badkeys/badkeys


badkeys

Tool and library to check cryptographic public keys for known vulnerabilities

what?

badkeys checks public keys in a variety of formats for known vulnerabilities. A web version can be found at badkeys.info.

install

badkeys can be installed via pip:

pip3 install badkeys

Alternatively you can call ./badkeys-cli directly from the git repository.

usage

Before using badkeys you need to download the blocklist data:

badkeys --update-bl

After that you can call badkeys and pass files with cryptographic public keys as the parameter:

badkeys test.crt my.key

It will automatically try to detect the file format. Supported are public and private keys in PEM format (both PKCS #1 and PKCS #8), X.509 certificates, certificate signing requests (CSRs) and SSH public keys. You can find some test keys in the tests/data directory.

By default badkeys will only output information about vulnerable keys, meaning there will be no output if no vulnerabilities are found. The -a parameter creates output for all keys.
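Because the default mode prints nothing for keys without findings, that silence can serve as a pass/fail signal in a build or audit job. The following is an added example, not part of the badkeys project: the function name audit_keys, the BADKEYS variable and the list of file extensions are assumptions of this example, and it treats any output as a finding because this page does not document the exit status.

```shell
# Check every key-like file under a directory with badkeys and fail if any
# of them produces output. Run "badkeys --update-bl" once beforehand so the
# blocklist data is present.
# BADKEYS (assumption of this example) lets a different executable be used.
BADKEYS="${BADKEYS:-badkeys}"

# audit_keys DIR
#   prints "<file>: <badkeys output>" for each file that produced output
#   returns 0 = no output at all, 1 = findings, 2 = usage or tool error
audit_keys() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    command -v "$BADKEYS" >/dev/null 2>&1 || {
        echo "$BADKEYS not found" >&2; return 2; }

    list=$(mktemp) || return 2
    report=$(mktemp) || { rm -f "$list"; return 2; }

    # Extension list is an assumption; badkeys detects the format itself.
    find "$dir" -type f \( -name '*.crt' -o -name '*.pem' -o -name '*.key' \
        -o -name '*.csr' -o -name '*.pub' \) -print > "$list"

    # One invocation per file: names with spaces survive, and each line of
    # the report can be attributed to the file that caused it.
    while IFS= read -r f; do
        out=$("$BADKEYS" "$f" 2>&1) || true
        if [ -n "$out" ]; then
            printf '%s: %s\n' "$f" "$out" >> "$report"
        fi
    done < "$list"

    status=0
    if [ -s "$report" ]; then
        cat "$report"
        status=1
    fi
    rm -f "$list" "$report"
    return "$status"
}
```

Error messages from badkeys are captured as well, so a file it cannot parse also shows up in the report for review.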

scanning

badkeys can directly scan SSH and TLS hosts and automatically check their public keys. This can be enabled with the parameters -s (for SSH) and -t (for TLS). By default SSH will be scanned on port 22 and TLS will be scanned on several ports for common protocols (https/443, smtps/465, ldaps/636, ftps/990, imaps/993, pop3s/995 and 8443, which is commonly used as a non-standard https port).

Alternative ports can be configured with --tls-ports and --ssh-ports.

TLS and SSH scanning can be combined:

badkeys -ts example.org

Python module and API

badkeys can also be used as a Python module. However, the software is currently in alpha state and the API may change regularly.

about

badkeys was written by Hanno Böck.

This work was funded in part by Industriens Fond through the CIDI project (Cybersecure IOT in Danish Industry) and in part by the Center for Information Security and Trust (CISAT) at the IT University of Copenhagen, Denmark.
