Hi,

I'm using kdbxweb as a dependency in my project, and a Nexus IQ dependency check resulted in a high severity security violation for @xmldom/xmldom, which is a direct dependency of kdbxweb, and thus a transitive dependency for my project.

Please find the details of the vulnerability here:
https://nvd.nist.gov/vuln/detail/CVE-2022-37616

It would be very much appreciated if you could fix this vulnerability and publish a new version of kdbxweb. Thanks in advance!

Best,

Steven

Hello,

First let me express how grateful I am for your keeweb application, and the time you took to create it. I understand you may not respond, but I figured I'd just have to try.

I've been a recent "victim" of the Error: too large number bug. At first it was only when trying to sync my file via WebDav to Nextcloud (and at the time I blamed Nextcloud), but now I also can't open it either.

Dabbling in TS I cloned the repo and found the root cause of the error. As indicated in the original issue, KeePassDX on Android does something weird with some date values.

In my case it was the "LastModificationTime" value in the CustomData dictionary, that has the value JoU/Fe4cIAA=. After fiddling around the kotlin code, that gave me a date on year 286,428,884 which is close to the maximal value in Joda-Time, but very very far above the maximal value for JS Date(), which year 275,760. So, even if the code didn't throw on such high value, we still would have an Invalid Date in the end.

So on how to fix this? I see two separate ways.

Consider those values as garbage

When encountering those values, getDate() will return the maximum JS value. In all cases, OG KeePass uses .Net DateTime, which doesn't go over year 9999, so that should be more than OK.

Pros:

• not a lot to change in the kdbxweb library to make it work.
• not reeaally a breaking change for users of the library (like keeweb), as the value is still a Date.

Cons:

• that would update LastModificationTime values of things Keeweb didn't change.
• the new date may cause problems on merging.

Use BigInt() objects

The above value JoU/Fe4cIAA= is too high to be contained in a Number variable, but fits in the more recently available BigInt type. By allowing getDate() to return either a Date object or a BigInt, the kdbxweb can still handle those high values and does not require to clamp them to a supported Date.

Pros:

• that would no longer change LastModificationTime dates upon saving.
• merging on those high values is still possible as we can compare BigInt()

Cons:

• Breaking change for all dependents on kdbxweb that must handle a BigInt() value in addition to Date()
• More work wherever the kdbxweb library handles dates.

What would be your opinion?

I'm willing to do the corresponding work and provide a PR for either chosen solution, including on the keeweb repository too if necessary. My end goal would be that the Nextcloud App could grab an updated version and fix the bug for me on my Nextcloud instance. :)

I'm currently using kdbxweb to create a tool to migrate keepass to Bitwarden (because my company is switching to it) and I have a question about the otp field. If you manage the field with Keeweb, it stores the otp values in the form of otpauth://totp/default?secret=. Is this the native format for that field or Keeweb-specific? Bitwarden only expects the secret in that field so I need to map it.

Im trying to install this package, but all I get is this error:

› npm i kdbxweb@latest
npm ERR! Error while executing:
npm ERR! /usr/local/bin/git ls-remote -h -t git://github.com/keeweb/jssha.git
npm ERR!
npm ERR! fatal: remote error:
npm ERR!   Repository not found.
npm ERR!
npm ERR! exited with error code: 128

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/sallar/.npm/_logs/2018-03-03T19_24_44_180Z-debug.log

Thanks.

Hi,

we are having some small issues with using the library, maybe it is not directly connected to the library itself but may be an improvement point.

Loading the library expects to receive an ArrayBuffer. However, we are dealing with streams because we are downloading our kbdx file.

