2 # ABSTRACT: Encrypted database to store secret text and files
8 use Crypt
::Digest
qw(digest_data);
9 use Crypt
::PRNG
qw(random_bytes);
10 use Devel
::GlobalDestruction
;
11 use File
::KDBX
::Constants
qw(:all :icon);
12 use File
::KDBX
::Error
;
14 use File
::KDBX
::Util
qw(:class :coercion :empty :search :uuid erase simple_expression_query snakify);
15 use Hash
::Util
::FieldHash
qw(fieldhashes);
16 use List
::Util
qw(any first);
17 use Ref
::Util
qw(is_ref is_arrayref is_plain_hashref);
18 use Scalar
::Util
qw(blessed);
23 our $VERSION = '0.906'; # VERSION
26 fieldhashes \
my (%SAFE, %KEYS);
33 return $_[0]->clone if @_ == 1 && blessed
$_[0] && $_[0]->isa($class);
36 $data = shift if is_plain_hashref
($_[0]);
38 my $self = bless $data // {}, $class;
40 $self->_set_nonlazy_attributes if !$data;
44 sub DESTROY
{ local ($., $@, $!, $^E, $?); !in_global_destruction
and $_[0]->reset }
51 @$self{keys %args} = values %args;
59 erase
$self->headers->{+HEADER_INNER_RANDOM_STREAM_KEY
};
60 erase
$self->inner_headers->{+INNER_HEADER_INNER_RANDOM_STREAM_KEY
};
71 return Storable
::dclone
($self);
80 return '', $copy, $KEYS{$self} // (), $SAFE{$self} // ();
91 @$self{keys %$clone} = values %$clone;
95 # Dualvars aren't cloned as dualvars, so coerce the compression flags.
96 $self->compression_flags($self->compression_flags);
98 $self->objects(history
=> 1)->each(sub { $_->kdbx($self) });
101 ##############################################################################
104 sub load
{ shift-
>_loader->load(@_) }
105 sub load_string
{ shift-
>_loader->load_string(@_) }
106 sub load_file
{ shift-
>_loader->load_file(@_) }
107 sub load_handle
{ shift-
>_loader->load_handle(@_) }
111 $self = $self->new if !ref $self;
112 require File
::KDBX
::Loader
;
113 File
::KDBX
::Loader-
>new(kdbx
=> $self);
117 sub dump { shift-
>_dumper->dump(@_) }
118 sub dump_string
{ shift-
>_dumper->dump_string(@_) }
119 sub dump_file
{ shift-
>_dumper->dump_file(@_) }
120 sub dump_handle
{ shift-
>_dumper->dump_handle(@_) }
124 $self = $self->new if !ref $self;
125 require File
::KDBX
::Dumper
;
126 File
::KDBX
::Dumper-
>new(kdbx
=> $self);
129 ##############################################################################
132 sub user_agent_string
{
134 sprintf('%s/%s (%s/%s; %s/%s; %s)',
135 __PACKAGE__
, $VERSION, @Config::Config
{qw(package version osname osvers archname)});
138 has sig1
=> KDBX_SIG1
, coerce
=> \
&to_number
;
139 has sig2
=> KDBX_SIG2_2
, coerce
=> \
&to_number
;
140 has version
=> KDBX_VERSION_3_1
, coerce
=> \
&to_number
;
142 has inner_headers
=> {};
145 has deleted_objects
=> {};
146 has raw
=> coerce
=> \
&to_string
;
149 has 'headers.comment' => '', coerce
=> \
&to_string
;
150 has 'headers.cipher_id' => sub { $_[0]->version < KDBX_VERSION_4_0
? CIPHER_UUID_AES256
: CIPHER_UUID_CHACHA20
},
152 has 'headers.compression_flags' => COMPRESSION_GZIP
, coerce
=> \
&to_compression_constant
;
153 has 'headers.master_seed' => sub { random_bytes
(32) }, coerce
=> \
&to_string
;
154 has 'headers.encryption_iv' => sub { random_bytes
($_[0]->version < KDBX_VERSION_4_0
? 16 : 12) },
155 coerce
=> \
&to_string
;
156 has 'headers.stream_start_bytes' => sub { random_bytes
(32) }, coerce
=> \
&to_string
;
157 has 'headers.kdf_parameters' => sub {
159 KDF_PARAM_UUID
() => KDF_UUID_AES
,
160 KDF_PARAM_AES_ROUNDS
() => $_[0]->headers->{+HEADER_TRANSFORM_ROUNDS
} // KDF_DEFAULT_AES_ROUNDS
,
161 KDF_PARAM_AES_SEED
() => $_[0]->headers->{+HEADER_TRANSFORM_SEED
} // random_bytes
(32),
164 # has 'headers.transform_seed' => sub { random_bytes(32) };
165 # has 'headers.transform_rounds' => 100_000;
166 # has 'headers.inner_random_stream_key' => sub { random_bytes(32) }; # 64 ?
167 # has 'headers.inner_random_stream_id' => STREAM_ID_CHACHA20;
168 # has 'headers.public_custom_data' => {};
171 has 'meta.generator' => '', coerce
=> \
&to_string
;
172 has 'meta.header_hash' => '', coerce
=> \
&to_string
;
173 has 'meta.database_name' => '', coerce
=> \
&to_string
;
174 has 'meta.database_name_changed' => sub { gmtime }, coerce
=> \
&to_time
;
175 has 'meta.database_description' => '', coerce
=> \
&to_string
;
176 has 'meta.database_description_changed' => sub { gmtime }, coerce
=> \
&to_time
;
177 has 'meta.default_username' => '', coerce
=> \
&to_string
;
178 has 'meta.default_username_changed' => sub { gmtime }, coerce
=> \
&to_time
;
179 has 'meta.maintenance_history_days' => HISTORY_DEFAULT_MAX_AGE
, coerce
=> \
&to_number
;
180 has 'meta.color' => '', coerce
=> \
&to_string
;
181 has 'meta.master_key_changed' => sub { gmtime }, coerce
=> \
&to_time
;
182 has 'meta.master_key_change_rec' => -1, coerce
=> \
&to_number
;
183 has 'meta.master_key_change_force' => -1, coerce
=> \
&to_number
;
184 # has 'meta.memory_protection' => {};
185 has 'meta.custom_icons' => [];
186 has 'meta.recycle_bin_enabled' => true
, coerce
=> \
&to_bool
;
187 has 'meta.recycle_bin_uuid' => UUID_NULL
, coerce
=> \
&to_uuid
;
188 has 'meta.recycle_bin_changed' => sub { gmtime }, coerce
=> \
&to_time
;
189 has 'meta.entry_templates_group' => UUID_NULL
, coerce
=> \
&to_uuid
;
190 has 'meta.entry_templates_group_changed' => sub { gmtime }, coerce
=> \
&to_time
;
191 has 'meta.last_selected_group' => UUID_NULL
, coerce
=> \
&to_uuid
;
192 has 'meta.last_top_visible_group' => UUID_NULL
, coerce
=> \
&to_uuid
;
193 has 'meta.history_max_items' => HISTORY_DEFAULT_MAX_ITEMS
, coerce
=> \
&to_number
;
194 has 'meta.history_max_size' => HISTORY_DEFAULT_MAX_SIZE
, coerce
=> \
&to_number
;
195 has 'meta.settings_changed' => sub { gmtime }, coerce
=> \
&to_time
;
196 # has 'meta.binaries' => {};
197 # has 'meta.custom_data' => {};
199 has 'memory_protection.protect_title' => false
, coerce
=> \
&to_bool
;
200 has 'memory_protection.protect_username' => false
, coerce
=> \
&to_bool
;
201 has 'memory_protection.protect_password' => true
, coerce
=> \
&to_bool
;
202 has 'memory_protection.protect_url' => false
, coerce
=> \
&to_bool
;
203 has 'memory_protection.protect_notes' => false
, coerce
=> \
&to_bool
;
204 # has 'memory_protection.auto_enable_visual_hiding' => false;
207 HEADER_TRANSFORM_SEED
,
208 HEADER_TRANSFORM_ROUNDS
,
209 HEADER_INNER_RANDOM_STREAM_KEY
,
210 HEADER_INNER_RANDOM_STREAM_ID
,
211 HEADER_PUBLIC_CUSTOM_DATA
,
213 sub _set_nonlazy_attributes
{
215 $self->$_ for list_attributes
(ref $self), @ATTRS;
219 sub memory_protection
{
221 $self->{meta
}{memory_protection
} = shift if @_ == 1 && is_plain_hashref
($_[0]);
222 return $self->{meta
}{memory_protection
} //= {} if !@_;
224 my $string_key = shift;
225 my $key = 'protect_' . lc($string_key);
227 $self->meta->{memory_protection
}{$key} = shift if @_;
228 $self->meta->{memory_protection
}{$key};
232 sub minimum_version
{
235 return KDBX_VERSION_4_1
if any
{
236 nonempty
$_->{last_modification_time
}
237 } values %{$self->custom_data};
239 return KDBX_VERSION_4_1
if any
{
240 nonempty
$_->{name
} || nonempty
$_->{last_modification_time
}
241 } @{$self->custom_icons};
243 return KDBX_VERSION_4_1
if $self->groups->next(sub {
244 nonempty
$_->previous_parent_group ||
246 (any
{ nonempty
$_->{last_modification_time
} } values %{$_->custom_data})
249 return KDBX_VERSION_4_1
if $self->entries(history
=> 1)->next(sub {
250 nonempty
$_->previous_parent_group ||
251 (defined $_->quality_check && !$_->quality_check) ||
252 (any
{ nonempty
$_->{last_modification_time
} } values %{$_->custom_data})
255 return KDBX_VERSION_4_0
if $self->kdf->uuid ne KDF_UUID_AES
;
257 return KDBX_VERSION_4_0
if nonempty
$self->public_custom_data;
259 return KDBX_VERSION_4_0
if $self->objects->next(sub {
260 nonempty
$_->custom_data
263 return KDBX_VERSION_3_1
;
266 ##############################################################################
272 $self->{root
} = $self->_wrap_group(@_);
273 $self->{root
}->kdbx($self);
275 $self->{root
} //= $self->_implicit_root;
276 return $self->_wrap_group($self->{root
});
279 # Called by File::KeePass::KDBX so that a File::KDBX an be treated as a File::KDBX::Group in that both types
280 # can have subgroups. File::KDBX already has a `groups' method that does something different from the
281 # File::KDBX::Groups `groups' method.
284 return [] if !$self->{root
};
285 return $self->_has_implicit_root ? $self->root->groups : [$self->root];
288 sub _has_implicit_root
{
290 my $root = $self->root;
291 my $temp = __PACKAGE__-
>_implicit_root;
292 # If an implicit root group has been changed in any significant way, it is no longer implicit.
