1password 3 Support
Opened this issue · 14 comments
Is this expected to work with 1password 3?
It doesn't look like it is - the Web Sockets endpoint specifically refers to 1Password v4.
@typerlc, @robertknight is right. The Web Sockets endpoint only exists for 1password v4 and v5. I'm not exactly sure how 1password does it on v3 and I don't have access to it any more. As far as I remember, the old 1password was using an http endpoint of some kind. As always, PRs are welcome, but I can't say I will be able to look into this until I know that 1password v4 and v5 are working well.
With that said, I will explicitly mention this in the README
I had a quick go, but there are two many new things for me to easily come up with a solution.
In case anyone has the inclination to continue, here's the little I found out:
- 1password 3 does use websockets on port 6258
- websocket uri is: ws://localhost:6258/2
- websocket origin should be: resource://onepassword-at-agilebits-dot-com
The socket is correctly upgraded to a websocket, but the first message from sudolikeaboss causes the channel to drop (no response).
I'm using wireshark to sniff traffic between the chrome extension & the ws agent, but I don't know how the messages are encoded. Any assistance would be appreciated.
@typerlc Awesome! You're on the right track. This is what I would do:
- Shutdown chrome/firefox completely
- Start wireshark
- Listen on tcp.port 6258
- Start chrome/firefox
- Using some kind of temporary vault or password that you don't care about, get 1password to fill that password on whatever website (i need to make a dumb site for this or something).
- You should now see the websocket requests properly decoded.
- Export the output
- Sanitize the output if necessary
- Paste it here or email it to me and I can take a look
Actually just paste a link to the file. Not sure where the best place to store that file would be...
Make sure you don't send me passwords! I really don't want them.
Yes, already did all the above.
The requests from the chrome extension seem to be sending binary data. Well, more exactly, base64 encoded payloads (yes, they are already unmasked). At least, they look like base64. I decoded one of them, and it had a string at the start, but then lots of binary data.
e.g.
$ base64 -d
U2FsdGVkX18wKxy.....<snip>.....ZJiP6I+Hg==
Salted__0+������!�...<snip>...
That's when I gave up.
Since I can't decode it, I don't know if it contains any passwords. But I'll see if I can get a clean capture for you.
A bit of searching shows that this is likely an encrypted payload. OpenSSL's encrypt routines output the string "Salted__" and then an 8-byte salt (see e.g. http://hustoknow.blogspot.com.au/2013/02/openssl-encryption-libraries-add-salted.html)
But I don't know what the cipher is, nor the password used. I've tried several guesses for those, but not succeeded in decrypting the message.
Any thoughts?
@typerlc The Agile Keychain format which is what 1Password uses when syncing with Dropbox and which was the main storage format prior to 1Password v4 uses:
'Salted__' <8 byte salt> <AES-128-CBC encrypted data>
For all of the encrypted data it stores. Most likely guess is that the same format is used for these messages. Check the length of the base64-decoded message after the 8-byte salt. The length of the AES-128-CBC data will be a multiple of 16, if they are using that format.
In that format, the decryption key and initialization vector for the encrypted data comes from:
key = md5(password + salt)
initVector = md5(key + password + salt)
There is an implementation at https://github.com/robertknight/passcards/blob/master/lib/onepass_crypto.ts#L40
I couldn't be sure that the same key is being used for the messages as item data though. If the browser extensions for 1Password v3 are Javascript, you could delve into the source for those to see what they do with the result.
I've taken the tack of looking at the extension js source. That's paying dividends, but is slow going (all the code is obfuscated). Hopefully I can have some more detail in the next few days, but other things are more pressing at the moment.
@typerlc Awesome! I am still cooking up a fix for 1pw5 on Yosemite but if you can send me the source of the old extension that'd be awesome.
Is there any update on this ? :)