Initially, we were doing the following, downloading the file to the disk, then reading it to the buffer. It works well. Following the code used:

    async getDatabase(url: string): Promise<string> {
        const sampleFilePath = Path.join(
            tmpdir(),
            `keepass.${Crypto.randomBytes(6).readUIntLE(0, 6).toString(36)}.kdbx`,
        );

        const file: NodeJS.WritableStream = fs.createWriteStream(sampleFilePath);
        const response = await this.httpClient.get(url);
        const stream = response.message.pipe(file);

        const promise = new Promise((resolve, reject) => {
            stream.on('finish', () => {
                resolve(true);
            });
            stream.on('error', reject);
        });

        await promise;

        return sampleFilePath;
    }

const dbPath = await this.getDatabase(argv.url);
const keepassDb = fs.readFileSync(dbPath).buffer;
const db = await kdbxweb.Kdbx.load(keepassDb, credentials);

Now we are not allowed anymore to persist things on a disk and we need to manage all of the things in memory. That is not a big issue as our DB file is only around 200kb and it will not grow.

We changed the code to the following:

    async getDatabase(url: string): Promise<Buffer> {
        const response: IHttpClientResponse = await this.httpClient.get(url);

        return new Promise<Buffer>(async (resolve, reject) => {
            const chunks = [];
            response.message
                .on('data', function (data: Buffer) {
                    chunks.push(data);
                })
                .on('end', async function () {
                    const buffer: Buffer = Buffer.concat(chunks);

                    resolve(buffer);
                })
                .on('error', function (err) {
                    reject(err);
                });
        });
    }

const dbBuffer = await this.getDatabase(argv.url);
const db = await kdbxweb.Kdbx.load(dbBuffer, credentials);

However, this does not work, we do get an exception saying KdbxError: Error InvalidArg: data.

Do you have any idea why this may not work? Is there an example of how to get a stream into the buffer that will be accepted by kdbxweb?

Would it be possible to have a possibility to load a DB direclty from a stream?

Thank you in advance.

KeePass databases can be compressed before being encrypted and according to KeePass, it is recommended to use the GZip compression option.

I created a kdbx-file by using your kdbxweb library and I opened the file with the official KeePass application. The compression is enabled in the "Database Settings" of the application:

However, I used the safe for some time and it has 15 keys stored at the moment. The size of the file is 447KB. When I open the file in KeePass, it's size is just 12 KB after saving the file without changing anything here.
So I assume there is a problem with the compression in kdbxweb.

Note: The same problem occurs in your keeweb application, so I think this is not a problem with the way I am using your library

how decrypt entry.fields.Password ?

Hey there! This issue came to my attention from subdavis/Tusk#101. I use kdbxweb in Tusk and have had several user reports of bad behavior.

An awesome bug report finally came from @Gitii, and we concluded that the kdbxweb implementation of ChaCha20 is broken.

Please find attached to this issue a ZIP file containing several KeePass databases. I've tested these all on https://app.keeweb.info and they behave like so.

files.zip

According to keepassxreboot/keepassxc#1074 using chacha20 for encryption causes a database to be saved as KDBX4, so I believe this is a compatibility issue that keeweb claims to support.

I'm quite motivated to get this fixed very soon. Let me know if there's any additional info you need.

P.S. Thank you for all your hard work. Without this library, my project would not be possible :)

EDIT: Found keeweb/keeweb#705 - I read your final comment, and according to the thread linked above, I don't believe there's any such thing as "kdbx v3 with ChaCha20". I'm going to keep searching for material on this.

EDIT 2: After playing with the code, I see that the commentor above is clearly mistaken. For some unclear reason, the KeePass2 team decoded to introduce ChaCha in v4. While that makes it a pain to support, I think it's important. I'm going to try and take on this work, but I'll gladly accept any guidance.

Hi @antelle , I want to implement ability to import db from xml-file with KeepassX database.
Do you have any ideas about right place and interface for this functionality?

Hi there! Could you please describe why is Electronic Codebook (ECB) simulation and ECB fallback used in kdbxweb/lib/crypto/key-encryptor.js ?

ECB does not provide strong confidentiality.