293 return $root->name eq $temp->name &&
294 $root->is_expanded ^ $temp->is_expanded &&
295 $root->notes eq $temp->notes &&
296 !@{$root->entries} &&
297 !defined $root->custom_icon_uuid &&
298 !keys %{$root->custom_data} &&
299 $root->icon_id == $temp->icon_id &&
300 $root->expires ^ $temp->expires &&
301 $root->default_auto_type_sequence eq $temp->default_auto_type_sequence &&
302 !defined $root->enable_auto_type &&
303 !defined $root->enable_searching;
308 require File
::KDBX
::Group
;
309 return File
::KDBX
::Group-
>new(
312 notes
=> 'Added as an implicit root group by '.__PACKAGE__
.'.',
313 ref $self ? (kdbx
=> $self) : (),
321 return $object->lineage(@_);
329 push @lineage, $self->root if !@lineage;
330 my $base = $lineage[-1] or return [];
332 my $uuid = $object->uuid;
333 return \
@lineage if any
{ $_->uuid eq $uuid } @{$base->groups}, @{$base->entries};
335 for my $subgroup (@{$base->groups}) {
336 my $result = $self->_trace_lineage($object, @lineage, $subgroup);
337 return $result if $result;
344 if (my $group = shift) {
345 $self->recycle_bin_uuid($group->uuid);
349 my $uuid = $self->recycle_bin_uuid;
350 $group = $self->groups->grep(uuid
=> $uuid)->next if $uuid ne UUID_NULL
;
351 if (!$group && $self->recycle_bin_enabled) {
352 $group = $self->add_group(
353 name
=> 'Recycle Bin',
354 icon_id
=> ICON_TRASHCAN_FULL
,
355 enable_auto_type
=> false
,
356 enable_searching
=> false
,
358 $self->recycle_bin_uuid($group->uuid);
364 sub entry_templates
{
366 if (my $group = shift) {
367 $self->entry_templates_group($group->uuid);
370 my $uuid = $self->entry_templates_group;
371 return if $uuid eq UUID_NULL
;
372 return $self->groups->grep(uuid
=> $uuid)->next;
378 if (my $group = shift) {
379 $self->last_selected_group($group->uuid);
382 my $uuid = $self->last_selected_group;
383 return if $uuid eq UUID_NULL
;
384 return $self->groups->grep(uuid
=> $uuid)->next;
388 sub last_top_visible
{
390 if (my $group = shift) {
391 $self->last_top_visible_group($group->uuid);
394 my $uuid = $self->last_top_visible_group;
395 return if $uuid eq UUID_NULL
;
396 return $self->groups->grep(uuid
=> $uuid)->next;
399 ##############################################################################
404 my $group = @_ % 2 == 1 ? shift : undef;
407 # find the right group to add the group to
408 my $parent = delete $args{group
} // $self->root;
409 $parent = $self->groups->grep({uuid
=> $parent})->next if !ref $parent;
410 $parent or throw
'Invalid group';
412 return $parent->add_group(defined $group ? $group : (), %args, kdbx
=> $self);
418 require File
::KDBX
::Group
;
419 return File
::KDBX
::Group-
>wrap($group, $self);
425 my %args = @_ % 2 == 0 ? @_ : (base
=> shift, @_);
426 my $base = delete $args{base
} // $self->root;
428 return $base->all_groups(%args);
431 ##############################################################################
436 my $entry = @_ % 2 == 1 ? shift : undef;
439 # find the right group to add the entry to
440 my $parent = delete $args{group
} // $self->root;
441 $parent = $self->groups->grep({uuid
=> $parent})->next if !ref $parent;
442 $parent or throw
'Invalid group';
444 return $parent->add_entry(defined $entry ? $entry : (), %args, kdbx
=> $self);
450 require File
::KDBX
::Entry
;
451 return File
::KDBX
::Entry-
>wrap($entry, $self);
457 my %args = @_ % 2 == 0 ? @_ : (base
=> shift, @_);
458 my $base = delete $args{base
} // $self->root;
460 return $base->all_entries(%args);
463 ##############################################################################
468 my %args = @_ % 2 == 0 ? @_ : (base
=> shift, @_);
469 my $base = delete $args{base
} // $self->root;
471 return $base->all_objects(%args);
474 sub __iter__
{ $_[0]->objects }
476 ##############################################################################
481 my %args = @_ == 2 ? (uuid
=> shift, data
=> shift)
482 : @_ % 2 == 1 ? (uuid
=> shift, @_) : @_;
484 if (!$args{uuid
} && !$args{data
}) {
485 my %standard = (uuid
=> 1, data
=> 1, name
=> 1, last_modification_time
=> 1);
486 my @other_keys = grep { !$standard{$_} } keys %args;
487 if (@other_keys == 1) {
488 my $key = $args{key
} = $other_keys[0];
489 $args{data
} = delete $args{$key};
493 my $uuid = $args{uuid
} or throw
'Must provide a custom icon UUID to access';
494 my $icon = (first
{ $_->{uuid
} eq $uuid } @{$self->custom_icons}) // do {
495 push @{$self->custom_icons}, my $i = { uuid
=> $uuid };
500 $fields = $args{data
} if is_plain_hashref
($args{data
});
502 while (my ($field, $value) = each %$fields) {
503 $icon->{$field} = $value;
509 sub custom_icon_data
{
511 my $uuid = shift // return;
512 my $icon = first
{ $_->{uuid
} eq $uuid } @{$self->custom_icons} or return;
513 return $icon->{data
};
517 sub add_custom_icon
{
519 my %args = @_ % 2 == 1 ? (data
=> shift, @_) : @_;
521 defined $args{data
} or throw
'Must provide image data';
523 my $uuid = $args{uuid
} // generate_uuid
;
524 push @{$self->custom_icons}, {
533 sub remove_custom_icon
{
537 @{$self->custom_icons} = grep { $_->{uuid
} eq $uuid ? do { push @deleted, $_; 0 } : 1 }
538 @{$self->custom_icons};
539 $self->add_deleted_object($uuid) if @deleted;
543 ##############################################################################
548 $self->{meta
}{custom_data
} = shift if @_ == 1 && is_plain_hashref
($_[0]);
549 return $self->{meta
}{custom_data
} //= {} if !@_;
551 my %args = @_ == 2 ? (key
=> shift, value
=> shift)
552 : @_ % 2 == 1 ? (key
=> shift, @_) : @_;
554 if (!$args{key
} && !$args{value
}) {
555 my %standard = (key
=> 1, value
=> 1, last_modification_time
=> 1);
556 my @other_keys = grep { !$standard{$_} } keys %args;
557 if (@other_keys == 1) {
558 my $key = $args{key
} = $other_keys[0];
559 $args{value
} = delete $args{$key};
563 my $key = $args{key
} or throw
'Must provide a custom_data key to access';
565 return $self->{meta
}{custom_data
}{$key} = $args{value
} if is_plain_hashref
($args{value
});
567 while (my ($field, $value) = each %args) {
568 $self->{meta
}{custom_data
}{$key}{$field} = $value;
570 return $self->{meta
}{custom_data
}{$key};
574 sub custom_data_value
{
576 my $data = $self->custom_data(@_) // return;
577 return $data->{value
};
581 sub public_custom_data
{
583 $self->{headers
}{+HEADER_PUBLIC_CUSTOM_DATA
} = shift if @_ == 1 && is_plain_hashref
($_[0]);
584 return $self->{headers
}{+HEADER_PUBLIC_CUSTOM_DATA
} //= {} if !@_;
586 my $key = shift or throw
'Must provide a public_custom_data key to access';
587 $self->{headers
}{+HEADER_PUBLIC_CUSTOM_DATA
}{$key} = shift if @_;
588 return $self->{headers
}{+HEADER_PUBLIC_CUSTOM_DATA
}{$key};
591 ##############################################################################
598 # my %options = @_; # prefer_old / prefer_new
599 # $other->merge_from($self);
606 # die 'Not implemented';
610 sub add_deleted_object
{
614 # ignore null and meta stream UUIDs
615 return if $uuid eq UUID_NULL
|| $uuid eq '0' x
16;
617 $self->deleted_objects->{$uuid} = {
619 deletion_time
=> scalar gmtime,
624 sub remove_deleted_object
{
627 delete $self->deleted_objects->{$uuid};
631 sub clear_deleted_objects
{
633 %{$self->deleted_objects} = ();
636 ##############################################################################
639 sub resolve_reference
{
641 my $wanted = shift // return;
642 my $search_in = shift;
645 if (!defined $text) {
646 $wanted =~ s/^\{REF:([^\}]+)\}$/$1/i;
647 ($wanted, $search_in, $text) = $wanted =~ /^([TUPANI])\@([TUPANIO]):(.*)$/i;
649 $wanted && $search_in && nonempty
($text) or return;
653 U
=> 'expand_username',
654 P
=> 'expand_password',
658 O
=> 'other_strings',
660 $wanted = $fields{$wanted} or return;
