Filesystem Scanner supported formats
SSH keys
SSH-2 public keys
OpenSSH public key or known_hosts format using one of the following algorithms:
- ssh-rsa
- ssh-dss
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-ed25519
PuTTY Private Key (PPK) files
The algorithms supported are the same as those supported for SSH-2 public keys.
PEM- or DER-encoded ASN.1 files
- X.509 certificates (containing RSA, EC or DSA public keys)
- X.509 format public keys
- PKCS#8 encrypted and unencrypted private keys
- RSA public and private keys
- DSA private keys
- Elliptic curve private keys
- PKCS#7 files
Keystores
Info: Unsupported syntax in parts of a file can have an impact on what else the Filesystem Scanner discovers in the file. In the following tables, we distinguish those unsupported cases using this convention:
- Case 1: The scanner finds all supported items in the same file as the unsupported item.
- Case 2: The scanner only finds supported items appearing before the unsupported item.
- Case 3: Nothing is found in the file.
To learn more about the scanning process, see How it works.
JKS
Type of JKS item | Supported |
---|---|
Certificates | Yes (if unencrypted) |
Private keys | Yes (if unencrypted) |
Secret keys | Not applicable |
JCEKS
Type of JCEKS item | Supported |
---|---|
Certificates | Yes (if unencrypted) |
Private keys | Yes (if unencrypted) |
Secret keys | No (Case 1 if AES or DES, Case 2 otherwise) |
Microsoft Serialized Certificate Stores (SST)
This format is fully supported.
PKCS#12
A PKCS#12 keystore can have three different types of items, listed below:
Type of PKCS#12 item | Supported |
---|---|
Data | Yes (see below) |
EncryptedData | No (Case 1 or 3, see below) |
EnvelopedData | No (Case 1) |
Data is represented as a SafeBag, which can be expressed using one of the six different grammars below:
Type of SafeBag | Supported |
---|---|
keyBag | Yes |
certBag | Yes |
pkcs8ShroudedKeyBag | Yes |
crlBag | No (Case 3) |
secretBag | No (Case 3) |
safeContentsBag | No (Case 3) |
EncryptedData is an item type with an encrypted payload. pkcs8ShroudedKeyBag is a specific SafeBag type with an encrypted payload. Both formats store the encrypted content using PKCS#5.
PKCS#5
The Filesystem Scanner supports the following grammars:
Type of encryption | Supported |
---|---|
PKCS#12 PBES1 | Yes |
PKCS#5 PBES2 with PBKDF2 as KDF | Yes |
PKCS#5 PBES2 with another KDF | No (Case 3) |
If you provide a password to the Filesystem Scanner using the --password argument, the scanner will attempt to decrypt PBE-encrypted payloads under the following conditions:
- PKCS#5 with PBES2 is used for PBE encryption.
- PBKDF2 is used as the Key Derivation Function (KDF), following the above constraints.
- The supported encryption algorithms include:
  - AES with ECB and CBC modes using 128-bit, 192-bit, and 256-bit keys.
  - 3DES in CBC mode.
Please note that ‘on the fly’ decryption is experimental and incomplete. For instance, RC2 encryption, which can be found in older versions of OpenSSL, is not yet supported for decryption.
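The PKCS#5 table above (and the PKCS#12 EncryptedData / pkcs8ShroudedKeyBag note before it) comes down to reading the AlgorithmIdentifier at the front of an encrypted payload. The following is an added example, not the Filesystem Scanner's code, that classifies a DER EncryptedPrivateKeyInfo into the table's three rows with a hand-written minimal DER codec; the scrypt OID is used as the "other KDF" sample and the sample inputs are constructed, with dummy ciphertext that is never decrypted.

```python
# Added example (not the scanner's own code): classify the PBE scheme of a DER EncryptedPrivateKeyInfo per the PKCS#5 table.
PBES2, PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"
PKCS12_PBE_ARC = "1.2.840.113549.1.12.1."              # PBES1 schemes defined in PKCS#12
SCRYPT, AES256_CBC = "1.3.6.1.4.1.11591.4.11", "2.16.840.1.101.3.4.1.42"  # RFC 7914 / NIST

def der_tlv(data, pos=0):                    # one DER TLV -> (tag, content, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + length], pos + length

def der_oid(content):                        # OBJECT IDENTIFIER content octets -> dotted string
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def classify_pbe(der):                       # -> (scheme, supported) per the table above
    _, epki, _ = der_tlv(der)                # EncryptedPrivateKeyInfo SEQUENCE
    _, alg, _ = der_tlv(epki)                # encryptionAlgorithm AlgorithmIdentifier
    _, oid_bytes, p = der_tlv(alg)
    oid = der_oid(oid_bytes)
    if oid.startswith(PKCS12_PBE_ARC):
        return "PKCS#12 PBES1", True
    if oid != PBES2:
        return "unknown scheme " + oid, False
    _, params, _ = der_tlv(alg, p)           # PBES2-params SEQUENCE
    kdf_oid = der_oid(der_tlv(der_tlv(params)[1])[1])   # keyDerivationFunc.algorithm
    if kdf_oid == PBKDF2:
        return "PKCS#5 PBES2 with PBKDF2", True
    return "PKCS#5 PBES2 with other KDF " + kdf_oid, False  # Case 3: nothing is found
def der_enc(tag, content):                   # DER TLV with short-form length (samples < 128 bytes)
    return bytes([tag, len(content)]) + content

def der_enc_oid(dotted):
    a = list(map(int, dotted.split(".")))
    out = [40 * a[0] + a[1]]
    for arc in a[2:]:                        # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while (arc := arc >> 7): chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der_enc(0x06, bytes(out))

def sample_epki(kdf_oid):                    # constructed sample: PBES2, given KDF, AES-256-CBC
    kdf = der_enc(0x30, der_enc_oid(kdf_oid) + der_enc(0x30, der_enc(0x04, b"\0" * 8) + der_enc(0x02, b"\x27\x10")))
    cipher = der_enc(0x30, der_enc_oid(AES256_CBC) + der_enc(0x04, b"\0" * 16))
    alg = der_enc(0x30, der_enc_oid(PBES2) + der_enc(0x30, kdf + cipher))
    return der_enc(0x30, alg + der_enc(0x04, b"\0" * 32))   # dummy ciphertext; never decrypted
```

`classify_pbe(sample_epki(PBKDF2))` reports the supported PBES2/PBKDF2 case, while swapping in `SCRYPT` as the KDF lands in the "other KDF" row that the scanner cannot handle.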
JAR files
This feature is available if a link to the Java Bytecode Scanner has been provided with the --static-scanner-path argument.
- Hard-coded keys
- Certificates
PGP files
- RSA public keys
- DSA public keys
- ElGamal public keys
ZIP files
When the Filesystem Scanner encounters a .zip file, it scans the files inside it. It conducts the same checks as it would for typical files on a filesystem, with the following limitations:
- JAR files inside ZIP archives aren’t supported.
- ZIP files inside ZIP archives aren’t supported.
It’s also worth noting that the Filesystem Scanner only supports files that follow the original PKZIP file format specification, without spanning across multiple files. In particular, it doesn’t support ZIP64 archives and the following limitations apply:
- A maximum of 2^16 (65,536) files can be inside the ZIP archive.
- The maximum compressed size is 4 GB for each entry.
- The maximum uncompressed size is 4 GB for each entry.
- The maximum overall size of the ZIP archive is 4 GB.