Hello,

I am using the latest version 2.1.1. At first I thought I did something wrong, but after doing a separate test it seems like a bug in the save function. Group tags are not written into the output file.

import {default as kdbxweb} from 'kdbxweb';
import { writeFileSync } from 'fs';

const credentials = new kdbxweb.Credentials(kdbxweb.ProtectedValue.fromString('test'));

const db = kdbxweb.Kdbx.create(credentials, 'title');

const group = db.createGroup(db.getDefaultGroup(), 'Tagged Group');
// will not be saved in groups
group.tags = ['tag1', 'tag2'];

const entry = db.createEntry(group, 'Tagged Entry');
// will be saved in entries
entry.tags = ['tag1', 'tag2'];

const data = await db.saveXml();
writeFileSync('test.xml', data);

Here is the XML output of the KDBX file I get:

https://gist.github.com/mstoecklein/e2686de4c22a263240e75db6745df6ac

We are experiencing some inconsistent behavior with the Password field. Following code:

const entry = db.getDefaultGroup().entries.find((e) => e.fields.get('UserName') === entryName);
const passwordField = entry.fields.get('Password');

Sometimes returns an object of type ProtectedValue, sometime is a string. This is pushing us to implement the readout of that field in the following way:

const passwordField = entry.fields.get('Password');
let password = '';

if (passwordField instanceof kdbxweb.ProtectedValue) {
    password = (passwordField as kdbxweb.ProtectedValue).getText();
} else {
    password = passwordField;
}

Is there a reason for this behavior or is there a better way to prevent/fetch this?

Thanks

Seeing this is v0.1.0 according to npmjs, I wasn't really sure if this was working but from https://antelle.github.io/keeweb/ , I figured it had to. However, I haven't been able to succesfully get this to even load.

Loading kdbxweb/dist/kdbxweb.js on chrome returns an error:
Uncaught SyntaxError: Invalid regular expression: /[-.0-9A-Z_a-z\xC0-\xD6\xD8-\xF6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD·̀-ͯ\ux203F-�]/: Range out of order in character class

and trying to use "require(kdbxweb)" also returns an error:
module.js:338
throw err;
^
Error: Cannot find module 'arraybuffer-slice'
at Function.Module._resolveFilename (module.js:336:15)
at Function.Module._load (module.js:278:25)
at Module.require (module.js:365:17)
at require (module.js:384:17)
at Object. (c:\Users\sgarcia\code\my-keepass\node_modules\kdbxweb\lib\format\kdbx.js:3:1)
at Module._compile (module.js:460:26)
at Object.Module._extensions..js (module.js:478:10)
at Module.load (module.js:355:32)
at Function.Module._load (module.js:310:12)
at Module.require (module.js:365:17)

Are there any demos on how to get this to work? Thanks

I would like to play around with this lib, but can't install it.
It gets stuck here:

C:\Users\7508594\Documents\lcm\code\keepass>npm i --save kdbxweb
[..................] \ fetchMetadata: sill resolveWithNewModule [email protected] checking installable status

I tried to install another library to see if it was a problem with my proxy, but didn't appear to be the case.
Also it's useful to add this to the docs.
Even though this should be obvious, to be sure I had to check the issues list to find confirmation that the installation command was correct.

v1.8 switches to v4 file format, and v4 file format requires Argon2, thus a breaking change.

When trying to include this project into an Angular project, it fails with:

Error: Can't resolve 'crypto' in '..\node_modules\kdbxweb\dist'

Is there any chance this could be made webpack compatible?

Mixing a bunch of Math.random with Salsa20 doesn't make PRNG secure. Please use crypto.getRandomValues in browser and crypto.randomBytes in Node, for example:

  var getRandomBytes = (
    (typeof self !== 'undefined' && (self.crypto || self.msCrypto))
      ? function() { // Browsers
          var crypto = (self.crypto || self.msCrypto), QUOTA = 65536;
          return function(n) {
            var a = new Uint8Array(n);
            for (var i = 0; i < n; i += QUOTA) {
              crypto.getRandomValues(a.subarray(i, i + Math.min(n - i, QUOTA)));
            }
            return a;
          };
        }
      : function() { // Node
          return require("crypto").randomBytes;
        }
  )();

This will give you random bytes:

aesKey = getRandomBytes(18)

I was using the version 0.4.6 until you fixed issue #16 yesterday (thank you :-)).