661 $search_in = $fields{$search_in} or return;
663 my $query = $search_in eq 'uuid' ? query
($search_in => uuid
($text))
664 : simple_expression_query
($text, '=~', $search_in);
666 my $entry = $self->entries->grep($query)->next;
669 return $entry->$wanted;
672 our %PLACEHOLDERS = (
673 # 'PLACEHOLDER' => sub { my ($entry, $arg) = @_; ... };
674 'TITLE' => sub { $_[0]->expand_title },
675 'USERNAME' => sub { $_[0]->expand_username },
676 'PASSWORD' => sub { $_[0]->expand_password },
677 'NOTES' => sub { $_[0]->expand_notes },
678 'S:' => sub { $_[0]->string_value($_[1]) },
679 'URL' => sub { $_[0]->expand_url },
680 'URL:RMVSCM' => sub { local $_ = $_[0]->url; s!^[^:/\?\#]+://!!; $_ },
681 'URL:WITHOUTSCHEME' => sub { local $_ = $_[0]->url; s!^[^:/\?\#]+://!!; $_ },
682 'URL:SCM' => sub { (split_url
($_[0]->url))[0] },
683 'URL:SCHEME' => sub { (split_url
($_[0]->url))[0] }, # non-standard
684 'URL:HOST' => sub { (split_url
($_[0]->url))[2] },
685 'URL:PORT' => sub { (split_url
($_[0]->url))[3] },
686 'URL:PATH' => sub { (split_url
($_[0]->url))[4] },
687 'URL:QUERY' => sub { (split_url
($_[0]->url))[5] },
688 'URL:HASH' => sub { (split_url
($_[0]->url))[6] }, # non-standard
689 'URL:FRAGMENT' => sub { (split_url
($_[0]->url))[6] }, # non-standard
690 'URL:USERINFO' => sub { (split_url
($_[0]->url))[1] },
691 'URL:USERNAME' => sub { (split_url
($_[0]->url))[7] },
692 'URL:PASSWORD' => sub { (split_url
($_[0]->url))[8] },
693 'UUID' => sub { local $_ = format_uuid
($_[0]->uuid); s/-//g; $_ },
694 'REF:' => sub { $_[0]->kdbx->resolve_reference($_[1]) },
695 'INTERNETEXPLORER' => sub { load_optional
('IPC::Cmd'); IPC
::Cmd
::can_run
('iexplore') },
696 'FIREFOX' => sub { load_optional
('IPC::Cmd'); IPC
::Cmd
::can_run
('firefox') },
697 'GOOGLECHROME' => sub { load_optional
('IPC::Cmd'); IPC
::Cmd
::can_run
('google-chrome') },
698 'OPERA' => sub { load_optional
('IPC::Cmd'); IPC
::Cmd
::can_run
('opera') },
699 'SAFARI' => sub { load_optional
('IPC::Cmd'); IPC
::Cmd
::can_run
('safari') },
700 'APPDIR' => sub { load_optional
('FindBin'); $FindBin::Bin
},
701 'GROUP' => sub { my $p = $_[0]->group; $p ? $p->name : undef },
702 'GROUP_PATH' => sub { $_[0]->path },
703 'GROUP_NOTES' => sub { my $p = $_[0]->group; $p ? $p->notes : undef },
712 'ENV:' => sub { $ENV{$_[1]} },
713 'ENV_DIRSEP' => sub { load_optional
('File::Spec')->catfile('', '') },
714 'ENV_PROGRAMFILES_X86' => sub { $ENV{'ProgramFiles(x86)'} || $ENV{'ProgramFiles'} },
717 'DT_SIMPLE' => sub { localtime-
>strftime('%Y%m%d%H%M%S') },
718 'DT_YEAR' => sub { localtime-
>strftime('%Y') },
719 'DT_MONTH' => sub { localtime-
>strftime('%m') },
720 'DT_DAY' => sub { localtime-
>strftime('%d') },
721 'DT_HOUR' => sub { localtime-
>strftime('%H') },
722 'DT_MINUTE' => sub { localtime-
>strftime('%M') },
723 'DT_SECOND' => sub { localtime-
>strftime('%S') },
724 'DT_UTC_SIMPLE' => sub { gmtime-
>strftime('%Y%m%d%H%M%S') },
725 'DT_UTC_YEAR' => sub { gmtime-
>strftime('%Y') },
726 'DT_UTC_MONTH' => sub { gmtime-
>strftime('%m') },
727 'DT_UTC_DAY' => sub { gmtime-
>strftime('%d') },
728 'DT_UTC_HOUR' => sub { gmtime-
>strftime('%H') },
729 'DT_UTC_MINUTE' => sub { gmtime-
>strftime('%M') },
730 'DT_UTC_SECOND' => sub { gmtime-
>strftime('%S') },
737 'HMACOTP' => sub { $_[0]->hmac_otp },
738 'TIMEOTP' => sub { $_[0]->time_otp },
739 'C:' => sub { '' }, # comment
747 ##############################################################################
752 $SAFE{$self} = shift if @_;
756 sub _remove_safe
{ delete $SAFE{$_[0]} }
761 # Find things to lock:
763 $self->entries(history
=> 1)->each(sub {
764 my $strings = $_->strings;
765 for my $string_key (keys %$strings) {
766 my $string = $strings->{$string_key};
767 push @strings, $string if $string->{protect
} // $self->memory_protection($string_key);
769 push @strings, grep { $_->{protect
} } values %{$_->binaries};
771 return $self if !@strings; # nothing to do
773 if (my $safe = $self->_safe) {
774 $safe->add(\
@strings);
777 $self->_safe(File
::KDBX
::Safe-
>new(\
@strings));
785 my $safe = $self->_safe or return $self;
795 throw
'Programmer error: Cannot call unlock_scoped in void context' if !defined wantarray;
797 return if !$self->is_locked;
798 require Scope
::Guard
;
799 my $guard = Scope
::Guard-
>new(sub { $self->lock });
808 my $safe = $self->_safe or return;
809 return $safe->peek($string);
813 sub is_locked
{ !!$_[0]->_safe }
815 ##############################################################################
818 # - Fixer tool. Can repair inconsistencies, including:
819 # - Orphaned binaries... not really a thing anymore since we now distribute binaries amongst entries
820 # - Unused custom icons (OFF, data loss)
822 # - All data types are valid
823 # - date times are correct
825 # - All UUIDs refer to things that exist
826 # - previous parent group
828 # - last selected group
829 # - last visible group
830 # - Enforce history size limits (ON)
831 # - Check headers/meta (ON)
832 # - Duplicate deleted objects (ON)
833 # - Duplicate window associations (OFF)
834 # - Header UUIDs match known ciphers/KDFs?
838 sub remove_empty_groups
{
841 $self->groups(algorithm
=> 'dfs')
842 ->where(-true
=> 'is_empty')
843 ->each(sub { push @removed, $_->remove });
848 sub remove_unused_icons
{
850 my %icons = map { $_->{uuid
} => 0 } @{$self->custom_icons};
852 $self->objects->each(sub { ++$icons{$_->custom_icon_uuid // ''} });
855 push @removed, $self->remove_custom_icon($_) for grep { $icons{$_} == 0 } keys %icons;
860 sub remove_duplicate_icons
{
865 for my $icon (@{$self->custom_icons}) {
866 my $digest = digest_data
('SHA256', $icon->{data
});
867 if (my $other = $seen{$digest}) {
868 $dup{$icon->{uuid
}} = $other->{uuid
};
871 $seen{$digest} = $icon;
876 while (my ($old_uuid, $new_uuid) = each %dup) {
878 ->where(custom_icon_uuid
=> $old_uuid)
879 ->each(sub { $_->custom_icon_uuid($new_uuid) });
880 push @removed, $self->remove_custom_icon($old_uuid);
890 my $max_items = $args{max_items
} // $self->history_max_items // HISTORY_DEFAULT_MAX_ITEMS
;
891 my $max_size = $args{max_size
} // $self->history_max_size // HISTORY_DEFAULT_MAX_SIZE
;
892 my $max_age = $args{max_age
} // $self->maintenance_history_days // HISTORY_DEFAULT_MAX_AGE
;
895 $self->entries->each(sub {
896 push @removed, $_->prune_history(
897 max_items
=> $max_items,
898 max_size
=> $max_size,
906 sub randomize_seeds
{
909 $iv_size = $self->cipher(key
=> "\0" x
32)->iv_size if KDBX_VERSION_4_0
<= $self->version;
910 $self->encryption_iv(random_bytes
($iv_size));
911 $self->inner_random_stream_key(random_bytes
(64));
912 $self->master_seed(random_bytes
(32));
913 $self->stream_start_bytes(random_bytes
(32));
914 $self->transform_seed(random_bytes
(32));
917 ##############################################################################
922 $KEYS{$self} = File
::KDBX
::Key-
>new(@_) if @_;
929 require File
::KDBX
::Key
::Composite
;
930 return File
::KDBX
::Key
::Composite-
>new(@_);
936 my %args = @_ % 2 == 1 ? (params
=> shift, @_) : @_;
938 my $params = $args{params
};
940 $params //= $self->kdf_parameters;
941 $params = {%{$params || {}}};
943 if (empty
$params || !defined $params->{+KDF_PARAM_UUID
}) {
944 $params->{+KDF_PARAM_UUID
} = KDF_UUID_AES
;
946 if ($params->{+KDF_PARAM_UUID
} eq KDF_UUID_AES
) {
947 # AES_CHALLENGE_RESPONSE is equivalent to AES if there are no challenge-response keys, and since
948 # non-KeePassXC implementations don't support challenge-response keys anyway, there's no problem with
949 # always using AES_CHALLENGE_RESPONSE for all KDBX4+ databases.
950 # For compatibility, we should not *write* AES_CHALLENGE_RESPONSE, but the dumper handles that.
