
roca-detect not analyzing RSA/SSH keys


Case 1: Newly-generated RSA keypair

Commands:

$ ssh-keygen -t rsa -C "test@test.com" -f test_key
$ roca-detect test_key
$ roca-detect test_key.pub

Output:

2017-10-17 04:11:20 [1987] INFO ### SUMMARY ####################
2017-10-17 04:11:20 [1987] INFO Records tested: 12
2017-10-17 04:11:20 [1987] INFO .. PEM certs: . . . 0
2017-10-17 04:11:20 [1987] INFO .. DER certs: . . . 0
2017-10-17 04:11:20 [1987] INFO .. RSA key files: . 0
2017-10-17 04:11:20 [1987] INFO .. PGP master keys: 0
2017-10-17 04:11:20 [1987] INFO .. PGP total keys:  0
2017-10-17 04:11:20 [1987] INFO .. SSH keys:  . . . 0
2017-10-17 04:11:20 [1987] INFO .. APK keys:  . . . 0
2017-10-17 04:11:20 [1987] INFO .. JSON keys: . . . 0
2017-10-17 04:11:20 [1987] INFO .. LDIFF certs: . . 0
2017-10-17 04:11:20 [1987] INFO .. JKS certs: . . . 0
2017-10-17 04:11:20 [1987] INFO .. PKCS7: . . . . . 0
2017-10-17 04:11:20 [1987] INFO No fingerprinted keys found (OK)
2017-10-17 04:11:20 [1987] INFO ################################

Note that after removing test_key and test_key.pub and running the command as roca-detect ., the command still outputs Records tested: 12. No files (including hidden ones) are in the given folder.

Expected: The command detects the keys (I’m not sure if it should be PEM certs, RSA key files, or SSH keys, or other, but none is showing).


Case 2: Downloaded crocs-muni/roca's positive PEM key

Commands:

$ curl https://raw.githubusercontent.com/crocs-muni/roca/master/roca/tests/data/cert05.pem --output cert05.pem
$ roca-detect cert05.pem

Output:

2017-10-17 04:17:45 [2034] INFO ### SUMMARY ####################
2017-10-17 04:17:45 [2034] INFO Records tested: 0
2017-10-17 04:17:45 [2034] INFO .. PEM certs: . . . 0
2017-10-17 04:17:45 [2034] INFO .. DER certs: . . . 0
2017-10-17 04:17:45 [2034] INFO .. RSA key files: . 0
2017-10-17 04:17:45 [2034] INFO .. PGP master keys: 0
2017-10-17 04:17:45 [2034] INFO .. PGP total keys:  0
2017-10-17 04:17:45 [2034] INFO .. SSH keys:  . . . 0
2017-10-17 04:17:45 [2034] INFO .. APK keys:  . . . 0
2017-10-17 04:17:45 [2034] INFO .. JSON keys: . . . 0
2017-10-17 04:17:45 [2034] INFO .. LDIFF certs: . . 0
2017-10-17 04:17:45 [2034] INFO .. JKS certs: . . . 0
2017-10-17 04:17:45 [2034] INFO .. PKCS7: . . . . . 0
2017-10-17 04:17:45 [2034] INFO No fingerprinted keys found (OK)
2017-10-17 04:17:45 [2034] INFO ################################

Expected: The command warns of potential vulnerability.


Case 3: Downloaded crocs-muni/roca’s positive GPG key

Commands:

$ curl https://raw.githubusercontent.com/crocs-muni/roca/master/roca/tests/data/key04.pgp --output key04.pgp
$ roca-detect key04.pgp

Output:

2017-10-17 04:19:30 [2041] WARNING Fingerprint found in PGP key key04.pgp key ID 0x85052d6915c34dc4
{"type": "pgp", "fname": "key04.pgp", "fname_idx": 0, "master_key_id": "69825656415676c0", "master_fprint": "42FC1322AE0C0E495687454269825656415676C0", "identities": [{"name": "test@test.com", "email": "test@test.com"}], "signatures_count": 3, "packets_count": 7, "keys_count": 3, "signature_keys": ["85052D6915C34DC4"], "created_at": "2017-05-06", "created_at_utc": 1494098780.0, "is_master": false, "kid": "85052d6915c34dc4", "bitsize": 4096, "master_kid": "69825656415676c0", "e": "0x10001", "n": "...", "marked": true, "time_years": 776705277.0892105, "price_aws_c4": 340429922948.201}
2017-10-17 04:19:30 [2041] WARNING Fingerprint found in PGP key key04.pgp key ID 0x6f2887dba4bbd140
{"type": "pgp", "fname": "key04.pgp", "fname_idx": 0, "master_key_id": "69825656415676c0", "master_fprint": "42FC1322AE0C0E495687454269825656415676C0", "identities": [{"name": "test@test.com", "email": "test@test.com"}], "signatures_count": 3, "packets_count": 7, "keys_count": 3, "signature_keys": ["85052D6915C34DC4"], "created_at": "2017-05-06", "created_at_utc": 1494098780.0, "is_master": false, "kid": "6f2887dba4bbd140", "bitsize": 4032, "master_kid": "69825656415676c0", "e": "0x10001", "n": "0x9a652f174b36fef8371f9b67a383452485b2b7a052dc18f423e2dc809107161564b81eb59b5c6888d4ee0bba4c6b876b5709c112ce5be098ad3e4d1833a02d0a567f9747c3bd0e10e2a2c3d91c49b603f793176091904e51f1d0f23949b40dbd587a41bf30a589b06b39002de657b6e795cd626d09a4c7561dce67e7d69f9cd7f1a6c97fa4a56a04a6eb75eb3e12781c4badfa1b5a0b2e76a61a23e4938a21312d5473c35d7ecbf218dbc4b7399b019bf3c1348be1c9bc36adcfc1ebc60538304a7ef608d273318a9d2c808fba076be98994c129057410cee6308cc259743ecb6a45702a760b2d724f55537f78036c685c5ff9dbc5ef4825357db83d6d59344d6cee1b7900e9e37b57fc022d3d5bba20920c2467eb2426969acd28f6ece1870daa86ce1007478f0b7b9848f701693c4f7eee41b6935ba372455775be0ff897f378b1030ddf7ce7acefbc9ec59412350af801637e94d2345de6856330b1c47920fa2fa14aa6ba7185c03fdf7523aace3bd51087e43f466eefe65a818c2a2a1a6e7cb483ee0a61a5c4d562168f18822a72cc3684f83077d7702ad29bc45812e8fa8aee16af4976a8eab02be6140c6a28f518b2434fecf4ab9ef83f4cce90aac7bb49ae786d4776e6000b473cd80703e7a39693ee65056efb9affa8f1e252134e933dbdc13477d76199729453519b3a8a6fce564de145a32865", "marked": true, "time_years": 122124147.91450001, "price_aws_c4": 53527014030.92536}
2017-10-17 04:19:30 [2041] WARNING Fingerprint found in PGP key key04.pgp key ID 0x69825656415676c0
{"type": "pgp", "fname": "key04.pgp", "fname_idx": 0, "master_key_id": "69825656415676c0", "master_fprint": "42FC1322AE0C0E495687454269825656415676C0", "identities": [{"name": "test@test.com", "email": "test@test.com"}], "signatures_count": 3, "packets_count": 7, "keys_count": 3, "signature_keys": ["85052D6915C34DC4"], "created_at": "2017-05-06", "created_at_utc": 1494098780.0, "is_master": true, "kid": "69825656415676c0", "bitsize": 3968, "master_kid": "69825656415676c0", "e": "0x10001", "n": "...", "marked": true, "time_years": 29022724.31603158, "price_aws_c4": 12720660067.716642}
2017-10-17 04:19:30 [2041] INFO ### SUMMARY ####################
2017-10-17 04:19:30 [2041] INFO Records tested: 3
2017-10-17 04:19:30 [2041] INFO .. PEM certs: . . . 0
2017-10-17 04:19:30 [2041] INFO .. DER certs: . . . 0
2017-10-17 04:19:30 [2041] INFO .. RSA key files: . 0
2017-10-17 04:19:30 [2041] INFO .. PGP master keys: 1
2017-10-17 04:19:30 [2041] INFO .. PGP total keys:  3
2017-10-17 04:19:30 [2041] INFO .. SSH keys:  . . . 0
2017-10-17 04:19:30 [2041] INFO .. APK keys:  . . . 0
2017-10-17 04:19:30 [2041] INFO .. JSON keys: . . . 0
2017-10-17 04:19:30 [2041] INFO .. LDIFF certs: . . 0
2017-10-17 04:19:30 [2041] INFO .. JKS certs: . . . 0
2017-10-17 04:19:30 [2041] INFO .. PKCS7: . . . . . 0
2017-10-17 04:19:30 [2041] INFO Fingerprinted keys found: 3
2017-10-17 04:19:30 [2041] INFO WARNING: Potential vulnerability
2017-10-17 04:19:30 [2041] INFO ################################

Only in this case does the command warn of vulnerable PGP keys, as expected.
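As an added example (not part of the issue or of the roca project's code), here is a stdlib-only parser for the one-line `ssh-rsa` public key that `ssh-keygen` writes to `test_key.pub` in Case 1; it extracts the `e` and `n` values that roca-detect reports per record, handling the RFC 4253 mpint sign-byte rule and truncated blobs. The sample parameters are constructed, not a real key, and the encoder is included only so the example runs offline; the ROCA fingerprint test itself is not shown.

```python
import base64
import struct

# Constructed sample parameters (not a real key): e = 65537 and a modulus whose
# top bit is set, which exercises the mpint zero-pad rule in _mpint().
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x10001


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (RFC 4253, section 5)."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # would decode as negative: prepend a zero byte
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def make_ssh_rsa_line(e, n, comment="test@test.com"):
    """Build the one-line .pub form: 'ssh-rsa <base64 blob> <comment>'."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def _read_field(blob, pos):
    """Read one length-prefixed field; return (bytes, position after it)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated field")
    return blob[pos:pos + length], pos + length


def parse_ssh_rsa_line(line):
    """Return (e, n) from an ssh-rsa public key line; raise ValueError otherwise."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    keytype, pos = _read_field(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("blob key type is %r, not ssh-rsa" % keytype)
    e_bytes, pos = _read_field(blob, pos)
    n_bytes, pos = _read_field(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    # int.from_bytes tolerates the optional 0x00 sign pad, so no stripping needed.
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
```

A real `test_key.pub` with e = 65537 starts with the familiar `ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB` prefix, which is the encoded `ssh-rsa` type string followed by the three-byte mpint for e.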

maethor commented, Oct 17, 2017

Hi,

To be precise, roca-detect works only with Python 2.7.13, as explained in the README.md. I had the same problem on Debian oldstable (jessie), for instance, because it is running Python 2.7.9. Use Pyenv to install 2.7.13 and it should work better.

fboussarsar commented, Oct 18, 2017

I’m using 2.7.13 and having the same issue:

2017-10-18 18:27:52 [11460] DEBUG processing /home/fkboussarsar/.s3lib-keys/test.pem as PEM
2017-10-18 18:27:52 [11460] DEBUG Pubkey loading error: /home/fkboussarsar/.s3lib-keys/test.pem : 0 [-----BEGIN PUBLIC KE] : Could not deserialize key data.
2017-10-18 18:27:52 [11460] DEBUG Could not deserialize key data.
2017-10-18 18:27:52 [11460] DEBUG Traceback (most recent call last):
  File "/home/fkboussarsar/.pyenv/versions/2.7.13/lib/python2.7/site-packages/roca/detect.py", line 933, in process_pem_rsakey
    rsa = load_pem_private_key(data, None, self.get_backend())
  File "/home/fkboussarsar/.pyenv/versions/2.7.13/lib/python2.7/site-packages/cryptography/hazmat/primitives/serialization.py", line 20, in load_pem_private_key
    return backend.load_pem_private_key(data, password)
  File "/home/fkboussarsar/.pyenv/versions/2.7.13/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1015, in load_pem_private_key
    password,
  File "/home/fkboussarsar/.pyenv/versions/2.7.13/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1234, in _load_key
    self._handle_key_loading_error()
  File "/home/fkboussarsar/.pyenv/versions/2.7.13/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1292, in _handle_key_loading_error
    raise ValueError("Could not deserialize key data.")
ValueError: Could not deserialize key data.

2017-10-18 18:27:52 [11460] INFO ### SUMMARY ####################
2017-10-18 18:27:52 [11460] INFO Records tested: 0
2017-10-18 18:27:52 [11460] INFO .. PEM certs: . . . 0
2017-10-18 18:27:52 [11460] INFO .. DER certs: . . . 0
2017-10-18 18:27:52 [11460] INFO .. RSA key files: . 0
2017-10-18 18:27:52 [11460] INFO .. PGP master keys: 0
2017-10-18 18:27:52 [11460] INFO .. PGP total keys:  0
2017-10-18 18:27:52 [11460] INFO .. SSH keys:  . . . 0
2017-10-18 18:27:52 [11460] INFO .. APK keys:  . . . 0
2017-10-18 18:27:52 [11460] INFO .. JSON keys: . . . 0
2017-10-18 18:27:52 [11460] INFO .. LDIFF certs: . . 0
2017-10-18 18:27:52 [11460] INFO .. JKS certs: . . . 0
2017-10-18 18:27:52 [11460] INFO .. PKCS7: . . . . . 0
2017-10-18 18:27:52 [11460] DEBUG . Total RSA keys . 0  (# of keys RSA extracted & analyzed)
2017-10-18 18:27:52 [11460] INFO No fingerprinted keys found (OK)
2017-10-18 18:27:52 [11460] INFO ################################