# badkeys
Tool and library to check cryptographic public keys for known vulnerabilities
# what?
badkeys checks public keys in various formats for known vulnerabilities. A web version
can be found at [badkeys.info](https://badkeys.info/).
# install
badkeys can be installed [via pip](https://pypi.org/project/badkeys/):
```
pip3 install badkeys
```
Alternatively, you can call _./badkeys-cli_ directly from the git repository.
# usage
Before using badkeys, you need to download the blocklist data:
```
badkeys --update-bl
```
After that, you can call _badkeys_ and pass files with cryptographic public keys as the
parameter:
```
badkeys test.crt my.key
```
It will automatically try to detect the file format. Supported are public and private
keys in PEM format (both PKCS #1 and PKCS #8), X.509 certificates, certificate signing
requests (CSRs) and SSH public keys. You can find some test keys in the _tests/data_
directory.
By default, badkeys will only output information about vulnerable keys, meaning no
output will be generated if no vulnerabilities are found. The _-a_ parameter creates
output for all keys.
# scanning
badkeys can scan SSH and TLS hosts and automatically check their public keys. This can
be enabled with the parameters _-s_ (SSH) and _-t_ (TLS). By default, SSH will be
scanned on port 22 and TLS will be scanned on several ports for common protocols
(https/443, smtps/465, ldaps/636, ftps/990, imaps/993, pop3s/995 and 8443, which is
commonly used as a non-standard https port).
Alternative ports can be configured with _--tls-ports_ and _--ssh-ports_.
TLS and SSH scanning can be combined:
```
badkeys -ts example.org
```
Note that the scanning modes have limitations. It is often more desirable to use other
tools to collect TLS/SSH keys and scan them locally with badkeys.
SSH scanning needs [paramiko](https://www.paramiko.org/) as an additional dependency.
TLS scanning can't detect multiple certificates on one host (e.g. ECDSA and RSA). This
is a [limitation of Python's ssl.get_server_certificate() function](
https://bugs.python.org/issue31892).
# Python module and API
badkeys can also be used as a Python module. However, currently the software is in beta
state and the API may change regularly.
# about
badkeys was written by [Hanno Böck](https://hboeck.de).
This work was initially funded in 2022 by Industriens Fond through the CIDI project
(Cybersecure IOT in Danish Industry) and the [Center for Information Security and Trust
(CISAT)](https://cisat.dk/) at the IT University of Copenhagen, Denmark.
Raw data
{
"_id": null,
"home_page": null,
"name": "badkeys",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": null,
"keywords": "security, cryptography, rsa",
"author": "Hanno B\u00f6ck",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/88/fd/0b40be2d9d46befa087cc5ca494ebadf5777cb05a5ef6ee27577e82ae409/badkeys-0.0.11.tar.gz",
"platform": null,
"description": "# badkeys\n\nTool and library to check cryptographic public keys for known vulnerabilities\n\n# what?\n\nbadkeys checks public keys in various formats for known vulnerabilities. A web version\ncan be found at [badkeys.info](https://badkeys.info/).\n\n# install\n\nbadkeys can be installed [via pip](https://pypi.org/project/badkeys/):\n```\npip3 install badkeys\n```\n\nAlternatively, you can call _./badkeys-cli_ directly from the git repository.\n\n# usage\n\nBefore using badkeys, you need to download the blocklist data:\n```\nbadkeys --update-bl\n```\n\nAfter that, you can call _badkeys_ and pass files with cryptographic public keys as the\nparameter:\n```\nbadkeys test.crt my.key\n```\n\nIt will automatically try to detect the file format. Supported are public and private\nkeys in PEM format (both PKCS #1 and PKCS #8), X.509 certificates, certificate signing\nrequests (CSRs) and SSH public keys. You can find some test keys in the _tests/data_\ndirectory.