951 if ($self->version >= KDBX_VERSION_4_0
) {
952 $params->{+KDF_PARAM_UUID
} = KDF_UUID_AES_CHALLENGE_RESPONSE
;
954 $params->{+KDF_PARAM_AES_SEED
} //= $self->transform_seed;
955 $params->{+KDF_PARAM_AES_ROUNDS
} //= $self->transform_rounds;
958 require File
::KDBX
::KDF
;
959 return File
::KDBX
::KDF-
>new(%$params);
964 my $param = KDF_PARAM_AES_SEED
; # Short cut: Argon2 uses the same parameter name ("S")
965 $self->headers->{+HEADER_TRANSFORM_SEED
} =
966 $self->headers->{+HEADER_KDF_PARAMETERS
}{$param} = shift if @_;
967 $self->headers->{+HEADER_TRANSFORM_SEED
} =
968 $self->headers->{+HEADER_KDF_PARAMETERS
}{$param} //= random_bytes
(32);
971 sub transform_rounds
{
973 require File
::KDBX
::KDF
;
974 my $info = $File::KDBX
::KDF
::ROUNDS_INFO
{$self->kdf_parameters->{+KDF_PARAM_UUID
} // ''} //
975 $File::KDBX
::KDF
::DEFAULT_ROUNDS_INFO
;
976 $self->headers->{+HEADER_TRANSFORM_ROUNDS
} =
977 $self->headers->{+HEADER_KDF_PARAMETERS
}{$info->{p
}} = shift if @_;
978 $self->headers->{+HEADER_TRANSFORM_ROUNDS
} =
979 $self->headers->{+HEADER_KDF_PARAMETERS
}{$info->{p
}} //= $info->{d
};
987 $args{uuid
} //= $self->cipher_id;
988 $args{iv
} //= $self->encryption_iv;
990 require File
::KDBX
::Cipher
;
991 return File
::KDBX
::Cipher-
>new(%args);
999 $args{stream_id
} //= delete $args{id
} // $self->inner_random_stream_id;
1000 $args{key
} //= $self->inner_random_stream_key;
1002 require File
::KDBX
::Cipher
;
1003 File
::KDBX
::Cipher-
>new(%args);
1006 sub inner_random_stream_id
{
1008 $self->inner_headers->{+INNER_HEADER_INNER_RANDOM_STREAM_ID
}
1009 = $self->headers->{+HEADER_INNER_RANDOM_STREAM_ID
} = shift if @_;
1010 $self->inner_headers->{+INNER_HEADER_INNER_RANDOM_STREAM_ID
}
1011 //= $self->headers->{+HEADER_INNER_RANDOM_STREAM_ID
} //= do {
1012 my $version = $self->minimum_version;
1013 $version < KDBX_VERSION_4_0
? STREAM_ID_SALSA20
: STREAM_ID_CHACHA20
;
1017 sub inner_random_stream_key
{
1020 # These are probably the same SvPV so erasing one will CoW, but erasing the second should do the
1022 erase \
$self->inner_headers->{+INNER_HEADER_INNER_RANDOM_STREAM_KEY
};
1023 erase \
$self->headers->{+HEADER_INNER_RANDOM_STREAM_KEY
};
1024 $self->inner_headers->{+INNER_HEADER_INNER_RANDOM_STREAM_KEY
}
1025 = $self->headers->{+HEADER_INNER_RANDOM_STREAM_KEY
} = shift;
1027 $self->inner_headers->{+INNER_HEADER_INNER_RANDOM_STREAM_KEY
}
1028 //= $self->headers->{+HEADER_INNER_RANDOM_STREAM_KEY
} //= random_bytes
(64); # 32
1031 #########################################################################################
1033 sub _handle_signal
{
1039 'entry.added' => \
&_handle_object_added
,
1040 'group.added' => \
&_handle_object_added
,
1041 'entry.removed' => \
&_handle_object_removed
,
1042 'group.removed' => \
&_handle_object_removed
,
1043 'entry.uuid.changed' => \
&_handle_entry_uuid_changed
,
1044 'group.uuid.changed' => \
&_handle_group_uuid_changed
,
1046 my $handler = $handlers{$type} or return;
1047 $self->$handler($object, @_);
1050 sub _handle_object_added
{
1053 $self->remove_deleted_object($object->uuid);
1056 sub _handle_object_removed
{
1059 my $old_uuid = $object->{uuid
} // return;
1061 my $meta = $self->meta;
1062 $self->recycle_bin_uuid(UUID_NULL
) if $old_uuid eq ($meta->{recycle_bin_uuid
} // '');
1063 $self->entry_templates_group(UUID_NULL
) if $old_uuid eq ($meta->{entry_templates_group
} // '');
1064 $self->last_selected_group(UUID_NULL
) if $old_uuid eq ($meta->{last_selected_group
} // '');
1065 $self->last_top_visible_group(UUID_NULL
) if $old_uuid eq ($meta->{last_top_visible_group
} // '');
1067 $self->add_deleted_object($old_uuid);
1070 sub _handle_entry_uuid_changed
{
1073 my $new_uuid = shift;
1074 my $old_uuid = shift // return;
1076 my $old_pretty = format_uuid
($old_uuid);
1077 my $new_pretty = format_uuid
($new_uuid);
1078 my $fieldref_match = qr/\{REF:([TUPANI])\@I:\Q$old_pretty\E\}/is;
1080 $self->entries->each(sub {
1081 $_->previous_parent_group($new_uuid) if $old_uuid eq ($_->{previous_parent_group
} // '');
1083 for my $string (values %{$_->strings}) {
1084 next if !defined $string->{value
} || $string->{value
} !~ $fieldref_match;
1085 my $txn = $_->begin_work;
1086 $string->{value
} =~ s/$fieldref_match/{REF:$1\@I:$new_pretty}/g;
1092 sub _handle_group_uuid_changed
{
1095 my $new_uuid = shift;
1096 my $old_uuid = shift // return;
1098 my $meta = $self->meta;
1099 $self->recycle_bin_uuid($new_uuid) if $old_uuid eq ($meta->{recycle_bin_uuid
} // '');
1100 $self->entry_templates_group($new_uuid) if $old_uuid eq ($meta->{entry_templates_group
} // '');
1101 $self->last_selected_group($new_uuid) if $old_uuid eq ($meta->{last_selected_group
} // '');
1102 $self->last_top_visible_group($new_uuid) if $old_uuid eq ($meta->{last_top_visible_group
} // '');
1104 $self->groups->each(sub {
1105 $_->last_top_visible_entry($new_uuid) if $old_uuid eq ($_->{last_top_visible_entry
} // '');
1106 $_->previous_parent_group($new_uuid) if $old_uuid eq ($_->{previous_parent_group
} // '');
1108 $self->entries->each(sub {
1109 $_->previous_parent_group($new_uuid) if $old_uuid eq ($_->{previous_parent_group
} // '');
1113 #########################################################################################
1116 #########################################################################################
1118 sub TO_JSON
{ +{%{$_[0]}} }
1128 =for markdown [![Linux](https://github.com/chazmcgarvey/File-KDBX/actions/workflows/linux.yml/badge.svg)](https://github.com/chazmcgarvey/File-KDBX/actions/workflows/linux.yml)
1129 [![macOS](https://github.com/chazmcgarvey/File-KDBX/actions/workflows/macos.yml/badge.svg)](https://github.com/chazmcgarvey/File-KDBX/actions/workflows/macos.yml)
1130 [![Windows](https://github.com/chazmcgarvey/File-KDBX/actions/workflows/windows.yml/badge.svg)](https://github.com/chazmcgarvey/File-KDBX/actions/workflows/windows.yml)
1132 =for HTML <a title="Linux" href="https://github.com/chazmcgarvey/File-KDBX/actions/workflows/linux.yml"><img src="https://github.com/chazmcgarvey/File-KDBX/actions/workflows/linux.yml/badge.svg"></a>
1133 <a title="macOS" href="https://github.com/chazmcgarvey/File-KDBX/actions/workflows/macos.yml"><img src="https://github.com/chazmcgarvey/File-KDBX/actions/workflows/macos.yml/badge.svg"></a>
1134 <a title="Windows" href="https://github.com/chazmcgarvey/File-KDBX/actions/workflows/windows.yml"><img src="https://github.com/chazmcgarvey/File-KDBX/actions/workflows/windows.yml/badge.svg"></a>
1138 File::KDBX - Encrypted database to store secret text and files
1148 # Create a new database from scratch
1149 my $kdbx = File::KDBX->new;
1151 # Add some objects to the database
1152 my $group = $kdbx->add_group(
1153 name => 'Passwords',
1155 my $entry = $group->add_entry(
1157 username => 'mreynolds',
1158 password => 's3cr3t',
1161 # Save the database to the filesystem
1162 $kdbx->dump_file('passwords.kdbx', 'masterpw changeme');
1164 # Load the database from the filesystem into a new database instance
1165 my $kdbx2 = File::KDBX->load_file('passwords.kdbx', 'masterpw changeme');
1167 # Iterate over database entries, print entry titles
1168 $kdbx2->entries->each(sub($entry, @) {
1169 say 'Entry: ', $entry->title;
1172 See L</RECIPES> for more examples.
1176 B<File::KDBX> provides everything you need to work with KDBX databases. A KDBX database is a hierarchical
1177 object database which is commonly used to store secret information securely. It was developed for the KeePass
1178 password safe. See L</"Introduction to KDBX"> for more information about KDBX.
1180 This module lets you query entries, create new entries, delete entries, modify entries and more. The
1181 distribution also includes various parsers and generators for serializing and persisting databases.
1183 The design of this software was influenced by the L<KeePassXC|https://github.com/keepassxreboot/keepassxc>
1184 implementation of KeePass as well as the L<File::KeePass> module. B<File::KeePass> is an alternative module
1185 that works well in most cases but has a small backlog of bugs and security issues and also does not work with
1186 newer KDBX version 4 files. If you're coming here from the B<File::KeePass> world, you might be interested in
1187 L<File::KeePass::KDBX> that is a drop-in replacement for B<File::KeePass> that uses B<File::KDBX> for storage.
1189 This software is a B<pre-1.0 release>. The interface should be considered pretty stable, but there might be
1190 minor changes up until a 1.0 release. Breaking changes will be noted in the F<Changes> file.
1198 ☑ Read and write KDBX version 3 - version 4.1
1202 ☑ Read and write KDB files (requires L<File::KeePass>)
1206 ☑ Unicode character strings
1210 ☑ L</"Simple Expression"> Searching
1214 ☑ L<Placeholders|File::KDBX::Entry/Placeholders> and L<field references|/resolve_reference>
1218 ☑ L<One-time passwords|File::KDBX::Entry/"One-time Passwords">
1222 ☑ L<Very secure|/SECURITY>
1226 ☑ L</"Memory Protection">
1230 ☑ Challenge-response key components, like L<YubiKey|File::KDBX::Key::YubiKey>
1234 ☑ Variety of L<key file|File::KDBX::Key::File> types: binary, hexed, hashed, XML v1 and v2
1238 ☑ Pluggable registration of different kinds of ciphers and key derivation functions
1242 ☑ Built-in database maintenance functions
1246 ☑ Pretty fast, with L<XS optimizations|File::KDBX::XS> available
1250 ☒ Database synchronization / merging (not yet)
1254 =head2 Introduction to KDBX
1256 A KDBX database consists of a tree of I<groups> and I<entries>, with a single I<root> group. Entries can
1257 contain zero or more key-value pairs of I<strings> and zero or more I<binaries> (i.e. octet strings). Groups,
1258 entries, strings and binaries: that's the KDBX vernacular. A small amount of metadata (timestamps, etc.) is
1259 associated with each entry, group and the database as a whole.
1261 You can think of a KDBX database kind of like a file system, where groups are directories, entries are files,
1262 and strings and binaries make up a file's contents.
1264 Databases are typically persisted as encrypted, compressed files. They are usually accessed directly (i.e.
1265 not over a network). The primary focus of this type of database is data security. It is ideal for storing
1266 relatively small amounts of data (strings and binaries) that must remain secret except to such individuals as
1267 have the correct I<master key>. Even if the database file were to be "leaked" to the public Internet, it
1268 should be virtually impossible to crack with a strong key. The KDBX format is most often used by password
1269 managers to store passwords so that users can know a single strong password and not have to reuse passwords
1270 across different websites. See L</SECURITY> for an overview of security considerations.
1282 =head2 inner_headers
1288 =head2 deleted_objects
1290 Hash of UUIDs for objects that have been deleted. This includes groups, entries and even custom icons.
1294 Bytes contained within the encrypted layer of a KDBX file. This is only set when using
1295 L<File::KDBX::Loader::Raw>.
1299 A text string associated with the database stored unencrypted in the file header. Often unset.
1303 The UUID of a cipher used to encrypt the database when stored as a file.
1305 See L<File::KDBX::Cipher>.
1307 =head2 compression_flags
1309 Configuration for whether or not and how the database gets compressed. See
1310 L<File::KDBX::Constants/":compression">.
1314 The master seed is a string of 32 random bytes that is used as salt in hashing the master key when loading
1315 and saving the database. If a challenge-response key is used in the master key, the master seed is also the
1318 The master seed I<should> be changed each time the database is saved to file.
1320 =head2 transform_seed
1322 The transform seed is a string of 32 random bytes that is used in the key derivation function, either as the
1323 salt or the key (depending on the algorithm).
