Add basic support for WebAuthn (Passkeys)

[varjolintu]

General

Adds basic Passkeys/WebAuthn support to KeePassXC. Currently it supports Elliptic Curve key (EC2, ES256 signature, P-256 curve), 2048-bit RSA key, EdDSA (Ed25519), and basic registration/authentication with User Verification enabled and the default none Attestation. Optional extensions credProps and uvm are supported in the registration phase. Timeouts are respected, and a new confirmation dialog is added for them.
Qt's CBOR libraries requires at least Qt 5.12, and for that reason a new CMake configuration parameter WITH_XC_BROWSER_PASSKEYS is added.

At registration phase a new credential is stored to KeePassXC with the following information:

• Username is set normally as entry username for making the credential filtering easier. Additional attribute KPEX_PASSKEY_USERNAME is added for compatibility with other clients.
• Relying Party if stored to KPEX_PASSKEY_RELYING_PARTY attribute.
• Generated User ID is stored to KPEX_PASSKEY_GENERATED_USER_ID attribute.
• Generated private key for the credential is stored to KPEX_PASSKEY_PRIVATE_KEY_PEM attribute.
• User handle is stored to KPEX_PASSKEY_USER_HANDLE attribute.

Authentication phase:

• Supports all User Verification options. Single entry with discouraged is returned immediately.
• Stored credentials are retrieved only when the private key attribute is present. User ID and URL domain must also match.

Import / Export

Importing and exporting credentials is supported. A new report page Passkeys is added along with new menu items "Passkeys" and "Import Passkey". From the new Passkeys report page it's possible to export multiple credentials simultaneously. Importing works from the menu item or from the same Passkeys report page.

When importing credentials, it is possible to select the database and group where credential is saved.

The exported credentials are strored as a JSON file with .passkey file extension. The format holds URL, relying party, username, user ID (generated ID), user handle and the private key. For example, site https://webauthn.io's credentials in an exported file are:

{
    "privateKey": <private key>,
    "relyingParty: "webauthn.io",
    "url": "https://webauthn.io",
    "userHandle": "WVhOa1lYTmtNakl5",
    "userId": "IR55CmT5PoKsxTirCeggBJmp4I0NyQapWghQ_zZ17eY",
    "username:" "testAccount"
}

Work in progress / won't be done

What is not working / is missing / won't be implemented:

• Some extensions are still missing (authentication doesn't support them at all, yet).
• Support for Resident Key.
• Support for triggering unlock from extension.
• Support for root certificates.
• Support for PIN/TouchID when authenticating.

Related

Related extension PR for the feature: keepassxreboot/keepassxc-browser#1786
Documentation: https://w3c.github.io/webauthn/

Fixes #1870.

Screenshots

Register new credentials:

Register new or update existing:

Authenticate existing:

From Import/Export feature

New menu items:

New Passkeys report page:

Export dialog:

Import dialog when using a default group:

Import dialog when using a selected group and database:

Testing strategy

Automated tests are written with a valid data captured from a real registration and authentication.
The following sites can be also used for testing the feature:

• https://webauthn.io
• https://webauthn.me/debugger
• https://webauthn.lubu.ch/_test/client.html
• https://demo.yubico.com/webauthn-technical/registration
• https://aka.ms/webauthntest
• https://passkeys.guru/
• https://passkeys.io
• GitHub
• Google
• Microsoft

More comprehensive list is available at: https://passkeys.directory/

Type of change

• ✅ New feature (change that adds functionality)

[varjolintu]

Support for 2048-bit RSA private key added.

[smurfix]

Woo hoo. :-)

Any progress on this?

[thomasmerz]

Support for 2048-bit RSA private key added.

"As of 2020, it is not known whether such keys can be cracked, but minimum recommendations have moved to at least 2048 bits. link"

[varjolintu]

Woo hoo. :-)

Any progress on this?

Just rebasing and trying to solve all new compilation problems on CI.. :) Special thanks to Homebrew for removing support for Botan 2. Luckily support for Botan 3 was fixed recently.

[varjolintu]

Uploaded some test builds here for Win64 and macOS (Apple Silicon) f someone wants to quickly test the feature: https://github.com/varjolintu/keepassxc/releases/tag/2.8.0-webauthn

If it doesn't work on your computer, compile the sources instead. Not an official release, so use at your own risk.

[garymoon]

Looks like the Ubuntu build needs Qt >= 5.12.0 for this PR and doesn't have it.

Is the TeamCity config PRable from anywhere? I couldn't find anything.

[varjolintu]

Looks like the Ubuntu build needs Qt >= 5.12.0 for this PR and doesn't have it.

Is the TeamCity config PRable from anywhere? I couldn't find anything.

