

KeyChair: Extract RSA private keys out of .keychain files - rgawdzik
https://github.com/indutny/keychair

======
splitbrain
Hmm, a bit more info in the readme would be helpful. My .keychain directory
only contains shell snippets that set environment variables to my SSH agent.

Where's the vulnerability? In ssh-agent? Or are we talking about a completely
different keychain tool here?

~~~
robinson-wall
I believe this is designed to operate on OSX keychain files, e.g.
~/Library/Keychains/login.keychain - and is unrelated to keychain the
ssh-agent wrangler.

~~~
splitbrain
I see. Makes sense. Thank you.

------
j_s
Another project (written in Python) apparently created about a year ago
includes more links in the source to all the various Apple open source
resources that document the KeyChain format:

[https://github.com/n0fate/chainbreaker](https://github.com/n0fate/chainbreaker)

I would have to dig quite a bit further to determine what is meant by "even
the seemingly unextractable ones" in the README and whether or not this Python
tool accomplishes the same. (My guess would be yes since it additionally
supports decrypting the keychain using the in-memory master key.)

It was interesting to me to see what popped up when searching for the RFC 3217
(Triple-DES and RC2 Key Wrapping) IV:

[https://www.google.com/search?q=4adda22c79e82105](https://www.google.com/search?q=4adda22c79e82105)

The oldest was a keychain extractor written by Matt Johnston (the author of
Dropbear) copyright 2004 but only available via the Internet Archive back to
2011:
[https://web.archive.org/web/20110228153630/http://www.ucc.as...](https://web.archive.org/web/20110228153630/http://www.ucc.asn.au/~matt/src/extractkeychain-0.1/extractkeychain.py)

------
davvolun
Can we get the title updated to say '...keys out of OS X .keychain files',
something like that? I feel like there are enough different keychain programs
out there that it seemed confusing to me.