1325 The transform seed I<should> be changed each time the database is saved to file.
1327 =head2 transform_rounds
1329 The number of rounds or iterations used in the key derivation function. Increasing this number makes loading
1330 and saving the database slower in order to make dictionary and brute force attacks more costly.
1332 =head2 encryption_iv
1334 The initialization vector used by the cipher.
1336 The encryption IV I<should> be changed each time the database is saved to file.
1338 =head2 inner_random_stream_key
1340 The encryption key (possibly including the IV, depending on the cipher) used to encrypt the protected strings
1341 within the database.
1343 =head2 stream_start_bytes
1345 A string of 32 random bytes written in the header and encrypted in the body. If the bytes do not match when
1346 loading a file then the wrong master key was used or the file is corrupt. Only KDBX 2 and KDBX 3 files use
1347 this. KDBX 4 files use an improved HMAC method to verify the master key and data integrity of the header and
1350 =head2 inner_random_stream_id
1352 A number indicating the cipher algorithm used to encrypt the protected strings within the database, usually
1353 Salsa20 or ChaCha20. See L<File::KDBX::Constants/":random_stream">.
1355 =head2 kdf_parameters
1357 A hash/dict of key-value pairs used to configure the key derivation function. This is the KDBX4+ way to
1358 configure the KDF, superceding L</transform_seed> and L</transform_rounds>.
1362 The name of the software used to generate the KDBX file.
1366 The header hash used to verify that the file header is not corrupt. (KDBX 2 - KDBX 3.1, removed KDBX 4.0)
1368 =head2 database_name
1370 Name of the database.
1372 =head2 database_name_changed
1374 Timestamp indicating when the database name was last changed.
1376 =head2 database_description
1378 Description of the database
1380 =head2 database_description_changed
1382 Timestamp indicating when the database description was last changed.
1384 =head2 default_username
1386 When a new entry is created, the I<UserName> string will be populated with this value.
1388 =head2 default_username_changed
1390 Timestamp indicating when the default username was last changed.
1394 A color associated with the database (in the form C<#ffffff> where "f" is a hexidecimal digit). Some agents
1395 use this to help users visually distinguish between different databases.
1397 =head2 master_key_changed
1399 Timestamp indicating when the master key was last changed.
1401 =head2 master_key_change_rec
1403 Number of days until the agent should prompt to recommend changing the master key.
1405 =head2 master_key_change_force
1407 Number of days until the agent should prompt to force changing the master key.
1409 Note: This is purely advisory. It is up to the individual agent software to actually enforce it.
1410 B<File::KDBX> does NOT enforce it.
1414 Array of custom icons that can be associated with groups and entries.
1416 This list can be managed with the methods L</add_custom_icon> and L</remove_custom_icon>.
1418 =head2 recycle_bin_enabled
1420 Boolean indicating whether removed groups and entries should go to a recycle bin or be immediately deleted.
1422 =head2 recycle_bin_uuid
1424 The UUID of a group used to store thrown-away groups and entries.
1426 =head2 recycle_bin_changed
1428 Timestamp indicating when the recycle bin group was last changed.
1430 =head2 entry_templates_group
1432 The UUID of a group containing template entries used when creating new entries.
1434 =head2 entry_templates_group_changed
1436 Timestamp indicating when the entry templates group was last changed.
1438 =head2 last_selected_group
1440 The UUID of the previously-selected group.
1442 =head2 last_top_visible_group
1444 The UUID of the group visible at the top of the list.
1446 =head2 history_max_items
1448 The maximum number of historical entries that should be kept for each entry. Default is 10.
1450 =head2 history_max_size
1452 The maximum total size (in bytes) that each individual entry's history is allowed to grow. Default is 6 MiB.
1454 =head2 maintenance_history_days
1456 The maximum age (in days) historical entries should be kept. Default it 365.
1458 =head2 settings_changed
1460 Timestamp indicating when the database settings were last updated.
1462 =head2 protect_title
1464 Alias of the L</memory_protection> setting for the I<Title> string.
1466 =head2 protect_username
1468 Alias of the L</memory_protection> setting for the I<UserName> string.
1470 =head2 protect_password
1472 Alias of the L</memory_protection> setting for the I<Password> string.
1476 Alias of the L</memory_protection> setting for the I<URL> string.
1478 =head2 protect_notes
1480 Alias of the L</memory_protection> setting for the I<Notes> string.
1486 $kdbx = File::KDBX->new(%attributes);
1487 $kdbx = File::KDBX->new($kdbx); # copy constructor
1489 Construct a new L<File::KDBX>.
1493 $kdbx = $kdbx->init(%attributes);
1495 Initialize a L<File::KDBX> with a set of attributes. Returns itself to allow method chaining.
1497 This is called by L</new>.
1501 $kdbx = $kdbx->reset;
1503 Set a L<File::KDBX> to an empty state, ready to load a KDBX file or build a new one. Returns itself to allow
1508 $kdbx_copy = $kdbx->clone;
1509 $kdbx_copy = File::KDBX->new($kdbx);
1511 Clone a L<File::KDBX>. The clone will be an exact copy and completely independent of the original.
1521 $kdbx = KDBX::File->load(\$string, $key);
1522 $kdbx = KDBX::File->load(*IO, $key);
1523 $kdbx = KDBX::File->load($filepath, $key);
1524 $kdbx->load(...); # also instance method
1526 $kdbx = File::KDBX->load_string($string, $key);
1527 $kdbx = File::KDBX->load_string(\$string, $key);
1528 $kdbx->load_string(...); # also instance method
1530 $kdbx = File::KDBX->load_file($filepath, $key);
1531 $kdbx->load_file(...); # also instance method
1533 $kdbx = File::KDBX->load_handle($fh, $key);
1534 $kdbx = File::KDBX->load_handle(*IO, $key);
1535 $kdbx->load_handle(...); # also instance method
1537 Load a KDBX file from a string buffer, IO handle or file from a filesystem.
1539 L<File::KDBX::Loader> does the heavy lifting.
1549 $kdbx->dump(\$string, $key);
1550 $kdbx->dump(*IO, $key);
1551 $kdbx->dump($filepath, $key);
1553 $kdbx->dump_string(\$string, $key);
1554 \$string = $kdbx->dump_string($key);
1556 $kdbx->dump_file($filepath, $key);
1558 $kdbx->dump_handle($fh, $key);
1559 $kdbx->dump_handle(*IO, $key);
1561 Dump a KDBX file to a string buffer, IO handle or file in a filesystem.
1563 L<File::KDBX::Dumper> does the heavy lifting.
1565 =head2 user_agent_string
1567 $string = $kdbx->user_agent_string;
1569 Get a text string identifying the database client software.
1571 =head2 memory_protection
1573 \%settings = $kdbx->memory_protection
1574 $kdbx->memory_protection(\%settings);
1576 $bool = $kdbx->memory_protection($string_key);
1577 $kdbx->memory_protection($string_key => $bool);
1579 Get or set memory protection settings. This globally (for the whole database) configures whether and which of
1580 the standard strings should be memory-protected. The default setting is to memory-protect only I<Password>
1583 Memory protection can be toggled individually for each entry string, and individual settings take precedence
1584 over these global settings.
1586 =head2 minimum_version
1588 $version = $kdbx->minimum_version;
1590 Determine the minimum file version required to save a database losslessly. Using certain databases features
1591 might increase this value. For example, setting the KDF to Argon2 will increase the minimum version to at
1592 least C<KDBX_VERSION_4_0> (i.e. C<0x00040000>) because Argon2 was introduced with KDBX4.
1594 This method never returns less than C<KDBX_VERSION_3_1> (i.e. C<0x00030001>). That file version is so
1595 ubiquitous and well-supported, there are seldom reasons to dump in a lesser format nowadays.
1597 B<WARNING:> If you dump a database with a minimum version higher than the current L</version>, the dumper will
1598 typically issue a warning and automatically upgrade the database. This seems like the safest behavior in order
1599 to avoid data loss, but lower versions have the benefit of being compatible with more software. It is possible
1600 to prevent auto-upgrades by explicitly telling the dumper which version to use, but you do run the risk of
1601 data loss. A database will never be automatically downgraded.
1605 $group = $kdbx->root;
1606 $kdbx->root($group);
1608 Get or set a database's root group. You don't necessarily need to explicitly create or set a root group
1609 because it autovivifies when adding entries and groups to the database.
1611 Every database has only a single root group at a time. Some old KDB files might have multiple root groups.
1612 When reading such files, a single implicit root group is created to contain the actual root groups. When
1613 writing to such a format, if the root group looks like it was implicitly created then it won't be written and
1614 the resulting file might have multiple root groups, as it was before loading. This allows working with older
1615 files without changing their written internal structure while still adhering to modern semantics while the
1618 The root group of a KDBX database contains all of the database's entries and other groups. If you replace the
1619 root group, you are essentially replacing the entire database contents with something else.
1621 =head2 trace_lineage
1623 \@lineage = $kdbx->trace_lineage($group);
1624 \@lineage = $kdbx->trace_lineage($group, $base_group);
1625 \@lineage = $kdbx->trace_lineage($entry);
1626 \@lineage = $kdbx->trace_lineage($entry, $base_group);
1628 Get the direct line of ancestors from C<$base_group> (default: the root group) to a group or entry. The
1629 lineage includes the base group but I<not> the target group or entry. Returns C<undef> if the target is not in
1630 the database structure.
1634 $group = $kdbx->recycle_bin;
1635 $kdbx->recycle_bin($group);
1637 Get or set the recycle bin group. Returns C<undef> if there is no recycle bin and L</recycle_bin_enabled> is
1638 false, otherwise the current recycle bin or an autovivified recycle bin group is returned.
