commented Sep 24, 2024

The "passkey management" is probably coupled to the authenticatorCredentialManagement endpoint. I'll add it. The pin change button should be disabled for the authenticator because the clientPin flag is missing from the getInfo response map (which is equivalent to: "PIN based authentication is disabled and you can't enable it").
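
The `clientPin` check described in the comment above, shown as an added example (not part of the thread and not PassKeeZ code): a small CBOR subset decoder reads a getInfo payload and reports the three `clientPin` states plus the `credMgmt` option. The function names and the sample payload are constructed for illustration, and the input is assumed to be the CBOR map that follows the CTAP status byte.

```python
def decode(buf, i=0):
    """Decode one CBOR item at offset i; return (value, next_offset)."""
    major, ai = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if major == 7:                                  # simple values
        if ai in (20, 21):
            return ai == 21, i                      # false / true
        raise ValueError("unsupported simple value")
    if ai < 24:
        n = ai
    elif ai <= 27:
        width = 1 << (ai - 24)                      # 1, 2, 4 or 8 byte argument
        n, i = int.from_bytes(buf[i:i + width], "big"), i + width
    else:
        raise ValueError("indefinite or reserved length")
    if major == 0:                                  # unsigned integer
        return n, i
    if major in (2, 3):                             # byte string / text string
        if i + n > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[i:i + n])
        return (raw if major == 2 else raw.decode("utf-8")), i + n
    if major in (4, 5):                             # array / map (a map holds 2n items)
        vals = []
        for _ in range(n * (major - 3)):
            v, i = decode(buf, i)
            vals.append(v)
        return (vals if major == 4 else dict(zip(vals[::2], vals[1::2]))), i
    raise ValueError("negative integers and tags are not needed for getInfo")

def pin_and_credmgmt(get_info_cbor):
    """Return (clientPin state, credMgmt supported) for a getInfo CBOR payload."""
    info, end = decode(get_info_cbor)
    if end != len(get_info_cbor) or not isinstance(info, dict):
        raise ValueError("expected exactly one CBOR map")
    opts = info.get(0x04, {})                       # member 0x04 is the options map
    # Absent key: PIN unsupported. false: supported, none set. true: PIN set.
    states = {None: "unsupported", False: "supported, not set", True: "set"}
    return states[opts.get("clientPin")], opts.get("credMgmt") is True

def sample(options):
    """Constructed getInfo payload: one version, all-zero AAGUID, given options."""
    t = lambda s: bytes([0x60 | len(s)]) + s.encode()   # short CBOR text string
    body = b"".join(t(k) + (b"\xf5" if v else b"\xf4") for k, v in options.items())
    return (b"\xa3\x01\x81" + t("FIDO_2_0") + b"\x03\x50" + bytes(16)
            + b"\x04" + bytes([0xA0 | len(options)]) + body)
```

A payload whose options map has no `clientPin` key at all yields `"unsupported"`, which is the case where a management tool should grey out its PIN-change control.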

Owner Author

r4gus commented Oct 18, 2024

fido2-manage should work with: https://github.com/r4gus/keypass/releases/tag/0.4.0


frie commented Oct 19, 2024

> fido2-manage should work with: https://github.com/r4gus/keypass/releases/tag/0.4.0

Tried with fido2-manage and it works - great!

Passkey management with chromium / chrome still does not work because of the "missing PIN" - is this rather a bug of the chromium implementation?

Owner Author

r4gus commented Oct 20, 2024

PassKeeZ communicates to clients that it doesn't support a PIN. Not quite sure what the problem with the Chromium manager is.

Owner Author

r4gus commented Oct 20, 2024

@frie I can remember that you told me, that you weren't able to create a passkey for Google using PassKeeZ. I just tried it out and it seems to work. When you click on "add passkey" it tells you something like "your device [(Linux)] doesn't support passkeys" but if you just click on the button that states something like "create passkey on other device" you should be able to use PassKeeZ.

[Screenshot from 2024-10-20 22-20-27]


frie commented Oct 22, 2024

> @frie I can remember that you told me, that you weren't able to create a passkey for Google using PassKeeZ. I just tried it out and it seems to work. When you click on "add passkey" it tells you something like "your device [(Linux)] doesn't support passkeys" but if you just click on the button that states something like "create passkey on other device" you should be able to use PassKeeZ.
>
> [Screenshot from 2024-10-20 22-20-27]

Passkey creation for Google did not work with Chromium, but with Firefox. But authentication using the passkey created from Firefox also worked with Chromium. I will recheck later...