I noticed some changes in the performance, as the latest repository version is about three times slower than version 0.4.6:

Well, three times slower is quite high :-), do you plan to improve this or is there any way to make it faster?

Hi,

If I call KdbxHeader.setVersion(4) it sets the versionMinor to 1. I could not find any specification for a kdbx 4.1 file format. Some apps like Strongbox check the minor version too and are therefore not able to open the databases written via kdbxweb.
I also had this problem when creating a database with keeweb.

Could you please check, whether the latest minor version for kdbx4 shouldn't be 0?

Thanks,
trxa

Hi! We use your library over at Buttercup, and we're upgrading kdbxweb. It seems we've encountered an issue where the current copy of this library references window:

/*! kdbxweb v1.5.2, (c) 2019 Antelle, opensource.org/licenses/MIT */
(function webpackUniversalModuleDefinition(root, factory) {
	if(typeof exports === 'object' && typeof module === 'object')
		module.exports = factory(require("crypto"), require("xmldom"));
	else if(typeof define === 'function' && define.amd)
		define(["crypto", "xmldom"], factory);
	else if(typeof exports === 'object')
		exports["kdbxweb"] = factory(require("crypto"), require("xmldom"));
	else
		root["kdbxweb"] = factory(root["crypto"], root["xmldom"]);
})(window, function(__WEBPACK_EXTERNAL_MODULE__42__, __WEBPACK_EXTERNAL_MODULE__44__) {
return /******/ (function(modules) { // webpackBootstrap

Which is of course undefined:

ReferenceError: window is not defined
    at eval (webpack:///./node_modules/kdbxweb/dist/kdbxweb.js?:4:4)
    at Object../node_modules/kdbxweb/dist/kdbxweb.js (/Users/pez/git/buttercup-importer/dist/buttercup-importer.js:2311:1)
    at __webpack_require__ (/Users/pez/git/buttercup-importer/dist/buttercup-importer.js:21:30)
    at eval (webpack:///./source/importers/KDBXImporter.js?:2:15)

This only cropped up after updating from 1.2.7 to 1.5.2. I'm using Node v10 at the moment.

First of all thank you so much for making this package, it's saving my life,

I got some questions :

At the moment i'm able to lad the Database, my only concern didn't figure out how i can display all my titles/username/passwords ?

Thank you soo much

My experience using the argon2 algorithm in kdbxweb in the browser was a bit tricky.

When I use your argon2-asm.min.js from your test, I can create my derived key and everything is fine. The output file also works in my keepass client. That's nice. Unfortunately in the browser the JS is polluting my window object and I had issues with that lately. I also tried NPM libraries, but they don't worked without a bigger effort in setting up my bundler.

What I did to work around that issue:

• I took your script https://github.com/keeweb/kdbxweb/blob/master/test/test-support/argon2.ts
• created a function to wrap all the code from the argon2-asm.js file
• put it all in one file

I don't like this solution, but it was the easiest way to continue using my current bundler settings without using any additional compiler steps.

It would be a great improvement if you add the choice of an additional bundle with the baked-in argon2 algorithm.

