Mirrors/trufflehog
2
0
Fork 0
mirror of https://github.com/trufflesecurity/trufflehog.git synced 2024-11-10 07:04:24 +00:00
Code Issues Projects Releases Packages Wiki Activity

Improve private key detector (#1760)

Browse source 
* Surface extra data and check private keys directly against gitlab and github

* fix encrpypted private key test

* implement feedback

* mod tidy

* fix change

* Set timeout for SSH connections
This commit is contained in:
Dustin Decker 2023-09-11 12:05:27 -07:00 committed by GitHub
parent 3f84a6700e
commit 72b3fa31a3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 279 additions and 127 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
go.mod
View file

@ -11,6 +11,7 @@ require (
cloud.google.com/go/secretmanager v1.11.1
cloud.google.com/go/storage v1.31.0
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1
github.com/BobuSumisu/aho-corasick v1.0.3
github.com/TheZeroSlave/zapsentry v1.17.0
github.com/aws/aws-sdk-go v1.44.83
@ -203,7 +204,7 @@ require (
github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe // indirect
github.com/montanaflynn/stats v0.6.6 // indirect
github.com/mtibben/percent v0.2.1 // indirect
github.com/muesli/ansi v0.0.0-20211031195517-c9f0611b6c70 // indirect
github.com/muesli/cancelreader v0.2.2 // indirect

6
go.sum
View file

@ -304,6 +304,7 @@ github.com/goccy/go-json v0.10.0 h1:mXKd9Qw4NuzShiRlOXKews24ufknHO7gx30lsDyokKA=
github.com/goccy/go-json v0.10.0/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0=
github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
@ -382,6 +383,7 @@ github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8I
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@ -518,8 +520,9 @@ github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8Ie
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe h1:iruDEfMl2E6fbMZ9s0scYfZQ84/6SPL6zC8ACM2oIL0=
github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
github.com/montanaflynn/stats v0.6.6 h1:Duep6KMIDpY4Yo11iFsvyqJDyfzLF9+sndUKT+v64GQ=
github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs=
github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ibNBTZrns=
github.com/muesli/ansi v0.0.0-20211031195517-c9f0611b6c70 h1:kMlmsLSbjkikxQJ1IPwaM+7LJ9ltFu/fi8CRzvSnQmA=
@ -565,6 +568,7 @@ github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTw
github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8=

10
pkg/detectors/privatekey/cracker.go
View file

@ -9,7 +9,7 @@ import (
"golang.org/x/crypto/ssh"
)
//go:embed "rockyou-15.txt"
//go:embed "list.txt"
var rawCrackList []byte
var passphrases [][]byte
@ -21,17 +21,17 @@ var (
ErrUncrackable = errors.New("unable to crack encryption")
)
func crack(in []byte) (interface{}, error) {
func crack(in []byte) (interface{}, string, error) {
for _, passphrase := range passphrases {
parsed, err := ssh.ParseRawPrivateKeyWithPassphrase(in, passphrase)
if err != nil {
if errors.Is(err, x509.IncorrectPasswordError) {
continue
} else {
return nil, err
return nil, "", err
}
}
return parsed, nil
return parsed, string(passphrase), nil
}
return nil, ErrUncrackable
return nil, "", ErrUncrackable
}

20
pkg/detectors/privatekey/cracker_test.go
View file

@ -56,23 +56,29 @@ Hx7UPVlTK8dyvk1Z+Yw0nrfNClI=
func Test_crack(t *testing.T) {
tests := []struct {
name string
in []byte
wantErr bool
name string
in []byte
wantedPassphrase string
wantErr bool
}{
{
name: "crackable",
wantErr: false,
in: testEncryptedKey,
name: "crackable",
wantErr: false,
in: testEncryptedKey,
wantedPassphrase: string(testEncryptedKeyCorrectPassword),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, err := crack(tt.in)
_, passphrase, err := crack(tt.in)
if (err != nil) != tt.wantErr {
t.Errorf("crack() error = %v, wantErr %v", err, tt.wantErr)
return
}
if passphrase != string(tt.wantedPassphrase) {
t.Errorf("crack() passphrase = %v, want %v", passphrase, string(testEncryptedKeyCorrectPassword))
}
})
}
}

