# badkeys
Tool and library to check cryptographic public keys for known vulnerabilities
# what?
badkeys checks public keys in various formats for known vulnerabilities. A web version
can be found at [badkeys.info](https://badkeys.info/).
# install
badkeys can be installed [via pip](https://pypi.org/project/badkeys/):
```
pip3 install badkeys
```
You may want to use a virtual environment. For details about different installation
options, please [check the official Python documentation](https://packaging.python.org/en/latest/tutorials/installing-packages/).
Alternatively, you can call _./badkeys-cli_ directly from the git repository.
# usage
Before using badkeys, you need to download the blocklist data:
```
badkeys --update-bl
```
After that, you can call _badkeys_ and pass files with cryptographic public keys as the
parameter:
```
badkeys test.crt my.key
```
It will automatically try to detect the file format. Supported are public and private
keys in PEM format (both PKCS #1 and PKCS #8), X.509 certificates, certificate signing
requests (CSRs) and SSH public keys. You can find some test keys in the _tests/data_
directory.

By default, badkeys will only output information about vulnerable keys, meaning no
output will be generated if no vulnerabilities are found. The _-a_ parameter creates
output for all keys.
# scanning
badkeys can scan SSH and TLS hosts and automatically check their public keys. This can
be enabled with the parameters _-s_ (SSH) and _-t_ (TLS). By default, SSH will be
scanned on port 22 and TLS will be scanned on several ports for common protocols
(https/443, smtps/465, ldaps/636, ftps/990, imaps/993, pop3s/995 and 8443, which is
commonly used as a non-standard https port).

Alternative ports can be configured with _--tls-ports_ and _--ssh-ports_.

TLS and SSH scanning can be combined:
```
badkeys -ts example.org
```
Note that the scanning modes have limitations. It is often more desirable to use other
tools to collect TLS/SSH keys and scan them locally with badkeys.

SSH scanning needs [paramiko](https://www.paramiko.org/) as an additional dependency.

TLS scanning can't detect multiple certificates on one host (e.g. ECDSA and RSA). This
is a [limitation of Python's ssl.get_server_certificate() function](https://bugs.python.org/issue31892).
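The local workflow recommended above, as an added example that is not part of badkeys or its README: a Python helper that takes `ssh-keyscan` output or a `known_hosts` file and writes each distinct, well-formed key to its own `.pub` file for badkeys to check. The function names, the fingerprint-based file names and the sample lines (built from constructed, non-real key blobs) are assumptions made for this illustration.

```python
import base64
import hashlib
import struct
from pathlib import Path


def parse_keyscan(text):
    """Yield (hosts, keytype, b64) for each well-formed key line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or banner/comment line
        if fields[0].startswith("@"):
            fields = fields[1:]  # known_hosts marker (@cert-authority, @revoked)
        if len(fields) < 3:
            continue
        hosts, keytype, b64 = fields[:3]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # not valid base64
        # SSH wire format: the blob begins with a length-prefixed key type,
        # which must match the type declared in the text line.
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == keytype.encode():
            yield hosts, keytype, b64


def write_pubkeys(text, outdir):
    """Write one .pub file per distinct key; return {path: [hosts, ...]}."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = {}
    for hosts, keytype, b64 in parse_keyscan(text):
        # Name files by key fingerprint only, never by scanned (untrusted) text.
        fp = hashlib.sha256(base64.b64decode(b64)).hexdigest()[:16]
        path = outdir / f"{fp}.pub"
        written.setdefault(path, []).append(hosts)
        path.write_text(f"{keytype} {b64} {','.join(written[path])}\n")
    return written


def sample_blob(keytype, payload):
    # Constructed sample key blob for the demo input below (not a real host key).
    t = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + payload).decode()


SAMPLE = "\n".join([  # constructed input in ssh-keyscan style
    "# host-a.example:22 SSH-2.0-OpenSSH_9.6",
    f"host-a.example ssh-ed25519 {sample_blob('ssh-ed25519', bytes(36))}",
    f"host-b.example ssh-ed25519 {sample_blob('ssh-ed25519', bytes(36))}",
    f"host-b.example ssh-rsa {sample_blob('ssh-ed25519', bytes(8))}",  # type mismatch
    "host-c.example ssh-rsa not*base64",
])
```

The resulting files can then be passed to `badkeys` as file parameters; a key shared by several hosts is written once, with every host listed in its comment field.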
# Python module and API
badkeys can also be used as a Python module. However, the software is currently in beta
and the API may change regularly.
# about
badkeys was written by [Hanno Böck](https://hboeck.de).
This work was initially funded in 2022 by Industriens Fond through the CIDI project
(Cybersecure IOT in Danish Industry) and the [Center for Information Security and Trust
(CISAT)](https://cisat.dk/) at the IT University of Copenhagen, Denmark.
Raw data
{
"_id": null,
"home_page": null,
"name": "badkeys",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": null,
"keywords": "security, cryptography, rsa",
"author": "Hanno B\u00f6ck",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/3f/51/e1acca1ebddf0dc44937e340690364051e2e79e6d4bd628aba9f30f56115/badkeys-0.0.12.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "MIT",
"summary": "Check cryptographic keys for known weaknesses",
"version": "0.0.12",
"project_urls": {
"Bug Tracker": "https://github.com/badkeys/badkeys/issues",
"Homepage": "https://badkeys.info/",
"Source": "https://github.com/badkeys/badkeys"
},
"split_keywords": [
"security",
" cryptography",
" rsa"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "ab9764ae750093a44f011c20fef3d6e57a78f593e7c45ad59d963d4cdacae74d",
"md5": "510257947f2e777354b28e320696abc2",
"sha256": "512bfddefe504fa9fc8cad77e1f065951fcbd0954dbf9d6ac3ee5f9aee038c44"
},
"downloads": -1,
"filename": "badkeys-0.0.12-py3-none-any.whl",
"has_sig": false,
"md5_digest": "510257947f2e777354b28e320696abc2",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 365494,
"upload_time": "2024-09-15T11:27:11",
"upload_time_iso_8601": "2024-09-15T11:27:11.780682Z",
"url": "https://files.pythonhosted.org/packages/ab/97/64ae750093a44f011c20fef3d6e57a78f593e7c45ad59d963d4cdacae74d/badkeys-0.0.12-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "3f51e1acca1ebddf0dc44937e340690364051e2e79e6d4bd628aba9f30f56115",
"md5": "87aa7c6696fafcd5f5e9b2e85617ae91",
"sha256": "2c80bbb84a39d0428082ee8f2990a91a6f30f6df85e9a75091c4a862c08611e1"
},
"downloads": -1,
"filename": "badkeys-0.0.12.tar.gz",
"has_sig": false,
"md5_digest": "87aa7c6696fafcd5f5e9b2e85617ae91",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 374956,
"upload_time": "2024-09-15T11:34:03",
"upload_time_iso_8601": "2024-09-15T11:34:03.258605Z",
"url": "https://files.pythonhosted.org/packages/3f/51/e1acca1ebddf0dc44937e340690364051e2e79e6d4bd628aba9f30f56115/badkeys-0.0.12.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-09-15 11:34:03",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "badkeys",
"github_project": "badkeys",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "cryptography",
"specs": []
},
{
"name": "gmpy2",
"specs": []
}
],
"lcname": "badkeys"
}