Yes. That's the reason CI build fails. And it's one of the problems that needs to be solved before we can even think of merging this PR.

[haldi4803]

Uploaded some test builds here for Win64 and macOS (Apple Silicon) f someone wants to quickly test the feature: https://github.com/varjolintu/keepassxc/releases/tag/2.8.0-webauthn

If it doesn't work on your computer, compile the sources instead. Not an official release, so use at your own risk.

But we would also need the modified Chrome Browser Plugin to actually Enter Those Tokens from browser into KeePassXC right?

[varjolintu]

Uploaded some test builds here for Win64 and macOS (Apple Silicon) f someone wants to quickly test the feature: https://github.com/varjolintu/keepassxc/releases/tag/2.8.0-webauthn
If it doesn't work on your computer, compile the sources instead. Not an official release, so use at your own risk.

But we would also need the modified Chrome Browser Plugin to actually Enter Those Tokens from browser into KeePassXC right?

Yes of course.

[haldi4803]

Uploaded some test builds here for Win64 and macOS (Apple Silicon) f someone wants to quickly test the feature: https://github.com/varjolintu/keepassxc/releases/tag/2.8.0-webauthn
If it doesn't work on your computer, compile the sources instead. Not an official release, so use at your own risk.

But we would also need the modified Chrome Browser Plugin to actually Enter Those Tokens from browser into KeePassXC right?

Yes of course.

But the merger is still open so official 1.8.6.1 from GitHub does NOT included that correct?

Edit:
Ahhh I see you updated Release post with DL link.
Thank you.

[agnosticlines]

This is very exciting! If you don't mind me asking is there any thoughts on the timeline for this landing in main?

[varjolintu]

This is very exciting! If you don't mind me asking is there any thoughts on the timeline for this landing in main?

That depends on so many things I cannot say anything exact.

[droidmonkey]

@varjolintu is this ready for review?

[varjolintu]

@varjolintu is this ready for review?

Uh oh. Maybe? I'd still like to add some specific dialog to view/import/export all WebAuthn credentials. Also the format for handling these credentials should be specified. Maybe it could be just a file with .webauthn file extension with the User ID at the beginning of the file and the key data after that. But of course this could be merged and any improvements can be made to a separate PR.

The biggest problems with this PR is that I haven't had time to test it with multiple sites that have enabled the Passkeys feature. Gotta begin going through the sites and see if there's something relevant features missing. Still, I'd appreciate any reviews for the code and for the sites this already works with.

And of course, one major thing that should be solved is the minimum requirement of Qt's version 5.12.

[phoerious]

I had a first read through and most of what I saw was pretty solid. Good job! I will test this thing in the coming days.

[phoerious]

We can probably merge this now and then fix bugs later. The dialogue windows also need some design love.

[haldi4803]

Will there be a test version for the merger or is a release planned for soon(tm)?

[phoerious]

https://snapshot.keepassxc.org/

[varjolintu]

The latest snapshot should now work :)

[jasperweiss]

Passkeys are working great so far!
The option to update an existing entry instead of creating a new one would be nice. There is an option to update an existing passkey already but it would be nice if you could add the passkey to any regular entry as well (similar to TOTP codes).

[varjolintu]

Passkeys are working great so far! The option to update an existing entry instead of creating a new one would be nice. There is an option to update an existing passkey already but it would be nice if you could add the passkey to any regular entry as well (similar to TOTP codes).

That will be done before the final release :)

[varjolintu]

@jasperweiss #9987

[darkdragon-001]

Does this have support for the prf extension or should I create a new issue for this?

I recently stumbled over https://blog.millerti.me/2023/01/22/encrypting-data-in-the-browser-using-webauthn/ which would allow end-to-end encryption in the browser using WebAuthn!

[varjolintu]

Does this have support for the prf extension or should I create a new issue for this?

I recently stumbled over https://blog.millerti.me/2023/01/22/encrypting-data-in-the-browser-using-webauthn/ which would allow end-to-end encryption in the browser using WebAuthn!

Not yet. Thanks for the links. I'll take a look.

[varjolintu]

FYI: #9998 makes some minor changes to the JSON format.

[jasperweiss]

Does this have support for the prf extension or should I create a new issue for this?
I recently stumbled over https://blog.millerti.me/2023/01/22/encrypting-data-in-the-browser-using-webauthn/ which would allow end-to-end encryption in the browser using WebAuthn!

Not yet. Thanks for the links. I'll take a look.

This would in theory make it possible to sign in to services like ProtonMail with WebAuthN alone, but I don’t see that being implemented any time soon. Bitwarden and 1Password will use this for passwordless sign in. But is anyone using KeePassXC to sign in to those? 😅
But it’d be a nice feature to have at some point.