27
pkg/detectors/privatekey/fingerprint.go
View file

@ -5,10 +5,12 @@ import (
"crypto/ed25519"
"crypto/rsa"
"crypto/sha1"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/hex"
"errors"
"strings"
"fmt"
"golang.org/x/crypto/ssh"
)
@ -18,18 +20,8 @@ var (
ErrEncryptedKey = errors.New("key is encrypted")
)
func FingerprintPEMKey(in []byte) (string, error) {
parsedKey, err := ssh.ParseRawPrivateKey(in)
if err != nil && strings.Contains(err.Error(), "private key is passphrase protected") {
parsedKey, err = crack(in)
if err != nil {
return "", err
}
} else if err != nil {
return "", err
}
var pubKey interface{}
func FingerprintPEMKey(parsedKey any) (string, error) {
var pubKey any
switch privateKey := parsedKey.(type) {
case *rsa.PrivateKey:
pubKey = &privateKey.PublicKey
@ -44,6 +36,10 @@ func FingerprintPEMKey(in []byte) (string, error) {
return "", ErrNotSupported
}
return fingerprintPublicKey(pubKey)
}
func fingerprintPublicKey(pubKey any) (string, error) {
publickeyBytes, err := x509.MarshalPKIXPublicKey(pubKey)
if err != nil {
return "", err
@ -53,3 +49,8 @@ func FingerprintPEMKey(in []byte) (string, error) {
publicKeyFingerprintInHex := hex.EncodeToString(publicKeyFingerprint[:])
return publicKeyFingerprintInHex, nil
}
func fingerprintSSHPublicKey(pubKey ssh.PublicKey) string {
publicKeyFingerprint := sha256.Sum256(pubKey.Marshal())
return fmt.Sprintf("SHA256:%s", base64.RawStdEncoding.EncodeToString(publicKeyFingerprint[:]))
}

0
pkg/detectors/privatekey/rockyou-15.txt → pkg/detectors/privatekey/list.txt
View file

