sudolikeaboss

1password 3 Support

Open typerlc opened this issue 10 years ago • 14 comments

Is this expected to work with 1password 3?

typerlc avatar Oct 20 '14 11:10 typerlc

It doesn't look like it is - the Web Sockets endpoint specifically refers to 1Password v4.

robertknight avatar Oct 20 '14 11:10 robertknight

@typerlc, @robertknight is right. The Web Sockets endpoint only exists for 1password v4 and v5. I'm not exactly sure how 1password does it on v3 and I don't have access to it any more. As far as I remember, the old 1password was using an http endpoint of some kind. As always, PRs are welcome, but I can't say I will be able to look into this until I know that 1password v4 and v5 are working well.

ravenac95 avatar Oct 20 '14 15:10 ravenac95

With that said, I will explicitly mention this in the README

ravenac95 avatar Oct 20 '14 15:10 ravenac95

I had a quick go, but there are too many new things for me to easily come up with a solution. In case anyone has the inclination to continue, here's the little I found out:

  • 1password 3 does use websockets on port 6258
  • websocket uri is: ws://localhost:6258/2
  • websocket origin should be: resource://onepassword-at-agilebits-dot-com

The socket is correctly upgraded to a websocket, but the first message from sudolikeaboss causes the channel to drop (no response).

I'm using wireshark to sniff traffic between the chrome extension & the ws agent, but I don't know how the messages are encoded. Any assistance would be appreciated.

typerlc avatar Oct 21 '14 00:10 typerlc

@typerlc Awesome! You're on the right track. This is what I would do:

  1. Shut down chrome/firefox completely
  2. Start wireshark
  3. Listen on tcp.port 6258
  4. Start chrome/firefox
  5. Using some kind of temporary vault or password that you don't care about, get 1password to fill that password on whatever website (I need to make a dumb site for this or something).
  6. You should now see the websocket requests properly decoded.
  7. Export the output
  8. Sanitize the output if necessary
  9. Paste it here or email it to me and I can take a look

ravenac95 avatar Oct 21 '14 03:10 ravenac95

Actually just paste a link to the file. Not sure where the best place to store that file would be...

ravenac95 avatar Oct 21 '14 03:10 ravenac95

Make sure you don't send me passwords! I really don't want them.

ravenac95 avatar Oct 21 '14 03:10 ravenac95

Yes, already did all the above.

The requests from the chrome extension seem to be sending binary data. Well, more exactly, base64 encoded payloads (yes, they are already unmasked). At least, they look like base64. I decoded one of them, and it had a string at the start, but then lots of binary data.

e.g.

$ base64 -d
U2FsdGVkX18wKxy.....<snip>.....ZJiP6I+Hg==
Salted__0+������!�...<snip>...

That's when I gave up.

Since I can't decode it, I don't know if it contains any passwords. But I'll see if I can get a clean capture for you.

typerlc avatar Oct 21 '14 04:10 typerlc

A bit of searching shows that this is likely an encrypted payload. OpenSSL's encrypt routines output the string "Salted__" and then an 8-byte salt (see e.g. http://hustoknow.blogspot.com.au/2013/02/openssl-encryption-libraries-add-salted.html)

But I don't know what the cipher is, nor the password used. I've tried several guesses for those, but not succeeded in decrypting the message.

Any thoughts?

typerlc avatar Oct 21 '14 04:10 typerlc

@typerlc The Agile Keychain format, which is what 1Password uses when syncing with Dropbox and which was the main storage format prior to 1Password v4, uses:

'Salted__' <8 byte salt> <AES-128-CBC encrypted data> 

For all of the encrypted data it stores. Most likely guess is that the same format is used for these messages. Check the length of the base64-decoded message after the 8-byte salt. The length of the AES-128-CBC data will be a multiple of 16, if they are using that format.

In that format, the decryption key and initialization vector for the encrypted data come from:

key = md5(password + salt)
initVector = md5(key + password + salt)

There is an implementation at https://github.com/robertknight/passcards/blob/master/lib/onepass_crypto.ts#L40

I couldn't be sure that the same key is being used for the messages as item data though. If the browser extensions for 1Password v3 are JavaScript, you could delve into the source for those to see what they do with the result.

robertknight avatar Oct 21 '14 06:10 robertknight
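
The checks described in the comment above, as an added example that is not code from this thread or from the linked passcards implementation: it splits a base64 `Salted__` payload into salt and ciphertext, tests whether the ciphertext length is a multiple of 16, and derives the key and IV with the two MD5 steps quoted above. All function names are hypothetical, and the sample payload and password are constructed (filler bytes stand in for real ciphertext).

```python
import base64
import hashlib
from typing import NamedTuple, Tuple

MAGIC = b"Salted__"   # 8-byte marker written before the salt
SALT_LEN = 8
BLOCK = 16            # AES block size in bytes


class SaltedBlob(NamedTuple):
    salt: bytes
    ciphertext: bytes
    block_aligned: bool   # True if the length is consistent with AES-CBC output


def parse_salted(b64_payload: str) -> SaltedBlob:
    """Split a base64 'Salted__' payload into its salt and ciphertext."""
    raw = base64.b64decode(b64_payload, validate=True)
    if len(raw) < len(MAGIC) + SALT_LEN or not raw.startswith(MAGIC):
        raise ValueError("payload does not start with 'Salted__' + 8-byte salt")
    salt = raw[len(MAGIC):len(MAGIC) + SALT_LEN]
    ciphertext = raw[len(MAGIC) + SALT_LEN:]
    aligned = len(ciphertext) > 0 and len(ciphertext) % BLOCK == 0
    return SaltedBlob(salt, ciphertext, aligned)


def derive_key_iv(password: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """key = md5(password + salt); iv = md5(key + password + salt)."""
    key = hashlib.md5(password + salt).digest()
    iv = hashlib.md5(key + password + salt).digest()
    return key, iv


def make_sample(body_len: int) -> str:
    """Constructed payload: fixed salt, filler bytes in place of ciphertext."""
    salt = bytes(range(1, 9))
    return base64.b64encode(MAGIC + salt + b"\xaa" * body_len).decode()


if __name__ == "__main__":
    blob = parse_salted(make_sample(32))
    # The password is a constructed placeholder, not a real credential.
    key, iv = derive_key_iv(b"constructed-password", blob.salt)
    print("salt:", blob.salt.hex(), "block aligned:", blob.block_aligned)
    print("key:", key.hex(), "iv:", iv.hex())
```

A payload that fails the alignment check is unlikely to be in this format, which rules it out before any time is spent guessing passwords.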

I've taken the tack of looking at the extension js source. That's paying dividends, but is slow going (all the code is obfuscated). Hopefully I can have some more detail in the next few days, but other things are more pressing at the moment.

typerlc avatar Oct 22 '14 03:10 typerlc

@typerlc Awesome! I am still cooking up a fix for 1pw5 on Yosemite but if you can send me the source of the old extension that'd be awesome.

ravenac95 avatar Oct 23 '14 04:10 ravenac95

Is there any update on this? :)

zedtux avatar Jul 02 '15 15:07 zedtux

@zedtux I wish... I haven't been able to spend the time to really look at the 1password3 code myself. Any help on that front would be greatly appreciated.

ravenac95 avatar Jul 21 '15 16:07 ravenac95