Hi! I'm trying to implement argon2 support using the npm library argon2, and am now getting the following error:

{ [KdbxError: Error Unsupported: bad derived key]
  name: 'KdbxError',
  code: 'Unsupported',
  message: 'Error Unsupported: bad derived key' }

I have the following code so far:

const nodeArgon2 = require("argon2");
const toBuffer = require("typedarray-to-buffer");

function argon2(password, salt, memory, iterations, length, parallelism, type, version) {
    return nodeArgon2.hash(toBuffer(password), {
        salt: toBuffer(salt),
        type,
        memoryCost: memory,
        hashLength: length,
        parallelism,
        version,
        timeCost: iterations
    }).then(out => {
        return Buffer.from(out);
    });
}

module.exports = {
    argon2
};

I can't make light of the example in the test folder as it doesn't particularly describe any of the values going to and fro. I believe I've got the input from KdbxWeb to argon2 cracked, I'm getting a valid hash:

$argon2d$v=19$m=131072,t=4,p=4$uuJR7sfQapC2usfQxd9eOkyc0DgPsZ1bELHXbOPnz/I$4euUHLZOxByaffEIRQyvvfNE82B0wc7S709eniV1cGU

But it seems the return value is not correct. Would you be able to point out what the result from the implemented argon2 method should be? I'd also love documentation on the input parameters to that argon2 function (I could add jsdoc comments to your test file if you'd like). Thanks!

To upgrade a new database I need to execute:

db.upgrade();
db.header.keyEncryptionRounds = undefined;

I think the 2nd line should be included within the upgrade function?

For example, in KeeWeb, it's used to conditionally display relevant settings:

https://github.com/keeweb/keeweb/blob/af9d668d2ae2f35c2f88bf659fdcb7c8a154b407/app/templates/settings/settings-file.hbs#L122

The readme says this:

// your implementation makes hash (Uint32Array, 'length' bytes)

so I did this:

const result: Argon2BrowserHashResult = await argon.hash({
        pass: new Uint8Array(password),
        salt: new Uint8Array(salt),
        time: iterations,
        mem: memory,
        parallelism: parallelism,
        hashLen: length,
        type: type,
});

// your implementation makes hash (Uint32Array, 'length' bytes)
return new Uint32Array(result.hash.buffer);

(Note the new UInt32Array)
This resulted in a failure to decrypt. When I simply returned the Uint8Array in result.hash, everything was fine.

Is the doc wrong or did I misunderstand?

Hi @antelle! First of all, thanks for your excellent work in the KeePass space! I'm a happy KeeWeb user and was excited to find this kdbxweb library!

However, I'm not able to open a password only .kdbx file created with KeeWeb. I'm using code like this:

var dataAsArrayBuffer = require('fs').readFileSync('example.kdbx', 'base64');
var credentials = new kdbxweb.Credentials(kdbxweb.ProtectedValue.fromString('examplePass'));
kdbxweb.Kdbx.load(dataAsArrayBuffer, credentials).then(db => ...);

But it throws an error like this:

{ [KdbxError: Error InvalidArg: data]
  name: 'KdbxError',
  code: 'InvalidArg',
  message: 'Error InvalidArg: data' }

The README instructions skip this bit and I haven't been able to figure this one out based on the KeeWeb or test code.

Could you add a line to the loading example under Usage to demonstrate how to correctly open a database?

Thanks for your continued support and keep up the good work!

A tried the manual tests, used the correct password and selected the kdbx file (no key selected).

However, the website just displays "working..." and hangs. There is no output in the console (Google Chrome)

The data is right, as I am able to open the safe with the KeePass application.

I would like to use your lib in my Angular project but I have an error :

core.js:6014 ERROR Error: Uncaught (in promise): ReferenceError: global is not defined
ReferenceError: global is not defined
    at Object../node_modules/buffer/index.js (index.js:43)
    at __webpack_require__ (bootstrap:84)
    at Object../node_modules/safe-buffer/index.js (index.js:2)
    at __webpack_require__ (bootstrap:84)
    at Object../node_modules/randombytes/browser.js (browser.js:15)
    at __webpack_require__ (bootstrap:84)
    at Object../node_modules/crypto-browserify/index.js (index.js:3)
    at __webpack_require__ (bootstrap:84)
    at webpackUniversalModuleDefinition (kdbxweb.js:4)
    at Object../node_modules/kdbxweb/dist/kdbxweb.js (kdbxweb.js:11)
    at resolvePromise (zone-evergreen.js:797)
    at resolvePromise (zone-evergreen.js:754)
    at zone-evergreen.js:858
    at ZoneDelegate.invokeTask (zone-evergreen.js:391)
    at Object.onInvokeTask (core.js:39680)
    at ZoneDelegate.invokeTask (zone-evergreen.js:390)
    at Zone.runTask (zone-evergreen.js:168)
    at drainMicroTaskQueue (zone-evergreen.js:559)

What I did was :

• npm i kdbxweb
• import it
• console.log(kdbxweb)

Even with a freshly started project I still have it.

I get the following error output when testing on Travis:

Using worker: worker-linux-docker-c88f3d31.prod.travis-ci.org:travis-linux-2

Build system information
Build language: node_js
Build image provisioning date and time
Thu Feb  5 15:09:33 UTC 2015
Operating System Details
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.5 LTS
Release:    12.04
Codename:   precise
Linux Version
3.13.0-29-generic
Cookbooks Version
a68419e https://github.com/travis-ci/travis-cookbooks/tree/a68419e
GCC version
gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

LLVM version
clang version 3.4 (tags/RELEASE_34/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
Pre-installed Ruby versions
ruby-1.9.3-p551
Pre-installed Node.js versions
v0.10.36
Pre-installed Go versions
1.4.1
Redis version
redis-server 2.8.19
riak version
2.0.2
MongoDB version
MongoDB 2.4.12
CouchDB version
couchdb 1.6.1
Neo4j version
1.9.4
RabbitMQ Version
3.4.3
ElasticSearch version
1.4.0
Installed Sphinx versions
2.0.10
2.1.9
2.2.6
Default Sphinx version
2.2.6
Installed Firefox version
firefox 31.0esr
PhantomJS version
1.9.8
ant -version
Apache Ant(TM) version 1.8.2 compiled on December 3 2011
mvn -version
Apache Maven 3.2.5 (12a6b3acb947671f09b81f49094c53f426d8cea1; 2014-12-14T17:29:23+00:00)
Maven home: /usr/local/maven
Java version: 1.7.0_76, vendor: Oracle Corporation
Java home: /usr/lib/jvm/java-7-oracle/jre
Default locale: en_US, platform encoding: ANSI_X3.4-1968
OS name: "linux", version: "3.13.0-29-generic", arch: "amd64", family: "unix"

$ git clone --depth=50 --branch=master https://github.com/perry-mitchell/buttercup-importer.git perry-mitchell/buttercup-importer
Cloning into 'perry-mitchell/buttercup-importer'...
remote: Counting objects: 42, done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 42 (delta 11), reused 36 (delta 8), pack-reused 0
Unpacking objects: 100% (42/42), done.
Checking connectivity... done.
$ cd perry-mitchell/buttercup-importer
$ git checkout -qf 3836392500d5d7a015ad001ed75d3b5c531a4d18

This job is running on container-based infrastructure, which does not allow use of 'sudo', setuid and setguid executables.
If you require sudo, add 'sudo: required' to your .travis.yml
See http://docs.travis-ci.com/user/workers/container-based-infrastructure/ for details.
$ nvm install stable
######################################################################## 100.0%
Checksums empty
Now using node v5.0.0
$ node --version
v5.0.0
$ npm --version
3.3.6
$ nvm --version
0.23.3
$ npm install 
npm WARN engine [email protected]: wanted: {"node":"~0.10"} (current: {"node":"5.0.0","npm":"3.3.6"})