1640 =head2 entry_templates
1642 $group = $kdbx->entry_templates;
1643 $kdbx->entry_templates($group);
1645 Get or set the entry templates group. May return C<undef> if unset.
1647 =head2 last_selected
1649 $group = $kdbx->last_selected;
1650 $kdbx->last_selected($group);
1652 Get or set the last selected group. May return C<undef> if unset.
1654 =head2 last_top_visible
1656 $group = $kdbx->last_top_visible;
1657 $kdbx->last_top_visible($group);
1659 Get or set the last top visible group. May return C<undef> if unset.
1663 $kdbx->add_group($group);
1664 $kdbx->add_group(%group_attributes, %options);
1666 Add a group to a database. This is equivalent to identifying a parent group and calling
1667 L<File::KDBX::Group/add_group> on the parent group, forwarding the arguments. Available options:
1673 C<group> - Group object or group UUID to add the group to (default: root group)
1679 \&iterator = $kdbx->groups(%options);
1680 \&iterator = $kdbx->groups($base_group, %options);
1682 Get an L<File::KDBX::Iterator> over I<groups> within a database. Options:
1688 C<base> - Only include groups within a base group (same as C<$base_group>) (default: L</root>)
1692 C<inclusive> - Include the base group in the results (default: true)
1696 C<algorithm> - Search algorithm, one of C<ids>, C<bfs> or C<dfs> (default: C<ids>)
1702 $kdbx->add_entry($entry, %options);
1703 $kdbx->add_entry(%entry_attributes, %options);
1705 Add an entry to a database. This is equivalent to identifying a parent group and calling
1706 L<File::KDBX::Group/add_entry> on the parent group, forwarding the arguments. Available options:
1712 C<group> - Group object or group UUID to add the entry to (default: root group)
1718 \&iterator = $kdbx->entries(%options);
1719 \&iterator = $kdbx->entries($base_group, %options);
1721 Get an L<File::KDBX::Iterator> over I<entries> within a database. Supports the same options as L</groups>,
1728 C<auto_type> - Only include entries with auto-type enabled (default: false, include all)
1732 C<searching> - Only include entries within groups with searching enabled (default: false, include all)
1736 C<history> - Also include historical entries (default: false, include only current entries)
1742 \&iterator = $kdbx->objects(%options);
1743 \&iterator = $kdbx->objects($base_group, %options);
1745 Get an L<File::KDBX::Iterator> over I<objects> within a database. Groups and entries are considered objects,
1746 so this is essentially a combination of L</groups> and L</entries>. This won't often be useful, but it can be
1747 convenient for maintenance tasks. This method takes the same options as L</groups> and L</entries>.
1751 \%icon = $kdbx->custom_icon($uuid);
1752 $kdbx->custom_icon($uuid => \%icon);
1753 $kdbx->custom_icon(%icon);
1754 $kdbx->custom_icon(uuid => $value, %icon);
1756 Get or set custom icons.
1758 =head2 custom_icon_data
1760 $image_data = $kdbx->custom_icon_data($uuid);
1762 Get a custom icon image data.
1764 =head2 add_custom_icon
1766 $uuid = $kdbx->add_custom_icon($image_data, %attributes);
1767 $uuid = $kdbx->add_custom_icon(%attributes);
1769 Add a custom icon and get its UUID. If not provided, a random UUID will be generated. Possible attributes:
1775 C<uuid> - Icon UUID (default: autogenerated)
1779 C<data> - Image data (same as C<$image_data>)
1783 C<name> - Name of the icon (text, KDBX4.1+)
1787 C<last_modification_time> - Just what it says (datetime, KDBX4.1+)
1791 =head2 remove_custom_icon
1793 $kdbx->remove_custom_icon($uuid);
1795 Remove a custom icon.
1799 \%all_data = $kdbx->custom_data;
1800 $kdbx->custom_data(\%all_data);
1802 \%data = $kdbx->custom_data($key);
1803 $kdbx->custom_data($key => \%data);
1804 $kdbx->custom_data(%data);
1805 $kdbx->custom_data(key => $value, %data);
1807 Get and set custom data. Custom data is metadata associated with a database.
1809 Each data item can have a few attributes associated with it.
1815 C<key> - A unique text string identifier used to look up the data item (required)
1819 C<value> - A text string value (required)
1823 C<last_modification_time> (optional, KDBX4.1+)
1827 =head2 custom_data_value
1829 $value = $kdbx->custom_data_value($key);
1831 Exactly the same as L</custom_data> except returns just the custom data's value rather than a structure of
1832 attributes. This is a shortcut for:
1834 my $data = $kdbx->custom_data($key);
1835 my $value = defined $data ? $data->{value} : undef;
1837 =head2 public_custom_data
1839 \%all_data = $kdbx->public_custom_data;
1840 $kdbx->public_custom_data(\%all_data);
1842 $value = $kdbx->public_custom_data($key);
1843 $kdbx->public_custom_data($key => $value);
1845 Get and set public custom data. Public custom data is similar to custom data but different in some important
1846 ways. Public custom data:
1852 can store strings, booleans and up to 64-bit integer values (custom data can only store text values)
1856 is NOT encrypted within a KDBX file (hence the "public" part of the name)
1860 is a plain hash/dict of key-value pairs with no other associated fields (like modification times)
1864 =head2 add_deleted_object
1866 $kdbx->add_deleted_object($uuid);
1868 Add a UUID to the deleted objects list. This list is used to support automatic database merging.
1870 You typically do not need to call this yourself because the list will be populated automatically as objects
1873 =head2 remove_deleted_object
1875 $kdbx->remove_deleted_object($uuid);
1877 Remove a UUID from the deleted objects list. This list is used to support automatic database merging.
1879 You typically do not need to call this yourself because the list will be maintained automatically as objects
1882 =head2 clear_deleted_objects
1884 Remove all UUIDs from the deleted objects list. This list is used to support automatic database merging, but
1885 if you don't need merging then you can clear deleted objects to reduce the database file size.
1887 =head2 resolve_reference
1889 $string = $kdbx->resolve_reference($reference);
1890 $string = $kdbx->resolve_reference($wanted, $search_in, $expression);
1892 Resolve a L<field reference|https://keepass.info/help/base/fieldrefs.html>. A field reference is a kind of
1893 string placeholder. You can use a field reference to refer directly to a standard field within an entry. Field
1894 references are resolved automatically while expanding entry strings (i.e. replacing placeholders), but you can
1895 use this method to resolve on-the-fly references that aren't part of any actual string in the database.
1897 If the reference does not resolve to any field, C<undef> is returned. If the reference resolves to multiple
1898 fields, only the first one is returned (in the same order as iterated by L</entries>). To avoid ambiguity, you
1899 can refer to a specific entry by its UUID.
1901 The syntax of a reference is: C<< {REF:<WantedField>@<SearchIn>:<Text>} >>. C<Text> is a
1902 L</"Simple Expression">. C<WantedField> and C<SearchIn> are both single character codes representing a field:
1932 C<O> - Other custom strings
1936 Since C<O> does not represent any specific field, it cannot be used as the C<WantedField>.
1940 To get the value of the I<UserName> string of the first entry with "My Bank" in the title:
1942 my $username = $kdbx->resolve_reference('{REF:U@T:"My Bank"}');
1943 # OR the {REF:...} wrapper is optional
1944 my $username = $kdbx->resolve_reference('U@T:"My Bank"');
1945 # OR separate the arguments
1946 my $username = $kdbx->resolve_reference(U => T => '"My Bank"');
1948 Note how the text is a L</"Simple Expression">, so search terms with spaces must be surrounded in double
1951 To get the I<Password> string of a specific entry (identified by its UUID):
1953 my $password = $kdbx->resolve_reference('{REF:P@I:46C9B1FFBD4ABC4BBB260C6190BAD20C}');
1959 Encrypt all protected strings and binaries in a database. The encrypted data is stored in
1960 a L<File::KDBX::Safe> associated with the database and the actual values will be replaced with C<undef> to
1961 indicate their protected state. Returns itself to allow method chaining.
1963 You can call C<lock> on an already-locked database to memory-protect any unprotected strings and binaries
1964 added after the last time the database was locked.
1970 Decrypt all protected strings and binaries in a database, replacing C<undef> value placeholders with their
1971 actual, unprotected values. Returns itself to allow method chaining.
1973 =head2 unlock_scoped
1975 $guard = $kdbx->unlock_scoped;
1977 Unlock a database temporarily, relocking when the guard is released (typically at the end of a scope). Returns
1978 C<undef> if the database is already unlocked.
1980 See L</lock> and L</unlock>.
1985 my $guard = $kdbx->unlock_scoped;
1988 # $kdbx is now memory-locked
1992 $string = $kdbx->peek(\%string);
1993 $string = $kdbx->peek(\%binary);
1995 Peek at the value of a protected string or binary without unlocking the whole database. The argument can be
1996 a string or binary hashref as returned by L<File::KDBX::Entry/string> or L<File::KDBX::Entry/binary>.
2000 $bool = $kdbx->is_locked;
2002 Get whether or not a database's contents are in a locked (i.e. memory-protected) state. If this is true, then
2003 some or all of the protected strings and binaries within the database will be unavailable (literally have
2004 C<undef> values) until L</unlock> is called.
2006 =head2 remove_empty_groups
2008 $kdbx->remove_empty_groups;
2010 Remove groups with no subgroups and no entries.
2012 =head2 remove_unused_icons
2014 $kdbx->remove_unused_icons;
2016 Remove icons that are not associated with any entry or group in the database.
2018 =head2 remove_duplicate_icons
2020 $kdbx->remove_duplicate_icons;
2022 Remove duplicate icons as determined by hashing the icon data.
2024 =head2 prune_history
2026 $kdbx->prune_history(%options);
2028 Remove just as many older historical entries as necessary to get under certain limits.
2034 C<max_items> - Maximum number of historical entries to keep (default: value of L</history_max_items>, no limit: -1)
2038 C<max_size> - Maximum total size (in bytes) of historical entries to keep (default: value of L</history_max_size>, no limit: -1)
2042 C<max_age> - Maximum age (in days) of historical entries to keep (default: value of L</maintenance_history_days>, no limit: -1)
2046 =head2 randomize_seeds
2048 $kdbx->randomize_seeds;
2050 Set various keys, seeds and IVs to random values. These values are used by the cryptographic functions that
2051 secure the database when dumped. The attributes that will be randomized are:
2061 L</inner_random_stream_key>
2069 L</stream_start_bytes>
2077 Randomizing these values has no effect on a loaded database. These are only used when a database is dumped.
2078 You normally do not need to call this method explicitly because the dumper does it for you by default.
2083 $key = $kdbx->key($key);
2084 $key = $kdbx->key($primitive);
2086 Get or set a L<File::KDBX::Key>. This is the master key (e.g. a password or a key file that can decrypt
2087 a database). You can also pass a primitive castable to a B<Key>. See L<File::KDBX::Key/new> for an explanation
2088 of what the primitive can be.
2090 You generally don't need to call this directly because you can provide the key directly to the loader or
2091 dumper when loading or dumping a KDBX file.
2093 =head2 composite_key
2095 $key = $kdbx->composite_key($key);
2096 $key = $kdbx->composite_key($primitive);
2098 Construct a L<File::KDBX::Key::Composite> from a B<Key> or primitive. See L<File::KDBX::Key/new> for an
2099 explanation of what the primitive can be. If the primitive does not represent a composite key, it will be
2102 You generally don't need to call this directly. The loader and dumper use it to transform a master key into
2103 a raw encryption key.
