From 016c620d55dde5f9555de734235141bb8149bbe9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?= <contact@lsferreira.net>
Date: Sat, 2 Oct 2021 20:42:15 +0100
Subject: [PATCH] detect_private_key: add OpenVPN shared-secret key block
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

'OpenVPN Static key V1' label is often used by OpenVPN for providing hardening
security with additional HMAC signatures to the SSL/TLS handshake packets. They
are shared secrets and should be kept private.

Signed-off-by: Luís Ferreira <contact@lsferreira.net>
---
 pre_commit_hooks/detect_private_key.py | 1 +
 tests/detect_private_key_test.py       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/pre_commit_hooks/detect_private_key.py b/pre_commit_hooks/detect_private_key.py
index bd1f2962..3a6027da 100644
--- a/pre_commit_hooks/detect_private_key.py
+++ b/pre_commit_hooks/detect_private_key.py
@@ -12,6 +12,7 @@
     b'BEGIN SSH2 ENCRYPTED PRIVATE KEY',
     b'BEGIN PGP PRIVATE KEY BLOCK',
     b'BEGIN ENCRYPTED PRIVATE KEY',
+    b'BEGIN OpenVPN Static key V1',
 ]
 
 
diff --git a/tests/detect_private_key_test.py b/tests/detect_private_key_test.py
index 9495047b..d2c724f0 100644
--- a/tests/detect_private_key_test.py
+++ b/tests/detect_private_key_test.py
@@ -11,6 +11,7 @@
     (b'PuTTY-User-Key-File-2: ssh-rsa', 1),
     (b'---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----', 1),
     (b'-----BEGIN ENCRYPTED PRIVATE KEY-----', 1),
+    (b'-----BEGIN OpenVPN Static key V1-----', 1),
     (b'ssh-rsa DATA', 0),
     (b'ssh-dsa DATA', 0),
     # Some arbitrary binary data