99
pkg/detectors/privatekey/privatekey.go
View file

@ -6,11 +6,14 @@ import (
"fmt"
"net/http"
"regexp"
"strings"
"time"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/errors"
"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
"golang.org/x/crypto/ssh"
)
type Scanner struct {
@ -53,19 +56,67 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) ([]dete
Redacted: token[0:64],
}
fingerprint, err := FingerprintPEMKey([]byte(token))
secret.ExtraData = make(map[string]string)
var passphrase string
parsedKey, err := ssh.ParseRawPrivateKey([]byte(token))
if err != nil && strings.Contains(err.Error(), "private key is passphrase protected") {
secret.ExtraData["encrypted"] = "true"
parsedKey, passphrase, err = crack([]byte(token))
if err != nil {
secret.VerificationError = err
continue
}
if passphrase != "" {
secret.ExtraData["cracked_encryption_passphrase"] = "true"
}
} else if err != nil {
// couldn't parse key, probably invalid
continue
}
fingerprint, err := FingerprintPEMKey(parsedKey)
if err != nil {
continue
}
if verify {
verificationErrors := []string{}
data, err := lookupFingerprint(fingerprint, s.IncludeExpired)
if err == nil {
secret.StructuredData = data
if data != nil {
secret.Verified = true
secret.ExtraData["certificate_urls"] = strings.Join(data.CertificateURLs, ", ")
}
} else {
verificationErrors = append(verificationErrors, err.Error())
}
user, err := verifyGitHubUser(parsedKey)
if err != nil && !errors.Is(err, errPermissionDenied) {
verificationErrors = append(verificationErrors, err.Error())
}
if user != nil {
secret.Verified = true
secret.ExtraData["github_user"] = *user
}
user, err = verifyGitLabUser(parsedKey)
if err != nil && !errors.Is(err, errPermissionDenied) {
verificationErrors = append(verificationErrors, err.Error())
}
if user != nil {
secret.Verified = true
secret.ExtraData["gitlab_user"] = *user
}
if !secret.Verified && len(verificationErrors) > 0 {
secret.VerificationError = fmt.Errorf("verification failures: %s", strings.Join(verificationErrors, ", "))
}
}
if len(secret.ExtraData) == 0 {
secret.ExtraData = nil
}
results = append(results, secret)
@ -74,23 +125,30 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) ([]dete
return results, nil
}
func lookupFingerprint(publicKeyFingerprintInHex string, includeExpired bool) (data *detectorspb.StructuredData, err error) {
type result struct {
CertificateURLs []string
GitHubUsername string
}
func lookupFingerprint(publicKeyFingerprintInHex string, includeExpired bool) (*result, error) {
req, err := http.NewRequest("GET", fmt.Sprintf("https://keychecker.trufflesecurity.com/fingerprint/%s", publicKeyFingerprintInHex), nil)
if err != nil {
return
return nil, err
}
res, err := client.Do(req)
if err != nil {
return
return nil, err
}
defer res.Body.Close()
results := DriftwoodResult{}
err = json.NewDecoder(res.Body).Decode(&results)
if err != nil {
return
return nil, err
}
var data *result
seen := map[string]struct{}{}
for _, r := range results.CertificateResults {
if _, ok := seen[r.CertificateFingerprint]; ok {
@ -100,36 +158,13 @@ func lookupFingerprint(publicKeyFingerprintInHex string, includeExpired bool) (d
continue
}
if data == nil {
data = &detectorspb.StructuredData{}
data = &result{}
}
if data.TlsPrivateKey == nil {
data.TlsPrivateKey = make([]*detectorspb.TlsPrivateKey, 0)
}
data.TlsPrivateKey = append(data.TlsPrivateKey, &detectorspb.TlsPrivateKey{
CertificateFingerprint: r.CertificateFingerprint,
ExpirationTimestamp: r.ExpirationTimestamp.Unix(),
VerificationUrl: fmt.Sprintf("https://crt.sh/?q=%s", r.CertificateFingerprint),
})
data.CertificateURLs = append(data.CertificateURLs, fmt.Sprintf("https://crt.sh/?q=%s", r.CertificateFingerprint))
seen[r.CertificateFingerprint] = struct{}{}
}
for _, r := range results.GitHubSSHResults {
if _, ok := seen[r.Username]; ok {
continue
}
if data == nil {
data = &detectorspb.StructuredData{}
}
if data.GithubSshKey == nil {
data.GithubSshKey = make([]*detectorspb.GitHubSSHKey, 0)
}
data.GithubSshKey = append(data.GithubSshKey, &detectorspb.GitHubSSHKey{
User: r.Username,
})
seen[r.Username] = struct{}{}
}
return
return data, nil
}
type DriftwoodResult struct {