2107 $kdf = $kdbx->kdf(%options);
2108 $kdf = $kdbx->kdf(\%parameters, %options);
2110 Get a L<File::KDBX::KDF> (key derivation function).
2118 C<params> - KDF parameters, same as C<\%parameters> (default: value of L</kdf_parameters>)
2124 $cipher = $kdbx->cipher(key => $key);
2125 $cipher = $kdbx->cipher(key => $key, iv => $iv, uuid => $uuid);
2127 Get a L<File::KDBX::Cipher> capable of encrypting and decrypting the body of a database file.
2129 A key is required. This should be a raw encryption key made up of a fixed number of octets (depending on the
2130 cipher), not a L<File::KDBX::Key> or primitive.
2132 If not passed, the UUID comes from C<< $kdbx->headers->{cipher_id} >> and the encryption IV comes from
2133 C<< $kdbx->headers->{encryption_iv} >>.
2135 You generally don't need to call this directly. The loader and dumper use it to decrypt and encrypt KDBX
2138 =head2 random_stream
2140 $cipher = $kdbx->random_stream;
2141 $cipher = $kdbx->random_stream(id => $stream_id, key => $key);
2143 Get a L<File::KDBX::Cipher::Stream> for decrypting and encrypting protected values.
2145 If not passed, the ID and encryption key comes from C<< $kdbx->headers->{inner_random_stream_id} >> and
2146 C<< $kdbx->headers->{inner_random_stream_key} >> (respectively) for KDBX3 files and from
2147 C<< $kdbx->inner_headers->{inner_random_stream_key} >> and
2148 C<< $kdbx->inner_headers->{inner_random_stream_id} >> (respectively) for KDBX4 files.
2150 You generally don't need to call this directly. The loader and dumper use it to scramble protected strings.
2152 =for Pod::Coverage STORABLE_freeze STORABLE_thaw TO_JSON
2156 =head2 Create a new database
2158 my $kdbx = File::KDBX->new;
2160 my $group = $kdbx->add_group(name => 'Passwords);
2161 my $entry = $group->add_entry(
2162 title => 'WayneCorp',
2163 username => 'bwayne',
2164 password => 'iambatman',
2165 url => 'https://example.com/login'
2167 $entry->add_auto_type_window_association('WayneCorp - Mozilla Firefox', '{PASSWORD}{ENTER}');
2169 $kdbx->dump_file('mypasswords.kdbx', 'master password CHANGEME');
2171 =head2 Read an existing database
2173 my $kdbx = File::KDBX->load_file('mypasswords.kdbx', 'master password CHANGEME');
2174 $kdbx->unlock; # cause $entry->password below to be defined
2176 $kdbx->entries->each(sub($entry, @) {
2177 say 'Found password for: ', $entry->title;
2178 say ' Username: ', $entry->username;
2179 say ' Password: ', $entry->password;
2182 =head2 Search for entries
2184 my @entries = $kdbx->entries(searching => 1)
2185 ->grep(title => 'WayneCorp')
2186 ->each; # return all matches
2188 The C<searching> option limits results to only entries within groups with searching enabled. Other options are
2189 also available. See L</entries>.
2191 See L</QUERY> for many more query examples.
2193 =head2 Search for entries by auto-type window association
2195 my $window_title = 'WayneCorp - Mozilla Firefox';
2197 my $entries = $kdbx->entries(auto_type => 1)
2199 my ($ata) = grep { $_->{window} =~ /\Q$window_title\E/i } @{$_->auto_type_associations};
2200 return [$_, $ata->{keystroke_sequence}] if $ata;
2203 my ($entry, $keys) = @$_;
2204 say 'Entry title: ', $entry->title, ', key sequence: ', $keys;
2209 Entry title: WayneCorp, key sequence: {PASSWORD}{ENTER}
2211 =head2 Remove entries from a database
2214 ->grep(notes => {'=~' => qr/too old/i})
2215 ->each(sub { $_->recycle });
2217 Recycle all entries with the string "too old" appearing in the B<Notes> string.
2219 =head2 Remove empty groups
2221 $kdbx->groups(algorithm => 'dfs')
2222 ->where(-true => 'is_empty')
2225 With the search/iteration C<algorithm> set to "dfs", groups will be ordered deepest first and the root group
2226 will be last. This allows removing groups that only contain empty groups.
2228 This can also be done with one call to L</remove_empty_groups>.
2232 One of the biggest threats to your database security is how easily the encryption key can be brute-forced.
2233 Strong brute-force protection depends on:
2239 Using unguessable passwords, passphrases and key files.
2243 Using a brute-force resistent key derivation function.
2247 The first factor is up to you. This module does not enforce strong master keys. It is up to you to pick or
2248 generate strong keys.
2250 The KDBX format allows for the key derivation function to be tuned. The idea is that you want each single
2251 brute-force attempt to be expensive (in terms of time, CPU usage or memory usage), so that making a lot of
2252 attempts (which would be required if you have a strong master key) gets I<really> expensive.
2254 How expensive you want to make each attempt is up to you and can depend on the application.
2256 This and other KDBX-related security issues are covered here more in depth:
2257 L<https://keepass.info/help/base/security.html>
2259 Here are other security risks you should be thinking about:
2263 This distribution uses the excellent L<CryptX> and L<Crypt::Argon2> packages to handle all crypto-related
2264 functions. As such, a lot of the security depends on the quality of these dependencies. Fortunately these
2265 modules are maintained and appear to have good track records.
2267 The KDBX format has evolved over time to incorporate improved security practices and cryptographic functions.
2268 This package uses the following functions for authentication, hashing, encryption and random number
2311 At the time of this writing, I am not aware of any successful attacks against any of these functions. These
2312 are among the most-analyzed and widely-adopted crypto functions available.
2314 The KDBX format allows the body cipher and key derivation function to be configured. If a flaw is discovered
2315 in one of these functions, you can hopefully just switch to a better function without needing to update this
2316 software. A later software release may phase out the use of any functions which are no longer secure.
2318 =head2 Memory Protection
2320 It is not a good idea to keep secret information unencrypted in system memory for longer than is needed. The
2321 address space of your program can generally be read by a user with elevated privileges on the system. If your
2322 system is memory-constrained or goes into a hibernation mode, the contents of your address space could be
2323 written to a disk where it might be persisted for long time.
2325 There might be system-level things you can do to reduce your risk, like using swap encryption and limiting
2326 system access to your program's address space while your program is running.
2328 B<File::KDBX> helps minimize (but not eliminate) risk by keeping secrets encrypted in memory until accessed
2329 and zeroing out memory that holds secrets after they're no longer needed, but it's not a silver bullet.
2331 For one thing, the encryption key is stored in the same address space. If core is dumped, the encryption key
2332 is available to be found out. But at least there is the chance that the encryption key and the encrypted
2333 secrets won't both be paged out together while memory-constrained.
2335 Another problem is that some perls (somewhat notoriously) copy around memory behind the scenes willy nilly,
2336 and it's difficult know when perl makes a copy of a secret in order to be able to zero it out later. It might
2337 be impossible. The good news is that perls with SvPV copy-on-write (enabled by default beginning with perl
2338 5.20) are much better in this regard. With COW, it's mostly possible to know what operations will cause perl
2339 to copy the memory of a scalar string, and the number of copies will be significantly reduced. There is a unit
2340 test named F<t/memory-protection.t> in this distribution that can be run on POSIX systems to determine how
2341 well B<File::KDBX> memory protection is working.
2343 Memory protection also depends on how your application handles secrets. If your app code is handling scalar
2344 strings with secret information, it's up to you to make sure its memory is zeroed out when no longer needed.
2345 L<File::KDBX::Util/erase> et al. provide some tools to help accomplish this. Or if you're not too concerned
2346 about the risks memory protection is meant to mitigate, then maybe don't worry about it. The security policy
2347 of B<File::KDBX> is to try hard to keep secrets protected while in memory so that your app might claim a high
2348 level of security, in case you care about that.
2350 There are some memory protection strategies that B<File::KDBX> does NOT use today but could in the future:
2352 Many systems allow programs to mark unswappable pages. Secret information should ideally be stored in such
2353 pages. You could potentially use L<mlockall(2)> (or equivalent for your system) in your own application to
2354 prevent the entire address space from being swapped.
2356 Some systems provide special syscalls for storing secrets in memory while keeping the encryption key outside
2357 of the program's address space, like C<CryptProtectMemory> for Windows. This could be a good option, though
2358 unfortunately not portable.
2362 To find things in a KDBX database, you should use a filtered iterator. If you have an iterator, such as
2363 returned by L</entries>, L</groups> or even L</objects> you can filter it using L<File::KDBX::Iterator/where>.
2365 my $filtered_entries = $kdbx->entries->where(\&query);
2367 A C<\&query> is just a subroutine that you can either write yourself or have generated for you from either
2368 a L</"Simple Expression"> or L</"Declarative Syntax">. It's easier to have your query generated, so I'll cover
2371 =head2 Simple Expression
2373 A simple expression is mostly compatible with the KeePass 2 implementation
2374 L<described here|https://keepass.info/help/base/search.html#mode_se>.
2376 An expression is a string with one or more space-separated terms. Terms with spaces can be enclosed in double
2377 quotes. Terms are negated if they are prefixed with a minus sign. A record must match every term on at least
2378 one of the given fields.
2380 So a simple expression is something like what you might type into a search engine. You can generate a simple
2381 expression query using L<File::KDBX::Util/simple_expression_query> or by passing the simple expression as
2382 a B<scalar reference> to C<where>.
2384 To search for all entries in a database with the word "canyon" appearing anywhere in the title:
2386 my $entries = $kdbx->entries->where(\'canyon', qw[title]);
2388 Notice the first argument is a B<scalarref>. This disambiguates a simple expression from other types of
2389 queries covered below.
2391 As mentioned, a simple expression can have multiple terms. This simple expression query matches any entry that
2392 has the words "red" B<and> "canyon" anywhere in the title:
2394 my $entries = $kdbx->entries->where(\'red canyon', qw[title]);
2396 Each term in the simple expression must be found for an entry to match.
2398 To search for entries with "red" in the title but B<not> "canyon", just prepend "canyon" with a minus sign:
2400 my $entries = $kdbx->entries->where(\'red -canyon', qw[title]);
2402 To search over multiple fields simultaneously, just list them all. To search for entries with "grocery" (but
2403 not "Foodland") in the title or notes:
2405 my $entries = $kdbx->entries->where(\'grocery -Foodland', qw[title notes]);
2407 The default operator is a case-insensitive regexp match, which is fine for searching text loosely. You can use
2408 just about any binary comparison operator that perl supports. To specify an operator, list it after the simple
2409 expression. For example, to search for any entry that has been used at least five times:
2411 my $entries = $kdbx->entries->where(\5, '>=', qw[usage_count]);
2413 It helps to read it right-to-left, like "usage_count is greater than or equal to 5".
2415 If you find the disambiguating structures to be distracting or confusing, you can also use the
2416 L<File::KDBX::Util/simple_expression_query> function as a more intuitive alternative. The following example is
2417 equivalent to the previous:
2419 my $entries = $kdbx->entries->where(simple_expression_query(5, '>=', qw[usage_count]));
2421 =head2 Declarative Syntax
2423 Structuring a declarative query is similar to L<SQL::Abstract/"WHERE CLAUSES">, but you don't have to be
2424 familiar with that module. Just learn by examples here.
