Adds basic WebAuthn support to KeePassXC. Currently it uses the default Elliptic Curve key (EC2, ES256 signature, P-256 curve), 2048-bit RSA key, and basic registration/authentication with User Verification enabled and the default `none` Attestation. Optional extensions `uvm` are supported in the registration phase. Timeouts are respected, and a new confirmation dialog is added for them.
Qt’s CBOR libraries require at least Qt 5.12, and for that reason a new CMake configuration parameter `WITH_XC_BROWSER_WEBAUTHN` is added.
At registration phase a new credential is stored to KeePassXC with the following information:
- Generated private key for the credential is stored as attachment with the name “webauthn.pem”. Can be exported and imported normally.
- Generated User ID is stored as the entry password.
- Username and URL fields are set normally.
- Supports all User Verification options. Single entry with `discouraged` is returned immediately.
- Stored credentials are retrieved only when the `webauthn.pem` key file is present. User ID and URL domain must also match.
What is not working / is missing / won’t be implemented:
- Some extensions are still missing (authentication doesn’t support them at all, yet).
- Support for Resident Key.
- Support for triggering unlock from extension.
- Support for root certificates.
- Support for PIN/TouchID when authenticating.
What is not tested:
- Support for Passkeys (in theory some sites should work, needs at least Chrome 108 for testing it).
- Exporting credentials and private key to other password manager and testing that it works (does any of them support this kind of feature yet?).
What needs to be discussed:
- How to actually import and export full credentials? Now the process is semi-manual because only the private key attachment can be used. There is no standard way to proceed with this.
Automated tests are written with valid data captured from a real registration and authentication.
The following sites can also be used for testing the feature:
Type of change
✅ New feature (change that adds functionality)
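
A relying-party-side check of the User Verification behaviour described above, as an added example that is not part of this pull request or of KeePassXC's code: it parses the fixed header of WebAuthn authenticator data (rpIdHash, flags, signature counter) and reports a missing UV flag or an RP ID mismatch. The function names, the `example.com` RP ID and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Bits of the authenticator data "flags" byte, as defined by the WebAuthn spec.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows (registration)
FLAG_ED = 0x80  # extension data follows (for example uvm)


def parse_auth_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    return {"rp_id_hash": auth_data[:32], "flags": flags,
            "sign_count": sign_count, "rest": auth_data[37:]}


def check_auth_data(auth_data: bytes, rp_id: str, require_uv: bool) -> list:
    """Return a list of problems; an empty list means the header passed."""
    parsed = parse_auth_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match expected RP ID")
    if not parsed["flags"] & FLAG_UP:
        problems.append("user presence flag not set")
    if require_uv and not parsed["flags"] & FLAG_UV:
        problems.append("user verification required but UV flag not set")
    if parsed["rest"] and not parsed["flags"] & (FLAG_AT | FLAG_ED):
        problems.append("trailing bytes without AT/ED flag")
    return problems


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample header; not captured from a real authenticator."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    verified = build_sample("example.com", FLAG_UP | FLAG_UV, 1)
    present_only = build_sample("example.com", FLAG_UP, 2)
    print(check_auth_data(verified, "example.com", require_uv=True))
    print(check_auth_data(present_only, "example.com", require_uv=True))
    print(check_auth_data(verified, "other.example", require_uv=True))
```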