Check cryptographic keys for known weaknesses
Project description
badkeys
Tool and library to check cryptographic public keys for known vulnerabilities
what?
badkeys checks public keys in various formats for known vulnerabilities. A web version can be found at badkeys.info.
install
badkeys can be installed via pip:
pip3 install badkeys
You may want to use a virtual environment. For details about different installation options, please check the official Python documentation. Alternatively, you can call ./badkeys-cli directly from the git repository.
usage
Before using badkeys, you need to download the blocklist data:
badkeys --update-bl
After that, you can call badkeys and pass files with cryptographic public keys as the parameter:
badkeys test.crt my.key
It will automatically try to detect the file format. Supported are public and private keys in PEM format (both PKCS #1 and PKCS #8), X.509 certificates, certificate signing requests (CSRs) and SSH public keys. You can find some test keys in the tests/data directory.
By default, badkeys will only output information about vulnerable keys, meaning no output will be generated if no vulnerabilities are found. The -a parameter creates output for all keys.
scanning
badkeys can scan SSH and TLS hosts and automatically check their public keys. This can be enabled with the parameters -s (SSH) and -t (TLS). By default, SSH will be scanned on port 22 and TLS will be scanned on several ports for common protocols (https/443, smtps/465, ldaps/636, ftps/990, imaps/993, pop3s/995 and 8443, which is commonly used as a non-standard https port).
Alternative ports can be configured with --tls-ports and --ssh-ports.
TLS and SSH scanning can be combined:
badkeys -ts example.org
Note that the scanning modes have limitations. It is often more desirable to use other tools to collect TLS/SSH keys and scan them locally with badkeys.
SSH scanning needs paramiko as an additional dependency.
TLS scanning can't detect multiple certificates on one host (e.g. ECDSA and RSA). This is a limitation of Python's ssl.get_server_certificate() function.
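The local-collection approach recommended above, as an added example (not part of badkeys): fetch a host's TLS leaf certificates with openssl s_client, once per signature-algorithm family so that a server holding both an RSA and an ECDSA certificate hands out each of them, then run badkeys over the files. It assumes openssl and badkeys are on PATH and the blocklist was downloaded with badkeys --update-bl; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of badkeys: collect TLS leaf certificates locally
# and check them with badkeys. Restricting the offered signature algorithms
# makes the server pick the matching certificate, which works around the
# single-certificate limitation of the built-in -t scan.
# Assumptions: openssl and badkeys on PATH, blocklist already downloaded.
set -u

# Print only the first (leaf) certificate from s_client output on stdin.
extract_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {inside=1}
         inside {print}
         /-----END CERTIFICATE-----/ {if (inside) exit}'
}

# Fetch the leaf certificate of host:port while offering only the given
# signature algorithms (colon-separated openssl list). Empty output on failure.
fetch_leaf_cert() {
    host=$1; port=$2; sigalgs=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -sigalgs "$sigalgs" </dev/null 2>/dev/null | extract_leaf_cert
}

# Collect every distinct leaf certificate of a host into outdir, one file per
# certificate, named by SHA-256 fingerprint so duplicates collapse.
collect_tls_certs() {
    host=$1; port=$2; outdir=$3
    mkdir -p "$outdir"
    for alg in "RSA-PSS+SHA256:RSA+SHA256" "ECDSA+SHA256:ECDSA+SHA384" "ed25519"; do
        pem=$(fetch_leaf_cert "$host" "$port" "$alg")
        [ -n "$pem" ] || continue
        fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 \
             | tr -d ':' | cut -d= -f2)
        printf '%s\n' "$pem" > "$outdir/${host}_${port}_${fp}.crt"
    done
}

# Usage: ./collect-and-check.sh example.org 443 ./certs
if [ $# -eq 3 ]; then
    collect_tls_certs "$1" "$2" "$3"
    # -a also lists keys without findings, so you can see what was checked.
    badkeys -a "$3"/*.crt
fi
```

The same collection loop can be repeated for the other TLS ports badkeys scans by default (465, 636, 990, 993, 995, 8443) before a single badkeys run over the directory.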
Python module and API
badkeys can also be used as a Python module. However, currently the software is in beta state and the API may change regularly.
about
badkeys was written by Hanno Böck.
This work was initially funded in 2022 by Industriens Fond through the CIDI project (Cybersecure IOT in Danish Industry) and the Center for Information Security and Trust (CISAT) at the IT University of Copenhagen, Denmark.
File details
Details for the file badkeys-0.0.12.tar.gz.
File metadata
- Download URL: badkeys-0.0.12.tar.gz
- Upload date:
- Size: 375.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.12.6
File hashes
Algorithm | Hash digest
---|---
SHA256 | 2c80bbb84a39d0428082ee8f2990a91a6f30f6df85e9a75091c4a862c08611e1
MD5 | 87aa7c6696fafcd5f5e9b2e85617ae91
BLAKE2b-256 | 3f51e1acca1ebddf0dc44937e340690364051e2e79e6d4bd628aba9f30f56115
File details
Details for the file badkeys-0.0.12-py3-none-any.whl.
File metadata
- Download URL: badkeys-0.0.12-py3-none-any.whl
- Upload date:
- Size: 365.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.12.6
File hashes
Algorithm | Hash digest
---|---
SHA256 | 512bfddefe504fa9fc8cad77e1f065951fcbd0954dbf9d6ac3ee5f9aee038c44
MD5 | 510257947f2e777354b28e320696abc2
BLAKE2b-256 | ab9764ae750093a44f011c20fef3d6e57a78f593e7c45ad59d963d4cdacae74d