Decrypt Firefox password database

I want to write a simple utility that extracts passwords from a Firefox password database (the corresponding file is called signons.sqlite in the profile folder).

What I've done so far: Opened database using sqlite, retrieved encrypted username, encrypted password and address of website (all stored as std::string).

So, the only thing remaining is to decrypt the username and password strings.

I tried the following (PK11Decrypt ought to store the plaintext password in plaintext):

void Firefox_Importer::PK11Decrypt(string _cipheredBuffer, char **plaintext) {
  // declarations needed
  SECItem * request;
  SECItem * reply;
  unsigned int len = (unsigned int)_cipheredBuffer.length();
  const char* cipheredBuffer = (const char*)_cipheredBuffer.c_str();

  // generate request and reply SECItem; seems to work properly
  reply = SECITEM_AllocItem(NULL, NULL, 0);
  if (reply == NULL) cout << "Error allocating SECITEM." << endl;
  request = NSSBase64_DecodeBuffer(NULL, NULL, cipheredBuffer, len);
  if (request == NULL) cout << "Error decoding buffer." << endl;

  // the following is not working
  SECStatus tmp = PK11SDR_Decrypt(request, reply, NULL);
  if(tmp != SECSuccess) cout << "Something went wrong during decrypting" << endl;

  *plaintext = (char*)malloc(reply->len + 1);
  strncpy(*plaintext, (const char*)reply->data, reply->len);
  (*plaintext)[reply->len] = '\0';

  SECITEM_FreeItem(request, true);
  SECITEM_FreeItem(reply, true);
}

When PK11Decrypt is called, it prints Something went wrong during decrypting, indicating that the call to PK11SDR_Decrypt didn开发者_开发技巧't work properly. It always returns SECFailure (which corresponds to -1).

Does anybody have some hints or know what I'm doing wrong?

It could be that the call to PK11_Authenticate() isn't optional, even if no master password is set (yes, NSS is pretty messed up). So you might need to do the following first:

PK11SlotInfo *slot = PK11_GetInternalKeySlot();
if (!slot) cout << "Error getting internal slot" << endl;

SECStatus tmp = PK11_Authenticate(slot, PR_TRUE, NULL);
if (tmp != SECSuccess) cout << "Authentication error" << endl;

Note that I pass NULL as context to PK11_Authenticate(), the context is only required if a password prompt should be displayed.

Edit: Never mind, I noticed that PK11SDR_Decrypt() will call both functions internally. Given that you get SECFailure as result, it is likely that PK11_GetInternalKeySlot() fails which would indicate that NSS isn't initialized properly.

Firefox is opensource software. You can find the most recent source here, it is up to you to find the part where they decrypt the passwords and copy it into your application. Good luck.