From ccdf02dfd48be0656f3b33ded45e629296344db5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?= Date: Sat, 2 Oct 2021 20:33:35 +0100 Subject: [PATCH 1/2] detect_private_key: add textual version of `PKCS #8` encrypted private keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As described by RFC7468 and RFC5958, keys that are encoded using the "ENCRYPTED PRIVATE KEY" label are described as private key information and therefore can contain secrets, even though encrypted. Signed-off-by: Luís Ferreira --- pre_commit_hooks/detect_private_key.py | 1 + tests/detect_private_key_test.py | 1 + 2 files changed, 2 insertions(+) diff --git a/pre_commit_hooks/detect_private_key.py b/pre_commit_hooks/detect_private_key.py index 7bbc2f91..bd1f2962 100644 --- a/pre_commit_hooks/detect_private_key.py +++ b/pre_commit_hooks/detect_private_key.py @@ -11,6 +11,7 @@ b'PuTTY-User-Key-File-2', b'BEGIN SSH2 ENCRYPTED PRIVATE KEY', b'BEGIN PGP PRIVATE KEY BLOCK', + b'BEGIN ENCRYPTED PRIVATE KEY', ] diff --git a/tests/detect_private_key_test.py b/tests/detect_private_key_test.py index 72810008..9495047b 100644 --- a/tests/detect_private_key_test.py +++ b/tests/detect_private_key_test.py @@ -10,6 +10,7 @@ (b'-----BEGIN OPENSSH PRIVATE KEY-----', 1), (b'PuTTY-User-Key-File-2: ssh-rsa', 1), (b'---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----', 1), + (b'-----BEGIN ENCRYPTED PRIVATE KEY-----', 1), (b'ssh-rsa DATA', 0), (b'ssh-dsa DATA', 0), # Some arbitrary binary data From 1b4e30e9aaebad246088f2493b3fdbbc04991686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?= Date: Sat, 2 Oct 2021 20:42:15 +0100 Subject: [PATCH 2/2] detect_private_key: add OpenVPN shared-secret key block MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 'OpenVPN Static key V1' label is often used by OpenVPN for providing hardening security with additional HMAC signatures to the SSL/TLS handshake packets. They are shared secrets and should be kept private. Signed-off-by: Luís Ferreira --- pre_commit_hooks/detect_private_key.py | 1 + tests/detect_private_key_test.py | 1 + 2 files changed, 2 insertions(+) diff --git a/pre_commit_hooks/detect_private_key.py b/pre_commit_hooks/detect_private_key.py index bd1f2962..3a6027da 100644 --- a/pre_commit_hooks/detect_private_key.py +++ b/pre_commit_hooks/detect_private_key.py @@ -12,6 +12,7 @@ b'BEGIN SSH2 ENCRYPTED PRIVATE KEY', b'BEGIN PGP PRIVATE KEY BLOCK', b'BEGIN ENCRYPTED PRIVATE KEY', + b'BEGIN OpenVPN Static key V1', ] diff --git a/tests/detect_private_key_test.py b/tests/detect_private_key_test.py index 9495047b..d2c724f0 100644 --- a/tests/detect_private_key_test.py +++ b/tests/detect_private_key_test.py @@ -11,6 +11,7 @@ (b'PuTTY-User-Key-File-2: ssh-rsa', 1), (b'---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----', 1), (b'-----BEGIN ENCRYPTED PRIVATE KEY-----', 1), + (b'-----BEGIN OpenVPN Static key V1-----', 1), (b'ssh-rsa DATA', 0), (b'ssh-dsa DATA', 0), # Some arbitrary binary data