Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save pedroteixeira/54cddd240b1dd78ca9eeaa52668c3c64 to your computer and use it in GitHub Desktop.
Save pedroteixeira/54cddd240b1dd78ca9eeaa52668c3c64 to your computer and use it in GitHub Desktop.
Export Google Chrome passwords to Firefox
#
# This is a little script to populate Firefox Sync with
# password exported from Google Chrome as csv. Use it like so:
#
# $> pip install PyFxA syncclient cryptography
# $> python ./upload_passwords_to_firefox_sync_account.py
#
# It will prompt for your Firefox Account email address and
# password, csv file and upload password records, then
# sync down and print all password records stored in sync.
#
import os
import time
import json
import random
import string
import getpass
import hmac
import hashlib
import base64
import uuid
from binascii import hexlify
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.backends import default_backend
import fxa.core
import fxa.crypto
import syncclient.client
CRYPTO_BACKEND = default_backend()
EMAIL = raw_input("Email: ")
PASSWORD = getpass.getpass("Password: ")
CHROME_PASSWORD_CSV_EXPORT_PATH = raw_input('Path to Chrome exported passwords csv: ')
import csv
now = int(time.time() * 1000)
passwords = []
with open(CHROME_PASSWORD_CSV_EXPORT_PATH) as csv_file:
csv_reader = csv.reader(csv_file, delimiter=',')
line_count = 0
for row in csv_reader:
if line_count > 1:
passwords.append({
"id": "{%s}" % (uuid.uuid4(),),
"username": row[2],
"password": row[3],
"hostname": row[0],
"formSubmitURL": row[1],
"timeCreated": now,
"timePasswordChanged": now,
"httpRealm": None,
"usernameField": "username",
"passwordField": "password",
})
line_count += 1
print 'Processed ', line_count, ' lines.'
# Below here is all the mechanics of uploading them to the sync server.
def main():
creds = login()
upload_fake_password_records(*creds)
def login():
client = fxa.core.Client()
print "Signing in as", EMAIL, "..."
session = client.login(EMAIL, PASSWORD, keys=True)
try:
status = session.get_email_status()
while not status["verified"]:
print "Please click through the confirmation email."
if raw_input("Hit enter when done, or type 'resend':").strip() == "resend":
session.resend_email_code()
status = session.get_email_status()
assertion = session.get_identity_assertion("https://token.services.mozilla.com/")
_, kB = session.fetch_keys()
finally:
session.destroy_session()
return assertion, kB
def upload_fake_password_records(assertion, kB):
# Connect to sync.
xcs = hexlify(hashlib.sha256(kB).digest()[:16])
client = syncclient.client.SyncClient(assertion, xcs)
# Fetch /crypto/keys.
raw_sync_key = fxa.crypto.derive_key(kB, "oldsync", 64)
root_key_bundle = KeyBundle(
raw_sync_key[:32],
raw_sync_key[32:],
)
keys_bso = client.get_record("crypto", "keys")
keys = root_key_bundle.decrypt_bso(keys_bso)
default_key_bundle = KeyBundle(
base64.b64decode(keys["default"][0]),
base64.b64decode(keys["default"][1]),
)
# Make a lot of password records.
i = 0
for password in passwords:
print "Uploading", i, "of", len(passwords), "fake password records..."
er = default_key_bundle.encrypt_bso(password)
assert default_key_bundle.decrypt_bso(er) == password
client.put_record("passwords", er)
i += 1
print "Synced password records:"
for er in client.get_records("passwords"):
r = default_key_bundle.decrypt_bso(er)
print " %s: %r (%s)" % (r["username"], r["password"].encode('utf8'), r["hostname"])
print "Done!"
class KeyBundle:
"""A little helper class to hold a sync key bundle."""
def __init__(self, enc_key, mac_key):
self.enc_key = enc_key
self.mac_key = mac_key
def decrypt_bso(self, data):
payload = json.loads(data["payload"])
mac = hmac.new(self.mac_key, payload["ciphertext"], hashlib.sha256)
if mac.hexdigest() != payload["hmac"]:
raise ValueError("hmac mismatch: %r != %r" % (mac.hexdigest(), payload["hmac"]))
iv = base64.b64decode(payload["IV"])
cipher = Cipher(
algorithms.AES(self.enc_key),
modes.CBC(iv),
backend=CRYPTO_BACKEND
)
decryptor = cipher.decryptor()
plaintext = decryptor.update(base64.b64decode(payload["ciphertext"]))
plaintext += decryptor.finalize()
unpadder = padding.PKCS7(128).unpadder()
plaintext = unpadder.update(plaintext) + unpadder.finalize()
return json.loads(plaintext)
def encrypt_bso(self, data):
plaintext = json.dumps(data)
padder = padding.PKCS7(128).padder()
plaintext = padder.update(plaintext) + padder.finalize()
iv = os.urandom(16)
cipher = Cipher(
algorithms.AES(self.enc_key),
modes.CBC(iv),
backend=CRYPTO_BACKEND
)
encryptor = cipher.encryptor()
ciphertext = encryptor.update(plaintext)
ciphertext += encryptor.finalize()
b64_ciphertext = base64.b64encode(ciphertext)
mac = hmac.new(self.mac_key, b64_ciphertext, hashlib.sha256).hexdigest()
return {
"id": data["id"],
"payload": json.dumps({
"ciphertext": b64_ciphertext,
"IV": base64.b64encode(iv),
"hmac": mac,
})
}
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment