Filesystem Scanner supported formats

SSH keys

SSH-2 public keys

OpenSSH public key or known_hosts format using one of the following algorithms:

  • ssh-rsa
  • ssh-dss
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-ed25519

PuTTY Private Key (PPK) files

The algorithms supported are the same as those supported for SSH-2 public keys.

PEM- or DER-encoded ASN.1 files

  • X.509 certificates (containing RSA, EC or DSA public keys)
  • X.509 format public keys
  • PKCS#8 encrypted and unencrypted private keys
  • RSA public and private keys
  • DSA private keys
  • Elliptic curve private keys
  • PKCS#7 files

Keystores

Info

Unsupported syntax in one part of a file can affect what else the Filesystem Scanner discovers in that file. The following tables distinguish the unsupported cases using this convention:

  • Case 1: The scanner finds all supported items in the same file as the unsupported item.
  • Case 2: The scanner only finds supported items appearing before the unsupported item.
  • Case 3: Nothing is found in the file.

To learn more about the scanning process, see How it works.

JKS

Type of JKS item    Supported
Certificates        Yes (if unencrypted)
Private keys        Yes (if unencrypted)
Secret keys         Not applicable

JCEKS

Type of JCEKS item  Supported
Certificates        Yes (if unencrypted)
Private keys        Yes (if unencrypted)
Secret keys         No (Case 1 if AES or DES, Case 2 otherwise)

Microsoft Serialized Certificate Stores (SST)

This format is fully supported.

PKCS#12

A PKCS#12 keystore can have three different types of items, listed below:

Type of PKCS#12 item  Supported
Data                  Yes (see below)
EncryptedData         No (Case 1 or 3, see below)
EnvelopedData         No (Case 1)

Data is represented as a SafeBag, which can be expressed using one of the six different grammars below:

Type of SafeBag       Supported
keyBag                Yes
certBag               Yes
pkcs8ShroudedKeyBag   Yes
crlBag                No (Case 3)
secretBag             No (Case 3)
safeContentsBag       No (Case 3)

EncryptedData is a PKCS#12 item type whose payload is encrypted; pkcs8ShroudedKeyBag is a SafeBag type whose payload is encrypted. Both store the encrypted content using PKCS#5 password-based encryption.

PKCS#5

The Filesystem Scanner supports the following grammars:

Type of encryption                      Supported
PKCS#12 PBES1                           Yes
PKCS#5 PBES2 with PBKDF2 as KDF         Yes
PKCS#5 PBES2 with another KDF           No (Case 3)

If you provide a password to the Filesystem Scanner using the --password argument, the scanner attempts to decrypt PBE-encrypted payloads under the following conditions:

  • PKCS#5 PBES2 is used for the password-based encryption.
  • PBKDF2 is used as the Key Derivation Function (KDF), as in the table above.
  • The encryption algorithm is one of:
    • AES in ECB or CBC mode with a 128-bit, 192-bit or 256-bit key.
    • 3DES in CBC mode.

Note that on-the-fly decryption is experimental and incomplete. For instance, RC2 encryption, which can be found in older versions of OpenSSL, is not yet supported for decryption.

JAR files

This feature is available only if the location of the Java Bytecode Scanner has been provided with the --static-scanner-path argument. Inside JAR files, the scanner then finds:

  • Hard-coded keys
  • Certificates

PGP files

  • RSA public keys
  • DSA public keys
  • ElGamal public keys

ZIP files

When the Filesystem Scanner encounters a .zip file, it scans the files inside it. It conducts the same checks as it would for typical files on a filesystem, with the following limitations:

  • JAR files inside ZIP archives aren’t supported.
  • ZIP files inside ZIP archives aren’t supported.

It’s also worth noting that the Filesystem Scanner only supports files that follow the original PKZIP file format specification and that do not span multiple files. In particular, it doesn’t support ZIP64 archives, and the following limits apply:

  • A maximum of 2^16 files can be inside the ZIP archive.
  • The maximum compressed size is 4 GB for each entry.
  • The maximum uncompressed size is 4 GB for each entry.
  • The maximum overall size of the ZIP archive is 4 GB.
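As an added example (not part of this documentation and not the scanner's own code), the following Python pre-check flags archives that fall outside the ZIP limits listed above before they are handed to the Filesystem Scanner. It uses the standard zipfile module plus a direct read of the end-of-central-directory record to detect multi-part and ZIP64 archives, and applies the nested .zip/.jar rule from the previous section; the sample archive is constructed inline.

```python
import io
import struct
import zipfile

# Limits stated on this page for the Filesystem Scanner's ZIP support.
MAX_ENTRIES = 2 ** 16
MAX_BYTES = 4 * 1024 ** 3               # 4 GB per entry and for the whole archive
EOCD_SIG = b"PK\x05\x06"                # end-of-central-directory (EOCD) record
ZIP64_LOCATOR_SIG = b"PK\x06\x07"       # ZIP64 EOCD locator, 20 bytes, sits right before EOCD
UNSUPPORTED_NESTED = (".zip", ".jar")   # nested archives the scanner does not descend into


def check_zip(data: bytes) -> dict:
    """Classify an in-memory ZIP against the scanner's documented limits.

    Returns {'archive': [reasons the whole archive is unsupported],
             'skipped_entries': [entry names the scanner would not scan]}.
    """
    reasons, skipped = [], []
    if len(data) > MAX_BYTES:
        reasons.append("archive larger than 4 GB")
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return {"archive": ["no end-of-central-directory record"], "skipped_entries": []}
    # EOCD layout: sig(4) this_disk(2) cd_disk(2) entries_this_disk(2) entries_total(2) ...
    this_disk, cd_disk = struct.unpack_from("<HH", data, eocd + 4)
    if this_disk != 0 or cd_disk != 0:
        reasons.append("archive spans multiple files (multi-part ZIP)")
    if eocd >= 20 and data[eocd - 20:eocd - 16] == ZIP64_LOCATOR_SIG:
        reasons.append("ZIP64 archive")
    if reasons:                          # nothing inside would be scanned anyway
        return {"archive": reasons, "skipped_entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            reasons.append(f"more than {MAX_ENTRIES} entries")
        for info in infos:
            if info.compress_size > MAX_BYTES or info.file_size > MAX_BYTES:
                reasons.append(f"{info.filename}: entry larger than 4 GB")
            elif info.filename.lower().endswith(UNSUPPORTED_NESTED):
                skipped.append(info.filename)
    return {"archive": reasons, "skipped_entries": skipped}


def build_sample() -> bytes:
    """Constructed sample: a PEM file next to a nested .zip and a .jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("keys/server.pem", "-----BEGIN RSA PRIVATE KEY-----\n...")
        zf.writestr("inner.zip", EOCD_SIG + b"\x00" * 18)   # minimal empty ZIP as payload
        zf.writestr("lib/app.jar", EOCD_SIG + b"\x00" * 18)
    return buf.getvalue()
```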