While writing a program to parse the OPVault file format I came across a couple of errors/omissions and I thought it would be good to report them.
The Key Derivation section says that to derive the encryption and mac keys the master password is converted to a "UTF-8 null terminated string". This is a little confusing because the terminating NULL character is not actually used to derive the key. It only serves the purpose of using `strlen` to easily determine the password length to call `CCKeyDerivationPBKDF`. This is also highly dependent on both the Apple platform and the C language. Given the multi-platform nature of your software I would describe the file format in a more language and platform agnostic way. Moreover the document does not specify how Unicode strings should be normalized (NFC or NFD) which is as important as specifying the UTF-8 encoding is used to get the correct derived key.
In the hmac section, the pseudo-code to compute the MAC shows that the elements' values are converted to strings. The problem here arises when a value is of a boolean type, like in the "trashed" element. From my tests I guess your code to compute the MAC is converting the `true` JSON token to the string "1" instead of the more intuitive string "true". It would be good to clearly state how these conversions are performed to properly validate the MAC.
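An added example, not part of the original post and not 1Password's code: it shows how the normalization form and a stray C terminator change the bytes fed to the KDF, and therefore the derived keys. PBKDF2-HMAC-SHA512 with a 64-byte output split into two 32-byte keys is assumed here, and the salt, iteration count and passwords are constructed.

```python
import hashlib
import unicodedata

# Constructed sample parameters (not taken from any real vault profile).
SALT = bytes(range(16))
ITERATIONS = 1000  # kept low so the demo runs quickly


def password_bytes(password: str, form: str, null_terminate: bool = False) -> bytes:
    """Normalize, then UTF-8 encode; optionally append the C string terminator."""
    data = unicodedata.normalize(form, password).encode("utf-8")
    return data + b"\x00" if null_terminate else data


def derive_keys(pw: bytes, salt: bytes = SALT, iterations: int = ITERATIONS):
    """Assumed scheme: PBKDF2-HMAC-SHA512, 64 bytes split into two 32-byte keys."""
    derived = hashlib.pbkdf2_hmac("sha512", pw, salt, iterations, dklen=64)
    return derived[:32], derived[32:]  # (encryption key, MAC key)


def compare(password: str) -> dict:
    """Derive keys for each candidate byte encoding of the same password."""
    variants = {
        "NFC": password_bytes(password, "NFC"),
        "NFD": password_bytes(password, "NFD"),
        # HMAC zero-pads keys shorter than its block size (128 bytes for
        # SHA-512), so a trailing NUL only changes the result once the
        # terminated password exceeds that length.
        "NFC+NUL": password_bytes(password, "NFC", null_terminate=True),
    }
    return {name: derive_keys(pw) for name, pw in variants.items()}


if __name__ == "__main__":
    for pw in ("hunter2", "caf\u00e9", "x" * 128):
        keys = compare(pw)
        print(repr(pw[:8]),
              "NFC==NFD:", keys["NFC"] == keys["NFD"],
              "NFC==NFC+NUL:", keys["NFC"] == keys["NFC+NUL"])
```

A parser that wrongly includes the terminator still unlocks vaults with short passwords and fails only for very long ones, which is why the specification needs to state the exact byte string that is hashed.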