82
pkg/detectors/privatekey/privatekey_test.go
View file

@ -20,13 +20,15 @@ import (
func TestPrivatekey_FromChunk(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
defer cancel()
testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors2")
testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors4")
if err != nil {
t.Fatalf("could not get test secrets from GCP: %s", err)
}
secretTLS := testSecrets.MustGetField("PRIVATEKEY_TLS")
secretGitHub := testSecrets.MustGetField("PRIVATEKEY_GITHUB")
secretGitHubEncrypted := testSecrets.MustGetField("PRIVATEKEY_GITHUB_ENCRYPTED")
secretInactive := testSecrets.MustGetField("PRIVATEKEY_UNVERIFIED")
type args struct {
ctx context.Context
data []byte
@ -75,19 +77,8 @@ func TestPrivatekey_FromChunk(t *testing.T) {
DetectorType: detectorspb.DetectorType_PrivateKey,
Verified: true,
Redacted: "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgw",
StructuredData: &detectorspb.StructuredData{
TlsPrivateKey: []*detectorspb.TlsPrivateKey{
{
CertificateFingerprint: "1e20c40deb44a8539dd3ac3e8c53b72750cb19f9",
VerificationUrl: "https://crt.sh/?q=1e20c40deb44a8539dd3ac3e8c53b72750cb19f9",
ExpirationTimestamp: 1497337731,
},
{
CertificateFingerprint: "0e9de31fb2ee16465a4d5d93b227d54f870326d1",
VerificationUrl: "https://crt.sh/?q=0e9de31fb2ee16465a4d5d93b227d54f870326d1",
ExpirationTimestamp: 1528192832,
},
},
ExtraData: map[string]string{
"certificate_urls": "https://crt.sh/?q=1e20c40deb44a8539dd3ac3e8c53b72750cb19f9, https://crt.sh/?q=0e9de31fb2ee16465a4d5d93b227d54f870326d1",
},
},
},
@ -106,12 +97,8 @@ func TestPrivatekey_FromChunk(t *testing.T) {
DetectorType: detectorspb.DetectorType_PrivateKey,
Verified: true,
Redacted: "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5v",
StructuredData: &detectorspb.StructuredData{
GithubSshKey: []*detectorspb.GitHubSSHKey{
{
User: "thisisforgithub0",
},
},
ExtraData: map[string]string{
"github_user": "sirdetectsalot",
},
},
},
@ -121,47 +108,8 @@ func TestPrivatekey_FromChunk(t *testing.T) {
name: "found encrypted GitHub SSH private key, verified",
s: Scanner{},
args: args{
ctx: context.Background(),
data: []byte(`-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAjNIZuun
xgLkM8KuzfmQuRAAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDe3Al0EMPz
utVNk5DixaYrGMK56RqUoqGBinke6SWVWmqom1lBcJWzor6HlnMRPPr7YCEsJKL4IpuVwu
inRa5kdtNTyM7yyQTSR2xXCS0fUItNuq8pUktsH8VUggpMeew8hJv7rFA7tnIg3UXCl6iF
OLZKbDA5aa24idpcD8b1I9/RzTOB1fu0of5xd9vgODzGw5JvHQSJ0FaA42aNBMGwrDhDB3
sgnRNdWf6NNIh8KpXXMKJADf3klsyn6He8L2bPMp8a4wwys2YB35p5zQ0JURovsdewlOxH
NT7eP19eVf4dCreibxUmRUaob5DEoHEk8WrxjKWIYUuLeD6AfcW6oXyRU2Yy8Vrt6SqFl5
WAi47VMFTkDZYS/eCvG53q9UBHpCj7Qvb0vSkCZXBvBIhlw193F3PX4WvO1IXsMwvQ1D1X
lmomsItbqM0cJyKw6LU18QWiBHvE7BqcphaoL5E08W2ATTSRIMCp6rt4rptM7KyGK8rc6W
UYrCnWt6KlCA8AAAWQXk+lVx6bH5itIKKYmQr6cR/5xtZ2GHAxnYtvlW3xnGhU0MHv+lJ2
