Back on Mac OS 10.7, there was an encrypted file called Form Values in the folder /home/Users/${user}/Library/Safari. This encrypted file contained all "auto-fill" form values in Safari. I don't know if this file still exists on current version, but during some analysis of an old mac of mine, I found this encrypted file and wanted to dig into it.
This file seems to be encrypted with a key contained in the user's login.keychain. I have the key (256 bits long) but I was not able to find the correct way to decrypt data.
According to this answer https://apple.stackexchange.com/a/198290/332020 the file is encrypted with AES-128 bits. But none of my implementation did work (AES-128 with first 128 bits as salt, 128 after as key, ECB, CBC, …). Since Mac OS 10.7 was released in 2011, I also tried 3DES, without luck also.
Does someone know more about the encryption process?
Best Answer
So... After hours research, I finally found the encryption process.
The password contained in the keychain is NOT the encryption key! The password has to be derived to obtain the key. The process is as follow: PBKDF2_SHA1(password: passwordFromKeychain, salt: someSalt, iterations: 1000, outputLen: 128)
Then the cipher can be easily decrypted. It is simply AES-CBC-128 with PKCS5Padding and no IV (or IV = [0, ...])
The output will be a binary PLIST which can be read by any program having such capability. Thus, you can know if the decryption process is successful by verifying the first 6 byte are equals to: "bplist".
I wrote a code (JAVA) to do the decryption: https://github.com/Flo354/SafariFormValuesDecryptor