> [email protected] postinstall /home/travis/build/perry-mitchell/buttercup-importer/node_modules/kdbxweb
> cd node_modules/asmcrypto.js && npm install && grunt --with=utils,aes-cbc,aes-ecb,sha256

sh: 1: cd: can't cd to node_modules/asmcrypto.js
[email protected] /home/travis/build/perry-mitchell/buttercup-importer
├─┬ [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ └─┬ [email protected] 
│   ├── [email protected] 
│   └─┬ [email protected] 
│     └── [email protected] 
└─┬ [email protected] 
  └─┬ [email protected] 
    ├── [email protected] 
    ├── [email protected] 
    ├─┬ [email protected] 
    │ ├── [email protected] 
    │ ├── [email protected] 
    │ └── [email protected] 
    ├─┬ [email protected] 
    │ ├─┬ [email protected] 
    │ │ └── [email protected] 
    │ ├─┬ [email protected] 
    │ │ └─┬ [email protected] 
    │ │   ├── [email protected] 
    │ │   └── [email protected] 
    │ └── [email protected] 
    ├── [email protected] 
    ├─┬ [email protected] 
    │ └── [email protected] 
    ├─┬ [email protected] 
    │ └── [email protected] 
    ├─┬ [email protected] 
    │ └─┬ [email protected] 
    │   └─┬ [email protected] 
    │     ├── [email protected] 
    │     └── [email protected] 
    ├── [email protected] 
    └── [email protected] 

npm ERR! Linux 3.13.0-40-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v5.0.0/bin/node" "/home/travis/.nvm/versions/node/v5.0.0/bin/npm" "install"
npm ERR! node v5.0.0
npm ERR! npm  v3.3.6
npm ERR! code ELIFECYCLE

npm ERR! [email protected] postinstall: `cd node_modules/asmcrypto.js && npm install && grunt --with=utils,aes-cbc,aes-ecb,sha256`
npm ERR! Exit status 2
npm ERR! 
npm ERR! Failed at the [email protected] postinstall script 'cd node_modules/asmcrypto.js && npm install && grunt --with=utils,aes-cbc,aes-ecb,sha256'.
npm ERR! This is most likely a problem with the kdbxweb package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR!     cd node_modules/asmcrypto.js && npm install && grunt --with=utils,aes-cbc,aes-ecb,sha256
npm ERR! You can get their info via:
npm ERR!     npm owner ls kdbxweb
npm ERR! There is likely additional logging output above.

npm ERR! Please include the following file with any support request:
npm ERR!     /home/travis/build/perry-mitchell/buttercup-importer/npm-debug.log

# SNIPPED

The command "eval npm install " failed 3 times.


The command "npm install " failed and exited with 1 during .

Your build has been stopped.

Hello. Today I created an empty kdbx file using code:

let credentials = new kdbxweb.Credentials(kdbxweb.ProtectedValue.fromString('password'));
let db = kdbxweb.Kdbx.create(credentials, 'emptydb');
let group = db.createGroup(db.getDefaultGroup(), '1stgroup');
db.save().then(dataAsArrayBuffer => {
    fs.writeFileSync('./empty.kdbx', Buffer.from(dataAsArrayBuffer));
})

And then I opened it using code:

let dataAsArrayBuffer = fs.readFileSync('./empty.kdbx').buffer;
let credentials = new kdbxweb.Credentials(kdbxweb.ProtectedValue.fromString('password'));
kdbxweb.Kdbx.load(dataAsArrayBuffer, credentials).then(db => {
    console.log(db);
}).catch(err => {
    console.log(err);
});

But it threw the error:

{ [KdbxError: Error BadSignature]
  name: 'KdbxError',
  code: 'BadSignature',
  message: 'Error BadSignature' }

Using KeePass Password Manager or KeeWeb Online, it (kdbx file I created) can be opened normally.
Also, I have tried to create a kdbx file using KeePass whose structure like this:

emptydb
  |--1stgroup
  |--Recycle Bin

And I opened it using the code as mentioned but got the same error.
I want to know what's the meaning of 'BadSignature' and how to solve my problem.
My environment is Node.js v8.5.0 and Windows 10.

see
keeweb/keeweb#2001
https://sourceforge.net/p/keepass/bugs/2231/
https://keepass.info/help/kb/kdbx_4.1.html#cd_lastmod

after reading the source I would assume that the issue is maybe here

this line calls setDate

because the lastModificationTime is only written for dataases >= 4.1 - so it should be save to add the third parameter with true.

