Tags: badkeys/badkeys
Add JSON Web Key Support

Noteworthy changes in this release:

* Support to directly scan JSON Web Keys (JWK) and JSON Web Key Sets with the --jwk parameter.
* Speed of the precomputation in the smallfactors test was improved.
* Warning messages are now generated with a generic output function that should make their behavior more consistent.
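Scanning a JWK or JWK Set means pulling the RSA modulus and exponent out of the base64url-encoded `n` and `e` members before any weak-key test can run. The following reader is an added example and not badkeys' own code: it accepts either a single JWK object or a JWKS (`{"keys": [...]}`), skips non-RSA entries, flags JWKs that also carry private parameters, and rejects malformed ones. The sample key set is constructed (a toy modulus 61*53 = 3233, e = 17, plus a placeholder EC key), so nothing here is a real key.

```python
import base64
import json


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in JWK (RFC 7515 section 2)."""
    s = s.strip()
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_uint(n: int) -> str:
    """Encode a non-negative integer as unpadded base64url (RFC 7518 Base64urlUInt)."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def rsa_keys_from_jwk(doc: str) -> list:
    """Return the RSA keys found in a JWK or JWK Set JSON document.

    Each result is {"kid": str|None, "n": int, "e": int, "private": bool}.
    EC/OKP/oct entries are skipped because they carry no RSA modulus to test.
    Raises ValueError for entries that claim kty=RSA but are unusable.
    """
    obj = json.loads(doc)
    if not isinstance(obj, dict):
        raise ValueError("JWK document must be a JSON object")
    # A JWKS wraps its members in "keys"; a bare JWK is the object itself.
    entries = obj["keys"] if "keys" in obj else [obj]
    found = []
    for jwk in entries:
        if not isinstance(jwk, dict):
            raise ValueError("JWK entry is not an object")
        if jwk.get("kty") != "RSA":
            continue
        try:
            n = int.from_bytes(b64url_decode(jwk["n"]), "big")
            e = int.from_bytes(b64url_decode(jwk["e"]), "big")
        except (KeyError, ValueError) as exc:  # binascii.Error is a ValueError
            raise ValueError(f"malformed RSA JWK: {exc}") from exc
        if n <= 1 or e <= 1:
            raise ValueError("RSA JWK with degenerate n or e")
        found.append({
            "kid": jwk.get("kid"),
            "n": n,
            "e": e,
            # A JWK that ships "d" is a private key that leaked into a public set.
            "private": "d" in jwk,
        })
    return found


# Constructed sample JWKS (toy values, not real keys): one RSA key, one EC key.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "test-1", "use": "sig",
         "n": b64url_uint(61 * 53), "e": b64url_uint(17)},
        {"kty": "EC", "kid": "test-2", "crv": "P-256", "x": "AA", "y": "AA"},
    ]
})

if __name__ == "__main__":
    for key in rsa_keys_from_jwk(SAMPLE_JWKS):
        print(key["kid"], "n bits:", key["n"].bit_length(), "e:", key["e"],
              "PRIVATE KEY EXPOSED" if key["private"] else "")
```

The scanner proper would hand each `n` to the modulus tests; the point here is the plumbing a `--jwk`-style input needs, including the base64url padding rule and the distinction between a key set and a single key.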
Extra blocklist bugfix, quiet updates

This release contains no major changes, but a few minor new features and bugfixes:

* Add -q/--quiet option for --update-* commands
* Fix bug when passing multiple extra blocklists
* Make output of ERROR:/WARNING: more consistent / always uppercase
* Detect "square" keys
* Handle DNS errors in DKIM check better
* Handle malformed CSRs
Fix DKIM parsing with no k= value

This release only contains one important bugfix. The key type (k=) tag in DKIM is optional. If it is not set, the key type is "rsa". badkeys wrongly assumed such records were invalid and did not scan the key. This is now fixed.
Release DKIM support

* Supports scanning DKIM keys both in files (e.g. zone files, output of tools like dig/host) or directly from DNS (requires dnspython).
* Silence deprecation warnings for SSH DSA keys; we may need to implement our own parser in the future.
* Add __version__ module variable and --version command line option.
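Both the k= bugfix above and the file/dig input modes come down to how the DKIM key record is parsed. The parser below is an added example, not badkeys' own code. It joins the quoted character-strings that dig/host print for a TXT record (so a whole dig output line can be passed in), splits the tag=value list on `;`, strips folding whitespace, applies the RFC 6376 defaults (v=DKIM1, k=rsa) so a record without k= is treated as an RSA key rather than rejected, base64-decodes p=, and treats an empty p= as a revoked key. All sample records are constructed; the decoded "keys" are placeholders, not real key material.

```python
import base64
import re

# RFC 6376 section 3.6.1: v= and k= are optional with these defaults; p= is required.
DKIM_DEFAULTS = {"v": "DKIM1", "k": "rsa"}


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted character-strings of a TXT record as printed by dig/host.

    A long p= value is split across several quoted strings, which must be joined
    before parsing. Input without any quotes is returned unchanged.
    """
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata


def parse_dkim_record(rdata: str) -> dict:
    """Parse a DKIM key record into {tag: value} with defaults applied.

    The p= value is returned decoded as bytes; "revoked" is True when p= is empty.
    Raises ValueError when the record is not a usable DKIM key record.
    """
    text = join_txt_strings(rdata)
    tags = {}
    for field in text.split(";"):
        field = field.strip()
        if not field:
            continue  # trailing ";" is allowed
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Folding whitespace may appear anywhere inside a value; drop it.
        tags[name] = "".join(value.split())
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    for name, default in DKIM_DEFAULTS.items():
        tags.setdefault(name, default)  # absent k= means an RSA key
    if tags["v"] != "DKIM1":
        raise ValueError(f"unsupported DKIM version {tags['v']!r}")
    try:
        tags["p"] = base64.b64decode(tags["p"], validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError(f"p= is not valid base64: {exc}") from exc
    tags["revoked"] = tags["p"] == b""
    return tags


def is_dkim_key_record(rdata: str) -> bool:
    """Convenience wrapper: True if the record parses as a DKIM key record."""
    try:
        parse_dkim_record(rdata)
        return True
    except ValueError:
        return False


# Constructed samples (placeholder key bytes, not real keys).
SAMPLE_KEY_BYTES = b"constructed placeholder, not a real key"
# Record without k=: must be treated as RSA, not rejected.
SAMPLE_NO_K = "v=DKIM1; p=" + base64.b64encode(SAMPLE_KEY_BYTES).decode()
# A dig-style output line with the value split into several quoted strings.
SAMPLE_DIG_LINE = (
    'sel._domainkey.example.com. 300 IN TXT "v=DKIM1; k=ed25519; " "p=" "AAAA"'
)

if __name__ == "__main__":
    for sample in (SAMPLE_NO_K, SAMPLE_DIG_LINE, "v=DKIM1; p="):
        rec = parse_dkim_record(sample)
        print(rec["k"], len(rec["p"]), "bytes", "(revoked)" if rec["revoked"] else "")
```

A scanner would then dispatch on `k`: for `rsa` the decoded `p` is a DER SubjectPublicKeyInfo to feed into the RSA tests, for `ed25519` it is the raw 32-byte public key; the placeholder bytes here are only there to show the parsing path.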
Major speedup release

* The rsainvalid module contained a check whether the N in an RSA key was prime, which would indicate a defective key. Via profiling with cProfile/snakeviz, I discovered that this check is very computationally expensive. Removing this feature, which is not very valuable, makes badkeys 10x faster.

Minor changes:

* Continue TLS scans when the remote server drops packets.
* Produce a proper error message in SSH scan mode when paramiko is not available.
* Make blocklist tests optional (for distro build systems).
* This version introduces a new module to detect keys used in the xz backdoor. The backdoor expects a certain type of RSA public key; badkeys can detect these now. This detection can theoretically lead to false positives, however the false positive rate is low enough (~1:2^62) that it will likely never show up in practice.
* Move from setup.py/setup.cfg to pyproject.toml.
* Avoid installing the "tests" dir in the wheel.
* Avoid the open_binary() deprecation warning and use the new files() API. This raises the required Python version to 3.9.