uoWlT2RXE5pdMUQj7rNWAMqkwifSKZs9wBfYeo1TaFDmC3nW7yHSN3XTuO78mPIW5JyvmE
Rj5qjsUn7fNmzECoAxnVERhwnF3KqUBEPzIAc6/7v/na9NTiiGaJPco9lvCoPWbVLN08WG
SuyU+0x5zc3ebzuPcYqu5/c5nmiGxhALrIhjIS0OV1mtAAFhvdMjMIHOijOzSKVCC7rRk5
kG9EMLNvOn/DUVSRHamw5gs2V3V+Zq2g5nYWfgq8aDSTB8XlIzOj1cz3HwfN6pfSNQ/3Qe
wOQfWfTWdO+JSL8aoBN5Wg8tDbgmvmbFrINsJfFfSm0wZgcHhC7Ul4U3v4c8PoNdK9HXwi
TKKzJ9nxLYb+vDh50cnkseu2gt0KwVpjIorxEqeK755mKPao3JmOMr6uFTQsb+g+ZNgPwl
nRHA4Igx+zADFj3twldnKIiRpBQ5J4acur3uQ+saanBTXgul1TiFiUGT2cnz+IiCsdPovg
TAMt868W5LmzpfH4Cy54JtaRC4/UuMnkTGbWgutVDnWj2stOAzsQ1YmhH5igUmc94mUL+W
8vQDCKpeI8n+quDS9zxTvy4L4H5Iz7OZlh0h6N13BDvCYXKcNF/ugkfxZbu8mZsZQQzXNR
wOrEtKoHc4AnXYNzsuHEoEyLyJxGfFRDSTLbyN9wFOS/c0k9Gjte+kQRZjBVGORE5sN6X3
akUnTF76RhbEc+LamrwM1h5340bwosRbR8I+UrsQdFfJBEj1ZSyMRJlMkFUNi6blt7bhyx
ea+Pm2A614nlYUBjw2KKzzn8N/0H2NpJjIptvDsbrx3BS/rKwOeJwavRrGnIlEzuAag4vx
Zb2TPVta45uz7fQP5IBl83b0BJKI5Zv/fniUeLI78W/UsZqb64YQbfRyBzFtI1T/SsCi0B
e0EyKMzbxtSceT1Mb8eJiVIq04Xpwez9fIUt5rSedZD8KPq8P6s0cGsR7Qmw6eXZ/dBR/a
s5vPhfIUmQawmnwAVuWNRdQQ79jUBSn5M+ZRVVTgEG+vFyvxr/bZqOo1JCoq5BmQhLWGRJ
Dk9TolbeFIVFrkuXkcu99a079ux7XSkON64oPzHrcsEzjPA1GPqs9CGBSO16wq/nI3zg+E
kcOCaurc9yHJJPwduem0+8WLX3WoGNfQRKurtQze2ppy8KarEtDhDd96sKkhYaqOg3GOX8
Yx827L4vuWSJSIqKuO2kH6kOCMUNO16piv0z/8u3CJxOGh9+4FZIop81fiFTKLhV3/gwLm
fzFY++KIZrLfZcUjzd80NNEja69F452Eb9HrI5BurN/PznDEi9bzM598Y7beyl4/kd4R2e
S7SW9/LOrGw5UgxtiU+kV8nPz1PdgxO4sRlnntSBEwkQBzMkLOpq2h2BuJ2TlMP/TWuwLQ
sDkv1Yk1pD0roGmtMzbujnURGxqRJ8gUmuIot4hpfyRSssvnRQQZ3lQCQCwHiE+HJxXWf5
c58zOMjW7o21tI8e13uUnbRoQVJM9XYqk1usPXIkYPYL9uOw3AW/Zn+cnDrsXvTK9ZxgGD
/90b1BNwVqMlUK+QggHNwl5qD8eoXK5cDvav66te+E+V7FYFQ06w3tytRVz8SjoaiChN02
muIjvl6G7Hoj1hObM2t/ZheN1EShS11z868hhS6Mx7GvIdtkXuvdiBYMiBLOshJQxB8Mzx
iug9W+Di3upLf0UMC1TqADGphsIHRU7RbmHQ8Rwp7dogswmDfpRSapPt9p0D+6Ad5VBzi3
f3BPXj76UBLMEJCrZR1P28vnAA7AyNHaLvMPlWDMG5v3V/UV+ugyFcoBAOyjiQgYST8F3e
Hx7UPVlTK8dyvk1Z+Yw0nrfNClI=
-----END OPENSSH PRIVATE KEY-----
`),
ctx: context.Background(),
data: []byte(secretGitHubEncrypted),
verify: true,
},
want: []detectors.Result{
@ -169,12 +117,10 @@ func TestPrivatekey_FromChunk(t *testing.T) {
DetectorType: detectorspb.DetectorType_PrivateKey,
Verified: true,
Redacted: "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFl",
StructuredData: &detectorspb.StructuredData{
GithubSshKey: []*detectorspb.GitHubSSHKey{
{
User: "thisisforgithub0",
},
},
ExtraData: map[string]string{
"github_user": "sirdetectsalot",
"encrypted": "true",
"cracked_encryption_passphrase": "true",
},
},
},
@ -262,7 +208,7 @@ func Test_lookupFingerprint(t *testing.T) {
t.Errorf("lookupFingerprint() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(gotFingerprints != nil && len(gotFingerprints.TlsPrivateKey) > 0, tt.wantFingerprints) {
if !reflect.DeepEqual(gotFingerprints != nil && len(gotFingerprints.CertificateURLs) > 0, tt.wantFingerprints) {
t.Errorf("lookupFingerprint() = %v, want %v", gotFingerprints, tt.wantFingerprints)
}
})

