A Java 7 API for databases compatible with the renowned KeePass password safe for Windows.
Features to date:
- Read and write KeePass 2.x format (File format V3 supported, V4 in development)
- Keepass 2.x Password and Keyfile Credentials
- Read KeePass 1.x format (Rijndael only)
- No requirement for JCE Policy Files
- Android compatible
- Interfaces for Database, Group and Entry allow compatible addition of other formats
It is licensed under the Apache 2 License and is currently usable.
The work is provided on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties
or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY,
or FITNESS FOR A PARTICULAR PURPOSE.
You are solely responsible for determining the appropriateness
of using or redistributing the Work and assume any risks
associated with Your exercise of permissions under this License.
(see license)
The composite POM is
<groupId>org.linguafranca.pwdb</groupId>
<artifactId>KeePassJava2</artifactId>
<version>2.1.4</version>
at Maven Central. Note that the artifactId has become Camel Case from release 2.1.x onwards.
There are also separate POMs for the various modules. The module structure is illustrated below under Build from Source.
Snapshot builds at Sonatype OSS.
It is written for Java 1.7.
Create credentials and an input stream for the password file in question:
KdbxCreds creds = new KdbxCreds("123".getBytes());
InputStream inputStream = getClass().getClassLoader().getResourceAsStream("test1.kdbx");
then choose a database implementation, and load the database.
Database database = SimpleDatabase.load(credentials, inputStream)
or
Database database = JaxbDatabase.load(credentials, inputStream)
or
Database database = DomDatabaseWrapper.load(credentials, inputStream)
Different implementations have varying characteristics, primarily speed.
The table below illustrates timings for the file test1.kdbx
(in the test module resources -
it is around 2k bytes and contains a few dozen entries)
as assessed by this test
in the examples module.
Simple 5 loads 20 iterations 257 millis
Jaxb 5 loads 20 iterations 326 millis
Dom 5 loads 20 iterations 758 millis
Simple 10 loads 1 iterations 340 millis
Jaxb 10 loads 1 iterations 552 millis
Dom 10 loads 1 iterations 175 millis
Simple 1 loads 50 iterations 28 millis
Jaxb 1 loads 50 iterations 47 millis
Dom 1 loads 50 iterations 251 millis
Load time is dominant in this example for JAXB and Simple, database traversal for the DOM implementation.
Password databases are modelled as a three layer abstraction.
A Database is a collection of records whose physical representation needs only to be capable of rendering as a stream. Entries hold the information of value in the database and Groups allow the structuring of entries into collections, just like a folder structure.
The Database has a root group and by following sub-groups of the root group the tree structure of the database can be navigated. Entries belong to groups. Entries can be moved between groups and groups can also be moved between groups. However, entries and groups created in one database cannot be moved to another database without being converted:
database.newEntry(entryToCopy);
database.newGroup(groupToCopy);
The class Javadoc on Interface classes Database, Group and Entry describe how to use the methods of those classes to create and modify entries. These classes provide the basis of all implementations of the various database formats, initially KDB, KDBX 3.1 and KDBX 4 (KeePass 2) file formats, subsequently, potentially, others.
The class QuickStart.java provides some illustrations of operations using the Database, Group and Entry interfaces.
This project is so named by kind permission of Dominik Reichl the author of KeePass. There is no formal connection with that project.
It has always been the intention to support other specific password database implementations. Hence the creation of abstract Database interfaces rather than following the KeePass model exactly.
KeePass is in effect defined by the code that Dominik writes to create and maintain the project. Hence there is not much by way of definitive specification of KeePass files other than that code. There is a discussion of the differences between KDBX version 3.1 and version 4.
For the sake of clarification and my own satisfaction I have written about my understanding of KeePass formats in the following locations:
- The Javadoc header to KdbxSerializer describes KDBX stream formatting.
- The XSD Schema KDBX.4.xsd documents my understanding of the Keepass XML, and also my lack of understanding, in parts.
- The following graphic illustrates KDBX 3.1 and 4 file formats:
Aside from the JRE the API depends on:
- Google Guava (Apache 2 license).
- Apache Commons Codec (Apache 2 license).
- Spongy Castle (License) which is a repackaging for Android of Bouncy Castle (License).
- Jargon2 for KDBX format version 4 Argon2 Key Derivation Function (Apache2 license)
The Simple XML implementation additionally depends on:
It also depends on SLF4J and Junit for tests.
Included POM is for Maven 3.
There are rather a lot of modules, this is in order to allow loading of minimal necessary functionality. The module dependencies are illustrated below.
Each module corresponds to a Maven artifact. The GroupId is org.linguafranca.pwdb
. The version id is as noted above.
Module | ArtifactId | JavaDoc | Description |
---|---|---|---|
database | database | Base definition of the Database APIs. | |
example | example | Worked examples of loading, saving, splicing etc. using the APIs | |
test | test | Shared tests to assess the viability of the implementation. | |
all | KeePassJava2 | (no JavaDoc) | This is the main KeePassJava2 Maven dependency. Provides a route to all artifacts (other than test and examples) via transitive dependency. |
kdb | KeePassJava2-kdb | An implementation of the Database APIs supporting KeePass KDB format. | |
kdbx | KeePassJava2-kdbx | Provides support for KDBX streaming and security. | |
simple | KeePassJava2-simple | A Simple XML Platform implementation of KDBX. Could be useful for Android. | |
jaxb | KeePassJava2-jaxb | A JAXB implementation of KDBX. Probably not useful for Android. The generated class bindings might be useful for building other interfaces. | |
dom | KeePassJava2-dom | A DOM based implementation of KDBX. Being DOM based it is rather slow, but messes less with existing content than the other two implementations. Known to work on Android. | |
http | keepasshttp | An implementation of a server
intended to be the equivalent of
keepasshttp, which is a plugin for Windows Keepass
supporting communication with Chrome (chromeIPass) and Firefox(PassIFox) extensions.
It is experimental and usafe. Please read and inwardly digest the readme. |
Why are there so many implementations for KDBX? Well, the DOM implementation came first, because of the fact that it can load and save stuff that the implementation doesn't specifically know about. But it is very slow.
Then came the JAXB implementation, but belatedly it seems that Android support is in question. So latterly the Simple implementation. That's probably enough KDBX implementations.
If you prefer Gradle the automatic conversion gradle init
converts the POM successfully, however you will
need to add something like gradle-source-sets.txt to the build.gradle
for the JAXB module, so that the generated sources
get compiled correctly.
In this file.
Many thanks to Pavel Ivanov @ivanovpv for his help with Android and Gradle compatibility issues.
Copyright (c) 2016 Jo Rabin
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.