Open netson opened 6 years ago
Nonce is base64 encoded IV. If openssl expects HEX IV, then base64 decode and re-encode to base16.
On Sat, Mar 3, 2018 at 4:06 PM netson notifications@github.com wrote:
Hi,
I'm trying to connect to KeePassHttp to do some custom automation (using ansible), however, I am running into issues generating the correct verifier token for the associate request.
I am using linux mint:
Distributor ID: LinuxMint
Description: Linux Mint 18.3 Sylvia
Release: 18.3
Codename: sylvia
with openssl as my crypto library:
OpenSSL 1.0.2g 1 Mar 2016
with keepass
KeePass 2.38
and plugin version
KeePassHttp 2.34
I'm convinced the software works as it should; I have tested various client tools (one written in python, one in PHP) and when testing these clients, I get a popup in KeePass asking me for a label for the new connection. Once set, I can search logins. This proves the plugin works as advertised on my system.
However, when I attempt to create an "associate" request myself, the only response I get is the following:
{"RequestType":"associate","Version":"1.8.4.2","Hash":"8783951efee5cc475386e8f44580145b0f60e0b8"}
I am quite sure the problem lies in my Verifier token, but I can figure out what I am doing wrong, so I am turning to you for help! :-)
The readme file states the following:
Verifier - verifier, base64 encoded AES encrypted data: encrypt(base64_encode($nonce), $key, $nonce);
However, whichever combination I try, it doesn't work. I've also tried reverse engineering a working request, after capturing it using tcpdump, but I can't figure it out.
Here's what I have tried:
GENERATE 256 BIT RANDOM KEY: openssl rand 32 -out key.key
BASE64 ENCODE KEY: openssl enc -base64 -A -in key.key -out key.base64
GENERATE 128 BIT RANDOM NONCE: openssl rand 16 -out nonce.key
BASE64 ENCODE NONCE: openssl enc -base64 -A -in nonce.key -out nonce.base64
So far so good, as for the verifier, I have tried the following:
openssl enc -aes-256-cbc -pass pass:key.key(|base64) -in nonce.key(|base64) -out verifier.key
openssl enc -aes-256-cbc -pass pass:nonce.key(|base64) -in key.key(|base64) -out verifier.key
openssl enc -aes-256-cbc -pass pass:key.key(|base64) -in key.key(|base64) -out verifier.key
openssl enc -aes-256-cbc -pass pass:nonce.key(|base64) -in nonce.key(|base64) -out verifier.key
...
openssl enc -base64 -A -in verifier.key -out verifier.base64
The openssl documentation states I can provide an IV myself (being the nonce; I saw this in the PHP client I tested), however, it only accepts a HEX IV, which this nonce is not.
I have also tried double base64 encoding on the nonce before encrypting it, all to no avail.
Can someone tell me what I am missing? Which openssl command should I use to generate the correct verifier token?
Any help is much appreciated!
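The hint at the top of the thread, carried through as an added example (not code from this thread or from the KeePassHttp project): the key and nonce are base64-decoded and re-encoded as hex for `openssl enc -K`/`-iv`, and the plaintext is the base64 text of the nonce, following the README formula quoted above. It assumes AES-256-CBC with openssl's default PKCS#7 padding; the function names are hypothetical and the key and nonce are constructed sample values.

```bash
# Added example. Verifier = base64( AES-256-CBC( base64(nonce), key, iv = nonce ) )

# base64 text -> lowercase hex, the form `openssl enc -K` and `-iv` expect
b64_to_hex() {
    printf '%s' "$1" | openssl enc -base64 -d -A | od -An -v -tx1 | tr -d ' \n'
}

# make_verifier <key_b64> <nonce_b64>  -> base64 verifier on stdout
make_verifier() {
    key_hex=$(b64_to_hex "$1")
    iv_hex=$(b64_to_hex "$2")
    # The plaintext is the base64 *text* of the nonce, not its raw 16 bytes.
    # -K/-iv pass the raw key and IV. `-pass pass:key.key` would instead treat
    # the literal string "key.key" as a passphrase, derive a different key and
    # IV from it, and prepend a "Salted__" header to the ciphertext.
    printf '%s' "$2" |
        openssl enc -aes-256-cbc -K "$key_hex" -iv "$iv_hex" -base64 -A
}

# check_verifier <key_b64> <nonce_b64> <verifier_b64>
# Returns 0 only if the verifier decrypts back to the base64 nonce,
# which is the comparison the formula implies on the receiving side.
check_verifier() {
    plain=$(printf '%s' "$3" |
        openssl enc -d -aes-256-cbc -K "$(b64_to_hex "$1")" \
            -iv "$(b64_to_hex "$2")" -base64 -A) || return 1
    [ "$plain" = "$2" ]
}

# Constructed sample values: 256-bit key, 128-bit nonce, both base64 text
KEY_B64=$(openssl rand -base64 32)
NONCE_B64=$(openssl rand -base64 16)
VERIFIER=$(make_verifier "$KEY_B64" "$NONCE_B64")

printf 'Nonce:    %s\nVerifier: %s\n' "$NONCE_B64" "$VERIFIER"
```

The 24-character base64 nonce pads to 32 bytes of ciphertext, so a correctly built verifier is always 44 base64 characters; a longer one usually means a salted header or a doubly encoded input.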
@netson Have you figured out why your verifier did not work? I'm asking because I'm currently in the same situation while trying to write a client in golang.
Hi Markus,
No, I gave up on getting it to work and switched to using kpscript instead (the official keepass CLI utility). It was way easier to implement and offers more functionality.
Rinck
On Thu, Apr 19, 2018, 12:25 Markus Freitag notifications@github.com wrote:
@netson https://github.com/netson Have you figured out why your verifier did not work? I'm asking because I'm currently in the same situation while trying to write a client in golang.