125
pkg/detectors/privatekey/ssh.go Normal file
View file

@ -0,0 +1,125 @@
package privatekey
import (
"bytes"
"errors"
"fmt"
"net"
"strings"
"time"
"golang.org/x/crypto/ssh"
)
// https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
var githubFingerprints = map[string]string{
"SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s": "RSA",
"SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ": "DSA - deprecated",
"SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM": "ECDSA",
"SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU": "ED25519",
}
// https://docs.gitlab.com/ee/user/gitlab_com/index.html#ssh-host-keys-fingerprints
var gitlabFingerprints = map[string]string{
"SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw": "ECDSA",
"SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8": "ED25519",
"SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ": "RSA",
}
func firstResponseFromSSH(parsedKey any, username, hostport string) (string, error) {
signer, err := ssh.NewSignerFromKey(parsedKey)
if err != nil {
return "", err
}
// Verify the server fingerprint to ensure that there is no MITM replay attack
config := &ssh.ClientConfig{
Timeout: 3 * time.Second,
User: username,
Auth: []ssh.AuthMethod{
ssh.PublicKeys(signer),
},
HostKeyCallback: func(hostname string, _ net.Addr, key ssh.PublicKey) error {
switch hostname {
case "github.com:22":
fingerprint := fingerprintSSHPublicKey(key)
if _, ok := githubFingerprints[fingerprint]; !ok {
return fmt.Errorf("unknown host fingerprint for github.com, got %s", fingerprint)
}
case "gitlab.com:22":
fingerprint := fingerprintSSHPublicKey(key)
if _, ok := gitlabFingerprints[fingerprint]; !ok {
return fmt.Errorf("unknown host fingerprint for gitlab.com, got %s", fingerprint)
}
default:
return errors.New("unknown host in fingerprint db")
}
return nil
},
}
client, err := ssh.Dial("tcp", hostport, config)
if err != nil {
if strings.Contains(err.Error(), "unable to authenticate") {
return "", errPermissionDenied
}
return "", err
}
defer client.Close()
session, err := client.NewSession()
if err != nil {
return "", err
}
defer session.Close()
var output bytes.Buffer
session.Stderr = &output
err = session.Shell()
if err != nil {
return "", err
}
_ = session.Wait()
return output.String(), err
}
var errPermissionDenied = errors.New("permission denied")
func verifyGitHubUser(parsedKey any) (*string, error) {
output, err := firstResponseFromSSH(parsedKey, "git", "github.com:22")
if err != nil {
return nil, err
}
if strings.Contains(output, "Permission denied") {
return nil, errPermissionDenied
}
if strings.Contains(output, "successfully authenticated") {
username := strings.TrimSuffix(strings.Split(output, " ")[1], "!")
return &username, nil
}
return nil, nil
}
func verifyGitLabUser(parsedKey any) (*string, error) {
output, err := firstResponseFromSSH(parsedKey, "git", "gitlab.com:22")
if err != nil {
return nil, err
}
if strings.Contains(output, "Permission denied") {
return nil, errPermissionDenied
}
if strings.Contains(output, "Welcome to GitLab") {
split := strings.Split(output, " ")
username := strings.TrimPrefix(strings.TrimSuffix(split[len(split)-1], "!"), "@")
return &username, nil
}
return nil, nil
}

34
pkg/detectors/privatekey/ssh_test.go Normal file
View file

@ -0,0 +1,34 @@
package privatekey
import (
"context"
"testing"
"time"
"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"golang.org/x/crypto/ssh"
)
func TestFirstResponseFromSSH(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
defer cancel()
testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors4")
if err != nil {
t.Fatalf("could not get test secrets from GCP: %s", err)
}
secretGitHub := testSecrets.MustGetField("PRIVATEKEY_GITHUB")
parsedKey, err := ssh.ParseRawPrivateKey([]byte(normalize(secretGitHub)))
if err != nil {
t.Fatalf("could not parse test secret: %s", err)
}
output, err := firstResponseFromSSH(parsedKey, "git", "github.com:22")
if err != nil {
t.Fail()
}
if len(output) == 0 {
t.Fail()
}
}