KeyChair: Extract RSA private keys out of .keychain files (opens in new tab)

(github.com)

25 pointsrgawdzik10y ago6 comments

6 comments

6 comments · 3 top-level

splitbrain10y ago· 3 in thread

Hmm a bit more info in the readme would be helpful. My .keychain directory only contains shell snippets that set environment variables to my SSH agent.

Where's the vulnerability? In ssh-agent? Or are we talking about a completely different keychain tool here?

userbinator10y ago

I think this is for Apple's .keychain files.

"Where's the vulnerability?" I don't think this is a vulnerability at all. As the code at https://github.com/indutny/keychair/blob/master/bin/keychair shows, its use seems to be just decrypting private keys with a passphrase.

(Am I the only one who was surprised to see it's written in JS...?)

robinson-wall10y ago

I believe this is designed to operate on OSX keychain files, e.g. ~/Library/Keychains/login.keychain - and is unrelated to keychain the ssh-agent wrangler.

splitbrain10y ago

I see. Makes sense. Thank you.

j_s10y ago

Another project (written in Python) apparently created about a year ago includes more links in the source to all the various Apple open source resources that document the KeyChain format:

https://github.com/n0fate/chainbreaker

I would have to dig quite a bit further to determine what is meant by "even the seemingly unextractable ones" in the README and whether or not this Python tool accomplishes the same. (My guess would be yes since it additionally supports decrypting the keychain using the in-memory master key.)

It was interesting to me to see what popped up when searching for the RFC 3217 (Triple-DES and RC2 Key Wrapping) IV:

https://www.google.com/search?q=4adda22c79e82105

The oldest was a keychain extractor written by Matt Johnston (the author of Dropbear) copyright 2004 but only available via the Internet Archive back to 2011: https://web.archive.org/web/20110228153630/http://www.ucc.as...

davvolun10y ago

Can we get the title updated to say '...keys out of OS X .keychain files', something like that? I feel like there's enough different keychain programs out there, it seemed confusing to me.

j / k navigate · click thread line to collapse