OpenPGPKeyAnalyzer


Name: OpenPGPKeyAnalyzer
Version: 0.1.13
Summary: Check OpenPGP Key files for known cryptographic vulnerabilities
Upload time: 2025-02-11 18:01:27
Author: Alexander Bleicher
Requires Python: >=3.12
License: MIT
Keywords: security, cryptography, openpgp
Repository: https://github.com/AlexBleicher/OpenPGP-Key-Analyzer
Requirements: cffi==1.17.1, coloredlogs==15.0.1, cryptography==44.0.0, future==1.0.0, gmpy2==2.2.1, humanfriendly==10.0, pgpdump==1.5, PGPy==0.6.0, pyasn1==0.6.1, pycparser==2.22, pyreadline3==3.5.4, python-dateutil==2.9.0.post0, roca-detect==1.2.12, setuptools==75.8.0, six==1.17.0

# OpenPGP-Key-Analyzer
An open-source Python CLI that parses key files conforming to the OpenPGP standard and analyzes them for vulnerability to known cryptographic weaknesses.

## Supported Formats
The Analyzer supports OpenPGP Key Files in ASCII-armored or Binary Format.<br>
Both [RFC 4880](https://www.rfc-editor.org/rfc/rfc4880.html) and [RFC 9580](https://www.rfc-editor.org/rfc/rfc9580.html) are supported.

:warning: <b>If no warning is created for a given key, this does not automatically make the key secure against any attack. It only indicates that none of the already implemented vulnerability checks detected a weakness!</b>

## Installation
The OpenPGP Key Analyzer can be installed [via pip](https://pypi.org/project/OpenPGPKeyAnalyzer/) (it is encouraged to use a virtual environment):<br>
```pip install OpenPGPKeyAnalyzer```<br>
Alternatively, you can execute the OpenPGPKeyAnalyzerApp.py file in the OpenPGPKeyAnalyzer directory directly from this repository.

## Usage
If installed via pip: enter the command <em>openpgp-analyze</em> in a shell in the environment where you installed the application.<br>
> :warning: ***The first time you use this command, a settings.json file will be created in a specified directory if no settings.json exists there yet. This file will be read and written to by the application and can alter the workflow of evaluations. It therefore poses a potential security risk!***

After starting the application, a Python CLI will start. At the moment, the following commands are supported:
<ol>
 <li><em>?</em> or <em>help</em>: Displays the allowed commands of the CLI as well as their docstrings</li>
 <li><em>settings</em>: Display the current settings and possibly alter them</li>
 <li><em>analyze</em>: Enter an OpenPGP Keyfile and evaluate it for cryptographic vulnerabilities</li>
 <li><em>analyzedir</em>: Enter the path to a directory and evaluate all OpenPGP Keyfiles in it. Only Keyfiles on the top level of the directory will be evaluated. No recursive check in subdirectories is currently implemented</li>
 <li><em>sources</em>: Prints the sources for implemented vulnerabilities onto the command line.</li>
</ol>

## Implemented Checks
<ol>
 <li><b>Deprecated Key Version</b>: Checks if the version of a given Keyfile is deprecated according to the specified RFC</li>
 <li><b>Key lengths</b>: Checks whether a given Keyfile has a key length that is considered insecure according to the NIST and BSI specifications. Additionally, users can specify an effective key length against which Keyfiles should be checked</li>
 <li><b>Deprecated algorithm</b>: Checks whether a given Keyfile uses a deprecated algorithm</li>
 <li><b>RSA specific checks: </b><ol>
  <li><b>Fermat Factoring Algorithm</b>: Checks an RSA key for vulnerability to Fermat's Factoring Algorithm</li>
  <li><b>Low private exponent</b>: Checks an RSA secret key for low private exponent</li>
  <li><b>Low public exponent</b>: Checks an RSA key for low public exponent </li>
  <li><b>ROCA</b>: Checks an RSA key for the ROCA vulnerability</li></ol></li>
 <li><b>Elgamal specific checks</b>: No further checks implemented yet</li>
 <li><b>DSA specific checks</b>: No further checks implemented yet</li>
 <li><b>ECC specific checks</b>: No further checks implemented yet</li>
</ol>

## Settings
| Setting                                      | Allowed Values                      | Default Value       | Purpose |
|----------------------------------------------|-------------------------------------|---------------------|---------|
| **RFCVersion**                               | RFC4880, RFC9580                   | RFC4880            | Specifies the RFC version a key should be checked against. |
| **UserSpecifiedKeyLength**                   | Integer values greater than 0       | -1                 | Specifies the minimum effective key length a key must possess. |
| **FermatFactoringCheckIncluded**             | Boolean values                      | True               | Specifies whether the RSA key should be checked for vulnerabilities against Fermat's factoring algorithm. |
| **FermatFactoringEffectiveLengthToCheck**    | Integer values greater than 0       | 120                | Specifies the minimum bit-length difference between *p* and *q* in RSA keys for Fermat checks with secret keys. |
| **LowPrivateExponentCheckIncluded**          | Boolean values                      | True               | Specifies if a given RSA secret key should be checked for a low private exponent. |
| **LowPrivateExponentBound**                  | Estimated Bound, Boneh and Durfee Bound | Estimated Bound  | Specifies the bound to check the private exponent *d* of an RSA secret key against. |
| **LowPublicExponentCheckIncluded**           | Boolean values                      | True               | Specifies if a given RSA key should be checked for a low public exponent. |
| **LowPublicExponentBound**                   | Integer values greater than 3       | 65537              | Specifies the lower bound an RSA public exponent should have. |
| **ROCACheckIncluded**                         | Boolean values                      | True               | Specifies if a given RSA key should be checked for the ROCA vulnerability. |
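
A minimal sketch of three of the RSA checks listed above (Fermat factoring, prime gap for secret keys, low public exponent), added here as an illustration; it is not OpenPGPKeyAnalyzer's own code. Function names and sample values are constructed, the defaults 120 and 65537 mirror the Settings table, and reading the Fermat setting as the bit length of |p - q| is an assumption.

```python
from math import isqrt


def fermat_factor(n, max_rounds=100):
    """Search for n = a^2 - b^2 starting at ceil(sqrt(n)).

    Succeeds within a few rounds only when the two primes are close together;
    returns (p, q) with p <= q, or None if the round budget is exhausted.
    """
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_rounds):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2 and a - b > 1:  # skip the trivial split 1 * n
            return a - b, a + b
        a += 1
    return None


def audit_rsa(n, e, p=None, q=None, min_gap_bits=120, min_e=65537):
    """Return a list of findings for one RSA key.

    p and q are only available for secret keys. With them, the prime gap is
    measured directly (assumed meaning of FermatFactoringEffectiveLengthToCheck);
    without them, a bounded Fermat search is run on the public modulus.
    """
    findings = []
    if e < min_e:  # mirrors LowPublicExponentBound
        findings.append("low public exponent")
    if p is not None and q is not None:
        if abs(p - q).bit_length() < min_gap_bits:
            findings.append("prime gap below threshold")
    elif fermat_factor(n) is not None:
        findings.append("modulus factored by Fermat's method")
    return findings


# Constructed sample values, not taken from any real key.
CLOSE_P, CLOSE_Q = 1000003, 1000033      # two neighbouring small primes
FAR_P, FAR_Q = 2**521 - 1, 2**607 - 1    # two Mersenne primes, far apart

if __name__ == "__main__":
    print(audit_rsa(CLOSE_P * CLOSE_Q, 3))                    # public key only
    print(audit_rsa(CLOSE_P * CLOSE_Q, 65537, CLOSE_P, CLOSE_Q))
    print(audit_rsa(FAR_P * FAR_Q, 65537, FAR_P, FAR_Q))
```

An empty list here means only that these three checks found nothing, in line with the warning under Supported Formats.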


            