Please change to 38:

Sorry to bother again! I've tried copying your argon2 code used in the test-support directory and am getting the following now:

Cannot enlarge memory arrays. Either (1) compile with  -s TOTAL_MEMORY=X  with X higher than the current value 134217728, (2) compile with  -s ALLOW_MEMORY_GROWTH=1  which adjusts the size at runtime but prevents some optimizations, (3) set Module.TOTAL_MEMORY to a higher value before the program runs, or if you want malloc to return NULL (0) instead of this abort, compile with  -s ABORTING_MALLOC=0
Cannot enlarge memory arrays. Either (1) compile with  -s TOTAL_MEMORY=X  with X higher than the current value 134217728, (2) compile with  -s ALLOW_MEMORY_GROWTH=1  which adjusts the size at runtime but prevents some optimizations, (3) set Module.TOTAL_MEMORY to a higher value before the program runs, or if you want malloc to return NULL (0) instead of this abort, compile with  -s ABORTING_MALLOC=0
abort("Cannot enlarge memory arrays. Either (1) compile with  -s TOTAL_MEMORY=X  with X higher than the current value 134217728, (2) compile with  -s ALLOW_MEMORY_GROWTH=1  which adjusts the size at runtime but prevents some optimizations, (3) set Module.TOTAL_MEMORY to a higher value before the program runs, or if you want malloc to return NULL (0) instead of this abort, compile with  -s ABORTING_MALLOC=0 ") at Error:
    at jsStackTrace (webpack:///./source/crypto/argon2-core.js?:974:13)
    at stackTrace (webpack:///./source/crypto/argon2-core.js?:992:12)
    at abort (webpack:///./source/crypto/argon2-core.js?:8591:44)
    at abortOnCannotGrowMemory (webpack:///./source/crypto/argon2-core.js?:1020:3)
    at enlargeMemory (webpack:///./source/crypto/argon2-core.js?:1024:3)
    at Wa (webpack:///./source/crypto/argon2-core.js?:7985:32)
    at Ra (webpack:///./source/crypto/argon2-core.js?:6884:15)
    at ya (webpack:///./source/crypto/argon2-core.js?:2901:11)
    at Ga (webpack:///./source/crypto/argon2-core.js?:3376:11)
    at sa (webpack:///./source/crypto/argon2-core.js?:2538:11)
If this abort() is unexpected, build with -s ASSERTIONS=1 which can give more information.

We're only using kdbxweb in Node currently, so I suspect we have a number of options for an argon2 implementation. I've also seen that @antelle provides one such project. What should I be doing to allow for argon2 support in a basic Node project, if copying the example code doesn't work?

The above issue occurs immediately when calling the also-copied argon2 method, from the test-support dir.

Moved here: https://github.com/keeweb/kdbxweb/projects/1

Hello sir/madam

According to KDBX 4 specs at:
https://keepass.info/help/kb/kdbx_4.html#exthdr

Note that the header data is not encrypted and is only present in KDBX files (not in XML exports).

I'm interested in setting a lookup table that I can read before decoding. I see that kdbxweb need to read the database with credentials before I can access the header. Could you guide me way to do so without logging in first.

Thank you and best regards!

Hi,
I've looked at the xml genergated by kdbxweb and I found a quirk, it can produce a null Entry.String.Value if, on the web interface, I fill and then delete a Note or another field.

I think the correct ways to handle it are:

• produce an empty Value (ie <Value></Value>)
• or skip the whole String field.

Thanks

Sample xml and kdbx - password "demo"