2426 To search for all entries in a database titled "My Bank":
2428 my $entries = $kdbx->entries->where({ title => 'My Bank' });
2430 The query here is C<< { title => 'My Bank' } >>. A hashref can contain key-value pairs where the key is an
2431 attribute of the thing being searched for (in this case an entry) and the value is what you want the thing's
2432 attribute to be to consider it a match. In this case, the attribute we're using as our match criteria is
2433 L<File::KDBX::Entry/title>, a text field. If an entry has its title attribute equal to "My Bank", it's
2436 A hashref can contain multiple attributes. The search candidate will be a match if I<all> of the specified
2437 attributes are equal to their respective values. For example, to search for all entries with a particular URL
2440 my $entries = $kdbx->entries->where({
2441 url => 'https://example.com',
2445 To search for entries matching I<any> criteria, just change the hashref to an arrayref. To search for entries
2446 with a particular URL B<OR> username:
2448 my $entries = $kdbx->entries->where([ # <-- Notice the square bracket
2449 url => 'https://example.com',
2453 You can use different operators to test different types of attributes. The L<File::KDBX::Entry/icon_id>
2454 attribute is a number, so we should use a number comparison operator. To find entries using the smartphone
2457 my $entries = $kdbx->entries->where({
2458 icon_id => { '==', ICON_SMARTPHONE },
2461 Note: L<File::KDBX::Constants/ICON_SMARTPHONE> is just a constant from L<File::KDBX::Constants>. It isn't
2462 special to this example or to queries generally. We could have just used a literal number.
2464 The important thing to notice here is how we wrapped the condition in another hashref with a single key-value
2465 pair where the key is the name of an operator and the value is the thing to match against. The supported
2472 C<eq> - String equal
2476 C<ne> - String not equal
2480 C<lt> - String less than
2484 C<gt> - String greater than
2488 C<le> - String less than or equal
2492 C<ge> - String greater than or equal
2496 C<==> - Number equal
2500 C<!=> - Number not equal
2504 C<< < >> - Number less than
2508 C<< > >> - Number greater than
2512 C<< <= >> - Number less than or equal
2516 C<< >= >> - Number less than or equal
2520 C<=~> - String match regular expression
2524 C<!~> - String does not match regular expression
2528 C<!> - Boolean false
2532 C<!!> - Boolean true
2536 Other special operators:
2542 C<-true> - Boolean true
2546 C<-false> - Boolean false
2550 C<-not> - Boolean false (alias for C<-false>)
2554 C<-defined> - Is defined
2558 C<-undef> - Is not defined
2562 C<-empty> - Is empty
2566 C<-nonempty> - Is not empty
2574 C<-and> - Logical and
2578 Let's see another example using an explicit operator. To find all groups except one in particular (identified
2579 by its L<File::KDBX::Group/uuid>), we can use the C<ne> (string not equal) operator:
2581 my $groups = $kdbx->groups->where(
2583 'ne' => uuid('596f7520-6172-6520-7370-656369616c2e'),
2587 Note: L<File::KDBX::Util/uuid> is a little utility function to convert a UUID in its pretty form into bytes.
2588 This utility function isn't special to this example or to queries generally. It could have been written with
2589 a literal such as C<"\x59\x6f\x75\x20\x61...">, but that's harder to read.
2591 Notice we searched for groups this time. Finding groups works exactly the same as it does for entries.
2593 Notice also that we didn't wrap the query in hashref curly-braces or arrayref square-braces. Those are
2594 optional. By default it will only match ALL attributes (as if there were curly-braces).
2596 Testing the truthiness of an attribute is a little bit different because it isn't a binary operation. To find
2597 all entries with the password quality check disabled:
2599 my $entries = $kdbx->entries->where('!' => 'quality_check');
2601 This time the string after the operator is the attribute name rather than a value to compare the attribute
2602 against. To test that a boolean value is true, use the C<!!> operator (or C<-true> if C<!!> seems a little too
2603 weird for your taste):
2605 my $entries = $kdbx->entries->where('!!' => 'quality_check');
2606 my $entries = $kdbx->entries->where(-true => 'quality_check'); # same thing
2608 Yes, there is also a C<-false> and a C<-not> if you prefer one of those over C<!>. C<-false> and C<-not>
2609 (along with C<-true>) are also special in that you can use them to invert the logic of a subquery. These are
2610 logically equivalent:
2612 my $entries = $kdbx->entries->where(-not => { title => 'My Bank' });
2613 my $entries = $kdbx->entries->where(title => { 'ne' => 'My Bank' });
2615 These special operators become more useful when combined with two more special operators: C<-and> and C<-or>.
2616 With these, it is possible to construct more interesting queries with groups of logic. For example:
2618 my $entries = $kdbx->entries->where({
2619 title => { '=~', qr/bank/ },
2622 notes => { '=~', qr/business/ },
2623 icon_id => { '==', ICON_TRASHCAN_FULL },
2628 In English, find entries where the word "bank" appears anywhere in the title but also do not have either the
2629 word "business" in the notes or are using the full trashcan icon.
2631 =head2 Subroutine Query
2633 Lastly, as mentioned at the top, you can ignore all this and write your own subroutine. Your subroutine will
2634 be called once for each object being searched over. The subroutine should match the candidate against whatever
2635 criteria you want and return true if it matches or false to skip. To do this, just pass your subroutine
2636 coderef to C<where>.
2638 To review the different types of queries, these are all equivalent to find all entries in the database titled
2641 my $entries = $kdbx->entries->where(\'"My Bank"', 'eq', qw[title]); # simple expression
2642 my $entries = $kdbx->entries->where(title => 'My Bank'); # declarative syntax
2643 my $entries = $kdbx->entries->where(sub { $_->title eq 'My Bank' }); # subroutine query
2645 This is a trivial example, but of course your subroutine can be arbitrarily complex.
2647 All of these query mechanisms described in this section are just tools, each with its own set of limitations.
2648 If the tools are getting in your way, you can of course iterate over the contents of a database and implement
2649 your own query logic, like this:
2651 my $entries = $kdbx->entries;
2652 while (my $entry = $entries->next) {
2653 if (wanted($entry)) {
2654 do_something($entry);
2663 Iterators are the built-in way to navigate or walk the database tree. You get an iterator from L</entries>,
2664 L</groups> and L</objects>. You can specify the search algorithm to iterate over objects in different orders
2665 using the C<algorithm> option, which can be one of these L<constants|File::KDBX::Constants/":iteration">:
2671 C<ITERATION_IDS> - Iterative deepening search (default)
2675 C<ITERATION_DFS> - Depth-first search
2679 C<ITERATION_BFS> - Breadth-first search
2683 When iterating over objects generically, groups always precede their direct entries (if any). When the
2684 C<history> option is used, current entries always precede historical entries.
2686 If you have a database tree like this:
2701 IDS order of groups is: Root, Group1, Group2, Group3
2705 IDS order of entries is: EntryA, EntryB, EntryC
2709 IDS order of objects is: Root, Group1, EntryA, Group2, EntryB, Group3, EntryC
2713 DFS order of groups is: Group2, Group1, Group3, Root
2717 DFS order of entries is: EntryB, EntryA, EntryC
2721 DFS order of objects is: Group2, EntryB, Group1, EntryA, Group3, EntryC, Root
2725 BFS order of groups is: Root, Group1, Group3, Group2
2729 BFS order of entries is: EntryA, EntryC, EntryB
2733 BFS order of objects is: Root, Group1, EntryA, Group3, EntryC, Group2, EntryB
2737 =head1 SYNCHRONIZING
2739 B<TODO> - This is a planned feature, not yet implemented.
2743 Errors in this package are constructed as L<File::KDBX::Error> objects and propagated using perl's built-in
2744 mechanisms. Fatal errors are propagated using L<perlfunc/"die LIST"> and non-fatal errors (a.k.a. warnings)
2745 are propagated using L<perlfunc/"warn LIST"> while adhering to perl's L<warnings> system. If you're already
2746 familiar with these mechanisms, you can skip this section.
2748 You can catch fatal errors using L<perlfunc/"eval BLOCK"> (or something like L<Try::Tiny>) and non-fatal
2749 errors using C<$SIG{__WARN__}> (see L<perlvar/%SIG>). Examples:
2751 use File::KDBX::Error qw(error);
2753 my $key = ''; # uh oh
2755 $kdbx->load_file('whatever.kdbx', $key);
2757 if (my $error = error($@)) {
2758 handle_missing_key($error) if $error->type eq 'key.missing';
2762 or using C<Try::Tiny>:
2765 $kdbx->load_file('whatever.kdbx', $key);
2771 Catching non-fatal errors:
2774 local $SIG{__WARN__} = sub { push @warnings, $_[0] };
2776 $kdbx->load_file('whatever.kdbx', $key);
2778 handle_warnings(@warnings) if @warnings;
2780 By default perl prints warnings to C<STDERR> if you don't catch them. If you don't want to catch them and also
2781 don't want them printed to C<STDERR>, you can suppress them lexically (perl v5.28 or higher required):
2784 no warnings 'File::KDBX';
2791 local $File::KDBX::WARNINGS = 0;
2795 or globally in your program:
2797 $File::KDBX::WARNINGS = 0;
2799 You cannot suppress fatal errors, and if you don't catch them your program will exit.
2803 This software will alter its behavior depending on the value of certain environment variables:
2809 C<PERL_FILE_KDBX_XS> - Do not use L<File::KDBX::XS> if false (default: true)
2813 C<PERL_ONLY> - Do not use L<File::KDBX::XS> if true (default: false)
2817 C<NO_FORK> - Do not fork if true (default: false)
2827 L<KeePass Password Safe|https://keepass.info/> - The original KeePass
2831 L<KeePassXC|https://keepassxc.org/> - Cross-Platform Password Manager written in C++
2835 L<File::KeePass> has overlapping functionality. It's good but has a backlog of some pretty critical bugs and lacks support for newer KDBX features.
2841 Please report any bugs or feature requests on the bugtracker website
2842 L<https://github.com/chazmcgarvey/File-KDBX/issues>
2844 When submitting a bug or request, please include a test-file or a
2845 patch to an existing test-file that illustrates the bug or desired
2850 Charles McGarvey <ccm@cpan.org>
2852 =head1 COPYRIGHT AND LICENSE
2854 This software is copyright (c) 2022 by Charles McGarvey.
2856 This is free software; you can redistribute it and/or modify it under
2857 the same terms as the Perl 5 programming language system itself.