\n\nBy default, badkeys will only output information about vulnerable keys, meaning no\noutput will be generated if no vulnerabilities are found. The _-a_ parameter creates\noutput for all keys.\n\n# scanning\n\nbadkeys can scan SSH and TLS hosts and automatically check their public keys. This can\nbe enabled with the parameters _-s_ (SSH) and _-t_ (TLS). By default, SSH will be\nscanned on port 22 and TLS will be scanned on several ports for common protocols\n(https/443, smtps/465, ldaps/636, ftps/990, imaps/993, pop3s/995 and 8443, which is\ncommonly used as a non-standard https port).\n\nAlternative ports can be configured with _--tls-ports_ and _--ssh-ports_.\n\nTLS and SSH scanning can be combined:\n```\nbadkeys -ts example.org\n```\n\nNote that the scanning modes have limitations. It is often more desirable to use other\ntools to collect TLS/SSH keys and scan them locally with badkeys.\n\nSSH scanning needs [paramiko](https://www.paramiko.org/) as an additional dependency.\n\nTLS scanning can't detect multiple certificates on one host (e.g. ECDSA and RSA). This\nis a [limitation of Python's ssl.get_server_certificate() function](\nhttps://bugs.python.org/issue31892).\n\n# Python module and API\n\nbadkeys can also be used as a Python module. However, currently the software is in beta\nstate and the API may change regularly.\n\n# about\n\nbadkeys was written by [Hanno B\u00f6ck](https://hboeck.de).\n\nThis work was initially funded in 2022 by Industriens Fond through the CIDI project\n(Cybersecure IOT in Danish Industry) and the [Center for Information Security and Trust\n(CISAT)](https://cisat.dk/) at the IT University of Copenhagen, Denmark.\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Check cryptographic keys for known weaknesses",
"version": "0.0.11",
"project_urls": {
"Bug Tracker": "https://github.com/badkeys/badkeys/issues",
"Homepage": "https://badkeys.info/",
"Source": "https://github.com/badkeys/badkeys"
},
"split_keywords": [
"security",
" cryptography",
" rsa"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "5e0b3cde0cc846bf8c4a6dd188980134ca1f66e35ba84df62de621b7d1a89e03",
"md5": "91d711836b0a734eab2ad99497368ab6",
"sha256": "8ae2c27a58f1c0bde7e524af0970e270113d3c619fdd28d8ee3b5ad6a9ec829a"
},
"downloads": -1,
"filename": "badkeys-0.0.11-py3-none-any.whl",
"has_sig": false,
"md5_digest": "91d711836b0a734eab2ad99497368ab6",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 365256,
"upload_time": "2024-05-13T07:47:03",
"upload_time_iso_8601": "2024-05-13T07:47:03.268066Z",
"url": "https://files.pythonhosted.org/packages/5e/0b/3cde0cc846bf8c4a6dd188980134ca1f66e35ba84df62de621b7d1a89e03/badkeys-0.0.11-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "88fd0b40be2d9d46befa087cc5ca494ebadf5777cb05a5ef6ee27577e82ae409",
"md5": "7bdb4129927a7e84cf2ac0a4fbd1c0d9",
"sha256": "0bc38ac6e683d5c85f7abb15de5ea14e1bf428267e60a9240b1faa34bd91f018"
},
"downloads": -1,
"filename": "badkeys-0.0.11.tar.gz",
"has_sig": false,
"md5_digest": "7bdb4129927a7e84cf2ac0a4fbd1c0d9",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 374536,
"upload_time": "2024-05-13T07:47:06",
"upload_time_iso_8601": "2024-05-13T07:47:06.573353Z",
"url": "https://files.pythonhosted.org/packages/88/fd/0b40be2d9d46befa087cc5ca494ebadf5777cb05a5ef6ee27577e82ae409/badkeys-0.0.11.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-05-13 07:47:06",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "badkeys",
"github_project": "badkeys",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "cryptography",
"specs": []
},
{
"name": "gmpy2",
"specs": []
}
],
"lcname": "badkeys"
}
JSON
